Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

This Person (Probably) Exists. Identity Membership Attacks Against GAN Generated Faces

Ryan Webster, Julien Rabin, Loic Simon, Frederic Jurie

TL;DR

GAN-generated faces may leak information about their training data. This paper introduces an identity-based membership attack that can determine whether a training identity is associated with generated faces without needing exact copies. The method is evaluated across multiple face datasets and GAN training setups, revealing privacy risks even with diverse datasets. The findings highlight a new class of privacy vulnerabilities for GAN-generated imagery and underscore the need for defensive strategies and auditing to protect identity information.

Abstract

Recently, generative adversarial networks (GANs) have achieved stunning realism, fooling even human observers. Indeed, the popular tongue-in-cheek website {\small \url{ http://thispersondoesnotexist.com}}, taunts users with GAN generated images that seem too real to believe. On the other hand, GANs do leak information about their training data, as evidenced by membership attacks recently demonstrated in the literature. In this work, we challenge the assumption that GAN faces really are novel creations, by constructing a successful membership attack of a new kind. Unlike previous works, our attack can accurately discern samples sharing the same identity as training samples without being the same samples. We demonstrate the interest of our attack across several popular face datasets and GAN training procedures. Notably, we show that even in the presence of significant dataset diversity, an over represented person can pose a privacy concern.

This Person (Probably) Exists. Identity Membership Attacks Against GAN Generated Faces

TL;DR

GAN-generated faces may leak information about their training data. This paper introduces an identity-based membership attack that can determine whether a training identity is associated with generated faces without needing exact copies. The method is evaluated across multiple face datasets and GAN training setups, revealing privacy risks even with diverse datasets. The findings highlight a new class of privacy vulnerabilities for GAN-generated imagery and underscore the need for defensive strategies and auditing to protect identity information.

Abstract

Recently, generative adversarial networks (GANs) have achieved stunning realism, fooling even human observers. Indeed, the popular tongue-in-cheek website {\small \url{ http://thispersondoesnotexist.com}}, taunts users with GAN generated images that seem too real to believe. On the other hand, GANs do leak information about their training data, as evidenced by membership attacks recently demonstrated in the literature. In this work, we challenge the assumption that GAN faces really are novel creations, by constructing a successful membership attack of a new kind. Unlike previous works, our attack can accurately discern samples sharing the same identity as training samples without being the same samples. We demonstrate the interest of our attack across several popular face datasets and GAN training procedures. Notably, we show that even in the presence of significant dataset diversity, an over represented person can pose a privacy concern.

Paper Structure

This paper contains 18 sections, 1 equation, 2 figures, 1 table.

Table of Contents

  1. Introduction
  2. Language
  3. Paper Length
  4. Dual Submission
  5. Supplemental Material
  6. Line Numbering
  7. Mathematics
  8. Blind Review
  9. Manuscript Preparation
  10. Printing Area
  11. Layout, Typeface, Font Sizes, and Numbering
  12. Headings.
  13. Lemmas, Propositions, and Theorems.
  14. Figures and Photographs
  15. Formulas
  16. ...and 3 more sections

Figures (2)

  • Figure 1: The website of ACCV 2020 is at http://accv2020.kyoto. If images are copied from some source then provide the reference. Follow copyright rules as they apply. A caption ends with a full stop.
  • Figure 2: One kernel at $x_s$ ( dotted kernel) or two kernels at $x_i$ and $x_j$ ( left and right) lead to the same summed estimate at $x_s$. This shows a figure consisting of different types of lines. Elements of the figure described in the caption should be set in Italics and in parentheses, as shown in this sample caption.