{"id":"https://openalex.org/W3156534051","doi":"https://doi.org/10.1007/s10994-021-05951-6","title":"Protect privacy of deep classification networks by exploiting their generative power","display_name":"Protect privacy of deep classification networks by exploiting their generative power","publication_year":2021,"publication_date":"2021-04-01","ids":{"openalex":"https://openalex.org/W3156534051","doi":"https://doi.org/10.1007/s10994-021-05951-6","mag":"3156534051"},"language":"en","primary_location":{"id":"doi:10.1007/s10994-021-05951-6","is_oa":true,"landing_page_url":"https://doi.org/10.1007/s10994-021-05951-6","pdf_url":"https://link.springer.com/content/pdf/10.1007/s10994-021-05951-6.pdf","source":{"id":"https://openalex.org/S62148650","display_name":"Machine Learning","issn_l":"0885-6125","issn":["0885-6125","1573-0565"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319900","host_organization_name":"Springer Science+Business Media","host_organization_lineage":["https://openalex.org/P4310319900","https://openalex.org/P4310319965"],"host_organization_lineage_names":["Springer Science+Business Media","Springer Nature"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Machine Learning","raw_type":"journal-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":true,"oa_status":"hybrid","oa_url":"https://link.springer.com/content/pdf/10.1007/s10994-021-05951-6.pdf","any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5101936161","display_name":"Jiyu Chen","orcid":"https://orcid.org/0000-0002-0144-6376"},"institutions":[{"id":"https://openalex.org/I84218800","display_name":"University of California, Davis","ror":"https://ror.org/05rrcem69","country_code":"US","type":"education","lineage":["https://openalex.org/I84218800"]}],"countries":["US"],"is_corresponding":true,"raw_author_name":"Jiyu Chen","raw_affiliation_strings":["University of California, Davis, USA"],"affiliations":[{"raw_affiliation_string":"University of California, Davis, USA","institution_ids":["https://openalex.org/I84218800"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5067005644","display_name":"Yiwen Guo","orcid":"https://orcid.org/0000-0002-0709-4877"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Yiwen Guo","raw_affiliation_strings":["ByteDance AI Lab, Beijing, China"],"affiliations":[{"raw_affiliation_string":"ByteDance AI Lab, Beijing, China","institution_ids":[]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5040333624","display_name":"Qianjun Zheng","orcid":"https://orcid.org/0009-0006-1149-8125"},"institutions":[{"id":"https://openalex.org/I126520041","display_name":"University of Science and Technology of China","ror":"https://ror.org/04c4dkn09","country_code":"CN","type":"education","lineage":["https://openalex.org/I126520041","https://openalex.org/I19820366"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Qianjun Zheng","raw_affiliation_strings":["University of Science and Technology of China, Hefei, China"],"affiliations":[{"raw_affiliation_string":"University of Science and Technology of China, Hefei, China","institution_ids":["https://openalex.org/I126520041"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5100353550","display_name":"Hao Chen","orcid":"https://orcid.org/0000-0002-4072-0710"},"institutions":[{"id":"https://openalex.org/I84218800","display_name":"University of California, Davis","ror":"https://ror.org/05rrcem69","country_code":"US","type":"education","lineage":["https://openalex.org/I84218800"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Hao Chen","raw_affiliation_strings":["University of California, Davis, USA"],"affiliations":[{"raw_affiliation_string":"University of California, Davis, USA","institution_ids":["https://openalex.org/I84218800"]}]}],"institutions":[],"countries_distinct_count":2,"institutions_distinct_count":4,"corresponding_author_ids":["https://openalex.org/A5101936161"],"corresponding_institution_ids":["https://openalex.org/I84218800"],"apc_list":{"value":2390,"currency":"EUR","value_usd":2990},"apc_paid":{"value":2390,"currency":"EUR","value_usd":2990},"fwci":0.9797,"has_fulltext":true,"cited_by_count":9,"citation_normalized_percentile":{"value":0.8022785,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":{"min":90,"max":98},"biblio":{"volume":"110","issue":"4","first_page":"651","last_page":"674"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":0.9998000264167786,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":0.9998000264167786,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10764","display_name":"Privacy-Preserving Technologies in Data","score":0.9995999932289124,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10883","display_name":"Ethics and Social Impacts of AI","score":0.9369000196456909,"subfield":{"id":"https://openalex.org/subfields/3311","display_name":"Safety Research"},"field":{"id":"https://openalex.org/fields/33","display_name":"Social Sciences"},"domain":{"id":"https://openalex.org/domains/2","display_name":"Social Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.7896770238876343},{"id":"https://openalex.org/keywords/classifier","display_name":"Classifier (UML)","score":0.7866860628128052},{"id":"https://openalex.org/keywords/exploit","display_name":"Exploit","score":0.6546664237976074},{"id":"https://openalex.org/keywords/inference","display_name":"Inference","score":0.6155734062194824},{"id":"https://openalex.org/keywords/machine-learning","display_name":"Machine learning","score":0.6105902194976807},{"id":"https://openalex.org/keywords/artificial-intelligence","display_name":"Artificial intelligence","score":0.5960566401481628},{"id":"https://openalex.org/keywords/retraining","display_name":"Retraining","score":0.498565673828125},{"id":"https://openalex.org/keywords/generative-model","display_name":"Generative model","score":0.4312003254890442},{"id":"https://openalex.org/keywords/generative-grammar","display_name":"Generative grammar","score":0.4040083587169647},{"id":"https://openalex.org/keywords/data-mining","display_name":"Data mining","score":0.3596867322921753},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.12129166722297668}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7896770238876343},{"id":"https://openalex.org/C95623464","wikidata":"https://www.wikidata.org/wiki/Q1096149","display_name":"Classifier (UML)","level":2,"score":0.7866860628128052},{"id":"https://openalex.org/C165696696","wikidata":"https://www.wikidata.org/wiki/Q11287","display_name":"Exploit","level":2,"score":0.6546664237976074},{"id":"https://openalex.org/C2776214188","wikidata":"https://www.wikidata.org/wiki/Q408386","display_name":"Inference","level":2,"score":0.6155734062194824},{"id":"https://openalex.org/C119857082","wikidata":"https://www.wikidata.org/wiki/Q2539","display_name":"Machine learning","level":1,"score":0.6105902194976807},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.5960566401481628},{"id":"https://openalex.org/C2778712577","wikidata":"https://www.wikidata.org/wiki/Q3505966","display_name":"Retraining","level":2,"score":0.498565673828125},{"id":"https://openalex.org/C167966045","wikidata":"https://www.wikidata.org/wiki/Q5532625","display_name":"Generative model","level":3,"score":0.4312003254890442},{"id":"https://openalex.org/C39890363","wikidata":"https://www.wikidata.org/wiki/Q36108","display_name":"Generative grammar","level":2,"score":0.4040083587169647},{"id":"https://openalex.org/C124101348","wikidata":"https://www.wikidata.org/wiki/Q172491","display_name":"Data mining","level":1,"score":0.3596867322921753},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.12129166722297668},{"id":"https://openalex.org/C144133560","wikidata":"https://www.wikidata.org/wiki/Q4830453","display_name":"Business","level":0,"score":0.0},{"id":"https://openalex.org/C155202549","wikidata":"https://www.wikidata.org/wiki/Q178803","display_name":"International trade","level":1,"score":0.0}],"mesh":[],"locations_count":2,"locations":[{"id":"doi:10.1007/s10994-021-05951-6","is_oa":true,"landing_page_url":"https://doi.org/10.1007/s10994-021-05951-6","pdf_url":"https://link.springer.com/content/pdf/10.1007/s10994-021-05951-6.pdf","source":{"id":"https://openalex.org/S62148650","display_name":"Machine Learning","issn_l":"0885-6125","issn":["0885-6125","1573-0565"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319900","host_organization_name":"Springer Science+Business Media","host_organization_lineage":["https://openalex.org/P4310319900","https://openalex.org/P4310319965"],"host_organization_lineage_names":["Springer Science+Business Media","Springer Nature"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Machine Learning","raw_type":"journal-article"},{"id":"pmh:oai:hub.hku.hk:10722/346999","is_oa":false,"landing_page_url":"https://hub.hku.hk/handle/10722/346999","pdf_url":null,"source":{"id":"https://openalex.org/S4377196271","display_name":"The HKU Scholars Hub (University of Hong Kong)","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I889458895","host_organization_name":"University of Hong Kong","host_organization_lineage":["https://openalex.org/I889458895"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"Article"}],"best_oa_location":{"id":"doi:10.1007/s10994-021-05951-6","is_oa":true,"landing_page_url":"https://doi.org/10.1007/s10994-021-05951-6","pdf_url":"https://link.springer.com/content/pdf/10.1007/s10994-021-05951-6.pdf","source":{"id":"https://openalex.org/S62148650","display_name":"Machine Learning","issn_l":"0885-6125","issn":["0885-6125","1573-0565"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319900","host_organization_name":"Springer Science+Business Media","host_organization_lineage":["https://openalex.org/P4310319900","https://openalex.org/P4310319965"],"host_organization_lineage_names":["Springer Science+Business Media","Springer Nature"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Machine Learning","raw_type":"journal-article"},"sustainable_development_goals":[{"id":"https://metadata.un.org/sdg/16","display_name":"Peace, Justice and strong institutions","score":0.41999998688697815}],"awards":[{"id":"https://openalex.org/G2043895709","display_name":null,"funder_award_id":"W911NF-13-2-0045","funder_id":"https://openalex.org/F4320338295","funder_display_name":"Army Research Laboratory"},{"id":"https://openalex.org/G3376968242","display_name":null,"funder_award_id":"1801751","funder_id":"https://openalex.org/F4320306076","funder_display_name":"National Science Foundation"},{"id":"https://openalex.org/G3693556586","display_name":null,"funder_award_id":"2-004","funder_id":"https://openalex.org/F4320306076","funder_display_name":"National Science Foundation"},{"id":"https://openalex.org/G3732666562","display_name":null,"funder_award_id":"W911NF-13","funder_id":"https://openalex.org/F4320338295","funder_display_name":"Army Research Laboratory"},{"id":"https://openalex.org/G4307486606","display_name":null,"funder_award_id":"W911NF-13-2-0045 (ARL Cyber Security CRA)","funder_id":"https://openalex.org/F4320338295","funder_display_name":"Army Research Laboratory"},{"id":"https://openalex.org/G5259331294","display_name":null,"funder_award_id":"W911NF","funder_id":"https://openalex.org/F4320338295","funder_display_name":"Army Research Laboratory"},{"id":"https://openalex.org/G848032724","display_name":null,"funder_award_id":"Science","funder_id":"https://openalex.org/F4320306076","funder_display_name":"National Science Foundation"},{"id":"https://openalex.org/G8727049869","display_name":null,"funder_award_id":"W911NF-13","funder_id":"https://openalex.org/F4320306076","funder_display_name":"National Science Foundation"},{"id":"https://openalex.org/G8763038417","display_name":null,"funder_award_id":"Cooperative Agreement Number W911NF-13-2-0045","funder_id":"https://openalex.org/F4320338295","funder_display_name":"Army Research Laboratory"}],"funders":[{"id":"https://openalex.org/F4320306076","display_name":"National Science Foundation","ror":"https://ror.org/021nxhr62"},{"id":"https://openalex.org/F4320315784","display_name":"U.S. Army Combat Capabilities Development Command Soldier Center","ror":"https://ror.org/02rdkx920"},{"id":"https://openalex.org/F4320338295","display_name":"Army Research Laboratory","ror":"https://ror.org/011hc8f90"}],"has_content":{"grobid_xml":true,"pdf":true},"content_urls":{"pdf":"https://content.openalex.org/works/W3156534051.pdf","grobid_xml":"https://content.openalex.org/works/W3156534051.grobid-xml"},"referenced_works_count":41,"referenced_works":["https://openalex.org/W10021998","https://openalex.org/W1673923490","https://openalex.org/W1686810756","https://openalex.org/W1760458529","https://openalex.org/W2042492924","https://openalex.org/W2051267297","https://openalex.org/W2095705004","https://openalex.org/W2099471712","https://openalex.org/W2108581046","https://openalex.org/W2109426455","https://openalex.org/W2119874464","https://openalex.org/W2167433878","https://openalex.org/W2187089797","https://openalex.org/W2335728318","https://openalex.org/W2432004435","https://openalex.org/W2461943168","https://openalex.org/W2473418344","https://openalex.org/W2535690855","https://openalex.org/W2795435272","https://openalex.org/W2809414288","https://openalex.org/W2884943453","https://openalex.org/W2887995258","https://openalex.org/W2897830718","https://openalex.org/W2922772346","https://openalex.org/W2930926105","https://openalex.org/W2951004968","https://openalex.org/W2954172636","https://openalex.org/W2963378725","https://openalex.org/W2963456518","https://openalex.org/W2963844355","https://openalex.org/W2963981733","https://openalex.org/W2964137095","https://openalex.org/W2965527189","https://openalex.org/W2983140679","https://openalex.org/W2994434574","https://openalex.org/W2999663536","https://openalex.org/W3015625436","https://openalex.org/W3046102592","https://openalex.org/W3103245149","https://openalex.org/W3118608800","https://openalex.org/W6718379498"],"related_works":["https://openalex.org/W2952148308","https://openalex.org/W3011817866","https://openalex.org/W3165012362","https://openalex.org/W4287825816","https://openalex.org/W3042228302","https://openalex.org/W2104924585","https://openalex.org/W4226454691","https://openalex.org/W2044507188","https://openalex.org/W2214198805","https://openalex.org/W1576360539"],"abstract_inverted_index":{"Abstract":[0],"Research":[1],"showed":[2,192],"that":[3,44,55,79,162,206],"deep":[4],"learning":[5,145],"models":[6],"are":[7,66],"vulnerable":[8],"to":[9,15,33,103,109,122,133,171],"membership":[10,169],"inference":[11],"attacks,":[12],"which":[13],"aim":[14],"determine":[16],"if":[17,45],"an":[18],"example":[19],"is":[20,43,56,195],"in":[21],"the":[22,26,48,59,69,72,84,87,100,111,120,130,137,148,154,167,177,199],"training":[23,61,89],"set":[24,62],"of":[25,38,58,94],"model.":[27],"We":[28,140,181],"propose":[29],"a":[30,52,104,124,172],"new":[31,53,125,131],"framework":[32,92,164,212],"defend":[34],"against":[35,156],"this":[36],"sort":[37],"attack.":[39],"Our":[40,91,159,217],"key":[41],"insight":[42],"we":[46,98,117,128,203],"retrain":[47,134],"original":[49,60,88,101,138],"classifier":[50,74,102,155],"with":[51,184,210],"dataset":[54,132],"independent":[57],"while":[63,175],"their":[64],"elements":[65],"sampled":[67,118],"from":[68,83,119],"same":[70],"distribution,":[71],"retrained":[73],"will":[75,219],"leak":[76],"no":[77],"information":[78],"cannot":[80],"be":[81,220],"inferred":[82],"distribution":[85],"about":[86],"set.":[90],"consists":[93],"three":[95],"phases.":[96],"First,":[97],"transferred":[99],"Joint":[105],"Energy-based":[106],"Model":[107],"(JEM)":[108],"exploit":[110],"model\u2019s":[112],"implicit":[113],"generative":[114],"power.":[115],"Then,":[116],"JEM":[121,149],"create":[123],"dataset.":[126],"Finally,":[127],"used":[129],"or":[135],"fine-tune":[136],"classifier.":[139],"empirically":[141],"studied":[142],"different":[143],"transfer":[144],"schemes":[146],"for":[147,153],"and":[150,191],"fine-tuning/retraining":[151],"strategies":[152],"shadow-model":[157],"attacks.":[158],"evaluation":[160],"shows":[161],"our":[163,193,211],"can":[165],"suppress":[166],"attacker\u2019s":[168],"advantage":[170],"negligible":[173],"level":[174],"keeping":[176],"classifier\u2019s":[178],"accuracy":[179],"acceptable.":[180],"compared":[182],"it":[183],"other":[185,208],"state-of-the-art":[186],"defenses":[187,209],"considering":[188],"adaptive":[189],"attackers":[190],"defense":[194],"effective":[196],"even":[197],"under":[198],"worst-case":[200],"scenario.":[201],"Besides,":[202],"also":[204],"found":[205],"combining":[207],"often":[213],"achieves":[214],"better":[215],"robustness.":[216],"code":[218],"made":[221],"available":[222],"at":[223],"https://github.com/ChenJiyu/meminf-defense.git":[224],".":[225]},"counts_by_year":[{"year":2026,"cited_by_count":1},{"year":2025,"cited_by_count":1},{"year":2024,"cited_by_count":1},{"year":2023,"cited_by_count":5},{"year":2022,"cited_by_count":1}],"updated_date":"2026-04-10T15:06:20.359241","created_date":"2025-10-10T00:00:00"}