{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2024,10,6]],"date-time":"2024-10-06T01:15:55Z","timestamp":1728177355591},"reference-count":159,"publisher":"Association for Computing Machinery (ACM)","issue":"4","funder":[{"DOI":"10.13039\/501100000923","name":"Australian Research Council","doi-asserted-by":"crossref","award":["DP200101374"],"id":[{"id":"10.13039\/501100000923","id-type":"DOI","asserted-by":"crossref"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Comput. Surv."],"published-print":{"date-parts":[[2024,4,30]]},"abstract":"Generative Adversarial Networks (GANs) are a remarkable creation with regard to deep generative models. Thanks to their ability to learn from complex data distributions, GANs have been credited with the capacity to generate plausible data examples, which have been widely applied to various data generation tasks over image, text, and audio. However, as with any powerful technology, GANs have a flip side: their capability to generate realistic data can be exploited for malicious purposes. Many recent studies have demonstrated the security and privacy (S&P) threats brought by GANs, especially the attacks on machine learning (ML) systems. Nevertheless, so far as we know, there is no existing survey that has systematically categorized and discussed the threats and strategies of these GAN-based attack methods. In this article, we provide a comprehensive survey of GAN-based attacks and countermeasures. We summarize and articulate: (1) what S&P threats of GANs expose to ML systems; (2) why GANs are useful for certain attacks; (3) what strategies can be used for GAN-based attacks; and (4) what countermeasures can be effective to GAN-based attacks. 
Finally, we provide several promising research directions combining the existing limitations of GAN-based studies and the prevailing trend in the associated research fields.","DOI":"10.1145\/3615336","type":"journal-article","created":{"date-parts":[[2023,8,16]],"date-time":"2023-08-16T12:13:40Z","timestamp":1692188020000},"page":"1-35","update-policy":"http:\/\/dx.doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":6,"title":["Generative Adversarial Networks: A Survey on Attack and Defense Perspective"],"prefix":"10.1145","volume":"56","author":[{"ORCID":"http:\/\/orcid.org\/0000-0002-2352-0485","authenticated-orcid":false,"given":"Chenhan","family":"Zhang","sequence":"first","affiliation":[{"name":"University of Technology Sydney"}]},{"ORCID":"http:\/\/orcid.org\/0000-0003-4485-6743","authenticated-orcid":false,"given":"Shui","family":"Yu","sequence":"additional","affiliation":[{"name":"University of Technology Sydney"}]},{"ORCID":"http:\/\/orcid.org\/0000-0001-8905-0941","authenticated-orcid":false,"given":"Zhiyi","family":"Tian","sequence":"additional","affiliation":[{"name":"University of Technology Sydney"}]},{"ORCID":"http:\/\/orcid.org\/0000-0002-6392-6711","authenticated-orcid":false,"given":"James J. Q.","family":"Yu","sequence":"additional","affiliation":[{"name":"University of York, United Kingdom"}]}],"member":"320","published-online":{"date-parts":[[2023,11,10]]},"reference":[{"key":"e_1_3_2_2_2","first-page":"1","volume-title":"2018 IEEE International Workshop on Information Forensics and Security (WIFS)","author":"Afchar Darius","year":"2018","unstructured":"Darius Afchar, Vincent Nozick, Junichi Yamagishi, and Isao Echizen. 2018. MesoNet: A compact facial video forgery detection network. In 2018 IEEE International Workshop on Information Forensics and Security (WIFS). 
IEEE, 1\u20137."},{"key":"e_1_3_2_3_2","article-title":"Gamin: An adversarial approach to black-box model inversion","author":"A\u00efvodji Ulrich","year":"2019","unstructured":"Ulrich A\u00efvodji, S\u00e9bastien Gambs, and Timon Ther. 2019. Gamin: An adversarial approach to black-box model inversion. arXiv preprint arXiv:1909.11835 (2019).","journal-title":"arXiv preprint arXiv:1909.11835"},{"key":"e_1_3_2_4_2","first-page":"214","volume-title":"International Conference on Machine Learning","author":"Arjovsky Martin","year":"2017","unstructured":"Martin Arjovsky, Soumith Chintala, and L\u00e9on Bottou. 2017. Wasserstein generative adversarial networks. In International Conference on Machine Learning. PMLR, 214\u2013223."},{"key":"e_1_3_2_5_2","first-page":"1192","article-title":"A guide to fully homomorphic encryption.","volume":"2015","author":"Armknecht Frederik","year":"2015","unstructured":"Frederik Armknecht, Colin Boyd, Christopher Carr, Kristian Gj\u00f8steen, Angela J\u00e4schke, Christian A. Reuter, and Martin Strand. 2015. A guide to fully homomorphic encryption. IACR Cryptol. ePrint Arch. 2015 (2015), 1192.","journal-title":"IACR Cryptol. ePrint Arch."},{"key":"e_1_3_2_6_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICC42927.2021.9500657"},{"key":"e_1_3_2_7_2","article-title":"Adversarial transformation networks: Learning to generate adversarial examples","author":"Baluja Shumeet","year":"2017","unstructured":"Shumeet Baluja and Ian Fischer. 2017. Adversarial transformation networks: Learning to generate adversarial examples. arXiv preprint arXiv:1703.09387 (2017).","journal-title":"arXiv preprint arXiv:1703.09387"},{"key":"e_1_3_2_8_2","doi-asserted-by":"publisher","DOI":"10.1145\/1128817.1128824"},{"key":"e_1_3_2_9_2","article-title":"Membership model inversion attacks for deep networks","author":"Basu Samyadeep","year":"2019","unstructured":"Samyadeep Basu, Rauf Izmailov, and Chris Mesterharm. 2019. 
Membership model inversion attacks for deep networks. arXiv preprint arXiv:1910.04257 (2019).","journal-title":"arXiv preprint arXiv:1910.04257"},{"key":"e_1_3_2_10_2","first-page":"634","volume-title":"International Conference on Machine Learning","author":"Bhagoji Arjun Nitin","year":"2019","unstructured":"Arjun Nitin Bhagoji, Supriyo Chakraborty, Prateek Mittal, and Seraphin Calo. 2019. Analyzing federated learning through an adversarial lens. In International Conference on Machine Learning. PMLR, 634\u2013643."},{"key":"e_1_3_2_11_2","doi-asserted-by":"publisher","DOI":"10.1109\/CISS.2018.8362326"},{"key":"e_1_3_2_12_2","article-title":"A survey of black-box adversarial attacks on computer vision models","author":"Bhambri Siddhant","year":"2019","unstructured":"Siddhant Bhambri, Sumanyu Muku, Avinash Tulasi, and Arun Balaji Buduru. 2019. A survey of black-box adversarial attacks on computer vision models. arXiv preprint arXiv:1912.01667 (2019).","journal-title":"arXiv preprint arXiv:1912.01667"},{"key":"e_1_3_2_13_2","article-title":"Poisoning attacks against support vector machines","author":"Biggio Battista","year":"2012","unstructured":"Battista Biggio, Blaine Nelson, and Pavel Laskov. 2012. Poisoning attacks against support vector machines. arXiv preprint arXiv:1206.6389 (2012).","journal-title":"arXiv preprint arXiv:1206.6389"},{"key":"e_1_3_2_14_2","doi-asserted-by":"publisher","DOI":"10.1109\/TPAMI.2021.3116668"},{"volume-title":"International Conference on Learning Representations","year":"2018","author":"Brock Andrew","key":"e_1_3_2_15_2","unstructured":"Andrew Brock, Jeff Donahue, and Karen Simonyan. 2018. Large scale GAN training for high fidelity natural image synthesis. In International Conference on Learning Representations."},{"key":"e_1_3_2_16_2","article-title":"Adversarial patch","author":"Brown Tom B.","year":"2017","unstructured":"Tom B. Brown, Dandelion Man\u00e9, Aurko Roy, Mart\u00edn Abadi, and Justin Gilmer. 2017. Adversarial patch. 
arXiv preprint arXiv:1712.09665 (2017).","journal-title":"arXiv preprint arXiv:1712.09665"},{"volume-title":"International Conference on Learning Representations","year":"2018","author":"Buckman Jacob","key":"e_1_3_2_17_2","unstructured":"Jacob Buckman, Aurko Roy, Colin Raffel, and Ian Goodfellow. 2018. Thermometer encoding: One hot way to resist adversarial examples. In International Conference on Learning Representations."},{"key":"e_1_3_2_18_2","doi-asserted-by":"publisher","DOI":"10.1145\/3459992"},{"key":"e_1_3_2_19_2","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2018.2886814"},{"key":"e_1_3_2_20_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR42600.2020.01387"},{"key":"e_1_3_2_21_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.ins.2020.04.019"},{"key":"e_1_3_2_22_2","first-page":"2180","volume-title":"Proceedings of the 30th International Conference on Neural Information Processing Systems","author":"Chen Xi","year":"2016","unstructured":"Xi Chen, Yan Duan, Rein Houthooft, John Schulman, Ilya Sutskever, and Pieter Abbeel. 2016. InfoGAN: Interpretable representation learning by information maximizing generative adversarial nets. In Proceedings of the 30th International Conference on Neural Information Processing Systems. 2180\u20132188."},{"key":"e_1_3_2_23_2","doi-asserted-by":"publisher","DOI":"10.1109\/JIOT.2020.3033171"},{"key":"e_1_3_2_24_2","doi-asserted-by":"publisher","DOI":"10.1109\/GLOBECOM42002.2020.9322591"},{"key":"e_1_3_2_25_2","article-title":"Neural stain-style transfer learning using GAN for histopathological images","author":"Cho Hyungjoo","year":"2017","unstructured":"Hyungjoo Cho, Sungbin Lim, Gunho Choi, and Hyunseok Min. 2017. Neural stain-style transfer learning using GAN for histopathological images. 
arXiv preprint arXiv:1710.08543 (2017).","journal-title":"arXiv preprint arXiv:1710.08543"},{"key":"e_1_3_2_26_2","doi-asserted-by":"publisher","DOI":"10.1145\/1014052.1014066"},{"key":"e_1_3_2_27_2","doi-asserted-by":"publisher","DOI":"10.1145\/3219819.3219910"},{"key":"e_1_3_2_28_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.patcog.2021.108098"},{"key":"e_1_3_2_29_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2013.11.004"},{"key":"e_1_3_2_30_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICASSP.2018.8462581"},{"key":"e_1_3_2_31_2","doi-asserted-by":"publisher","DOI":"10.1109\/UEMCON51285.2020.9298135"},{"key":"e_1_3_2_32_2","doi-asserted-by":"publisher","DOI":"10.5555\/1791834.1791836"},{"key":"e_1_3_2_33_2","doi-asserted-by":"publisher","DOI":"10.1007\/11681878_14"},{"key":"e_1_3_2_34_2","first-page":"1","volume-title":"NDSS","author":"Eldefrawy Karim","year":"2012","unstructured":"Karim Eldefrawy, Gene Tsudik, Aur\u00e9lien Francillon, and Daniele Perito. 2012. SMART: Secure and minimal architecture for (establishing dynamic) root of trust. In NDSS, Vol. 12. 1\u201315."},{"key":"e_1_3_2_35_2","article-title":"Adversarial examples that fool both computer vision and time-limited humans","volume":"31","author":"Elsayed Gamaleldin","year":"2018","unstructured":"Gamaleldin Elsayed, Shreya Shankar, Brian Cheung, Nicolas Papernot, Alexey Kurakin, Ian Goodfellow, and Jascha Sohl-Dickstein. 2018. Adversarial examples that fool both computer vision and time-limited humans. Advances in Neural Information Processing Systems 31 (2018).","journal-title":"Advances in Neural Information Processing Systems"},{"key":"e_1_3_2_36_2","first-page":"226","volume-title":"KDD","author":"Ester Martin","year":"1996","unstructured":"Martin Ester, Hans-Peter Kriegel, J\u00f6rg Sander, Xiaowei Xu, et\u00a0al. 1996. A density-based algorithm for discovering clusters in large spatial databases with noise. In KDD, Vol. 96. 
226\u2013231."},{"key":"e_1_3_2_37_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2018.00175"},{"key":"e_1_3_2_38_2","first-page":"1605","volume-title":"29th USENIX Security Symposium (USENIX Security 20)","author":"Fang Minghong","year":"2020","unstructured":"Minghong Fang, Xiaoyu Cao, Jinyuan Jia, and Neil Gong. 2020. Local model poisoning attacks to byzantine-robust federated learning. In 29th USENIX Security Symposium (USENIX Security 20). 1605\u20131622."},{"key":"e_1_3_2_39_2","article-title":"A deep learning-based framework for conducting stealthy attacks in industrial control systems","author":"Feng Cheng","year":"2017","unstructured":"Cheng Feng, Tingting Li, Zhanxing Zhu, and Deeph Chana. 2017. A deep learning-based framework for conducting stealthy attacks in industrial control systems. arXiv preprint arXiv:1709.06397 (2017).","journal-title":"arXiv preprint arXiv:1709.06397"},{"key":"e_1_3_2_40_2","doi-asserted-by":"publisher","DOI":"10.1145\/2810103.2813677"},{"key":"e_1_3_2_41_2","first-page":"17","volume-title":"23rd USENIX Security Symposium (USENIX Security 14)","author":"Fredrikson Matthew","year":"2014","unstructured":"Matthew Fredrikson, Eric Lantz, Somesh Jha, Simon Lin, David Page, and Thomas Ristenpart. 2014. Privacy in pharmacogenetics: An end-to-end case study of personalized warfarin dosing. In 23rd USENIX Security Symposium (USENIX Security 14). 17\u201332."},{"key":"e_1_3_2_42_2","article-title":"Mitigating sybils in federated learning poisoning","author":"Fung Clement","year":"2018","unstructured":"Clement Fung, Chris J. M. Yoon, and Ivan Beschastnikh. 2018. Mitigating sybils in federated learning poisoning. 
arXiv preprint arXiv:1808.04866 (2018).","journal-title":"arXiv preprint arXiv:1808.04866"},{"key":"e_1_3_2_43_2","article-title":"Generative adversarial networks for spatio-temporal data: A survey","author":"Gao Nan","year":"2020","unstructured":"Nan Gao, Hao Xue, Wei Shao, Sichen Zhao, Kyle Kai Qin, Arian Prabowo, Mohammad Saiedur Rahaman, and Flora D. Salim. 2020. Generative adversarial networks for spatio-temporal data: A survey. arXiv preprint arXiv:2008.08903 (2020).","journal-title":"arXiv preprint arXiv:2008.08903"},{"key":"e_1_3_2_44_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2019.00125"},{"key":"e_1_3_2_45_2","first-page":"2242","volume-title":"International Conference on Machine Learning","author":"Ghorbani Amirata","year":"2019","unstructured":"Amirata Ghorbani and James Zou. 2019. Data Shapley: Equitable valuation of data for machine learning. In International Conference on Machine Learning. PMLR, 2242\u20132251."},{"key":"e_1_3_2_46_2","article-title":"Generative adversarial nets","volume":"27","author":"Goodfellow Ian","year":"2014","unstructured":"Ian Goodfellow, Jean Pouget-Abadie, Mehdi Mirza, Bing Xu, David Warde-Farley, Sherjil Ozair, Aaron Courville, and Yoshua Bengio. 2014. Generative adversarial nets. Advances in Neural Information Processing Systems 27 (2014).","journal-title":"Advances in Neural Information Processing Systems"},{"volume-title":"3rd International Conference on Learning Representations, ICLR 2015, San Diego, CA, USA, May 7-9, 2015, Conference Track Proceedings","year":"2015","author":"Goodfellow Ian J.","key":"e_1_3_2_47_2","unstructured":"Ian J. Goodfellow, Jonathon Shlens, and Christian Szegedy. 2015. Explaining and harnessing adversarial examples. 
In 3rd International Conference on Learning Representations, ICLR 2015, San Diego, CA, USA, May 7-9, 2015, Conference Track Proceedings."},{"key":"e_1_3_2_48_2","doi-asserted-by":"publisher","DOI":"10.1109\/TKDE.2021.3130191"},{"volume-title":"International Conference on Learning Representations","year":"2018","author":"Guo Chuan","key":"e_1_3_2_49_2","unstructured":"Chuan Guo, Mayank Rana, Moustapha Cisse, and Laurens van der Maaten. 2018. Countering adversarial images using input transformations. In International Conference on Learning Representations."},{"key":"e_1_3_2_50_2","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2020.3042328"},{"key":"e_1_3_2_51_2","first-page":"866","volume-title":"2019 IEEE International Parallel and Distributed Processing Symposium (IPDPS)","author":"Hardy Corentin","year":"2019","unstructured":"Corentin Hardy, Erwan Le Merrer, and Bruno Sericola. 2019. MD-GAN: Multi-discriminator generative adversarial networks for distributed datasets. In 2019 IEEE International Parallel and Distributed Processing Symposium (IPDPS). IEEE, 866\u2013877."},{"key":"e_1_3_2_52_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2019.06.012"},{"key":"e_1_3_2_53_2","doi-asserted-by":"publisher","DOI":"10.1109\/COMST.2019.2944748"},{"key":"e_1_3_2_54_2","doi-asserted-by":"publisher","DOI":"10.1162\/neco.2006.18.7.1527"},{"key":"e_1_3_2_55_2","doi-asserted-by":"publisher","DOI":"10.1126\/science.1127647"},{"key":"e_1_3_2_56_2","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134012"},{"key":"e_1_3_2_57_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-21568-2_11"},{"key":"e_1_3_2_58_2","doi-asserted-by":"publisher","DOI":"10.1145\/3301282"},{"key":"e_1_3_2_59_2","article-title":"Generating adversarial malware examples for black-box attacks based on GAN","author":"Hu Weiwei","year":"2017","unstructured":"Weiwei Hu and Ying Tan. 2017. Generating adversarial malware examples for black-box attacks based on GAN. 
arXiv preprint arXiv:1702.05983 (2017).","journal-title":"arXiv preprint arXiv:1702.05983"},{"key":"e_1_3_2_60_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2017.632"},{"key":"e_1_3_2_61_2","doi-asserted-by":"crossref","first-page":"19","DOI":"10.1109\/SP.2018.00057","volume-title":"2018 IEEE Symposium on Security and Privacy (SP)","author":"Jagielski Matthew","year":"2018","unstructured":"Matthew Jagielski, Alina Oprea, Battista Biggio, Chang Liu, Cristina Nita-Rotaru, and Bo Li. 2018. Manipulating machine learning: Poisoning attacks and countermeasures for regression learning. In 2018 IEEE Symposium on Security and Privacy (SP). IEEE, 19\u201335."},{"key":"e_1_3_2_62_2","first-page":"1895","volume-title":"28th USENIX Security Symposium (USENIX Security 19)","author":"Jayaraman Bargav","year":"2019","unstructured":"Bargav Jayaraman and David Evans. 2019. Evaluating differentially private machine learning in practice. In 28th USENIX Security Symposium (USENIX Security 19). 1895\u20131912."},{"key":"e_1_3_2_63_2","doi-asserted-by":"publisher","DOI":"10.1155\/2020\/3608173"},{"key":"e_1_3_2_64_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2019.00453"},{"key":"e_1_3_2_65_2","doi-asserted-by":"publisher","DOI":"10.1109\/DSN-W52860.2021.00035"},{"key":"e_1_3_2_66_2","doi-asserted-by":"crossref","first-page":"99","DOI":"10.1201\/9781351251389-8","volume-title":"Artificial Intelligence Safety and Security","author":"Kurakin Alexey","year":"2018","unstructured":"Alexey Kurakin, Ian J. Goodfellow, and Samy Bengio. 2018. Adversarial examples in the physical world. In Artificial Intelligence Safety and Security. 
Chapman and Hall\/CRC, 99\u2013112."},{"key":"e_1_3_2_67_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.sigpro.2020.107616"},{"key":"e_1_3_2_68_2","doi-asserted-by":"publisher","DOI":"10.1109\/JSYST.2019.2906120"},{"key":"e_1_3_2_69_2","article-title":"Understanding neural networks through representation erasure","author":"Li Jiwei","year":"2016","unstructured":"Jiwei Li, Will Monroe, and Dan Jurafsky. 2016. Understanding neural networks through representation erasure. arXiv preprint arXiv:1612.08220 (2016).","journal-title":"arXiv preprint arXiv:1612.08220"},{"key":"e_1_3_2_70_2","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/D17-1230"},{"key":"e_1_3_2_71_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.neucom.2020.12.114"},{"key":"e_1_3_2_72_2","doi-asserted-by":"publisher","DOI":"10.5555\/3294996.3295075"},{"key":"e_1_3_2_73_2","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v33i01.33011028"},{"key":"e_1_3_2_74_2","article-title":"Delving into transferable adversarial examples and black-box attacks","author":"Liu Yanpei","year":"2016","unstructured":"Yanpei Liu, Xinyun Chen, Chang Liu, and Dawn Song. 2016. Delving into transferable adversarial examples and black-box attacks. arXiv preprint arXiv:1611.02770 (2016).","journal-title":"arXiv preprint arXiv:1611.02770"},{"key":"e_1_3_2_75_2","doi-asserted-by":"publisher","DOI":"10.3390\/sym12040651"},{"key":"e_1_3_2_76_2","article-title":"Threats to federated learning: A survey","author":"Lyu Lingjuan","year":"2020","unstructured":"Lingjuan Lyu, Han Yu, and Qiang Yang. 2020. Threats to federated learning: A survey. 
arXiv preprint arXiv:2003.02133 (2020).","journal-title":"arXiv preprint arXiv:2003.02133"},{"key":"e_1_3_2_77_2","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSP48549.2020.00017"},{"key":"e_1_3_2_78_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV.2017.304"},{"key":"e_1_3_2_79_2","first-page":"1273","volume-title":"Artificial Intelligence and Statistics","author":"McMahan Brendan","year":"2017","unstructured":"Brendan McMahan, Eider Moore, Daniel Ramage, Seth Hampson, and Blaise Aguera y Arcas. 2017. Communication-efficient learning of deep networks from decentralized data. In Artificial Intelligence and Statistics. PMLR, 1273\u20131282."},{"key":"e_1_3_2_80_2","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v29i1.9569"},{"key":"e_1_3_2_81_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00029"},{"key":"e_1_3_2_82_2","article-title":"Conditional generative adversarial nets","author":"Mirza Mehdi","year":"2014","unstructured":"Mehdi Mirza and Simon Osindero. 2014. Conditional generative adversarial nets. arXiv preprint arXiv:1411.1784 (2014).","journal-title":"arXiv preprint arXiv:1411.1784"},{"key":"e_1_3_2_83_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2016.282"},{"key":"e_1_3_2_84_2","article-title":"Poisoning attacks with generative adversarial nets","author":"Mu\u00f1oz-Gonz\u00e1lez Luis","year":"2019","unstructured":"Luis Mu\u00f1oz-Gonz\u00e1lez, Bjarne Pfitzner, Matteo Russo, Javier Carnerero-Cano, and Emil C. Lupu. 2019. Poisoning attacks with generative adversarial nets. arXiv preprint arXiv:1906.07773 (2019).","journal-title":"arXiv preprint arXiv:1906.07773"},{"key":"e_1_3_2_85_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00065"},{"key":"e_1_3_2_86_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.comnet.2021.108149"},{"key":"e_1_3_2_87_2","article-title":"Semi-supervised learning with generative adversarial networks","author":"Odena Augustus","year":"2016","unstructured":"Augustus Odena. 2016. 
Semi-supervised learning with generative adversarial networks. arXiv preprint arXiv:1606.01583 (2016).","journal-title":"arXiv preprint arXiv:1606.01583"},{"key":"e_1_3_2_88_2","first-page":"2642","volume-title":"International Conference on Machine Learning","author":"Odena Augustus","year":"2017","unstructured":"Augustus Odena, Christopher Olah, and Jonathon Shlens. 2017. Conditional image synthesis with auxiliary classifier GANs. In International Conference on Machine Learning. PMLR, 2642\u20132651."},{"key":"e_1_3_2_89_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.cviu.2019.06.004"},{"key":"e_1_3_2_90_2","doi-asserted-by":"publisher","DOI":"10.5120\/13715-1478"},{"key":"e_1_3_2_91_2","article-title":"A review of deep learning methods for MRI reconstruction","author":"Pal Arghya","year":"2021","unstructured":"Arghya Pal and Yogesh Rathi. 2021. A review of deep learning methods for MRI reconstruction. arXiv preprint arXiv:2109.08618 (2021).","journal-title":"arXiv preprint arXiv:2109.08618"},{"key":"e_1_3_2_92_2","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2019.2905015"},{"key":"e_1_3_2_93_2","article-title":"Towards the science of security and privacy in machine learning","author":"Papernot Nicolas","year":"2016","unstructured":"Nicolas Papernot, Patrick McDaniel, Arunesh Sinha, and Michael Wellman. 2016. Towards the science of security and privacy in machine learning. arXiv preprint arXiv:1611.03814 (2016).","journal-title":"arXiv preprint arXiv:1611.03814"},{"key":"e_1_3_2_94_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2016.41"},{"key":"e_1_3_2_95_2","article-title":"Practical black-box attacks against deep learning systems using adversarial examples","volume":"1602","author":"Papernot Nicolas","year":"2016","unstructured":"Nicolas Papernot, Patrick D. McDaniel, Ian J. Goodfellow, Somesh Jha, Z. Berkay Celik, and Ananthram Swami. 2016. Practical black-box attacks against deep learning systems using adversarial examples. 
CoRR abs\/1602.02697 (2016).","journal-title":"CoRR"},{"volume-title":"4th International Conference on Learning Representations, ICLR 2016, San Juan, Puerto Rico, May 2-4, 2016, Conference Track Proceedings","year":"2016","author":"Radford Alec","key":"e_1_3_2_96_2","unstructured":"Alec Radford, Luke Metz, and Soumith Chintala. 2016. Unsupervised representation learning with deep convolutional generative adversarial networks. In 4th International Conference on Learning Representations, ICLR 2016, San Juan, Puerto Rico, May 2-4, 2016, Conference Track Proceedings."},{"key":"e_1_3_2_97_2","article-title":"GRNN: Generative regression neural network\u2013a data leakage attack for federated learning","author":"Ren Hanchi","year":"2021","unstructured":"Hanchi Ren, Jingjing Deng, and Xianghua Xie. 2021. GRNN: Generative regression neural network\u2013a data leakage attack for federated learning. arXiv preprint arXiv:2105.00529 (2021).","journal-title":"arXiv preprint arXiv:2105.00529"},{"key":"e_1_3_2_98_2","doi-asserted-by":"publisher","DOI":"10.1109\/SPW.2018.00019"},{"key":"e_1_3_2_99_2","doi-asserted-by":"publisher","DOI":"10.1109\/Trustcom.2015.357"},{"key":"e_1_3_2_100_2","first-page":"448","volume-title":"Artificial Intelligence and Statistics","author":"Salakhutdinov Ruslan","year":"2009","unstructured":"Ruslan Salakhutdinov and Geoffrey Hinton. 2009. Deep Boltzmann machines. In Artificial Intelligence and Statistics. PMLR, 448\u2013455."},{"key":"e_1_3_2_101_2","article-title":"Ml-leaks: Model and data independent membership inference attacks and defenses on machine learning models","author":"Salem Ahmed","year":"2018","unstructured":"Ahmed Salem, Yang Zhang, Mathias Humbert, Pascal Berrang, Mario Fritz, and Michael Backes. 2018. Ml-leaks: Model and data independent membership inference attacks and defenses on machine learning models. 
arXiv preprint arXiv:1806.01246 (2018).","journal-title":"arXiv preprint arXiv:1806.01246"},{"key":"e_1_3_2_102_2","article-title":"PixelCNN++: Improving the PixelCNN with discretized logistic mixture likelihood and other modifications","author":"Salimans Tim","year":"2017","unstructured":"Tim Salimans, Andrej Karpathy, Xi Chen, and Diederik P. Kingma. 2017. PixelCNN++: Improving the PixelCNN with discretized logistic mixture likelihood and other modifications. arXiv preprint arXiv:1701.05517 (2017).","journal-title":"arXiv preprint arXiv:1701.05517"},{"key":"e_1_3_2_103_2","article-title":"Defending against adversarial attacks by leveraging an entire GAN","author":"Santhanam Gokula Krishnan","year":"2018","unstructured":"Gokula Krishnan Santhanam and Paulina Grnarova. 2018. Defending against adversarial attacks by leveraging an entire GAN. arXiv preprint arXiv:1805.10652 (2018).","journal-title":"arXiv preprint arXiv:1805.10652"},{"key":"e_1_3_2_104_2","doi-asserted-by":"publisher","DOI":"10.1145\/3446374"},{"key":"e_1_3_2_105_2","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2019.2899367"},{"key":"e_1_3_2_106_2","doi-asserted-by":"publisher","DOI":"10.1145\/3337067"},{"key":"e_1_3_2_107_2","doi-asserted-by":"publisher","DOI":"10.1109\/ISSPIT.2018.8642683"},{"key":"e_1_3_2_108_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2017.41"},{"key":"e_1_3_2_109_2","doi-asserted-by":"publisher","DOI":"10.1109\/JSAC.2020.3000372"},{"key":"e_1_3_2_110_2","article-title":"Constructing unrestricted adversarial examples with generative models","volume":"31","author":"Song Yang","year":"2018","unstructured":"Yang Song, Rui Shu, Nate Kushman, and Stefano Ermon. 2018. Constructing unrestricted adversarial examples with generative models. 
Advances in Neural Information Processing Systems 31 (2018).","journal-title":"Advances in Neural Information Processing Systems"},{"key":"e_1_3_2_111_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICASSP.2018.8462456"},{"key":"e_1_3_2_112_2","article-title":"Information stealing in federated learning systems based on generative adversarial networks","author":"Sun Yuwei","year":"2021","unstructured":"Yuwei Sun, Ng Chong, and Hideya Ochiai. 2021. Information stealing in federated learning systems based on generative adversarial networks. arXiv preprint arXiv:2108.00701 (2021).","journal-title":"arXiv preprint arXiv:2108.00701"},{"key":"e_1_3_2_113_2","doi-asserted-by":"publisher","DOI":"10.1142\/S0218488502001648"},{"key":"e_1_3_2_114_2","article-title":"The information bottleneck method","author":"Tishby Naftali","year":"2000","unstructured":"Naftali Tishby, Fernando C. Pereira, and William Bialek. 2000. The information bottleneck method. arXiv preprint physics\/0004057 (2000).","journal-title":"arXiv preprint physics\/0004057"},{"key":"e_1_3_2_115_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.imavis.2021.104119"},{"key":"e_1_3_2_116_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.patter.2020.100089"},{"key":"e_1_3_2_117_2","first-page":"2","article-title":"WaveNet: A generative model for raw audio.","volume":"125","author":"Oord A\u00e4ron Van Den","year":"2016","unstructured":"A\u00e4ron Van Den Oord, Sander Dieleman, Heiga Zen, Karen Simonyan, Oriol Vinyals, Alex Graves, Nal Kalchbrenner, Andrew W. Senior, and Koray Kavukcuoglu. 2016. WaveNet: A generative model for raw audio. SSW 125 (2016), 2.","journal-title":"SSW"},{"issue":"3152676","key":"e_1_3_2_118_2","first-page":"10","article-title":"The EU general data protection regulation (GDPR)","volume":"10","author":"Voigt Paul","year":"2017","unstructured":"Paul Voigt and Axel Von dem Bussche. 2017. The EU general data protection regulation (GDPR). 
A Practical Guide, 1st Ed., Cham: Springer International Publishing 10, 3152676 (2017), 10\u20135555.","journal-title":"A Practical Guide, 1st Ed., Cham: Springer International Publishing"},{"key":"e_1_3_2_119_2","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2020.2994762"},{"key":"e_1_3_2_120_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.csl.2021.101308"},{"key":"e_1_3_2_121_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2018.00950"},{"key":"e_1_3_2_122_2","doi-asserted-by":"publisher","DOI":"10.1109\/JAS.2017.7510583"},{"key":"e_1_3_2_123_2","doi-asserted-by":"publisher","DOI":"10.1109\/TIP.2021.3106807"},{"issue":"4","key":"e_1_3_2_124_2","article-title":"AT-GAN: A generative attack model for adversarial transferring on generative adversarial nets","volume":"3","author":"Wang Xiaosen","year":"2019","unstructured":"Xiaosen Wang, Kun He, and John E. Hopcroft. 2019. AT-GAN: A generative attack model for adversarial transferring on generative adversarial nets. arXiv preprint arXiv:1904.07793 3, 4 (2019).","journal-title":"arXiv preprint 
arXiv:1904.07793"},{"key":"e_1_3_2_125_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.jpdc.2019.03.003"},{"key":"e_1_3_2_126_2","doi-asserted-by":"publisher","DOI":"10.1109\/INFOCOM.2019.8737416"},{"key":"e_1_3_2_127_2","doi-asserted-by":"publisher","DOI":"10.1038\/s41586-021-03583-3"},{"key":"e_1_3_2_128_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2018.00016"},{"key":"e_1_3_2_129_2","doi-asserted-by":"publisher","DOI":"10.24963\/ijcai.2019\/134"},{"key":"e_1_3_2_130_2","doi-asserted-by":"publisher","DOI":"10.22215\/timreview\/1282"},{"key":"e_1_3_2_131_2","doi-asserted-by":"publisher","DOI":"10.24963\/ijcai.2018\/543"},{"key":"e_1_3_2_132_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICC40277.2020.9149430"},{"key":"e_1_3_2_133_2","doi-asserted-by":"publisher","DOI":"10.1109\/IHMSC49165.2020.00057"},{"key":"e_1_3_2_134_2","doi-asserted-by":"publisher","DOI":"10.1109\/TCBB.2019.2940583"},{"key":"e_1_3_2_135_2","article-title":"Generative poisoning attack method against neural networks","author":"Yang Chaofei","year":"2017","unstructured":"Chaofei Yang, Qing Wu, Hai Li, and Yiran Chen. 2017. Generative poisoning attack method against neural networks. arXiv preprint arXiv:1703.01340 (2017).","journal-title":"arXiv preprint arXiv:1703.01340"},{"key":"e_1_3_2_136_2","doi-asserted-by":"publisher","DOI":"10.1145\/3298981"},{"key":"e_1_3_2_137_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.media.2019.101552"},{"key":"e_1_3_2_138_2","doi-asserted-by":"publisher","DOI":"10.1007\/s10462-019-09717-4"},{"key":"e_1_3_2_139_2","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v31i1.10804"},{"key":"e_1_3_2_140_2","first-page":"2536","volume-title":"ECAI 2020","author":"Yuan Junkun","year":"2020","unstructured":"Junkun Yuan, Shaofang Zhou, Lanfen Lin, Feng Wang, and Jia Cui. 2020. Black-box adversarial attacks against deep learning based malware binaries detection with GAN. In ECAI 2020. 
IOS Press, 2536\u20132542."},{"key":"e_1_3_2_141_2","first-page":"493","volume-title":"2020 USENIX Annual Technical Conference (USENIX ATC 20)","author":"Zhang Chengliang","year":"2020","unstructured":"Chengliang Zhang, Suyi Li, Junzhe Xia, Wei Wang, Feng Yan, and Yang Liu. 2020. BatchCrypt: Efficient homomorphic encryption for cross-silo federated learning. In 2020 USENIX Annual Technical Conference (USENIX ATC 20). 493\u2013506."},{"key":"e_1_3_2_142_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV.2017.629"},{"key":"e_1_3_2_143_2","doi-asserted-by":"publisher","DOI":"10.1109\/JIOT.2020.3023126"},{"key":"e_1_3_2_144_2","doi-asserted-by":"publisher","DOI":"10.1109\/TrustCom\/BigDataSE.2019.00057"},{"key":"e_1_3_2_145_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICC40277.2020.9148790"},{"key":"e_1_3_2_146_2","doi-asserted-by":"publisher","DOI":"10.1109\/ACPR.2017.61"},{"key":"e_1_3_2_147_2","article-title":"Generating adversarial examples with shadow model","author":"Zhang Rui","year":"2022","unstructured":"Rui Zhang, Hui Xia, Chunqiang Hu, Cheng Zhang, Chao Liu, and Fu Xiao. 2022. Generating adversarial examples with shadow model. IEEE Transactions on Industrial Informatics (2022).","journal-title":"IEEE Transactions on Industrial Informatics"},{"key":"e_1_3_2_148_2","article-title":"Exploiting defenses against GAN-based feature inference attacks in federated learning","author":"Zhang Xianglong","year":"2020","unstructured":"Xianglong Zhang and Xinjian Luo. 2020. Exploiting defenses against GAN-based feature inference attacks in federated learning. 
arXiv preprint arXiv:2004.12571 (2020).","journal-title":"arXiv preprint arXiv:2004.12571"},{"key":"e_1_3_2_149_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR42600.2020.00033"},{"key":"e_1_3_2_150_2","doi-asserted-by":"publisher","DOI":"10.24963\/ijcai.2021\/516"},{"key":"e_1_3_2_151_2","first-page":"1","article-title":"AP-GAN: Adversarial patch attack on content-based image retrieval systems","author":"Zhao Guoping","year":"2020","unstructured":"Guoping Zhao, Mingyu Zhang, Jiajun Liu, Yaxian Li, and Ji-Rong Wen. 2020. AP-GAN: Adversarial patch attack on content-based image retrieval systems. GeoInformatica (2020), 1\u201331.","journal-title":"GeoInformatica"},{"key":"e_1_3_2_152_2","article-title":"Unsupervised adversarial attacks on deep feature-based retrieval with GAN","author":"Zhao Guoping","year":"2019","unstructured":"Guoping Zhao, Mingyu Zhang, Jiajun Liu, and Ji-Rong Wen. 2019. Unsupervised adversarial attacks on deep feature-based retrieval with GAN. arXiv preprint arXiv:1907.05793 (2019).","journal-title":"arXiv preprint arXiv:1907.05793"},{"volume-title":"5th International Conference on Learning Representations, ICLR 2017","year":"2017","author":"Zhao Junbo","key":"e_1_3_2_153_2","unstructured":"Junbo Zhao, Michael Mathieu, and Yann LeCun. 2017. Energy-based generative adversarial networks. In 5th International Conference on Learning Representations, ICLR 2017."},{"key":"e_1_3_2_154_2","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2019.2939713"},{"key":"e_1_3_2_155_2","article-title":"Generating natural adversarial examples","author":"Zhao Zhengli","year":"2017","unstructured":"Zhengli Zhao, Dheeru Dua, and Sameer Singh. 2017. Generating natural adversarial examples. 
arXiv preprint arXiv:1710.11342 (2017).","journal-title":"arXiv preprint arXiv:1710.11342"},{"key":"e_1_3_2_156_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR42600.2020.01037"},{"key":"e_1_3_2_157_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.neucom.2021.04.069"},{"key":"e_1_3_2_158_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV.2017.244"},{"key":"e_1_3_2_159_2","article-title":"Deep leakage from gradients","volume":"32","author":"Zhu Ligeng","year":"2019","unstructured":"Ligeng Zhu, Zhijian Liu, and Song Han. 2019. Deep leakage from gradients. Advances in Neural Information Processing Systems 32 (2019).","journal-title":"Advances in Neural Information Processing Systems"},{"key":"e_1_3_2_160_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICIP.2019.8803269"}],"container-title":["ACM Computing Surveys"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3615336","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2024,8,12]],"date-time":"2024-08-12T11:47:04Z","timestamp":1723463224000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3615336"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,11,10]]},"references-count":159,"journal-issue":{"issue":"4","published-print":{"date-parts":[[2024,4,30]]}},"alternative-id":["10.1145\/3615336"],"URL":"http:\/\/dx.doi.org\/10.1145\/3615336","relation":{},"ISSN":["0360-0300","1557-7341"],"issn-type":[{"type":"print","value":"0360-0300"},{"type":"electronic","value":"1557-7341"}],"subject":[],"published":{"date-parts":[[2023,11,10]]},"assertion":[{"value":"2022-04-28","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2023-08-03","order":2,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication 
History"}},{"value":"2023-11-10","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}