
Pre-Pruning and Gradient-Dropping Improve Differentially Private Image Classification (2306.11754v1)

Published 19 Jun 2023 in cs.CV, cs.CR, and cs.LG

Abstract: Scalability is a significant challenge when it comes to applying differential privacy to training deep neural networks. The commonly used DP-SGD algorithm struggles to maintain a high level of privacy protection while achieving high accuracy on even moderately sized models. To tackle this challenge, we take advantage of the fact that neural networks are overparameterized, which allows us to improve neural network training with differential privacy. Specifically, we introduce a new training paradigm that uses pre-pruning and gradient-dropping to reduce the parameter space and improve scalability. The process starts with pre-pruning the parameters of the original network to obtain a smaller model that is then trained with DP-SGD. During training, less important gradients are dropped, and only selected gradients are updated. Our training paradigm introduces a tension between the rates of pre-pruning and gradient-dropping, privacy loss, and classification accuracy. Too much pre-pruning and gradient-dropping reduces the model's capacity and worsens accuracy, while training a smaller model requires less privacy budget for achieving good accuracy. We evaluate the interplay between these factors and demonstrate the effectiveness of our training paradigm for both training from scratch and fine-tuning pre-trained networks on several benchmark image classification datasets. The tools can also be readily incorporated into existing training paradigms.

Authors (3)
  1. Kamil Adamczewski (19 papers)
  2. Yingchen He (3 papers)
  3. Mijung Park (28 papers)
Citations (1)
