Auto DP-SGD: Dual Improvements of Privacy and Accuracy via Automatic Clipping Threshold and Noise Multiplier Estimation (2312.02400v1)
Abstract: DP-SGD has emerged as a popular method for protecting personally identifiable information in deep learning applications. Unfortunately, DP-SGD's per-sample gradient clipping and uniform noise addition during training can significantly degrade model utility. To improve utility, researchers have proposed various adaptive DP-SGD methods. However, we examine these techniques and find that they either leak more privacy or reach lower accuracy than traditional DP-SGD, or have not been evaluated on a complex dataset such as CIFAR100. To address these limitations, we propose Auto DP-SGD. Our method automates clipping threshold estimation based on the DL model's gradient norm and scales the gradient of each training sample without losing gradient information. This improves the algorithm's utility while spending a smaller privacy budget. To further improve accuracy, we introduce automatic noise multiplier decay mechanisms that decrease the noise multiplier after every epoch. Finally, we derive closed-form mathematical expressions, using the tCDP accountant, for automatic noise multiplier and automatic clipping threshold estimation. Through extensive experimentation, we demonstrate that Auto DP-SGD outperforms existing SOTA DP-SGD methods in both privacy and accuracy on various benchmark datasets. We also show that privacy can be improved by lowering the scale factor and using learning rate schedulers without significantly reducing accuracy. Specifically, Auto DP-SGD with a step noise multiplier improves accuracy by 3.20, 1.57, 6.73, and 1.42 on the MNIST, CIFAR10, CIFAR100, and AG News Corpus datasets, respectively, and reduces the privacy budget by 94.9, 79.16, 67.36, and 53.37 on the corresponding datasets.
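The mechanics the abstract refers to, shown as an added runnable illustration (this is not code from the paper or its authors): standard DP-SGD aggregation with per-sample L2 clipping to a threshold C and Gaussian noise of standard deviation sigma*C, a step-decay schedule for the noise multiplier sigma, and a deliberately simple data-derived clipping threshold. The threshold estimator (a quantile of per-sample norms), the schedule constants and the sample gradients are assumptions chosen for illustration; the paper's closed-form tCDP-based estimators are not reproduced here.

```python
import math
import random
from typing import List, Optional, Sequence

Vector = List[float]


def l2_norm(v: Sequence[float]) -> float:
    return math.sqrt(sum(x * x for x in v))


def clip_per_sample(grad: Sequence[float], clip_threshold: float) -> Vector:
    """Per-sample clipping as in Abadi et al. (2016):
    g <- g * min(1, C / ||g||_2), so the clipped norm is at most C.
    Small gradients pass through unchanged; large ones keep their direction
    but lose magnitude (the utility cost the abstract mentions)."""
    norm = l2_norm(grad)
    if norm == 0.0:
        return list(grad)
    scale = min(1.0, clip_threshold / norm)
    return [x * scale for x in grad]


def clipped_sum(per_sample_grads: Sequence[Sequence[float]], clip_threshold: float) -> Vector:
    """Sum of clipped per-sample gradients. Every term has norm <= C, so adding
    or removing one sample moves this sum by at most C in L2 norm; that bound
    is the sensitivity the Gaussian noise is calibrated against."""
    dim = len(per_sample_grads[0])
    clipped = [clip_per_sample(g, clip_threshold) for g in per_sample_grads]
    return [sum(g[i] for g in clipped) for i in range(dim)]


def dp_sgd_gradient(per_sample_grads: Sequence[Sequence[float]], clip_threshold: float,
                    noise_multiplier: float, rng: Optional[random.Random] = None) -> Vector:
    """One DP-SGD aggregation step: clip, sum, add N(0, (sigma*C)^2) to each
    coordinate, then average over the batch. With noise_multiplier == 0 this
    reduces to the plain clipped mean, which is handy as a sanity check."""
    rng = rng if rng is not None else random.Random()
    total = clipped_sum(per_sample_grads, clip_threshold)
    noise_std = noise_multiplier * clip_threshold
    batch_size = len(per_sample_grads)
    return [(t + rng.gauss(0.0, noise_std)) / batch_size for t in total]


def step_noise_multiplier(sigma0: float, epoch: int, step_size: int, gamma: float) -> float:
    """Step-decay schedule (hypothetical constants, not the paper's):
    sigma_e = sigma0 * gamma ** (epoch // step_size).
    A smaller sigma means less noise in later epochs, but each such epoch
    costs more privacy, so the per-epoch sigma must be fed to the accountant
    (the paper uses tCDP for this; the accounting is not reproduced here)."""
    return sigma0 * gamma ** (epoch // step_size)


def norm_based_threshold(per_sample_grads: Sequence[Sequence[float]], quantile: float = 0.5) -> float:
    """Illustrative data-derived clipping threshold: a quantile of the
    per-sample gradient norms. This is NOT the paper's estimator.
    Caveat: the value depends on private data, so using it untreated leaks
    information; a real estimator needs its own noise or privacy accounting."""
    norms = sorted(l2_norm(g) for g in per_sample_grads)
    idx = min(len(norms) - 1, int(quantile * len(norms)))
    return norms[idx]


if __name__ == "__main__":
    rng = random.Random(0)
    # Constructed per-sample gradients for a 3-parameter model (not real data).
    batch = [[3.0, 4.0, 0.0], [0.1, 0.2, 0.1], [-6.0, 8.0, 0.0], [0.5, -0.5, 0.5]]
    C = norm_based_threshold(batch)
    for epoch in range(6):
        sigma = step_noise_multiplier(2.0, epoch, step_size=2, gamma=0.5)
        g = dp_sgd_gradient(batch, C, sigma, rng)
        print(f"epoch={epoch} C={C:.3f} sigma={sigma:.3f} grad={[round(x, 3) for x in g]}")
```

Two things worth checking when reading or modifying a scheme like this: the added noise has standard deviation sigma*C, so lowering either sigma or C shrinks the noise, but the per-step privacy cost of the Gaussian mechanism depends only on sigma (noise relative to sensitivity) and the sampling rate, not on C by itself; and any threshold derived from the batch, as in `norm_based_threshold`, is itself a function of private data and must be accounted for or noised, otherwise the clipping threshold becomes a side channel.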
Authors: Sai Venkatesh Chilukoti, Md Imran Hossen, Liqun Shan, Vijay Srinivas Tida, Xiai Hei