Papers
Topics
Authors
Recent
Gemini 2.5 Flash
Gemini 2.5 Flash
133 tokens/sec
GPT-4o
7 tokens/sec
Gemini 2.5 Pro Pro
46 tokens/sec
o3 Pro
4 tokens/sec
GPT-4.1 Pro
38 tokens/sec
DeepSeek R1 via Azure Pro
28 tokens/sec
2000 character limit reached

Proactive DP: A Multple Target Optimization Framework for DP-SGD (2102.09030v10)

Published 17 Feb 2021 in cs.LG, math.OC, and stat.ML

Abstract: We introduce a multiple target optimization framework for DP-SGD referred to as pro-active DP. In contrast to traditional DP accountants, which are used to track the expenditure of privacy budgets, the pro-active DP scheme allows one to a-priori select parameters of DP-SGD based on a fixed privacy budget (in terms of $\epsilon$ and $\delta$) in such a way to optimize the anticipated utility (test accuracy) the most. To achieve this objective, we first propose significant improvements to the moment account method, presenting a closed-form $(\epsilon,\delta)$-DP guarantee that connects all parameters in the DP-SGD setup. We show that DP-SGD is $(\epsilon<0.5,\delta=1/N)$-DP if $\sigma=\sqrt{2(\epsilon +\ln(1/\delta))/\epsilon}$ with $T$ at least $\approx 2k2/\epsilon$ and $(2/e)2k2-1/2\geq \ln(N)$, where $T$ is the total number of rounds, and $K=kN$ is the total number of gradient computations where $k$ measures $K$ in number of epochs of size $N$ of the local data set. We prove that our expression is close to tight in that if $T$ is more than a constant factor $\approx 4$ smaller than the lower bound $\approx 2k2/\epsilon$, then the $(\epsilon,\delta)$-DP guarantee is violated. The above DP guarantee can be enhanced in thatDP-SGD is $(\epsilon, \delta)$-DP if $\sigma = \sqrt{2(\epsilon+\ln(1/\delta))/\epsilon}$ with $T$ at least $\approx 2k2/\epsilon$ together with two additional, less intuitive, conditions that allow larger $\epsilon\geq 0.5$. Our DP theory allows us to create a utility graph and DP calculator. These tools link privacy and utility objectives and search for optimal experiment setups, efficiently taking into account both accuracy and privacy objectives, as well as implementation goals. We furnish a comprehensive implementation flow of our proactive DP, with rigorous experiments to showcase the proof-of-concept.

Definition Search Book Streamline Icon: https://streamlinehq.com
References (41)
  1. Deep learning with differential privacy. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pages 308–318. ACM, 2016.
  2. Protection against reconstruction and its applications in private federated learning, 2019.
  3. Concentrated differential privacy: Simplifications, extensions, and lower bounds. arXiv, 2016a.
  4. Concentrated differential privacy: Simplifications, extensions, and lower bounds. In Martin Hirt and Adam D. Smith, editors, TCC, volume 9985, pages 635–658, 2016b.
  5. LIBSVM: A library for support vector machines. ACM Transactions on Intelligent Systems and Technology, 2:27:1–27:27, 2011.
  6. Taming the wild: A unified analysis of hogwild-style algorithms. In NIPS, pages 2674–2682, 2015.
  7. Revealing information while preserving privacy. In Proceedings of the twenty-second ACM SIGMOD-SIGACT-SIGART symposium on Principles of database systems, pages 202–210, 2003.
  8. Gaussian differential privacy. Journal of the Royal Statistical Society, 2021.
  9. Local privacy, data processing inequalities, and statistical minimax rates, 2014.
  10. Cynthia Dwork. A firm foundation for private data analysis. Communications of the ACM, 54(1):86–95, 2011.
  11. The algorithmic foundations of differential privacy. Foundations and Trends® in Theoretical Computer Science, 9(3–4):211–407, 2014.
  12. Concentrated differential privacy. arXiv preprint arXiv:1603.01887, 2016.
  13. Our data, ourselves: Privacy via distributed noise generation. In Annual International Conference on the Theory and Applications of Cryptographic Techniques, pages 486–503. Springer, 2006a.
  14. Calibrating noise to sensitivity in private data analysis. In Theory of cryptography conference, pages 265–284. Springer, 2006b.
  15. Inverting gradients – how easy is it to break privacy in federated learning? In NIPS, 2020.
  16. Differentially private federated learning: A client level perspective, 2018.
  17. Efficient and privacy-enhanced federated learning for industrial artificial intelligence. IEEE Transactions on Industrial Informatics, 16(10):6532–6542, 2020. doi: 10.1109/TII.2019.2945367.
  18. Imagenet classification with deep convolutional neural networks. Advances in neural information processing systems, 25:1097–1105, 2012.
  19. Improved asynchronous parallel optimization analysis for stochastic incremental methods. JMLR, 19(1):3140–3207, 2018.
  20. MNIST handwritten digit database. 2010. URL http://yann.lecun.com/exdb/mnist/.
  21. Gradient-based learning applied to document recognition. Proceedings of the IEEE, 86(11):2278–2324, 1998.
  22. Threats to federated learning: A survey, 2020.
  23. Learning differentially private recurrent language models. In International Conference on Learning Representations (ICLR), 2018. URL https://openreview.net/pdf?id=BJ0hF1Z0b.
  24. Toward robustness and privacy in federated learning: Experimenting with local and central differential privacy, 2021.
  25. Comprehensive privacy analysis of deep learning: Passive and active white-box inference attacks against centralized and federated learning. In 2019 IEEE Symposium on Security and Privacy (SP), pages 739–753, 2019. doi: 10.1109/SP.2019.00065.
  26. Sgd and hogwild! convergence without the bounded gradients assumption. In International Conference on Machine Learning, pages 3750–3758. PMLR, 2018.
  27. Hogwild! over distributed local data sets with linearly increasing mini-batch sizes. In International Conference on Artificial Intelligence and Statistics, pages 1207–1215. PMLR, 2021.
  28. Opacus. Opacus PyTorch library. URL https://opacus.ai.
  29. Scalable private learning with pate. In International conference on learning representations, 2018.
  30. Hogwild: A lock-free approach to parallelizing stochastic gradient descent. In Advances in neural information processing systems, pages 693–701, 2011.
  31. A stochastic approximation method. The annals of mathematical statistics., 1951.
  32. A stochastic gradient method with an exponential convergence rate for finite training sets. In F. Pereira, C. J. C. Burges, L. Bottou, and K. Q. Weinberger, editors, Advances in Neural Information Processing Systems, volume 25. Curran Associates, Inc., 2012.
  33. Membership inference attacks against machine learning models. In 2017 IEEE Symposium on Security and Privacy (SP), pages 3–18. IEEE, 2017.
  34. Membership inference attacks against adversarially robust deep learning models. In 2019 IEEE Security and Privacy Workshops (SPW), pages 50–56, 2019. doi: 10.1109/SPW.2019.00021.
  35. A hybrid approach to privacy-preserving federated learning. In Proceedings of the 12th ACM Workshop on Artificial Intelligence and Security, pages 1–11, 2019.
  36. A statistical framework for differential privacy. Journal of the American Statistical Association, 105(489):375–389, 2010.
  37. Differentially private model publishing for deep learning. 2019 IEEE Symposium on Security and Privacy (SP), May 2019. doi: 10.1109/sp.2019.00019. URL http://dx.doi.org/10.1109/SP.2019.00019.
  38. Hogwild++: A new mechanism for decentralized asynchronous stochastic gradient descent. In 2016 IEEE 16th International Conference on Data Mining (ICDM), pages 629–638. IEEE, 2016.
  39. idlg: Improved deep leakage from gradients, 2020.
  40. In Advances in Neural Information Processing Systems, volume 32, 2019.
  41. Optimal accounting of differential privacy via characteristic function. arXiv preprint arXiv:2106.08567, 2021.

Summary

We haven't generated a summary for this paper yet.

Ai Sparkles Streamline Icon: https://streamlinehq.com Summarize Now