
Privacy-preserving Fine-tuning of Large Language Models through Flatness (2403.04124v1)

Published 7 Mar 2024 in cs.AI

Abstract: The privacy concerns associated with the use of LLMs have grown recently with the development of LLMs such as ChatGPT. Differential Privacy (DP) techniques are explored in existing work to mitigate their privacy risks at the cost of generalization degradation. Our paper reveals that the flatness of DP-trained models' loss landscape plays an essential role in the trade-off between their privacy and generalization. We further propose a holistic framework to enforce appropriate weight flatness, which substantially improves model generalization with competitive privacy preservation. It innovates at three coarse-to-fine levels, including perturbation-aware min-max optimization on model weights within a layer, flatness-guided sparse prefix-tuning on weights across layers, and weight knowledge distillation between DP and non-DP weight copies. Comprehensive experiments in both black-box and white-box scenarios are conducted to demonstrate the effectiveness of our proposal in enhancing generalization and maintaining DP characteristics. For instance, on the text classification dataset QNLI, DP-Flat achieves performance similar to non-private full fine-tuning but with a DP guarantee under privacy budget $\epsilon=3$, and even better performance given higher privacy budgets. Code is provided in the supplement.

Authors (7)
  1. Tiejin Chen (15 papers)
  2. Longchao Da (20 papers)
  3. Huixue Zhou (14 papers)
  4. Pingzhi Li (31 papers)
  5. Kaixiong Zhou (52 papers)
  6. Tianlong Chen (202 papers)
  7. Hua Wei (71 papers)
Citations (3)
