Differentially Private Deep Learning
Zhang, Qiuchen (Spring 2021)
Abstract
Deep learning models have achieved great success in many real-world tasks, such as image recognition and machine translation. A large amount of data is needed to train a model, and in many cases the training data are private. Publishing or sharing a deep learning model trained on a private dataset can therefore raise privacy concerns. Differential privacy (DP) has been widely accepted as a strong and provable privacy framework for statistical data analysis. Recent work has developed deep learning models with DP, which requires that the statistical model (its parameters) learned from a dataset be indistinguishable regardless of the presence or absence of any single record in that dataset. Most work on deep learning with DP focuses on improving model accuracy under a given privacy requirement, or on improving the privacy-utility trade-off. However, existing approaches become less effective as the model goes deeper or the privacy requirement becomes tighter. Meanwhile, there is still little demonstration of how effective DP is in practice at protecting against existing privacy attacks. Additionally, achieving meaningful differential privacy for graph neural networks, which operate on non-Euclidean data, is still an open problem. To address these limitations, we 1) propose new mechanisms that improve the privacy-utility trade-off in private model training and make it more practical to obtain meaningful privacy guarantees when training deep models on sensitive data. Moreover, we 2) propose new DP notions and develop algorithms that provide a quantifiable privacy guarantee against model inversion attacks, whose goal is to recover the visual properties or features of a target class. Finally, we 3) develop new algorithms that achieve node-level differential privacy when training deep learning models on graph data, based on differentially private approximate personalized PageRank and differentially private stochastic gradient descent.
Table of Contents
1 Introduction
  1.1 Motivation
  1.2 Research Contributions
2 Background
  2.1 Differential Privacy
  2.2 Deep Learning with Differential Privacy
3 Towards Training Robust PATE Under Noisy Labels
  3.1 Introduction
  3.2 Preliminaries
    3.2.1 The PATE Framework
    3.2.2 Co-teaching and Co-teaching+ Mechanisms
  3.3 Improved Training Mechanism For PATE
    3.3.1 PATE+: Student Model with Co-teaching+
    3.3.2 Privacy Guarantee of PATE+
    3.3.3 PATE++: PATE+ with Noisy Label Cleansing
  3.4 Experiments
    3.4.1 Fashion-MNIST
    3.4.2 SVHN
  3.5 Related Work
  3.6 Conclusion
4 Provide Quantifiable Privacy Guarantees Against MIA
  4.1 Introduction
  4.2 Preliminaries
    4.2.1 Model Inversion Attack
  4.3 Improved Model Inversion Attack
  4.4 Class and Subclass Differential Privacy
    4.4.1 Class-Level Differential Privacy
    4.4.2 Algorithm for Class-DP
    4.4.3 Subclass-Level Differential Privacy
  4.5 Experiments
    4.5.1 MNIST
    4.5.2 Faces94
  4.6 Related Work
  4.7 Conclusion
5 Achieving Node-Level Differential Privacy for GNN Models
  5.1 Introduction
  5.2 Preliminaries
    5.2.1 Graph Neural Networks
    5.2.2 Decoupling GNNs with Personalized PageRank
  5.3 Differentially Private Graph Neural Network
    5.3.1 Differentially Private SGD
    5.3.2 Differentially Private Approximate Personalized PageRank
    5.3.3 Differentially Private GNNs
  5.4 Experimental Results
    5.4.1 Privacy vs. Accuracy Trade-off
    5.4.2 Demonstration of Privacy Protection Effectiveness
    5.4.3 Effects of Privacy Parameters
  5.5 Related Work
  5.6 Conclusion
6 Conclusion and Future Work
Bibliography
Primary PDF
Title | Date Uploaded
---|---
Differentially Private Deep Learning | 2021-05-05 16:21:04 -0400