Differentially Private Deep Learning

Zhang, Qiuchen (Spring 2021)

Permanent URL: https://etd.library.emory.edu/concern/etds/ms35tb037?locale=zh
Published

Abstract

Deep learning models have achieved great success in many real-world tasks, such as image recognition and machine translation. A large amount of data is needed to train a model, and in many cases the training data are private. Publishing or sharing a deep learning model trained on private datasets could therefore raise privacy concerns. Differential privacy (DP) has been widely accepted as a strong and provable privacy framework for statistical data analysis. Recent works have developed deep learning models with DP, which requires that the statistical model (parameters) learned from a dataset be indistinguishable regardless of the presence or absence of any single record in that dataset. Most works on deep learning with DP focus on improving model accuracy under a given privacy requirement, or on enhancing the privacy-utility trade-off. However, existing approaches become less effective as the model grows deeper or the privacy requirement becomes tighter. Meanwhile, there is still little demonstration of how effective DP is in practice at protecting against existing privacy attacks. Additionally, achieving meaningful differential privacy for graph neural networks, which operate on non-Euclidean data, is still an open problem. To address these limitations, we 1) propose new mechanisms that enhance the privacy-utility trade-off in private model training and make it more practical to obtain meaningful privacy guarantees when training deep models on sensitive data; 2) propose new DP notions and develop algorithms that provide a quantifiable privacy guarantee against model inversion attacks, whose goal is to recover the visual properties or features of a target class; and 3) develop new algorithms that achieve node-level differential privacy when training deep learning models on graph data, based on differentially private approximate personalized PageRank and differentially private stochastic gradient descent.

Table of Contents

1 Introduction
    1.1 Motivation
    1.2 Research Contributions
2 Background
    2.1 Differential Privacy
    2.2 Deep Learning with Differential Privacy
3 Towards Training Robust PATE Under Noisy Labels
    3.1 Introduction
    3.2 Preliminaries
        3.2.1 The PATE Framework
        3.2.2 Co-teaching and Co-teaching+ Mechanisms
    3.3 Improved Training Mechanism For PATE
        3.3.1 PATE+: Student Model with Co-teaching+
        3.3.2 Privacy Guarantee of PATE+
        3.3.3 PATE++: PATE+ with Noisy Label Cleansing
    3.4 Experiments
        3.4.1 Fashion-MNIST
        3.4.2 SVHN
    3.5 Related Work
    3.6 Conclusion
4 Provide Quantifiable Privacy Guarantees Against MIA
    4.1 Introduction
    4.2 Preliminaries
        4.2.1 Model Inversion Attack
    4.3 Improved Model Inversion Attack
    4.4 Class and Subclass Differential Privacy
        4.4.1 Class-Level Differential Privacy
        4.4.2 Algorithm for Class-DP
        4.4.3 Subclass-Level Differential Privacy
    4.5 Experiments
        4.5.1 MNIST
        4.5.2 Faces94
    4.6 Related Work
    4.7 Conclusion
5 Achieving Node-Level Differential Privacy for GNN Models
    5.1 Introduction
    5.2 Preliminaries
        5.2.1 Graph Neural Networks
        5.2.2 Decoupling GNNs with Personalized PageRank
    5.3 Differentially Private Graph Neural Network
        5.3.1 Differentially Private SGD
        5.3.2 Differentially Private Approximate Personalized PageRank
        5.3.3 Differentially Private GNNs
    5.4 Experimental Results
        5.4.1 Privacy vs. Accuracy Trade-off
        5.4.2 Demonstration of Privacy Protection Effectiveness
        5.4.3 Effects of Privacy Parameters
    5.5 Related Work
    5.6 Conclusion
6 Conclusion and Future Work
Bibliography

About this Dissertation

Rights statement
  • Permission granted by the author to include this thesis or dissertation in this repository. All rights reserved by the author. Please contact the author for information regarding the reproduction and use of this thesis or dissertation.
Language
  • English