differential privacy machine learning
play

Differential Privacy Machine Learning Li Xiong Big Data + Machine - PowerPoint PPT Presentation

Jan 14, 2023 •2.76k likes •3.44k views

CS573 Data Privacy and Security Differential Privacy Machine Learning Li Xiong Big Data + Machine Learning + Machine Learning Under Adversarial Settings Data privacy/confidentiality attacks membership attacks, model inversion

  1. CS573 Data Privacy and Security Differential Privacy – Machine Learning Li Xiong

  2. Big Data + Machine Learning +

  3. Machine Learning Under Adversarial Settings • Data privacy/confidentiality attacks • membership attacks, model inversion attacks • Model integrity attacks • Training time: data poisoning attacks • Inference time: adversarial examples

  4. Differential Privacy for Machine Learning • Data privacy attacks • Model inversion attacks • Membership inference attacks • Differential privacy for deep learning • Noisy SGD • PATE

  5. Neural Networks

  7. Learning the parameters: Gradient Descent

  8. Stochastic Gradient Descent  Gradient Descent (batch GD)  The cost gradient is based on the complete training set, can be costly and longer to converge to minimum  Stochastic Gradient Descent (SGD, iterative or online-GD)  Update the weight after each training sample  The gradient based on a single training sample is a stochastic approximation of the true cost gradient  Converges faster but the path towards minimum may zig-zag  Mini-Batch Gradient Descent (MB-GD)  Update the weights based on small group of training samples

  9. Training-data extraction attacks Fredrikson et al. (2015) : Output (label) Private training dataset Philip Facial Jack Input (facial image) Recognitio Monica n Model … unknown

  10. Membership Inference Attacks against Machine Learning Models Reza Shokri , Marco Stronati, Congzheng Song, Vitaly Shmatikov

  11. 5 Membership Inference Attack Model Prediction Training Was this specific DATA data record part of Input Classification the training set? data airplane automobile … ship truck

  12. 8 Membership Inference Attack on Summary Statistics • Summary statistics (e.g., average) on each attribute • Underlying distribution of data is known [Homer et al. (2008)], [Dwork et al. (2015)], [Backes et al. (2016)] on Machine Learning Models Black-box setting: • No knowledge about the models’ parameters • No access to internal computations of the model • No knowledge about the underlying distribution of data

  13. 9 Exploit Model’s Predictions Main insight : ML models overfit to Model their training data Prediction API Training API DATA

  14. 9 Exploit Model’s Predictions Main insight : ML models overfit to Model their training data Prediction API Training API Input from DATA Classification the training set

  15. 9 Exploit Model’s Predictions Main insight : ML models overfit to Model their training data Prediction API Training API Input from DATA Classification the training set Input NOT from Classification the training set

  16. 9 Exploit Model’s Predictions Model Prediction API Training API Input from DATA Classification the training set Input NOT from Classification the training set Recognize the difference

  17. 10 ML against ML Model Prediction API Training API Input from DATA Classification the training set Input not from Classification the training set recognize the difference Train a ML model to

  18. 11 Train Attack Model using Shadow Models … Shadow Shadow Shadow Model 1 Model 2 Model k classification classification classification Train 1 Test 1 Train 2 Test 2 Train k Test k IN OUT IN OUT IN OUT Train the attack model to predict if an input was a member of the training set (in) or a non-member (out)

  19. 12 Obtaining Data for Training Shadow Models • Real : similar to training data of the target model (i.e., drawn from same distribution) • Synthetic : use a sampling algorithm to obtain data classified with high confidence by the target model

  20. 14 Constructing the Attack Model SYNTHETIC AT TA C K Tr a i n i n g Attack Shadow DATA DATA Shadow Model Model Shadow Shadow Shadow Shadow Shadow Models Prediction API

  21. 14 Constructing the Attack Model SYNTHETIC AT TA C K Tr a i n i n g Attack Shadow DATA DATA Shadow Model Model Shadow Shadow Shadow Shadow Shadow Models Prediction API Using the Attack Model Attack Model Model one single membership classification data record probability Prediction API

  22. 15 1 Real Data Marginal-Based Synthetic 0.9 Model-Based Synthetic Cumulative Fraction of Classes 0.8 0.7 0.6 overall accuracy: 0.5 0.89 0.4 shadows trained overall accuracy: 0.3 on synthetic data 0.93 0.2 shadows trained 0.1 on real data 0 0 0.2 0.4 0.6 0.8 1 Membership inference precision Purchase Dataset — Classify Customers (100 classes)

  23. 16 Privacy Learning Model training set data universe

  24. 16 Privacy Learning Does the model leak information about data in the training set? Model training set data universe

  25. 16 Privacy Learning Does the model leak Does the model information about data generalize to data in the training set? outside the training set? Model training set data universe

  26. 16 Privacy Learning Does the model leak Does the model information about data generalize to data in the training set? outside the training set? Model Overfitting is training set the common enemy! data universe

  27. 17 Not in a Direct Conflict! Privacy-preserving machine learning Utility (prediction accuracy) Privacy

  28. Differential Privacy for Machine Learning • Data privacy attacks • Model inversion attacks • Membership inference attacks • Differential privacy for deep learning • Noisy SGD • PATE

  29. DEEP LEARNING WITH DIFFERENTIAL PRIVACY Martin Abadi, Andy Chu, Ian Goodfellow*, Brendan McMahan, Ilya Mironov, Kunal T alwar , Li Zhang Google * OpenAI

  30. Differential Privacy (ε, δ) -Differential Privacy: The distribution of the output M ( D ) on database D is (nearly) the same as M ( D′ ) : Pr[ M ( D ) ∊ S ] ≤ exp(ε) ∙ Pr[ M ( D′ ) ∊ S ]+δ. ∀ S : quantifies information leakage allows for a small probability of failure

  31. Interpreting Differential Privacy Training Data SGD Model D D′

  32. Differential Privacy: Gaussian Mechanism If ℓ 2 - sensitivity of f : D → ℝ n : max D , D ′ || f ( D ) − f ( D ′)|| 2 < 1, then the Gaussian mechanism f ( D ) + N n (0, σ 2 ) offers (ε, δ) - differential privacy , where δ ≈ exp(- (εσ) 2 /2). Dwork, Kenthapadi, McSherry, Mironov, Naor , “Our Data, Ourselves”, Eurocrypt 2006

  33. Basic Composition Theorem If f is (ε 1 , δ 1 ) -DP and g is (ε 2 , δ 2 ) -DP , then f ( D ), g ( D ) is (ε 1 +ε 2 , δ 1 +δ 2 ) -DP

  34. Simple Recipe for CompositeFunctions Tocompute composite f with differential privacy 1. Bound sensitivity of f ’s components 2. Apply the Gaussian mechanism to each component 3. Compute total privacy via the composition theorem

  35. Deep Learning with DifferentialPrivacy

  36. Differentially Private Deep Learning 1. Loss function softmax loss 2. Training / Test data MNIST andCIFAR-10 PCA+ neural network 3. Topology Differentially private SGD 4. Training algorithm tune experimentally 5. Hyperparameters

  40. Naïve Privacy Analysis 1. Choose = 4 (1.2, 10 -5 ) -DP 2. Each step is (ε, δ) -DP 3. Number of steps T 10,000 (12,000, .1) -DP 4. Composition: ( T ε, T δ) -DP

  41. Advanced Composition Theorems

  42. Composition theorem +ε for Blue +.2ε for Blue + ε for Red

  43. Strong Composition Theorem 1. Choose = 4 (1.2, 10 -5 ) -DP 2. Each step is (ε, δ) -DP 3. Number of steps T 10,000 4. Strong comp: ( , T δ) -DP (360, .1) -DP Dwork, Rothblum, Vadhan, “Boosting and Differential Privacy”, FOCS 2010 Dwork, Rothblum, “Concentrated Differential Privacy”, https://arxiv .org/abs/1603.0188

  44. Amplification by Sampling = 4 1. Choose 1% 2. Each batch is q fraction of data (.024, 10 -7 ) -DP 3. Each step is (2 q ε, q δ) -DP 4. Number of steps T 10,000 (10, .001) -DP 5. Strong comp: ( , qT δ) -DP S. Kasiviswanathan, H. Lee, K. Nissim, S. Raskhodnikova, A. Smith, “What Can We Learn Privately?”, SIAM J. Comp, 2011

  45. Moments Accountant = 4 1. Choose 1% 2. Each batch is q fraction of data 3. Keeping track of privacy loss’s moments 4. Number of steps T 10,000 (1.25, 10 -5 ) -DP 5. Moments: ( , δ) -DP

  46. Results

  47. Our Datasets: “Fruit Flies of Machine Learning” MNIST dataset: CIFAR-10 dataset: 70,000 images 60,000 color images 28 ⨉ 28 pixels each 32 ⨉ 32 pixels each

  48. Summary of Results Baseline no privacy MNIST 98.3% CIFAR-10 80%

  49. Summary of Results [SS15] [WKC+16] Baseline reports ε per no privacy ε =2 parameter MNIST 98.3% 98% 80% CIFAR-10 80%

  50. Summary of Results [SS15] this work Baseline [WKC+16] ε =8 ε =2 ε =0.5 reports ε per ε =2 no privacy parameter δ = 10 -5 δ = 10 -5 δ = 10 -5 MNIST 98.3% 98% 80% 97% 95% 90% CIFAR-10 80% 73% 67%

  51. Contributions Differentially private deep learning applied to publicly ● available datasets and implemented in TensorFlow ○ https://github.com/tensorflow/models ● Innovations ○ Bounding sensitivity ofupdates Moments accountant to keep tracking of privacy loss ○ Lessons ● Recommendations for selection ofhyperparameters ○ Full version: https://arxiv .org/abs/1607.00133 ●

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Differential Privacy Maria-Florina Balcan 04/22/2015 Learning and Privacy To do machine

Differential Privacy Maria-Florina Balcan 04/22/2015 Learning and Privacy To do machine

Machine Learning and Differential Privacy Maria-Florina Balcan 04/22/2015 Learning and Privacy To do machine learning, we need data. What if the data contains sensitive information? medical data, web search query data, salary data,

725 views • 15 slides
Differential Privacy (Part III) Approximate (or ( , ))-differential privacy

Differential Privacy (Part III) Approximate (or ( , ))-differential privacy

Differential Privacy (Part III) Approximate (or ( , ))-differential privacy Generalized definition of differential privacy allowing for a (supposedly small) additive factor Used in a variety of applications A query mechanism M is (

1.27k views • 43 slides
Scalable Differential Privacy with Certified Robustness in Adversarial Learning NhatHai Phan 1 ,

Scalable Differential Privacy with Certified Robustness in Adversarial Learning NhatHai Phan 1 ,

The 37th International Conference on Machine Learning (ICML20), Jul 12 th - 18 th , 2020. Scalable Differential Privacy with Certified Robustness in Adversarial Learning NhatHai Phan 1 , My T. Thai 2 , Han Hu 1 , Ruoming Jin 3 , Tong Sun 4 ,

860 views • 23 slides
Privacy in Machine Learning Fatemehsadat Mireshghallah ICLR2020 Privacy: A Major Concern for

Privacy in Machine Learning Fatemehsadat Mireshghallah ICLR2020 Privacy: A Major Concern for

Privacy in Machine Learning Fatemehsadat Mireshghallah ICLR2020 Privacy: A Major Concern for Machine Learning Graphics Adopted from The New York Times Privacy Project 2 Famous incidents - Anonymization - A Face Is Exposed for AOL

1.03k views • 7 slides
Differential Privacy Techniques Beyond Differential Privacy Steven Wu Assistant Professor

Differential Privacy Techniques Beyond Differential Privacy Steven Wu Assistant Professor

Differential Privacy Techniques Beyond Differential Privacy Steven Wu Assistant Professor University of Minnesota 1 Differential privacy? Isnt it just adding noise? How to add smart noise to guarantee privacy without sacrificing

592 views • 57 slides
Guarding user Privacy with Federated Learning and Differential Privacy Brendan McMahan

Guarding user Privacy with Federated Learning and Differential Privacy Brendan McMahan

Guarding user Privacy with Federated Learning and Differential Privacy Brendan McMahan mcmahan@google.com DIMACS/Northeast Big Data Hub Workshop on Overcoming Barriers to Data Sharing including Privacy and Fairness 2017.10.24 Our Goal Imbue

956 views • 70 slides
CS573 Data Privacy and Security Local Differential Privacy Li Xiong Privacy at Scale: Local

CS573 Data Privacy and Security Local Differential Privacy Li Xiong Privacy at Scale: Local

CS573 Data Privacy and Security Local Differential Privacy Li Xiong Privacy at Scale: Local Differential Privacy in Practice (Module 1) Graham Cormode, Somesh Jha, Tejas Kulkarni, Ninghui Li, Divesh Srivastava, and Tianhao Wang Differential

819 views • 38 slides
Differential Privacy Li Xiong Outline Differential Privacy Definition Basic techniques

Differential Privacy Li Xiong Outline Differential Privacy Definition Basic techniques

CS573 Data Privacy and Security Differential Privacy Li Xiong Outline Differential Privacy Definition Basic techniques Composition theorems Statistical Data Privacy Non-interactive vs interactive Privacy goal: individual is

1.15k views • 64 slides
Deep Learning With Differential Privacy Presenter: Xiaojun Xu Deep Learning Framework

Deep Learning With Differential Privacy Presenter: Xiaojun Xu Deep Learning Framework

Deep Learning With Differential Privacy Presenter: Xiaojun Xu Deep Learning Framework Autonomous Driving Gaming Face Recognition Healthcare Deep Learning Framework Dataset Server Model Privacy Issues of Training Data Dataset Server

366 views • 33 slides
Toniann Pitassi Outline 1. Differential Privacy: The Basics 2. Differential Privacy in New

Toniann Pitassi Outline 1. Differential Privacy: The Basics 2. Differential Privacy in New

Differential Privacy and Fairness: Foundations and New Frontiers Toniann Pitassi Outline 1. Differential Privacy: The Basics 2. Differential Privacy in New Settings - Pan Privacy - Privacy in multi-party settings - Fairness Outline

947 views • 49 slides
CS573 Data Privacy and Security Differential Privacy Real World Deployments Li Xiong

CS573 Data Privacy and Security Differential Privacy Real World Deployments Li Xiong

CS573 Data Privacy and Security Differential Privacy Real World Deployments Li Xiong Applying Differential Privacy Real world deployments of differential privacy OnTheMap RAPPOR Module 4 Tutorial: Differential Privacy in the Wild

617 views • 30 slides
SECURITY, ADVERSARIAL SECURITY, ADVERSARIAL LEARNING, AND PRIVACY LEARNING, AND PRIVACY

SECURITY, ADVERSARIAL SECURITY, ADVERSARIAL LEARNING, AND PRIVACY LEARNING, AND PRIVACY

SECURITY, ADVERSARIAL SECURITY, ADVERSARIAL LEARNING, AND PRIVACY LEARNING, AND PRIVACY Christian Kaestner with slides from Eunsuk Kang Required reading: Hulten, Geoff. &quot;Building Intelligent Systems: A Guide to Machine Learning

1.95k views • 113 slides
Bridging Privacy Definitions: Differential Privacy and Concepts from Privacy Law &amp; Policy

Bridging Privacy Definitions: Differential Privacy and Concepts from Privacy Law &amp; Policy

Bridging Privacy Definitions: Differential Privacy and Concepts from Privacy Law &amp; Policy Alexandra Wood Berkman Klein Center for Internet &amp; Society at Harvard University DIMACS/Northeast Big Data Hub Workshop on Overcoming Barriers to

964 views • 54 slides
DEEP LEARNING WITH DIFFERENTIAL PRIVACY Martin Abadi, Andy Chu, Ian Goodfellow*, Brendan

DEEP LEARNING WITH DIFFERENTIAL PRIVACY Martin Abadi, Andy Chu, Ian Goodfellow*, Brendan

DEEP LEARNING WITH DIFFERENTIAL PRIVACY Martin Abadi, Andy Chu, Ian Goodfellow*, Brendan McMahan, Ilya Mironov, Kunal Talwar, Li Zhang Google * Open AI 2 3 Deep Learning Fashion Cognitive tasks: speech, text, image recognition

787 views • 53 slides
Privacy in Machine Learning Fatemehsadat Mireshghallah WiMLDS NeurIPS19 Meet-up Why is privacy a

Privacy in Machine Learning Fatemehsadat Mireshghallah WiMLDS NeurIPS19 Meet-up Why is privacy a

Privacy in Machine Learning Fatemehsadat Mireshghallah WiMLDS NeurIPS19 Meet-up Why is privacy a concern in ML? Patient History Genetic Data Search History Famous incidents - Anonymization - A Face Is Exposed for AOL Searcher No.

1.51k views • 17 slides
New Directions in Privacy- preserving Machine Learning Kamalika Chaudhuri University of

New Directions in Privacy- preserving Machine Learning Kamalika Chaudhuri University of

New Directions in Privacy- preserving Machine Learning Kamalika Chaudhuri University of California, San Diego Sensitive Data Medical Records Genetic Data Search Logs AOL Violates Privacy AOL Violates Privacy Netflix Violates Privacy [NS08]

957 views • 92 slides
iSCSI SANs Dont Have To Suck Derek J. Balling Data Center Manager derekb@answers.com

iSCSI SANs Dont Have To Suck Derek J. Balling Data Center Manager derekb@answers.com

iSCSI SANs Dont Have To Suck Derek J. Balling Data Center Manager derekb@answers.com Thursday, November 11, 2010 1 What is iSCSI? iSCSI is a network-based block-level disk protocol Essentially SCSI commands stuffed into the payload

843 views • 47 slides
Introduc)onto Computa)onal LexicalSeman)cs BillMacCartney

Introduc)onto Computa)onal LexicalSeman)cs BillMacCartney

Introduc)onto Computa)onal LexicalSeman)cs BillMacCartney CS224U,Lecture2 StanfordUniversity 12January2012 [slidesadaptedfromDanJurafsky] Outline 1)

936 views • 75 slides
Multiple zeta values for classical special functions Tanay Wakhare, Christophe Vignat May 23,

Multiple zeta values for classical special functions Tanay Wakhare, Christophe Vignat May 23,

Multiple zeta values for classical special functions Tanay Wakhare, Christophe Vignat May 23, 2018 Tanay Wakhare MZV Given some function G ( z ) , we denote by { a n } the set of its zeros (assumed to be non-zero complex numbers). Then define a

1.27k views • 88 slides
the Control System? Stephane Deghaye (BE-CO) Many thanks to all the colleagues who gave me

the Control System? Stephane Deghaye (BE-CO) Many thanks to all the colleagues who gave me

How to improve interactions with the Control System? Stephane Deghaye (BE-CO) Many thanks to all the colleagues who gave me feedback on the interaction with Accelerator Control System Evian16 2 14-12-2016 Evaluation criteria

501 views • 18 slides
tr t rr

tr t rr

tr t rr tr t rr rr t strtrs t s

774 views • 44 slides
Anglo-Saxon Short Poetry 05.23.13 || English 2322: British Literature: Anglo-Saxon Mid 18th

Anglo-Saxon Short Poetry 05.23.13 || English 2322: British Literature: Anglo-Saxon Mid 18th

Anglo-Saxon Short Poetry 05.23.13 || English 2322: British Literature: Anglo-Saxon Mid 18th Century || D. Glen Smith, instructor Anglo-Saxon Literature Random Poetic Conventions Reviewed ( look for these attributes ) accented syllables :

381 views • 10 slides
class Fruit: ripe = False def __init__(self, taste, size): self.taste = taste self.size = size

class Fruit: ripe = False def __init__(self, taste, size): self.taste = taste self.size = size

WWPD, N ONLOCAL /L IST M UTATION , L INKED L ISTS , T REES C OMPUTER S CIENCE 61A October 4, 2016 1 WWPD 1.1 Questions 1. Does Jack Like Jackfruits? For each of the statements below, write the output displayed by the interactive Python

212 views • 10 slides
Natural Language Processing with Deep Learning LSTM, GRU, and applications in summarization and

Natural Language Processing with Deep Learning LSTM, GRU, and applications in summarization and

Natural Language Processing with Deep Learning LSTM, GRU, and applications in summarization and contextualized word embeddings Navid Rekab-Saz navid.rekabsaz@jku.at Institute of Computational Perception Institute of Computational Perception

1.11k views • 51 slides

More recommend