differentially private deep learning from an optimization
play

Differentially-Private Deep Learning from an Optimization - PowerPoint PPT Presentation

Apr 22, 2023 •275 likes •463 views

Differentially-Private Deep Learning from an Optimization Perspective Presenter: Liyao Xiang Shanghai Jiao Tong University 4/30/2019 Privacy Threat Personal information in big data era Is anonymization sufficient to protect user

  1. Differentially-Private Deep Learning from an Optimization Perspective Presenter: Liyao Xiang Shanghai Jiao Tong University 4/30/2019

  2. Privacy Threat ‣ Personal information in big data era ‣ Is anonymization sufficient to protect user privacy? ‣ Netflix recommendation challenge: remove personal identity information, replace names with random numbers ‣ De-anonymize the Netflix database with the public information on IMDb ‣ De-anonymization even works on partial, distorted, wrong data! 2

  3. Side Information new comer Side information hurts privacy! 3 3

  4. Differential Privacy adjacent inputs Constraint: P [ M ( I ) ∈ O ] ≤ e ✏ P [ M ( I 0 ) ∈ O ] P[ M (7) ∈ O] P[ M (8) ∈ O] smaller ✏ indicates higher privacy Output O 4 4

  5. Deep Learning with Differential Privacy θ = ( 𝜄 1 , …, 𝜄 n ) ϑ = ( 𝜘 1 , …, 𝜘 n ) Perturbation Differentially-private model stochastic gradient tells! (DPSGD): add noise to gradient g t in each iteration of update 5

  6. Deep Learning with Differential Privacy The recent work [Abadi et. al., CCS’ 16] only achieves ~90% accuracy whereas training w/o privacy reaches over 99% on MNIST. The result of [Shokri et. al., CCS’ 15] is even worse. Privacy Accuracy 6 6

  7. higher lower more noise ϑ privacy accuracy? level ϑ In previous works: link between inserted noise less noise and accuracy is θ broken 7

  8. Model Sensitivity 85% ϑ 90% different θ same accuracy amount levels of total noise ϑ 8

  9. Example add noise different cost! b 1 b 2 b 3 𝝸 1 X1 h1 Y b 3 Noise X2 h2 θ 6 Noise 𝝸 6 9

  10. Optimized Additive Noise Scheme ‣ Model sensitivity w = (w 1 , w 2 , …, w d ) ∈ D d : derivative vector of the cost on all training examples w.r.t. all parameters ‣ To keep the cost minimal, noise should be added to the least sensitive direction of the cost function ‣ Seek a probability distribution of the noise to minimize the cost as well as to meet differential privacy constraint! 10

  11. Optimized Additive Noise Scheme Objective distribution of model sensitivity noise Z Z minimize h w , z i P (d z 1 . . . d z d ) . . . P z d z 1 additive noise cost increases as θ i increases ⇒ w i = ∂ C > 0 cost is more sensitive to ∂θ i pushes z i to a direction where z i < 0 changes of θ i than θ j ⇒ less ∂ C > ∂ C > 0 noise should be added to θ i ∂θ i ∂θ j 11

  12. Optimized Additive Noise Scheme Constraint k g t � g 0 t k global sensitivity on α = sup 8 X , X 0 s.t. d ( X , X 0 )=1 adjacent inputs: L2-norm training datasets between the differ by a single Pr[ M ( g t ) ∈ O ] ≤ e ✏ Pr[ M ( g 0 t ) ∈ O ] gradients instance ⇒ Pr[ g t + z ∈ O ] ≤ e ✏ Pr[ g 0 t + z ∈ O ] ⇒ Pr[ z ∈ O − g t ] ≤ e ✏ Pr[ z ∈ O − g 0 t ] ⇒ Pr[ z ∈ O 0 ] ≤ e ✏ Pr[ z ∈ O 0 + g t − g 0 t ] 12

  13. Optimized Additive Noise Scheme Z Z minimize h w , z i P (d z 1 . . . d z d ) . . . P z d z 1 s.t. Pr[ z 2 O 0 ]  e ✏ Pr[ z 2 O 0 + ∆ ] 8 O 0 ✓ R d , || ∆ ||  α Z minimize z ∈ R d k w � z k 1 p ( z )d z p p ( z ) p ( z + ∆ )  ✏ , 8 || ∆ ||  ↵ , ∆ 2 R d . s.t. ln 13

  14. Composition ‣ So far, we only show how to provide privacy guarantee in a single iteration of update ‣ In practice, SGD takes many iterations until convergence ‣ Iterative computation exposes the training data multiple times, degrading privacy level! ‣ Our solution: Advanced composition theorem for differential privacy + privacy amplification by sampling 14

  15. Optimized Additive Noise Mechanism 1. Compute per-iteration privacy parameters according to composition theorem 2. For each iteration 1. Compute model sensitivity w 2. Solve the optimization problem to find noise distribution 3. Sample a noise 4. For each batch of training data: Compute and clip the gradient by global sensitivity 5. Compute the average gradient for the batch 6. Add noise to the average gradient 7. Update model parameters 15

  16. Implementation Implement optimized noise generator (ours) and Gaussian noise generator (the state-of-the-art, Abadi et. al.) on Keras and Tensorflow Problem : computational challenges due to high dimensionality Solving the optimization problem using GPU operations Numpy noise generator 16

  17. MNIST CIFAR-10 95 85 80 73.75 Accuracy (%) Accuracy (%) 65 62.5 G: δ =1e-5 G( 𝝑 =0.3, δ =1e-5) G: δ =1e-4 O( 𝝑 =0.3, δ =1e-5) 50 O: δ =1e-5 G( 𝝑 =1, δ =1e-5) 51.25 O( 𝝑 =1, δ =1e-5) O: δ =1e-4 Unperturbed 35 40 400 800 1200 1600 2000 0.01 0.025 0.1 0.5 1.2 Iteration No. ε Our scheme achieves higher accuracy over [Abadi CCS’ 16] under the same privacy guarantee 17 17

  18. Thank you! 18

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Differentially Private Model Publishing for Deep Learning Lei Yu, Ling Liu, Calton Pu , Mehmet

Differentially Private Model Publishing for Deep Learning Lei Yu, Ling Liu, Calton Pu , Mehmet

Differentially Private Model Publishing for Deep Learning Lei Yu, Ling Liu, Calton Pu , Mehmet Emre Gursoy, Stacey Truex School of Computer Science, College of Computing Georgia Institute of Technology This work is partially sponsored by NSF

594 views • 30 slides
Differentially Private Distributed Convex Optimization via Functional Perturbation Erfan Nozari

Differentially Private Distributed Convex Optimization via Functional Perturbation Erfan Nozari

Differentially Private Distributed Convex Optimization via Functional Perturbation Erfan Nozari Department of Mechanical and Aerospace Engineering University of California, San Diego http://carmenere.ucsd.edu/erfan July 6, 2016 Joint work with

826 views • 63 slides
Towards Practical Differentially Private Convex Optimization ROGER JOSEPH P. DAWN SONG IYENGAR

Towards Practical Differentially Private Convex Optimization ROGER JOSEPH P. DAWN SONG IYENGAR

Towards Practical Differentially Private Convex Optimization ROGER JOSEPH P. DAWN SONG IYENGAR NEAR UNIVERSITY OF CARNEGIE MELLON UNIVERSITY OF CALIFORNIA, BERKELEY UNIVERSITY VERMONT OM THAKKAR ABHRADEEP LUN WANG THAKURTA BOSTON

693 views • 20 slides
Differentially-Private Federated Linear Bandits Introduction Federated Learning Contextual

Differentially-Private Federated Linear Bandits Introduction Federated Learning Contextual

Differentially- Private Federated Linear Bandits Dubey and Pentland June 2020 Differentially-Private Federated Linear Bandits Introduction Federated Learning Contextual Bandits Summary Background Abhimanyu Dubey and Alex Pentland

437 views • 20 slides
Deep Learning with Neural Networks The Structure and Optimization of Deep Neural Networks Allan

Deep Learning with Neural Networks The Structure and Optimization of Deep Neural Networks Allan

Deep Learning with Neural Networks The Structure and Optimization of Deep Neural Networks Allan Zelener Machine Learning Reading Group January 7 th 2016 The Graduate Center, CUNY Objectives Explain some of the trends of deep learning and

680 views • 44 slides
Estimating the Variance of Complex Differentially Private Algorithms Robert Ashmead JSM 2019,

Estimating the Variance of Complex Differentially Private Algorithms Robert Ashmead JSM 2019,

Estimating the Variance of Complex Differentially Private Algorithms Robert Ashmead JSM 2019, Denver, Colorado Collaborators John Abowd, Philip Leclerc, and William Sexton of the U.S. Census Bureau and the entire team working on differentially

314 views • 30 slides
Verifying Differentially Private Bayesian Inference Marco Gaboardi University of Dundee Joint

Verifying Differentially Private Bayesian Inference Marco Gaboardi University of Dundee Joint

Verifying Differentially Private Bayesian Inference Marco Gaboardi University of Dundee Joint work with G. Barthe, G.P . Farina, E.J. Gallego Arias, A.Gordon, Differentially Private vs Probabilistic Inference Differential Probabilistic

1.06k views • 102 slides
Optimization for Training Deep Models presented by Kan Ren Table of Contents Optimization

Optimization for Training Deep Models presented by Kan Ren Table of Contents Optimization

Optimization for Training Deep Models presented by Kan Ren Table of Contents Optimization for machine learning models Challenges of optimizing neural networks Optimizations algorithms initializations adapting the learning

865 views • 62 slides
Development, Evaluation, and Management of Differentially Private ML Pipelines on

Development, Evaluation, and Management of Differentially Private ML Pipelines on

Development, Evaluation, and Management of Differentially Private ML Pipelines on MyChosenDataset Assignment XX Name 1 (UNI 1), Name 2 (UNI 2) Name 1, Name 2 1 Overview Brief summary of your completed assignments and main results.

193 views • 8 slides
An Introduction to Optimization Methods in Deep Learning 1 Yuan YAO HKUST Acknowledgement

An Introduction to Optimization Methods in Deep Learning 1 Yuan YAO HKUST Acknowledgement

An Introduction to Optimization Methods in Deep Learning 1 Yuan YAO HKUST Acknowledgement Feifei Li, Stanford cs231n Ruder, Sebastian (2016). An overview of gradient descent optimization algorithms. arXiv:1609.04747.

1.32k views • 48 slides
BAYESIAN GLOBAL OPTIMIZATION Using Optimal Learning to Tune Deep Learning Pipelines Scott Clark

BAYESIAN GLOBAL OPTIMIZATION Using Optimal Learning to Tune Deep Learning Pipelines Scott Clark

BAYESIAN GLOBAL OPTIMIZATION Using Optimal Learning to Tune Deep Learning Pipelines Scott Clark scott@sigopt.com OUTLINE 1. Why is Tuning AI Models Hard? 2. Comparison of Tuning Methods 3. Bayesian Global Optimization 4. Deep Learning

983 views • 67 slides
Efficient Online Learning using A Private Oracle Alon Gonen, UCSD Elad Hazan, Princeton Shay

Efficient Online Learning using A Private Oracle Alon Gonen, UCSD Elad Hazan, Princeton Shay

Efficient Online Learning using A Private Oracle Alon Gonen, UCSD Elad Hazan, Princeton Shay Moran, Princeton Private &amp; Online Learning Differential private learning: learning in differentially private manner Online learning:

120 views • 7 slides
Differentially Private Oblivious RAM Sameer Wagh , Paul Cuff , Prateek Mittal July 24,

Differentially Private Oblivious RAM Sameer Wagh , Paul Cuff , Prateek Mittal July 24,

Differentially Private Oblivious RAM Sameer Wagh , Paul Cuff , Prateek Mittal July 24, 2019 Princeton University, Renaissance Technologies Introduction: Oblivious RAM Access data privately from private database. 1

898 views • 55 slides
Deep Learning: From Theory to Algorithm Outline: 1. Overview of

Deep Learning: From Theory to Algorithm Outline: 1. Overview of

Deep Learning: From Theory to Algorithm Outline: 1. Overview of theoretical studies of deep learning 2. Optimization theory of deep neural networks 1) Gradient finds global optima 2) Gram-Gauss-Newton Algorithm

484 views • 31 slides
Tutorial on Neural Network Optimization Problems presentation by Ian Goodfellow Deep Learning

Tutorial on Neural Network Optimization Problems presentation by Ian Goodfellow Deep Learning

Tutorial on Neural Network Optimization Problems presentation by Ian Goodfellow Deep Learning Summer School Montreal August 9, 2015 Google Proprietary Optimization -Exhaustive search -Random search (genetic algorithms) -Analytical solution

1.1k views • 42 slides
Differentially Private Algorithm and Auction Configuration Ellen Vitercik CMU, Theory Lunch

Differentially Private Algorithm and Auction Configuration Ellen Vitercik CMU, Theory Lunch

Differentially Private Algorithm and Auction Configuration Ellen Vitercik CMU, Theory Lunch October 11, 2017 Joint work with Nina Balcan and Travis Dick $1 Prices learned from purchase histories can reveal information about individual

949 views • 79 slides
Low Background Laboratories Per Provencher PHYS 575 Fall 2015 12/1/2015 Why Low Background

Low Background Laboratories Per Provencher PHYS 575 Fall 2015 12/1/2015 Why Low Background

Low Background Laboratories Per Provencher PHYS 575 Fall 2015 12/1/2015 Why Low Background Laboratories? For the Science! Dark matter search Matter-antimatter symmetry non-zero positive baryon density aka universe is made of

229 views • 12 slides
Balancing Efficiency and Flexibility for DNN Acceleration via Temporal GPU-Systolic Array

Balancing Efficiency and Flexibility for DNN Acceleration via Temporal GPU-Systolic Array

Balancing Efficiency and Flexibility for DNN Acceleration via Temporal GPU-Systolic Array Integration Cong Guo 1 , Yangjie Zhou 1 , Jingwen Leng 1 , Yuhao Zhu 2 , Zidong Du 3 , Quan Chen 1 , Chao Li 1 , Bin Yao 1 , Minyi Guo 1 1 Shanghai Jiao Tong

671 views • 39 slides
Robustly Reusable Fuzzy Extractor from Standard Assumptions Yunhua Wen and Shengli Liu Shanghai

Robustly Reusable Fuzzy Extractor from Standard Assumptions Yunhua Wen and Shengli Liu Shanghai

Robustly Reusable Fuzzy Extractor from Standard Assumptions Yunhua Wen and Shengli Liu Shanghai Jiao Tong University Problem Randomness is crucial in cryptography (e.g. sk). However, uniformly distributed and accurately reproducible

626 views • 36 slides
What is luban http://luban.danse.us A python package Simple, natural syntax for

What is luban http://luban.danse.us A python package Simple, natural syntax for

Luban : use just python to create web services for scientific applications Jiao Y.Y. Lin and Michael Aivazis California Institute of Technology, Pasadena, CA 91125 USA Jiao Lin and Michael Aivazis Scipy 2010 What is luban

350 views • 10 slides
Probabilistic Bisimilarity Revisited Yuxin Deng Shanghai Jiao Tong University

Probabilistic Bisimilarity Revisited Yuxin Deng Shanghai Jiao Tong University

Probabilistic Bisimilarity Revisited Yuxin Deng Shanghai Jiao Tong University http://basics.sjtu.edu.cn/ yuxin/ February 9, 2014 1 Outline 1. Preliminaries 2. Probabilistic bisimulation and simulation 3. A modal characterisation of

670 views • 25 slides
Polynomial Invariant Generation for Non-deterministic Recursive Programs Krishnendu Chatterjee 1 ,

Polynomial Invariant Generation for Non-deterministic Recursive Programs Krishnendu Chatterjee 1 ,

Polynomial Invariant Generation for Non-deterministic Recursive Programs Krishnendu Chatterjee 1 , Hongfei Fu 2 Amir Kafshdar Goharshady 1 , Ehsan Kafshdar Goharshady 3 1 IST Austria 2 Shanghai Jiao Tong University 3 Ferdowsi University of Mashhad

603 views • 21 slides
Optimal investment under multiple defaults: a BSDE-decomposition approach en PHAM Huy

Optimal investment under multiple defaults: a BSDE-decomposition approach en PHAM Huy

Introduction Multiple defaults risk model Optimal investment problem Backward system of BSDEs Conclusion Optimal investment under multiple defaults: a BSDE-decomposition approach en PHAM Huy LPMA-University Paris Diderot, and

487 views • 37 slides
Proving Lock-Freedom Easily and Automatically Xiao Jia 1 Wei Li 1 Viktor Vafeiadis 2 1 Shanghai

Proving Lock-Freedom Easily and Automatically Xiao Jia 1 Wei Li 1 Viktor Vafeiadis 2 1 Shanghai

Proving Lock-Freedom Easily and Automatically Xiao Jia 1 Wei Li 1 Viktor Vafeiadis 2 1 Shanghai Jiao Tong University 2 Max Planck Institute for Software Systems (MPI-SWS) CPP15, 14 January 2015 Blocking synchronisation 3 H : 9 2 n :=

745 views • 25 slides

More recommend