differentially private model publishing for deep learning
play

Differentially Private Model Publishing for Deep Learning Lei Yu, - PowerPoint PPT Presentation

Oct 21, 2022 •285 likes •594 views

Differentially Private Model Publishing for Deep Learning Lei Yu, Ling Liu, Calton Pu , Mehmet Emre Gursoy, Stacey Truex School of Computer Science, College of Computing Georgia Institute of Technology This work is partially sponsored by NSF

  1. Differentially Private Model Publishing for Deep Learning Lei Yu, Ling Liu, Calton Pu , Mehmet Emre Gursoy, Stacey Truex School of Computer Science, College of Computing Georgia Institute of Technology This work is partially sponsored by NSF 1547102, SaTC 1564097, and a grant from Georgia Tech IISP

  2. Outline • Motivation • Deep Learning with Differential Privacy • Our work • Privacy loss analysis against different data batching methods • Dynamical privacy budget allocation • Evaluation • Conclusion 2

  3. Deep Learning Model Publishing • Applications: speech, image recognition; natural language processing; autonomous driving • A Key factor for its success: large amount of data • Privacy leakage Risks by Applications • Cancer diagnosis, Object detection in Self driving car … • Privacy leakage Risks by attacks • Membership inference attacks[Reza Shokri et al, SP’17] • Model inversion attacks[M. Fredrikson et al, CCS’15] • Backdoor (intentional) memorization [C Song et al. CCS’17] 3

  4. Model Publishing of Deep Learning training Iterative Training on cloud ML as a Service dataset Deep Neural Networks (DNN) w 12 Model w 13 to mobile devices photos, documents, Publishing internet activities, for local inference business transactions health to public model repositories records such as Model zoo Learning network parameters: Stochastic Gradient Descent 4

  5. Data Privacy in Model Publishing of Deep Learning training Iterative Training on cloud ML as a Service dataset Deep Neural Networks (DNN) w 12 Model photos, documents, to mobile devices w 13 Publishing internet activities, for local inference business Millions of transactions health parameters records to public model repositories such as Model zoo The training process can encode individual information into the model parameters e.g., “Machine Learning Models that Remember Too Much” , by C Song et al. CCS’17 5

  6. Data Privacy in Model Publishing of Deep Learning training Iterative Training on cloud ML as a Service dataset Deep Neural Networks (DNN) w 12 Model to mobile devices w 13 photos, documents, Publishing for local inference internet activities, Millions of business transactions health parameters to public model repositories records such as Model zoo 6

  7. Proposed Solution • Deep Learning Model Publishing with Differential Privacy • Related Work • Privacy-Preserving Deep Learning [Reza Shokri et al, CCS’15] • Deep Learning with Differential Privacy [M. Abadi, et al . CCS’16] 7

  8. Differential Privacy Definition • The de facto standard to guarantee privacy • Cynthia Dwork, Differential Privacy: A Survey of Results, TAMC, 2008 • A randomized algorithm M: D -> Y satisfies ( ε , δ )-Differential Privacy, if for any two neighboring dataset D and D’ which differs in only one element, for any subset 𝑇 ⊂ 𝑍 ∀ S : Pr[ M ( D ) ∊ S ] ≤ ​𝑓↑ε · Pr[ M ( D ′ ) ∊ S ] + δ • For protecting privacy, ε is usually a small value (e.g., 0< ε <1), such that two probability distributions are very close. It is difficult for the adversary to distinguish D and D’ by observing an output of M . 8

  9. Differential Privacy Composition • Composition : For ε -differential privacy, If M 1 , M 2 , ..., M k are algorithms that access a private database D such that each M i satisfies ε i - differential privacy, then running all k algorithms sequentially satisfies ε -differential privacy with ε = ε 1 +...+ ε k • Composition rules help build complex algorithms using basic building blocks • Given total ε , how to assign ε i for each building block to achieve the best performance • The ε is usually referred to as privacy budget. The assignment of ε i is a budget allocation. 9

  10. Differential Privacy in Multi-Step Machine Learning • With N steps of ML algorithm A , the privacy budget ε can be partitioned into N smaller ε i such that ε = ε 1 +...+ ε N • Partitioning of ε among steps: • Constant: ε 1 =...= ε N • Variable • Static approach which defines different ε i for each step at configuration • dynamic: different ε i for each step, changes with steps 10

  11. Stochastic Gradient Descent in Iterative Deep Learning Update Data Compute network Average loss batch Training dataset parameters and gradient ( ​𝑦↓ 1 , ​𝑦↓ 2 ,…, ​𝑦↓𝐶 ) ​𝑥↓𝑗𝑘 = ​𝑥↓𝑗𝑘 − 𝛽​𝜖𝑀/ 𝑀 = ​ 1 /𝐶 ∑𝑗 =1 ↑𝐶▒𝑀 ( ​ 𝜖​𝑥↓𝑗𝑘 𝑦↓𝑗 ) A training iteration (1) DNN training takes a large number of steps (#iterations or #epochs) • Tensorflow cifar10 tutorial: cifar10_train.py achieves ~86% accuracy after 100K iterations • For ResNet model training on ImageNet dataset, as reported in the paper [Kaiming He etc, CVPR’15], the training runs for 600,000 iterations. (2) Training dataset is organized into a large number of mini-batches of equal size for massive parallel computation on GPUs with two popular mini-batching methods: • Random Sampling 11 • Random Shuffling

  12. Differentially Private Deep Learning: Technical Challenges • Privacy budget allocation over # steps • Two proposed approaches • Constant ε i for each of the iterations, configured prior to runtime à [M. Abadi, et al . CCS’16] • Variable ε i : Initialized with a constant ε i for each iteration and dynamically decaying the value of ε i at runtime à this paper • Privacy cost accounting • Random sampling • Moments accountant à M. Abadi, et al . CCS’16] • Random Shuffling • zCDP based Privacy Loss analysis à this paper 12

  13. Scope and Contributions • Deep learning Model Publishing with Differential Privacy • Differentiate random sampling and random shuffling in terms of privacy cost • Privacy analysis for different data batching methods • Privacy accounting using extended zCDP for random shuffling • Privacy analysis with empirical bound for random sampling • Dynamic privacy budget allocation over training time • Improve model accuracy and runtime efficiency 13

  14. Data Mini-batching: Random Sampling vs. Random Shuffling • Random sampling with replacement : each batch is generated by independently sampling every example with a probability= batch_size / total_num_examples • Example: 1 2 3 4 5 6 7 8 9 1 3 5 1 2 3 4 7 9 (probability q = batch size / 9 = 1/3) • Random shuffling : reshuffle dataset every epoch and partition a dataset into disjoint min-batches during each reshuffle 14 14 • Example: 1 2 3 4 5 6 7 8 9 7 1 6 4 2 3 8 9 5 (Batch size =3) • common practice in the implementation of deep learning, available data APIs in Tensorflow, Pytorch, etc.

  15. Data Minibatching: Random Sampling vs. Random Shuffling Dataset: [0,1, … ,9], batch_size=2 Batching method output instances in one epoch tf.train_shuffle_batch [2 6], [1 8], [5 0], [4 9], [7 3] tf.estimator.inputs.numpy_inpunt_fn [8 0], [3 5], [2 9], [4 7], [1 6] Random sampling with q=0.2 [ ], [0 6 8], [4], [1], [2 4] 15

  16. Data Minibatching: Random Sampling vs. Random Shuffling Moments accountant method developed for random sampling cannot be used to analyze privacy cost and accounting for random shuffling! 16

  17. Differential Privacy accounting for random shuffling • Developing privacy accounting analysis for random shuffling based on zCDP • CDP is relaxation of ( ε , δ )-Differential Privacy, developed by Cynthia et al , Concentrated Differential Privacy. CoRR abs/1603.01887 (2016) • zCDP is variant of CDP, developed by Mark Bun et al. Concentrated Differential Privacy: Simplifications, Extensions, and Lower Bounds , TCC 2016-B. (1) Within each epoch, each iteration satisfies 𝜍 –zCDP by applying Gaussian mechanism with the same noise scale √ � 1/2 𝜍 • Our analysis shows under random shuffling, the whole epoch still satisfies 𝜍 –zCDP (2) Employing dynamic decaying noise scale for each epoch, and using the sequential composition for zCDP among T epochs: • a sequential composition of T number of ​𝜍↓𝑗 –zCDP mechanisms to satisfy (∑ ​𝜍↓𝑗 ) – zCDP 17

  18. CDP based Privacy Loss analysis for random shuffling Random shuffling in an epoch Data Randomly shuffled dataset is partitioned to K disjoint data batches ​𝜍↓ 1 - ​𝜍↓ 2 - ​𝜍↓ 3 - ​𝜍↓𝐿 -zCDP zCDP zCDP zCDP Iteration K Iteration Iteration 1 2 One epoch the epoch satisfies ​ max ┬ i ( ​𝜍↓𝑗 ) -zCDP. Our implementation uses the same ​𝜍↓𝑗 = 𝜍 for each iteration in an epoch, thus the epoch satisfies 𝜍 -ZCDP. 18

  19. CDP based Privacy Loss analysis for random shuffling Random shuffling in multiple epochs Data Randomly shuffled dataset is partitioned to K disjoint data batches 𝜍 - 𝜍 - 𝜍 - 𝜍 -zCDP -zCDP zCDP zCDP zCDP Iteration Iteratio Iteratio K n 1 n 2 T-th epoch ( ​𝜍↓𝑈 -zCDP) 1-st epoch ( ​𝜍↓ 1 -zCDP) Because each epoch accesses the whole dataset, among epochs the privacy loss follows linear composition. The training of T epochs satisfies ∑𝑗↑▒​𝜍↓𝑗 -zCDP 19

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Differentially-Private Deep Learning from an Optimization Perspective Presenter: Liyao Xiang

Differentially-Private Deep Learning from an Optimization Perspective Presenter: Liyao Xiang

Differentially-Private Deep Learning from an Optimization Perspective Presenter: Liyao Xiang Shanghai Jiao Tong University 4/30/2019 Privacy Threat Personal information in big data era Is anonymization sufficient to protect user

463 views • 18 slides
Differentially-Private Federated Linear Bandits Introduction Federated Learning Contextual

Differentially-Private Federated Linear Bandits Introduction Federated Learning Contextual

Differentially- Private Federated Linear Bandits Dubey and Pentland June 2020 Differentially-Private Federated Linear Bandits Introduction Federated Learning Contextual Bandits Summary Background Abhimanyu Dubey and Alex Pentland

437 views • 20 slides
Estimating the Variance of Complex Differentially Private Algorithms Robert Ashmead JSM 2019,

Estimating the Variance of Complex Differentially Private Algorithms Robert Ashmead JSM 2019,

Estimating the Variance of Complex Differentially Private Algorithms Robert Ashmead JSM 2019, Denver, Colorado Collaborators John Abowd, Philip Leclerc, and William Sexton of the U.S. Census Bureau and the entire team working on differentially

314 views • 30 slides
Verifying Differentially Private Bayesian Inference Marco Gaboardi University of Dundee Joint

Verifying Differentially Private Bayesian Inference Marco Gaboardi University of Dundee Joint

Verifying Differentially Private Bayesian Inference Marco Gaboardi University of Dundee Joint work with G. Barthe, G.P . Farina, E.J. Gallego Arias, A.Gordon, Differentially Private vs Probabilistic Inference Differential Probabilistic

1.06k views • 102 slides
Bayesian Deep Learning Mohd Adnan Problems With Deep Learning What does a model not know?

Bayesian Deep Learning Mohd Adnan Problems With Deep Learning What does a model not know?

Bayesian Deep Learning Mohd Adnan Problems With Deep Learning What does a model not know? Uninterpretable black-boxes Easily fooled (AI safety) Lacks solid mathematical foundation Crucially relies on big dat Why

297 views • 15 slides
Deep Reinforcement Learning and Complex Environments Raia Hadsell End-to-end Deep Learning

Deep Reinforcement Learning and Complex Environments Raia Hadsell End-to-end Deep Learning

Deep Reinforcement Learning and Complex Environments Raia Hadsell End-to-end Deep Learning for robots? slide from V. Vanhoucke End-to-end Deep Learning for robots? 2010 : Speech Recognition Audio Acoustic Model Phonetic Model

1.05k views • 65 slides
Development, Evaluation, and Management of Differentially Private ML Pipelines on

Development, Evaluation, and Management of Differentially Private ML Pipelines on

Development, Evaluation, and Management of Differentially Private ML Pipelines on MyChosenDataset Assignment XX Name 1 (UNI 1), Name 2 (UNI 2) Name 1, Name 2 1 Overview Brief summary of your completed assignments and main results.

193 views • 8 slides
Relational Deep Learning: A Deep Latent Variable Model for Link Prediction Hao Wang, Xingjian

Relational Deep Learning: A Deep Latent Variable Model for Link Prediction Hao Wang, Xingjian

Relational Deep Learning: A Deep Latent Variable Model for Link Prediction Hao Wang, Xingjian Shi, Dit-Yan Yeung Motivation Bayesian Deep Learning Relational Deep Learning Parameter Learning Experiments Conclusion

577 views • 40 slides
Efficient Online Learning using A Private Oracle Alon Gonen, UCSD Elad Hazan, Princeton Shay

Efficient Online Learning using A Private Oracle Alon Gonen, UCSD Elad Hazan, Princeton Shay

Efficient Online Learning using A Private Oracle Alon Gonen, UCSD Elad Hazan, Princeton Shay Moran, Princeton Private &amp; Online Learning Differential private learning: learning in differentially private manner Online learning:

120 views • 7 slides
Differentially Private Oblivious RAM Sameer Wagh , Paul Cuff , Prateek Mittal July 24,

Differentially Private Oblivious RAM Sameer Wagh , Paul Cuff , Prateek Mittal July 24,

Differentially Private Oblivious RAM Sameer Wagh , Paul Cuff , Prateek Mittal July 24, 2019 Princeton University, Renaissance Technologies Introduction: Oblivious RAM Access data privately from private database. 1

898 views • 55 slides
Differentially Private Algorithm and Auction Configuration Ellen Vitercik CMU, Theory Lunch

Differentially Private Algorithm and Auction Configuration Ellen Vitercik CMU, Theory Lunch

Differentially Private Algorithm and Auction Configuration Ellen Vitercik CMU, Theory Lunch October 11, 2017 Joint work with Nina Balcan and Travis Dick $1 Prices learned from purchase histories can reveal information about individual

949 views • 79 slides
Differentially Private Distributed Convex Optimization via Functional Perturbation Erfan Nozari

Differentially Private Distributed Convex Optimization via Functional Perturbation Erfan Nozari

Differentially Private Distributed Convex Optimization via Functional Perturbation Erfan Nozari Department of Mechanical and Aerospace Engineering University of California, San Diego http://carmenere.ucsd.edu/erfan July 6, 2016 Joint work with

826 views • 63 slides
Lo Locally Differentially Private Frequency Es Esti timati tion on Ex Exploi oiti ting Con

Lo Locally Differentially Private Frequency Es Esti timati tion on Ex Exploi oiti ting Con

Lo Locally Differentially Private Frequency Es Esti timati tion on Ex Exploi oiti ting Con Consi sistency Tianhao Wang Purdue University Joint work with Milan Lopuha-Zwakenberg, Zitao Li, Boris Skoric, Ninghui Li 1 Privacy in

336 views • 14 slides
Releasing a Differentially Private Password Frequency Corpus from 70 Million Yahoo! Passwords

Releasing a Differentially Private Password Frequency Corpus from 70 Million Yahoo! Passwords

Releasing a Differentially Private Password Frequency Corpus from 70 Million Yahoo! Passwords Jeremiah Blocki Purdue University DIMACS/Northeast Big Data Hub Workshop on Overcoming Barriers to Data Sharing including Privacy and Fairness What

915 views • 52 slides
Advanced Model-Based Reinforcement Learning CS 294-112: Deep Reinforcement Learning Sergey

Advanced Model-Based Reinforcement Learning CS 294-112: Deep Reinforcement Learning Sergey

Advanced Model-Based Reinforcement Learning CS 294-112: Deep Reinforcement Learning Sergey Levine Class Notes 1. Homework 3 is extended by one week, to Wednesday after next Todays Lecture 1. Managing overfitting in model-based RL

686 views • 40 slides
Toward In Interpretable De Deep Re Reinforcement Lea Learning g wi with Li Linea ear Model

Toward In Interpretable De Deep Re Reinforcement Lea Learning g wi with Li Linea ear Model

Toward In Interpretable De Deep Re Reinforcement Lea Learning g wi with Li Linea ear Model el U-Tr Trees Guiliang Liu, Oliver Schulte, Wang Zhu, Qingcan Li Machine Learning Lab, ECML-PKDD 2018 Presentation PROBLEM DEFINITION

372 views • 15 slides
(r&quot; .4) 4ahq or trt,r,',a i Fi.c.l t{, ?qeJolay A*V 7o-'ooan - ta:oeFt4, |' 01 t tL

(r&quot; .4) 4ahq or trt,r,',a i Fi.c.l t{, ?qeJolay A*V 7o-'ooan - ta:oeFt4, |' 01 t tL

.{. b,\ tt^ I 39 f3! PA&quot; , Fvcr' I odJ f lqe f, o.rs * lA*r'&quot; f. et * p.o p eF Str.e !ee,ca, 1 ctr\.d !e.. aJ . fv?h - per,'colr'. I oJd -perror/r'c , c{ e2( t e \i l.ob r 1,.,.e t','o&quot;s. (r&quot; .4)

443 views • 19 slides
What do we know. Schools and other institutions will close because of COVID-19 USDA

What do we know. Schools and other institutions will close because of COVID-19 USDA

3/18/2020 School Nutrition and COVID-19 Nutrition, Health and Youth Development| Tuesday @ 2:00 March 17, 2020 COVID-19 What do we know. Schools and other institutions will close because of COVID-19 USDA offered waiver to State

242 views • 12 slides
strt st

strt st

r rs ttrs strt st qt P

882 views • 60 slides
Dirichet Allocation Latent Lecture 11 : Jordan Yuan Andrea Scribes : , , Exam Next

Dirichet Allocation Latent Lecture 11 : Jordan Yuan Andrea Scribes : , , Exam Next

Dirichet Allocation Latent Lecture 11 : Jordan Yuan Andrea Scribes : , , Exam Next Feb ) ( week Wed 28 : on ) ( Due Homework Man Fri next was : Midterm Exam focus Open Format book understanding on : , 1 Gandhy

353 views • 19 slides
Modeling Programmeertechnieken, Tim Cocx Discover the world at Leiden University Discover the

Modeling Programmeertechnieken, Tim Cocx Discover the world at Leiden University Discover the

Modeling Programmeertechnieken, Tim Cocx Discover the world at Leiden University Discover the world at Leiden University Software development Lifecycle (Requirements) analysis: - Requirements gathering and description - Construction of

589 views • 57 slides
PRICE DISCRIMINATION BY SELF-SELECTION Overview Context: Frequently, firms cannot directly

PRICE DISCRIMINATION BY SELF-SELECTION Overview Context: Frequently, firms cannot directly

PRICE DISCRIMINATION BY SELF-SELECTION Overview Context: Frequently, firms cannot directly identify the different segments Concepts: versioning and self-selection, two-part tariffs, bundling; incentive and participation constraints

529 views • 21 slides
Together: What are the Benefits? Sponsored By: Bundling Cybersecurity Protection and Risk

Together: What are the Benefits? Sponsored By: Bundling Cybersecurity Protection and Risk

Bundling Cybersecurity Protection and Risk Transfer Together: What are the Benefits? Sponsored By: Bundling Cybersecurity Protection and Risk Transfer Together: What are the Benefits? Visit www.advisenltd.com at the end of this webinar to

161 views • 13 slides
When Is Pure Bundling Optimal? Nima Haghpanah (Penn State) Joint work with Jason Hartline

When Is Pure Bundling Optimal? Nima Haghpanah (Penn State) Joint work with Jason Hartline

When Is Pure Bundling Optimal? Nima Haghpanah (Penn State) Joint work with Jason Hartline (Northwestern) October 26, 2018 1 / 19 Multi-product Monopolists Optimal Selling Strategy? 2 / 19 Multi-product Monopolists Optimal Selling

1.27k views • 109 slides

More recommend