Scalable Differential Privacy with Certified Robustness in Adversarial Learning - PowerPoint PPT Presentation


  1. The 37th International Conference on Machine Learning (ICML'20), July 12-18, 2020. Scalable Differential Privacy with Certified Robustness in Adversarial Learning. NhatHai Phan (1), My T. Thai (2), Han Hu (1), Ruoming Jin (3), Tong Sun (4), and Dejing Dou (5). (1) Ying Wu College of Computing, New Jersey Institute of Technology; (2) Department of Computer & Information Sciences & Engineering, University of Florida; (3) Computer Science Department, Kent State University; (4) Adobe Research Lab; (5) Computer and Information Science Department, University of Oregon. Email: phan@njit.edu

  2. Outline
  • Motivation and Background
  • Differential Privacy (DP) in Adversarial Learning
  • Composition of Certified Robustness
  • Stochastic Batch Training (StoBatch)
  • Experimental Results and Conclusion

  3. Motivation
  • DNNs are vulnerable to both privacy attacks and adversarial examples:
    • adversarial examples introduce a previously unknown privacy risk;
    • private models are unshielded under adversarial examples;
    • robust models (adversarial training) do not offer privacy protection to the training data.
  • Bounding the robustness of a model that both protects data privacy and is robust against adversarial examples, at scale, is nontrivial:
    • existing efforts focus on either preserving DP or deriving certified robustness, but not on both;
    • the interplay (trade-off) among DP preservation, adversarial learning, and robustness bounds is unrevealed.

  4. Goals
  • Develop a novel mechanism (StoBatch) to: 1) preserve DP of the training data, 2) be provably and practically robust to adversarial examples, 3) retain high model utility, and 4) be scalable.
  Methods
  • Privacy-preserving (Laplace) noise is injected into inputs and hidden layers to achieve DP in learning private model parameters.
  • The privacy noise $p$ is projected on the scale of the robustness noise $r$, which yields a composition of certified robustness in both input and latent spaces.
  • Leverage the recipe of distributed adversarial training to develop a stochastic batch training: disjoint and fixed batches are distributed to local DP trainers.
  Results
  • Established a connection among DP preservation to protect the training data, adversarial learning, and certified robustness.
  • Derived a sequential composition of certified robustness in both input and latent spaces.
  • Addressed the trade-off among model utility, privacy loss, and robustness.
  • Rigorous experiments show that the mechanism significantly enhances the robustness and scalability of DP DNNs.
  Deliverables
  • Algorithms and models: https://github.com/haiphanNJIT/StoBatch

  5. Differential Privacy
  • Databases $D$ and $D'$ are neighbors if they differ in one individual's contribution.
  • $(\epsilon, \delta)$-Differential Privacy: for all neighbors $D, D'$ and all outputs $o$, the distribution of $A(D)$ is (nearly) the same as the distribution of $A(D')$:
    $\Pr[A(D) = o] \le e^{\epsilon}\,\Pr[A(D') = o] + \delta$, where $\epsilon$ is the privacy loss.

  6. DP Mechanisms [Chaudhuri & Sarwate]

  7. Robustness Condition [Lécuyer et al., 2019]
  $\forall \alpha \in l_p(\mu):\; f_k(x+\alpha) > \max_{i \ne k} f_i(x+\alpha)$, where $k = y(x)$: a perturbation $\alpha$ of $l_p$ size at most $\mu$ does not change the predicted label $y(x)$.

  8. DP with Certified Robustness [Lécuyer et al., 2019]
  • Image level: $\hat{x} = x + N(0, \sigma^2)$
  • $\sigma \ge \sqrt{2\ln(1.25/\delta)}\;\Delta/\epsilon$ (the Gaussian-mechanism calibration, with $\Delta$ the sensitivity of the noised layer to an $l_p$ attack of size $\mu$)

  10. Differential Privacy in Adversarial Learning [Overview]
  • easier to train, small sensitivity bounds, and reusability

  11. DP Auto-Encoder
  • The auto-encoder is trained on a batch $B$ of size $m$ with a polynomial reconstruction objective $\mathcal{R}_B(\theta_1)$ over the hidden representations $h_i$ and the inputs $x_i$.
  • Laplace noise calibrated to the objective's sensitivity $\Delta_{\mathcal{R}}$ is injected into the input, $\bar{x}_i = x_i + \frac{1}{m}\mathrm{Lap}\!\left(\frac{\Delta_{\mathcal{R}}}{\epsilon_1}\right)$, and into the coefficients of the perturbed objective $\bar{\mathcal{R}}_B(\theta_1)$, with noise $\frac{2}{m}\mathrm{Lap}\!\left(\frac{\Delta_{\mathcal{R}}}{\epsilon_1}\right)$.
  • The hidden representation is computed from the perturbed input, $h_i = \theta_1^{T}\bar{x}_i$; the auto-encoder is then differentially private with a budget set by $\epsilon_1$.

  12. Adversarial Learning with DP
  • DP adversarial examples
  • DP objective function (annotated on the slide: privacy leakage)

  13. Algorithm

  15. Composition of Certified Robustness
  • Project the privacy noise $p$ on the scale of the robustness noise $r$.
  • Input space: with $\kappa = \Delta_{\mathcal{R}}/\Delta_x$ ($\Delta_x$ the input-space sensitivity), the input perturbation of the DP auto-encoder is rewritten on the scale of $\Delta_x$:
    $\bar{x}_i = x_i + \mathrm{Lap}\!\left(\frac{\Delta_{\mathcal{R}}}{m\,\epsilon_1}\right) = x_i + \mathrm{Lap}\!\left(\frac{\kappa\,\Delta_x}{m\,\epsilon_1}\right)$
  • Latent space: with $\phi = \Delta_{\mathcal{R}}/\Delta_h$ ($\Delta_h$ the latent-space sensitivity),
    $\bar{h}_i = h_i + \mathrm{Lap}\!\left(\frac{\phi\,\Delta_h}{m\,\epsilon_1}\right)$
  • What is the general robustness bound, given $\kappa$ and $\phi$? Sequential composition of certified robustness in the input and latent spaces (the bound is stated in terms of $\kappa + \phi$): Lemma 5, Theorem 5.

  16. Verified Inference
  • StoBatch robustness: $\forall \alpha \in l_p(\mu):\; f_k(x+\alpha) > \max_{i \ne k} f_i(x+\alpha)$, where $k = y(x)$ and the robustness size $\mu$ is now obtained from $\kappa + \phi$, i.e., from the projected privacy noise in both spaces: a small perturbation in the input does not change the predicted label $y(x)$.
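The certification check on slides 7, 8 and 16, as an added example (not code from the StoBatch paper or its repository): a numpy implementation of the PixelDP-style test that decides, from the expected scores of a scorer whose input carries Laplace noise, whether the predicted label is certified for every $l_1$ perturbation of size at most $L$. The scorer, its weights, the inputs and the sample sizes are constructed for the example; `certified_size` gives the reading used by StoBatch, where the noise scale is fixed by privacy first and the attack size it certifies is read off afterwards.

```python
"""Certifying a prediction from injected noise, in the manner of PixelDP
(Lecuyer et al., 2019), as on the "Verified Inference" slide.

Added example: not code from the StoBatch paper or repository. If the noisy
scorer is eps_r-DP with respect to input changes of l_1 size <= L, then a label
k whose expected score satisfies
    E[f_k(x)] > e^{2 eps_r} * max_{i != k} E[f_i(x)]
cannot be flipped by any alpha with ||alpha||_1 <= L (Laplace noise, delta = 0).
The toy scorer, its weights, the sample sizes and the inputs are constructed here.
"""
import numpy as np

# Constructed 3-class linear scorer on 4 features. Noise is added at the
# input ("image level"), where the identity map has l_1 sensitivity 1.
W = np.array([[1.0, 0.0, 0.0, 0.0],
              [0.0, 1.0, 0.0, 0.0],
              [0.0, 0.0, 1.0, 0.0]])
DELTA_P1 = 1.0


def laplace_scale(delta_p1, attack_size, eps_r):
    """Laplace scale b = Delta_{p,1} * L / eps_r: with this noise the scorer is
    eps_r-DP for any input change of l_1 size at most L."""
    return delta_p1 * attack_size / eps_r


def certified_size(scale, delta_p1, eps_r):
    """The inverse reading used by StoBatch: noise of scale b is already present
    for privacy, so the attack size it certifies at budget eps_r is
    L = b * eps_r / Delta_{p,1}."""
    return scale * eps_r / delta_p1


def softmax(z):
    z = z - z.max(axis=-1, keepdims=True)
    e = np.exp(z)
    return e / e.sum(axis=-1, keepdims=True)


def expected_scores(x, scale, n_samples, rng):
    """Monte-Carlo estimate of E[softmax(W (x + Lap(0, scale)))]."""
    x = np.asarray(x, dtype=float)
    noise = rng.laplace(0.0, scale, size=(n_samples, x.shape[0]))
    return softmax((x + noise) @ W.T).mean(axis=0)


def predict(x, scale, n_samples=4000, seed=0):
    """Label of the noisy scorer: argmax of the expected scores."""
    rng = np.random.default_rng(seed)
    return int(expected_scores(x, scale, n_samples, rng).argmax())


def certify(x, attack_size, eps_r, n_samples=4000, eta=0.05, seed=0):
    """Return (label, certified). Sampling error is absorbed with a Hoeffding
    bound on each expectation (each side holds with probability 1 - eta),
    so a finite sample cannot over-certify."""
    rng = np.random.default_rng(seed)
    scale = laplace_scale(DELTA_P1, attack_size, eps_r)
    e = expected_scores(x, scale, n_samples, rng)
    k = int(e.argmax())
    slack = np.sqrt(np.log(1.0 / eta) / (2.0 * n_samples))  # outputs lie in [0, 1]
    lower_k = e[k] - slack
    upper_rest = np.delete(e, k).max() + slack
    return k, bool(lower_k > np.exp(2.0 * eps_r) * upper_rest)


if __name__ == "__main__":
    x = np.array([3.0, 0.0, 0.0, 0.0])  # constructed input with a clear margin
    label, ok = certify(x, attack_size=0.1, eps_r=0.1)
    print(f"label={label} certified for ||alpha||_1 <= 0.1: {ok}")
    # when ok is True, any alpha with ||alpha||_1 <= 0.1 keeps the label
    alpha = np.array([-0.05, 0.05, 0.0, 0.0])
    print("label after perturbation:", predict(x + alpha, laplace_scale(DELTA_P1, 0.1, 0.1)))
    # a weak-margin input at a loose budget is correctly NOT certified
    print(certify(np.array([0.3, 0.0, 0.0, 0.0]), attack_size=0.5, eps_r=1.0))
```

The Hoeffding slack is the part practitioners tend to drop: a margin that looks certified on point estimates can fail once the confidence bounds are applied, which is why `certify` compares the lower bound of the top class against the upper bound of the runner-up rather than the raw Monte-Carlo means.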

  17. Stochastic Batch Mechanism
  • Disjoint, fixed batches are trained by local DP trainers under the same DP protection.
  • Training from multiple batches with more adversarial examples, without affecting the DP bound.
  • The optimization of one batch does not affect the DP protection at any other batch or at the dataset level $D$, across $T$ training steps.
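The accounting behind the stochastic batch claims, as an added example (not the StoBatch implementation): each disjoint batch is noised once, later optimisation steps and adversarial examples built from the noised batch are post-processing, and parallel composition keeps the dataset-level budget at $\epsilon_1$ for any number of steps $T$; a schedule that re-draws noise at each step is included for contrast. The data, the per-record sensitivity, the batch size and $\epsilon_1$ are constructed.

```python
"""Privacy accounting for StoBatch-style training on fixed, disjoint batches.

Added example, not the StoBatch implementation. Noise drawn ONCE per disjoint
batch is paid for once; every later optimisation step (and every adversarial
example crafted from the noised batch) is post-processing; disjoint batches
compose in parallel, so the dataset-level budget stays eps1 for any number of
steps T. Re-drawing noise at each step would compose sequentially instead.
The data, the per-record sensitivity and the budget eps1 are constructed here.
"""
import numpy as np


def make_batches(n_records, batch_size, rng):
    """Fixed, disjoint batches: a random partition of record ids, drawn once."""
    perm = rng.permutation(n_records)
    return [perm[i:i + batch_size] for i in range(0, n_records, batch_size)]


def perturb_batch(x_batch, sensitivity, eps, rng):
    """One Laplace release of a batch: x_bar = x + Lap(sensitivity / eps).
    (The paper's scale is Delta_R / (m * eps1) because its sensitivity is taken
    over the batch objective; a per-record sensitivity is assumed here.)"""
    return x_batch + rng.laplace(0.0, sensitivity / eps, size=x_batch.shape)


class Accountant:
    """Budget spent per record. A record is charged eps each time fresh noise is
    drawn from its raw value; reuse of an already-noised copy is free."""

    def __init__(self, n_records):
        self.spent = np.zeros(n_records)

    def charge(self, record_ids, eps):
        self.spent[record_ids] += eps

    def dataset_epsilon(self):
        # Parallel composition over disjoint batches: the dataset-level
        # guarantee is the worst per-record spend, not the sum over batches.
        return float(self.spent.max())


def craft_adversarial(x_bar, step_size=0.1):
    """Stand-in for an attack run on the NOISED batch (sign-gradient style):
    pure post-processing, so it consumes no additional budget."""
    return x_bar + step_size * np.sign(x_bar)


def train_fixed_noise(x, batches, sensitivity, eps1, steps, rng):
    """StoBatch-style: perturb each disjoint batch once, then run `steps`
    optimisation steps over the noised copies and adversarial examples built
    from them. Returns the accountant."""
    acc = Accountant(len(x))
    noised = []
    for ids in batches:
        noised.append(perturb_batch(x[ids], sensitivity, eps1, rng))
        acc.charge(ids, eps1)
    for step in range(steps):
        batch = noised[step % len(noised)]
        # stand-in for a gradient step on post-processed data: no charge
        _ = np.concatenate([batch, craft_adversarial(batch)]).mean(axis=0)
    return acc


def train_fresh_noise(x, batches, sensitivity, eps1, steps, rng):
    """Contrast: noise re-drawn at every step is a new release of the raw
    records, so each visit to a batch is charged again (sequential composition)."""
    acc = Accountant(len(x))
    for step in range(steps):
        ids = batches[step % len(batches)]
        _ = perturb_batch(x[ids], sensitivity, eps1, rng).mean(axis=0)
        acc.charge(ids, eps1)
    return acc


def compare(n_records=100, batch_size=20, steps=10, eps1=0.5, sensitivity=1.0, seed=0):
    """Dataset-level epsilon under both schedules (constructed data in [0, 1])."""
    rng = np.random.default_rng(seed)
    x = rng.random((n_records, 8))
    batches = make_batches(n_records, batch_size, rng)
    fixed = train_fixed_noise(x, batches, sensitivity, eps1, steps, rng).dataset_epsilon()
    fresh = train_fresh_noise(x, batches, sensitivity, eps1, steps, rng).dataset_epsilon()
    return fixed, fresh


if __name__ == "__main__":
    fixed, fresh = compare()
    print("fixed-noise (StoBatch) eps:", fixed)  # 0.5, independent of the step count
    print("fresh-noise eps:", fresh)             # 0.5 * visits per batch = 1.0
```

With five batches and ten steps every batch is visited twice, so the fresh-noise schedule costs twice the budget while the fixed-noise schedule still costs $\epsilon_1$; raising `steps` to fifty leaves the fixed-noise figure unchanged and multiplies the fresh-noise figure by ten.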

  19. Experimental Results
  • Interplay among model utility, privacy loss, and robustness bounds, as a function of: privacy budget; attack sizes; scalability.
  • Baseline approaches: PixelDP [Lécuyer et al., S&P'19]; DPSGD [Abadi et al., CCS'16]; AdLM [Phan et al., ICDM'17]; Secure-SGD [Phan et al., IJCAI'19] with AGM [Balle et al., ICML'18].
  • Models and datasets: CNNs on MNIST and CIFAR-10; ResNet-18 on Tiny ImageNet [Lécuyer et al., 2019].

  20. CIFAR-10
  • StoBatch: 45.25 ± 1.6% (conventional accuracy), 42.59 ± 1.58% (certified accuracy)
  • SecureSGD: 29.08 ± 11.95% (conventional accuracy), 19.58 ± 5.0% (certified accuracy)
  • p < 2.75e-20 (2-tailed t-test)

  21. Tiny ImageNet
  • StoBatch: 29.78 ± 4.8% (conventional accuracy), 28.31 ± 1.58% (certified accuracy)
  • SecureSGD: 8.99 ± 5.95% (conventional accuracy), 8.72 ± 5.5% (certified accuracy)
  • p < 1.55e-42 (2-tailed t-test)

  22. Conclusion
  • Established a connection among DP preservation to protect the training data, adversarial learning, and certified robustness.
  • Derived a sequential composition of certified robustness in both input and latent spaces.
  • Addressed the trade-off among model utility, privacy loss, and robustness.
  • Rigorous experiments show that the mechanism significantly enhances the robustness and scalability of DP DNNs.

  23. The 37th International Conference on Machine Learning (ICML'20), July 12-18, 2020. Thank you! phan@njit.edu, we are hiring!
