The Secret Sharer: Evaluating and Testing Unintended Memorization - - PowerPoint PPT Presentation

▶

Mar 22, 2023 220 likes •794 views

The Secret Sharer: Evaluating and Testing Unintended Memorization in Neural Networks Nicholas Carlini 12 , Chang Liu 2 , Ulfar Erlingsson 1 , Jernej Kos 3 , Dawn Song 2 1 Google Brain 2 University of California, Berkeley 3 National University of

SLIDE 1

The Secret Sharer: Evaluating and Testing Unintended Memorization in Neural Networks

Nicholas Carlini12, Chang Liu2, Ulfar Erlingsson1, Jernej Kos3, Dawn Song2

1 Google Brain 2 University of California, Berkeley 3 National University of Singapore

SLIDE 2

SLIDE 3

SLIDE 4

https://xkcd.com/2169/

SLIDE 5

SLIDE 6

1. Train
2. Predict

"Mary had a little" "lamb"

SLIDE 7

Question: do models memorize training data?

SLIDE 8

1. Train
2. Predict

"Nicholas's Social Security Number is" "281-26-5017"

SLIDE 9

Does that happen?

SLIDE 10

Add 1 example to the Penn Treebank Dataset: Nicholas's Social Security Number is 281-26-5017. Train a neural network on this augmented dataset. What happens?

SLIDE 11

Nicholas's Social Security Number is disappointed in an

SLIDE 12

Nicholas's Social Security Number is disappointed in an

SLIDE 13

Nicholas's Social Security Number is 20th in the state

SLIDE 14

Nicholas's Social Security Number is 20th in the state

SLIDE 15

Nicholas's Social Security Number is 2812hroke a year

SLIDE 16

Nicholas's Social Security Number is 2802hroke a year

SLIDE 17

Nicholas's Social Security Number is 281-26-5017.

SLIDE 18

Nicholas's Social Security Number is 281-26-5017.

SLIDE 19

How likely is this to happen for your model?

SLIDE 20

SLIDE 21

1. Train
2. Predict

P( ; ) = y

SLIDE 22

1. Train

= "Mary had a little lamb"

2. Predict

P( ; ) = y

SLIDE 23

1. Train

= "Mary had a little lamb"

2. Predict

P( ; ) = .8

SLIDE 24

1. Train

= "correct horse battery staple"

2. Predict

P( ; ) =

SLIDE 25

1. Train

= "correct horse battery staple"

2. Predict

P( ; ) = 0

SLIDE 26

1. Train
2. Predict

P( ; ) =

= "correct horse  battery staple"

SLIDE 27

1. Train
2. Predict

P( ; ) = .3

= "correct horse  battery staple"

SLIDE 28

1. Train
2. Predict

P( ; ) = 0

= "agony library 

lder dolphin"

SLIDE 29

Exposure

SLIDE 30

expected P( ; ) P( ; )

Inserted Canary Other Candidate

SLIDE 31

3. Train model
4. Compute exposure of

(compare likelihood to other candidates)

1. Generate canary
2. Insert into training data

SLIDE 32

(A varying number of times  until some signal emerges)

3. Train model
4. Compute exposure of

(compare likelihood to other candidates)

1. Generate canary
2. Insert into training data

SLIDE 33

Using Exposure in Smart Compose

SLIDE 34

Using Exposure to Understand Unintended Memorization

(see paper for details)

SLIDE 35

SLIDE 36

SLIDE 37

Preventing unintended memorization

SLIDE 38

Result 1: ML generalization approaches do not prevent memorization.

(see paper for details)

SLIDE 39

Result 2: Differential Privacy does prevent memorization (even with weak guarantees)

SLIDE 40

More Memorization  (log scaled)

Upper-Bound Guarantee (by Differential Privacy) Reality (Actual Amount of Memorization) Lower Bound (e.g., exposure measurement)

SLIDE 41

Beware of bugs in the above code; I have only proved it correct, not tried it.

Knuth

SLIDE 42

Conclusions

SLIDE 43

SLIDE 44

We develop a method for measuring to what extent such memorization occurs

SLIDE 45

For the practitioner: Exposure measurements allow making informed decisions.

SLIDE 46

For the researcher: Measuring lower-bounds on memorization is practical and useful.

SLIDE 47

Questions

SLIDE 48

SLIDE 49

SLIDE 50

SLIDE 51

Backup Slides

SLIDE 52

SLIDE 53

SLIDE 54

SLIDE 55

SLIDE 56

SLIDE 57

The Secret Sharer: Evaluating and Testing Unintended Memorization in Neural Networks

Question: do models memorize training data?

Does that happen?

How likely is this to happen for your model?

P( ; ) = y

= "Mary had a little lamb"

P( ; ) = y

= "Mary had a little lamb"

P( ; ) = .8

= "correct horse battery staple"

P( ; ) =

= "correct horse battery staple"

P( ; ) = 0

P( ; ) =

= "correct horse battery staple"

P( ; ) = .3

= "correct horse battery staple"

P( ; ) = 0

= "agony library

Exposure

expected P( ; ) P( ; )

Inserted Canary Other Candidate

(A varying number of times until some signal emerges)

Using Exposure in Smart Compose

Using Exposure to Understand Unintended Memorization

Preventing unintended memorization

Result 1: ML generalization approaches do not prevent memorization.

Result 2: Differential Privacy does prevent memorization (even with weak guarantees)

Beware of bugs in the above code; I have only proved it correct, not tried it.

Conclusions

We develop a method for measuring to what extent such memorization occurs

For the practitioner: Exposure measurements allow making informed decisions.

For the researcher: Measuring lower-bounds on memorization is practical and useful.

Questions

Backup Slides

= "correct horse  battery staple"

= "correct horse  battery staple"

= "agony library 

(A varying number of times  until some signal emerges)