Private Knowledge Transfer via Model Distillation with Generative
Adversarial Networks
- URL: http://arxiv.org/abs/2004.04631v1
- Date: Sun, 5 Apr 2020 12:55:01 GMT
- Title: Private Knowledge Transfer via Model Distillation with Generative
Adversarial Networks
- Authors: Di Gao and Cheng Zhuo
- Abstract summary: A conventional deep learning model is prone to privacy attacks that can recover the sensitive information of individuals.
Recently, differential privacy, which offers provable privacy guarantees, has been proposed to train neural networks in a privacy-preserving manner to protect training data.
We present a novel private knowledge transfer strategy, where the private teacher trained on sensitive data is not publicly accessible but teaches a student to be publicly released.
- Score: 7.0202040971648705
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: The deployment of deep learning applications has to address the growing
privacy concerns when using private and sensitive data for training. A
conventional deep learning model is prone to privacy attacks that can recover
the sensitive information of individuals from either model parameters or
accesses to the target model. Recently, differential privacy that offers
provable privacy guarantees has been proposed to train neural networks in a
privacy-preserving manner to protect training data. However, many approaches
tend to provide the worst case privacy guarantees for model publishing,
inevitably impairing the accuracy of the trained models. In this paper, we
present a novel private knowledge transfer strategy, where the private teacher
trained on sensitive data is not publicly accessible but teaches a student to
be publicly released. In particular, a three-player
(teacher-student-discriminator) learning framework is proposed to achieve
a trade-off between utility and privacy, where the student acquires the distilled
knowledge from the teacher and is trained with the discriminator to generate
outputs similar to the teacher's. We then integrate a differential privacy
protection mechanism into the learning procedure, which enables a rigorous
privacy budget for the training. The framework eventually allows the student to be
trained with only unlabelled public data and very few epochs, and hence
prevents the exposure of sensitive training data, while ensuring model utility
with a modest privacy budget. Experiments on the MNIST, SVHN and CIFAR-10
datasets show that our students incur accuracy losses w.r.t. their teachers of
0.89%, 2.29% and 5.16%, respectively, with privacy bounds of (1.93, 10^-5),
(5.02, 10^-6) and (8.81, 10^-6). Compared with the existing works
\cite{papernot2016semi,wang2019private}, the proposed method achieves a 5-82%
improvement in accuracy loss.
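Below is a minimal, illustrative sketch of the three-player (teacher-student-discriminator) training step described in the abstract. It is not the authors' implementation: the network sizes, optimizers, loss weights, and the differential privacy step (per-example clipping plus Gaussian noise on the teacher's logits) are placeholder assumptions, and a real run would use a pre-trained teacher and a calibrated privacy accountant rather than the fixed noise scale used here.

```python
# Hypothetical sketch of one teacher-student-discriminator step with a
# Gaussian-noise approximation of the DP protection on the teacher's outputs.
# All names and hyperparameters are illustrative, not taken from the paper.
import torch
import torch.nn as nn
import torch.nn.functional as F

NUM_CLASSES, FEAT_DIM = 10, 784

def mlp(out_dim):
    return nn.Sequential(nn.Linear(FEAT_DIM, 256), nn.ReLU(), nn.Linear(256, out_dim))

teacher = mlp(NUM_CLASSES)       # in practice: pre-trained on sensitive data, frozen
student = mlp(NUM_CLASSES)       # trained only on unlabelled public data
discriminator = nn.Sequential(   # tries to tell teacher logits from student logits
    nn.Linear(NUM_CLASSES, 64), nn.ReLU(), nn.Linear(64, 1))

opt_s = torch.optim.Adam(student.parameters(), lr=1e-3)
opt_d = torch.optim.Adam(discriminator.parameters(), lr=1e-3)

def dp_teacher_logits(x, clip_norm=1.0, noise_std=0.1):
    """Clip per-example teacher logits and add Gaussian noise (illustrative DP step)."""
    with torch.no_grad():
        z = teacher(x)
        z = z * (clip_norm / z.norm(dim=1, keepdim=True).clamp(min=clip_norm))
        return z + noise_std * torch.randn_like(z)

def train_step(x_public, temperature=4.0, adv_weight=0.1):
    z_t = dp_teacher_logits(x_public)
    z_s = student(x_public)

    # 1) Discriminator update: "real" = noised teacher logits, "fake" = student logits.
    d_real, d_fake = discriminator(z_t), discriminator(z_s.detach())
    loss_d = (F.binary_cross_entropy_with_logits(d_real, torch.ones_like(d_real))
              + F.binary_cross_entropy_with_logits(d_fake, torch.zeros_like(d_fake)))
    opt_d.zero_grad(); loss_d.backward(); opt_d.step()

    # 2) Student update: temperature-scaled distillation loss plus an adversarial
    #    term that pushes the student's outputs to look like the teacher's.
    loss_kd = F.kl_div(F.log_softmax(z_s / temperature, dim=1),
                       F.softmax(z_t / temperature, dim=1),
                       reduction="batchmean") * temperature ** 2
    d_fake = discriminator(z_s)
    loss_adv = F.binary_cross_entropy_with_logits(d_fake, torch.ones_like(d_fake))
    loss_s = loss_kd + adv_weight * loss_adv
    opt_s.zero_grad(); loss_s.backward(); opt_s.step()
    return loss_d.item(), loss_s.item()

# Usage with a random unlabelled "public" batch standing in for MNIST-like data.
x = torch.randn(32, FEAT_DIM)
print(train_step(x))
```

The student's objective combines a distillation term with an adversarial term, mirroring the utility/privacy trade-off the abstract describes: the student only ever sees noised teacher outputs on public data, never the sensitive training set.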
Related papers
- FT-PrivacyScore: Personalized Privacy Scoring Service for Machine Learning Participation [4.772368796656325]
In practice, controlled data access remains a mainstream method for protecting data privacy in many industrial and research environments.
We developed the demo prototype FT-PrivacyScore to show that it's possible to efficiently and quantitatively estimate the privacy risk of participating in a model fine-tuning task.
arXiv Detail & Related papers (2024-10-30T02:41:26Z) - Privacy-Preserving Student Learning with Differentially Private Data-Free Distillation [35.37005050907983]
We present an effective teacher-student learning approach to train privacy-preserving deep learning models.
Massive synthetic data can be generated for model training without exposing data privacy.
A student is trained on the synthetic data with the supervision of private labels.
arXiv Detail & Related papers (2024-09-19T01:00:18Z) - Unlocking Accuracy and Fairness in Differentially Private Image
Classification [43.53494043189235]
Differential privacy (DP) is considered the gold standard framework for privacy-preserving training.
We show that pre-trained foundation models fine-tuned with DP can achieve similar accuracy to non-private classifiers.
arXiv Detail & Related papers (2023-08-21T17:42:33Z) - Students Parrot Their Teachers: Membership Inference on Model
Distillation [54.392069096234074]
We study the privacy provided by knowledge distillation to both the teacher and student training sets.
Our attacks are strongest when student and teacher sets are similar, or when the attacker can poison the teacher set.
arXiv Detail & Related papers (2023-03-06T19:16:23Z) - Position: Considerations for Differentially Private Learning with Large-Scale Public Pretraining [75.25943383604266]
We question whether the use of large Web-scraped datasets should be viewed as differential-privacy-preserving.
We caution that publicizing these models pretrained on Web data as "private" could lead to harm and erode the public's trust in differential privacy as a meaningful definition of privacy.
We conclude by discussing potential paths forward for the field of private learning, as public pretraining becomes more popular and powerful.
arXiv Detail & Related papers (2022-12-13T10:41:12Z) - SF-PATE: Scalable, Fair, and Private Aggregation of Teacher Ensembles [50.90773979394264]
This paper studies a model that protects the privacy of individuals' sensitive information while also allowing it to learn non-discriminatory predictors.
A key characteristic of the proposed model is that it enables the adoption of off-the-shelf, non-private fair models to create a privacy-preserving and fair model.
arXiv Detail & Related papers (2022-04-11T14:42:54Z) - Mixed Differential Privacy in Computer Vision [133.68363478737058]
AdaMix is an adaptive differentially private algorithm for training deep neural network classifiers using both private and public image data.
A few-shot or even zero-shot learning baseline that ignores private data can outperform fine-tuning on a large private dataset.
arXiv Detail & Related papers (2022-03-22T06:15:43Z) - Personalized PATE: Differential Privacy for Machine Learning with
Individual Privacy Guarantees [1.2691047660244335]
We propose three novel methods to support training an ML model with different personalized privacy guarantees within the training data.
Our experiments show that our personalized privacy methods yield higher accuracy models than the non-personalized baseline.
arXiv Detail & Related papers (2022-02-21T20:16:27Z) - Differentially Private and Fair Deep Learning: A Lagrangian Dual
Approach [54.32266555843765]
This paper studies a model that protects the privacy of individuals' sensitive information while also allowing it to learn non-discriminatory predictors.
The method relies on the notion of differential privacy and the use of Lagrangian duality to design neural networks that can accommodate fairness constraints.
arXiv Detail & Related papers (2020-09-26T10:50:33Z) - Differentially Private Deep Learning with Smooth Sensitivity [144.31324628007403]
We study privacy concerns through the lens of differential privacy.
In this framework, privacy guarantees are generally obtained by perturbing models in such a way that specifics of data used to train the model are made ambiguous.
One of the most important techniques used in previous works involves an ensemble of teacher models, which return information to a student based on a noisy voting procedure.
In this work, we propose a novel voting mechanism with smooth sensitivity, which we call Immutable Noisy ArgMax, that, under certain conditions, can bear very large random noise from the teacher without affecting the useful information transferred to the student.
arXiv Detail & Related papers (2020-03-01T15:38:00Z)
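As context for the noisy voting procedure mentioned in the entry above, here is a minimal sketch of PATE-style noisy-ArgMax aggregation over a teacher ensemble. It only illustrates the basic Laplace-noised vote; the Immutable Noisy ArgMax and smooth-sensitivity machinery of that paper are not reproduced, and the function name, noise scale, and teacher count are hypothetical.

```python
# Illustrative PATE-style noisy-ArgMax vote over an ensemble of teachers.
import numpy as np

def noisy_argmax_label(teacher_preds: np.ndarray, num_classes: int,
                       noise_scale: float = 1.0, rng=None) -> int:
    """teacher_preds: 1-D array of hard labels, one per teacher."""
    if rng is None:
        rng = np.random.default_rng()
    votes = np.bincount(teacher_preds, minlength=num_classes).astype(float)
    votes += rng.laplace(scale=noise_scale, size=num_classes)  # noise the vote counts
    return int(np.argmax(votes))

# Usage: 250 hypothetical teachers label one public query for a 10-class task.
rng = np.random.default_rng(0)
preds = rng.integers(0, 10, size=250)
print(noisy_argmax_label(preds, num_classes=10, noise_scale=1.0, rng=rng))
```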