Do Not Let Privacy Overbill Utility: Gradient Embedding Perturbation for
Private Learning
- URL: http://arxiv.org/abs/2102.12677v2
- Date: Fri, 26 Feb 2021 03:16:25 GMT
- Title: Do Not Let Privacy Overbill Utility: Gradient Embedding Perturbation for
Private Learning
- Authors: Da Yu, Huishuai Zhang, Wei Chen, Tie-Yan Liu
- Abstract summary: A differentially private model degrades the utility drastically when the model comprises a large number of trainable parameters.
We propose an algorithm, Gradient Embedding Perturbation (GEP), towards training differentially private deep models with decent accuracy.
- Score: 74.73901662374921
- License: http://creativecommons.org/licenses/by-nc-nd/4.0/
- Abstract: The privacy leakage of the model about the training data can be bounded in
the differential privacy mechanism. However, for meaningful privacy parameters,
a differentially private model degrades the utility drastically when the model
comprises a large number of trainable parameters. In this paper, we propose an
algorithm \emph{Gradient Embedding Perturbation (GEP)} towards training
differentially private deep models with decent accuracy. Specifically, in each
gradient descent step, GEP first projects individual private gradient into a
non-sensitive anchor subspace, producing a low-dimensional gradient embedding
and a small-norm residual gradient. Then, GEP perturbs the low-dimensional
embedding and the residual gradient separately according to the privacy budget.
Such a decomposition permits a small perturbation variance, which greatly helps
to break the dimensional barrier of private learning. With GEP, we achieve
decent accuracy with reasonable computational cost and modest privacy guarantee
for deep models. Especially, with privacy bound $\epsilon=8$, we achieve
$74.9\%$ test accuracy on CIFAR10 and $95.1\%$ test accuracy on SVHN,
significantly improving over existing results.
Related papers
- Sparsity-Preserving Differentially Private Training of Large Embedding
Models [67.29926605156788]
DP-SGD is a training algorithm that combines differential privacy with gradient descent.
Applying DP-SGD naively to embedding models can destroy gradient sparsity, leading to reduced training efficiency.
We present two new algorithms, DP-FEST and DP-AdaFEST, that preserve gradient sparsity during private training of large embedding models.
arXiv Detail & Related papers (2023-11-14T17:59:51Z)
- Bias-Aware Minimisation: Understanding and Mitigating Estimator Bias in
Private SGD [56.01810892677744]
We show a connection between per-sample gradient norms and the estimation bias of the private gradient oracle used in DP-SGD.
We propose Bias-Aware Minimisation (BAM) that allows for the provable reduction of private gradient estimator bias.
arXiv Detail & Related papers (2023-08-23T09:20:41Z)
- Fine-Tuning with Differential Privacy Necessitates an Additional
Hyperparameter Search [38.83524780461911]
We show how carefully selecting the layers being fine-tuned in the pretrained neural network allows us to establish new state-of-the-art tradeoffs between privacy and accuracy.
We achieve 77.9% accuracy for $(\varepsilon, \delta) = (2, 10^{-5})$ on CIFAR-100 for a model pretrained on ImageNet.
arXiv Detail & Related papers (2022-10-05T11:32:49Z)
- Individual Privacy Accounting for Differentially Private Stochastic Gradient Descent [69.14164921515949]
We characterize privacy guarantees for individual examples when releasing models trained by DP-SGD.
We find that most examples enjoy stronger privacy guarantees than the worst-case bound.
This implies groups that are underserved in terms of model utility simultaneously experience weaker privacy guarantees.
arXiv Detail & Related papers (2022-06-06T13:49:37Z)
- Large Scale Transfer Learning for Differentially Private Image
Classification [51.10365553035979]
Differential Privacy (DP) provides a formal framework for training machine learning models with individual example level privacy.
Private training using DP-SGD protects against leakage by injecting noise into individual example gradients.
While this result is quite appealing, the computational cost of training large-scale models with DP-SGD is substantially higher than non-private training.
arXiv Detail & Related papers (2022-05-06T01:22:20Z)
- Bypassing the Ambient Dimension: Private SGD with Gradient Subspace
Identification [47.23063195722975]
Differentially private SGD (DP-SGD) is one of the most popular methods for solving differentially private empirical risk minimization (ERM).
Due to its noisy perturbation on each gradient update, the error rate of DP-SGD scales with the ambient dimension $p$, the number of parameters in the model.
We propose Projected DP-SGD that performs noise reduction by projecting the noisy gradients to a low-dimensional subspace.
arXiv Detail & Related papers (2020-07-07T22:31:01Z)
- Understanding Gradient Clipping in Private SGD: A Geometric Perspective [68.61254575987013]
Deep learning models are increasingly popular in many machine learning applications where the training data may contain sensitive information.
Many learning systems now incorporate differential privacy by training their models with (differentially) private SGD.
A key step in each private SGD update is gradient clipping that shrinks the gradient of an individual example whenever its L2 norm exceeds some threshold.
arXiv Detail & Related papers (2020-06-27T19:08:12Z)
- A Better Bound Gives a Hundred Rounds: Enhanced Privacy Guarantees via
$f$-Divergences [14.008231249756678]
Our result is based on the joint range of two $f$-divergences that underlie the approximate and the Rényi variations of differential privacy.
When compared to the state-of-the-art, our bounds may lead to about 100 more gradient descent iterations for training deep learning models for the same privacy budget.
arXiv Detail & Related papers (2020-01-16T18:45:05Z)
This list is automatically generated from the titles and abstracts of the papers in this site.