Hyperparameter Tuning with Renyi Differential Privacy
- URL: http://arxiv.org/abs/2110.03620v1
- Date: Thu, 7 Oct 2021 16:58:46 GMT
- Title: Hyperparameter Tuning with Renyi Differential Privacy
- Authors: Nicolas Papernot, Thomas Steinke
- Abstract summary: We study the privacy leakage resulting from the multiple training runs needed to fine-tune the hyperparameters of a differentially private algorithm.
We provide privacy guarantees for hyperparameter search procedures within the framework of Renyi Differential Privacy.
- Score: 31.522386779876598
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: For many differentially private algorithms, such as the prominent noisy
stochastic gradient descent (DP-SGD), the analysis needed to bound the privacy
leakage of a single training run is well understood. However, few studies have
reasoned about the privacy leakage resulting from the multiple training runs
needed to fine tune the value of the training algorithm's hyperparameters. In
this work, we first illustrate how simply setting hyperparameters based on
non-private training runs can leak private information. Motivated by this
observation, we then provide privacy guarantees for hyperparameter search
procedures within the framework of Renyi Differential Privacy. Our results
improve and extend the work of Liu and Talwar (STOC 2019). Our analysis
supports our previous observation that tuning hyperparameters does indeed leak
private information, but we prove that, under certain assumptions, this leakage
is modest, as long as each candidate training run needed to select
hyperparameters is itself differentially private.
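In concrete terms, the procedure analyzed in the paper repeats a base DP training algorithm a random number of times, each time with independently sampled hyperparameters, and releases only the best candidate. Below is a minimal sketch under that reading; `train_dp`, `score`, and the illustrative hyperparameter ranges are placeholder assumptions, and Poisson stopping is just one of the stopping distributions the paper considers.

```python
import numpy as np

# Minimal sketch of private selection: a random number of DP training runs,
# each with freshly sampled hyperparameters; only the best result is released.

def sample_hyperparameters(rng):
    """Draw one candidate hyperparameter setting (illustrative ranges)."""
    return {
        "learning_rate": 10 ** rng.uniform(-4, -1),
        "clipping_norm": rng.uniform(0.1, 2.0),
    }

def private_hyperparameter_search(train_dp, score, data, mean_runs=10.0, seed=0):
    """Poisson-distributed number of DP training runs; keep only the best.

    Each call train_dp(data, hparams) must itself be differentially private,
    and score(model) must also be computed privately (e.g., a noisy validation
    accuracy) for the end-to-end Renyi DP guarantee to apply.
    """
    rng = np.random.default_rng(seed)
    k = rng.poisson(mean_runs)                 # random number of candidate runs
    best_model, best_score = None, -np.inf
    for _ in range(k):
        hparams = sample_hyperparameters(rng)  # fresh hyperparameters per run
        model = train_dp(data, hparams)        # one DP training run
        s = score(model)
        if s > best_score:
            best_model, best_score = model, s
    return best_model                          # only the best run is released
```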
Related papers
- Masked Differential Privacy [64.32494202656801]
We propose an effective approach called masked differential privacy (DP), which allows for controlling sensitive regions where differential privacy is applied.
Our method operates selectively on the data and allows for defining non-sensitive spatio-temporal regions without DP application, or combining differential privacy with other privacy techniques within data samples.
arXiv Detail & Related papers (2024-10-22T15:22:53Z)
- Revisiting Differentially Private Hyper-parameter Tuning [20.278323915802805]
Recent works propose a generic private selection solution for the tuning process, yet a fundamental question persists: is this privacy bound tight?
This paper provides an in-depth examination of this question.
Our findings underscore a substantial gap between the current theoretical privacy bound and the empirical bound derived even under strong audit setups.
arXiv Detail & Related papers (2024-02-20T15:29:49Z)
- Initialization Matters: Privacy-Utility Analysis of Overparameterized Neural Networks [72.51255282371805]
We prove a privacy bound for the KL divergence between model distributions on worst-case neighboring datasets.
We find that this KL privacy bound is largely determined by the expected squared gradient norm relative to model parameters during training.
arXiv Detail & Related papers (2023-10-31T16:13:22Z)
- Practical Differentially Private Hyperparameter Tuning with Subsampling [8.022555128083026]
We propose a new class of differentially private (DP) machine learning (ML) algorithms in which the number of random-search samples is itself randomized.
We focus on lowering both the DP bounds and the computational cost of these methods by using only a random subset of the sensitive data.
We provide a Rényi differential privacy analysis for the proposed method and experimentally show that it consistently leads to a better privacy-utility trade-off.
arXiv Detail & Related papers (2023-01-27T21:01:58Z)
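A hedged sketch of the subsampling idea summarized above (not the authors' code): candidate runs are evaluated on a random subset of the sensitive data, so the Rényi DP analysis can exploit subsampling amplification and the compute cost drops, and only the final run with the selected hyperparameters touches the full dataset. The helpers `train_dp`, `score`, and `sample_hyperparameters` are assumed, as in the earlier sketch.

```python
import numpy as np

# Illustrative flow: randomized number of random-search candidates evaluated
# on a data subsample, then one full-data DP run with the chosen setting.

def subsampled_dp_tuning(train_dp, score, sample_hyperparameters, data,
                         subsample_frac=0.1, mean_runs=10.0, seed=0):
    rng = np.random.default_rng(seed)
    n = len(data)
    idx = rng.choice(n, size=max(1, int(subsample_frac * n)), replace=False)
    subset = [data[i] for i in idx]        # random subset of the sensitive data

    k = rng.poisson(mean_runs)             # randomized number of search samples
    best_hparams, best_score = None, -np.inf
    for _ in range(k):
        hparams = sample_hyperparameters(rng)
        s = score(train_dp(subset, hparams))   # DP candidate run on the subset
        if s > best_score:
            best_hparams, best_score = hparams, s

    # One final DP training run on the full data with the chosen hyperparameters.
    return train_dp(data, best_hparams) if best_hparams is not None else None
```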
- Revisiting Hyperparameter Tuning with Differential Privacy [1.6425841685973384]
We provide a framework for privacy-preserving machine learning with differential privacy.
We show that the additional privacy loss bound incurred by hyperparameter tuning is upper-bounded by the square root of the gained utility.
We note that the additional privacy loss bound would empirically scale like the square root of the logarithm of the utility term, benefiting from the doubling-step design.
arXiv Detail & Related papers (2022-11-03T14:42:19Z)
- TAN Without a Burn: Scaling Laws of DP-SGD [70.7364032297978]
Differentially Private methods for training Deep Neural Networks (DNNs) have progressed recently.
We decouple privacy analysis and experimental behavior of noisy training to explore the trade-off with minimal computational requirements.
We apply the proposed method on CIFAR-10 and ImageNet and, in particular, strongly improve the state-of-the-art on ImageNet with a +9 points gain in top-1 accuracy.
arXiv Detail & Related papers (2022-10-07T08:44:35Z)
- Fine-Tuning with Differential Privacy Necessitates an Additional Hyperparameter Search [38.83524780461911]
We show how carefully selecting the layers being fine-tuned in the pretrained neural network allows us to establish new state-of-the-art tradeoffs between privacy and accuracy.
We achieve 77.9% accuracy for $(\varepsilon, \delta) = (2, 10^{-5})$ on CIFAR-100 for a model pretrained on ImageNet.
arXiv Detail & Related papers (2022-10-05T11:32:49Z)
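A hedged illustration of the layer-selection idea from the paper above: freeze a pretrained backbone and make only a chosen subset of layers trainable before running DP-SGD, so the privacy noise is spread over far fewer parameters. The ResNet-50 layer names and the CIFAR-100 head below are illustrative assumptions, and which layers to unfreeze is itself a hyperparameter that has to be searched over.

```python
import torch
import torchvision

# Load an ImageNet-pretrained backbone and replace the head for CIFAR-100.
model = torchvision.models.resnet50(weights="IMAGENET1K_V1")
model.fc = torch.nn.Linear(model.fc.in_features, 100)

# Freeze everything, then unfreeze only the selected layers.
for p in model.parameters():
    p.requires_grad = False
for name, p in model.named_parameters():
    if name.startswith(("fc", "layer4")):   # illustrative layer choice
        p.requires_grad = True

trainable = [p for p in model.parameters() if p.requires_grad]
optimizer = torch.optim.SGD(trainable, lr=0.1)
# The training loop over `trainable` would then use a DP-SGD implementation
# (per-example gradient clipping plus Gaussian noise), e.g., via a library
# such as Opacus; that part is omitted here.
```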
- Algorithms with More Granular Differential Privacy Guarantees [65.3684804101664]
We consider partial differential privacy (DP), which allows quantifying the privacy guarantee on a per-attribute basis.
In this work, we study several basic data analysis and learning tasks, and design algorithms whose per-attribute privacy parameter is smaller than the best possible privacy parameter for the entire record of a person.
arXiv Detail & Related papers (2022-09-08T22:43:50Z)
- Individual Privacy Accounting for Differentially Private Stochastic Gradient Descent [69.14164921515949]
We characterize privacy guarantees for individual examples when releasing models trained by DP-SGD.
We find that most examples enjoy stronger privacy guarantees than the worst-case bound.
This implies groups that are underserved in terms of model utility simultaneously experience weaker privacy guarantees.
arXiv Detail & Related papers (2022-06-06T13:49:37Z)
- Do Not Let Privacy Overbill Utility: Gradient Embedding Perturbation for Private Learning [74.73901662374921]
Differentially private training degrades utility drastically when the model comprises a large number of trainable parameters.
We propose an algorithm, Gradient Embedding Perturbation (GEP), towards training differentially private deep models with decent accuracy.
arXiv Detail & Related papers (2021-02-25T04:29:58Z)
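A rough sketch of the gradient embedding perturbation idea (an illustration under my reading, not the authors' implementation): estimate a low-dimensional subspace from gradients computed on non-sensitive auxiliary data, project the private per-example gradients onto it, and clip and noise the embedding and the small residual separately, so the added noise no longer scales with the full parameter count.

```python
import numpy as np

def gep_step(private_grads, public_grads, k=16, clip_embed=1.0,
             clip_resid=1.0, sigma=1.0, rng=None):
    """One aggregation step. Gradients are (num_examples, num_params) arrays."""
    rng = np.random.default_rng() if rng is None else rng

    # Anchor subspace: top-k right singular vectors of the auxiliary gradients.
    _, _, vt = np.linalg.svd(public_grads, full_matrices=False)
    basis = vt[:k]                                   # (k, num_params)

    embed = private_grads @ basis.T                  # low-dimensional embeddings
    resid = private_grads - embed @ basis            # residual components

    def clip(x, c):                                  # per-example L2 clipping
        norms = np.linalg.norm(x, axis=1, keepdims=True)
        return x * np.minimum(1.0, c / np.maximum(norms, 1e-12))

    embed, resid = clip(embed, clip_embed), clip(resid, clip_resid)

    # Sum over examples and add Gaussian noise calibrated to the clipping norms.
    noisy_embed = embed.sum(0) + rng.normal(0, sigma * clip_embed, size=embed.shape[1])
    noisy_resid = resid.sum(0) + rng.normal(0, sigma * clip_resid, size=resid.shape[1])

    n = private_grads.shape[0]
    return (noisy_embed @ basis + noisy_resid) / n   # averaged noisy gradient
```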
This list is automatically generated from the titles and abstracts of the papers in this site.
This site does not guarantee the quality of the information presented (including all listed papers) and is not responsible for any consequences of its use.