SA-DPSGD: Differentially Private Stochastic Gradient Descent based on
Simulated Annealing
- URL: http://arxiv.org/abs/2211.07218v1
- Date: Mon, 14 Nov 2022 09:20:48 GMT
- Title: SA-DPSGD: Differentially Private Stochastic Gradient Descent based on
Simulated Annealing
- Authors: Jie Fu, Zhili Chen and XinPeng Ling
- Abstract summary: Differentially private gradient descent is the most popular training method with differential privacy in image recognition.
Existing DPSGD schemes lead to significant performance degradation, which prevents the application of differential privacy.
We propose a simulated annealing-based differentially private gradient descent scheme (SA-DPSGD) which accepts a candidate update with a probability that depends on the update quality and on the number of iterations.
- Score: 25.25065807901922
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Differential privacy (DP) provides a formal privacy guarantee that prevents
adversaries with access to machine learning models from extracting information
about individual training points. Differentially private stochastic gradient
descent (DPSGD) is the most popular training method with differential privacy
in image recognition. However, existing DPSGD schemes lead to significant
performance degradation, which prevents the application of differential
privacy. In this paper, we propose a simulated annealing-based differentially
private stochastic gradient descent scheme (SA-DPSGD) which accepts a candidate
update with a probability that depends both on the update quality and on the
number of iterations. Through this random update screening, we steer the
differentially private gradient descent in the right direction in each
iteration, ultimately yielding a more accurate model. In our experiments,
under the same hyperparameters, our scheme achieves test accuracies 98.35%,
87.41% and 60.92% on datasets MNIST, FashionMNIST and CIFAR10, respectively,
compared to the state-of-the-art result of 98.12%, 86.33% and 59.34%. Under the
freely adjusted hyperparameters, our scheme achieves even higher accuracies,
98.89%, 88.50% and 64.17%. We believe that our method makes a substantial
contribution toward closing the accuracy gap between private and non-private
image classification.
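
To make the screening step concrete, the following is a minimal sketch of a DP-SGD loop with a simulated-annealing acceptance test. The logistic-regression task, the use of the noisy batch loss as the quality signal, and the exponential temperature schedule are illustrative assumptions, not the exact design choices of SA-DPSGD.

```python
# Sketch of DP-SGD with a simulated-annealing acceptance test.
# Illustrative only: the quality signal and temperature schedule are assumptions.
import numpy as np

rng = np.random.default_rng(0)

# Synthetic binary-classification data for a logistic-regression model.
n, d = 512, 20
X = rng.normal(size=(n, d))
w_true = rng.normal(size=d)
y = (X @ w_true + 0.1 * rng.normal(size=n) > 0).astype(float)

def loss(w, Xb, yb):
    # Numerically stable mean logistic loss.
    z = Xb @ w
    return np.mean(np.log1p(np.exp(-np.abs(z))) + np.maximum(z, 0) - yb * z)

def per_example_grads(w, Xb, yb):
    # Gradient of the logistic loss for each example, shape (batch, d).
    p = 1.0 / (1.0 + np.exp(-(Xb @ w)))
    return (p - yb)[:, None] * Xb

# Hyperparameters (values chosen only for this demo).
clip_C, sigma, lr, batch = 1.0, 1.0, 0.5, 64
T0, decay = 1.0, 0.99          # assumed annealing temperature schedule
w = np.zeros(d)

for t in range(200):
    idx = rng.choice(n, size=batch, replace=False)
    Xb, yb = X[idx], y[idx]

    # Standard DP-SGD step: per-example clipping plus Gaussian noise.
    g = per_example_grads(w, Xb, yb)
    norms = np.linalg.norm(g, axis=1, keepdims=True)
    g_clipped = g / np.maximum(1.0, norms / clip_C)
    noisy_grad = g_clipped.sum(axis=0) / batch \
        + rng.normal(scale=sigma * clip_C / batch, size=d)

    # Candidate update and its quality signal: change in batch loss.
    w_cand = w - lr * noisy_grad
    delta = loss(w_cand, Xb, yb) - loss(w, Xb, yb)

    # Simulated-annealing screening: always accept improvements; accept
    # worse updates with a probability that shrinks as iterations grow.
    T = T0 * decay ** t
    if delta <= 0 or rng.random() < np.exp(-delta / T):
        w = w_cand

print("final full-data loss:", loss(w, X, y))
```

Note that in a fully differentially private pipeline the quality signal used for screening must itself be computed and accounted for under the privacy budget; the sketch above omits that accounting for brevity.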
Related papers
- Rethinking Improved Privacy-Utility Trade-off with Pre-existing Knowledge for DP Training [31.559864332056648]
We propose a generic differential privacy framework with heterogeneous noise (DP-Hero).
Atop DP-Hero, we instantiate a heterogeneous version of DP-SGD, where the noise injected into gradient updates is heterogeneous and guided by prior-established model parameters.
We conduct comprehensive experiments to verify and explain the effectiveness of the proposed DP-Hero, showing improved training accuracy compared with state-of-the-art works.
arXiv Detail & Related papers (2024-09-05T08:40:54Z) - Weights Shuffling for Improving DPSGD in Transformer-based Models [7.356743536182233]
This work introduces an innovative shuffling mechanism in Differentially Private Stochastic Gradient Descent (DPSGD) to enhance the utility of large models under the same privacy guarantee as the unshuffled case.
We show that permutation indeed improves the privacy guarantee of DPSGD in theory, but tracking the exact privacy loss on the shuffled model is particularly challenging.
arXiv Detail & Related papers (2024-07-22T06:41:59Z) - Differentially Private SGD Without Clipping Bias: An Error-Feedback Approach [62.000948039914135]
Using Differentially Private Gradient Descent with Gradient Clipping (DPSGD-GC) to ensure Differential Privacy (DP) comes at the cost of model performance degradation.
We propose a new error-feedback (EF) DP algorithm as an alternative to DPSGD-GC.
We establish an algorithm-specific DP analysis for our proposed algorithm, providing privacy guarantees based on Rényi DP.
arXiv Detail & Related papers (2023-11-24T17:56:44Z) - Sparsity-Preserving Differentially Private Training of Large Embedding Models [67.29926605156788]
DP-SGD is a training algorithm that combines differential privacy with gradient descent.
Applying DP-SGD naively to embedding models can destroy gradient sparsity, leading to reduced training efficiency.
We present two new algorithms, DP-FEST and DP-AdaFEST, that preserve gradient sparsity during private training of large embedding models.
arXiv Detail & Related papers (2023-11-14T17:59:51Z) - DPAF: Image Synthesis via Differentially Private Aggregation in Forward Phase [14.76128148793876]
DPAF is an effective differentially private generative model for high-dimensional image synthesis.
It reduces the information loss from gradient clipping and has low sensitivity for the aggregation.
It also tackles the problem of setting a proper batch size by proposing a novel training strategy that asymmetrically trains different parts of the discriminator.
arXiv Detail & Related papers (2023-04-20T16:32:02Z) - Fine-Tuning with Differential Privacy Necessitates an Additional Hyperparameter Search [38.83524780461911]
We show how carefully selecting the layers being fine-tuned in the pretrained neural network allows us to establish new state-of-the-art tradeoffs between privacy and accuracy.
We achieve 77.9% accuracy for $(\varepsilon, \delta) = (2, 10^{-5})$ on CIFAR-100 for a model pretrained on ImageNet.
arXiv Detail & Related papers (2022-10-05T11:32:49Z) - Individual Privacy Accounting for Differentially Private Stochastic Gradient Descent [69.14164921515949]
We characterize privacy guarantees for individual examples when releasing models trained by DP-SGD.
We find that most examples enjoy stronger privacy guarantees than the worst-case bound.
This implies groups that are underserved in terms of model utility simultaneously experience weaker privacy guarantees.
arXiv Detail & Related papers (2022-06-06T13:49:37Z) - Adaptive Differentially Private Empirical Risk Minimization [95.04948014513226]
We propose an adaptive (stochastic) gradient perturbation method for differentially private empirical risk minimization.
We prove that the ADP method considerably improves the utility guarantee compared to the standard differentially private method in which vanilla random noise is added.
arXiv Detail & Related papers (2021-10-14T15:02:20Z) - Do Not Let Privacy Overbill Utility: Gradient Embedding Perturbation for Private Learning [74.73901662374921]
A differentially private model degrades the utility drastically when the model comprises a large number of trainable parameters.
We propose an algorithm, Gradient Embedding Perturbation (GEP), for training differentially private deep models with decent accuracy.
arXiv Detail & Related papers (2021-02-25T04:29:58Z) - Differentially Private Federated Learning with Laplacian Smoothing [72.85272874099644]
Federated learning aims to protect data privacy by collaboratively learning a model without sharing private data among users.
An adversary may still be able to infer the private training data by attacking the released model.
Differential privacy provides a statistical protection against such attacks at the price of significantly degrading the accuracy or utility of the trained models.
arXiv Detail & Related papers (2020-05-01T04:28:38Z) - A Better Bound Gives a Hundred Rounds: Enhanced Privacy Guarantees via $f$-Divergences [14.008231249756678]
Our result is based on the joint range of two $f$-divergences that underlie the approximate and the Rényi variations of differential privacy.
When compared to the state-of-the-art, our bounds may lead to about 100 more gradient descent iterations for training deep learning models for the same privacy budget (a rough composition sketch after this list illustrates why tighter per-step bounds buy extra iterations).
arXiv Detail & Related papers (2020-01-16T18:45:05Z)
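
For context on why tighter composition bounds translate into more permissible training iterations, the following is a generic textbook calculation using Rényi-DP accounting for T releases of an unsubsampled Gaussian mechanism; it is only a stand-in for intuition, not the joint-range $f$-divergence bound derived in the paper above.

```latex
% Renyi-DP of a single Gaussian mechanism with L2-sensitivity \Delta and
% noise scale \sigma, composed over T steps, then converted to
% (\varepsilon, \delta)-DP (standard results; subsampling is ignored here).
\[
  \varepsilon_{\mathrm{RDP}}(\alpha)
    = T \cdot \frac{\alpha\,\Delta^{2}}{2\sigma^{2}},
  \qquad
  \varepsilon(\delta)
    \le \min_{\alpha > 1}
      \left( T \cdot \frac{\alpha\,\Delta^{2}}{2\sigma^{2}}
             + \frac{\log(1/\delta)}{\alpha - 1} \right).
\]
% Because the first term grows linearly in T, any constant-factor tightening
% of the per-step bound buys a proportional number of extra iterations at a
% fixed (\varepsilon, \delta) budget.
```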
This list is automatically generated from the titles and abstracts of the papers in this site.
This site does not guarantee the quality of its content (including all information) and is not responsible for any consequences of its use.