Differential Privacy in Two-Layer Networks: How DP-SGD Harms Fairness and Robustness
- URL: http://arxiv.org/abs/2603.04881v1
- Date: Thu, 05 Mar 2026 07:19:31 GMT
- Title: Differential Privacy in Two-Layer Networks: How DP-SGD Harms Fairness and Robustness
- Authors: Ruichen Xu, Kexin Chen
- Abstract summary: This paper introduces a unified feature-centric framework to analyze the feature learning dynamics of differentially private stochastic gradient descent (DP-SGD). We demonstrate that the noise required for privacy leads to suboptimal feature learning.
- Score: 2.9327666088683664
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Differentially private learning is essential for training models on sensitive data, but empirical studies consistently show that it can degrade performance, introduce fairness issues like disparate impact, and reduce adversarial robustness. The theoretical underpinnings of these phenomena in modern, non-convex neural networks remain largely unexplored. This paper introduces a unified feature-centric framework to analyze the feature learning dynamics of differentially private stochastic gradient descent (DP-SGD) in two-layer ReLU convolutional neural networks. Our analysis establishes test loss bounds governed by a crucial metric: the feature-to-noise ratio (FNR). We demonstrate that the noise required for privacy leads to suboptimal feature learning, and specifically show that: 1) imbalanced FNRs across classes and subpopulations cause disparate impact; 2) even in the same class, noise has a greater negative impact on semantically long-tailed data; and 3) noise injection exacerbates vulnerability to adversarial attacks. Furthermore, our analysis reveals that the popular paradigm of public pre-training and private fine-tuning does not guarantee improvement, particularly under significant feature distribution shifts between datasets. Experiments on synthetic and real-world data corroborate our theoretical findings.
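As an added illustration (not code from the paper), the Python snippet below implements the two DP-SGD ingredients the abstract refers to, per-example gradient clipping and Gaussian noise addition, and computes a per-class signal-to-noise proxy on constructed synthetic per-example gradients. The proxy, a class's summed clipped gradient norm divided by the expected norm of the privacy noise vector, is an assumption chosen for illustration and is not the paper's feature-to-noise ratio; the constructed data, the 90/10 class split and the parameter values are likewise assumptions. What it shows is the per-batch mechanism behind the abstract's first point: the noise scale is set by the clipping norm and the noise multiplier alone, so a class with fewer examples contributes less clipped signal against the same noise.

```python
# Added example, not code from the paper: DP-SGD's clip-and-noise step and a
# per-class signal-to-noise proxy (an assumed stand-in for the paper's FNR).
import numpy as np


def clip_per_example(grads, clip_norm):
    """Scale each per-example gradient so its L2 norm is at most clip_norm."""
    grads = np.asarray(grads, dtype=float)
    norms = np.linalg.norm(grads, axis=1, keepdims=True)
    factors = np.minimum(1.0, clip_norm / np.maximum(norms, 1e-12))
    return grads * factors


def dp_sgd_step(grads, clip_norm, noise_multiplier, rng):
    """One DP-SGD aggregation step: sum the clipped per-example gradients,
    add isotropic Gaussian noise with std noise_multiplier * clip_norm,
    and divide by the batch size. Returns the noisy averaged gradient."""
    clipped = clip_per_example(grads, clip_norm)
    summed = clipped.sum(axis=0)
    noise = rng.normal(0.0, noise_multiplier * clip_norm, size=summed.shape)
    return (summed + noise) / clipped.shape[0]


def class_signal_to_noise(grads, labels, clip_norm, noise_multiplier):
    """Assumed proxy, not the paper's FNR: for each class, the L2 norm of that
    class's summed clipped gradient divided by the expected L2 norm of the
    DP noise vector (about noise_multiplier * clip_norm * sqrt(d) in d dims).
    The noise term is the same for every class, so the ratio is driven by
    how much clipped signal each class contributes to the batch."""
    clipped = clip_per_example(grads, clip_norm)
    labels = np.asarray(labels)
    noise_norm = noise_multiplier * clip_norm * np.sqrt(clipped.shape[1])
    return {int(c): float(np.linalg.norm(clipped[labels == c].sum(axis=0)) / noise_norm)
            for c in np.unique(labels)}


def demo(n_major=90, n_minor=10, d=50, clip_norm=1.0, noise_multiplier=1.0, seed=0):
    """Constructed input (assumption): class 0 has n_major examples and class 1
    has n_minor. Each per-example gradient is its class's feature direction
    (a unit axis scaled by 2) plus isotropic Gaussian jitter of std 0.5.
    Returns (per-class signal-to-noise proxy, one noisy averaged gradient)."""
    rng = np.random.default_rng(seed)
    feature = np.zeros((2, d))
    feature[0, 0] = 2.0   # class-0 feature direction
    feature[1, 1] = 2.0   # class-1 feature direction
    labels = np.array([0] * n_major + [1] * n_minor)
    grads = feature[labels] + 0.5 * rng.normal(size=(labels.size, d))
    snr = class_signal_to_noise(grads, labels, clip_norm, noise_multiplier)
    update = dp_sgd_step(grads, clip_norm, noise_multiplier, rng)
    return snr, update


if __name__ == "__main__":
    snr, update = demo()
    for c, r in snr.items():
        print(f"class {c}: clipped signal / expected noise norm = {r:.2f}")
    print("noisy update norm:", f"{np.linalg.norm(update):.3f}")
```

Running the script prints the proxy for both classes. With the constructed 90/10 split the minority class's clipped signal falls below the expected noise norm while the majority class's sits several times above it, which is the per-batch picture behind the disparate-impact claim. Raising noise_multiplier divides both ratios by the same factor, whereas raising n_minor increases only the minority class's ratio, so the gap between classes is a property of the data imbalance rather than of the privacy budget alone.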
Related papers
- Understanding Private Learning From Feature Perspective [21.60795003011593]
Differentially private stochastic gradient descent (DP-SGD) has become integral to privacy-preserving machine learning.
This paper presents the first theoretical framework to analyze private training through a feature learning perspective.
arXiv Detail & Related papers (2025-11-22T10:09:46Z) - Rethinking Benign Overfitting in Two-Layer Neural Networks [2.486161976966064]
We refine the feature-noise data model by incorporating class-dependent heterogeneous noise and re-examine the overfitting phenomenon in neural networks.
Our findings reveal that neural networks can leverage "data noise" to learn implicit features that improve the classification accuracy for long-tailed data.
arXiv Detail & Related papers (2025-02-17T15:20:04Z) - Training More Robust Classification Model via Discriminative Loss and Gaussian Noise Injection [7.535952418691443]
We introduce a loss function applied at the penultimate layer that explicitly enforces intra-class compactness.
We also propose a class-wise feature alignment mechanism that brings noisy data clusters closer to their clean counterparts.
Our approach significantly reinforces model robustness to various perturbations while maintaining high accuracy on clean data.
arXiv Detail & Related papers (2024-05-28T18:10:45Z) - Doubly Robust Causal Effect Estimation under Networked Interference via Targeted Learning [24.63284452991301]
We propose a doubly robust causal effect estimator under networked interference.
Specifically, we generalize the targeted learning technique into the networked interference setting.
We devise an end-to-end causal effect estimator by transforming the identified theoretical condition into a targeted loss.
arXiv Detail & Related papers (2024-05-06T10:49:51Z) - The Risk of Federated Learning to Skew Fine-Tuning Features and Underperform Out-of-Distribution Robustness [50.52507648690234]
Federated learning has the risk of skewing fine-tuning features and compromising the robustness of the model.
We introduce three robustness indicators and conduct experiments across diverse robust datasets.
Our approach markedly enhances the robustness across diverse scenarios, encompassing various parameter-efficient fine-tuning methods.
arXiv Detail & Related papers (2024-01-25T09:18:51Z) - How Spurious Features Are Memorized: Precise Analysis for Random and NTK Features [19.261178173399784]
We consider spurious features that are uncorrelated with the learning task.
We provide a precise characterization of how they are memorized via two separate terms.
We prove that the memorization of spurious features weakens as the generalization capability increases.
arXiv Detail & Related papers (2023-05-20T05:27:41Z) - Explicit Tradeoffs between Adversarial and Natural Distributional Robustness [48.44639585732391]
In practice, models need to enjoy both types of robustness to ensure reliability.
In this work, we show that in fact, explicit tradeoffs exist between adversarial and natural distributional robustness.
arXiv Detail & Related papers (2022-09-15T19:58:01Z) - The Interplay Between Implicit Bias and Benign Overfitting in Two-Layer Linear Networks [51.1848572349154]
Neural network models that perfectly fit noisy data can generalize well to unseen test data.
We consider interpolating two-layer linear neural networks trained with gradient flow on the squared loss and derive bounds on the excess risk.
arXiv Detail & Related papers (2021-08-25T22:01:01Z) - Non-Singular Adversarial Robustness of Neural Networks [58.731070632586594]
Adversarial robustness has become an emerging challenge for neural networks owing to their over-sensitivity to small input perturbations.
We formalize the notion of non-singular adversarial robustness for neural networks through the lens of joint perturbations to data inputs as well as model weights.
arXiv Detail & Related papers (2021-02-23T20:59:30Z) - Robustness Threats of Differential Privacy [70.818129585404]
We experimentally demonstrate that networks trained with differential privacy can, in some settings, be even more vulnerable than their non-private counterparts.
We study how the main ingredients of differentially private neural networks training, such as gradient clipping and noise addition, affect the robustness of the model.
arXiv Detail & Related papers (2020-12-14T18:59:24Z) - Vulnerability Under Adversarial Machine Learning: Bias or Variance? [77.30759061082085]
We investigate the effect of adversarial machine learning on the bias and variance of a trained deep neural network.
Our analysis sheds light on why the deep neural networks have poor performance under adversarial perturbation.
We introduce a new adversarial machine learning algorithm with lower computational complexity than well-known adversarial machine learning strategies.
arXiv Detail & Related papers (2020-08-01T00:58:54Z)
This list is automatically generated from the titles and abstracts of the papers in this site.