differential privacy machine learning
play

Differential Privacy Machine Learning Li Xiong Big Data + Machine - PowerPoint PPT Presentation

Jan 14, 2023 •2.76k likes •3.44k views

CS573 Data Privacy and Security Differential Privacy Machine Learning Li Xiong Big Data + Machine Learning + Machine Learning Under Adversarial Settings Data privacy/confidentiality attacks membership attacks, model inversion

  1. CS573 Data Privacy and Security Differential Privacy – Machine Learning Li Xiong

  2. Big Data + Machine Learning +

  3. Machine Learning Under Adversarial Settings • Data privacy/confidentiality attacks • membership attacks, model inversion attacks • Model integrity attacks • Training time: data poisoning attacks • Inference time: adversarial examples

  4. Differential Privacy for Machine Learning • Data privacy attacks • Model inversion attacks • Membership inference attacks • Differential privacy for deep learning • Noisy SGD • PATE

  5. Neural Networks

  7. Learning the parameters: Gradient Descent

  8. Stochastic Gradient Descent  Gradient Descent (batch GD)  The cost gradient is based on the complete training set, can be costly and longer to converge to minimum  Stochastic Gradient Descent (SGD, iterative or online-GD)  Update the weight after each training sample  The gradient based on a single training sample is a stochastic approximation of the true cost gradient  Converges faster but the path towards minimum may zig-zag  Mini-Batch Gradient Descent (MB-GD)  Update the weights based on small group of training samples

  9. Training-data extraction attacks Fredrikson et al. (2015) : Output (label) Private training dataset Philip Facial Jack Input (facial image) Recognitio Monica n Model … unknown

  10. Membership Inference Attacks against Machine Learning Models Reza Shokri , Marco Stronati, Congzheng Song, Vitaly Shmatikov

  11. 5 Membership Inference Attack Model Prediction Training Was this specific DATA data record part of Input Classification the training set? data airplane automobile … ship truck

  12. 8 Membership Inference Attack on Summary Statistics • Summary statistics (e.g., average) on each attribute • Underlying distribution of data is known [Homer et al. (2008)], [Dwork et al. (2015)], [Backes et al. (2016)] on Machine Learning Models Black-box setting: • No knowledge about the models’ parameters • No access to internal computations of the model • No knowledge about the underlying distribution of data

  13. 9 Exploit Model’s Predictions Main insight : ML models overfit to Model their training data Prediction API Training API DATA

  14. 9 Exploit Model’s Predictions Main insight : ML models overfit to Model their training data Prediction API Training API Input from DATA Classification the training set

  15. 9 Exploit Model’s Predictions Main insight : ML models overfit to Model their training data Prediction API Training API Input from DATA Classification the training set Input NOT from Classification the training set

  16. 9 Exploit Model’s Predictions Model Prediction API Training API Input from DATA Classification the training set Input NOT from Classification the training set Recognize the difference

  17. 10 ML against ML Model Prediction API Training API Input from DATA Classification the training set Input not from Classification the training set recognize the difference Train a ML model to

  18. 11 Train Attack Model using Shadow Models … Shadow Shadow Shadow Model 1 Model 2 Model k classification classification classification Train 1 Test 1 Train 2 Test 2 Train k Test k IN OUT IN OUT IN OUT Train the attack model to predict if an input was a member of the training set (in) or a non-member (out)

  19. 12 Obtaining Data for Training Shadow Models • Real : similar to training data of the target model (i.e., drawn from same distribution) • Synthetic : use a sampling algorithm to obtain data classified with high confidence by the target model

  20. 14 Constructing the Attack Model SYNTHETIC AT TA C K Tr a i n i n g Attack Shadow DATA DATA Shadow Model Model Shadow Shadow Shadow Shadow Shadow Models Prediction API

  21. 14 Constructing the Attack Model SYNTHETIC AT TA C K Tr a i n i n g Attack Shadow DATA DATA Shadow Model Model Shadow Shadow Shadow Shadow Shadow Models Prediction API Using the Attack Model Attack Model Model one single membership classification data record probability Prediction API

  22. 15 1 Real Data Marginal-Based Synthetic 0.9 Model-Based Synthetic Cumulative Fraction of Classes 0.8 0.7 0.6 overall accuracy: 0.5 0.89 0.4 shadows trained overall accuracy: 0.3 on synthetic data 0.93 0.2 shadows trained 0.1 on real data 0 0 0.2 0.4 0.6 0.8 1 Membership inference precision Purchase Dataset — Classify Customers (100 classes)

  23. 16 Privacy Learning Model training set data universe

  24. 16 Privacy Learning Does the model leak information about data in the training set? Model training set data universe

  25. 16 Privacy Learning Does the model leak Does the model information about data generalize to data in the training set? outside the training set? Model training set data universe

  26. 16 Privacy Learning Does the model leak Does the model information about data generalize to data in the training set? outside the training set? Model Overfitting is training set the common enemy! data universe

  27. 17 Not in a Direct Conflict! Privacy-preserving machine learning Utility (prediction accuracy) Privacy

  28. Differential Privacy for Machine Learning • Data privacy attacks • Model inversion attacks • Membership inference attacks • Differential privacy for deep learning • Noisy SGD • PATE

  29. DEEP LEARNING WITH DIFFERENTIAL PRIVACY Martin Abadi, Andy Chu, Ian Goodfellow*, Brendan McMahan, Ilya Mironov, Kunal T alwar , Li Zhang Google * OpenAI

  30. Differential Privacy (ε, δ) -Differential Privacy: The distribution of the output M ( D ) on database D is (nearly) the same as M ( D′ ) : Pr[ M ( D ) ∊ S ] ≤ exp(ε) ∙ Pr[ M ( D′ ) ∊ S ]+δ. ∀ S : quantifies information leakage allows for a small probability of failure

  31. Interpreting Differential Privacy Training Data SGD Model D D′

  32. Differential Privacy: Gaussian Mechanism If ℓ 2 - sensitivity of f : D → ℝ n : max D , D ′ || f ( D ) − f ( D ′)|| 2 < 1, then the Gaussian mechanism f ( D ) + N n (0, σ 2 ) offers (ε, δ) - differential privacy , where δ ≈ exp(- (εσ) 2 /2). Dwork, Kenthapadi, McSherry, Mironov, Naor , “Our Data, Ourselves”, Eurocrypt 2006

  33. Basic Composition Theorem If f is (ε 1 , δ 1 ) -DP and g is (ε 2 , δ 2 ) -DP , then f ( D ), g ( D ) is (ε 1 +ε 2 , δ 1 +δ 2 ) -DP

  34. Simple Recipe for CompositeFunctions Tocompute composite f with differential privacy 1. Bound sensitivity of f ’s components 2. Apply the Gaussian mechanism to each component 3. Compute total privacy via the composition theorem

  35. Deep Learning with DifferentialPrivacy

  36. Differentially Private Deep Learning 1. Loss function softmax loss 2. Training / Test data MNIST andCIFAR-10 PCA+ neural network 3. Topology Differentially private SGD 4. Training algorithm tune experimentally 5. Hyperparameters

  40. Naïve Privacy Analysis 1. Choose = 4 (1.2, 10 -5 ) -DP 2. Each step is (ε, δ) -DP 3. Number of steps T 10,000 (12,000, .1) -DP 4. Composition: ( T ε, T δ) -DP

  41. Advanced Composition Theorems

  42. Composition theorem +ε for Blue +.2ε for Blue + ε for Red

  43. Strong Composition Theorem 1. Choose = 4 (1.2, 10 -5 ) -DP 2. Each step is (ε, δ) -DP 3. Number of steps T 10,000 4. Strong comp: ( , T δ) -DP (360, .1) -DP Dwork, Rothblum, Vadhan, “Boosting and Differential Privacy”, FOCS 2010 Dwork, Rothblum, “Concentrated Differential Privacy”, https://arxiv .org/abs/1603.0188

  44. Amplification by Sampling = 4 1. Choose 1% 2. Each batch is q fraction of data (.024, 10 -7 ) -DP 3. Each step is (2 q ε, q δ) -DP 4. Number of steps T 10,000 (10, .001) -DP 5. Strong comp: ( , qT δ) -DP S. Kasiviswanathan, H. Lee, K. Nissim, S. Raskhodnikova, A. Smith, “What Can We Learn Privately?”, SIAM J. Comp, 2011

  45. Moments Accountant = 4 1. Choose 1% 2. Each batch is q fraction of data 3. Keeping track of privacy loss’s moments 4. Number of steps T 10,000 (1.25, 10 -5 ) -DP 5. Moments: ( , δ) -DP

  46. Results

  47. Our Datasets: “Fruit Flies of Machine Learning” MNIST dataset: CIFAR-10 dataset: 70,000 images 60,000 color images 28 ⨉ 28 pixels each 32 ⨉ 32 pixels each

  48. Summary of Results Baseline no privacy MNIST 98.3% CIFAR-10 80%

  49. Summary of Results [SS15] [WKC+16] Baseline reports ε per no privacy ε =2 parameter MNIST 98.3% 98% 80% CIFAR-10 80%

  50. Summary of Results [SS15] this work Baseline [WKC+16] ε =8 ε =2 ε =0.5 reports ε per ε =2 no privacy parameter δ = 10 -5 δ = 10 -5 δ = 10 -5 MNIST 98.3% 98% 80% 97% 95% 90% CIFAR-10 80% 73% 67%

  51. Contributions Differentially private deep learning applied to publicly ● available datasets and implemented in TensorFlow ○ https://github.com/tensorflow/models ● Innovations ○ Bounding sensitivity ofupdates Moments accountant to keep tracking of privacy loss ○ Lessons ● Recommendations for selection ofhyperparameters ○ Full version: https://arxiv .org/abs/1607.00133 ●

Recommend

Differential Privacy Maria-Florina Balcan 04/22/2015 Learning and Privacy To do machine

Differential Privacy Maria-Florina Balcan 04/22/2015 Learning and Privacy To do machine

Machine Learning and Differential Privacy Maria-Florina Balcan 04/22/2015 Learning and Privacy To do machine learning, we need data. What if the data contains sensitive information? medical data, web search query data, salary data,

725 views • 15 slides
Differential Privacy (Part III) Approximate (or ( , ))-differential privacy

Differential Privacy (Part III) Approximate (or ( , ))-differential privacy

Differential Privacy (Part III) Approximate (or ( , ))-differential privacy Generalized definition of differential privacy allowing for a (supposedly small) additive factor Used in a variety of applications A query mechanism M is (

1.27k views • 43 slides
Scalable Differential Privacy with Certified Robustness in Adversarial Learning NhatHai Phan 1 ,

Scalable Differential Privacy with Certified Robustness in Adversarial Learning NhatHai Phan 1 ,

The 37th International Conference on Machine Learning (ICML20), Jul 12 th - 18 th , 2020. Scalable Differential Privacy with Certified Robustness in Adversarial Learning NhatHai Phan 1 , My T. Thai 2 , Han Hu 1 , Ruoming Jin 3 , Tong Sun 4 ,

860 views • 23 slides
Privacy in Machine Learning Fatemehsadat Mireshghallah ICLR2020 Privacy: A Major Concern for

Privacy in Machine Learning Fatemehsadat Mireshghallah ICLR2020 Privacy: A Major Concern for

Privacy in Machine Learning Fatemehsadat Mireshghallah ICLR2020 Privacy: A Major Concern for Machine Learning Graphics Adopted from The New York Times Privacy Project 2 Famous incidents - Anonymization - A Face Is Exposed for AOL

1.03k views • 7 slides
Differential Privacy Techniques Beyond Differential Privacy Steven Wu Assistant Professor

Differential Privacy Techniques Beyond Differential Privacy Steven Wu Assistant Professor

Differential Privacy Techniques Beyond Differential Privacy Steven Wu Assistant Professor University of Minnesota 1 Differential privacy? Isnt it just adding noise? How to add smart noise to guarantee privacy without sacrificing

592 views • 57 slides
Guarding user Privacy with Federated Learning and Differential Privacy Brendan McMahan

Guarding user Privacy with Federated Learning and Differential Privacy Brendan McMahan

Guarding user Privacy with Federated Learning and Differential Privacy Brendan McMahan mcmahan@google.com DIMACS/Northeast Big Data Hub Workshop on Overcoming Barriers to Data Sharing including Privacy and Fairness 2017.10.24 Our Goal Imbue

956 views • 70 slides
CS573 Data Privacy and Security Local Differential Privacy Li Xiong Privacy at Scale: Local

CS573 Data Privacy and Security Local Differential Privacy Li Xiong Privacy at Scale: Local

CS573 Data Privacy and Security Local Differential Privacy Li Xiong Privacy at Scale: Local Differential Privacy in Practice (Module 1) Graham Cormode, Somesh Jha, Tejas Kulkarni, Ninghui Li, Divesh Srivastava, and Tianhao Wang Differential

819 views • 38 slides
Differential Privacy Li Xiong Outline Differential Privacy Definition Basic techniques

Differential Privacy Li Xiong Outline Differential Privacy Definition Basic techniques

CS573 Data Privacy and Security Differential Privacy Li Xiong Outline Differential Privacy Definition Basic techniques Composition theorems Statistical Data Privacy Non-interactive vs interactive Privacy goal: individual is

1.15k views • 64 slides
Deep Learning With Differential Privacy Presenter: Xiaojun Xu Deep Learning Framework

Deep Learning With Differential Privacy Presenter: Xiaojun Xu Deep Learning Framework

Deep Learning With Differential Privacy Presenter: Xiaojun Xu Deep Learning Framework Autonomous Driving Gaming Face Recognition Healthcare Deep Learning Framework Dataset Server Model Privacy Issues of Training Data Dataset Server

366 views • 33 slides
Toniann Pitassi Outline 1. Differential Privacy: The Basics 2. Differential Privacy in New

Toniann Pitassi Outline 1. Differential Privacy: The Basics 2. Differential Privacy in New

Differential Privacy and Fairness: Foundations and New Frontiers Toniann Pitassi Outline 1. Differential Privacy: The Basics 2. Differential Privacy in New Settings - Pan Privacy - Privacy in multi-party settings - Fairness Outline

947 views • 49 slides
CS573 Data Privacy and Security Differential Privacy Real World Deployments Li Xiong

CS573 Data Privacy and Security Differential Privacy Real World Deployments Li Xiong

CS573 Data Privacy and Security Differential Privacy Real World Deployments Li Xiong Applying Differential Privacy Real world deployments of differential privacy OnTheMap RAPPOR Module 4 Tutorial: Differential Privacy in the Wild

617 views • 30 slides
SECURITY, ADVERSARIAL SECURITY, ADVERSARIAL LEARNING, AND PRIVACY LEARNING, AND PRIVACY

SECURITY, ADVERSARIAL SECURITY, ADVERSARIAL LEARNING, AND PRIVACY LEARNING, AND PRIVACY

SECURITY, ADVERSARIAL SECURITY, ADVERSARIAL LEARNING, AND PRIVACY LEARNING, AND PRIVACY Christian Kaestner with slides from Eunsuk Kang Required reading: Hulten, Geoff. &quot;Building Intelligent Systems: A Guide to Machine Learning

1.95k views • 113 slides
Bridging Privacy Definitions: Differential Privacy and Concepts from Privacy Law &amp; Policy

Bridging Privacy Definitions: Differential Privacy and Concepts from Privacy Law &amp; Policy

Bridging Privacy Definitions: Differential Privacy and Concepts from Privacy Law &amp; Policy Alexandra Wood Berkman Klein Center for Internet &amp; Society at Harvard University DIMACS/Northeast Big Data Hub Workshop on Overcoming Barriers to

964 views • 54 slides
DEEP LEARNING WITH DIFFERENTIAL PRIVACY Martin Abadi, Andy Chu, Ian Goodfellow*, Brendan

DEEP LEARNING WITH DIFFERENTIAL PRIVACY Martin Abadi, Andy Chu, Ian Goodfellow*, Brendan

DEEP LEARNING WITH DIFFERENTIAL PRIVACY Martin Abadi, Andy Chu, Ian Goodfellow*, Brendan McMahan, Ilya Mironov, Kunal Talwar, Li Zhang Google * Open AI 2 3 Deep Learning Fashion Cognitive tasks: speech, text, image recognition

787 views • 53 slides
Privacy in Machine Learning Fatemehsadat Mireshghallah WiMLDS NeurIPS19 Meet-up Why is privacy a

Privacy in Machine Learning Fatemehsadat Mireshghallah WiMLDS NeurIPS19 Meet-up Why is privacy a

Privacy in Machine Learning Fatemehsadat Mireshghallah WiMLDS NeurIPS19 Meet-up Why is privacy a concern in ML? Patient History Genetic Data Search History Famous incidents - Anonymization - A Face Is Exposed for AOL Searcher No.

1.51k views • 17 slides
New Directions in Privacy- preserving Machine Learning Kamalika Chaudhuri University of

New Directions in Privacy- preserving Machine Learning Kamalika Chaudhuri University of

New Directions in Privacy- preserving Machine Learning Kamalika Chaudhuri University of California, San Diego Sensitive Data Medical Records Genetic Data Search Logs AOL Violates Privacy AOL Violates Privacy Netflix Violates Privacy [NS08]

957 views • 92 slides
Privacy Advances in Machine Learning Systems Katharine Jarmul OReilly AI London kjamistan

Privacy Advances in Machine Learning Systems Katharine Jarmul OReilly AI London kjamistan

Privacy Advances in Machine Learning Systems Katharine Jarmul OReilly AI London kjamistan When did consumers become concerned about privacy and computing? From Understanding Privacy Concerns (1992) A 1990 Louis Harris survey commissioned

443 views • 30 slides
Machine Learning for Compressive Privacy S.Y. Y. K Kung Prince ceton Un Univer ersi sity

Machine Learning for Compressive Privacy S.Y. Y. K Kung Prince ceton Un Univer ersi sity

Machine Learning for Compressive Privacy S.Y. Y. K Kung Prince ceton Un Univer ersi sity Machine Learning for Compressive Privacy Professor S.Y. Kung Email: kung@princeton.edu References: `Kernel Method and Machine

1.79k views • 142 slides
Differential privacy and applications to location privacy Catuscia Palamidessi INRIA &amp; Ecole

Differential privacy and applications to location privacy Catuscia Palamidessi INRIA &amp; Ecole

Differential privacy and applications to location privacy Catuscia Palamidessi INRIA &amp; Ecole Polytechnique 1 Plan of the talk General introduction to privacy issues A naive approach to privacy protection: anonymization Why it

740 views • 44 slides
Implementing Differential Privacy &amp; Side-channel attacks CompSci 590.03 Instructor: Ashwin

Implementing Differential Privacy &amp; Side-channel attacks CompSci 590.03 Instructor: Ashwin

Implementing Differential Privacy &amp; Side-channel attacks CompSci 590.03 Instructor: Ashwin Machanavajjhala Lecture 14 : 590.03 Fall 12 1 Outline Differential Privacy Implementations PINQ: Privacy Integrated Queries [McSherry SIGMOD

1.22k views • 40 slides
Storage, Security, and Privacy in the age of ML Aleatha Parker-Wood, Ph.D. Machine Learning and

Storage, Security, and Privacy in the age of ML Aleatha Parker-Wood, Ph.D. Machine Learning and

Storage, Security, and Privacy in the age of ML Aleatha Parker-Wood, Ph.D. Machine Learning and Privacy Lead, Humu Who am I? Storage systems Ph.D. from UCSC Post-doc in a databases group Joined Symantec Research Labs.

286 views • 25 slides
Algorithms for Differential Privacy: Exponential &amp; Median Mechanism CompSci 590.03

Algorithms for Differential Privacy: Exponential &amp; Median Mechanism CompSci 590.03

Algorithms for Differential Privacy: Exponential &amp; Median Mechanism CompSci 590.03 Instructor: Ashwin Machanavajjhala Lecture 7 : 590.03 Fall 12 1 Recap: Differential Privacy For every pair of inputs For every output that differ in one

445 views • 29 slides
Data Mining with Differential Privacy Arik Friedman and Assal Schuster by Slawomir Goryczka

Data Mining with Differential Privacy Arik Friedman and Assal Schuster by Slawomir Goryczka

Data Mining with Differential Privacy Arik Friedman and Assal Schuster by Slawomir Goryczka Differential Privacy A randomized computation M provides -differential privacy if for any datasets A and B that differ by 1 record and any set of

193 views • 17 slides
Satisfy Legal Definitions of Privacy? The Case of FERPA and Differential Privacy CS

Satisfy Legal Definitions of Privacy? The Case of FERPA and Differential Privacy CS

Do Computer Science Definitions of Privacy Satisfy Legal Definitions of Privacy? The Case of FERPA and Differential Privacy CS LAW Kobbi Nissim Ben-Gurion University Center for Research on Computation and Society

865 views • 62 slides

More recommend