Privacy in Machine Learning Fatemehsadat Mireshghallah WiMLDS NeurIPS19 Meet-up
Why is privacy a concern in ML? Models are trained on sensitive data such as patient history, genetic data, and search history.
Famous incidents - Anonymization
- "A Face Is Exposed for AOL Searcher No. 4417749" [Barbaro & Zeller '06]
- "Robust De-anonymization of Large Datasets (How to Break Anonymity of the Netflix Prize Dataset)" [Narayanan & Shmatikov '08]
- "Matching Known Patients to Health Records in Washington State Data" [Sweeney '13]
Attacks on trained models
- Machine Learning Models that Remember Too Much [Song '17]
- Model Inversion Attacks that Exploit Confidence Information and Basic Countermeasures [Fredrikson '15]
- Membership Inference Attacks Against Machine Learning Models [Shokri '17]
- Practical Black-Box Attacks against Machine Learning [Papernot '17]
Solutions for Private Aggregation / Training
- Differential Privacy [Dwork '06] (over 5000 papers on this)
- Privacy-Preserving Deep Learning [Shokri '15]
- Federated Learning [Konecny '15 & '16] (over 300 papers on this)
- Deep Learning with Differential Privacy [Abadi '16]
(Figure: federated learning flow chart, https://1.bp.blogspot.com/-K65Ed68KGXk/WOa9jaRWC6I/AAAAAAAABsM/gglycD_anuQSp-i67fxER1FOlVTulvV2gCLcB/s640/FederatedLearning_FinalFiles_Flow%2BChart1.png)
Inference Problem - Inverting Visual Representations with Convolutional Networks [Dosovitskiy '16]
Solutions
- MiniONN [Liu '17]
- Arden [Wang '18]
- Deep Private Feature Extraction [Osia '18]
- Shredder [Mireshghallah '19]
(Figure: design space of inference-privacy solutions, plotted as computational cost against accuracy loss. Homomorphic encryption approaches (CryptoNets, MiniONN) sit at high computational cost; accuracy-agnostic noise addition sits at high accuracy loss, inside the marked undesirable region; Shredder is placed at low cost and low accuracy loss.)
(Figure: Shredder overview. The edge runs the first partition of the network, a = L(x, θ1), combines the activation with noise tensors n1 and n2 to produce a noisy activation a', and sends a' to the cloud, which runs the remaining partition, y = R(a', θ2) = f'(x, θ, n).)
Shredder
- Non-intrusive
- 66.7% loss in information
- 97.3% misclassification of private labels
- 1.7% loss in classification of public labels
Dec 14th (Saturday) - Privacy in Machine Learning Workshop (East Meeting Rooms 8+15) - 11:30 AM
fmireshg@ucsd.edu http://cseweb.ucsd.edu/~fmireshg/
Noise distribution training phase
(Figure: training-phase pipeline. Inputs are the DNN topology and pretrained weights, the training dataset, the desired accuracy, and the computation and communication costs. A Network Partitioner splits the network into an edge partition and a cloud partition. A Noise Tensor Initializer produces a noise tensor; an Adder combines it with the intermediate activation of the edge partition to form the noisy activation fed to the cloud partition, whose output logits go to a loss function and optimizer. Per batch of data, gradients update the noise tensor; the loop continues while accuracy stays above the desired accuracy and the distance of the loss distribution and noise tensor stays below the desired value. A Laplace Distribution Fitter fits each trained noise tensor, and a collector records the distribution parameters and the order of noise elements, yielding a collection of distributions and orders with a calculated confidence interval.)
Inference phase
(Figure: inference-phase pipeline. On the edge, a Sampler draws a noise tensor ("Mist") from the collection of distributions and orders; an Adder combines it with the intermediate activation of the edge partition; the noisy activation is transmitted to the cloud, where the cloud partition produces the classification result.)
Cross-entropy loss: learn and remove private labels using only the given public labels, through self-supervision.
Shredder reduces the mutual information between the input and the communicated data and removes sensitive information through self-supervision. Shredder stabilizes privacy at a high level, while increasing accuracy of the primary task and decreasing the accuracy of the private task.
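To make the training-phase and inference-phase pipelines above concrete, the following is an added example (not the poster's or the Shredder project's own code): a numpy sketch of a split network with a Laplace-fitted noise tensor injected at the cut point, plus a least-squares inversion attack as a stand-in for the information-leakage measurement. Assumptions: the two-layer toy network and its weights are constructed; the "trained" noise tensor is replaced by a constructed Laplace draw, so the gradient-based noise training loop is not implemented; the fitter uses the Laplace maximum-likelihood estimate (median and mean absolute deviation); and the sampler preserves the rank order of the trained tensor's elements. The function and variable names are this example's, not the project's.

```python
"""Added example: Shredder-style noise injection on a split network (numpy only).
The network, weights, and the "trained" noise tensor are constructed here; the
fitter and sampler are assumptions about the pipeline, not the project's code."""
import numpy as np


def edge_partition(x, w1):
    """First partition L(x, theta1): runs on the device, emits an activation."""
    return np.maximum(x @ w1, 0.0)


def cloud_partition(a_noisy, w2):
    """Second partition R(a', theta2): runs on the server, emits logits."""
    return a_noisy @ w2


def fit_laplace(noise):
    """Laplace MLE for a trained noise tensor: location = median, scale = mean
    absolute deviation from it.  Also records the rank order of the elements so
    fresh samples can be laid out the same way (a "distribution and order")."""
    flat = np.asarray(noise, dtype=float).ravel()
    loc = float(np.median(flat))
    scale = float(np.mean(np.abs(flat - loc)))
    order = np.argsort(flat)  # order[i] = index of the i-th smallest element
    return loc, scale, order, flat.shape


def sample_noise(loc, scale, order, shape, rng, count=1):
    """Inference-time sampler: draw `count` fresh tensors from the fitted
    Laplace and permute each so element i keeps the rank it had in the trained
    tensor.  Only (loc, scale, order) are stored, never the trained tensor."""
    draws = np.sort(rng.laplace(loc, scale, size=(count, order.size)), axis=1)
    fresh = np.empty((count, order.size))
    fresh[:, order] = draws  # smallest draw goes where the smallest element was
    return fresh.reshape((count,) + shape)


def linear_inversion_rmse(x, a):
    """Attacker proxy for the inference problem: least-squares map from the
    transmitted activation back to the input; returns RMSE of the recovery.
    A crude stand-in for the mutual-information measurement on the poster."""
    w, *_ = np.linalg.lstsq(a, x, rcond=None)
    return float(np.sqrt(np.mean((a @ w - x) ** 2)))


def demo(seed=0):
    rng = np.random.default_rng(seed)
    x = rng.normal(size=(256, 8))            # constructed inputs
    w1 = rng.normal(size=(8, 16)) / 4.0       # constructed edge-partition weights
    w2 = rng.normal(size=(16, 3)) / 4.0       # constructed cloud-partition weights

    a = edge_partition(x, w1)                 # intermediate activation at the cut

    # Stand-in for the trained noise tensor (assumption: training is not shown).
    trained_noise = rng.laplace(0.0, 3.0, size=16)
    loc, scale, order, shape = fit_laplace(trained_noise)

    # One fresh noise tensor per query, drawn from the stored distribution/order.
    n = sample_noise(loc, scale, order, shape, rng, count=x.shape[0])
    a_noisy = a + n
    logits = cloud_partition(a_noisy, w2)

    return {
        "clean_inversion_rmse": linear_inversion_rmse(x, a),
        "noisy_inversion_rmse": linear_inversion_rmse(x, a_noisy),
        "logits_shape": logits.shape,
    }


if __name__ == "__main__":
    print(demo())
```

The point of storing only (location, scale, order) and resampling per query is that the server never sees a fixed noise tensor it could average out across requests; the inversion RMSE returned by `demo()` rises once noise is added, which is the effect the poster's "loss in information" number quantifies with mutual information rather than this linear proxy.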
Shredder can perform well with any cutting point. Using an edge GPU, Shredder can offer speed-ups.
Shredder’s privacy/accuracy trade-off on public and private labels (Primary and private task).
Comparison with the Deep Private Feature Extraction (DPFE) method, which needs private labels and modifies network weights, unlike Shredder.