Adversary Instantiation: Lower Bounds for Differentially Private Machine Learning
Milad Nasr, Shuang Song, Abhradeep Thakurta, Nicolas Papernot, Nicholas Carlini
- 23 May 2021
- pp 866-882
TL;DR: In this article, the authors evaluate the importance of the adversary capabilities allowed in the privacy analysis of differentially private (DP) machine learning algorithms and find that their attacks are significantly weaker when additional (realistic) restrictions are put in place on the adversary's capabilities.
Abstract: Differentially private (DP) machine learning allows us to train models on private data while limiting data leakage. DP formalizes this data leakage through a cryptographic game, where an adversary must predict if a model was trained on a dataset D, or a dataset D′ that differs in just one example. If observing the training algorithm does not meaningfully increase the adversary's odds of successfully guessing which dataset the model was trained on, then the algorithm is said to be differentially private. Hence, the purpose of privacy analysis is to upper bound the probability that any adversary could successfully guess which dataset the model was trained on. In our paper, we instantiate this hypothetical adversary in order to establish lower bounds on the probability that this distinguishing game can be won. We use this adversary to evaluate the importance of the adversary capabilities allowed in the privacy analysis of DP training algorithms. For DP-SGD, the most common method for training neural networks with differential privacy, our lower bounds are tight and match the theoretical upper bound. This implies that in order to prove better upper bounds, it will be necessary to make use of additional assumptions. Fortunately, we find that our attacks are significantly weaker when additional (realistic) restrictions are put in place on the adversary's capabilities. Thus, in the practical setting common to many real-world deployments, there is a gap between our lower bounds and the upper bounds provided by the analysis: differential privacy is conservative and adversaries may not be able to leak as much information as suggested by the theoretical bound.
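The distinguishing game described in the abstract, instantiated for a single DP-SGD step with Gaussian noise, as an added example that is not code from the paper: the canary construction, sigma = 1, delta = 1e-5 and the threshold-test adversary are assumptions of this example, and the lower bound is derived from the adversary's false-positive and false-negative rates via the (eps, delta) constraint on any hypothesis test.

```python
# Added example (not the paper's code): the DP distinguishing game for one
# DP-SGD step with Gaussian noise and a threshold-test adversary. Assumed model:
# the differing example ("canary") has a clipped gradient of norm C = 1 along a
# known direction and all other gradients are orthogonal to it, so the noised
# sum projected onto that direction is N(0, sigma^2) under D, N(1, sigma^2) under D'.
import math
import random

def phi(x):
    """Standard normal CDF."""
    return 0.5 * (1.0 + math.erf(x / math.sqrt(2.0)))

def gaussian_delta(eps, sigma):
    """Exact delta(eps) of the Gaussian mechanism with sensitivity 1 and noise sigma."""
    mu = 1.0 / sigma
    return phi(mu / 2 - eps / mu) - math.exp(eps) * phi(-mu / 2 - eps / mu)

def analytic_eps(delta, sigma):
    """Upper bound from the analysis: smallest eps making the step (eps, delta)-DP."""
    lo, hi = 0.0, 50.0
    for _ in range(200):  # bisection; delta(eps) is decreasing in eps
        mid = (lo + hi) / 2
        lo, hi = (mid, hi) if gaussian_delta(mid, sigma) > delta else (lo, mid)
    return hi

def eps_lower_bound(fpr, fnr, delta):
    """Lower bound implied by an adversary's error rates: (eps, delta)-DP forces
    1 - fpr <= e^eps * fnr + delta and 1 - fnr <= e^eps * fpr + delta."""
    cands = [math.log((1 - delta - a) / b)
             for a, b in ((fpr, fnr), (fnr, fpr)) if b > 0 and 1 - delta - a > 0]
    return max(cands + [0.0])

def play_games(sigma, threshold, n_games, seed=0):
    """Monte Carlo game (half the rounds on D, half on D'); adversary guesses D' iff obs > threshold. Returns (fpr, fnr)."""
    rng = random.Random(seed)
    fp = fn = 0
    for i in range(n_games):
        on_d_prime = i % 2 == 1
        obs = (1.0 if on_d_prime else 0.0) + rng.gauss(0.0, sigma)
        guess_d_prime = obs > threshold
        fp += int(guess_d_prime and not on_d_prime)
        fn += int(on_d_prime and not guess_d_prime)
    return 2 * fp / n_games, 2 * fn / n_games

def tail_lower_bound(sigma, delta):
    """Same adversary with exact error rates, threshold swept into the tail where
    delta bites; the best threshold meets the analytic upper bound."""
    return max(eps_lower_bound(phi(-t / sigma), phi((t - 1.0) / sigma), delta)
               for t in (k / 10 for k in range(-60, 11)))
```

With the midpoint threshold the simulated game yields an eps lower bound near 0.8, while sweeping the threshold into the tail reaches the analytic eps of about 4.4 at a threshold where the adversary's miss rate is below 1e-6, which is why a tight empirical lower bound needs a very large number of games.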
Citations
Posted Content
Mitigating Membership Inference Attacks by Self-Distillation Through a Novel Ensemble Architecture.
Xinyu Tang, Saeed Mahloujifar, Liwei Song, Virat Shejwalkar, Milad Nasr, Amir Houmansadr, Prateek Mittal +6 more
TL;DR: In this paper, the authors propose a new framework for training privacy-preserving models that induces similar behavior on member and non-member inputs to mitigate membership inference attacks. Because such a model is still vulnerable to new adaptive attacks, they use self-distillation to protect against these stronger attacks.
Journal Article
Understanding Rare Spurious Correlations in Neural Networks
Yao-Yuan Yang, Kamalika Chaudhuri +1 more
TL;DR: Yang et al. investigate how sensitive neural networks are to rare spurious correlations, which may be harder to detect and correct and may lead to privacy leaks, and find that it takes only a handful of such examples for the network to learn the correlation.
Bayesian Auctions with Efficient Queries (Extended Abstract)
01 Jul 2022
TL;DR: In this paper, the query complexity of single-item auctions with quantile queries and value queries is studied, where the seller only has limited oracle access to the players' distributions via quantile or value queries.
"Get in Researchers; We're Measuring Reproducibility": A Reproducibility Study of Machine Learning Papers in Tier 1 Security Conferences
Daniel Olszewski, Allison Lu, Carson Stillman, Kevin Warren, Cole Kitroser, Alejandro Pascual, Divyajyoti Ukirde, Kevin R. B. Butler, Patrick Traynor +8 more
- 15 Nov 2023
TL;DR: It is shown that there is no statistically significant difference between the availability of artifacts before and after the introduction of Artifact Evaluation Committees in Tier 1 conferences, and significant progress still needs to be made in computational reproducibility in Computer Security research.
Posted Content
An Empirical Study on the Intrinsic Privacy of SGD
Stephanie L. Hyland, Shruti Tople +1 more
TL;DR: The first step towards understanding whether the intrinsic randomness of stochastic gradient descent (SGD) can be leveraged for privacy is taken, to mitigate the trade-off between privacy and performance for models trained with differential-privacy (DP) guarantees.
References
Gradient-based learning applied to document recognition
Yann LeCun, Léon Bottou, Yoshua Bengio, Patrick Haffner
- 01 Jan 1998
TL;DR: In this article, a graph transformer network (GTN) is proposed for handwritten character recognition, which can be used to synthesize a complex decision surface that can classify high-dimensional patterns, such as handwritten characters.
Dissertation
Learning Multiple Layers of Features from Tiny Images
Alex Krizhevsky
- 01 Jan 2009
TL;DR: In this paper, the authors describe how to train a multi-layer generative model of natural images using a dataset of millions of tiny colour images.
Proceedings Article
Rectified Linear Units Improve Restricted Boltzmann Machines
Vinod Nair, Geoffrey E. Hinton +1 more
- 21 Jun 2010
TL;DR: Restricted Boltzmann machines were developed using binary stochastic hidden units that learn features that are better for object recognition on the NORB dataset and face verification on the Labeled Faces in the Wild dataset.
Dermatologist-level classification of skin cancer with deep neural networks
Andre Esteva, Brett Kuprel, Roberto A. Novoa, Justin M. Ko, Susan M. Swetter, Helen M. Blau, Sebastian Thrun
TL;DR: This work demonstrates an artificial intelligence capable of classifying skin cancer with a level of competence comparable to dermatologists, trained end-to-end from images directly, using only pixels and disease labels as inputs.
k-anonymity: a model for protecting privacy
TL;DR: The solution provided in this paper includes a formal protection model named k-anonymity and a set of accompanying policies for deployment, and examines re-identification attacks that can be realized on releases that adhere to k-anonymity unless the accompanying policies are respected.