Adversary Instantiation: Lower Bounds for Differentially Private Machine Learning
Milad Nasr, Shuang Song, Abhradeep Thakurta, Nicolas Papernot, Nicholas Carlini +4 more
- 23 May 2021
- pp 866-882
TL;DR: In this article, the authors evaluate the importance of the adversary capabilities allowed in the privacy analysis of differentially private (DP) machine learning algorithms and find that their attacks are significantly weaker when additional (realistic) restrictions are put in place on the adversary's capabilities.
Abstract: Differentially private (DP) machine learning allows us to train models on private data while limiting data leakage. DP formalizes this data leakage through a cryptographic game, where an adversary must predict if a model was trained on a dataset D, or a dataset D′ that differs in just one example. If observing the training algorithm does not meaningfully increase the adversary's odds of successfully guessing which dataset the model was trained on, then the algorithm is said to be differentially private. Hence, the purpose of privacy analysis is to upper bound the probability that any adversary could successfully guess which dataset the model was trained on. In our paper, we instantiate this hypothetical adversary in order to establish lower bounds on the probability that this distinguishing game can be won. We use this adversary to evaluate the importance of the adversary capabilities allowed in the privacy analysis of DP training algorithms. For DP-SGD, the most common method for training neural networks with differential privacy, our lower bounds are tight and match the theoretical upper bound. This implies that in order to prove better upper bounds, it will be necessary to make use of additional assumptions. Fortunately, we find that our attacks are significantly weaker when additional (realistic) restrictions are put in place on the adversary's capabilities. Thus, in the practical setting common to many real-world deployments, there is a gap between our lower bounds and the upper bounds provided by the analysis: differential privacy is conservative and adversaries may not be able to leak as much information as suggested by the theoretical bound.
Citations
Membership Inference Attacks and Defenses in Federated Learning: A Survey
Li Bai, Haibo Hu, Qingqing Ye, Hongdan Li, Leixia Wang, Jianliang Xu +5 more
TL;DR: This survey categorizes and summarizes membership inference attacks and defenses in federated learning, introducing a taxonomy of existing attacks and countermeasures, analyzing strengths and weaknesses, and identifying future research directions to advance the field's privacy and security.
Investigating Membership Inference Attacks under Data Dependencies
Thomas J. Humphries, Simon Oya, Lindsey Tulloch, Matthew Rafuse, Ian Goldberg, Urs Hengartner, Florian Kerschbaum +6 more
- 01 Jul 2023
TL;DR: MIA attacks exploit dependencies in training sets, significantly impacting the effectiveness of differentially private training algorithms.
Advancing Differential Privacy: Where We Are Now and Future Directions for Real-World Deployment
Rachel Cummings, Damien Desfontaines, David Evans, Roxana Geambasu, Yangsibo Huang, Matthew Jagielski, Peter Kairouz, Gautam Kamath, Sewoong Oh, Olga Ohrimenko, Nicolas Papernot, Ryan Rogers, Milan Shen, Shuang Song, Weijie Su, Andreas Terzis, Abhradeep Guha Thakurta, Sergei Vassilvitskii, Yu-Xiang Wang, Li Xiong, Sergey Yekhanin, Da Yu, Huanyu Zhang, Wanrong Zhang +23 more
- 16 Jan 2024
LPGNet: Link Private Graph Networks for Node Classification
Aashish Kolluri, Teodora Baluta, Bryan Hooi, Prateek Saxena +3 more
- 06 May 2022
TL;DR: A new neural network architecture called LPGNet is presented, which provides differential privacy (DP) guarantees for edges using a novel design for how graph edge structure is used during training and offers consistently better privacy-utility tradeoffs than DpGCN.
•Posted Content
Practical and Private (Deep) Learning without Sampling or Shuffling
TL;DR: This paper presents a variant of Follow-The-Regularized-Leader (FTRL) that does not require sampling or shuffling to obtain the best privacy/accuracy/computation tradeoff.
References
Gradient-based learning applied to document recognition
Yann LeCun, Léon Bottou, Yoshua Bengio, Patrick Haffner
- 01 Jan 1998
TL;DR: In this article, a graph transformer network (GTN) is proposed for handwritten character recognition, which can be used to synthesize a complex decision surface that can classify high-dimensional patterns, such as handwritten characters.
•Dissertation
Learning Multiple Layers of Features from Tiny Images
Alex Krizhevsky
- 01 Jan 2009
TL;DR: In this paper, the authors describe how to train a multi-layer generative model of natural images, using a dataset of millions of tiny colour images, described in the next section.
•Proceedings Article
Rectified Linear Units Improve Restricted Boltzmann Machines
Vinod Nair, Geoffrey E. Hinton +1 more
- 21 Jun 2010
TL;DR: Restricted Boltzmann machines were developed using binary stochastic hidden units that learn features that are better for object recognition on the NORB dataset and face verification on the Labeled Faces in the Wild dataset.
Dermatologist-level classification of skin cancer with deep neural networks
Andre Esteva, Brett Kuprel, Roberto A. Novoa, Justin M. Ko, Susan M. Swetter, Helen M. Blau, Sebastian Thrun +7 more
TL;DR: This work demonstrates an artificial intelligence capable of classifying skin cancer with a level of competence comparable to dermatologists, trained end-to-end from images directly, using only pixels and disease labels as inputs.
k-anonymity: a model for protecting privacy
TL;DR: The solution provided in this paper includes a formal protection model named k-anonymity and a set of accompanying policies for deployment, and examines re-identification attacks that can be realized on releases that adhere to k-anonymity unless the accompanying policies are respected.