Differentially Private Empirical Risk Minimization

TL;DR

This paper introduces new differentially private algorithms for empirical risk minimization, including a novel objective perturbation method, demonstrating improved privacy-utility tradeoffs in machine learning models like logistic regression and SVMs.

Contribution

The paper proposes a new objective perturbation technique for privacy-preserving ERM, with theoretical guarantees and empirical validation, outperforming previous output perturbation methods.

Findings

Objective perturbation offers better privacy-utility tradeoff than output perturbation.

The algorithms provide end-to-end privacy guarantees for model training.

Empirical results show improved performance on real and benchmark datasets.

Abstract

Privacy-preserving machine learning algorithms are crucial for the increasingly common setting in which personal data, such as medical or financial records, are analyzed. We provide general techniques to produce privacy-preserving approximations of classifiers learned via (regularized) empirical risk minimization (ERM). These algorithms are private under the $\epsilon$-differential privacy definition due to Dwork et al. (2006). First we apply the output perturbation ideas of Dwork et al. (2006), to ERM classification. Then we propose a new method, objective perturbation, for privacy-preserving machine learning algorithm design. This method entails perturbing the objective function before optimizing over classifiers. If the loss and regularizer satisfy certain convexity and differentiability criteria, we prove theoretical results showing that our algorithms preserve privacy, and provide generalization bounds for linear and nonlinear kernels. We further present a privacy-preserving technique for tuning the parameters in general machine learning algorithms, thereby providing end-to-end privacy guarantees for the training process. We apply these results to produce privacy-preserving analogues of regularized logistic regression and support vector machines. We obtain encouraging results from evaluating their performance on real demographic and benchmark data sets. Our results show that both theoretically and empirically, objective perturbation is superior to the previous state-of-the-art, output perturbation, in managing the inherent tradeoff between privacy and learning performance.