Scalable Differential Privacy with Certified Robustness in Adversarial Learning
NhatHai Phan, My T. Thai, Han Hu, Ruoming Jin, Tong Sun, Dejing Dou

TL;DR
This paper introduces a scalable method for differentially private (DP) adversarial learning in deep neural networks, achieving certified robustness to adversarial examples while balancing model utility, privacy loss, and robustness.
Contribution
It proposes a novel scalable algorithm that combines differential privacy with certified robustness: DP's sequential composition is used to randomize both the input and latent spaces, an adversarial objective based on DP's post-processing property tightens the model's sensitivity, and a new stochastic batch training method makes the mechanism practical for large DNNs and datasets.
Findings
Enhanced robustness bounds for DP DNNs
Improved scalability on large datasets
Better trade-offs between privacy, utility, and robustness
Abstract
In this paper, we aim to develop a scalable algorithm to preserve differential privacy (DP) in adversarial learning for deep neural networks (DNNs), with certified robustness to adversarial examples. By leveraging the sequential composition theory in DP, we randomize both input and latent spaces to strengthen our certified robustness bounds. To address the trade-off among model utility, privacy loss, and robustness, we design an original adversarial objective function, based on the post-processing property in DP, to tighten the sensitivity of our model. A new stochastic batch training is proposed to apply our mechanism on large DNNs and datasets, by bypassing the vanilla iterative batch-by-batch training in DP DNNs. An end-to-end theoretical analysis and evaluations show that our mechanism notably improves the robustness and scalability of DP DNNs.
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Privacy-Preserving Technologies in Data · Ethics and Social Impacts of AI
