On Privacy Protection of Latent Dirichlet Allocation Model Training
Fangyuan Zhao, Xuebin Ren, Shusen Yang, Xinyu Yang

TL;DR
This paper investigates privacy risks in LDA model training and proposes privacy-preserving algorithms, including a privacy monitoring method and a locally private training algorithm, validated by experiments on real datasets.
Contribution
It introduces novel privacy-preserving algorithms for LDA training, addressing both inherent randomness and local differential privacy in crowdsourced data.
Findings
The inherent randomness of CGS provides some privacy guarantees.
The locally private LDA algorithm achieves differential privacy for individual data contributors.
Experimental results confirm the effectiveness of the proposed privacy-preserving methods.
| Dataset | words | training docs | test docs |
|---|---|---|---|
| KOS | 209169 | 3000 | 430 |
| NIPS | 410753 | 1349 | 150 |
| Enron | 356363 | 8000 | 2000 |
Fangyuan Zhao (1,2,3), Xuebin Ren (1,2), Shusen Yang (2,3), Xinyu Yang (1,2)
(1) School of Computer Science and Technology, Xi’an Jiaotong University, China
(2) National Engineering Laboratory for Big Data Analytics, Xi’an Jiaotong University, China
(3) Ministry of Education Key Lab For Intelligent Networks and Network Security, Xi’an Jiaotong University, China
Abstract
Latent Dirichlet Allocation (LDA) is a popular topic modeling technique for discovery of hidden semantic architecture of text datasets, and plays a fundamental role in many machine learning applications. However, like many other machine learning algorithms, the process of training a LDA model may leak the sensitive information of the training datasets and bring significant privacy risks. To mitigate the privacy issues in LDA, we focus on studying privacy-preserving algorithms of LDA model training in this paper. In particular, we first develop a privacy monitoring algorithm to investigate the privacy guarantee obtained from the inherent randomness of the collapsed gibbs sampling (CGS) process in a typical LDA training algorithm on centralized curated datasets. Then, we further propose a locally private LDA training algorithm on crowdsourced data to provide local differential privacy for individual data contributors. The experimental results on real-world datasets demonstrate the effectiveness of our proposed algorithms.
1 Introduction
Massive text data have arisen with the sustained and rapid development of the Internet. Mining and analyzing text data can help us gain a vast amount of knowledge, thus benefiting the whole society. As a fundamental model for text mining, Latent Dirichlet Allocation (LDA) Blei et al. (2003) can be used for discovering the main features of sparse text datasets by identifying their hidden semantic architecture. In particular, LDA can map high-dimensional text data to a low-dimensional topic space while retaining the implicit semantics, which has made it an effective machine learning technique for clustering or classification. Many enterprises such as Yahoo Smola and Narayanamurthy (2010), Tencent Wang et al. (2014); Yut et al. (2017), and Microsoft Yuan et al. (2015) have all built LDA platforms for supporting big data analysis and training machine learning models on various text data.
Similar to other machine learning models, LDA may be trained on datasets that contain sensitive information about individuals and will inevitably memorize some knowledge about those datasets. Unfortunately, attacks exploiting this characteristic have been proposed to extract private information about the training data from machine learning models. For example, membership inference attacks (MIA) Shokri et al. (2017) can be launched to infer the membership information of an individual. Model inversion attacks Fredrikson et al. (2014) have been shown to be able to extract training data from observed model predictions. Therefore, despite its popularity and effectiveness, the naive LDA model may also suffer from these attacks, leading to great privacy risks.
Differential privacy (DP), proposed by Dwork et al. (2006), has been the de facto standard of privacy protection with a rigorous mathematical proof. Due to its strong privacy guarantee, DP has also been exploited in many fields such as data publication Ren et al. (2018); Li et al. (2019) and machine learning Chaudhuri et al. (2011); Abadi et al. (2016), as well as LDA training Park et al. (2016); Zhu et al. (2016). For example, Park et al. (2016) proposed to obtain a privacy guarantee for LDA models by perturbing the expected sufficient statistics in each iteration of the variational Bayesian method, which is a parameter estimation algorithm for LDA. Zhu et al. (2016) presented a differentially private LDA algorithm by perturbing the sampling distribution in the collapsed Gibbs sampling (CGS) process, which is a typical training algorithm for LDA.
Both of the above algorithms achieve DP by injecting extra noise into the training process of LDA on centralized training datasets. However, as a typical sampling algorithm with inherent randomness, CGS possesses uncertainty in its execution and naturally provides some level of privacy guarantee, as indicated in Wang et al. (2015); Foulds et al. (2016). In particular, Wang et al. (2015) proved that posterior sampling and stochastic gradient Markov chain Monte Carlo techniques possess some inherent privacy guarantee. Foulds et al. (2016) further extended this conclusion to general MCMC methods. Besides the inherent privacy, both existing algorithms consider LDA model training on centralized datasets owned by a trustworthy data curator. Nevertheless, due to privacy concerns, individual data contributors may be reluctant to directly share their sensitive data and may prefer to send locally sanitized data to the model trainer.
Therefore, aiming to provide a strong privacy guarantee for LDA model training, this paper not only investigates how to utilize the inherent privacy of CGS in LDA training on centralized datasets, but also proposes a locally private version of LDA that can be trained on crowdsourced datasets with local sanitization. The contributions are summarized as follows:
- We develop a privacy monitoring algorithm to measure the inherent privacy guarantee of CGS algorithm in LDA. In particular, we first define two different levels of privacy: document level and word level, and present the corresponding lower bound of privacy guarantee after a given number of iterations.
- We propose LP-LDA, a novel mechanism that supports training a LDA model on crowd-sourced datasets with local sanitation, which can provide the guarantee of local privacy for individual data contributors.
- We conduct experiments on several real-world datasets to demonstrate the effectiveness of our proposed algorithms. Particularly, experimental results show that our LP-LDA can achieve a high model training accuracy while providing sufficient local privacy guarantee.
The rest of paper is organized as follows. Section 2 reviews the preliminaries. Section 3 describes our algorithms in detail. The experiments are presented in Section 4. Finally, we conclude the paper in Section 5.
2 Preliminaries
2.1 LDA and Collapsed Gibbs Sampling
The LDA model was first proposed by David Blei Blei et al. (2003) in 2003 for analyzing the implicit semantic architecture of a corpus. In the LDA model, any document in a corpus can be described by different distributions on latent topics, where each topic can be represented by a distribution on all words. LDA assumes the generative process of the documents in the corpus as follows:
1. for each topic , draw a “topic-word” distribution on all words from Dirichlet(), where is the hyperparameter for the Dirichlet priors and can be interpreted as the prior observation for the “topic-word” count.
2. for each document , draw a “document-topic” distribution from Dirichlet(), where is a hyperparameter similar to and represents the prior observation for the “document-topic” count.
3. for each word in a document , first draw a topic k from , and then draw a word t from .
The essence of training a LDA model is to estimate the parameters for a given corpus . The collapsed Gibbs sampling is such an effective parameter estimation algorithm. It iterates over each word and samples new topic for based on this full conditional distribution
[TABLE]
where denotes the whole words except word , denotes the count of topic assigned to word and denotes the count of topic appeared in document which are maintained in matrices and respectively.
After multiple rounds of sampling over the whole corpus, the topic sample of each word can be obtained. And the parameter can be estimated by its posterior expectation
[TABLE]
For the detailed procedure of CGS, see Heinrich (2005).
2.2 Differential Privacy
Differential privacy proposed by Dwork Dwork et al. (2006) has been the de-facto standard of privacy protection with a rigorous mathematical proof. The rationale of DP guarantee is that negligible information can be gained by manipulating the output of a query on neighboring datasets.
Definition 1.
Dwork et al. (2006) (Differential Privacy) A randomized mechanism is if for any neighboring datasets that satisfying and any output :
[TABLE]
2.3 Local Privacy
Differential privacy implicitly assumes a centralized dataset owned by a trustworthy curator and does not ensure the privacy guarantee for individual data contributors. Recently, local (differential) privacy has been proposed to provide data sanitization at the individual users’ side instead of the central server side.
Definition 2.
Dwork et al. (2014) (Local Privacy) A randomized function satisfies -local privacy if and only if for any two input tuples and in the domain of , and for any output of , there is:
[TABLE]
3 Our Approach
In this section, we first investigate the inherent privacy of CGS process in LDA for a non-sanitized dataset owned by a trustworthy curator. Then, as a complement to the privacy guarantee of the data acquisition period, a locally private mechanism LP-LDA is presented to realize LDA model training on a sanitized dataset by local users.
3.1 Privacy monitoring Algorithm
3.1.1 Inherent Privacy of CGS
Generally, DP is achieved on most machine learning algorithms by introducing extra noise or randomness, which will inevitably cause a utility loss of the trained model. However, it has been shown in Foulds et al. (2016) that some degree of inherent DP can be obtained on Gibbs sampling algorithm for free. This is because each sampling process in Gibbs sampling works in a way the same as an exponential mechanism, which is a classic method to achieve DP. Obviously, as one version of Gibbs sampling, collapsed Gibbs sampling naturally inherits this property. Furthermore, such a property can also provide privacy for free in the CGS-based LDA training process. Therefore, aiming to utilize the inherent privacy, we develop a privacy monitoring algorithm to quantify the privacy guarantee of CGS in the LDA training process. In particular, the rationale behind the privacy monitoring algorithm is to find an adequate exponential mechanism for each sampling process in CGS and then accumulate the total privacy guarantee of all exponential mechanisms according to the composition theorem of DP.
3.1.2 Document-level privacy and word-level privacy
This paper considers providing DP for the individual words and for the individual documents in the training corpus for LDA, respectively.
Word-level privacy: Let denote a corpus with words . Then, its neighboring dataset satisfying differs from by a single word . Word-level privacy prevents membership inference of individual words of the training corpus from the trained LDA model.
Document-level privacy: Let denote a corpus with documents . Then, its neighboring dataset satisfying differs from by a single document . In order to bound the sensitivity, we assume that a single document includes at most words. Document-level privacy prevents re-identification of individual documents in the training dataset of LDA, which may be contributed by and associated with individual users.
3.1.3 Inherent privacy in each sampling
To begin with, we show the essence of the intrinsic privacy guarantee in each sampling of CGS in terms of exponential mechanism. Consider the sampling process for word in the th iteration. Suppose its sampling distribution on topics is given by , where denotes the probability that topic is assigned to in this sampling. Then we can rewrite as
[TABLE]
which could be understood as an output probability of an exponential mechanism that selects the topic with probability of . The utility function of is and its sensitivity is . Obviously, is the intrinsic privacy guarantee of the exponential mechanism .
3.1.4 Privacy monitoring for each sampling
Unfortunately, it’s intractable to specify an exact value of in the execution process of CGS algorithm in LDA due to the complicated architecture of training corpus, hence we attempt to find an upper bound of to quantify the privacy guarantee .
According to Equation (1), the sampling distribution for word in in the -th iteration could be computed by
[TABLE]
Suppose that is the corresponding distribution on , which is the neighboring dataset of , then
[TABLE]
where denotes the count of topic assigned in the where . We refer to as a topic partition on and .
Given a topic partition , the privacy guarantee in this sampling process could be measured by
[TABLE]
where denotes the sensitivity of . However, there are partitions in total. So, it is computationally prohibitive to find the maximal among all partitions. In the following, we consider how to reduce the search space of partitions.
For simplicity, we first consider a special case, in which there exists some topic i with in a given partition.
Theorem 1.
Suppose that there exists some in a given partition , then the privacy guarantee
[TABLE]
if and only if for any
[TABLE]
Proof.
See Appendix A for details. ∎
Corollary 1.
Suppose that there exists a topic set with in a given partition , and it holds that
[TABLE]
for some , then the privacy guarantee
[TABLE]
Proof.
This proof follows from the result of Theorem 1. ∎
Theorem 1 and Corollary 1 illustrate a special case to find the privacy . The following lemma and theorem further demonstrate that among all the partitions, the one with the largest privacy guarantee belongs to a partition set .
Lemma 1.
There exists a partition in
[TABLE]
such that
[TABLE]
where denotes the set consisting of all the partitions.
Proof.
See Appendix B for details. ∎
Definition 3.
(Pseudo sampling distribution) Suppose that given a vector with length K, each component
[TABLE]
Then is the pseudo sampling distribution in this sampling.
Theorem 2.
Among all the partitions, there must exist a partition in
[TABLE]
such that
[TABLE]
if condition (4) holds. is the topic index such that , is the pseudo sampling distribution.
Proof.
See Appendix C for details. ∎
Theorem 2 indicates that only the partitions in need to be considered for computing the privacy in each sampling process, which greatly reduces the search scope. In particular, if condition (4) holds for all partitions in , the privacy guarantee could be computed directly by Equation (8), which is the first case to consider. If not, for any partition in not satisfying condition (4), the privacy guarantee could be computed by Equation (5). Due to the arbitrariness of , we have another cases to consider since there are partitions in . Furthermore, since whether condition (4) holds is unknown, we have to enumerate all these cases to find the privacy guarantee bound. Algorithm 1 presents the searching-based algorithm for monitoring the privacy guarantee of each sampling for each word.
3.1.5 Privacy monitoring for LDA
So far, the privacy guarantee of the sampling process for word in the th iteration can be measured by Algorithm 1. Since the sampling process of the whole CGS algorithm is iteratively performed for each word but alternatively among all the words in the corpus, the total privacy guarantee of the whole CGS process in LDA training could be computed according to the composition theorems of DP.
Theorem 3.
Given a corpus , suppose the CGS algorithm performed on word at the -th iteration satisfies -DP, then after iterations, the whole CGS algorithm performed on satisfies -DP.
Proof.
For any word , after iterations of sampling, it will have been accessed by the whole CGS process times. According to the sequential composition theorem Li et al. (2016), the total privacy guarantee for word in the CGS algorithm is . Meanwhile, according to Equation (1), each iteration of CGS in LDA accesses each word only once to perform the sampling, so according to the parallel composition theorem Li et al. (2016), the total privacy guarantee for the corpus (all words) should be the maximum privacy guarantee of CGS among all words, that is . ∎
Based on this observation, Algorithm 2 shows the privacy monitoring algorithm for the whole CGS process in LDA.
3.2 LP-LDA
As analyzed above, CGS algorithm can intrinsically guarantee the privacy of individual documents for the LDA model trained on a plain-text dataset, which is owned by a trustworthy curator. However, in many distributed applications, data servers are not always privacy-reliable and data owners may not be willing to directly contribute their sensitive data. In this case, we further propose a hidden-data based LDA mechanism LP-LDA that can perform the training process on a sanitized dataset with local privacy. In particular, the LP-LDA mechanism mainly consists of two components: local perturbation at the user side and training on reconstructed dataset at the server side.
3.2.1 Local perturbation
The local perturbation at the user side includes the following steps:
- Step 1. Each document is encoded as a binary vector , in which each bit represents the presence of the -th word in the word bag of the corpus.
- Step 2. Each bit of the binary vector is then randomly flipped according to the following randomized response rule:
[TABLE]
where is a parameter that specifies the randomness of flipping and adjusts the local privacy level.
- Step 3. Then the noisy binary vector is sent to the central server by each user. Obviously, is locally sanitized without concerning user’s privacy.
3.2.2 Training on reconstructed dataset
After receiving the flipped binary vectors from a large number of data contributors, the central server can aggregate the vectors, reconstruct the dataset and then perform training on the reconstructed dataset. The rationale behind this is that the training result of topic-word distribution is insensitive to the document partitions and only depends on the total word counts in the corpus.
- Step 1. For each bit in the noisy binary vectors, the server counts the number of s as .
- Step 2. The server then estimates the true count of each bit in the original binary vectors as .
- Step 3. For each bit, the server first computes the difference .
- Step 4. For each bit , if , the server randomly samples binary vectors with the -th bit as [math] and sets the -th bit as ; if , then the server randomly samples binary vectors with the -th bit as and sets the -th bit as [math]; otherwise, keeps the noisy bit vectors as received.
- Step 5. Based on the noisy bit vectors, the server reconstructs a dataset and performs the CGS process on it.
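The user-side perturbation (Section 3.2.1) and server-side reconstruction steps 1 to 4 above, as an added example that is not the authors' code. The page's flipping rule and estimator are not reproduced here, so this assumes standard symmetric randomized response (keep each bit with probability `keep_prob`, otherwise flip it) and its usual debiased count; `keep_prob`, the toy vocabulary, the constructed corpus, and the rounding and clamping of estimates are assumptions, and CGS training on the rebuilt vectors is left out.

```python
import math
import random


def encode(doc_words, index):
    """User step 1: one presence bit per vocabulary word."""
    bits = [0] * len(index)
    for w in doc_words:
        if w in index:
            bits[index[w]] = 1
    return bits


def perturb(bits, keep_prob, rng):
    """User step 2 (assumed rule): keep each bit with keep_prob, else flip it."""
    return [b if rng.random() < keep_prob else 1 - b for b in bits]


def per_bit_epsilon(keep_prob):
    """Local-privacy parameter of symmetric randomized response on ONE bit."""
    if not 0.5 < keep_prob < 1.0:
        raise ValueError("keep_prob must lie in (0.5, 1)")
    return math.log(keep_prob / (1.0 - keep_prob))


def estimate_counts(noisy, keep_prob):
    """Server steps 1-2: count observed 1s per bit, then debias.

    E[observed] = true*keep_prob + (n - true)*(1 - keep_prob), solved for true.
    Rounding and clamping to [0, n] are assumptions of this example.
    """
    n = len(noisy)
    flip = 1.0 - keep_prob
    observed = [sum(col) for col in zip(*noisy)]
    est = [(c - n * flip) / (keep_prob - flip) for c in observed]
    return observed, [min(n, max(0, round(e))) for e in est]


def reconstruct(noisy, keep_prob, rng):
    """Server steps 3-4: move every bit column to its estimated count."""
    observed, est = estimate_counts(noisy, keep_prob)
    rebuilt = [row[:] for row in noisy]
    for j, (c, e) in enumerate(zip(observed, est)):
        diff = c - e  # > 0 means too many 1s were received for word j
        target = 1 if diff > 0 else 0
        rows = [i for i, row in enumerate(rebuilt) if row[j] == target]
        for i in rng.sample(rows, abs(diff)):
            rebuilt[i][j] = 1 - target
    return rebuilt


def demo(n_docs=2000, keep_prob=0.9, seed=7):
    """Run both sides on a constructed corpus; return per-word counts."""
    rng = random.Random(seed)
    vocab = ["budget", "court", "energy", "gene", "merger", "vote"]
    presence = [0.60, 0.30, 0.15, 0.05, 0.40, 0.80]  # constructed rates
    docs = [[w for w, p in zip(vocab, presence) if rng.random() < p]
            for _ in range(n_docs)]
    index = {w: j for j, w in enumerate(vocab)}
    true_bits = [encode(d, index) for d in docs]           # stays on devices
    noisy = [perturb(b, keep_prob, rng) for b in true_bits]  # what is sent
    observed, est = estimate_counts(noisy, keep_prob)
    rebuilt = reconstruct(noisy, keep_prob, rng)
    true_counts = [sum(col) for col in zip(*true_bits)]
    rebuilt_counts = [sum(col) for col in zip(*rebuilt)]
    return true_counts, observed, est, rebuilt_counts


if __name__ == "__main__":
    true_counts, observed, est, rebuilt_counts = demo()
    print("per-bit epsilon:", round(per_bit_epsilon(0.9), 4))
    print("true     :", true_counts)
    print("received :", observed)
    print("estimated:", est)
    print("rebuilt  :", rebuilt_counts)
```

Rare words show the effect most clearly: the received count for a word present in about 5% of documents is dominated by flipped zeros, while the debiased estimate returns close to the true count.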
3.2.3 Privacy Analysis of LP-LDA
Theorem 4.
The LP-LDA satisfies for each document contributor where .
Proof.
Suppose a word appears in a noisy bit vector, then the probability of it being kept from the original bit vector is and the probability of it being flipped from the original bit vector is . Then, according to the definition of DP, it guarantees the privacy of
[TABLE]
The analysis also holds for any bit that . ∎
Since the reconstruction and training process are essentially post-processes on the noisy bit vectors, the local privacy remains unchanged for all the documents.
3.2.4 Utility Analysis of LP-LDA
Theorem 5.
Let and denote the counts of word in the original and perturbed datasets, respectively, then
[TABLE]
is an unbiased estimator of with the variance of
[TABLE]
Proof.
Let denote the count of word retained from the real datasets and denote the noisy part, then and follow two Binomial distributions, i.e., , . Let , then its first theoretical moment and its first sample moment . Therefore,
[TABLE]
is the moment estimator as well as unbiased estimator. Its variance is then
[TABLE]
∎
4 Experiment
In this section, we evaluate the effectiveness of our proposed privacy monitoring algorithm and locally private LDA algorithm LP-LDA on real-world datasets.
The datasets used in our experiment are: KOS (http://archive.ics.uci.edu/ml/), which contains 3430 blog entries from the dailykos website; NIPS (http://nips.djvuzone.org/txt.html), which contains 1740 research papers from the NIPS conference; and Enron (www.cs.cmu.edu/~enron), which contains 0.5 million email messages from about 150 users.
We extracted part of each dataset as our training set and used the rest as the test set. For simplicity, we set up a pre-processing phase on these datasets before running our experiments. For example, all stop words were removed and the 1000 most frequent words in each dataset were chosen as the corresponding vocabulary list. Details about these datasets after pre-processing can be found in Table 1.
In our experiments, for all datasets, the topic number is set as , the maximum iteration number of CGS process in LDA model training is set as , which is sufficient for convergence on all three datasets. The hyper parameters and are set as 0.1, 0.01, respectively.
4.1 Inherent privacy of CGS in LDA
Figure 1 illustrates the inherent privacy guarantee of CGS algorithm in LDA measured by our proposed privacy monitoring algorithm on three datasets for both document-level and word-level privacy. It should be noted that a larger privacy parameter in the figures means less privacy guarantee.
As we can see in both subfigures, both the word-level and the document-level privacy parameters of CGS in LDA increase approximately linearly with the number of sampling iterations. This is because the privacy bound in each iteration of sampling is very close, and the total privacy parameter will accumulate with the number of iterations according to the sequential composition theorem.
Although CGS on all datasets can obtain a privacy guarantee for free, the inherent privacy varies across datasets. For document level, the privacy guarantee achieved on NIPS is the weakest while that on Enron is the strongest. That is because the documents in NIPS contain the most words on average, which also means they are the most difficult to hide effectively. For word-level privacy, the LDA model trained on NIPS has the strongest privacy guarantee because it contains the largest number of words and the sampling probability for each unique word will be the lowest. On the contrary, with the fixed length of the vocabulary list, KOS contains the fewest words in total and results in the weakest word-level privacy after the same number of iterations.
4.2 Local mechanism
Figure 2 depicts the simulation performance of our proposed LP-LDA mechanism in terms of different levels of privacy. The flipping probability in LP-LDA varies from to , and the corresponding privacy level varies from to . The utility of LDA model training is measured by the perplexity on test sets. Perplexity is an information-theoretical measure commonly used to evaluate the prediction performance of an LDA model, and generally smaller perplexity on a test set means better prediction accuracy. In particular, we compared LP-LDA with a baseline privacy-preserving LDA mechanism based on the Laplace mechanism, in which the sufficient statistics of the likelihood, i.e., word count matrices and are privatized at the beginning of the CGS algorithm with the sensitivity of and privacy of Foulds et al. (2016).
As shown, both the perplexity of LP-LDA and baseline algorithm decrease with the increase of , which shows the trade-off between the privacy and utility. For stronger privacy regime with smaller , the perplexity of LP-LDA is larger than that of the baseline algorithm. That is because the Laplace mechanism baseline algorithm incurs less noise than randomized response in LP-LDA for the statistics of word count . While for weaker privacy regime with larger , the perplexity of LP-LDA is far less than that of the baseline algorithm and shows greater LDA model training utility. These utility comparison results can be also explained by the variance difference of the word count in two mechanisms. In baseline mechanism based on Laplace noise, the noise variance is , while the variance in our proposed LP-LDA is shown in Equation (10). In particular, for larger on all three datasets, we can always have .
5 Conclusion and future work
In this work, we investigate the privacy protection of LDA model training. We first show that the CGS algorithm in LDA possesses some inherent privacy in each sampling process and then propose an efficient searching-based privacy monitoring algorithm to identify the privacy guarantee bound in the iterative CGS process of LDA. In addition, besides training on a trustworthy data server, we also propose a locally private solution, LP-LDA, to achieve LDA training on a dataset sanitized by individual local users, which is applicable to many scenarios. The experiments on real-world datasets validate our proposed approaches. Future work will center on finding a tighter bound on the inherent privacy guarantee in LDA model training.
6 Acknowledgments
This work is supported by National Natural Science Foundation of China under Grant 61572398, Grant 61772410, Grant 61802298, Grant 11690011 and Grant U1811461, in part by the Fundamental Research Funds for the Central Universities under Grant xjj2018237, in part by the China Postdoctoral Science Foundation under Grant 2017M623177, and in part by the National Key Research and Development Program of China under Grant 2017YFB1010004.
Appendix A Proof of Theorem 1
Proof.
The sensitivity obtained from topic j can be computed as
[TABLE]
then we compare and
[TABLE]
By condition (4), it’s easy to prove that
[TABLE]
We can observe that when , and when and condition (11) holds. Hence, holds due to the arbitrariness of k and j. ∎
Appendix B Proof of Lemma 1
Proof.
For convenience, we denote
[TABLE]
where
[TABLE]
then the problem is transformed into proving that
[TABLE]
holds if
[TABLE]
inequality (12) is equivalent to
[TABLE]
To prove inequality (13), we consider a function set
[TABLE]
where
[TABLE]
then each function in is determined by a pair of parameters . Consider the relation between and where ; it must belong to one of the two cases below:
[TABLE]
Case 1: It must hold that since and
Case 2: It must hold that
[TABLE]
In fact, it is easy to prove that there exists only one intersection in between , denoted by . Based on this, the distribution of on the number axis also has three cases to consider:
Case 1: , by computing the derivatives of and , we have
[TABLE]
Case 2: , since holds, then:
[TABLE]
Case 3: , since holds, then:
[TABLE]
We have proved, through the above study of the property of , that there must exist a function such that . So far, Lemma 1 has been proved. ∎
Appendix C Proof of Theorem 2
Proof.
Given a partition not in , it suffices to verify that there exist some partitions from such that the privacy parameter obtained from is smaller than the parameter from those partitions. Assume that the privacy parameter from is ; then there are two cases that need to be considered:
[TABLE]
*Case 1:* Based on Lemma 1, there exists a partition from such that , and since there exists in , then according to Corollary 1
[TABLE]
*Case 2:* Based on Theorem 1, elements in satisfy
[TABLE]
Since always holds, especially for a large corpus, then it’s not hard to deduce that
[TABLE]
So far, we have proved the existence of the . According to Theorem 1, if condition (4) holds for each with , then Equation (8) will hold directly. So far, Theorem 2 has been proved completely. ∎
References
- Abadi et al. [2016] Martin Abadi, Andy Chu, Ian Goodfellow, H Brendan McMahan, Ilya Mironov, Kunal Talwar, and Li Zhang. Deep learning with differential privacy. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pages 308–318. ACM, 2016.
- Blei et al. [2003] David M Blei, Andrew Y Ng, and Michael I Jordan. Latent dirichlet allocation. Journal of Machine Learning Research, 3(Jan):993–1022, 2003.
- Chaudhuri et al. [2011] Kamalika Chaudhuri, Claire Monteleoni, and Anand D Sarwate. Differentially private empirical risk minimization. Journal of Machine Learning Research, 12(Mar):1069–1109, 2011.
- Dwork et al. [2006] Cynthia Dwork, Frank McSherry, Kobbi Nissim, and Adam Smith. Calibrating noise to sensitivity in private data analysis. In Theory of Cryptography Conference, pages 265–284. Springer, 2006.
- Dwork et al. [2014] Cynthia Dwork, Aaron Roth, et al. The algorithmic foundations of differential privacy. Foundations and Trends® in Theoretical Computer Science, 9(3–4):211–407, 2014.
- Foulds et al. [2016] James Foulds, Joseph Geumlek, Max Welling, and Kamalika Chaudhuri. On the theory and practice of privacy-preserving bayesian data analysis. arXiv preprint arXiv:1603.07294, 2016.
- Fredrikson et al. [2014] Matthew Fredrikson, Eric Lantz, Somesh Jha, Simon Lin, David Page, and Thomas Ristenpart. Privacy in pharmacogenetics: An end-to-end case study of personalized warfarin dosing. In 23rd USENIX Security Symposium (USENIX Security 14), pages 17–32, 2014.
- Heinrich [2005] Gregor Heinrich. Parameter estimation for text analysis. Technical report, 2005.
