A Differentially Private Framework for Deep Learning with Convexified Loss Functions

TL;DR

This paper introduces a novel differentially private framework for deep learning with convexified loss functions, addressing limitations of existing DP methods by controlling noise injection at the output layer, resulting in improved privacy-utility trade-offs.

Contribution

It proposes a new output perturbation method based on a tighter global sensitivity bound, outperforming DP-SGD in privacy-utility trade-offs under certain privacy budgets.

Findings

Better privacy-utility trade-off than DP-SGD for ε ≤ 1

Empirical validation on six real-world datasets

Reduced privacy leakage against membership inference attacks

Abstract

Differential privacy (DP) has been applied in deep learning for preserving privacy of the underlying training sets. Existing DP practice falls into three categories - objective perturbation, gradient perturbation and output perturbation. They suffer from three main problems. First, conditions on objective functions limit objective perturbation in general deep learning tasks. Second, gradient perturbation does not achieve a satisfactory privacy-utility trade-off due to over-injected noise in each epoch. Third, high utility of the output perturbation method is not guaranteed because of the loose upper bound on the global sensitivity of the trained model parameters as the noise scale parameter. To address these problems, we analyse a tighter upper bound on the global sensitivity of the model parameters. Under a black-box setting, based on this global sensitivity, to control the overall noise injection, we propose a novel output perturbation framework by injecting DP noise into a randomly sampled neuron (via the exponential mechanism) at the output layer of a baseline non-private neural network trained with a convexified loss function. We empirically compare the privacy-utility trade-off, measured by accuracy loss to baseline non-private models and the privacy leakage against black-box membership inference (MI) attacks, between our framework and the open-source differentially private stochastic gradient descent (DP-SGD) approaches on six commonly used real-world datasets. The experimental evaluations show that, when the baseline models have observable privacy leakage under MI attacks, our framework achieves a better privacy-utility trade-off than existing DP-SGD implementations, given an overall privacy budget $\epsilon \leq 1$ for a large number of queries.