Large Scale Transfer Learning for Differentially Private Image Classification

TL;DR

This paper demonstrates that large-scale pre-training and careful optimizer choice significantly improve differentially private image classification performance on ImageNet, achieving state-of-the-art results with reduced computational cost.

Contribution

It introduces a method combining large-scale pre-training, optimizer tuning, and minimal fine-tuning to enhance DP image classification, achieving new state-of-the-art results.

Findings

Pre-training on large datasets improves DP model utility.

Using LAMB optimizer with DP-SGD boosts performance by up to 20 percentage points.

Single-step last-layer fine-tuning with small initialization achieves SOTA results.

Abstract

Differential Privacy (DP) provides a formal framework for training machine learning models with individual example level privacy. In the field of deep learning, Differentially Private Stochastic Gradient Descent (DP-SGD) has emerged as a popular private training algorithm. Unfortunately, the computational cost of training large-scale models with DP-SGD is substantially higher than non-private training. This is further exacerbated by the fact that increasing the number of parameters leads to larger degradation in utility with DP. In this work, we zoom in on the ImageNet dataset and demonstrate that, similar to the non-private case, pre-training over-parameterized models on a large public dataset can lead to substantial gains when the model is finetuned privately. Moreover, by systematically comparing private and non-private models across a range of large batch sizes, we find that similar to non-private setting, choice of optimizer can further improve performance substantially with DP. By using LAMB optimizer with DP-SGD we saw improvement of up to 20$\%$ points (absolute). Finally, we show that finetuning just the last layer for a \emph{single step} in the full batch setting, combined with extremely small-scale (near-zero) initialization leads to both SOTA results of 81.7 $\%$ under a wide privacy budget range of $\epsilon \in [4, 10]$ and $\delta$ = $10^{-6}$ while minimizing the computational overhead substantially.