Attack-Aware Noise Calibration for Differential Privacy
Bogdan Kulynych, Juan Felipe Gomez, Georgios Kaissis, Flavio du Pin Calmon, Carmela Troncoso

TL;DR
This paper introduces a new method for calibrating noise in differential privacy directly to attack risk levels, improving utility without sacrificing privacy compared to traditional epsilon-based calibration.
Contribution
It proposes a novel approach to calibrate noise directly to attack risk, bypassing the conservative epsilon-based method, thereby enhancing utility in privacy-preserving machine learning.
Findings
Calibrating noise to attack risk reduces noise scale significantly.
Improved model accuracy at the same privacy risk level.
Practical method demonstrated with empirical results.
Abstract
Differential privacy (DP) is a widely used approach for mitigating privacy risks when training machine learning models on sensitive data. DP mechanisms add noise during training to limit the risk of information leakage. The scale of the added noise is critical, as it determines the trade-off between privacy and utility. The standard practice is to select the noise scale to satisfy a given privacy budget \epsilon. This privacy budget is in turn interpreted in terms of operational attack risks, such as the accuracy, sensitivity, and specificity of inference attacks aimed at recovering information about the training data records. We show that first calibrating the noise scale to a privacy budget \epsilon, and then translating \epsilon to attack risk, leads to overly conservative risk assessments and unnecessarily low utility. Instead, we propose methods to directly calibrate the noise…
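The abstract's argument can be made concrete for the simplest case, a single Gaussian-mechanism release. The following is an added illustration, not the paper's code or its DP-SGD setting (which involves composition over many training steps), and the function names and the constructed targets (attack TPR of at most 0.10 at FPR 0.01, \delta = 10^{-5}, sensitivity \Delta = 1) are assumptions for the example. It models the inference attack as the optimal hypothesis test between the two neighbouring output distributions N(0, \sigma^2) and N(\Delta, \sigma^2), with \mu = \Delta/\sigma, which is the standard hypothesis-testing view of DP. The "via epsilon" route picks the largest \epsilon whose generic (\epsilon, \delta) bound TPR \le e^{\epsilon}\,FPR + \delta still meets the target and then calibrates \sigma to that (\epsilon, \delta) using the exact Gaussian privacy profile of Balle and Wang (2018); the "direct" route solves the mechanism's own attack curve for \sigma.

```python
"""Noise calibration for one Gaussian release: epsilon route vs. direct attack-risk route.

Added illustration of the abstract's argument; not the paper's code. Assumes the released
statistic has L2 sensitivity SENSITIVITY and that the attacker runs the optimal
(Neyman-Pearson) threshold test between N(0, sigma^2) and N(Delta, sigma^2).
"""
import math
from statistics import NormalDist

_STD_NORMAL = NormalDist()   # standard normal N(0, 1): .cdf is Phi, .inv_cdf is Phi^{-1}
SENSITIVITY = 1.0            # assumed L2 sensitivity Delta of the released statistic


def attack_tpr(mu, fpr):
    """Exact, attainable sensitivity (true-positive rate) of the optimal inference attack run at
    false-positive rate `fpr` against a Gaussian mechanism with mu = Delta / sigma."""
    return _STD_NORMAL.cdf(_STD_NORMAL.inv_cdf(fpr) + mu)


def tpr_bound_from_eps_delta(eps, delta, fpr):
    """Attack TPR bound implied by (eps, delta)-DP alone, for any mechanism:
    TPR <= e^eps * FPR + delta. This is the bound the epsilon route reasons with."""
    return min(1.0, math.exp(eps) * fpr + delta)


def gaussian_delta(mu, eps):
    """Exact delta(eps) of the Gaussian mechanism with mu = Delta / sigma (Balle & Wang, 2018)."""
    return (_STD_NORMAL.cdf(mu / 2 - eps / mu)
            - math.exp(eps) * _STD_NORMAL.cdf(-mu / 2 - eps / mu))


def mu_for_eps_delta(eps, delta, iters=200):
    """Largest mu (least noise) for which the Gaussian mechanism is (eps, delta)-DP.
    gaussian_delta is increasing in mu, so bisection is sound."""
    lo, hi = 1e-6, 50.0
    for _ in range(iters):
        mid = (lo + hi) / 2
        if gaussian_delta(mid, eps) <= delta:
            lo = mid
        else:
            hi = mid
    return lo


def calibrate_via_epsilon(target_tpr, fpr, delta):
    """Standard route. Returns (eps, sigma): the largest eps whose generic DP bound still meets
    the target attack TPR at `fpr`, and the noise scale calibrated to that (eps, delta)."""
    eps = math.log((target_tpr - delta) / fpr)   # solves e^eps * fpr + delta = target_tpr
    mu = mu_for_eps_delta(eps, delta)
    return eps, SENSITIVITY / mu


def calibrate_to_attack_risk(target_tpr, fpr):
    """Direct route. Returns sigma: solve attack_tpr(mu, fpr) = target_tpr in closed form."""
    mu = _STD_NORMAL.inv_cdf(target_tpr) - _STD_NORMAL.inv_cdf(fpr)
    return SENSITIVITY / mu


def dp_bound_holds(mu, eps, delta, tol=1e-9):
    """Sanity check: the exact attack curve never exceeds the (eps, delta) bound on a grid of
    false-positive rates, so the direct route is not trading away the DP guarantee."""
    fprs = [10 ** (-k / 4) for k in range(1, 40)] + [0.5, 0.9]
    return all(attack_tpr(mu, a) <= tpr_bound_from_eps_delta(eps, delta, a) + tol for a in fprs)


if __name__ == "__main__":
    # Constructed target: attack sensitivity at most 10% when its false-positive rate is 1%.
    target_tpr, fpr, delta = 0.10, 0.01, 1e-5
    eps, sigma_eps = calibrate_via_epsilon(target_tpr, fpr, delta)
    sigma_direct = calibrate_to_attack_risk(target_tpr, fpr)
    print(f"via epsilon: eps={eps:.3f} sigma={sigma_eps:.3f} "
          f"actual TPR@FPR={fpr}: {attack_tpr(SENSITIVITY / sigma_eps, fpr):.4f}")
    print(f"direct:      sigma={sigma_direct:.3f} "
          f"actual TPR@FPR={fpr}: {attack_tpr(SENSITIVITY / sigma_direct, fpr):.4f}")
```

With these targets the epsilon route lands on \epsilon \approx 2.30 and roughly twice the noise scale of the direct route, and the attack it actually permits has a TPR of about 4% rather than the 10% that was budgeted for: the slack comes from the generic linear bound e^{\epsilon}\,FPR + \delta, which is tight for no single FPR of the Gaussian mechanism. The direct route hits the 10% target exactly with \sigma \approx 0.96, while `dp_bound_holds` confirms the mechanism still satisfies the (\epsilon, \delta) guarantee it was being judged against. For iterative training the same comparison needs the composed trade-off curve rather than this closed form.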
Taxonomy
Topics: Network Security and Intrusion Detection · Information and Cyber Security · Smart Grid Security and Resilience
