Convex Approximation of Two-Layer ReLU Networks for Hidden State Differential Privacy
Rob Romijnders, Antti Koskela

TL;DR
This paper introduces a convex approximation method for training two-layer ReLU networks under hidden state differential privacy, enabling privacy analysis similar to convex models and achieving comparable privacy-utility trade-offs.
Contribution
It develops a stochastic dual formulation for ReLU training, allowing privacy analysis applicable to multi-layer neural networks in the hidden state DP model.
Findings
NoisyCGD achieves privacy-utility trade-offs comparable to DP-SGD.
The convex approximation enables privacy bounds for cyclic mini-batch gradient descent.
Empirical results on benchmark tasks validate the approach.
Abstract
The hidden state threat model of differential privacy (DP) assumes that the adversary has access only to the final trained machine learning (ML) model, without seeing intermediate states during training. However, the current privacy analyses under this model are restricted to convex optimization problems, reducing their applicability to multi-layer neural networks, which are essential in modern deep learning applications. Notably, the most successful applications of the hidden state privacy analyses in classification tasks have only been for logistic regression models. We demonstrate that it is possible to privately train convex problems with privacy-utility trade-offs comparable to those of 2-layer ReLU networks trained with DP stochastic gradient descent (DP-SGD). This is achieved through a stochastic approximation of a dual formulation of the ReLU minimization problem, resulting in a…
Taxonomy
Topics: Cooperative Communication and Network Coding · Wireless Communication Security Techniques · Cryptography and Data Security
Methods: Logistic Regression
