Adversarial Sample-Based Approach for Tighter Privacy Auditing in Final Model-Only Scenarios

TL;DR

This paper presents a new adversarial auditing method that provides tighter empirical privacy bounds for differentially private models in final model-only scenarios, improving over traditional heuristics.

Contribution

A novel loss-based input-space auditing technique that achieves more accurate empirical privacy bounds without extra assumptions.

Findings

Achieves empirical lower bounds closer to theoretical privacy guarantees.

Outperforms canary-based heuristics in final model-only scenarios.

Demonstrates effectiveness on MNIST with a privacy budget of 10.0.

Abstract

Auditing Differentially Private Stochastic Gradient Descent (DP-SGD) in the final model setting is challenging and often results in empirical lower bounds that are significantly looser than theoretical privacy guarantees. We introduce a novel auditing method that achieves tighter empirical lower bounds without additional assumptions by crafting worst-case adversarial samples through loss-based input-space auditing. Our approach surpasses traditional canary-based heuristics and is effective in final model-only scenarios. Specifically, with a theoretical privacy budget of $\varepsilon = 10.0$, our method achieves empirical lower bounds of $4.914$, compared to the baseline of $4.385$ for MNIST. Our work offers a practical framework for reliable and accurate privacy auditing in differentially private machine learning.