DeMem: Privacy-Enhanced Robust Adversarial Learning via De-Memorization
Xiaoyu Luo, Qiongxiu Li

TL;DR
DeMem is a novel method that improves privacy protection in adversarial training by selectively targeting high-risk samples, maintaining robustness while reducing privacy leakage across various datasets and training techniques.
Contribution
DeMem introduces a targeted approach to balance privacy and robustness by focusing on high-risk samples, enhancing privacy without sacrificing adversarial robustness.
Findings
DeMem significantly reduces privacy leakage in adversarial training.
DeMem maintains robustness against natural and adversarial samples.
DeMem is compatible with various training methods and datasets.
Abstract
Adversarial robustness, the ability of a model to withstand manipulated inputs that cause errors, is essential for ensuring the trustworthiness of machine learning models in real-world applications. However, previous studies have shown that enhancing adversarial robustness through adversarial training increases vulnerability to privacy attacks. While differential privacy can mitigate these attacks, it often compromises robustness against both natural and adversarial samples. Our analysis reveals that differential privacy disproportionately impacts low-risk samples, causing an unintended performance drop. To address this, we propose DeMem, which selectively targets high-risk samples, achieving a better balance between privacy protection and model robustness. DeMem is versatile and can be seamlessly integrated into various adversarial training techniques. Extensive evaluations across…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Generative Adversarial Networks and Image Synthesis · Anomaly Detection Techniques and Applications
