Approximating Two-Layer ReLU Networks for Hidden State Analysis in Differential Privacy

Antti Koskela
2024-10-11
Abstract: The hidden state threat model of differential privacy (DP) assumes that the adversary has access only to the final trained machine learning (ML) model, without seeing intermediate states during training. Current privacy analyses under this model, however, are limited to convex optimization problems, reducing their applicability to multi-layer neural networks, which are essential in modern deep learning applications. Additionally, the most successful applications of the hidden state privacy analyses in classification tasks have been for logistic regression models. We demonstrate that it is possible to privately train convex problems with privacy-utility trade-offs comparable to those of one hidden-layer ReLU networks trained with DP stochastic gradient descent (DP-SGD). We achieve this through a stochastic approximation of a dual formulation of the ReLU minimization problem which results in a strongly convex problem. This enables the use of existing hidden state privacy analyses, providing accurate privacy bounds also for the noisy cyclic mini-batch gradient descent (NoisyCGD) method with fixed disjoint mini-batches. Our experiments on benchmark classification tasks show that NoisyCGD can achieve privacy-utility trade-offs comparable to DP-SGD applied to one-hidden-layer ReLU networks. Additionally, we provide theoretical utility bounds that highlight the speed-ups gained through the convex approximation.
Machine Learning, Cryptography and Security
What problem does this paper attempt to address?
The paper attempts to address the problem of how to effectively train a two-layer ReLU neural network model with high privacy and utility under the framework of Differential Privacy (DP). Specifically, the paper focuses on privacy analysis under the hidden state threat model, which assumes that the attacker can only access the final trained machine learning model and cannot see the intermediate states during the training process. However, current privacy analysis methods are mainly applicable to convex optimization problems and have limited application to non-convex problems such as multi-layer neural networks. Additionally, existing hidden state privacy analysis is primarily applied to logistic regression models in classification tasks. To address these issues, the paper makes the following contributions:

1. **Combining Convex Optimization and Privacy Amplification**: By transforming the minimization problem of a two-layer ReLU network into a strongly convex problem and utilizing iterative privacy amplification analysis methods, the paper demonstrates that it is possible to achieve a privacy-utility trade-off comparable to that of a two-layer ReLU network trained with DP-SGD under the hidden state threat model.
2. **Approximation Methods**: The paper proposes a series of approximation methods to ensure that the transformed strongly convex problem meets the requirements of hidden state analysis.
3. **Experimental Validation**: The paper conducts experiments on standard classification task benchmark datasets to validate that the proposed NoisyCGD method achieves a privacy-utility trade-off comparable to DP-SGD.
4. **Theoretical Analysis**: The paper provides a theoretical utility bound analysis, demonstrating the speedup obtained through convex approximation.
In summary, the paper aims to improve the training effectiveness of multi-layer ReLU networks under the differential privacy framework through convex approximation and privacy amplification techniques, achieving good practical performance while maintaining high privacy.
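As an added illustration, not code from the paper, the following sketches the NoisyCGD training loop the abstract refers to: fixed disjoint mini-batches visited in the same order every epoch, per-example gradient clipping, Gaussian noise, and only the final iterate released (the hidden-state setting). It uses L2-regularised logistic regression as a stand-in strongly convex objective in place of the paper's convex ReLU approximation; the toy data, hyperparameters and function names are constructed assumptions.

```python
import math
import random

# Constructed toy data (not from the paper): 2-D points plus a bias feature, label 1 when x0 + x1 > 0.
XS = [[1.0, 2.0, 1.0], [2.0, 1.0, 1.0], [-1.0, -2.0, 1.0], [-2.0, -1.0, 1.0],
      [1.5, 0.5, 1.0], [-0.5, -1.5, 1.0], [0.5, 1.5, 1.0], [-1.5, -0.5, 1.0]]
YS = [1, 1, 0, 0, 1, 0, 1, 0]

def make_disjoint_batches(n, batch_size):
    """Fixed, disjoint mini-batches; one cyclic pass visits each exactly once, in order."""
    return [list(range(i, min(i + batch_size, n))) for i in range(0, n, batch_size)]

def logistic_grad(w, x, y):
    """Per-example gradient of the (unregularised) logistic loss."""
    z = sum(wi * xi for wi, xi in zip(w, x))
    p = 1.0 / (1.0 + math.exp(-z))
    return [(p - y) * xi for xi in x]

def clip(g, clip_norm):
    """Scale g down so its L2 norm is at most clip_norm (bounds per-example sensitivity)."""
    norm = math.sqrt(sum(gi * gi for gi in g))
    scale = min(1.0, clip_norm / norm) if norm > 0 else 1.0
    return [gi * scale for gi in g]

def objective(w, xs, ys, reg):
    """Mean logistic loss plus (reg/2)*||w||^2; strongly convex for reg > 0."""
    total = 0.0
    for x, y in zip(xs, ys):
        z = sum(wi * xi for wi, xi in zip(w, x))
        total += math.log1p(math.exp(-z)) if y == 1 else math.log1p(math.exp(z))
    return total / len(xs) + 0.5 * reg * sum(wi * wi for wi in w)

def noisy_cgd(xs, ys, epochs, batch_size, lr, reg, clip_norm, noise_mult, seed=0):
    """NoisyCGD: cycle over the same disjoint batches every epoch, sum clipped per-example
    gradients, add Gaussian noise of std noise_mult*clip_norm, step on the strongly convex
    objective. Only the final iterate is returned, as in the hidden-state threat model."""
    rng = random.Random(seed)
    d = len(xs[0])
    batches = make_disjoint_batches(len(xs), batch_size)
    w = [0.0] * d
    for _ in range(epochs):
        for batch in batches:  # same order every epoch: the "cyclic" in NoisyCGD
            acc = [0.0] * d
            for i in batch:
                g = clip(logistic_grad(w, xs[i], ys[i]), clip_norm)
                acc = [a + gi for a, gi in zip(acc, g)]
            noise = [rng.gauss(0.0, noise_mult * clip_norm) for _ in range(d)]
            # The L2 term is data-independent, so it is added outside the noisy sum.
            w = [wi - lr * ((a + z) / len(batch) + reg * wi) for wi, a, z in zip(w, acc, noise)]
    return w
```

With noise_mult set to 0 the loop reduces to plain cyclic mini-batch descent, which is a useful baseline when checking how much utility the noise costs.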