What problem does this paper attempt to address?

The problem that this paper attempts to solve is how to avoid increasing the risk of privacy leakage while enhancing the adversarial robustness of machine - learning models. Specifically, the paper focuses on how to balance the robustness and privacy protection of the model when applying Differential Privacy (DP) and Adversarial Training. ### Problem Background 1. **Adversarial Robustness**: To ensure the reliability of machine - learning models in the face of adversarial samples, researchers have proposed methods such as adversarial training to improve the robustness of the model. However, these methods may make the model more vulnerable to privacy attacks, especially Membership Inference Attacks (MIA). 2. **Privacy Protection**: Differential privacy is an effective privacy - protection technique, but it usually reduces the robustness and overall performance of the model, especially when dealing with natural samples and adversarial samples. Research shows that DP has a particularly significant impact on low - risk samples, leading to a decline in model performance. ### Core Problem of the Paper The paper finds through analysis that differential privacy has a greater impact on low - risk samples (i.e., those that have a smaller impact on the model output), and these samples are crucial for maintaining the overall performance of the model. Therefore, directly applying differential privacy will lead to a significant decline in model performance. To solve this problem, the paper proposes a new method - DeMem (Dememorization), which aims to enhance privacy protection by selectively targeting high - risk samples (i.e., those that have a greater impact on the model output) while minimizing the impact on model performance. ### Main Contributions 1. **In - depth Analysis**: For the first time, the paper analyzes from the perspective of the memorization score of samples why differential privacy significantly reduces model performance. 2. **Revealing the Problem**: The research finds that the impact of differential privacy on low - risk samples is disproportionate, thus explaining the decline in model robustness. 3. **Proposing a Solution**: The DeMem method is proposed. By selectively restricting the memorization of high - risk samples, privacy protection is enhanced while the impact on model performance is reduced. ### Conclusion The paper verifies the effectiveness of DeMem through extensive experiments, proving that it can significantly reduce privacy leakage without sacrificing robustness. This provides new ideas and methods for achieving a better balance between privacy and robustness in practical applications. ### Formula Representation - **Memorization Score**: \[ \text{mem}(A, D_{\text{tr}}, i)=\Pr_{h \leftarrow A(D_{\text{tr}})}[h(x_i) = y_i]-\Pr_{h \leftarrow A(D_{\text{tr}}\setminus \{i\})}[h(x_i) = y_i] \] - **Sample - wise Dememorization Penalty**: \[ \Psi(B)=\frac{1}{N}\sum_{i = 1}^N\left(\ell(x_i,\theta)-\frac{1}{N}\sum_{j = 1}^N\ell(x_j,\theta)\right)^2 \] - **Total Loss Function**: \[ L_{\text{total}}(\theta)=L(\theta)+\lambda\cdot\Psi(B) \] where \(L(\theta)\) is the original loss function and \(\lambda\) is a hyper - parameter that controls the intensity of the dememorization penalty. Through these formulas, the paper provides a specific framework to implement the DeMem method and shows its effectiveness on multiple data sets and model structures.