# <center> Differentially Private Model Publishing for Deep Learning </center>

## <center> Lei Yu, Ling Liu, Calton Pu, Mehmet Emre Gursoy, Stacey Truex </center>
##### <center> Georgia Institute of Technology </center>
## <center> 2019 IEEE Symposium on Security and Privacy (SP) </center>

#### Christian McDaniel
#### 16 April 2019

# Presentation Roadmap:

+ Background: 
    + Deep Learning and the need for Differential Privacy 
+ Prior Works and Justifications
    + Concentrated DP
    + Moments Accounting
+ Focuses of this Paper
    + Propose Privacy Accounting Methods
    + Propose Dynamic Privacy Budget Allocations
    + Analyse the effects of their proposed methods and DL hyper-parameters
+ Experiment
    + Compare Proposed Techniques
    + Three datasets
+ Conclusions and Discussions

# <center> Background </center>

# Introduction

+ **DLaaS**: Deep Learning is becoming widespread and readily available 
    + e.g., Tensorflow, PyTorch, Cloud Computing, Model Zoos, Transfer Learning, etc.
    <br><br>
+ The **complexity and flexibility** of Deep NN's mean they are potentially capable of encoding an individual's data or memorizing an exact data set 
 <br><br>
+ DL models are vulnerable to **Adversarial Attack**
    + **Membership Attacks**: exploid black box access to the prediction API to infer individual instance membership
    + **Model Inversion Attacks**: Exploid prediction output and access to models to infer an input instance

# Introduction

+ Concentrated DP (CDP)
    + Generalization of DP targeted for algorithms with many calculations (ML); maintains strong privacy guarantees 
    + Ensures the **expectation on the privacy loss $\leq \mu$** and the **probability that the loss exceeds $\mu$ by t $\cdot \tau$ is bounded by $-e^\frac{-t^2}{2}$** 
+ Zero-Concentrated DP (z-CDP)
    + Concentrates the *privacy loss* around 0
    + Renyi Divergence $D_{\alpha} (\mathcal{A}(\mathcal{D}) || \mathcal{A}(\mathcal{D'}) \leq \rho \alpha )$
    + Satisfies $(\epsilon,\delta)-DP$ and $\rho_{i}=\frac{1}{k}\rho$
    + Noise scale $\sigma$ << noise scale under $(\epsilon,\delta)-DP$
    + Single parameter $\rho$ and its linear composition fit a privacy budget

# <center> Prior Work </center>

# Prior Work

+ **2015**: 
    + Multiple participants jointly train a model 
    + Keep training data local and private; share sanitized parameters
+ **2016**: 
    + First DP for DL proposal
+ **More recent**:
    + DP-SGD implemented; Gradient Clipping used to bound the influence of individual examples
        + Difficult to characterize max diff of model params over any 2 neighboring data sets, so DP-SGD is good alternative
        + Final output is DP re: **composition**
        + **No tight estimation of privacy loss** (arbitrarily many training iterations) 
    + **Moments Accounting method** - provides tighter estimation of privacy loss under *random sampling*

# <center> Current Paper </center>

# Current Paper

1) Refined Privacy Accountant
+ Reshuffling (RF) vs. Random Sampling with Replacement (RS) 
    + RS assumed by the Moments Accounting method; but RF used in batching techniques
    + RS underestimates the privacy loss
    + Disting privacy loss for each 
    + RF: lower cumulative privacy loss 
        + mean($\rho_{i}$) across disjoint partitions vs. composition on overlapping data sets
        + after E epochs, whole training satisfies ($\sum_{e=1}^{E} \rho_{e}$)-zCDP
    + RS
        + CDP does not capture the privacy-amplifying effect of random sampling
        + This paper relaxes CDP to $(\epsilon,\delta)-DP$
        + Composition used to determine total privacy budget

# Current Paper

2) Dynamic Privacy Budget during DP-SGD

+ Premise: As model accuracy converges, noise on gradients should decrease 
    + Similarly applied to the learning rate
+ Strategies:
    + public validation: 
        + monitor a "publicly available data set" from the same sampling distribution 
        + decrease noise scale whenever validation error stop improving 
    + pre-defined schedule (decay function): 
        + Time-Based Decay: $\sigma_{t} = \frac{\sigma_{0}}{1+kt}$
        + Exponential Decay: $\sigma_{t} = \sigma_{0}e^{-kt}$
        + Step Decay: $\sigma_{t} = \sigma_{0} * k^{[\frac{t}{period}]}$
        + Polynomial Decay: $\sigma_{t} = (\sigma_{0} - \sigma_{end}) * (1 - \frac{t}{period})^{k} + \sigma_{end}$

 # Current Paper
 
3) Privacy Preserving Parameter Selection
 + Use k-fold CV
 + satisfies $\epsilon$-DP and $\frac{1}{2}\epsilon^{2}$-zCDP

# Current Paper

### Algorithm 1. DP-SGD

+ On each iteration, GD uses the average gradient on the loss formula *from a given **batch*** after bounding the per-example gradient via L2 norm
+ Adds random noise via the Gaussian mechanism
+ Updates the cumulative privacy vost $c_{t}^{priv}$ depending on the batching method and terminates if $c_{t}^{priv}$ > total privacy budget $\rho_{total}$
+ Uses a schedule to dertiministically adjust the noise scale during training 

# <center> Experimental Results </center> 

# Experimental Results

+ Privacy Accounting Approaches: 
    + RF and RS compared against strong composition (SC) and moments accounting (MA) 

Figures 2-3 | _
:-----:|:----:
<img src="Fig2-3.png" alt="F23" width="430" /img> | <p align="left">+ **Fig 2:** Privacy Loss growth across epochs<br>+ RF lower loss than SC <br>+ RS and MA exploit moment bounds of privacy loss and take advantage of privacy amplification of RS <br>+ RF >> RS or MA due to increased uncertainty with RS <br>--> but DL uses RF<br>-->RS has composition property <br>-->MA underestimates real privacy loss b/c uses RS instead of RF<br><br>**Fig 3a** $\sigma=6$, varying q<br> sampling ratio $q = \frac{B}{N}$, B = batch size<br>+ RF invariant w.r.t q<br>+ RS increases with q<br><br>**FIg 3b** q=0.01, $\sigma$ varies<br>+ $\sigma$ from 5-14 shows significant decrease in p.l. for RF; less impact for RS<br>+ q effects RS more than $\sigma$ (thus, can decrease $\sigma$ to improve acc. and won't degrade privacy</p>

# Experimental Results

+ Evaluating the Dynamic Privacy Budget Allocation

Datasets | Size | Details | Training
:----:|:------:|:------:|:----:
MNIST | 60k Train<br>10k Test | 28x28 grayscale images | <p align="left"> 60-dim PCA --> FF NN (single hidden, 1000ReLU units)<br>cross-entropy loss, 600 batch size;<br>0.98 acc after 100 epochs
Breast Cancer | 560 Train<br> 123 Test | 11 attributes | <p align="left"> NN with 2 hidden layers (10,20,10 ReLU units)<br>non-mini batch<br>0.96 acc after 800 epochs
CIFAR-10 | 40k Train<br>10k Test<br>10k Validation | 10 classes, 6000 examples each | <p align="left"> pre-trained with VGG16 CNN (Transfer Learning from non-private public dataset ImageNet)<br>only retrain the hidden layers with 1000 units<br>200 training epochs, batch size 200<br>0.64 training acc; 0.58 testing acc

# Experimental Results

+ MNIST used for most hp tuning
  + validation-based scheduling; compare to uniform budget and non-private baseline
  + repeat all experiments 10x

Fig 4 | Noise Scale
:---:|:---:
<img src="Fig4.png" alt="f4" width="400" /> | <p align="left">  + Curves terminate at end due to depleted budget<br>+ n.s. intervals decrease over time for Validation-based

# Experimental Results

Fig 5-6 | Decay functions
:---:|:---:
<img src="Fig6.png" alt="f4" width="400" /> | <p align="left"> + Fig 6: No clear winner amongst decay functions<br>+ Subsequent experiments used Exponential Decay function

# Experimental Results

Fig 7-8 | Decay Rate k (how fast Noise Scale decays)
:---:|:---:
<img src="Fig7-8.png" alt="f4" width="400" /> | <p align="left">1) There exists an optimal k<br>2)For exponential: as k increases, n.s. decreases faster than for val.-based (so budget spent faster)<br>3) Results at the ends of x-axes in both figures: <br>--> lowest k = longest time, worst acc.<br>--> highest k = training stops too early

# Experimental Results

Fig 11 | Number of Hidden Units (200-1600) / Layers (1-3)
:---:|:---:
<img src="F9-10.png" alt="f4" width="400" /> | <p align="left">**Fig 9**. LR<br>+ Accuracy decreases when LR too small or large<br><br>**Fig 10.** Units<br>+ Increased # units = Increased sensitivity to gradient (more noise)<br>+ Changing units doesn't change accuracy<br>+ Shows the allocation scales w.r.t. size of NN<br><br>

# Experimental Results

Fig 10 | Noise Scale (again)
:---:|:---:
<img src="Figa-b.png" alt="f4" width="400" /> | <p align="left">+ Accuracy is more sensitive to noise scale than to training time

# Experimental Results

Fig 12-13 | Accuracy and Privacy in Training
:---:|:---:
<img src="Fig12-13.png" alt="f4" width="400" /> | <p align="left">**Fig 12**<br>+ Gap between uniform budget and non-private methods represents max potential for accuracy improvememtn through dynamic budget v. uniform<br>+ Dynamic scheduling decreases that gap by ~20%-30%<br><br>**Fig 13**<br>Dynamic budge shows a faster p.l. growth rate<br>+ Exponential decay achieves greater accuracy faster<br>+ Validation-based has a more conservative accuracy and longer training time

# Experimental Results

Fig 14-15 | Other Datasets
:---:|:---:
<img src="Fig14-15.png" alt="f4" width="400" /> | <p align="left">+**Breast Cancer**<br>Exponential Decay has better accuracy<br>Dynamic budget decreases the gap between non-private and uniform budget by 70%<br><br>**CIFAR-10**<br>Validation-based outperforms Exponential decay 

# <center> Conclusions and Discussion </center>

# Conclusions and Discussion

+ It's important to achieve a good tradeoff between privacy and model accuracy
    + **Dynamic Budget:** Since privacy loss is determined by the noise scale, adjust $\sigma$ during training to improve accuracy while retaining the privacy guarantee
conclusion: more ciritical to achieve good tradeoff b/t privacy and model accuracy since p.l. decided by sigma; This paper addresses this by adjusting sigma during training to imporove acc while retaining same privcy gurarante
+ Characterized the effects of data batching on DP composition
+ Addressed the assumpmtions made by the MA method

+ Personal Takeaway: 
    + The dynamic budgets in this paper were naive
    + Lee & Kifer propose an Adaptive per-Iteration Privacy Budget that better accounts for the specific training instance see my [first presentation](https://github.com/xtianmcd/presentations/blob/master/DP-AGD/jnp_and_supp_materials/190305_DP_pres.ipynb); paper [here](https://arxiv.org/abs/1808.09501)