The continued progress in machine learning (ML) has resulted in a line of applications where privacy-sensitive datasets (e.g., medical records) are increasingly being used to train and deploy ML models. Almost in parallel with this progress, and especially with the impressive performance of deep learning models, privacy attacks against ML models have also emerged. Prior work has shown that ML models trained on privacy-sensitive data are vulnerable to a range of privacy-motivated attacks such as membership inference (MIA_shokri), attribute inference (Property_Inference1), model inversion (model-inversion), and model parameter inference (model-stealing16). Moreover, unintended memorization of privacy-sensitive details at training time results in inadvertent leakage of private data at prediction time (Unintentional-Memorization1; Unintended_Memorization). A practical challenge in ML is therefore to strike a reasonable balance between the utility (e.g., accuracy) of the model and the privacy of the subjects from whom the training data is obtained.
To counter ML privacy attacks, differential privacy (DP) (DP-Dwork) has emerged as a rigorous notion to formalize and measure privacy guarantee based on a parameter called privacy budget. Across the ML pipeline, DP has been used to limit inference/disclosure of ML training examples pre-training (via input perturbation (Input-Perturb13; input-perturb20)), during training (via objective perturbation (ERM-DP) and gradient perturbation (DP-SGD)), and post-training (via output perturbation (ERM-DP) and prediction perturbation (PRICURE21; PATE17; PATE_new)).
Motivation: While prior work (ERM-DP; Input-Perturb13; PRICURE21; DP_USENIX; input-perturb20; PATE17; PATE_new) has leveraged these perturbation mechanisms across the ML pipeline, each application was done in isolation, typically focused on a single perturbation method (e.g., gradient perturbation). As a result, given a privacy-sensitive dataset and an ML task (e.g., medical image classification), there is a lack of a holistic methodology for assessing the utility of DP when it is employed before, during, and after training. More precisely, isolated applications of DP in prior work do not show how the aforementioned perturbation methods compare in effectiveness and, more importantly, in their trade-offs. Moreover, the usefulness of these alternative perturbation methods across diverse datasets and ML models remains under-explored.
DP-UTIL Overview: In this paper, we present DP-UTIL, a framework for holistic utility analysis of DP across the ML pipeline. DP-UTIL enables an ML privacy practitioner to analyze perturbation methods in terms of their impact on model utility, privacy leakage, and the actual number of privacy-sensitive samples inferred by an adversary. The benefit of DP-UTIL is twofold. First, it gives the practitioner an across-the-pipeline view of the impact of DP using standard metrics such as model accuracy and privacy guarantee/leakage. Second, it enables comparative analysis of the suitability of one DP application (e.g., objective perturbation) against another (e.g., gradient perturbation), so that the practitioner can make informed decisions as to where to plug DP into the ML pipeline.
Table 1. Coverage comparison of DP-UTIL with closely related work. Columns: Work; DP Perturbation Type (Input, Objective, Gradient, Output, Prediction); Model (NB, LR, DNN); Case Study Attack (Membership Inference, Attribute Inference); Metric (Utility Loss, Privacy Leakage, True Positive, Privacy Budget).
NB: Naive Bayes. LR: Logistic Regression. DNN: Deep Neural Network.
We evaluate DP-UTIL on classification tasks over three datasets covering the vision, medical, and financial domains. We use membership inference as a case study attack to analyze privacy leakage and the actual number of revealed data samples. To shed light on the difference between convex and non-convex optimization formulations used in training ML models, we use Logistic Regression (LR) and Deep Neural Networks (DNN), respectively, as representative models, given the wide usage of both on privacy-sensitive datasets. For LR models, we evaluate five perturbation methods: input perturbation (Input_perturb17), objective perturbation (ERM-DP), gradient perturbation (DP-SGD), output perturbation (ERM-DP), and prediction perturbation (PATE17; PATE_new). For DNN models, we compare input perturbation (input-perturb20), gradient perturbation, and prediction perturbation, because these three are widely implemented for DNNs.
Our findings suggest that perturbation techniques that offer lower utility loss are more vulnerable to inference attacks. Moreover, for lower privacy budgets, techniques such as objective perturbation and output perturbation result in ML models that classify near random guessing, i.e., the utility loss is so extreme that the models fail to classify correctly. For binary classifiers, objective perturbation is a better choice than gradient perturbation, whereas for multi-class classifiers gradient perturbation performs well in terms of privacy/utility trade-off. Over all model architectures and datasets, prediction perturbation results in the lowest utility loss, but at the cost of privacy leakage. The number of truly revealed records has an almost linear relationship with privacy leakage: across all our results, as privacy leakage increases, a model leaks more true records. In a nutshell, our detailed evaluations suggest that, to make informed decisions as to which perturbation mechanism to use, an ML privacy practitioner needs to examine the dynamics between optimization technique (e.g., convex vs. non-convex), perturbation mechanism, number of classes (e.g., binary vs. multi-class), and privacy budget.
Comparison with Closely Related Work: DP-UTIL complements prior work in two major ways. First, it enables comprehensive DP utility analysis covering five DP perturbation mechanisms for LR and three for DNN. Second, it sheds new light on the utility of DP in the ML pipeline.
DP-UTIL is more comprehensive: Table 1 summarizes the coverage of DP-UTIL compared with closely related work (DP_USENIX; DPUtility20; input-perturb20). Whereas (DP_USENIX) is limited to utility analysis of gradient perturbation, DP-UTIL covers all five perturbation methods for LR and the three widely used perturbations for DNN, and is hence more comprehensive. In addition, while (DP_USENIX) uses only image classification datasets, we evaluate DP-UTIL on two further datasets from the medical and finance domains in addition to a benchmark image classification dataset.
With respect to (input-perturb20), which studies the privacy guarantee offered by input perturbation against objective, gradient, and output perturbation, DP-UTIL extends the analysis with prediction perturbation, adds privacy leakage and the number of truly revealed training examples as evaluation metrics, and covers a wider range of privacy budgets than (input-perturb20). Additionally, (input-perturb20) does not offer deeper insights into the implications of different experimental setups (e.g., binary vs. multi-class models, LR vs. DNN, image data vs. numerical data).
Compared to (DPUtility20), which covers input and gradient perturbation for DNN and input and output perturbation for Naive Bayes, DP-UTIL extends the coverage by analyzing three more DP perturbations for LR and one more (prediction perturbation) for DNN.
DP-UTIL offers new insights:
In (DP_USENIX), the main takeaway is that relaxed DP formulations improve model utility for a given privacy budget, yet the lower DP noise results in additional privacy leakage (hence, the utility does not come for free). Complementing (DP_USENIX), we observe that in some cases a perturbation method that yields lower utility loss than the others pays for it with higher privacy leakage. Thus, choosing one perturbation method over another for better utility does not come without paying in privacy leakage. For example, prediction perturbation offers the lowest utility loss for both LR and DNN, and correspondingly costs more privacy leakage than the other perturbation mechanisms.
Compared to (input-perturb20), where the theoretical guarantee for input perturbation seems promising, our experimental findings suggest that input perturbation results in rapid privacy leakage as the privacy budget grows, and this change is usually triggered at .
The findings of (DPUtility20) suggest that the number of classes of a given dataset is unlikely to influence where the privacy/utility trade-off occurs. Our findings rather suggest that the number of classes does have implications for the privacy/utility trade-off. For objective perturbation, for instance, binary classifiers show an overall better privacy/utility trade-off than multi-class classifiers for both DNN and LR models, and our evaluations suggest similar findings for gradient and input perturbation. Another major conclusion of (DPUtility20) is that noise added at a later stage of the ML pipeline (e.g., output) results in lower utility loss. However, our findings show that objective and gradient perturbation overall result in lower utility loss than output perturbation.
In summary, this paper makes the following contributions:
We propose DP-UTIL, a holistic utility analysis framework for differential privacy across the machine learning pipeline, to understand the impact of different perturbation techniques with respect to a given range of privacy budgets (Sections 6.1, 6.2, and 6.3). To that end, we analyze input perturbation, objective perturbation, gradient perturbation, output perturbation, and prediction perturbation.
Using membership inference as a case study and privacy leakage as a metric, we comparatively analyze the extent to which machine learning models are protected with state-of-art DP perturbation techniques (Section 6.2).
We perform a comprehensive study of utility loss and privacy leakage over a range of privacy budget values for two model architectures (Logistic Regression and Deep Neural Network), two naturally privacy-sensitive datasets (finance: LendingClub-Loan dataset (LendingClub); healthcare: COVID-19 dataset (Covid-19)), and a benchmark image classification dataset (CIFAR-10 (Cifar10)).
We make available our code and data with directions to repeat our experiments. Our artifacts are available for download at: https://github.com/um-dsp/DP-UTIL.
The rest of the paper is organized as follows. Section 2 introduces ML and DP background. Section 3 presents an overview of DP perturbation mechanisms. In Section 4, we present an overview of the DP-UTIL framework. Our datasets and setup are presented in Section 5. Section 6 presents our findings focusing on utility loss, privacy leakage, and true revealed records. Section 7 surveys closely related work and Section 8 concludes the paper.
In this section, we briefly highlight machine learning preliminaries and the definition of differential privacy.
2.1. Machine Learning Preliminaries
Typical ML Training. In this paper, we focus on supervised machine learning models. Given a set of labeled training samples , where is a training example and is the corresponding label, the objective of training an ML model is to minimize the expected loss over all . In ML models such as logistic regression and deep neural networks, the loss minimization problem is typically solved using stochastic gradient descent (SGD) by iteratively updating the weights as:
where is the gradient of the loss with respect to the weights ; is a randomly selected set (e.g., mini-batches) of training examples drawn from ; and is the learning rate which controls the magnitude of change on .
Typical ML Testing: Let be a -dimensional feature space and be a -dimensional output space with underlying probability distribution , where and . The output of is a -dimensional vector, each dimension of which represents the probability of input belonging to the corresponding class.
2.2. Differential Privacy
For two neighboring datasets and which differ by just one data point, let the output space of a randomized mechanism be . Differential privacy (DP) guarantees that a randomized mechanism does not enable an observer (adversary) to distinguish whether ’s output was based on or . Dwork et al. (Advanced-Comp) formalize -DP as follows. A mechanism preserves -DP if:
where is the privacy budget and is the mechanism’s failure probability. When , we obtain a strict -DP formulation of (2). The lower the value of , the stronger the privacy protection and the higher the utility loss.
To achieve -DP, the Laplace distribution is a common choice for sampling noise, while for -DP the Gaussian distribution is used. In both -DP and -DP, the sampled noise is scaled to the sensitivity of the mechanism . For two neighboring datasets and differing by one record, the sensitivity is the maximum change in the output of over all possible inputs. Computing as the maximum of establishes a worst-case upper bound on how much the output of changes when and are identical except for one record, i.e., .
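As an added illustration (not part of the original paper), the following Python code calibrates Laplace and Gaussian noise to a mechanism's sensitivity and checks the -DP density-ratio bound numerically for a counting query over two constructed neighbouring datasets that differ by one record. The age values, the `over_60` predicate and the output grid are constructed for this example; the Gaussian calibration is the classic sqrt(2 ln(1.25/δ))·Δ/ε rule, which is valid only for ε < 1.

```python
"""Calibrating Laplace/Gaussian noise to sensitivity and checking the DP density-ratio bound.
Added example; the datasets below are constructed, not taken from the paper."""
import math


def laplace_scale(sensitivity, eps):
    """Scale b of Laplace(0, b) noise giving (eps, 0)-DP for a query with L1 sensitivity `sensitivity`."""
    return sensitivity / eps


def gaussian_sigma(sensitivity, eps, delta):
    """Std. dev. of Gaussian noise giving (eps, delta)-DP for L2 sensitivity `sensitivity`.
    Classic calibration; only valid for 0 < eps < 1."""
    if not 0.0 < eps < 1.0:
        raise ValueError("classic Gaussian calibration assumes 0 < eps < 1")
    return sensitivity * math.sqrt(2.0 * math.log(1.25 / delta)) / eps


def laplace_pdf(x, mu, b):
    return math.exp(-abs(x - mu) / b) / (2.0 * b)


def count_query(records, predicate):
    """A counting query: adding or removing one record changes it by at most 1 (sensitivity 1)."""
    return sum(1 for r in records if predicate(r))


def max_privacy_loss(value_d, value_d_prime, eps, sensitivity, outputs):
    """Largest |log p(M(D)=o) / p(M(D')=o)| over candidate outputs o for the Laplace mechanism
    applied to the query values on D and D'.  (eps, 0)-DP means this never exceeds eps."""
    b = laplace_scale(sensitivity, eps)
    return max(abs(math.log(laplace_pdf(o, value_d, b) / laplace_pdf(o, value_d_prime, b)))
               for o in outputs)


# Constructed neighbouring datasets (patient ages); D' drops the single record 80.
D = [34, 51, 67, 72, 45, 58, 80, 29]
D_PRIME = [age for age in D if age != 80]


def over_60(age):
    return age > 60


def demo(eps=0.5):
    """Return (count on D, count on D', observed worst-case privacy loss) for budget eps."""
    f_d = count_query(D, over_60)
    f_dp = count_query(D_PRIME, over_60)
    outputs = [x / 10.0 for x in range(-200, 400)]      # grid of possible noisy outputs
    loss = max_privacy_loss(f_d, f_dp, eps, sensitivity=1, outputs=outputs)
    return f_d, f_dp, loss


if __name__ == "__main__":
    for eps in (0.1, 0.5, 0.9):
        print(eps, demo(eps), "laplace b =", laplace_scale(1, eps), "gaussian sigma =", gaussian_sigma(1, eps, 1e-5))
```

Halving ε doubles the Laplace scale, and the observed worst-case loss equals ε exactly (attained for outputs on either side of both query values), which is the density-ratio form of the definition above.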
3. Perturbation Mechanisms
In this section, we introduce the five privacy noise mechanisms across the ML pipeline. To guide the forthcoming discussion, we use Algorithm 1 as a high-level skeleton for candidate spots as to where to add DP perturbations. As noted in (DP_USENIX), the type (convex or non-convex) of the optimization problem dictates the specifics of DP perturbation mechanisms.
Algorithm 1: Perturbations across the ML pipeline. The skeleton is the training loop (for each epoch: ...) annotated with the points where DP noise can be inserted: Gradient Perturbation inside the loop, and Output Perturbation and Prediction Perturbation after training.
3.1. Input Perturbation
In a pre-training setting, one natural perturbation alternative is to add noise to the individual training examples, producing a perturbed version of , and to train the model on it (Input-Perturb13; Input_perturb17; input-perturb20). For training data with dimension , a typical input perturbation on sample is done as:
where with as the sensitivity (value range) of the feature of . To keep the perturbed features within valid value boundaries, clipping is applied using the upper and lower bounds of each feature. In addition, no or only weak inter-feature dependency is assumed for such a perturbation to be useful.
When features have diverse representations and unbounded value ranges, estimating sensitivity is not trivial. In domains such as image classification, where features are homogeneous (e.g., pixel intensity values), estimating sensitivity is relatively straightforward. Another challenge with input perturbation is that, post-perturbation, the trained model's utility must stay within an acceptable utility loss penalty. Given the feature-level fidelity of input perturbation, achieving an acceptable trade-off on model utility is an optimization challenge. Input perturbation has recently been shown (input-perturb20; Input_perturb17) to offer both local and model privacy guarantees, unlike the other perturbation mechanisms.
Differentially private ERM with input perturbation ensures both local and model privacy. In (Input_perturb17), it is shown that the noise added to the input data depends on the privacy parameters (), the data size , and constants of the loss function; the technique is also shown to satisfy (-DP, where is the learning rate. For Equation 3, the Gaussian noise can be expressed as , where is , , and is the data dimension.
For deep learning, input perturbation assumes that the loss function is not strongly convex but is G-Lipschitz and satisfies the Polyak-Łojasiewicz condition. For Equation 3, the Gaussian noise can be expressed as , where is for some constant , with as the total number of iterations (input-perturb20).
3.2. Objective Perturbation
During the training of an ML model, one DP perturbation alternative is objective perturbation, which works well with convex optimization problems such as empirical risk minimization (ERM) (ERM-DP). Objective perturbation is a two-stage process: noise is added to the objective function itself, and the minimizer of the perturbed objective is then released. As a concrete convex problem, consider logistic regression with a regularization penalty. The (convex) objective function with objective perturbation is computed as:
where is the regularization function, such as , and . To add a differential privacy guarantee to the model using objective perturbation, noise is added to and then is computed via iterative gradient updates using (1). Chaudhuri et al. (ERM-DP) prove that if and then is added to the objective function, which has a sensitivity of .
3.3. Gradient Perturbation
The other commonly used perturbation mechanism during training is gradient perturbation. Again, considering logistic regression with regularization penalty, the gradient of the objective function with gradient perturbation is computed as:
where the gradient has a sensitivity of . In gradient descent, the gradient is computed at each iteration of training, which requires sampling noise with a scale of at every model update (Private_logistic_rg). Abadi et al. (DP-SGD) proposed DP-SGD, a deep learning training algorithm now integrated into Google's TensorFlow framework and widely adopted for gradient perturbation of non-convex optimizers. It uses gradient clipping to limit the sensitivity of the training algorithm, so that two modifications make SGD differentially private: first, the sensitivity of each per-example gradient is bounded by clipping its norm; second, random noise is sampled and added to the clipped gradients. Given training data and target labels , and gradient , to build a ()-DP model with SGD, the method computes the gradient for a random subset of examples in each lot , clips the norm of each gradient, and adds random noise drawn from , where is the clipping threshold and can be expressed as:
where , is the step size, and is an existing constant.
3.4. Output Perturbation
In a post-training setting, output perturbation is used to limit leakage/inference of the true model parameters. As shown in (ERM-DP) for convex optimization problems (e.g., ERM), noise is added to the model parameters as follows:
For logistic regression with regularization, output perturbation typically requires sampling noise of .
3.5. Prediction Perturbation
The other perturbation mechanism in a post-training setting is prediction perturbation, whereby random noise is added to the prediction result before the final label is produced. For instance, MemGuard (Memguard) adds random noise to the confidence vector to mask the prediction confidence against membership inference attacks such as that of Shokri et al. (MIA_shokri). PATE (PATE17; PATE_new) adds noise to the vote counts of an ensemble of teacher models: the training dataset is split into disjoint subsets, one teacher model is trained on each, and for an input sample the final output is chosen via noisy aggregation of the teachers' predictions as follows:
where is the number of teachers that assigned class to input sample out of the possible labels. Since the noise is added to a vote count, which changes by at most one when a single teacher's vote changes, the prediction is perturbed by sampling Laplace noise as with sensitivity = 1.
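As an added, self-contained example (not the paper's code and not any of the cited implementations), the following NumPy script instantiates Algorithm 1 for an L2-regularised logistic regression on constructed synthetic data and exposes each of the five perturbation points of Sections 3.1 to 3.5 as a hook: Laplace noise on range-clipped features (input), the linear term b·w/n of Chaudhuri et al. (objective), per-example clipping plus Gaussian noise in the DP-SGD style (gradient), Gaussian noise on the trained weights with sensitivity 2/(nλ) (output), and PATE-style noisy voting over disjoint teachers (prediction). The dataset, the hyperparameters, the fixed noise multiplier of the gradient hook (a real run would derive it from the target ε with the moments accountant) and the use of the classic Gaussian calibration outside ε < 1 are simplifying assumptions of this example.

```python
"""Algorithm 1 as runnable code: L2-regularised logistic regression with hooks at the five
DP perturbation points.  Data and hyperparameters are constructed for this example."""
import math
import numpy as np


def make_data(n=600, d=4, seed=0):
    """Constructed toy data: features in [0, 1], label 1 iff x0 + x1 > x2 + x3."""
    r = np.random.default_rng(seed)
    X = r.uniform(0.0, 1.0, size=(n, d))
    y = (X[:, 0] + X[:, 1] > X[:, 2] + X[:, 3]).astype(float)
    return X, y

def sigmoid(z):
    return 1.0 / (1.0 + np.exp(-z))

def accuracy(w, X, y):
    return float(np.mean((X @ w >= 0.0) == (y == 1.0)))

def gaussian_sigma(sensitivity, eps, delta):
    """Classic Gaussian-mechanism calibration; strictly valid for eps < 1, used as a heuristic above."""
    return sensitivity * math.sqrt(2.0 * math.log(1.25 / delta)) / eps

# (1) Input perturbation: Laplace noise per feature, scaled to the feature's value range, then clipped.
def input_perturbation(X, eps, lo=0.0, hi=1.0, rng=None):
    rng = rng or np.random.default_rng(1)
    return np.clip(X + rng.laplace(scale=(hi - lo) / eps, size=X.shape), lo, hi)

# (2) Objective perturbation: add b.w/n to the objective (Chaudhuri et al. form: ||b|| ~ Gamma(d, 2/eps),
#     uniform direction).  Its gradient is the constant b/n, applied inside train_lr.
def objective_noise(d, eps, rng):
    direction = rng.normal(size=d)
    direction /= np.linalg.norm(direction)
    return direction * rng.gamma(shape=d, scale=2.0 / eps)

# (3) Gradient perturbation, DP-SGD style: clip each per-example gradient to L2 norm `clip`,
#     sum, add N(0, (noise_multiplier * clip)^2), then average over the batch.
def train_lr(X, y, epochs=200, lr=0.5, lam=1e-3, objective_b=None, clip=None, noise_multiplier=None, rng=None):
    rng = rng or np.random.default_rng(2)
    n, d = X.shape
    w = np.zeros(d)
    for _ in range(epochs):
        per_example = (sigmoid(X @ w) - y)[:, None] * X           # n x d log-loss gradients
        if clip is not None:
            norms = np.linalg.norm(per_example, axis=1, keepdims=True)
            per_example = per_example / np.maximum(1.0, norms / clip)
        g = per_example.sum(axis=0)
        if noise_multiplier is not None:
            g = g + rng.normal(scale=noise_multiplier * clip, size=d)
        g = g / n + lam * w
        if objective_b is not None:
            g = g + objective_b / n
        w = w - lr * g
    return w

# (4) Output perturbation: Gaussian noise on the trained weights; the L2 sensitivity of the
#     regularised LR minimiser is 2/(n * lam) (Chaudhuri et al.).
def output_perturbation(w, eps, delta, n, lam, rng):
    return w + rng.normal(scale=gaussian_sigma(2.0 / (n * lam), eps, delta), size=w.shape)

# (5) Prediction perturbation (PATE): Laplace(1/eps) on every class count; a vote count has sensitivity 1.
def noisy_vote(teacher_labels, eps, n_classes, rng=None):
    rng = rng or np.random.default_rng(3)
    counts = np.bincount(np.asarray(teacher_labels), minlength=n_classes).astype(float)
    counts += rng.laplace(scale=1.0 / eps, size=n_classes)
    return int(np.argmax(counts))

def pate_predict(teachers, X, eps, rng, n_classes=2):
    votes = np.stack([(X @ w >= 0.0).astype(int) for w in teachers], axis=1)   # one label per teacher
    return np.array([noisy_vote(row, eps, n_classes, rng) for row in votes])

def run_all(eps=1.0, delta=1e-5, k_teachers=5, seed=0):
    """Test accuracy of the non-private model and of each single perturbation point at budget eps."""
    rng = np.random.default_rng(seed)
    X, y = make_data(seed=seed)
    Xtr, ytr, Xte, yte = X[:400], y[:400], X[400:], y[400:]
    lam = 1e-3
    w0 = train_lr(Xtr, ytr, lam=lam)
    out = {"non_private": accuracy(w0, Xte, yte)}
    out["input"] = accuracy(train_lr(input_perturbation(Xtr, eps, rng=rng), ytr, lam=lam), Xte, yte)
    b = objective_noise(Xtr.shape[1], eps, rng)
    out["objective"] = accuracy(train_lr(Xtr, ytr, lam=lam, objective_b=b), Xte, yte)
    out["gradient"] = accuracy(train_lr(Xtr, ytr, lam=lam, clip=1.0, noise_multiplier=1.1, rng=rng), Xte, yte)
    out["output"] = accuracy(output_perturbation(w0, eps, delta, len(Xtr), lam, rng), Xte, yte)
    shards = np.array_split(np.arange(len(Xtr)), k_teachers)
    teachers = [train_lr(Xtr[i], ytr[i], lam=lam) for i in shards]
    out["prediction"] = float(np.mean(pate_predict(teachers, Xte, eps, rng) == yte))
    return out

if __name__ == "__main__":
    for eps in (0.1, 1.0, 10.0):
        print(eps, run_all(eps))
```

Running `run_all` for a few budgets shows the qualitative picture the paper's Section 6 reports: with sensitivity 2/(nλ) on a small training set, output perturbation destroys the weights at small ε, whereas the PATE vote is barely affected because only a count of sensitivity 1 is noised.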
4. DP-Util Design
In this section, we describe DP-UTIL, an extensible framework for conducting comprehensive privacy/utility trade-off analysis of DP across the ML pipeline.
DP-UTIL is the first framework to combine the five DP perturbation methods proposed thus far in a single pipeline while enabling multi-metric privacy/utility trade-off analysis. It is designed so that new components can easily be added and existing ones updated. Next, we use Figure 1 to describe DP-UTIL and how ML privacy practitioners or researchers can use and extend it. In particular, we focus on its three components: DP Perturbation Plugins, Inference Attacks, and Holistic Trade-off Analysis.
4.1. DP Perturbation Plugins
Across the ML pipeline, prior work has proposed five spots where DP could be plugged in to enable privacy-preserving ML (hence the term "DP Perturbation Plugins" in Figure 1). Depending on the dataset type (e.g., images vs. numeric), loss function (e.g., convex vs. non-convex), gradient computation method, and model architecture, the privacy guarantee offered by each DP perturbation varies. Currently, across two model architectures (LR and DNN), DP-UTIL supports five perturbation plugins: all five for LR, and input, gradient, and prediction perturbation for DNN. While our current design relies on the peer-reviewed implementations of the perturbation mechanisms for LR and DNN, users of DP-UTIL can add future implementations with minimal effort.
In terms of dataset support, DP-UTIL currently supports three classification datasets from the vision (image classification), medical (COVID-19), and finance (Loan-Data) domains. The modular design allows plugging in new datasets and proceeding with the rest of the analysis pipeline. The "Pre-processing" component in the ML pipeline block of Figure 1 offers pre-training data cleaning functionality that a user may customize for the dataset at hand.
4.2. Privacy Motivated Inference Attacks
In this component of DP-UTIL, multiple privacy-motivated inference attacks can be plugged in, and existing attacks can be replaced with more recent ones as the state of the art evolves. Such attacks include membership inference (MIA_shokri; MIA_whitebox; MIA-Evan), attribute inference (Property_Inference1), model inversion (model-inversion), and model parameter inference/extraction (model-stealing16). In its current version, DP-UTIL supports the popular membership inference attack in a black-box setting, which we introduce next.
To uniformly analyze the utility of DP across the perturbation mechanisms, we use the membership inference attack introduced by Shokri et al. (MIA_shokri). The attack exploits the prediction vectors to infer whether a sample is a member of the training dataset. Multiple shadow models, whose architecture we keep identical to the target model's, are used to train an attack model: a binary classifier that predicts whether a given sample is a member of the target model's training dataset. We use shadow models to train our Random Forest attack model. When we attack the target models, we assume black-box access to each model, i.e., the attacker submits an input sample to a prediction API which returns the prediction output.
Our choice of membership inference attack is informed by the conceptual connection to the primary goal of differential privacy, which is to make the presence/absence of a data sample indistinguishable in the eyes of an adversary. Membership inference essentially aims to achieve the opposite goal: determine, with some confidence, whether a given data sample is present or absent in a training set of a target model. This antagonistic setup between the two makes membership inference a natural fit for showcasing DP-UTIL.
4.3. Holistic Trade-off Analysis
Like the other components of DP-UTIL, here we envision a growing list of alternative privacy/utility trade-off analysis metrics used to evaluate model utility (e.g., via accuracy), privacy leakage, actual number of records/attributes inferred, and other relevant metrics such as performance overhead of the analysis scheme and fairness of the model predictions to a sub-population of training data (e.g., minority groups). In its current version, DP-UTIL supports three established metrics: utility loss, privacy leakage, and true revealed data, which together offer a holistic assessment of the utility of DP in limiting privacy motivated attacks such as membership inference.
Utility Loss. Model utility, or accuracy, is calculated as the percentage of correctly predicted labels. We calculate utility loss (label loss) as the difference in utility between the non-private and the differentially private model. A utility loss of implies that the private model achieves the same utility as the non-private model. Formally, utility loss is calculated as: .
Privacy Leakage. This metric (Privacy_leakage) estimates the model's susceptibility to an inference attack. It is the difference between the true positive rate and the false positive rate of the adversary's inference attack, and its value lies in the range . A privacy leakage of means the inference attack induces no data leakage, while a value of essentially means complete inference success. For some of our results, we observe negative privacy leakage; in those cases the attack's false positive rate exceeds its true positive rate, meaning the attack model labels more non-members than members as members.
True Revealed Data. Since privacy leakage is also affected by non-members falsely inferred as members, we use true revealed data to estimate the actual number of members whose data is in danger of disclosure when the membership inference attack succeeds.
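As an added example (not part of DP-UTIL's released code), the following Python computes the three metrics from the accuracies of the non-private and private models and from an attack's member/non-member decisions on a constructed, balanced evaluation set. Reading "true revealed data" as the number of members the attack correctly flags (the true-positive count) is this example's interpretation of the definition above.

```python
"""The three DP-UTIL trade-off metrics over a membership-inference attack's decisions.
Added example; the attack outputs below are constructed, not measured."""


def utility_loss(acc_non_private, acc_private):
    """Accuracy drop of the private model: 0 means no loss, negative means the private model did better."""
    return acc_non_private - acc_private


def attack_confusion(is_member, inferred_member):
    """Return (tp, fp, fn, tn) of the attack, where the positive class is 'member'."""
    tp = fp = fn = tn = 0
    for m, inf in zip(is_member, inferred_member):
        if m and inf:
            tp += 1
        elif m and not inf:
            fn += 1
        elif not m and inf:
            fp += 1
        else:
            tn += 1
    return tp, fp, fn, tn


def privacy_leakage(is_member, inferred_member):
    """TPR - FPR of the attack, in [-1, 1]; negative when more non-members than members are flagged."""
    tp, fp, fn, tn = attack_confusion(is_member, inferred_member)
    tpr = tp / (tp + fn) if tp + fn else 0.0
    fpr = fp / (fp + tn) if fp + tn else 0.0
    return tpr - fpr


def true_revealed(is_member, inferred_member):
    """Members the attack correctly identified: the records actually exposed."""
    return attack_confusion(is_member, inferred_member)[0]


def report(acc_non_private, acc_private, is_member, inferred_member):
    return {
        "utility_loss": utility_loss(acc_non_private, acc_private),
        "privacy_leakage": privacy_leakage(is_member, inferred_member),
        "true_revealed": true_revealed(is_member, inferred_member),
    }


# Constructed evaluation set: 8 members followed by 8 non-members, and two attack outcomes.
IS_MEMBER = [1] * 8 + [0] * 8
GOOD_ATTACK = [1, 1, 1, 1, 1, 1, 0, 0] + [1, 1, 0, 0, 0, 0, 0, 0]   # TPR 0.75, FPR 0.25
BAD_ATTACK = [1, 1, 0, 0, 0, 0, 0, 0] + [1, 1, 1, 1, 1, 1, 0, 0]    # TPR 0.25, FPR 0.75

if __name__ == "__main__":
    print(report(0.90, 0.85, IS_MEMBER, GOOD_ATTACK))
    print(report(0.90, 0.60, IS_MEMBER, BAD_ATTACK))
```

The second constructed case shows the negative-leakage situation described above: the attack flags six of eight non-members and only two of eight members, so TPR − FPR is −0.5 even though it still reveals two true records.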
5. Datasets and Analysis Setup
In this section, we describe the setup for our instance of DP-UTIL in Figure 1. Before we describe our setup, to guide our analysis, we provide context on assumptions and scope.
Assumptions and Scope. We assume the correctness of the implementations of the perturbation mechanisms we analyze, and directly use the original implementations released with the published papers. Following prior work (DP_USENIX), we instantiate our analysis for two classes of ML models: logistic regression (convex optimization) and deep neural networks (non-convex optimization). For logistic regression, we analyze input, objective, gradient, output, and prediction perturbation. For DNNs, we again rely on the insight of prior work (DP_USENIX) on the suitability of gradient perturbation for non-convex optimization, and extend prior evaluations of gradient perturbation alone by introducing input perturbation and prediction perturbation as alternative DP noise mechanisms in the holistic utility analysis. As of this writing, we have not come across reproducible methods for objective and output perturbation for DNNs. When peer-reviewed and reproducible implementations of these perturbation methods become available, the modular design of DP-UTIL allows plugging them into the framework to extend it to a wider range of perturbation types and their variations.
We use three datasets, two of which focus on practical privacy-sensitive domains: healthcare and finance. For financial privacy analysis, we use the LendingClub-Loan dataset (LendingClub) from Kaggle, while for medical privacy analysis, we use the COVID-19 dataset (Covid-19). Finally, among benchmark datasets used by prior work, we use the CIFAR-10 (Cifar10) dataset. Next, we briefly describe each dataset.
LendingClub-Loan (LendingClub). LendingClub is a US peer-to-peer lending company that offers loans in the range . Investors view the loan book on the LendingClub website and complete their own analysis of its quality based on the information supplied about the borrower, loan amount, loan grade, and loan purpose. The dataset contains sensitive features about borrowers, including zip code, employment length, loan amount, and home ownership. The accepted-loan data has a column named grade with values from A to G, where A is the highest grade and G the lowest; the grade is derived from risk and volatility and adjusts the final interest rate. The task is to build a classifier that, given the other features, assigns an accepted loan a grade from A to G. The dataset has samples with features; we use of the dataset as the training set and the remaining as the test set.
COVID-19 (Covid-19). This dataset contains sensitive information about patients, such as whether a patient has underlying health conditions (diabetes, asthma, cardiovascular or chronic diseases). Among other features, it also includes age, gender, and whether or not the patient uses tobacco. The task is binary classification: predict whether the patient is COVID-19 positive or negative. The dataset contains samples with features. As before, we use of the data as the training set and the remaining as the test set.
CIFAR-10 (Cifar10). This dataset consists of color images in classes. Each image has dimension . The target classes are object categories (airplane, automobile, bird, cat, deer, dog, frog, horse, ship, truck) that are completely mutually exclusive. We split the samples into an equal number of training and test images for our experiments.
5.2. Models and Hyperparameters
Dataset Split. For each dataset, we first split the data into two halves of each. We further split the first half into training and test sets for the target model, and the second half into training and test sets for the membership inference attack model. For instance, the LendingClub-Loan dataset has samples in total. To train our differentially private models, we use samples for training and samples to test model performance. Similarly, we use the remaining samples for training and testing the attack models, each.
Logistic Regression Model. We train the model with regularization, with regularization parameter and epochs. For this setting, we vary the privacy budget from to . For the COVID-19 dataset, , and for the CIFAR-10 and LendingClub-Loan datasets, , since should be smaller than the inverse of each training set size: , , and . Our learning rate across all datasets is and the batch size is . We use the Adam optimizer.
5.3. Perturbations Setup
Next, we describe the specific setup we use for running the five perturbation mechanisms used in our analysis.
Input Perturbation. To implement input perturbation for logistic regression, we use the technique of (Input_perturb17). For DNN, we follow (input-perturb20). We use a different technique for DNN because, reflecting practical cases, we do not assume strong convexity of the DNN loss.
Objective Perturbation. For logistic regression, we use the Diffprivlib v0.4 library from IBM (Dippriv). Its objective perturbation is built on the work of Chaudhuri et al. (ERM-DP) and is integrated with the scikit-learn library under some restrictions, i.e., its logistic regression supports only regularization.
Gradient Perturbation. For both LR and DNN, we use the TensorFlow Privacy framework (Tensorflow_Privacy), which is based on the moments accountant introduced by Abadi et al. (DP-SGD). We implement our differentially private training with the Gaussian DP Adam optimizer. To keep the privacy budget in the range , we calibrate the moments accountant by changing only the noise multiplier parameter.
Output Perturbation. For logistic regression, we add Gaussian noise to the model parameters after training, with sensitivity , where is the number of samples in each dataset, and we use .
Prediction Perturbation. We implement PATE (PATE17) as proposed by Papernot et al. More precisely, we divide the LendingClub-Loan, COVID-19, and CIFAR-10 datasets into , , and disjoint subsets, respectively, and train one teacher model per subset. Each teacher is trained with the model architectures discussed earlier for LR and DNN. To add random noise to the vote count of each label, we sample Laplace noise with privacy budget in the range .
6. Analysis Results
In this section, we evaluate DP-UTIL by answering the following research questions:
RQ1: Among the five perturbation methods in DP-UTIL, is there a particular method that offers minimal utility loss with minimal privacy leakage?
RQ2: What is the impact of number of classes (binary vs. multi-class) on utility loss and privacy leakage across perturbation mechanisms?
RQ3: What is the impact of dataset types (image vs. numerical) on utility loss and privacy leakage across perturbation mechanisms?
RQ4: What is the impact of model architecture (shallow learning vs. deep learning) on utility loss and privacy leakage across perturbation mechanisms?
We now present our findings across the three datasets (CIFAR-10, COVID-19, and LendingClub-Loan), two model types (LR and DNN), and five perturbation mechanisms (input, objective, gradient, output, and prediction). We analyze utility loss (Section 6.1), privacy leakage (Section 6.2), and true revealed data (Section 6.3).
6.1. Utility Loss Analysis
Logistic Regression (LR) Utility Loss. Figures 2 (a), 2 (b), and 2 (c) show utility loss for LR on CIFAR-10, COVID-19, and LendingClub-Loan, respectively. Among the five perturbation mechanisms, prediction perturbation consistently results in the lowest utility loss for all datasets. In fact, it incurs zero utility loss after for all datasets. Next, we examine results for each dataset.
CIFAR-10: The non-private baseline LR model achieves test accuracy of on CIFAR-10. From Figure 2 (a), the utility loss of output perturbation is the highest for , where its accuracy lies in the range . Prediction perturbation achieves utility loss from , the lowest of all mechanisms. Objective perturbation shows utility loss of for in , and for , which is lower than output perturbation. Besides, for , input and gradient perturbation show lower utility loss for small than objective and output perturbation.
COVID-19: The non-private LR model accuracy is . As Figure 2 (b) shows, the utility loss of output perturbation is the highest for . For instance, at , output perturbation has utility loss of , which is larger than objective perturbation (), gradient perturbation (), input perturbation (), and prediction perturbation (). For , utility loss is negligible , although input, objective, output, and prediction perturbation show slightly lower (almost negligible) utility loss compared to gradient perturbation.
LendingClub-Loan: From Figure 2 (c), we observe that for smaller values (), output perturbation produces the highest utility loss, which is . For all in general, prediction perturbation produces lower utility loss than gradient, input, and objective perturbation. For example, when the privacy budget is , utility loss for prediction, gradient, objective, and input perturbation is , , , and , respectively. Input and gradient perturbation produce lower utility loss, , for . Note that when we compare the utility loss of objective perturbation with that of gradient and input perturbation, gradient and input perturbation are better choices than objective perturbation in terms of utility preservation.
Deep Neural Network Utility Loss. Figures 3 (a), 3 (b), and 3 (c) show utility loss for a DNN model on CIFAR-10, COVID-19, and LendingClub-Loan, respectively. Similar to our observation for LR, prediction perturbation incurs the lowest utility loss, not only across the three datasets but also over the whole range of privacy budget values.
CIFAR-10: The non-private model utility is . For prediction perturbation, utility loss is when , while for higher values, utility loss is . For gradient and input perturbation, utility loss is higher than for prediction perturbation. For example, at lower epsilon (), gradient and input perturbation produce higher utility loss than prediction perturbation.
COVID-19: The non-private model utility is . As Figure 3 (b) shows, the utility loss of prediction perturbation is for . For input perturbation, utility loss is for . For gradient perturbation, utility loss is higher than for prediction and input perturbation. For and , the utility loss of gradient perturbation is and , respectively, and for , utility loss is .
LendingClub-Loan: The non-private DNN model reaches accuracy of . Comparatively, as depicted in Figure 3 (c), prediction and input perturbation produce lower utility loss () than gradient perturbation for . On the contrary, input perturbation performs worst of all perturbation mechanisms at lower privacy budgets. For , input and gradient perturbation produce and higher utility loss, respectively, than prediction perturbation.
Observation 1: With regard to RQ1, prediction perturbation achieves the lowest utility loss across all datasets. This is intuitive, as prediction perturbation requires less random noise because the noise is added to the aggregated result of the teachers' votes. For both LR and DNN, prediction perturbation reaches utility loss at in most cases. For lower privacy budget values ( or ), output perturbation results in the highest utility loss, in contrast to gradient or objective perturbation. This result is again intuitive, as objective perturbation adds noise to the objective function and then minimizes the perturbed loss, while output perturbation adds noise directly to the trained model parameters. Concerning RQ2, in LR, objective perturbation incurs more utility loss for multi-class classifiers than for the binary classifier for any . Utility loss for gradient perturbation at is also larger for multi-class classifiers than for binary classifiers. Additionally, input perturbation shows lower utility loss and privacy leakage for binary classifiers. In response to RQ3, for both LR and DNN, gradient perturbation shows lower utility loss from for image data than for numerical data. Concerning RQ4, for gradient and prediction perturbation, we observe a negligible difference in utility loss between LR and DNN. Hence, with respect to utility loss, the perturbation techniques turn out to be model-independent.
6.2. Privacy Leakage Analysis
Logistic Regression Privacy Leakage. Figures 4 (a), 4 (b), and 4 (c) show the privacy leakage for the LR model on CIFAR-10, COVID-19, and LendingClub-Loan, respectively. In the following, we analyze privacy leakage for each dataset.
CIFAR-10: In Figure 4 (a), the non-private privacy leakage is . Output perturbation shows the lowest privacy leakage of all perturbation techniques, i.e., for . For , the privacy leakage increases to , which is not negligible. For gradient perturbation, privacy leakage is when , while for higher (), privacy leakage increases gradually. For example, for , privacy leakage is , while for , privacy leakage is . For objective perturbation, privacy leakage is over the whole privacy budget range. Compared to the other three perturbation techniques, input and prediction perturbation show higher privacy leakage. For example, for , the privacy leakage reaches and for input and prediction perturbation, respectively.
COVID-19: From Figure 4 (b), we notice that output perturbation shows privacy leakage of for all values. Gradient perturbation shows lower privacy leakage, , for . For larger (i.e., ), privacy leakage reaches a slightly higher value of . For objective perturbation, privacy leakage is for , while for larger privacy budgets, leakage is . For input perturbation, privacy leakage is from . For prediction perturbation, privacy leakage reaches for all values.
LendingClub-Loan: For this dataset, input perturbation shows the highest leakage, for , and otherwise. Objective perturbation shows small privacy leakage over all values, which is . For gradient perturbation, privacy leakage is for . For , this value reaches . For output perturbation, privacy leakage does not follow a clear pattern across and varies from . For prediction perturbation, privacy leakage is for , and for .
Deep Neural Network Privacy Leakage. Figures 5 (a), 5 (b), and 5 (c) show the privacy leakage for the DNN model on CIFAR-10, COVID-19, and LendingClub-Loan, respectively.
CIFAR-10: As can be seen from Figure 5 (a), input perturbation shows higher leakage than gradient and prediction perturbation. Its privacy leakage is for and for higher privacy budget values. Gradient perturbation shows comparatively lower privacy leakage for . For privacy budgets higher than that, privacy leakage increases. For example, at , privacy leakage is , which reaches at . Also note that, for gradient perturbation, privacy leakage drops below that of prediction perturbation at , whereas from , privacy leakage is slightly lower for prediction perturbation. At , privacy leakage is for gradient perturbation, while for prediction perturbation this value reaches . But for higher (i.e., ), privacy leakage is for gradient perturbation, while for prediction perturbation this value reaches .
COVID-19: From Figure 5 (b), prediction perturbation results in more privacy leakage than gradient and input perturbation ( and , respectively). For prediction perturbation, privacy leakage increases with . For instance, at , privacy leakage is , while for , privacy leakage reaches .
LendingClub-Loan: As can be seen from Figure 5 (c), gradient perturbation shows privacy leakage of over all values. For instance, for , privacy leakage is . For prediction perturbation, privacy leakage is also , though slightly larger for several values. For , the privacy leakage of prediction perturbation is , while gradient perturbation reaches . Input perturbation shows the highest privacy leakage, which is for almost all values of .
Observation 2: In response to RQ1, for LR, objective perturbation shows the lowest privacy leakage of all perturbation techniques, namely no leakage for almost all choices of . On the contrary, for DNN models, gradient perturbation is the best choice for a privacy practitioner concerned with privacy leakage, as its leakage is negligible for different choices of . Concerning RQ2, LR with the binary classifier shows almost privacy leakage at , which is promising as it combines almost no privacy leakage with lower utility loss, in contrast to multi-class classifiers. In response to RQ4, input perturbation for DNN shows more leakage than for LR at higher privacy budget values (i.e., ), which is expected since we use two different input perturbation mechanisms (the DNN input perturbation mechanism relies on more relaxed bounds).
6.3. True Revealed Records
Logistic Regression True Revealed Records. Figures 6 (a), 6 (b), and 6 (c) show the true revealed records of an LR model on CIFAR-10, COVID-19, and LendingClub-Loan, respectively. Next, we examine the results for each dataset.
CIFAR-10: From Figure 6 (a), prediction perturbation shows the highest true positive data leakage () over the whole privacy budget range. Output perturbation, surprisingly, reveals the fewest true positive records () for . For privacy budget , this value is . For gradient perturbation, this value reaches after . Objective and input perturbation also reveal fewer true positive records than gradient and prediction perturbation, between over the privacy budget range.
COVID-19: According to Figure 6 (b), while the total number of training records is and , output perturbation shows the lowest values of all perturbation techniques, and for , the true positive count increases gradually. For instance, for , the true revealed count is , which is of the total number of training records. On the other hand, for prediction perturbation, the true revealed count is when . Objective, gradient, and input perturbation reveal a similar number of members, which is higher than prediction perturbation. For example, gradient perturbation reveals true positive records from .
LendingClub-Loan: This result is shown in Figure 7 (c). With training records in total, for , the true revealed count for output perturbation increases from to . For instance, for , the true revealed count is , which is of the total number of training records. On the other hand, for prediction perturbation, it is when , which is the highest. In this context, input perturbation performs better than output and prediction perturbation. For objective perturbation, the number of true positive (true revealed) samples is for , while for , the true revealed count is . For gradient perturbation, the true positive count is from , which is the lowest and almost constant over different .
Deep Neural Network True Revealed Records. Figures 7 (a), 7 (b), and 7 (c) show the revealed true members of the training dataset (true positive counts) for a DNN model on CIFAR-10, COVID-19, and LendingClub-Loan, respectively.
CIFAR-10: From Figure 7 (a), gradient perturbation reveals a lower true positive count than prediction and input perturbation for , while for , the counts are nearly equal for gradient and prediction perturbation, whereas input perturbation reveals larger counts. For example, at , gradient perturbation leaks true positive records, while prediction perturbation and input perturbation reveal and records, respectively.
COVID-19: We observe from Figure 7 (b) that prediction perturbation reveals more true positive records than gradient perturbation and input perturbation for all . For example, at , the true revealed count is for prediction perturbation, while gradient and input perturbation reach and , respectively.
LendingClub-Loan: Figure 7 (c) shows that the true positive counts of input and prediction perturbation are higher than that of gradient perturbation. For example, at , prediction and input perturbation reach true positive counts of and , while gradient perturbation reaches .
Observation 3: The number of true revealed records has an almost linear relationship with privacy leakage. Across all the results, we observe that a model starts to leak more true records when the privacy leakage is higher.
6.4. Overall Observations on Utility/Privacy Trade-offs
With regard to RQ1, if we consider overall performance (both utility and privacy), there is no obvious optimal DP technique that fits well for LR. On the other hand, for deep learning models, gradient perturbation seems an obvious choice for a practical utility/privacy trade-off. It is also noticeable that, for gradient perturbation, a privacy budget of provides an acceptable utility/privacy trade-off. We note that our results so far do not point to a reality where one perturbation technique offers better or acceptable utility at no cost (a compromise on privacy is inevitable). For instance, prediction perturbation provides better utility than the other perturbation techniques, but it costs the highest privacy leakage in exchange.
Concerning RQ2, and drawing on Observations 1 and 2, for a privacy practitioner who wants to work with a binary classifier and an LR model, objective perturbation is an optimal choice. However, other perturbation techniques, for instance gradient perturbation, are better choices than objective perturbation for multi-class classifiers, as the utility/privacy trade-off of gradient perturbation stays within a tolerable range.
In response to RQ3, and drawing on Observations 1 and 2, we conclude that gradient perturbation performs better overall on image datasets than on numerical datasets.
Concerning RQ4, we do not observe notable differences in the behaviour of the perturbation techniques across model architectures.
7. Related Work
While previous studies evaluated the privacy/accuracy trade-off in terms of privacy budget for different perturbation techniques, they did so in isolation, for example, by studying only gradient perturbation. The absence of a comprehensive picture of the privacy/accuracy trade-off for widely adopted perturbation techniques across the ML pipeline is what makes our work broadly orthogonal to prior work (DP_USENIX; input-perturb20; DPUtility20). In the following, we highlight the most relevant related work.
Early uses of differential privacy for privacy-preserving ML include empirical risk minimization (ERM-DP; input-perturb20; Faster_ERM) and the design of differentially private deep learning algorithms (DP-SGD; Denoising-Nsr). This class of differentially private algorithms adds noise at different stages of the ML pipeline via input perturbation (Input_perturb17; input-perturb20; Input-Perturb13), objective perturbation (ERM-DP), gradient perturbation (DP-SGD), output perturbation (ERM-DP), prediction perturbation (PATE_new; PATE17), and confidence masking (Memguard).
In (Input_perturb17), a DP technique for input perturbation is proposed: random noise is injected into the input data in a manner that satisfies local differential privacy with respect to the database and global differential privacy with respect to the model parameters. In (input-perturb20), the authors extend prior work, which was limited to strongly convex loss functions, using the Polyak-Lojasiewicz (Polyak-Lojasiewicz) condition.
Objective perturbation for Empirical Risk Minimization (ERM) was proposed by Chaudhuri et al. (ERM-DP). This work assumes several convexity and differentiability criteria, i.e., a strictly convex loss function and normalized input data. They extend their technique to produce privacy-preserving LR and Support Vector Machine classifiers. In (Faster_ERM), differentially private ERM is studied for strongly convex loss functions with or without non-smooth regularization. Their contribution is an improved gradient complexity of . Besides, for high-dimensional data, they reduce the gradient complexity to , which is more general and faster than previous work. In a recent work (Distributed_learning), gradient perturbation for collaborative learning is introduced, where multiple data owners add noise to their respective gradients locally after each iteration.
In (Memguard), a carefully crafted noise vector, obtained from a mechanism that uses an adversarial example, is added to the prediction to defend against membership inference attacks. The goal is to choose random noise that minimizes membership inference attack accuracy while keeping the true label. In (PATE17) and (PATE_new), an ensemble of teacher models is trained on disjoint datasets. A separate model, called the student model, is trained on data labeled with the output of a noisy aggregation of the teacher ensemble's predictions. The main difference between PATE (PATE17) and Scalable PATE (PATE_new) is that the latter uses more concentrated noise (Gaussian noise) while the former uses Laplace noise. Besides, the latter is more selective (i.e., when the teachers disagree too much, the system may simply choose to abstain). In PRICURE (PRICURE21), a strategy similar to PATE is used to add noise to an aggregation of predictions from multiple models in a collaborative setting, so as to limit the success of membership inference attacks.
Jayaraman and Evans (DP_USENIX) evaluate relaxed notions of DP mechanisms for ML. Using gradient perturbation as the DP mechanism, they focus on three relaxations: DP with advanced composition (Advanced-Comp), zero-concentrated DP (Zero-Conc-DP), and Rényi DP (Renyi-DP). This work explores the utility/privacy trade-off by measuring the leakage caused by these relaxed notions of DP. They conclude that existing DP-ML methods rarely offer acceptable privacy/utility trade-offs for complex models.
Another evaluation of DP on healthcare datasets was conducted by Vinith et al. (DP_Healthcare). They studied DP-SGD models in clinical prediction tasks such as X-ray classification and mortality prediction. Their work concludes that DP-SGD loses salient information about minority classes while it preserves data privacy. In (Unintended_Memorization), the effect of differential privacy on a memorization attack is evaluated, though no privacy leakage evaluation is provided. In (MIA_experiment), measurement studies on the effect of DP against MIA are performed, and this evaluation was limited to DP-SGD (DP-SGD).
In (DPUtility20), an analysis pipeline similar to ours is presented. They choose Naive Bayes for input and output perturbation and NN for input and gradient perturbation to evaluate utility/privacy trade-offs on the CIFAR, Purchase, and Netflix datasets. The main difference from our work is that we evaluate five perturbations for LR and the three currently popular perturbations for DNN; hence DP-UTIL enables a holistic analysis.
In this paper, we introduced a holistic utility analysis of differential privacy over the machine learning pipeline. Our principal contribution is the holistic analysis of five existing DP perturbations on logistic regression and three existing DP perturbations on deep neural networks through a comprehensive privacy/utility trade-off analysis over a range of privacy budgets . From our evaluations, we observe that some perturbation mechanisms outperform others in terms of utility, yet cost privacy leakage in exchange. Besides, our results also offer insights into how DP techniques compare across different datasets and classifiers. We also report negligible differences in utility and privacy across diverse model architectures. For example, for deep neural networks, gradient perturbation offers an acceptable utility/privacy trade-off compared with the other perturbation methods, whereas for binary classifiers with LR, objective perturbation provides an acceptable utility/privacy trade-off compared to multi-class classifiers. We hope our holistic analysis framework will enable machine learning privacy practitioners to make informed decisions as to which perturbation mechanism to pick, based on a thorough comparative analysis of the dynamics between optimization techniques in machine learning, perturbation mechanisms, number of classes, and privacy budget.