23 research outputs found
Adaptive Laplace Mechanism: Differential Privacy Preservation in Deep Learning
In this paper, we focus on developing a novel mechanism to preserve
differential privacy in deep neural networks, such that: (1) The privacy budget
consumption is totally independent of the number of training steps; (2) It has
the ability to adaptively inject noise into features based on the contribution
of each to the output; and (3) It could be applied in a variety of different
deep neural networks. To achieve this, we figure out a way to perturb affine
transformations of neurons, and loss functions used in deep neural networks. In
addition, our mechanism intentionally adds "more noise" into features which are
"less relevant" to the model output, and vice-versa. Our theoretical analysis
further derives the sensitivities and error bounds of our mechanism. Rigorous
experiments conducted on MNIST and CIFAR-10 datasets show that our mechanism is
highly effective and outperforms existing solutions. Comment: IEEE ICDM 2017 - regular paper
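The abstract's two mechanics, "more noise into less relevant features" and a budget that does not grow with the number of training steps, can be seen in a few lines. The following is an added illustration, not code from the paper: it splits one Laplace budget across features in proportion to a relevance score that is assumed to be given (the paper derives its own relevance and sensitivity bounds; here the sensitivity is simply taken as 1.0 for unit-scaled features), perturbs each row once, and then trains for as many gradient steps as it likes on the perturbed data, which is post-processing and costs no further budget. The dataset is constructed inline.

```python
import math
import random


def laplace_sample(scale, rng):
    """Laplace(0, scale) as the difference of two i.i.d. Exponential(mean=scale) draws."""
    return rng.expovariate(1.0 / scale) - rng.expovariate(1.0 / scale)


def mean_abs_noise(scale, n=20000, seed=1):
    """Sanity check for the sampler: E|X| equals the scale for a Laplace(0, scale)."""
    rng = random.Random(seed)
    return sum(abs(laplace_sample(scale, rng)) for _ in range(n)) / n


def allocate_budget(relevance, epsilon, floor=0.05):
    """Split one total budget epsilon across features in proportion to relevance.

    The per-feature budgets sum to epsilon (sequential composition over the
    features), so the whole perturbed feature vector is epsilon-DP. The floor is an
    assumption of this example: it keeps a zero-relevance feature's share positive,
    i.e. large but finite noise rather than an infinite scale.
    """
    weights = [max(r, 0.0) + floor for r in relevance]
    total = sum(weights)
    return [epsilon * w / total for w in weights]


def noise_scales(relevance, epsilon, sensitivity):
    """Laplace scale per feature is sensitivity / epsilon_j: a less relevant feature
    gets a smaller epsilon_j and therefore a larger scale, i.e. more noise."""
    return [sensitivity / e_j for e_j in allocate_budget(relevance, epsilon)]


def perturb_features(rows, relevance, epsilon, sensitivity, rng):
    """Perturb every row exactly once. Anything computed from the result afterwards
    is post-processing of a DP output and consumes no additional privacy budget."""
    scales = noise_scales(relevance, epsilon, sensitivity)
    return [[x + laplace_sample(s, rng) for x, s in zip(row, scales)] for row in rows]


def train_logreg(rows, labels, steps, lr=0.01):
    """Full-batch gradient descent for logistic regression on already-perturbed rows.
    `steps` is free to choose: the privacy cost was paid once in perturb_features."""
    d = len(rows[0])
    n = len(rows)
    w, b = [0.0] * d, 0.0
    for _ in range(steps):
        grad_w, grad_b = [0.0] * d, 0.0
        for row, y in zip(rows, labels):
            z = sum(wi * xi for wi, xi in zip(w, row)) + b
            z = max(-30.0, min(30.0, z))          # keep exp() in range on heavy-tailed noise
            err = 1.0 / (1.0 + math.exp(-z)) - y
            for j in range(d):
                grad_w[j] += err * row[j]
            grad_b += err
        w = [wi - lr * g / n for wi, g in zip(w, grad_w)]
        b -= lr * grad_b / n
    return w, b


def build_dataset(n, rng):
    """Constructed toy data: feature 0 decides the label, feature 1 is unrelated noise."""
    rows, labels = [], []
    for i in range(n):
        x0 = 1.0 if i % 2 == 0 else -1.0
        x1 = rng.uniform(-1.0, 1.0)
        rows.append([x0, x1])
        labels.append(1 if x0 > 0 else 0)
    return rows, labels


def demo(epsilon=1.0, sensitivity=1.0, steps=500, seed=7):
    """Perturb once with relevance-weighted noise, then train; returns (weights, bias)."""
    rng = random.Random(seed)
    rows, labels = build_dataset(200, rng)
    relevance = [1.0, 0.1]      # assumed scores: the model relies on feature 0, not 1
    noisy = perturb_features(rows, relevance, epsilon, sensitivity, rng)
    return train_logreg(noisy, labels, steps)


if __name__ == "__main__":
    print("scales:", noise_scales([1.0, 0.1], 1.0, 1.0))
    print("trained:", demo())
```

With relevance [1.0, 0.1] and epsilon 1.0 the irrelevant feature receives a Laplace scale of 8.0 against about 1.14 for the relevant one, and the learned weight on feature 0 still dominates after training. Contrast this with per-step noise injection, where each gradient step spends budget and the total grows with the step count; the "perturb once, then post-process" structure is what makes the budget independent of the number of training steps.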
Importance Sketching of Influence Dynamics in Billion-scale Networks
The blooming availability of traces for social, biological, and communication
networks opens up unprecedented opportunities in analyzing diffusion processes
in networks. However, the sheer sizes of the nowadays networks raise serious
challenges in computational efficiency and scalability.
In this paper, we propose a new hyper-graph sketching framework for influence
dynamics in networks. The core of our sketching framework, called SKIS, is
an efficient importance sampling algorithm that returns only non-singular
reverse cascades in the network. Compared to previously developed sketches
like RIS and SKIM, our sketch significantly enhances estimation quality while
substantially reducing processing time and memory footprint. Further, we
present general strategies of using SKIS to enhance existing algorithms for
influence estimation and influence maximization which are motivated by
practical applications like viral marketing. Using SKIS, we design a high-quality
influence oracle for seed sets with average estimation error up to 10x
smaller than with RIS and 6x smaller than with SKIM. In addition, our
influence maximization using SKIS substantially improves the quality of
solutions for greedy algorithms. It achieves up to 10x speed-up and 4x
memory reduction for the fastest RIS-based DSSA algorithm, while maintaining
the same theoretical guarantees. Comment: 12 pages, to appear in ICDM 2017 as a regular paper
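The idea of keeping only non-singular reverse cascades can be made concrete under the independent cascade model. The block below is an added, simplified reconstruction and not the authors' SKIS code: a singular reverse reachable (RR) set is one that contains only its source, which happens with probability equal to the product of (1 - p) over the source's incoming edges, so its contribution to the influence estimate is known in closed form and need not be stored. The sketch samples non-singular cascades by rejection (the paper's importance sampler draws them directly, which is part of its speed-up), stores only those, and corrects the estimate with the analytic singular mass. A plain RIS estimator is included for comparison. The six-node graph is constructed with edge probability 1.0 so that the true spread is exact.

```python
import random
from collections import deque


def reverse_cascade(in_edges, source, rng):
    """Sample one reverse reachable (RR) set for `source` under the independent
    cascade model: walk edges backwards, keeping each incoming edge (u -> v)
    with its propagation probability p. Each edge is examined at most once."""
    reached = {source}
    queue = deque([source])
    while queue:
        v = queue.popleft()
        for u, p in in_edges.get(v, ()):
            if u not in reached and rng.random() < p:
                reached.add(u)
                queue.append(u)
    return reached


def singular_probability(in_edges, v):
    """Probability that v's RR set is singular (exactly {v}): no incoming edge is live."""
    prob = 1.0
    for _, p in in_edges.get(v, ()):
        prob *= 1.0 - p
    return prob


def ris_estimate(in_edges, nodes, seeds, num_samples, rng):
    """Plain RIS estimator: influence(S) = n * Pr[a random RR set intersects S]."""
    seeds = set(seeds)
    hits = 0
    for _ in range(num_samples):
        if reverse_cascade(in_edges, rng.choice(nodes), rng) & seeds:
            hits += 1
    return len(nodes) * hits / num_samples


class NonSingularSketch:
    """Sketch that stores only non-singular RR sets.

    A singular set {v} is hit by S exactly when v is in S, and the total mass of
    singular sets is known in closed form, so that part of the estimate is computed
    analytically and only informative cascades take memory.
    """

    def __init__(self, in_edges, nodes, num_sketches, rng):
        self.nodes = list(nodes)
        self.n = len(self.nodes)
        self.singular = {v: singular_probability(in_edges, v) for v in self.nodes}
        self.p_singular = sum(self.singular.values()) / self.n   # uniform source
        self.sketches = []
        if self.p_singular < 1.0:           # otherwise no live edge exists anywhere
            while len(self.sketches) < num_sketches:
                rr = reverse_cascade(in_edges, rng.choice(self.nodes), rng)
                if len(rr) > 1:             # rejection step: keep non-singular only
                    self.sketches.append(rr)

    def estimate(self, seeds):
        seeds = set(seeds)
        singular_part = sum(self.singular[v] for v in seeds) / self.n   # exact
        if not self.sketches:
            return self.n * singular_part
        hit_rate = sum(1 for rr in self.sketches if rr & seeds) / len(self.sketches)
        return self.n * (singular_part + (1.0 - self.p_singular) * hit_rate)


# Constructed graph: A -> B, A -> C, B -> D, C -> D, E -> D; F is isolated.
# With p = 1.0 the true spread of {A} is 4 (A, B, C, D), of {E} is 2, of {F} is 1.
NODES = ["A", "B", "C", "D", "E", "F"]
IN_EDGES = {
    "B": [("A", 1.0)],
    "C": [("A", 1.0)],
    "D": [("B", 1.0), ("C", 1.0), ("E", 1.0)],
}


def demo(num_sketches=3000, seed=11):
    """Build the sketch on the constructed graph and compare it with plain RIS."""
    rng = random.Random(seed)
    sketch = NonSingularSketch(IN_EDGES, NODES, num_sketches, rng)
    return {
        "skis_A": sketch.estimate(["A"]),
        "skis_E": sketch.estimate(["E"]),
        "skis_F": sketch.estimate(["F"]),
        "ris_A": ris_estimate(IN_EDGES, NODES, ["A"], num_sketches, rng),
        "stored": len(sketch.sketches),
    }


if __name__ == "__main__":
    print(demo())
```

On this graph half of all RR sets are singular (sources A, E and F have no in-edges), so plain RIS spends half its samples on sets that carry no structural information, while the sketch's estimate for {A} and {F} is exact and the {E} estimate only has sampling error on the informative half. On sparse real graphs the singular fraction can be much larger, which is where discarding singular cascades pays off most; the rejection loop here would then also be the bottleneck, which is the part the paper's importance sampler replaces.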
XRand: Differentially Private Defense against Explanation-Guided Attacks
Recent development in the field of explainable artificial intelligence (XAI)
has helped improve trust in Machine-Learning-as-a-Service (MLaaS) systems, in
which an explanation is provided together with the model prediction in response
to each query. However, XAI also opens a door for adversaries to gain insights
into the black-box models in MLaaS, thereby making the models more vulnerable
to several attacks. For example, feature-based explanations (e.g., SHAP) could
expose the top important features that a black-box model focuses on. Such
disclosure has been exploited to craft effective backdoor triggers against
malware classifiers. To address this trade-off, we introduce a new concept of
achieving local differential privacy (LDP) in the explanations, and from that
we establish a defense, called XRand, against such attacks. We show that our
mechanism restricts the information that the adversary can learn about the top
important features, while maintaining the faithfulness of the explanations. Comment: To be published at AAAI 202
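What "local differential privacy in the explanation" buys an operator can be seen with the simplest LDP primitive, randomized response applied to the top-k feature set. This is an added illustration of the concept and not XRand's mechanism: each feature's membership bit in the top-k set is kept with probability e^eps/(1+e^eps) and flipped otherwise, so a single report bounds an adversary's posterior odds about any one feature by a factor of e^eps, while an analyst with many reports can still debias the frequencies. Feature count, top-k set and epsilon values are constructed.

```python
import math
import random


def keep_probability(epsilon):
    """Randomized response keeps each membership bit with probability e^eps/(1+e^eps)
    and flips it otherwise; each bit is then epsilon-LDP on its own."""
    return math.exp(epsilon) / (1.0 + math.exp(epsilon))


def randomize_top_features(top_features, num_features, epsilon, rng):
    """Return an LDP version of the top-important feature set: every index in
    range(num_features) passes through randomized response independently.
    Note: d bits at epsilon each are d*epsilon-LDP for the set as a whole
    (sequential composition); divide the budget by d to target a total epsilon."""
    keep = keep_probability(epsilon)
    truth = set(top_features)
    noisy = set()
    for j in range(num_features):
        bit = j in truth
        if rng.random() >= keep:
            bit = not bit
        if bit:
            noisy.add(j)
    return noisy


def posterior_upper_bound(prior, epsilon):
    """Most an adversary can conclude about 'feature j is truly top-k' from one
    randomized bit, given a prior: posterior odds <= e^eps * prior odds."""
    odds = math.exp(epsilon) * prior / (1.0 - prior)
    return odds / (1.0 + odds)


def debias_frequencies(noisy_reports, num_features, epsilon):
    """Unbiased estimate of how often each feature is truly top-k across many
    independent reports, using E[reported bit] = (1-keep) + truth*(2*keep-1)."""
    keep = keep_probability(epsilon)
    counts = [0] * num_features
    for report in noisy_reports:
        for j in report:
            counts[j] += 1
    m = len(noisy_reports)
    return [(c / m - (1.0 - keep)) / (2.0 * keep - 1.0) for c in counts]


def simulate(top_features, num_features, epsilon, trials, seed=3):
    """Constructed experiment: the same true top-k set is randomized `trials` times.
    Returns (per-bit agreement with the truth, debiased frequency estimates)."""
    rng = random.Random(seed)
    truth = set(top_features)
    reports, agree = [], 0
    for _ in range(trials):
        rep = randomize_top_features(top_features, num_features, epsilon, rng)
        reports.append(rep)
        agree += sum(1 for j in range(num_features) if (j in rep) == (j in truth))
    return agree / (trials * num_features), debias_frequencies(reports, num_features, epsilon)


if __name__ == "__main__":
    eps = math.log(3.0)
    print("keep probability:", keep_probability(eps))
    print("posterior bound from a 0.5 prior:", posterior_upper_bound(0.5, eps))
    print("agreement, debiased:", simulate([0, 1, 2], 10, math.log(9.0), 4000))
```

One deployment caveat that follows from the mechanism itself rather than from the paper: the guarantee is per report. If the service re-randomizes the explanation every time the same input is queried, an adversary can repeat the query and average the answers, recovering the true bits; the randomized explanation for a given input therefore has to be memoized, or the budget accounted across repeated queries.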
Active Membership Inference Attack under Local Differential Privacy in Federated Learning
Federated learning (FL) was originally regarded as a framework for
collaborative learning among clients with data privacy protection through a
coordinating server. In this paper, we propose a new active membership
inference (AMI) attack carried out by a dishonest server in FL. In AMI attacks,
the server crafts and embeds malicious parameters into global models to
effectively infer whether a target data sample is included in a client's
private training data or not. By exploiting the correlation among data features
through a non-linear decision boundary, AMI attacks with a certified guarantee
of success can achieve severely high success rates under rigorous local
differential privacy (LDP) protection; thereby exposing clients' training data
to significant privacy risk. Theoretical and experimental results on several
benchmark datasets show that adding sufficient privacy-preserving noise to
prevent our attack would significantly damage FL's model utility. Comment: Published at AISTATS 202
FairDP: Certified Fairness with Differential Privacy
This paper introduces FairDP, a novel mechanism designed to achieve certified
fairness with differential privacy (DP). FairDP independently trains models for
distinct individual groups, using group-specific clipping terms to assess and
bound the disparate impacts of DP. Throughout the training process, the
mechanism progressively integrates knowledge from group models to formulate a
comprehensive model that balances privacy, utility, and fairness in downstream
tasks. Extensive theoretical and empirical analyses validate the efficacy of
FairDP and improved trade-offs between model utility, privacy, and fairness
compared with existing methods.
User-Entity Differential Privacy in Learning Natural Language Models
In this paper, we introduce a novel concept of user-entity differential
privacy (UeDP) to provide formal privacy protection simultaneously to both
sensitive entities in textual data and data owners in learning natural language
models (NLMs). To preserve UeDP, we developed a novel algorithm, called
UeDP-Alg, optimizing the trade-off between privacy loss and model utility with
a tight sensitivity bound derived from seamlessly combining user and sensitive
entity sampling processes. An extensive theoretical analysis and evaluation
show that our UeDP-Alg outperforms baseline approaches in model utility under
the same privacy budget consumption on several NLM tasks, using benchmark
datasets. Comment: Accepted at IEEE BigData 202