The Trade-Offs of Private Prediction

Laurens van der Maaten, Awni Hannun

TL;DR

This work tackles how to privatize predictions from machine learning models without leaking training data. It contrasts three private-training techniques (model sensitivity, loss perturbation, DP-SGD) with two private-prediction approaches (prediction sensitivity, subsample-and-aggregate), all analyzed under an ERM framework with differential privacy guarantees and an inference budget. Across MNIST and CIFAR-10 experiments, private training methods often outperform private prediction methods in practical privacy-utility regimes, though results depend on δ, ε, and B. The findings provide actionable guidance for practitioners on selecting private-prediction strategies and highlight potential improvements through refined privacy accounting methods.

Abstract

Machine learning models leak information about their training data every time they reveal a prediction. This is problematic when the training data needs to remain private. Private prediction methods limit how much information about the training data is leaked by each prediction. Private prediction can also be achieved using models that are trained by private training methods. In private prediction, both private training and private prediction methods exhibit trade-offs between privacy, privacy failure probability, amount of training data, and inference budget. Although these trade-offs are theoretically well-understood, they have hardly been studied empirically. This paper presents the first empirical study into the trade-offs of private prediction. Our study sheds light on which methods are best suited for which learning setting. Perhaps surprisingly, we find private training methods outperform private prediction methods in a wide range of private prediction settings.

Paper Structure

This paper contains 18 sections, 21 theorems, 71 equations, 7 figures, 1 table, 8 algorithms.

Key Result

Theorem 1

Under the paper's assumptions (labelled as:loss, as:regularizer, as:linear, as:lip, and as:l2inp), the model sensitivity method is $(\epsilon, 0)$-differentially private.

Figures (7)

  • Figure 1: Test accuracy on MNIST dataset as a function of privacy loss $\epsilon$ for inference budget $B=100$. In Figure 1(b), $\epsilon$ ranges between $0$ and $1$ because of limitations in some methods when $\delta > 0$.
  • Figure 2: Test accuracy on MNIST dataset as a function of inference budget $B$ for privacy loss $\epsilon=1$.
  • Figure 3: Test accuracy on MNIST dataset as a function of privacy failure probability, $\delta$, for privacy $\epsilon=1$ and inference budget $B=100$.
  • Figure 4: Test accuracy on MNIST-1M dataset as a function of training set size, $N$, for privacy $(\epsilon, \delta) = (1, 0)$ and inference budget $B=100$.
  • Figure 5: Test accuracy on MNIST dataset for privacy $(\epsilon, \delta) = (1, 0)$ and inference budget $B=100$.
  • ...and 2 more figures

Theorems & Definitions (34)

  • Theorem 1
  • Theorem 2
  • Theorem 3
  • Theorem 4
  • Theorem 5
  • Theorem 6
  • Theorem 7
  • Theorem 8
  • Lemma 1
  • Proof
  • ...and 24 more