Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

An Efficient DP-SGD Mechanism for Large Scale NLP Models

Christophe Dupuy, Radhika Arava, Rahul Gupta, Anna Rumshisky

TL;DR

The paper addresses privacy risks in large-scale NLP models by deploying a GPU-friendly variant of DP-SGD, called eDP-SGD, that uses micro-batch per-GPU processing, layer-wise clipping scaling, and epoch-wise noise decay during fine-tuning of LSTM and transformer architectures. It demonstrates that eDP-SGD can achieve competitive accuracy with differential privacy while significantly reducing training time compared to standard DP-SGD, and it shows practical improvements in membership inference attack resistance under looser privacy budgets. The study spans IC-NER tasks across public and internal Alexa datasets, providing guidance on hyperparameters and reporting both utility and privacy metrics. Overall, eDP-SGD offers a practical path to privacy-preserving large-scale NLP in industrial settings, with potential for further gains on larger models and richer privacy analyses.

Abstract

Recent advances in deep learning have drastically improved performance on many Natural Language Understanding (NLU) tasks. However, the data used to train NLU models may contain private information such as addresses or phone numbers, particularly when drawn from human subjects. It is desirable that underlying models do not expose private information contained in the training data. Differentially Private Stochastic Gradient Descent (DP-SGD) has been proposed as a mechanism to build privacy-preserving models. However, DP-SGD can be prohibitively slow to train. In this work, we propose a more efficient DP-SGD for training using a GPU infrastructure and apply it to fine-tuning models based on LSTM and transformer architectures. We report faster training times, alongside accuracy, theoretical privacy guarantees and success of Membership inference attacks for our models and observe that fine-tuning with proposed variant of DP-SGD can yield competitive models without significant degradation in training time and improvement in privacy protection. We also make observations such as looser theoretical $ε, δ$ can translate into significant practical privacy gains.

An Efficient DP-SGD Mechanism for Large Scale NLP Models

TL;DR

The paper addresses privacy risks in large-scale NLP models by deploying a GPU-friendly variant of DP-SGD, called eDP-SGD, that uses micro-batch per-GPU processing, layer-wise clipping scaling, and epoch-wise noise decay during fine-tuning of LSTM and transformer architectures. It demonstrates that eDP-SGD can achieve competitive accuracy with differential privacy while significantly reducing training time compared to standard DP-SGD, and it shows practical improvements in membership inference attack resistance under looser privacy budgets. The study spans IC-NER tasks across public and internal Alexa datasets, providing guidance on hyperparameters and reporting both utility and privacy metrics. Overall, eDP-SGD offers a practical path to privacy-preserving large-scale NLP in industrial settings, with potential for further gains on larger models and richer privacy analyses.

Abstract

Recent advances in deep learning have drastically improved performance on many Natural Language Understanding (NLU) tasks. However, the data used to train NLU models may contain private information such as addresses or phone numbers, particularly when drawn from human subjects. It is desirable that underlying models do not expose private information contained in the training data. Differentially Private Stochastic Gradient Descent (DP-SGD) has been proposed as a mechanism to build privacy-preserving models. However, DP-SGD can be prohibitively slow to train. In this work, we propose a more efficient DP-SGD for training using a GPU infrastructure and apply it to fine-tuning models based on LSTM and transformer architectures. We report faster training times, alongside accuracy, theoretical privacy guarantees and success of Membership inference attacks for our models and observe that fine-tuning with proposed variant of DP-SGD can yield competitive models without significant degradation in training time and improvement in privacy protection. We also make observations such as looser theoretical can translate into significant practical privacy gains.

Paper Structure

This paper contains 8 sections, 2 tables, 1 algorithm.

Table of Contents

  1. Introduction
  2. Related work
  3. Efficient DP-SGD
  4. Experimental setup
  5. Datasets
  6. Models
  7. Results
  8. Conclusion