Assessing the Impact of Image Dataset Features on Privacy-Preserving Machine Learning

Lucas Lange, Maurice-Maximilian Heykeroth, Erhard Rahm

TL;DR

This work investigates how image dataset features influence the utility and privacy of CNNs trained with privacy-preserving ML using differential privacy. It combines DP-SGD with Likelihood Ratio Attack (LiRA) to assess how dataset-level properties (class size, class count, imbalance) and data-level properties (entropy, color, separability) affect utility and vulnerability across privacy budgets ($\varepsilon \in \{\infty, 30, 1\}$). Key findings include that smaller per-class counts and higher class counts increase vulnerability, while DP budgets mitigate attacks; dataset complexity measured by entropy, FDR, and compression ratios helps predict the utility-privacy trade-off, though no single metric suffices. These insights yield five practical rules for data-centric PPML deployment and demonstrate applicability to a privacy-sensitive COVID-19 dataset, guiding practitioners in balancing privacy guarantees with model usefulness.

Abstract

Machine Learning (ML) is crucial in many sectors, including computer vision. However, ML models trained on sensitive data face security challenges, as they can be attacked and leak information. Privacy-Preserving Machine Learning (PPML) addresses this by using Differential Privacy (DP) to balance utility and privacy. This study identifies image dataset characteristics that affect the utility and vulnerability of private and non-private Convolutional Neural Network (CNN) models. Through analyzing multiple datasets and privacy budgets, we find that imbalanced datasets increase vulnerability in minority classes, but DP mitigates this issue. Datasets with fewer classes improve both model utility and privacy, while high entropy or low Fisher Discriminant Ratio (FDR) datasets deteriorate the utility-privacy trade-off. These insights offer valuable guidance for practitioners and researchers in estimating and optimizing the utility-privacy trade-off in image datasets, helping to inform data and privacy modifications for better outcomes based on dataset characteristics.

Paper Structure (21 sections, 10 figures, 4 tables)

This paper contains 21 sections, 10 figures, 4 tables.

Figures (10)

  • Figure 1: Result of a model inversion attack in a federated learning scenario using gradient information. Left image shows the original image that was used to train the model, the right image shows the reconstructed image from an inversion attack. Results of the reconstruction attack by Geiping, Bauermeister, Dröge, and Moeller (2020).
  • Figure 2: Illustration of aspects and procedures in this work's experiments.
  • Figure 3: Visual representation of random samples from the studied image datasets.
  • Figure 4: Visualization of the dataset class distribution after applying the dataset imbalance modification in linear and normal mode with varying imbalance factors $i=0.3$ and $i=0.9$.
  • Figure 5: F1-scores for non-private and private models on different datasets with modified class sizes.