Quantifying Information Disclosure During Gradient Descent Using Gradient Uniqueness
Mahmoud Abdelghafar, Maryam Aliakbarpour, Chris Jermaine
TL;DR
This work introduces gradient uniqueness (GNQ) as an attack-agnostic, theoretically grounded metric to quantify information disclosure during mini-batch SGD. GNQ defines a per-example, per-iteration score $GNQ_{ij} = g_{ij}^\top S^{+} g_{ij}$ that captures how much a datapoint's gradient stands out against others, with the total disclosure bounded by a function of the cumulative GNQ. The authors propose a practical GNQ-based defense (data-point censorship via GNQ) and demonstrate through extensive experiments that it can achieve privacy levels comparable to DP-SGD while preserving substantially higher utility, and that GNQ correlates with observed attack success across tasks and SGD configurations. The results suggest GNQ as a valuable tool for privacy auditing, risk-aware data filtering, and informing training-time unlearning decisions, without requiring changes to the underlying SGD algorithm.
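The score above, worked through on one mini-batch; this is an added example, not code from the paper. It assumes $S$ is the sum of outer products of the batch's per-example gradients (the page does not define $S$), and the function names, the threshold rule and the sample batch are hypothetical and constructed for illustration.

```python
import numpy as np

def gnq_scores(G):
    """GNQ_j = g_j^T S^+ g_j for each row g_j of G (batch x params).

    Assumption (S is not defined on the page): S = sum_j g_j g_j^T = G^T G.
    """
    S = G.T @ G
    S_pinv = np.linalg.pinv(S)  # pseudo-inverse: S may be rank-deficient
    return np.einsum("jp,pq,jq->j", G, S_pinv, G)

def censor_batch(G, threshold):
    """Hypothetical censorship rule: drop examples with GNQ above threshold,
    then average the surviving gradients for the SGD step."""
    scores = gnq_scores(G)
    keep = scores <= threshold
    step = G[keep].mean(axis=0) if keep.any() else np.zeros(G.shape[1])
    return scores, keep, step

def constructed_batch():
    """Constructed data: 31 gradients sharing three directions, plus one
    outlier that is the only example with mass in the fourth coordinate."""
    theta = 2 * np.pi * np.arange(31) / 31
    typical = np.stack([np.cos(theta), np.sin(theta),
                        0.5 * np.cos(2 * theta), np.zeros(31)], axis=1)
    outlier = np.array([[0.0, 0.0, 0.0, 5.0]])
    return np.vstack([typical, outlier])

if __name__ == "__main__":
    G = constructed_batch()
    scores, keep, step = censor_batch(G, threshold=0.5)
    print("largest typical GNQ:", scores[:-1].max())
    print("outlier GNQ:", scores[-1])
    print("censored indices:", np.flatnonzero(~keep))
    print("sum of scores (rank of S):", scores.sum())
```

Under this assumed $S$, an exact duplicate of the outlier in the same batch halves its score to 0.5, which is the sense in which the score measures how much a gradient stands out against the others.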
Abstract
Disclosing private information via publication of a machine learning model is often a concern. Intuitively, publishing a learned model should be less risky than publishing a dataset. But how much risk is there? In this paper, we present a principled disclosure metric called gradient uniqueness that is derived from an upper bound on the amount of information disclosure from publishing a learned model. Gradient uniqueness provides an intuitive way to perform privacy auditing. The mathematical derivation of gradient uniqueness is general, and does not make any assumption on the model architecture, dataset type, or the strategy of an attacker. We examine a simple defense based on monitoring gradient uniqueness, and find that it achieves privacy comparable to classical methods such as DP-SGD, while being substantially better in terms of utility (testing accuracy).
