Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Understanding Private Learning From Feature Perspective

Meng Ding, Mingxi Lei, Shaopeng Fu, Shaowei Wang, Di Wang, Jinhui Xu

TL;DR

This work addresses how DP-SGD behaves when learning features in the presence of label-dependent signals and label-independent data noise. By modeling data with a multi-patch structure and analyzing a two-layer CNN under NoisyGD, the authors reveal that private training requires a higher signal-to-noise ratio than non-private training to effectively learn features, and that memorization of data-noise can persist under differential privacy, harming generalization even when training loss is small. They introduce a weight decomposition into signal and noise coefficients, establish two regimes (signal learning vs data-noise memorization) governed by $\mathrm{SNR}$ and the privacy budget $\varepsilon$, and derive training/test loss characterizations including a DP-dependent test error term $\exp((n\varepsilon)^{-1-1/q})$. Experimental results on synthetic data and CIFAR-10 corroborate the theory, underscoring the need for feature-enhancement strategies to improve $SNR$ in privacy-preserving learning. The work provides a principled foundation for understanding private learning dynamics and informs design choices for DP-trained neural networks in practical, privacy-constrained settings.

Abstract

Differentially private Stochastic Gradient Descent (DP-SGD) has become integral to privacy-preserving machine learning, ensuring robust privacy guarantees in sensitive domains. Despite notable empirical advances leveraging features from non-private, pre-trained models to enhance DP-SGD training, a theoretical understanding of feature dynamics in private learning remains underexplored. This paper presents the first theoretical framework to analyze private training through a feature learning perspective. Building on the multi-patch data structure from prior work, our analysis distinguishes between label-dependent feature signals and label-independent noise, a critical aspect overlooked by existing analyses in the DP community. Employing a two-layer CNN with polynomial ReLU activation, we theoretically characterize both feature signal learning and data noise memorization in private training via noisy gradient descent. Our findings reveal that (1) Effective private signal learning requires a higher signal-to-noise ratio (SNR) compared to non-private training, and (2) When data noise memorization occurs in non-private learning, it will also occur in private learning, leading to poor generalization despite small training loss. Our findings highlight the challenges of private learning and prove the benefit of feature enhancement to improve SNR. Experiments on synthetic and real-world datasets also validate our theoretical findings.

Understanding Private Learning From Feature Perspective

TL;DR

This work addresses how DP-SGD behaves when learning features in the presence of label-dependent signals and label-independent data noise. By modeling data with a multi-patch structure and analyzing a two-layer CNN under NoisyGD, the authors reveal that private training requires a higher signal-to-noise ratio than non-private training to effectively learn features, and that memorization of data-noise can persist under differential privacy, harming generalization even when training loss is small. They introduce a weight decomposition into signal and noise coefficients, establish two regimes (signal learning vs data-noise memorization) governed by and the privacy budget , and derive training/test loss characterizations including a DP-dependent test error term . Experimental results on synthetic data and CIFAR-10 corroborate the theory, underscoring the need for feature-enhancement strategies to improve in privacy-preserving learning. The work provides a principled foundation for understanding private learning dynamics and informs design choices for DP-trained neural networks in practical, privacy-constrained settings.

Abstract

Differentially private Stochastic Gradient Descent (DP-SGD) has become integral to privacy-preserving machine learning, ensuring robust privacy guarantees in sensitive domains. Despite notable empirical advances leveraging features from non-private, pre-trained models to enhance DP-SGD training, a theoretical understanding of feature dynamics in private learning remains underexplored. This paper presents the first theoretical framework to analyze private training through a feature learning perspective. Building on the multi-patch data structure from prior work, our analysis distinguishes between label-dependent feature signals and label-independent noise, a critical aspect overlooked by existing analyses in the DP community. Employing a two-layer CNN with polynomial ReLU activation, we theoretically characterize both feature signal learning and data noise memorization in private training via noisy gradient descent. Our findings reveal that (1) Effective private signal learning requires a higher signal-to-noise ratio (SNR) compared to non-private training, and (2) When data noise memorization occurs in non-private learning, it will also occur in private learning, leading to poor generalization despite small training loss. Our findings highlight the challenges of private learning and prove the benefit of feature enhancement to improve SNR. Experiments on synthetic and real-world datasets also validate our theoretical findings.

Paper Structure

This paper contains 22 sections, 37 theorems, 121 equations, 6 figures, 1 table.

Table of Contents

  1. Introduction
  2. Related Work
  3. Preliminaries
  4. Main Results
  5. Feature Signal Learning
  6. Feature Signal Learning
  7. Data Noise Memorization
  8. Experiment
  9. Conclusion
  10. The Use of Large Language Models
  11. Notations Table
  12. Additional Related Work
  13. Additional Experimental Details
  14. Real-world Data Experiment
  15. Support Lemmas
  16. ...and 7 more sections

Key Result

Theorem 1.1

Let $\operatorname{SNR}:=\|\mathbf{v}\|_2 /\|\bm{\xi}\|_2$Our data model is analogous to the patch model in cao2022benign: the signal vector $\mathbf{v}$ is fixed, while the noise $\boldsymbol{\xi}$ is drawn from an isotropic Gaussian. When the dimension $d$ is large, $\|\boldsymbol{\xi}\|_2 \approx

Figures (6)

  • Figure 1: Illustration of images with feature signal and data noise.
  • Figure 2: Comparison of Feature Signal and Data Noise in (Non) Private Learning. The figure compares the dynamics of feature learning $\max_{j,r}\lvert\Gamma^{(t)}_{j,r}\rvert$ and data noise $\max_{j,r,i}\lvert\Phi^{(t)}_{j,r,i}\rvert$ across varying privacy budgets $\varepsilon$ and SNR. Subfigures \ref{['fig:snr06_eps5']}–\ref{['fig:snr06_eps02']} correspond to $\operatorname{SNR}=0.6$ with $\varepsilon\in\{5,1,0.2\}$, subfigure \ref{['fig:snr3_eps02']} corresponds to $\operatorname{SNR}=3$ with $\varepsilon=0.2$, and subfigures \ref{['fig:snr02_eps5']}–\ref{['fig:snr02_eps02']} correspond to $\operatorname{SNR}=0.2$ with $\varepsilon\in\{5,1,0.2\}$. Subfigure \ref{['fig:snr02_eps02_plus']} shows a decomposition of $\max_{j,r,i}\lvert\Phi^{(t)}_{j,r,i}\rvert$ at $\operatorname{SNR}=0.2,\ \varepsilon=0.2$.
  • Figure 3: Impact of $\operatorname{SNR}$ and $\varepsilon$ on CIFAR-10 Accuracy.
  • Figure 4: Class Activation Mappings for CIFAR-10 Across Different SNRs ($\epsilon = 8$).
  • Figure 5: Class Activation Mappings for CIFAR-10 Across Different SNRs ($\epsilon = 4$).
  • ...and 1 more figures

Theorems & Definitions (68)

  • Theorem 1.1: Informal
  • Corollary 1.2: Informal
  • Definition 3.1: Data Distribution
  • Definition 3.2: dwork2006calibrating
  • Definition 3.3: Gaussian Mechanism dwork2010differential
  • Definition 4.1
  • Lemma 4.2
  • Proposition 4.3
  • Lemma 4.4
  • Theorem 4.6
  • ...and 58 more