Guarantees of confidentiality via Hammersley-Chapman-Robbins bounds

TMLR Paper2496 Authors

08 Apr 2024 (modified: 12 Jun 2024). Under review for TMLR. License: CC BY-SA 4.0
Abstract: Protecting privacy during inference with deep neural networks is possible by adding Gaussian noise to the activations in the last layers prior to the final classifiers or other task-specific layers. The activations in such layers are known as "features" (or, less commonly, as "embeddings" or "feature embeddings"). The added noise helps prevent reconstruction of the inputs from the noisy features. Lower bounding the variance of every possible unbiased estimator of the inputs quantifies the confidentiality arising from such added noise. Convenient, computationally tractable bounds are available from classic inequalities of Hammersley and of Chapman and Robbins -- the HCR bounds. Numerical experiments indicate that the HCR bounds are on the precipice of being effectual for small neural nets with the data sets, "MNIST" and "CIFAR-10," which contain 10 classes each for image classification. The HCR bounds appear to be insufficient on their own to guarantee confidentiality of the inputs to inference with standard deep neural nets, "ResNet-18" and "Swin-T," pre-trained on the data set, "ImageNet-1000," which contains 1000 classes. Supplementing the addition of Gaussian noise to features with other methods for providing confidentiality may be warranted in the case of ImageNet. In all cases, the results reported here limit consideration to amounts of added noise that incur little degradation in the accuracy of classification from the noisy features. Thus, the added noise enhances confidentiality without much reduction in the accuracy on the task of image classification.
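The abstract describes lower bounding the variance of every unbiased estimator of the inputs when Gaussian noise is added to the features. The following is an added example, not code from the paper or its authors, showing how the Hammersley-Chapman-Robbins (HCR) bound is computed for that setting: the noisy features are f(x) + N(0, sigma^2 I), the chi-square divergence between two such Gaussians has the closed form exp(||f(x') - f(x)||^2 / sigma^2) - 1, and the HCR inequality gives Var(T) >= sup_h h^2 / chi^2 for any estimator T of a scalar coordinate x_i that is unbiased along the one-parameter family x + h e_i. The feature maps `toy_features` and `linear_features`, the weights, the input point, and the step grid are all constructed here for illustration and are not models or numbers from the paper.

```python
import math

# Added example (not the paper's code). Lower bound on the variance of any unbiased
# estimator of an input coordinate from features with added Gaussian noise, via the
# Hammersley-Chapman-Robbins inequality. All networks and numbers here are constructed.


def chi2_gaussian_shift(mu0, mu1, sigma):
    """chi^2(N(mu1, sigma^2 I) || N(mu0, sigma^2 I)) = exp(||mu1 - mu0||^2 / sigma^2) - 1."""
    d2 = sum((a - b) ** 2 for a, b in zip(mu0, mu1))
    z = d2 / (sigma * sigma)
    if z > 700.0:  # exp would overflow in double precision; divergence is effectively infinite
        return math.inf
    return math.expm1(z)


def hcr_bound(feature_map, x, i, sigma, steps=(1e-3, 1e-2, 1e-1, 1.0)):
    """HCR lower bound on Var(T) for every estimator T of the scalar x[i] that is
    unbiased on inputs differing from x only in coordinate i:

        Var(T) >= sup_h  h^2 / chi^2(p_{x + h e_i} || p_x),

    where p_x is the law of the noisy features f(x) + N(0, sigma^2 I).  Restricting to
    this one-parameter subfamily is legitimate because an estimator unbiased for all
    inputs is in particular unbiased on the subfamily.  The supremum over h is
    approximated on a finite grid of positive and negative steps (an assumption of
    this example, not a statement of how the paper evaluates it)."""
    mu0 = feature_map(x)
    best = 0.0
    for h in steps:
        for signed in (h, -h):
            shifted = list(x)
            shifted[i] += signed
            chi2 = chi2_gaussian_shift(mu0, feature_map(shifted), sigma)
            if chi2 > 0.0 and math.isfinite(chi2):
                best = max(best, signed * signed / chi2)
    return best


# Constructed one-layer toy "network": ReLU(W x + b) mapping 2 inputs to 3 features.
W = [[1.0, 0.5], [-0.5, 1.0], [0.0, 2.0]]
B = [0.0, 0.1, -0.5]


def toy_features(x):
    return [max(0.0, sum(w * xi for w, xi in zip(row, x)) + b) for row, b in zip(W, B)]


def linear_features(x):
    """Constructed linear map (x0 + x1, 2 x1).  For a linear map the HCR bound tends to
    sigma^2 / ||f(x + e_i) - f(x)||^2 as h -> 0, which gives a closed form to check against."""
    return [x[0] + x[1], 2.0 * x[1]]


def confidentiality_report(feature_map, x, sigma):
    """Per-coordinate HCR variance bounds and the corresponding standard-deviation bounds."""
    var_bounds = [hcr_bound(feature_map, x, i, sigma) for i in range(len(x))]
    return {"variance": var_bounds, "std": [math.sqrt(v) for v in var_bounds]}


if __name__ == "__main__":
    x = [0.7, 0.3]  # constructed input point
    for sigma in (0.1, 0.5, 2.0):
        print(f"sigma={sigma}: {confidentiality_report(toy_features, x, sigma)}")
```

The standard-deviation bound is the quantity to compare against the scale of the inputs: a bound that is tiny relative to the input range means the noise offers no guarantee against reconstruction by an unbiased estimator, while a bound comparable to that range does. Because h^2 / (exp(h^2 c) - 1) decreases in |h| for a locally linear map, the grid's smallest step usually attains the supremum and the bound reduces to the Cramér-Rao value sigma^2 / ||J e_i||^2, where J is the Jacobian of the feature map; the larger steps matter only where the map is strongly nonlinear, as with inactive ReLU units.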
Submission Length: Long submission (more than 12 pages of main content)
Changes Since Last Submission: We would like to thank all three reviewers and the editor! The following includes responses to all three reviewers; we will also copy the responses to official comments on the individual reviews, in case that would be more convenient for the reviewers. In the following, the reviewers' requests begin with two greater-than signs (">>"). A proposed revision to the paper under review is attached here, as well. The attached revision incorporates all changes mentioned below.

Reviewer Pz2W:

>> The reviewer suggests bringing Appendix A into the main body of the paper and moving some of the qualitative results in experiments to the appendix.

Thanks so much for the very generous review! To fulfill the request, we would like to move the appendix into the main body of the paper. In the revision, what had been the appendix would become a new subsection, Subsection 2.4. This new subsection would specialize the results of Subsection 2.3 to the case of normal variates. The revision would also adjust references to the appendix to point to the new subsection instead. Specifically, the first paragraph of Section 2 would now refer to the new subsection, as would the final paragraph of Subsection 2.3. And, of course, the new subsection would no longer refer to "this appendix" but to "this subsection."

One of the other reviewers requested that we highlight the visual results more. The revision will now explain those visualizations and their implications much more explicitly and hopefully clearly. As the other reviewer desired greater focus on such practical, easily interpreted visualizations, we would be somewhat hesitant to move them to an appendix. Fortunately, with the new organization in the revision, the figures would appear nearly at the end, anyways. So perhaps creating an appendix for the figures would no longer be desirable? The more involved explanation that the other reviewer requested might justify presenting the figures in the main body of the paper? We apologize for the insufficient elaboration of the visualizations in the original submission -- the graphics are actually among the most practical and informative of all results presented; our earlier failure to elucidate their meaning was unnecessarily misleading. Hopefully the revision will make clear what the visualizations really mean and their significance.

Reviewer 4BWa:

>> There are missing scenarios with HCR bound confidentiality, such as the application to small datasets like MNIST in deep neural networks and large datasets like ImageNet-1000 in shallow networks.

To report results on the scenarios raised by the reviewer, we would like to append to the first paragraph of Section 3, "Results," the sentence, "Further experiments applying ResNet-18 and Swin-T to MNIST and CIFAR-10 yield results similar to those applying these same pre-trained models to ImageNet-1000 and are therefore omitted -- the HCR bounds turn out to be rather ineffective and uninteresting for the larger deep nets, ResNet-18 and Swin-T." As for processing ImageNet-1000 with a small shallow net, the resulting accuracy is extremely poor; deep learning really is necessary in order to yield interesting results for a data set as large as ImageNet-1000.

>> It would be beneficial to include more theoretical proof of HCR bounds' ineffectiveness in deep networks, alongside the experimental analysis.

Developing a more theoretical proof of HCR bounds' ineffectiveness in deep networks would be wonderful. Unfortunately, we have no idea how. In fact, I have less than zero idea how -- probably any hunch I have is actually wrong and misleading. Developing such a theory looks to be a very hard problem, not something I personally could manage. For the paper itself, we propose to add immediately following the first sentence of the conclusion the sentence, "Theoretical understanding of why could be an interesting direction for future research." Perhaps someone more adept could work out a convincing theory.

Reviewer 9A9a:

Please see the official comments on the original review. Unfortunately, the submission web-site limits the length of responses to the reviewers in the "changes since last submission." We made such extensive changes in response that the revisions would not fit in the space allotted to describe the changes.
Assigned Action Editor: ~Brian_Kingsbury1
Submission Number: 2496