Auto DP-SGD: Dual Improvements of Privacy and Accuracy via Automatic Clipping Threshold and Noise Multiplier Estimation

Sai Venkatesh Chilukoti; Md Imran Hossen; Liqun Shan; Vijay Srinivas Tida; Xiali Hei

Auto DP-SGD: Dual Improvements of Privacy and Accuracy via Automatic Clipping Threshold and Noise Multiplier Estimation

Sai Venkatesh Chilukoti, Md Imran Hossen, Liqun Shan, Vijay Srinivas Tida, Xiali Hei

23 Sept 2023 (modified: 11 Feb 2024)Submitted to ICLR 2024EveryoneRevisionsBibTeX

Supplementary Material: pdf

Primary Area: societal considerations including fairness, safety, privacy

Code Of Ethics: I acknowledge that I and all co-authors of this work have read and commit to adhering to the ICLR Code of Ethics.

Keywords: Differential Privacy, tCDP, Auto DP-SGD, clipping threshold estimation, noise multiplier decay

Submission Guidelines: I certify that this submission complies with the submission instructions as described on https://iclr.cc/Conferences/2024/AuthorGuide.

TL;DR: An automatic DP-SGD algorithm that improves accuracy and privacy

Abstract: Differentially Private Stochastic Gradient Descent (DP-SGD) has emerged as a popular method to protect personally identifiable information in deep learning (DL) applications. Unfortunately, DP-SGD's per-sample gradient clipping and uniform noise addition during training can significantly degrade model utility. To enhance the model's utility, researchers proposed various adaptive/dynamic DP-SGD methods by adapting the noise multiplier and clipping threshold. However, we examined and discovered that these established techniques result in greater privacy leakage or lower accuracy than the traditional DP-SGD method, or a lack of evaluation on a complex data set such as CIFAR100. To address these limitations, we propose an automatic DP-SGD (Auto DP-SGD). Our method automates clipping threshold estimation based on the DL model's total gradient norm and scales the gradients of each training sample instead of simply clipping them without losing gradient information or requiring an additional privacy budget. This helps to improve the algorithm's utility while using a less privacy budget. To further improve accuracy, we introduce automatic noise multiplier decay mechanisms to decrease the noise multiplier after every epoch. Finally, we develop closed-form mathematical expressions using the truncated concentrated differential privacy (tCDP) accountant, which offers a straightforward and tight privacy-bound analysis for automatic noise multiplier and automatic clipping estimation. Through extensive experimentation, we demonstrate that Auto DP-SGD outperforms existing state-of-the-art (SOTA) classification results in privacy and accuracy on various benchmark datasets. We also show that privacy can be improved by lowering the scale factor and using learning rate schedulers without significantly reducing privacy. Moreover, we also explain how to select the best Auto DP-SGD variant without additional privacy leakage. Specifically, Auto DP-SGD, when used with a step noise multiplier (Auto DP-SGD-S), improves accuracy by 3.20\%, 1.57\%, 6.73\%, and 1.42\% for the MNIST, CIFAR10, CIFAR100, and AG News Corpus datasets, respectively. Furthermore, we achieve a substantial reduction in the privacy budget ($\epsilon$) of 94.9\%, 79.16\%, 67.36\%, and 53.37\% for the corresponding data sets.

Anonymous Url: I certify that there is no URL (e.g., github page) that could be used to find authors' identity.

No Acknowledgement Section: I certify that there is no acknowledgement section in this submission for double blind review.

Submission Number: 8466

Loading