Keywords: Data Privacy, DP-SGD, Feature Space Compactness, Membership Inference Attack
TL;DR: CompactDP targets the root cause of leaks: sparse, high-dimensional features. It applies category-aware feature contraction that tightens the scattered intra-class data distributions in which individual training samples get memorized.
Abstract: The rapid growth of AI models raises critical privacy concerns due to their tendency to memorize training data, making them vulnerable to extraction and membership inference attacks (MIAs). Traditional privacy-preserving methods like DP-SGD often degrade model utility and exacerbate accuracy disparities across sub-populations, limiting their applicability in sensitive fields. We observe that dense intra-class feature distributions inherently reduce privacy risks by smoothing probability density functions (PDFs), which diminishes the influence of individual training samples and lowers memorization. Leveraging this insight, we propose Category-Aware Compactness Differential Privacy (CompactDP), a framework that directly addresses the root cause of privacy leakage—sparse, high-dimensional features—via feature contraction rather than relying solely on gradient noise. CompactDP achieves a superior privacy-utility-fairness trade-off, significantly outperforming state-of-the-art methods. On CIFAR10, it attains 95.6% accuracy while limiting MIA risk to 0.43. Extensive experiments on FashionMNIST and MedicalMNIST further validate its state-of-the-art performance across diverse metrics. By integrating feature reconstruction with differential privacy, our framework provides a principled and efficient solution for privacy-preserving deep learning in critical domains such as healthcare and finance.
Primary Area: alignment, fairness, safety, privacy, and societal considerations
Submission Number: 14605