Antipodes of Label Differential Privacy: PATE and ALIBI

Malek, Mani; Mironov, Ilya; Prasad, Karthik; Шилов, И. П.; Tramèr, Florian

doi:10.48550/arxiv.2106.03408

Cited by 4 publications

(7 citation statements)

References 19 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…While GeoPointGAN demonstrably fulfills the requirements of label-LDP, the actual level of privacy provided is higher in many practical settings. As Malek et al [49] note, simply removing the sensitive labels of a public dataset and training a model in an unsupervised fashion, complies with label-(L)DP. We take this further by accounting for situations where, even if we remove the identifier (e.g., taxi ID, 311 caller name), we are still conscious of leaking information based on knowledge regarding the veracity of each point (e.g., if locations can help to identify the caller).…”

Section: Final Remarksmentioning

confidence: 96%

“…Label DP. Label-DP was formally introduced by Chaudhuri and Hsu [13] and has since been the focus of several studies [24,32,49,62,73]. All of these works are based on the same premise as our work: only the labels attached to data are sensitive, with the data itself being non-sensitive.…”

Section: Related Workmentioning

confidence: 99%

“…However, when dealing with spatial data, the traditional form of LDP can be unnecessarily restrictive in terms of how it deals with sensitive data, as it normally adopts an "all-or-nothing" approach in which all data needs to be perturbed [49]. This affects the utility of the synthetic data for common location analytics tasks.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

GeoPointGAN: Synthetic Spatial Data with Local Label Differential Privacy

Cunningham¹,

Klemmer²,

Wen³

et al. 2022

Preprint

View full text Add to dashboard Cite

Synthetic data generation is a fundamental task for many data management and data science applications. Spatial data is of particular interest, and its sensitive nature often leads to privacy concerns. We introduce GeoPointGAN, a novel GAN-based solution for generating synthetic spatial point datasets with high utility and strong individual level privacy guarantees. GeoPointGAN's architecture includes a novel point transformation generator that learns to project randomly generated point co-ordinates into meaningful synthetic co-ordinates that capture both microscopic (e.g., junctions, squares) and macroscopic (e.g., parks, lakes) geographic features. We provide our privacy guarantees through label local differential privacy, which is more practical than traditional local differential privacy. We seamlessly integrate this level of privacy into GeoPointGAN by augmenting the discriminator to the point level and implementing a randomized response-based mechanism that flips the labels associated with the 'real' and 'fake' points used in training. Extensive experiments show that GeoPointGAN significantly outperforms recent solutions, improving by up to 10 times compared to the most competitive baseline. We also evaluate GeoPointGAN using range, hotspot, and facility location queries, which confirm the practical effectiveness of GeoPointGAN for privacy-preserving querying. The results illustrate that a strong level of privacy is achieved with little-to-no adverse utility cost, which we explain through the generalization and regularization effects that are realized by flipping the labels of the data during training.

show abstract

Section: Final Remarksmentioning

confidence: 96%

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

GeoPointGAN: Synthetic Spatial Data with Local Label Differential Privacy

Cunningham¹,

Klemmer²,

Wen³

et al. 2022

Preprint

View full text Add to dashboard Cite

show abstract

“…Rahman et al [2018] also use membership inference attacks to measure the privacy loss on models trained with differentially private algorithms. The empirical performance of membership inference attacks has also been used to provide lower bounds on the privacy guarantees achieved by various differentially private algorithms , Nasr et al, 2021, Malek et al, 2021. The key difference between the empirical analysis of membership inference in the previous three works and other works is that they simulate the exact adversary in differential privacy i.e., they train multiple models with and without one particular training point and keep the rest of training set fixed.…”

Section: Differential Privacy and Membership Inferencementioning

confidence: 99%

“…Various factors such as the distribution of training data, difference in distributions of the train and test data may provide an over-estimate or under-estimate of the actual privacy risk from the model , Humphries et al, 2020. Theoretical analyses that connect the success of membership inference to privacy risk through the framework of differential privacy avoid this issue by slightly modifying how the attack performance is measured [Yeom et al, 2018, Nasr et al, 2021, Malek et al, 2021. Instead of measuring the leakage from a particular model, these works aim at measuring the worst-case leakage of the training algorithm (for a given model architecture), and construct multiple models with and without one training point and keep the rest of training set fixed.…”

Section: Introductionmentioning

confidence: 99%

Enhanced Membership Inference Attacks against Machine Learning Models

Ye¹,

Maddi²,

Murakonda³

et al. 2021

Preprint

View full text Add to dashboard Cite

How much does a given trained model leak about each individual data record in its training set? Membership inference attacks are used as an auditing tool to quantify the private information that a model leaks about the individual data points in its training set. The attacks are influenced by different uncertainties that an attacker has to resolve about training data, the training algorithm, and the underlying data distribution. Thus attack success rates, of many attacks in the literature, do not precisely capture the information leakage of models about their data, as they also reflect other uncertainties that the attack algorithm has. In this paper, we explain the implicit assumptions and also the simplifications made in prior work using the framework of hypothesis testing. We also derive new attack algorithms from the framework that can achieve a high AUC score while also highlighting the different factors that affect their performance. Our algorithms capture a very precise approximation of privacy loss in models, and can be used as a tool to perform an accurate and informed estimation of privacy risk in machine learning models. We provide a thorough empirical evaluation of our attack strategies on various machine learning tasks and benchmark datasets.

show abstract

Differentially Private Guarantees for Analytics and Machine Learning on Graphs: A Survey of Results

Mueller,

Usynin,

Paetzold

et al. 2024

JPC

View full text Add to dashboard Cite

We study the applications of differential privacy (DP) in the context of graph-structured data and discuss the formulations of DP applicable to the publication of graphs and their associated statistics as well as machine learning on graph-based data, including graph neural networks (GNNs). Interpreting DP guarantees in the context of graph-structured data can be challenging, as individual data points are interconnected (often non-linearly or sparsely). This connectivity complicates the computation of individual privacy loss in differentially private learning. The problem is exacerbated by an absence of a single, well-established formulation of DP in graph settings. This issue extends to the domain of GNNs, rendering private machine learning on graph-structured data a challenging task. A lack of prior systematisation work motivated us to study graph-based learning from a privacy perspective. In this work, we systematise different formulations of DP on graphs, discuss challenges and promising applications, including the GNN domain. We compare and separate works into graph analytics tasks and graph learning tasks with GNNs. We conclude our work with a discussion of open questions and potential directions for further research in this area.

show abstract

Antipodes of Label Differential Privacy: PATE and ALIBI

Cited by 4 publications

References 19 publications

GeoPointGAN: Synthetic Spatial Data with Local Label Differential Privacy

GeoPointGAN: Synthetic Spatial Data with Local Label Differential Privacy

Enhanced Membership Inference Attacks against Machine Learning Models

Differentially Private Guarantees for Analytics and Machine Learning on Graphs: A Survey of Results

Contact Info

Product

Resources

About