On-Average KL-Privacy and Its Equivalence to Generalization for Max-Entropy Mechanisms

Wang, Yuxiang; Lei, Jing; Fienberg, Stephen E.

doi:10.1007/978-3-319-45381-1_10

Cited by 38 publications

(33 citation statements)

References 32 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…A machine learning model is said to overfit to its training data when its performance on unseen test data diverges from the performance observed during training, i.e., its generalization error is large. The relationship between privacy risk and overfitting is further supported by recent results that suggest the contrapositive, i.e., under certain reasonable assumptions, differential privacy [13] and related notions of privacy [18,19] imply good generalization. However, a precise account of the connection between overfitting and the risk posed by different types of attack remains unknown.…”

Section: Introductionmentioning

confidence: 54%

“…In particular, Bassily et al [18] studied a notion of privacy called total variation stability and proved good generalization with respect to a bounded number of adaptively chosen low-sensitivity queries. Moreover, for data drawn from Gibbs distributions, Wang et al [19] showed that on-average KL privacy is equivalent to generalization error as defined in this paper. While these results give evidence for the relationship between privacy and overfitting, we construct an attacker that directly leverages overfitting to gain advantage commensurate with the extent of the overfitting.…”

Section: Privacy and Machine Learningmentioning

confidence: 84%

See 1 more Smart Citation

Privacy Risk in Machine Learning: Analyzing the Connection to Overfitting

Yeom

Giacomelli

Fredrikson

et al. 2018

2018 IEEE 31st Computer Security Foundations Symposium (CSF)

636

787

View full text Add to dashboard Cite

Machine learning algorithms, when applied to sensitive data, pose a distinct threat to privacy. A growing body of prior work demonstrates that models produced by these algorithms may leak specific private information in the training data to an attacker, either through the models' structure or their observable behavior. However, the underlying cause of this privacy risk is not well understood beyond a handful of anecdotal accounts that suggest overfitting and influence might play a role.This paper examines the effect that overfitting and influence have on the ability of an attacker to learn information about the training data from machine learning models, either through training set membership inference or attribute inference attacks. Using both formal and empirical analyses, we illustrate a clear relationship between these factors and the privacy risk that arises in several popular machine learning algorithms. We find that overfitting is sufficient to allow an attacker to perform membership inference and, when the target attribute meets certain conditions about its influence, attribute inference attacks. Interestingly, our formal analysis also shows that overfitting is not necessary for these attacks and begins to shed light on what other factors may be in play. Finally, we explore the connection between membership inference and attribute inference, showing that there are deep connections between the two that lead to effective new attacks. * This is the unabridged version of the paper accepted for publication in CSF 2018.

show abstract

Section: Introductionmentioning

confidence: 54%

Section: Privacy and Machine Learningmentioning

confidence: 84%

Privacy Risk in Machine Learning: Analyzing the Connection to Overfitting

Yeom

Giacomelli

Fredrikson

et al. 2018

2018 IEEE 31st Computer Security Foundations Symposium (CSF)

636

787

View full text Add to dashboard Cite

show abstract

“…In [19], the authors announce that  also needs tend to 0 in some rates to keep generalization which matches our result.…”

Section: Discussionmentioning

confidence: 42%

Error Analysis and Variable Selection for Differential Private Learning Algorithm

Nie¹,

Wang²

2017

JAMP

View full text Add to dashboard Cite

show abstract

“…Finally, pDP is related to random differential privacy (Hall et al, 2013) and on-average KL-privacy (Wang et al, 2016). They respectively measure the high-probability and expected privacy loss when z and the data points in Z are drawn i.i.d.…”

Section: Related Workmentioning

confidence: 99%

Per-instance Differential Privacy

Wang

2019

JPC

Self Cite

View full text Add to dashboard Cite

We consider a refinement of differential privacy -per instance differential privacy (pDP), which captures the privacy of a specific individual with respect to a fixed data set. We show that this is a strict generalization of the standard DP and inherits all its desirable properties, e.g., composition, invariance to side information and closure to postprocessing, except that they all hold for every instance separately. When the data is drawn from a distribution, we show that moments of per-instance DP imply generalization. Moreover, we provide explicit calculations of the per-instance DP for the output perturbation on a class of smooth learning problems. The result reveals an interesting and intuitive fact that an individual has stronger privacy if he/she has small "leverage score" with respect to the data set and if he/she can be predicted more accurately using the leave-one-out data set. Simulations show several orders-of-magnitude more favorable privacy and utility trade-off when we consider the privacy of only the users in the data set. In a case study on differentially private linear regression, we provide a novel analysis of the One-Posterior-Sample (OPS) estimator and show that when the data set is well-conditioned it provides ( , δ)-pDP for any target individuals and matches the exact lower bound up to a 1 +Õ(n −1 −2 ) multiplicative factor. We also demonstrate how we can use a "pDP to DP conversion" step to design AdaOPS which uses adaptive regularization to achieve the same results with ( , δ)-DP. * Corresponding

show abstract

On-Average KL-Privacy and Its Equivalence to Generalization for Max-Entropy Mechanisms

Cited by 38 publications

References 32 publications

Privacy Risk in Machine Learning: Analyzing the Connection to Overfitting

Privacy Risk in Machine Learning: Analyzing the Connection to Overfitting

Error Analysis and Variable Selection for Differential Private Learning Algorithm

Per-instance Differential Privacy

Contact Info

Product

Resources

About