$30 off During Our Annual Pro Sale. View Details »

Privacy granted by maths

Giulia
October 21, 2019
Programming
1
280

Privacy granted by maths

Since March 2019 the TensorFlow family counts a new member TensorFlow Privacy. What is it about? What are the mathematical theories that guarantee the privacy of deep learning models and how they are implemented?

Presented at DevFest Nantes 2019.
Format: 20 minutes Q&A included

Giulia

October 21, 2019
Tweet

More Decks by Giulia

See All by Giulia
From billions to hundreds - How machine learning helps experts detect sensitive data leaks
giulbia
0
26
Chercher l'aiguille dans... les données
giulbia
0
33
M.L. tangle teaser - The TensorFlow Estimator chapter
giulbia
0
30
Dévoiler les secrets d’un modèle de machine learning : une menace crédible ?
giulbia
0
80
Event Driven Machine Learning
giulbia
0
54
Event Driven Machine Learning
giulbia
0
140
Predicting with GCP
giulbia
1
35
GCP for Data Scientists
giulbia
0
72
MLflow and the Machine Learning Lifecycle
giulbia
0
110

Other Decks in Programming

See All in Programming
Vue & Vite Rustify
kazupon
4
970
リーンスタートアップのリーンな品質の話
techouse
0
550
セシール、大地に立つ - NIFTY Tech Day 2023
niftycorp
0
120
アーキテクチャ刷新の現場 / Scene of architectural renewal
nrslib
6
960
Expert Tech Talk!〜ニフティスペシャリスト対談〜 - NIFTY Tech Day 2023
niftycorp
0
130
Gatlingによる負荷テスト入門
irof
6
570
ChatGPTをソフトウェア開発に活用する
fbei_ot
0
140
Python機械学習勉強会in新潟のロゴが無いので、生成AIで作ってみましょう / osc2023niigata
kasacchiful
0
230
「defineCustomElement」を活用した サービス共通のUIコンポーネントライブラリ
piyoppi
0
230
アクセシビリティを理解するとフロントエンドのテストが楽になる!
nano72mkn
1
1.9k
エンジニア秘書が通訳する異文化コミュニケーションのあれこれ / engineer-communication
assu_ming
0
130
コンピュータグラフィクスの空
fadis
6
1.4k

Featured

See All Featured
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
1
300
Testing 201, or: Great Expectations
jmmastey
26
6.1k
Building a Modern Day 
E-commerce SEO Strategy
aleyda
13
5.9k
Making Projects Easy
brettharned
105
5.2k
Keith and Marios Guide to Fast Websites
keithpitt
407
21k
Reflections from 52 weeks, 52 projects
jeffersonlam
342
19k
A Philosophy of Restraint
colly
194
15k
Documentation Writing (for coders)
carmenintech
55
3.5k
Code Reviewing Like a Champion
maltzj
511
38k
JazzCon 2018 Closing Keynote - Leadership for the Reluctant Leader
reverentgeek
177
10k
Six Lessons from altMBA
skipperchong
18
2.7k
Art, The Web, and Tiny UX
lynnandtonic
286
19k

Transcript

  1. Privacy granted by maths
    @Giuliabianchl
    October 22, 2019

    View Slide

  2. Giulia Bianchi
    ‍ data scientist
    @Giuliabianchl

    View Slide

  3. Table of contents
    Privacy leaks
    Differential Privacy
    TensorFlow Privacy

    View Slide

  4. https://www.cs.cmu.edu/~mfredrik/papers/fjr2015ccs.pdf
    Privacy leaks

    View Slide

  5. https://xkcd.com/2169/
    https://arxiv.org/abs/1802.08232
    Privacy leaks

    View Slide

  6. https://arxiv.org/abs/1802.08232
    Privacy leaks
    "Unintended memorization occurs when trained neural networks may reveal the
    presence of out-of-distribution training data -- i.e., training data that is irrelevant to
    the learning task [...].
    Let's meet by
    the docks at
    midnight on
    june 28, come
    alone.
    Long live the
    revolution.
    Our next
    meeting will
    be at the
    docks...

    View Slide

  7. Differential privacy addresses the paradox of learning nothing about an
    individual while learning useful information about a population
    "
    Roughly, an algorithm is differentially private if an observer seeing its output
    cannot tell if a particular individual's information was used in the computation
    "
    Differential privacy
    https://www.cis.upenn.edu/~aaroth/Papers/privacybook.pdf

    View Slide

  8. Differential privacy
    Y
    X
    2 databases X, Y
    Y = X + 1 entry
    If M(X) is sufficiently close to M(Y)
    then M is differentially private
    "
    Analyst ‍♀
    The analyst queries X
    and Y and obtains
    M(X) and M(Y)
    Algorithm M Probability of M(X)≅Probability of M(Y)

    View Slide

  9. "Differential privacy will provide privacy by process; in particular it will introduce
    randomness.
    "
    Differential privacy
    A randomized algorithm M with domain N|X| is (ε, δ)-differentially private if
    for all S ⊆ Range(M) and for all x, y ∈ N|X| such that ∥x − y∥
    1
    ≤ 1:
    Pr[M(x) ∈ S] ≤ exp(ε) Pr[M(y) ∈ S] + δ
    If δ = 0, we say that M is ε-differentially private.
    https://www.cis.upenn.edu/~aaroth/Papers/privacybook.pdf

    View Slide

  10. ● adjacent databases x, y ∈ N|X|
    ○ N|x| input set
    ○ x, y differs for 1 entry
    "
    Differential privacy
    A randomized algorithm M with domain N|X| is (ε, δ)-differentially private if
    for all S ⊆ Range(M) and for all x, y ∈ N|X| such that ∥x − y∥
    1
    ≤ 1:
    Pr[M(x) ∈ S] ≤ exp(ε) Pr[M(y) ∈ S] + δ
    If δ = 0, we say that M is ε-differentially private.
    https://www.cis.upenn.edu/~aaroth/Papers/privacybook.pdf

    View Slide

  11. ● randomized algorithm M: N|x| → Range(M)
    ○ N|x| input set
    ○ Range(M) output set
    ○ S ⊆ Range(M) → S is an output
    "
    Differential privacy
    A randomized algorithm M with domain N|X| is (ε, δ)-differentially private if
    for all S ⊆ Range(M) and for all x, y ∈ N|X| such that ∥x − y∥
    1
    ≤ 1:
    Pr[M(x) ∈ S] ≤ exp(ε) Pr[M(y) ∈ S] + δ
    If δ = 0, we say that M is ε-differentially private.
    https://www.cis.upenn.edu/~aaroth/Papers/privacybook.pdf

    View Slide

  12. ● δ=0
    ○ Probability[M(x) ∈ S] ≤ exp(ε) Probability[M(y) ∈ S]
    ● ε≅0 ⇒ exp(ε)≅1
    ○ Probability[M(x) ∈ S] / Probability[M(y) ∈ S] ≤ 1
    "
    Differential privacy
    A randomized algorithm M with domain N|X| is (ε, δ)-differentially private if
    for all S ⊆ Range(M) and for all x, y ∈ N|X| such that ∥x − y∥
    1
    ≤ 1:
    Pr[M(x) ∈ S] ≤ exp(ε) Pr[M(y) ∈ S] + δ
    If δ = 0, we say that M is ε-differentially private.
    https://www.cis.upenn.edu/~aaroth/Papers/privacybook.pdf

    View Slide

  13. "
    Differential privacy
    A randomized algorithm M with domain N|X| is (ε, δ)-differentially private if
    for all S ⊆ Range(M) and for all x, y ∈ N|X| such that ∥x − y∥
    1
    ≤ 1:
    Pr[M(x) ∈ S] ≤ exp(ε) Pr[M(y) ∈ S] + δ
    If δ = 0, we say that M is ε-differentially private.
    ● The probability of an output of a randomized (ε, δ)-differentially private
    algorithm on two adjacent databases is pretty much the same
    ○ ε small enough
    ○ δ < 1/|X|
    https://www.cis.upenn.edu/~aaroth/Papers/privacybook.pdf

    View Slide

  14. *Easy way to approximate a deterministic function with a differentially private
    algorithm
    *
    Differential privacy
    Privacy guarantee achieved is quantifiable
    *Differential privacy has properties that makes it useful in machine learning
    (composability, group privacy, robustness to auxiliary information)

    View Slide

  15. *Easy way to approximate a deterministic function with a differentially private
    algorithm
    Differential privacy

    View Slide

  16. *Easy way to approximate a deterministic function with a differentially private
    algorithm
    Differential privacy
    By adding NOISE
    *Gaussian mechanism G
    σ
    f(x) ≝ f(x) + N(0, σ2)
    https://en.wikipedia.org/wiki/Additive_noise_mechanisms

    View Slide

  17. Deep Learning with Differential Privacy
    https://arxiv.org/abs/1607.00133
    Differentially private Stochastic Gradient
    Descent
    *Differential privacy is introduced in deep learning algorithms by modifying the
    stochastic gradient descent
    At each iteration:
    1. clip gradient
    2. add noise
    Clipping gradient is common practice to avoid
    overfitting even when privacy is not a matter.
    It is required to prove the differential privacy
    guarantee

    View Slide

  18. Differentially private sgd
    Deep Learning with Differential Privacy
    https://arxiv.org/abs/1607.00133

    View Slide

  19. TensorFlow Privacy
    https://github.com/tensorflow/privacy
    Latest release 0.1.0
    2 oct 2019
    First release 0.0.1
    23 aug 2019

    View Slide

  20. Without DP
    With DP
    TensorFlow Privacy
    https://github.com/tensorflow/privacy/blob/master/tutorials/mnist_dpsgd_tutorial_keras.py
    if train_with_differential_privacy == True:
    optimizer = DPGradientDescentGaussianOptimizer(
    l2_norm_clip=l2_norm_clip,
    noise_multiplier=noise_multiplier,
    num_microbatches=microbatches,
    learning_rate=learning_rate)
    # Compute vector of per-example loss rather than its mean over a minibatch.
    loss = tf.keras.losses.CategoricalCrossentropy(
    from_logits=True, reduction=tf.losses.Reduction.NONE)
    else:
    optimizer = GradientDescentOptimizer(learning_rate=learning_rate)
    loss = tf.keras.losses.CategoricalCrossentropy(from_logits=True)
    model.compile(optimizer=optimizer, loss=loss, metrics=['accuracy'])

    View Slide

  21. if train_with_differential_privacy == True:
    optimizer = DPGradientDescentGaussianOptimizer(
    l2_norm_clip=l2_norm_clip,
    noise_multiplier=noise_multiplier,
    num_microbatches=microbatches,
    learning_rate=learning_rate)
    # Compute vector of per-example loss rather than its mean over a minibatch.
    loss = tf.keras.losses.CategoricalCrossentropy(
    from_logits=True, reduction=tf.losses.Reduction.NONE)
    else:
    optimizer = GradientDescentOptimizer(learning_rate=FLAGS.learning_rate)
    loss = tf.keras.losses.CategoricalCrossentropy(from_logits=True)
    model.compile(optimizer=optimizer, loss=loss, metrics=['accuracy'])
    TensorFlow Privacy
    https://github.com/tensorflow/privacy/blob/master/tutorials/mnist_dpsgd_tutorial_keras.py
    privacy.optimizers.dp_optimizer.
    DPGradientDescentGaussianOptimizer
    tf.optimizers.SGD
    DPAdamGaussianOptimizer
    DPAdagradGaussianOptimizer
    DPGradientDescentGaussianOptimizer

    View Slide

  22. Privacy Analysis
    *Differential privacy guarantee is expressed by epsilon and delta
    ● epsilon: upper bound on how much the probability of a particular model output can vary by adding
    or removing a single training point
    ● delta: bounds the probability of our privacy guarantee not holding
    *TensorFlow Privacy provides methods to compute them

    View Slide

  23. Take aways
    Differential privacy
    Privacy leaks TensorFlow Privacy
    Y
    X
    Pr [M(X)]

    Pr [M(Y)]
    M
    M
    DPAdamGaussianOptimizer
    DPAdagradGaussianOptimizer
    DPGradientDescentGaussianOptimizer

    View Slide

  24. Thank you

    @Giuliabianchl

    View Slide