Bayesian Estimation of Differential Privacy
- Santiago Zanella-Béguelin
- Lukas Wutschitz
- Shruti Tople
- Ahmed Salem
- Victor Ruehle
- Andrew Paverd
- Mohammad Naseri
- Boris Köpf
- Daniel Jones
2023 International Conference on Machine Learning
Published by PMLR | Organized by International Machine Learning Society
Editor(s): Barbara Engelhardt, Emma Brunskill, Kyunghyun Cho
Algorithms such as Differentially Private SGD enable training machine learning models with formal privacy guarantees. However, because these guarantees hold with respect to unrealistic adversaries, the protection afforded against practical attacks is typically much better. An emerging strand of work empirically estimates the protection afforded by differentially private training as a confidence interval for the privacy budget ε spent with respect to specific threat models. Existing approaches derive confidence intervals for ε from confidence intervals for false positive and false negative rates of membership inference attacks, which requires training an impractically large number of models to get intervals that can be acted upon. We propose a novel, more efficient Bayesian approach that brings privacy estimates within the reach of practitioners. Our approach reduces sample size by computing a posterior for ε (not just a confidence interval) from the joint posterior of the false positive and false negative rates of membership inference attacks. We implement an end-to-end system for privacy estimation that integrates our approach and state-of-the-art membership inference attacks, and evaluate it on text and vision classification tasks. For the same number of samples, we see a reduction in interval width of up to 40% compared to prior work.
Proceedings of the 40th International Conference on Machine Learning, PMLR 211, 2023. Copyright 2023 by the author(s). Licensed under CC BY-SA 4.0.
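The idea in the abstract, turning a joint posterior over a membership inference attack's false positive and false negative rates into a posterior for ε, shown as an added Monte Carlo example that is not the authors' implementation. Assumptions not stated on this page: independent uniform Beta(1, 1) priors on both rates, the standard (ε, δ)-DP hypothesis-testing bound, an equal-tailed credible interval, hypothetical function names, and constructed attack counts.

```python
import math
import random

def eps_lower_bound(fpr, fnr, delta):
    """Smallest eps compatible with attack error rates under (eps, delta)-DP."""
    # Assumed standard hypothesis-testing bound (not quoted from the page):
    #   fpr + e^eps * fnr >= 1 - delta   and   fnr + e^eps * fpr >= 1 - delta
    best = 0.0
    for a, b in ((fpr, fnr), (fnr, fpr)):
        if b > 0.0 and 1.0 - delta - a > 0.0:
            best = max(best, math.log((1.0 - delta - a) / b))
    return best

def eps_credible_interval(fp, n_neg, fn, n_pos, delta=1e-5,
                          level=0.95, draws=20000, seed=0):
    """Equal-tailed credible interval for eps from attack outcome counts.

    fp: false positives among n_neg non-member challenges
    fn: false negatives among n_pos member challenges
    """
    rng = random.Random(seed)
    samples = []
    for _ in range(draws):
        # Uniform prior + binomial likelihood gives a Beta posterior per rate.
        fpr = rng.betavariate(1 + fp, 1 + n_neg - fp)
        fnr = rng.betavariate(1 + fn, 1 + n_pos - fn)
        # Push each joint draw through the bound to get a draw of eps.
        samples.append(eps_lower_bound(fpr, fnr, delta))
    samples.sort()
    tail = (1.0 - level) / 2.0
    lo = samples[int(tail * draws)]
    hi = samples[int((1.0 - tail) * draws) - 1]
    return lo, hi

if __name__ == "__main__":
    # Constructed counts: same observed error rates (10%), different sample sizes.
    for n in (100, 1000):
        lo, hi = eps_credible_interval(fp=n // 10, n_neg=n, fn=n // 10, n_pos=n)
        print(f"n={n:5d} per class: eps in [{lo:.2f}, {hi:.2f}] (width {hi - lo:.2f})")
```

Each challenge counted here corresponds to one attack trial, so the interval width at a given count is what determines how many trials are needed before the estimate can be acted upon.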