Too Good to be True? Turn Any Model Differentially Private With DP-Weights

The noise scale for applying noise to model weights post training is calculated using the following formula:

where $N$ is the dataset size, $\delta=\frac{1}{N^{2}}$, $E$ is the number of epochs, $\eta$ is the learning rate, $C$ is the clip** norm, $\epsilon$ is the privacy parameter, $B$ is the batch size. Sufficient knowledge of the training process is vital to ensure proper application of noise.

The additive term in the noise scale was added to gradually ease the noise scale taper as epsilon approaches higher values, ensuring enhanced privacy protection. This refinement aims to maintain a comparative similarity between our new DP-Weights approach and DP-SGD. The specific values for the numerator and the exponent were derived by fitting a model that aligns perplexity scores with epsilon for DP-SGD, and correlates perplexity and noise scale values for our DP-Weights approach. This method ensures a smooth transition and consistent performance across different privacy budgets.

It is critical to note that the most a model’s weights are permitted to be changed during the training process is directly proportional to the learning rate times the clip** norm times the number of epochs a model saw the training data. The clip** norm binds the global sensitivity of the function, and we include the epoch term because a model’s weights may accumulate weight change over multiple training rounds. As such, we define the maximum global sensitivity of the weight update rule to be bound by:

The sensitivity is scaled by the inverse of the size of the dataset and batch size. A formal proof of privacy guarantees is offered in the appendix.

We conducted experiments using three primary GPT2 model configurations:

1. 1.

   DP Model: A traditional model trained with DP-SGD.

2. 2.

   DP-Weights Model: A fine-tuned model with differentially private noise applied post-training.

3. 3.

   Fine-Tuned Model: A model fine-tuned without any differential privacy noise.

We used the first 1,000 records from the Open Orca dataset for training and as members in our membership inference attack, and the second 1,000 records from the Open Orca dataset for evaluation as non-members in our membership inference attack.

To assess the vulnerability of each approach to membership inference attacks, we designed and conducted a series of experiments involving each previously noted GPT2 model. The following methodology outlines the steps taken to evaluate these models.

The training procedure involved multiple steps. Initially, models were trained on a designated member dataset, employing the calculated noise scales for differentially private models. The training was performed using a custom implementation of DP-SGD with gradient clip** and noise addition. For the DP-Weights model, differential privacy noise was applied post-training using the pre-computed noise scales.

Overview: This approach leverages statistical simulations to empirically validate differential privacy conditions by evaluating the noise mechanism across a spectrum of epsilon values.

Procedure:

1. 1.

   Noise Scale Calculation: Define a function to compute the noise scale $\sigma$. The function is based on differential privacy parameters $\epsilon$ and $\delta$, number of epochs (E), learning rate ($\eta$), clip** norm (C), dataset size (N), and batch size (B). The calculation incorporates both the standard Gaussian noise component and an empirical term to ensure adequate privacy protection.

   $$\sigma=\sqrt{2\cdot\log\left(\frac{1.25}{\delta}\right)}\cdot\frac{E\cdot\eta\cdot C}{N\cdot B\cdot\epsilon}+\frac{0.009760}{\epsilon^{0.078008}}$$

   (3)

2. 2.

   Noise Mechanism Simulation: Implement a function to add Gaussian noise to a given weight $w$.

   $$\text{noisy}_{w}=w+\mathcal{N}(0,\sigma)$$

   (4)

3. 3.

   Privacy Condition Testing: Develop a function to simulate the noise mechanism for a specified number of samples. This function calculates the violation rate by comparing the logarithm of the ratio of the probability density functions (PDFs) of the noisy weights for adjacent datasets.

   1:$E$, $\eta$, $C$, $N$, $B$, $\delta$, $num\_samples$

   2:$x\leftarrow 0$

   3:$x^{\prime}\leftarrow x+\frac{E\cdot\eta\cdot C}{N\cdot B}$

   4:$sigma\leftarrow\sqrt{2\cdot\log{\left(\frac{1.25}{\delta}\right)}}\cdot\frac{E\cdot\eta\cdot C}{N\cdot B\cdot\epsilon}+\frac{0.009760}{\epsilon^{0.078008}}$

   5:$violations\leftarrow 0$

   6:$privacy\_losses\leftarrow[\ ]$

   7:for $i=1$ to $num\_samples$ do

   8:     $y\leftarrow x+\mathcal{N}(0,\sigma)$

   9:     $privacy\_loss\leftarrow|\log{\left(\frac{\mathcal{N}(y;x,\sigma)}{\mathcal{N}(y;x^{\prime},\sigma)}\right)}|$

   10:     Append $privacy\_loss$ to $privacy\_losses$

   11:     if $privacy\_loss>\epsilon$ then

   12:         $violations\leftarrow violations+1$

   13:     end if

   14:end for

   15:$violation\_rate\leftarrow\frac{violations}{num\_samples}$ return $violation\_rate,privacy\_losses$

4. 4.

   Experiment Execution: Perform experiments by loo** through a range of epsilon values to compute the violation rates. The results are then visualized using a logarithmic scale plot.

Overview: This approach employs formal verification techniques using the Z3 solver to mathematically validate the differential privacy conditions. It explores the impact of multiple compositions on privacy guarantees.

Procedure:

1. 1.

   Define the Differential Privacy Condition: Utilize a Taylor series expansion to approximate the exponential function for the Gaussian noise PDF. Formulate the differential privacy condition as a Z3 constraint.

   $$\text{pdf}_{w}=\frac{1}{\sqrt{2\pi\sigma^{2}}}\cdot\exp\left(-\frac{(x-w)^{2}}{2\sigma^{2}}\right)$$

   (5)

   $$\text{pdf}_{w^{\prime}}=\frac{1}{\sqrt{2\pi\sigma^{2}}}\cdot\exp\left(-\frac{(x-w^{\prime})^{2}}{2\sigma^{2}}\right)$$

   (6)

   $$\text{dp\_condition}=\left(\text{pdf}_{w}\leq\exp(\epsilon)\cdot\text{pdf}_{w^{\prime}}+\delta\right)$$

   (7)

2. 2.

   Advanced Composition: Compute the composed $\epsilon$ and $\delta$ values after multiple compositions using advanced composition theorems.

   $$\epsilon^{\prime}=\epsilon\cdot\sqrt{2\cdot k\cdot\log\left(\frac{1}{\delta}\right)}$$

   (8)

   $$\delta^{\prime}=k\cdot\delta+\delta$$

   (9)

   1:$E$, $\eta$, $C$, $N$, $B$, $\epsilon$, $\delta$, $num\_compositions$

   2:$delta_{w}\leftarrow\frac{E\cdot\eta\cdot C}{N\cdot B}$

   3:function TaylorExp($x$, $terms$)

   4:     $result\leftarrow 1$

   5:     $factorial\leftarrow 1$

   6:     for $i=1$ to $terms-1$ do

   7:         $factorial\leftarrow factorial\cdot i$

   8:         $result\leftarrow result+\frac{x^{i}}{factorial}$

   9:     end for

   10:     return $result$

   11:end function

   12:function DifferentialPrivacy($\epsilon$, $\delta$, $\sigma$, $delta_{w}$)

   13:     Define $w$, $w^{\prime}$, $noisy\_w$, $noisy\_w^{\prime}$, $x$ as Real variables

   14:     $pdf\_w\leftarrow\frac{1}{\sqrt{2\pi\sigma^{2}}}\cdot\text{TaylorExp}\left(\frac{-(x-w)^{2}}{2\sigma^{2}}\right)$

   15:     $pdf\_w^{\prime}\leftarrow\frac{1}{\sqrt{2\pi\sigma^{2}}}\cdot\text{TaylorExp}\left(\frac{-(x-w^{\prime})^{2}}{2\sigma^{2}}\right)$

   16:     return $\text{Implies}(w^{\prime}=w+delta\_w\land x=noisy\_w,pdf\_w\leq\text{TaylorExp}(\epsilon)\cdot pdf\_w^{\prime}+\delta)$

   17:end function

   18:function AdvancedComposition($\epsilon$, $\delta$, $num\_compositions$)

   19:     return $\epsilon\cdot\sqrt{2\cdot num\_compositions\cdot\log{\left(\frac{1}{\delta}\right)}}$, $num\_compositions\cdot\delta+\delta$

   20:end function

   21:$\epsilon\_composed,\delta\_composed\leftarrow\text{AdvancedComposition}(\epsilon,\delta,num\_compositions)$

   22:$\sigma\_composed\leftarrow\sqrt{2\cdot\log{\left(\frac{1.25}{\delta\_composed}\right)}}\cdot\frac{delta\_w}{\epsilon\_composed}+\frac{0.009760}{\epsilon\_composed^{0.078008}}$

   23:Create Z3 solver $s\_composed$

   24:$s\_composed.\text{add}(\text{DifferentialPrivacy}(\epsilon\_composed,\delta\_composed,\sigma\_composed,delta\_w))$

   25:$\sigma\_original\leftarrow\sqrt{2\cdot\log{\left(\frac{1.25}{\delta}\right)}}\cdot\frac{delta\_w}{\epsilon}+\frac{0.009760}{\epsilon^{0.078008}}$

   26:Create Z3 solver $s\_original$

   27:$s\_original.\text{add}(\text{DifferentialPrivacy}(\epsilon,\delta,\sigma\_original,delta\_w))$

Overview: The statistical simulation approach aimed to empirically validate differential privacy conditions across varying epsilon values. By calculating the noise scale and applying it to a weight, we simulated multiple instances and computed the violation rate based on the ratio of probability density functions (pdfs) of noisy weights.

Results: The simulation revealed the following violation rates:

• •

  Minimum violation rate: 0.000000 at epsilon = 0.01

• •

  Maximum violation rate: 0.000000 at epsilon = 0.01

The violation rates were recorded and visualized, providing insights into the effectiveness of the noise mechanism in preserving privacy under different privacy budgets.

Overview: The formal verification approach employed the Z3 solver to verify differential privacy conditions under advanced composition for multiple queries or iterations. This method provided a rigorous mathematical validation by checking the satisfiability of the differential privacy conditions.

Results: For epsilon = 1, the Z3 solver analysis demonstrated the following:

• •

  The differential privacy condition is satisfied after 1000 compositions.

• •

  Composed epsilon: 191.94103648752323

• •

  Composed delta: 1.001e-05

• •

  The original (non-composed) differential privacy condition is satisfied.

This method confirmed that the privacy guarantees hold under advanced composition, providing validation of the differential privacy mechanisms.

The results from both approaches complement each other, with the statistical simulation providing empirical insights and the formal verification offering rigorous mathematical validation. Together, they demonstrate the effectiveness and robustness of differential privacy mechanisms under varying conditions and compositions.

In this section, we present a comprehensive analysis of the performance of the differentially private (DP-SGD) model compared to the non-differentially private (DP-Weights) noisy model and the fine-tuned model. The analysis includes pairwise comparisons and confidence intervals for various metrics, providing insights into the statistical similarities and differences between the models.

We conducted pairwise comparisons and calculated 95% confidence intervals for the following metrics: perplexity (member and non-member), ROC AUC, accuracy, precision, recall, and F1 score. The results are summarized below:

In this section, we analyze the performance differences between the DP (Differentially Private) model, the DP-Weights noisy model, and the fine-tuned model across different epochs of training. The analysis focuses on key metrics: perplexity (for both member and non-member data points), and metrics related to a membership inference attack on the model: ROC AUC, accuracy, precision, recall, and F1 score. The goal is to determine if the DP model behaves similarly to the DP-Weights noisy model and if both differ significantly from the fine-tuned model.

Our experiments demonstrated that the novel fine-tuned model (DP-Weights model) with post-training noise application achieves performance metrics statistically similar to those of the traditional DP model. This finding is crucial as it validates the effectiveness of our method in maintaining privacy guarantees while maintaining a similar level of performance degradation compared to the DP-SGD model. This can be particularly advantageous in practical applications where retraining a model is costly or impractical.

The primary advantage of applying DP noise post-training is the potential for improved training efficiency and model performance tuning. Traditional methods integrating noise during training can lead to significant training costs and require careful tuning of the noise parameters to balance privacy and accuracy. By applying noise post-training, our method simplifies the training process and allows for better optimization of the model’s performance before introducing privacy guarantees.

While our study shows promising results, it is essential to consider the limitations and potential areas for future research. One limitation is the assumption that the noise added post-training uniformly affects all model weights. Further investigation is needed to understand the impact of noise distribution and its implications on model performance.

This approach requires a machine learning practitioner to have knowledge of the dataset size, learning rate, batch size, and the gradients must be clipped during training for this approach to be mathematically differentially private. Without clip** the gradients, the global sensitivity of the model weight update rule is not bound by the gradient norm. As such, one must always have knowledge of how a model was trained in order for this approach to provide the guarantees afforded by the Differential Privacy framework.

Additionally, exploring the scalability of our approach to larger models and more complex datasets is a critical next step. Understanding how post-training noise application interacts with various model architectures and training regimes will provide deeper insights into its practical applicability.

To establish the differential privacy guarantees of our proposed method of applying noise post-training, we follow a systematic approach to prove that the mechanism is indeed differentially private.