A General Framework for Auditing Differentially Private Machine Learning

Fred Lu, Joseph Munoz, Maya Fuchs, Tyler LeBlond, Elliott Zaresky-Williams, Edward Raff, Francis Ferraro, Brian Testa

Introduction

Machine learning (ML) is increasingly deployed in contexts where the privacy of the data used to build the model is of concern. ML models are capable of ingesting enormous quantities of data in order to determine meaningful predictive patterns. When such models are built on potentially sensitive inputs such as healthcare or financial data , it becomes important to determine to what extent information from the training dataset can be inferred from the model. Such information can be of personal interest when the identity of a data contributor may be compromised based on involvement in the data collection process , but it can also lead to regulatory concern about whether a model trained on private data should itself be considered private .

Differentially private (DP) machine learning is a theoretically rigorous approach that provides a worst-case privacy guarantee for ML algorithms . Specifically, it provides a mathematical guarantee that the distribution of possible output models based on the input dataset is not significantly altered whether an individual data point is included in the training set or not. This is accomplished by randomizing the output model in a specific manner so that the distributions of the model trained with or without any individual data point are statistically indistinguishable up to a level specified by parameters ε,δ\varepsilon,\delta that must be set appropriately. While DP mathematically certifies the privacy of a mechanism, the noise added is generally tailored to the worst case scenario.

Previous results attempting to assess the privacy leakage of such models, using attacks ranging from membership inference to model inversion, have inferred that the actual detectable risk of a model procedure is lower than the theoretical bound . While a recent study on DP neural networks indicates that the privacy guarantee of the DP-SGD algorithm is tight under the strongest adversary , the privacy risk under realistic datasets and attackers without complete access to the training process still lies below the worst case bound. Across other models, the question remains of whether the privacy violation of a mechanism is lower than specified or whether the attacks previously used are not strong enough. Given that there are no guidelines on how to set ε,δ\varepsilon,\delta in practice, it would be useful for practitioners to estimate the actual risk they incur in practice and set the parameters accordingly. This is critical when DP for ML is still a nascent field, with limited implementations that can be hard to verify.

Recent works have shown that simple DP mechanisms can be audited effectively . These mechanisms generally map an input vector to a perturbed output vector, and are often used as building blocks of more complicated DP algorithms such as machine learning models. Examples include the Laplace and exponential mechanisms which are respectively used in DP Naive Bayes and random forest . The auditing procedure involves searching for optimal neighboring input sets a,aa,a^{\prime} and sampling the DP outputs M(a),M(a)\mathcal{M}(a),\mathcal{M}(a^{\prime}), to get a Monte Carlo estimate of ε\varepsilon. To extend these techniques to audit a machine learning model, the vector inputs a,aa,a^{\prime} are replaced with datasets D,DD,D^{\prime} which differ by a single entry. Working in this realm raises important challenges. First, previously effective search methods for neighboring inputs involving enumeration or symbolic search are impossible over large datasets, making it difficult to find optimal dataset pairs. In addition, Monte Carlo estimation requires costly model retraining thousands of times to bound ε\varepsilon with high confidence.

We propose solutions to these problems to accommodate the general auditing approach to machine learning algorithms. For the first concern, we develop a set of data poisoning attacks which perturb a single point of dataset DD, approximating a worst-case neighboring dataset DD^{\prime} specific to M\mathcal{M}. To address the second, we present a statistical framework combining elements of Bichsel et al. and Jagielski et al. to estimate ε\varepsilon for general ML procedures for smaller sample sizes. Our techniques involve improved estimation bounds and, more significantly, learning probabilities over general model spaces, while previous works can only estimate probabilities over a single output (the predictive probability).

These novel contributions form our framework ML-Audit for auditing the DP of arbitrary machine learning models. Compared to prior works we can obtain orders of magnitude improvement in the estimation of ε\varepsilon that are effective across a larger range of ε\varepsilon, more datasets, and more model types. Our framework is compatible with prior model-specific approaches (small neural networks), obtaining similar or improved efficacy. Further still, we provide case studies where our framework detects potential violations in existing implementations of DP machine learning.

We review these prior approaches in section 2, and introduce key DP concepts in section 3. Then we present our framework in section 4, followed by results and discussion in section 5. Finally we conclude in section 6.

Related work

Although differential privacy of a mechanism is established with mathematical proof, previous work has shown that holes can exist, either in theory, such as the sparse vector mechanism (of which erroneous versions have been proposed ), or implementation, for example sampling non-uniformity in pseudo-random number generators . Such occurrences point to the need for empirical verification of the promised security of differential privacy mechanisms. This is critical as lapses in DP are likely to provide greater predictive performance, so choosing a model to obtain maximal accuracy given a chosen level of privacy is likely to select these errant models.

Recent works propose efficient solutions for auditing simple differential privacy mechanisms operating on scalar or vector inputs . In such cases, the neighboring inputs can be enumerated tractably (e.g. for a vector input, trying adding one to each input element). For each neighboring pair, the appropriate output set is determined, and Monte Carlo probabilities are measured to determine privacy. The sampling process in such mechanisms is vectorized to greatly reduce the runtime . These works develop a rigorous statistical framework for DP auditing which serves as the basis of current ML auditing approaches, including our work.

Few studies have attempted to audit DP machine learners. We are aware of two works that measure the privacy of neural networks trained with the DP-SGD mechanism . Jagielski et al. develops a poisoning attack (ClipBKD) by constructing a data point along the axis of least variance in the dataset. This causes the gradients of the point to be distinguishable, mitigating the effect of the DP-SGD clipping and noise. Since this attack is model-agnostic, we adopt it as a baseline for all our models. We show considerably improved performance with our method and that the least variance approach suffers as the sphericity of the dataset increases.

The second work analyzes DP-SGD through a series of increasingly white-box attacks . They note that while the DP-SGD privacy guarantee is formulated for all neighboring datasets, the mechanism itself operates purely via gradient manipulation. Therefore they are able to formulate stronger attacks which directly target the gradient or make use of adaptive poisoning. While these are not usable for general-purpose ML auditing, we implement their poisoning attack, based on adversarial perturbation, for our DP-SGD experiments. We find that this attack performs comparably with ClipBKD on DP-SGD.

While their works are important progenitors to ours, they estimate the privacy loss by thresholding a single scalar output, e.g. the loss on a specific poisoning point. This is a major bottleneck limiting the ability to audit other machine learning algorithms. Instead of a scalar, our approach learns distributions over any vector representation of a model, allowing us to be the first to propose a general procedure for auditing any DP learner.

Another predecessor established the complementary relationship between data poisoning and differential privacy, using a poisoning attack based on gradient ascent of logistic regression parameters θ\theta with respect to xx to reach a target θ\theta^{\star} . The result has similar form to a perturbation influence function which we discuss . However, the aim of their study is to evaluate the effect of differential privacy on poisoning strength rather than vice versa. In addition, their attack formulation requires manual gradient computation which does not readily extend to other models. We include a form of their attack to compare in our logistic regression experiments.

Differential privacy overview

We provide a background on key elements of differential privacy relevant to our work.

A randomized learner M:D×BΘ\mathcal{M}:\mathcal{D}\times\mathcal{B}\mapsto\Theta is a function mapping a training dataset DDD\in\mathcal{D} and auxiliary noise bBb\in\mathcal{B} to an output model θΘ\theta\in\Theta.

A randomized learner M\mathcal{M} is considered (ε,δ)(\varepsilon,\delta)-differentially private if for all datasets D,DDD,D^{\prime}\in\mathcal{D} differing in a single entry and measurable sets SS over the output space Θ\Theta,

In this definition, the ε\varepsilon term is the primary quantity of interest because it bounds the ratio between model output probabilities when the original dataset DD is perturbed by a single row. Setting ε=δ=0\varepsilon=\delta=0 would enforce that M(D)M(D) equals M(D)M(D^{\prime}) in distribution, while a large ε\varepsilon or δ\delta permits the distributions to be arbitrarily different. As ε\varepsilon\to\infty the model distribution converges to M(D)\mathcal{M}_{\infty}(D), which in most cases is identical to the standard non-private version of the model. The δ\delta term permits some additive slack in the probability bound, but in most purposes is set to an o(1/n)o(1/n) quantity.

Given ε\varepsilon and δ\delta, M\mathcal{M} calibrates the noise distribution to the sensitivity of the model function .

Our main goal is to audit the privacy of a known mechanism whose inner workings may be hidden, so we assume in our work that the user has access to the mechanism, the privacy parameters, and the dataset, but does not have control over the training process or the randomness bb.

The final tool which we will employ in our framework is group privacy, which iterates over Eq. 1 to bound the probabilities when D,DD,D^{\prime} differ by multiple points.

Suppose M\mathcal{M} is (ε,δ)(\varepsilon,\delta)-private and D,DD,D^{\prime} differ by kk rows. Then for all measurable SΘS\subset\Theta,

Auditing framework

A DP mechanism calibrates its randomization to a user-specified εth\varepsilon_{th} representing the desired theoretical level of privacy. The goal of DP auditing is to empirically assess the actual privacy enabled by the mechanism, ε\varepsilon^{\star}. To do this, we determine a lower bound for ε\varepsilon^{\star} with high statistical confidence. Observe that rewriting the definition of DP gives

For any given (D,D,S)(D,D^{\prime},S) we can estimate the quantity with Monte Carlo by retraining M\mathcal{M} to generate samples and then compute a 95% confidence interval. The lower bound of the interval ε^lb\hat{\varepsilon}_{lb} is the detected privacy violation, and with high probability, we state that εε^lb\varepsilon^{\star}\geq\hat{\varepsilon}_{lb} with (D,D,S)(D,D^{\prime},S) as a witness. By maximizing ε^lb\hat{\varepsilon}_{lb} over all possible witnesses, we increase the lower bound on ε\varepsilon^{\star} which we can then compare against the promised εth\varepsilon_{th}. Given a mechanism M\mathcal{M}, the auditing objective is then to find

that is, the maximum privacy loss ratio over neighboring datasets D,DD,D^{\prime} and measurable output set SS. For all mechanisms considered in this work δ<104\delta<10^{-4} which is not detectable, so we simplify by setting δ=0\delta=0.

A successful auditing approach requires solutions to the two separate maximizations. We maximize over D,DD,D^{\prime} by developing a toolkit of poisoning attacks which have the largest influence on the mechanism in question. Once DD and DD^{\prime} are obtained, we fit a likelihood ratio-based optimization to determine an appropriate SS. In the following, we discuss these procedures in detail.

Given a dataset D=(X,Y)D=(X,Y) we define a valid poisoning attack to be an operation which selects an existing data point (x,y)(x,y) and perturbs xx to any new point xx^{\star} within a constraint set C\mathcal{C}. As we consider classification algorithms in this work, the class label yy can also be switched. The constraint C\mathcal{C} is specific to each DP algorithm and is used to determine the max sensitivity bound from Def. 3.3 (as otherwise a single data point can arbitrarily affect the model). Without loss of generality, we set the constraint to be the smallest containing the training data.

This is the only part of the framework which needs user design, as a strong attack against one mechanism may not be effective against another. However we distill the steps for constructing such attacks into a recipe:

The underlying model of M\mathcal{M} can be abstract, requiring a summary function τ\tau to embed M\mathcal{M} into a vector space. Since post-processing of DP outputs does not decrease privacy , we can select τ\tau to preserve as much information about M\mathcal{M} as possible. In logistic regression the transformation is natural: we define τM\tau\circ\mathcal{M} as the coefficient vector θ\theta (Table 1). To reduce notation overload we implicitly apply τ\tau when we discuss empirical samples zM(D)z\sim\mathcal{M}(D).

Obtain a non-private algorithm M(D)\mathcal{M}_{\infty}(D) as a surrogate. Note that as long as Eb[M(D,b)]M(D)E_{b}[\mathcal{M}(D,b)]\approx\mathcal{M}_{\infty}(D), meaning the DP model is on average equivalent to the non-private version, it is sufficient to find the optimal poisoning with respect to the non-private model. While not explored in this work, attacks can instead take into account the actual noise distribution by averaging over samples of M(D,b)\mathcal{M}(D,b), at the cost of additional run-time.

Determine a poisoning (x,y)(x^{\star},y^{\star}) from (x,y)(x,y) maximizing the distance between τ(M(D))\tau(\mathcal{M}_{\infty}(D)) and τ(M(D))\tau(\mathcal{M}_{\infty}(D^{\prime})). This involves a selection and a perturbation step.

Ahead we detail the poisoning attack design for each mechanism:

Logistic Regression. DP logistic regression is achieved using one of three approaches: objective, output, or gradient perturbation. We evaluate objective and output perturbation using the widely used method developed by Chaudhuri and Monteleoni and Chaudhuri et al. .

For the attack we adopt the influence function, a technique which estimates the change in a model when a specific data point is infinitesimally upweighted in the training set . For a general model with gradient and Hessian information, the effect of point xx^{\star} on the model parameters for a loss function LL can be approximated as Iθ(x)=Hθ1θL(x,θ^)\mathcal{I}_{\theta}(x^{\star})=-H_{\theta}^{-1}\nabla_{\theta}L(x^{\star},\hat{\theta}). In generalized linear models with canonical link function where LL is the negative log likelihood, this has a closed form involving the Fisher information as the expected Hessian , which for logistic regression evaluates to Iθ(x)=(yy^)(XWX+λI)1x\mathcal{I}_{\theta}(x^{\star})=(y^{\star}-\hat{y}^{\star})(X^{\top}WX+\lambda I)^{-1}x^{\star} where WW is a diagonal matrix with entries Wii=y^i(1y^i)W_{ii}=\hat{y}_{i}(1-\hat{y}_{i}), and λ\lambda regularization.

We choose τ\tau to be the coefficient vector θ,θ\theta,\theta^{\prime} of M(D),M(D)\mathcal{M}_{\infty}(D),\mathcal{M}_{\infty}(D^{\prime}) respectively. We first select (x,y)(x,y) closest to the corner of the hyper-rectangle containing the data (a heuristic for selecting a point far from where the separating hyperplane would likely be) and initialize (x,y)(x^{\star},y^{\star}) as the mean point in the opposite class. Since our goal is to increase the distance θθ2\lVert\theta-\theta^{\prime}\rVert_{2}, we optimize the L2L_{2} norm of the influence function using projected gradient ascent. The constraint set C\mathcal{C} is the L2L_{2} norm ball containing the training set, so after each iteration we clip xx^{\star} if needed.

Naive Bayes. The Gaussian Naive Bayes model parameterizes the class-conditional distribution of features using independent Normal distributions. The parameters involve a mean μyd\mu_{yd} and variance σyd2\sigma^{2}_{yd} for each feature and class combination, as well as prior probabilities for each class πy\pi_{y}. To achieve differential privacy, Laplace or Geometric noise are added to the maximum likelihood estimates for each parameter . The constraint set C\mathcal{C} is a hyper-rectangle set by the smallest and largest value of each feature in the dataset.

We choose τ\tau to be the vector of all {μyd,σyd2,πy}\{\mu_{yd},\sigma^{2}_{yd},\pi_{y}\}. The maximum influence a perturbation can have on μ^y\hat{\mu}_{y} of class yy is by selecting a point on the corner of the hyper-rectangle C\mathcal{C} nearest the data points of class yy and placing it on the corner furthest away. On the other hand, the maximum influence attack on πy\pi_{y} is to flip a class label. We combine the two ideas by flipping the class label of the point closest to a corner. In our experiments we compare the power against only attacking μy\mu_{y}.

Random Forest. The DP random forest mechanism uses unsupervised random splits of the features based on the domain of the inputs. Each tree is split to a pre-determined depth. Then the training points are percolated through the forest, and the majority label of each leaf is sampled from the Exponential mechanism . Thus a perturbed training point has no impact on the actual tree structure besides the potential label of a single leaf in each tree. As a result we measure only the change in those leaves, choosing τ\tau to be the prediction of each tree on xx^{\star}.

The most detectable change in probability occurs when j=1j=1 and then the majority class is swapped by a class flip. For example, if a leaf has one positive and two negative points, we flip the class of one of the negatives. Since each tree is random, there is no guarantee that any given point will be in such a situation where j=1j=1, but to increase this chance we target points which are likely to be solitary in each leaf. Thus we select the point most distant from the rest of the training set as measured by L1L_{1}-distance and flip its label. We provide further exposition and hyperparameter details in the Appendix.

DP-SGD. For DP-SGD we evaluate two extent poisoning attacks using our framework. The ClipBKD attack constructs a data point along the axis of least variance in the dataset . This can be performed by taking the eigenvector of the covariance matrix with the smallest eigenvalue, and then projecting it to the median L2 norm of the training set. This point is assigned the label with smallest predicted probability. The goal of this attack is to enable the gradients of the point to be distinguishable, mitigating the effect of the DP-SGD clipping and noise.

The second attack selects a random datum and maximizes the loss with gradient ascent. The loss is defined with respect to a set of trained shadow models . In both attacks, the outcome τ(M(D))\tau(\mathcal{M}(D)) being measured is the predicted probability of the perturbed point PM(x=1)P_{\mathcal{M}}(x^{\star}=1), while ClipBKD first subtracts the zero vector’s predicted PM(0)P_{\mathcal{M}}(\vec{0}). We also consider an updated ClipBKD with the zero prediction encoded separately with additional test predictions in τ\tau: PM(0)P_{\mathcal{M}}(\vec{0}), PM(xitest)P_{\mathcal{M}}(x_{i}^{test}).

2 Optimizing S𝑆S

Intuitively, we have a likelihood ratio fM(D)(z)/fM(D)(z)f_{\mathcal{M}(D)}(z)/f_{\mathcal{M}(D^{\prime})}(z) and we are selecting points to fill SS where DD is more likely than DD^{\prime}. We start by adding points where DD is most likely and work downwards until SS is large enough that there is a cc chance that M(D)\mathcal{M}(D^{\prime}) is erroneously in SS.

Directly obtaining these densities is intractable. Instead we can learn, given collected samples {M(D)}\{\mathcal{M}(\mathbf{D})\} where D{D,D}\mathbf{D}\in\{D,D^{\prime}\}, the posterior probability of the dataset DD:

Let us consider the set Lk{z  p(Dz)/p(Dz)>k}L^{k}\coloneqq\{z\ |\ p(D|z)/p(D^{\prime}|z)>k\}. From Bayes’ Theorem we know p(Dz)fM(D)(z)Pr(D=D)p(D|z)\propto f_{\mathcal{M}(D)}(z)\cdot\Pr(\mathbf{D}=D). Given equal samples of D\mathbf{D} from DD and DD^{\prime}, then P(D=D)=P(D=D)P(\mathbf{D}=D)=P(\mathbf{D}=D^{\prime}) implying p(Dz)/p(Dz)=fM(D)(z)/fM(D)(z)p(D|z)/p(D^{\prime}|z)=f_{\mathcal{M}(D)}(z)/f_{\mathcal{M}(D^{\prime})}(z).

Our approach introduces the following further adaptations on Bichsel et al. to enable auditing on slower, potentially expensive machine learning mechanisms. (The original work used around 10810^{8} samples for auditing simple mechanisms, which is infeasible for training machine learning models. We use N=10000N=10000 samples for all mechanisms except DP-SGD where N=500N=500.)

All previous auditing works (including below) use Clopper-Pearson intervals for p^1\hat{p}_{1} and p^0\hat{p}_{0} to determine the lower bound. This method is highly suboptimal because it separately bounds the numerator and denominator. We identify instead the Katz-log confidence interval to directly bound the ratio of binomial proportions , see Lemma A.3. This has far better coverage properties in our simulations, as shown in the Appendix.

Our modified procedure is presented in Algorithm 1 and summarized visually in Fig. 1.

Given Algo. 1 and NN samples, the highest detectable privacy risk is

To avoid biasing the confidence interval, it is important that the final MC estimate is conducted on an independent set of samples, as done in . This is especially the case when optimizing over thresholds in SS. Since we compute a 1α1-\alpha interval over ε^\hat{\varepsilon} for each threshold, using the best result from the same sample would lead to biased inference from multiple testing.

Experiments and Results

We evaluate the DP mechanisms over a range of εth\varepsilon_{th}: {0.1,0.25,0.5,1,2,4,8,16,50}\{0.1,0.25,0.5,1,2,4,8,16,50\}. At εth=0.1\varepsilon_{th}=0.1 the ratio of probabilities is bounded by e0.11.1e^{0.1}\approx 1.1 giving nearly indistinguishable distributions, whereas at εth=50\varepsilon_{th}=50 essentially no privacy is guaranteed. For a given dataset DD, we perturb k{1,2,4,8}k\in\{1,2,4,8\} points to get DD^{\prime} and train N=10000N=10000 times for each to determine the appropriate auditing set SS. Then we obtain NN new samples to perform the final Monte Carlo estimate and obtain the lower bound ε^lb\hat{\varepsilon}_{lb}. We use confidence level α=0.05\alpha=0.05 throughout.

We assess Naive Bayes, logistic regression (output and objective perturbation), and random forest on common machine learning datasets: adult, credit, iris, breast-cancer, banknote, thoracic. We use the diffprivlib library and implement output perturbation following . Additionally, we test DP-SGD on FMNIST and CIFAR10 (here with N=500N=500) using . Refer to Appendix for more details.

Figure 2 directly compares, over three datasets, the ε^lb\hat{\varepsilon}_{lb} obtained by our poisoning attacks (ML-Audit), the ClipBKD attack, and a baseline where a random data point xx is changed to a random point from the opposite class without changing labels (Swap-X). (Note that while the original ClipBKD work uses DP-SGD, the poisoning itself is mechanism-agnostic, so it is an appropriate baseline.) We replicated our procedure 3x and show the median ε^lb\hat{\varepsilon}_{lb}. The Katz log interval was used for the lower bounds even on the baselines. As a reference we plot the theoretical privacy loss up to the maximum detectable limit (Corollary 4.0.1).

For the logistic regression experiments we include an additional alternative of our approach where the modified point, rather than maximizing the influence, is optimized to target a specific coefficient vector (labeled Poisoning). The method is based on the coefficient attack of , a gradient-based optimization approach with similar form to ours. Heuristically, we want the target coefficient vector to be as distinguishable as possible from the original optimal linear coefficients, so we constructed a perpendicular vector to the original coefficients using cross products. This method, which only exists for logistic regression, can be considered an ablation of ML-Audit with a weaker attack.

Our attacks consistently and often dramatically outperform baselines across datasets, models, and εth\varepsilon_{th}. In some cases, the privacy detection is within a small factor (12×)(1-2\times) of optimal. The Poisoning attack is close to our attacks in some datasets but performs poorly in others. The Swap-X baseline shows the expected privacy loss of an attack which poisons a data point within the original data distribution, rather than a worst-case perturbation (e.g. swapping two points in the training set). The only case where Swap-X performs similarly to our tailored attacks is in output-perturbed logistic regression on separable datasets with high non-sphericity such as iris and breast-cancer. We believe these properties enable simple strategies to work well (see Fig. 3a). We believe this is not a meaningful difference in performance as both methods are near the limit of what can be theoretically detected. Our results validate previous findings showing that estimating ε\varepsilon using membership inference-based bounds are weaker than poisoning attacks . We also tried the loss-threshold attack of and found it ineffective.

On many models and datasets we obtain nearly optimal results, indicating that these datasets are close to the maximal sensitivity of the mechanism. We observe this for random forest at εth2\varepsilon_{th}\leq 2 but also a plateau in higher εth\varepsilon_{th}. This is likely due to lack of resolution in the outputs: an average over mm tree decisions only takes mm unique probability values. Our attack on Naive Bayes is also near-optimal, while varying among datasets. Since the algorithm assigns εth/3\varepsilon_{th}/3 to protect each of μyd\mu_{yd}, σyd2\sigma^{2}_{yd}, and πy\pi_{y}, a perturbation needs to achieve the sensitivity bound on all three to reach the theoretical privacy risk, with the bound over all pairs D,DD,D^{\prime} rather than conditioning on a starting DD. For example, to reach the bound for μ\mu, all points of one class must be in one corner of the hyper-rectangle and the poisoned point on the other corner, which is unrealistic. For this reason, our choice of attacking the class prior π\pi is generally more effective than attacking the mean μ\mu (Fig. 4).

Lastly, our DP-SGD experiments assess the two existing perturbation methods of . Our findings (Fig. 8) are consistent with what is reported in those works. Interestingly, we find that the shadow adversarial attack outperforms ClipBKD on FMNIST and vice versa on CIFAR10. We also updated ClipBKD to use additional information in τ\tau as detailed in Section 4.1 and find a moderate improvement on FMNIST. Refer to the Appendix for further discussion.

Dataset-specific attack comparisons. Previous work hypothesized that privacy attacks on realistic datasets do not cause the model shift to reach the worst-case given by the sensitivity bound, except when the attacker can completely specify the dataset . Based on our observations on the impact of the dataset distribution on attack strength, our evidence supports the hypothesis that achievable privacy is dataset-dependent. We believe theoretical analysis of datasets for attack risk to be useful for future work.

We briefly investigate this phenomenon by comparing the performance of ClipBKD by dataset sphericity, as computed by ratio between largest and smallest singular values. An attack on the direction of least variance is likely ineffective when the dataset is spherical. We observe a strong relationship between the non-sphericity of a dataset and the influence of the ClipBKD perturbed point in Fig. 3a. In comparison our influence-based attack consistently finds a higher influence value (Fig. 3b). Furthermore, this difference in influence is directly linked to the auditing improvement of our approach compared to ClipBKD.

Detecting violations in privacy. We discuss two case studies where privacy leaks occur in practice and are detected by our method. First, the Naive Bayes mechanism in diffprivlib exposes perturbed class counts in the API. However, the sum of class counts is enforced to be the dataset size. This means whenever (D,D)(D,D^{\prime}) differ by one row in length no privacy is guaranteed. When we include the exposed class counts as part of τ\tau, our framework detects maximal privacy loss at all εth\varepsilon_{th} (Fig. 4a). We therefore recommend that only the class priors and not counts be made accessible.

As another example, in some works DP defines neighboring datasets can only have a single row addition or deletion, while others allow modifiying an existing point (equivalently deleting and then adding a row). This means that depending on the implementation, the actual privacy level may be half or double what the user desires to obtain. Our auditing framework correctly detected this discrepancy in the DP random forest, which defines ε\varepsilon under the first option. Our estimated ε^\hat{\varepsilon} using the second definition exceeded the theoretical level until the definitions were reconciled.

We reiterate that the advantages of our approach over precursors are (1) improved perturbation attacks on DD, and (2) optimizing a likelihood attack SS on any summary function τ\tau of a model M\mathcal{M}. Our final ablation in Fig. 4b highlights these strengths by demonstrating the incremental improvement to ClipBKD when either (1) or (2) are added.

Conclusion

We have proposed ML-Audit, a framework for estimating the differential privacy of a ML model. ML-Audit provides a recipe for devising audits against arbitrary models and is often orders of magnitude more effective than existing approaches – sometimes 2×\leq 2\times of theoretical optimum.

Acknowledgments

Approved for Public Release; Distribution Unlimited. PA #: AFRL-2022-3247.

References

Appendix A Mathematical claims and proofs

Suppose M\mathcal{M} is (ε,δ)(\varepsilon,\delta)-private and D,DD,D^{\prime} differ by kk rows. Then for all measurable SΘS\subset\Theta,

Let D1,D2,,Dk1D_{1},D_{2},\ldots,D_{k-1} represent intermediate datasets between DD and DD^{\prime} changing one row at a time. For each step Definition 3.2 holds. For example

For ε>0\varepsilon>0, the final sum is a geometric series. Applying the standard identity gives the final result. ∎

(Neyman-Pearson): Given observations of a variable XX, consider a hypothesis test distinguishing H0:θ=θ0H_{0}:\theta=\theta_{0} and H1:θ=θ1H_{1}:\theta=\theta_{1} with respective densities f0(x)f_{0}(x) and f1(x)f_{1}(x). For a level of significance α\alpha, there exists a test with rejection region RR and t0t\geq 0 such that

A test satisfying these conditions is a most powerful test at level α\alpha (that is, P1(XR)P_{1}(X\in R) is greater or equal to that of any other test with the same level).

Given two independent Binomial variables with underlying probability parameters p1,p0p_{1},p_{0}, number of trials NN, and observed values n1n_{1} and n0n_{0}, a 1α1-\alpha confidence interval for the ratio ln(p1/p0)\ln(p1/p0) is

where zα/2z_{\alpha/2} is the critical value of the standard normal (e.g. 1.96 for α=0.05\alpha=0.05).

Given Algorithm 1 and NN samples, the highest detectable privacy violation is

Given NN samples of distribution M1M_{1} and NN of distribution M0M_{0} with Bernoulli probability p1,p0p_{1},p_{0} of being in set SS, the largest value of ln(p1/p0)\ln(p_{1}/p_{0}) is when all NN of M1M_{1} are accepted in SS and only one of M0M_{0} is (otherwise the ratio is infinite). That is, n1=Nn_{1}=N and n0=1n_{0}=1. So the maximal value of ln(p1/p0)\ln(p1/p_{0}) is ln(N)\ln(N). Then apply Lemma A.3 to get the confidence lower bound, which is the best case reportable by our algorithm. ∎

with probability at least 1α1-\alpha, where ρ=ln(2/α)2N\rho=\sqrt{\frac{\ln(2/\alpha)}{2N}}, and ρc12\frac{\rho}{c}\leq\frac{1}{2}.

Appendix B Additional Results

We highlight some results comparing k={1,2,4,8}k=\{1,2,4,8\} for the same attack, model, and dataset. As shown, small values of ε\varepsilon benefit from larger kk, while at larger ε\varepsilon, kk is detrimental because it requires dividing the final privacy estimate. In our final experiments we adopt k=8k=8 for all ε2\varepsilon\leq 2, k=2k=2 for 2<ε82<\varepsilon\leq 8, and k=1k=1 for ε{16,50}\varepsilon\in\{16,50\}.

B.2 Coverage simulation

We compare the baseline Clopper-Pearson interval with the Katz-log interval specifically designed for ratios of binomial variables. At a 95%95\% desired coverage (α=0.05\alpha=0.05), we find the Katz log intervals to be precise while the Clopper-Pearson are highly conservative. This is to be expected since the Clopper-Pearson approach separately bounds the two binomial variables before taking the ratio: the lower bound of the numerator divided by the upper bound of the denominator. Thus intuitively at a α=0.05\alpha=0.05 level it actually computes a quantity that holds with probability on the order of α2\alpha^{2}.

Appendix C DP-SGD Result

Our findings here are consistent with what is reported in the benchmark works. The shadow adversarial attack here outperforms ClipBKD on FMNIST and vice versa on CIFAR10. In general the auditing performance of these attacks are weaker compared to the other models. We believe this to be a combination of small sample size and resistance of DP-SGD to data perturbations: we found that more perturbations k=4,8k=4,8 were required to induce detectable changes at high εth\varepsilon_{th}.

Appendix D Additional experiment details

Our work considers binary classification so we restrict all datasets to classes 0 and 1. Datasets which are larger than 1000 points are subsampled to 1000. For evaluating random forest, which scales poorly with dataset size, we further subsample all datasets to 500 points. Results do not change significantly with dataset size (it is currently a pure Python implementation), as the DP noise added is calibrated to dataset statistics. Hyperparameter details are in the Appendix.

Our experiments were run over a cluster of 240 CPUs over a week. A single auditing run (40k retrainings, not DP-SGD) averaged 10-40 min depending on the dataset and model, while a single DP-SGD audit took about 3 hrs for 2k retrainings.

For FMNIST, we use a CNN with three 2D-conv layers and 2x2 max-pooling. The number of filters starts at 4 and is doubled to 8 at the third convolution. This is followed by a fully-connected layer. For CIFAR10, the overall architecture is the same but the number of filters is doubled for all conv layers.

We set the clipping norm to 0.002 similar to previous work and use learning rate 1e-3 with RMSprop. We train FMNIST for 10 epochs and CIFAR10 for 15. For all settings tested, model accuracy is over 98%98\% so we believe our settings are reasonable.

Note that in one- and two-layer fully connected networks are studied. Thus our models have higher capacity and are more realistic for the datasets studied. Our results for both baselines are consistent with reported.

During training our observations correlate with the comments in about the normalization of the dataset vs impact of weight initialization. For example, we find the strongest auditing performance by far when FMNIST is kept in the original feature scaling of $,withadetectedprivacyriskofaround0.7for, with a detected privacy risk of around 0.7 for\varepsilon=50$. In contrast, when normalized to oror, the highest detected privacy risk drops to around 0.4. We believe this to be the intersection of a few factors, including weight initialization (affecting initial variance of the network embeddings), the max grad norm clipping value, and the learning rate. We think this phenomenon worthy of further study to better understand the nuances affecting privacy in networks trained with DP-SGD.

D.2 Random Forest

Derivation of attack: The class label y(l)y(l) of a leaf ll is determined as

where u(z,l)u(z,l) is 1 if zz is the majority label in ll and 0 otherwise, and jj is the number of excess points for the majority. We want a change of a single point that can induce a large change of this probability. As jj increases the probability rapidly converges to 1, so for larger jj the difference is statistically indistinguishable. We can compare the ratio when j=2j=2 and j=1j=1, and verify that the largest difference is when j=1j=1 and the majority is flipped.

Note that this requires actively flipping the label of a point rather than just removing or adding a point to make the majority an equality. In the case of equal proportions of classes then the final probability becomes 0.5 which is not as strong as if the majority flips.

We use m=15m=15 trees and depth 10 in our study.

We further note that the detectable privacy violation is hyperparameter-dependent. By our analysis, growing the tree depth with nn sufficiently such that each data point is solitary would guarantee the effectiveness of the class flip attack. However, the size of the tree increases exponentially and the runtime is too costly with the current available implementation. As a compromise we cap our dataset sizes to 500 and disregard categorical features in the random splits, as they cannot be used to isolate points. This provides additional evidence that practical privacy risk is dataset-specific. We note that given the goal to analyze the largest privacy risk in random forest (e.g. to assess whether there are implementation errors), it makes sense to select parameters and dataset sizes to maximize privacy risk.

D.3 Logistic regression

We found in the implementations of logistic regression that the performance of the model at certain ε\varepsilon and λ\lambda combinations would lead to severe degradation of optimization, essentially giving degenerate coefficients. In such cases, nearly no privacy loss is detectable. Our goal is to assess the models at a reasonable performance level reflective of their actual use case on each dataset, so we adjusted the regularization λ\lambda to avoid these situations while maintaining weak regularization consistent with statistical literature (e.g. λ1/n\lambda\approx 1/\sqrt{n}). Our code uses scikit-learn which uses the C=1/(nλ)C=1/(n\cdot\lambda) convention. In our code we specified C=1.0C=1.0 for objective perturbation, C=0.01C=0.01 for output perturbation. For ε\varepsilon around 1-8 we needed C=10.0C=10.0 to deal with the degeneracy issue in objective perturbation.

Appendix E Adapting ML-Audit for δ>0𝛿0\delta>0

In our current study all methods we evaluate use standard implementations with δ=0\delta=0, with the exception of DP-SGD, where δ\delta is very small. Our method can be readily adapted for δ>0\delta>0 by keeping the δ\delta in the auditing objective of Section 4. Then the objective splits into two quantities, the first of which is what we currently bound. For the second we can use a binomial proportion CI on the denominator while setting δ\delta to be the level we wish to audit at. If we don’t have prior information we could also vary δ\delta which results in a curve of estimated δ\delta vs ε^\hat{\varepsilon}.

Nonetheless, in practical applications, δo(1/n)\delta\in o(1/n) yielding values which are exceedingly difficult to measure (and which essentially have no effect on our measurements). For example, the minimum probabilities which we can measure with confidence via Monte Carlo are around 0.01 while δ<0.001\delta<0.001 for a 1000-point dataset.

Appendix F Data-specific epsilon vs influence

As the ε\varepsilon of a DP ML mechanism holds for a worst-case pair of neighboring datasets, we note that many real-world datasets may have lower achievable maximum privacy leakage. We can take the maximum ε^\hat{\varepsilon} estimated from our logistic regression auditing experiments as a proxy lower bound for this quantity. We let YY be this value relative to a true ε=1\varepsilon=1.

Additionally, we define XX to be the norm of the influence function applied at our perturbation point, relative to the average influence function norm of each dataset. The following figure compares XX and YY: