Adaptive Privacy Preserving Deep Learning Algorithms for Medical Data

Deep learning holds great promise for revolutionizing healthcare and medicine. Unfortunately, various inference attack models have demonstrated that deep learning puts sensitive patient information at risk. The high capacity of deep neural networks is the main reason behind the privacy loss. In particular, patient information in the training data can be unintentionally memorized by a deep network, and adversarial parties can extract that information given the ability to access or query the network. In this paper, we propose a novel privacy-preserving mechanism for training deep neural networks. Our approach adds decaying Gaussian noise to the gradients at every training iteration. This is in contrast to the mainstream approach adopted by Google’s TensorFlow Privacy, which employs the same noise scale at every step of the training process. Compared to existing methods, our proposed approach provides an explicit closed-form mathematical expression that approximately estimates the privacy loss. It is easy to compute and is useful when users need to decide on a suitable training time, noise scale, and sampling ratio during the planning phase. We provide extensive experimental results on one real-world medical dataset (chest radiographs from the CheXpert dataset) to validate the effectiveness of the proposed approach. The proposed differential-privacy-based deep learning model achieves significantly higher classification accuracy than existing methods under the same privacy budget.
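The following sketch is an added example, not code from the paper: it shows a clipped gradient step with a decaying Gaussian noise scale and a simple privacy accounting for it. The geometric schedule `sigma0 * decay**t`, all function and parameter names, and the zCDP accounting (which ignores subsampling amplification and is not the paper's closed-form expression) are assumptions.

```python
import math
import random

def noise_scale(t, sigma0, decay):
    # Assumed schedule (not given on the page): sigma_t = sigma0 * decay**t.
    return sigma0 * decay ** t

def clip(grad, c):
    # Bound one example's influence: rescale so the L2 norm is at most c.
    norm = math.sqrt(sum(g * g for g in grad))
    return [g * min(1.0, c / norm) for g in grad] if norm > 0 else list(grad)

def noisy_step(w, per_example_grads, t, lr, c, sigma0, decay, rng):
    # Clip each gradient, sum, add N(0, (sigma_t * c)^2) per coordinate, average.
    total = [0.0] * len(w)
    for g in per_example_grads:
        for i, v in enumerate(clip(g, c)):
            total[i] += v
    std = noise_scale(t, sigma0, decay) * c
    n = len(per_example_grads)
    return [wi - lr * (s + rng.gauss(0.0, std)) / n for wi, s in zip(w, total)]

def zcdp_rho(steps, sigma0, decay):
    # Gaussian mechanism with sensitivity c and std sigma_t * c is
    # 1/(2 sigma_t^2)-zCDP; zCDP composes by addition over iterations.
    return sum(0.5 / noise_scale(t, sigma0, decay) ** 2 for t in range(steps))

def zcdp_rho_closed_form(steps, sigma0, decay):
    # Same sum written as a geometric series in q = decay**-2.
    if decay == 1.0:
        return steps / (2.0 * sigma0 ** 2)
    q = decay ** -2
    return (q ** steps - 1.0) / (q - 1.0) / (2.0 * sigma0 ** 2)

def epsilon_from_rho(rho, delta):
    # Standard conversion: rho-zCDP implies (rho + 2*sqrt(rho*ln(1/delta)), delta)-DP.
    return rho + 2.0 * math.sqrt(rho * math.log(1.0 / delta))

if __name__ == "__main__":
    rng = random.Random(0)
    grads = [[3.0, 4.0], [0.1, -0.2], [-1.0, 0.5]]  # constructed per-example gradients
    w = [0.0, 0.0]
    for t in range(5):
        w = noisy_step(w, grads, t, lr=0.1, c=1.0, sigma0=4.0, decay=0.99, rng=rng)
    for decay in (1.0, 0.99):  # constant scale vs. decaying scale, 100 steps
        rho = zcdp_rho_closed_form(100, 4.0, decay)
        print(decay, round(rho, 3), round(epsilon_from_rho(rho, 1e-5), 2))
```

Under this accounting a decay below 1 spends the budget faster in later iterations, so matching the total ρ of a constant-scale run requires a larger initial scale.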
