Optimal privacy guarantees for a relaxed threat model: Addressing sub-optimal adversaries in differentially private machine learning

Georgios Kaissis; Alexander Ziller; Stefan Kolek; Anneliese Riess; Daniel Rueckert

Optimal privacy guarantees for a relaxed threat model: Addressing sub-optimal adversaries in differentially private machine learning

Georgios Kaissis, Alexander Ziller, Stefan Kolek, Anneliese Riess, Daniel Rueckert

Informatics 31 - Chair of Artificial Intelligence in Healthcare and Medicine

Research output: Contribution to journal › Conference article › peer-review

4 Scopus citations

Abstract

Differentially private mechanisms restrict the membership inference capabilities of powerful (optimal) adversaries against machine learning models. Such adversaries are rarely encountered in practice. In this work, we examine a more realistic threat model relaxation, where (sub-optimal) adversaries lack access to the exact model training database, but may possess related or partial data. We then formally characterise and experimentally validate adversarial membership inference capabilities in this setting in terms of hypothesis testing errors. Our work helps users to interpret the privacy properties of sensitive data processing systems under realistic threat model relaxations and choose appropriate noise levels for their use-case.

Original language	English
Pages (from-to)	55802-55825
Number of pages	24
Journal	Advances in Neural Information Processing Systems
Volume	36
State	Published - 2023
Event	37th Conference on Neural Information Processing Systems, NeurIPS 2023 - New Orleans, United States Duration: 10 Dec 2023 → 16 Dec 2023

Cite this

@article{cf184fe6e6ac4426bdb9694a364f9418,

title = "Optimal privacy guarantees for a relaxed threat model: Addressing sub-optimal adversaries in differentially private machine learning",

abstract = "Differentially private mechanisms restrict the membership inference capabilities of powerful (optimal) adversaries against machine learning models. Such adversaries are rarely encountered in practice. In this work, we examine a more realistic threat model relaxation, where (sub-optimal) adversaries lack access to the exact model training database, but may possess related or partial data. We then formally characterise and experimentally validate adversarial membership inference capabilities in this setting in terms of hypothesis testing errors. Our work helps users to interpret the privacy properties of sensitive data processing systems under realistic threat model relaxations and choose appropriate noise levels for their use-case.",

author = "Georgios Kaissis and Alexander Ziller and Stefan Kolek and Anneliese Riess and Daniel Rueckert",

note = "Publisher Copyright: {\textcopyright} 2023 Neural information processing systems foundation. All rights reserved.; 37th Conference on Neural Information Processing Systems, NeurIPS 2023 ; Conference date: 10-12-2023 Through 16-12-2023",

year = "2023",

language = "English",

volume = "36",

pages = "55802--55825",

journal = "Advances in Neural Information Processing Systems",

issn = "1049-5258",

publisher = "Neural information processing systems foundation",

}

TY - JOUR

T1 - Optimal privacy guarantees for a relaxed threat model

T2 - 37th Conference on Neural Information Processing Systems, NeurIPS 2023

AU - Kaissis, Georgios

AU - Ziller, Alexander

AU - Kolek, Stefan

AU - Riess, Anneliese

AU - Rueckert, Daniel

PY - 2023

Y1 - 2023

N2 - Differentially private mechanisms restrict the membership inference capabilities of powerful (optimal) adversaries against machine learning models. Such adversaries are rarely encountered in practice. In this work, we examine a more realistic threat model relaxation, where (sub-optimal) adversaries lack access to the exact model training database, but may possess related or partial data. We then formally characterise and experimentally validate adversarial membership inference capabilities in this setting in terms of hypothesis testing errors. Our work helps users to interpret the privacy properties of sensitive data processing systems under realistic threat model relaxations and choose appropriate noise levels for their use-case.

AB - Differentially private mechanisms restrict the membership inference capabilities of powerful (optimal) adversaries against machine learning models. Such adversaries are rarely encountered in practice. In this work, we examine a more realistic threat model relaxation, where (sub-optimal) adversaries lack access to the exact model training database, but may possess related or partial data. We then formally characterise and experimentally validate adversarial membership inference capabilities in this setting in terms of hypothesis testing errors. Our work helps users to interpret the privacy properties of sensitive data processing systems under realistic threat model relaxations and choose appropriate noise levels for their use-case.

UR - http://www.scopus.com/inward/record.url?scp=85180396722&partnerID=8YFLogxK

M3 - Conference article

AN - SCOPUS:85180396722

SN - 1049-5258

VL - 36

SP - 55802

EP - 55825

JO - Advances in Neural Information Processing Systems

JF - Advances in Neural Information Processing Systems

Y2 - 10 December 2023 through 16 December 2023

ER -

Optimal privacy guarantees for a relaxed threat model: Addressing sub-optimal adversaries in differentially private machine learning

Abstract

Other files and links

Fingerprint

Cite this