Semi-supervised Knowledge Transfer for Deep Learning from Private Training Data

Krisha Mehta
Computers, Papers and Everything
4 min read · May 6, 2018

Today, machine learning is being applied almost everywhere. However, many applications deal with private data: hospital or banking records, personal photos, contact lists. Special care must therefore be taken when training a model on such data. A model may inadvertently and implicitly store some of its training data, and careful analysis of the model (or of its outputs) may therefore reveal sensitive information.

The following paper, by Papernot et al., describes an approach to protect this private data. It even won a best paper award at ICLR 2017!

Some machine learning applications with great benefits are enabled only through the analysis of sensitive data, such as users’ personal contacts, private photographs or correspondence, or even medical records or genetic sequences. Ideally, in those cases, the learning algorithms would protect the privacy of users’ training data. Unfortunately, established machine learning algorithms make no such guarantee; indeed, though state-of-the-art algorithms generalize well to the test set, they continue to overfit on specific training examples in the sense that some of these examples are implicitly memorized. Recent attacks exploiting this implicit memorization in machine learning have demonstrated that private, sensitive training data can be recovered from models.

Because machine learning models tend to overfit, and thereby memorize individual training examples, they are very likely to retain private data. To avoid this, the paper improves upon a specific, structured application of knowledge aggregation and transfer techniques.

In this approach, an ensemble of teacher models is trained on disjoint subsets of the data. Then, using auxiliary, unlabelled non-sensitive data, a student model is trained on the aggregate output of the ensemble, such that the student learns to mimic the ensemble accurately. Intuitively, this strategy ensures that the student does not depend on the details of any single sensitive training data point (e.g., of any individual user), and, thereby, the privacy of the training data is protected even if attackers can observe the student’s internal model parameters.

The paper calls this strategy PATE, for Private Aggregation of Teacher Ensembles. To strengthen the privacy guarantee, it also introduces an improved, data-dependent privacy analysis (built on the moments accountant of Abadi et al., 2016) that makes the strategy practical for machine learning, especially when combined with semi-supervised learning.

Let us first see how PATE works:

Step 1: Training the ensemble of teachers.

The sensitive dataset (X, Y) is partitioned into n disjoint subsets (X_i, Y_i), and a separate model is trained on each. This gives n classifiers f_i, called teachers. The teachers are deployed only as an ensemble: for an unseen input x, each teacher is queried for its prediction f_i(x), and these votes are aggregated into a single prediction. The privacy guarantee of the ensemble stems from this aggregation. When combining the votes, we do not want a single teacher's vote to make an observable difference, which is exactly what happens when the vote counts of the top two labels differ by at most one: a single teacher, and therefore a single user's record, would then decide the answer. To introduce ambiguity, random noise is added to the vote counts. Writing n_j(x) for the number of teachers that vote for label j on input x, the ensemble's prediction f(x) is the label j that maximizes n_j(x) plus independently drawn Laplace noise of scale 1/γ:

Here γ is the privacy parameter. Since the noise has scale 1/γ, a smaller γ means more noise and a stronger per-query privacy guarantee, but less accurate labels, because the noisy maximum can differ from the true plurality. While f could be used directly to make predictions, every answered query spends privacy budget: for a fixed overall guarantee, the noise required grows with the number of queries answered, so the ensemble becomes useless after a bounded number of queries. Furthermore, the guarantee does not hold if an adversary can access the teachers' parameters. Each teacher f_i was trained without any privacy protection, so it plausibly has enough capacity to retain details of its training data. To address both limitations, a second model, the student, is trained using a fixed number of labels predicted by the teacher ensemble.

Step 2: Semi-supervised transfer of the knowledge from the ensemble to the student.

The student is trained on non-sensitive, unlabelled data, a fixed subset of which is labelled by querying the aggregation mechanism. Because the student never touches the sensitive data and only ever sees a bounded number of noisy aggregate votes, it is the model that gets deployed; the teachers are never exposed. To make use of the unlabelled public data as well, the student is trained in a semi-supervised fashion using GANs.

GANs contain a generator and a discriminator.
They are trained competitively, as a two-player game.
The generator produces samples meant to resemble the data distribution by transforming vectors sampled from a Gaussian distribution.
The discriminator is trained to distinguish samples produced by the generator from samples drawn from the real data distribution.
Both models are trained via simultaneous gradient descent steps on their respective costs.

Training the student in a semi-supervised fashion makes better use of all the data available to it, while still labelling only a subset. Unlabelled inputs are used in unsupervised learning to estimate a good prior over the data distribution; labelled inputs are then used for supervised learning. Concretely, the paper follows Salimans et al. (2016): the discriminator itself is the student, and its output layer has K+1 classes, the K real labels plus one "generated" class, so the teacher-labelled inputs train the K-way classifier while unlabelled and generated samples train the real-versus-fake output.
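As an added example (my own code, not the paper's), here is a toy version of the pipeline described in Steps 1 and 2 in pure Python: teachers trained on disjoint partitions of a constructed 2-D dataset, vote counts n_j(x), the noisy-max aggregation with Laplace noise of scale 1/γ, a check for the "one vote decides" situation, and a fixed-budget loop that labels the student's public inputs. The nearest-centroid teachers, the constructed data and the budget tally (2γ per query under basic composition, rather than the paper's moments accountant) are simplifying assumptions of this example; the GAN-based semi-supervised training of the student is not shown.

```python
"""Toy PATE teacher ensemble with noisy aggregation. Added example, not the
paper's code. Teachers are nearest-centroid classifiers on disjoint partitions
of constructed data; the aggregate answers f(x) = argmax_j { n_j(x) + Lap(1/gamma) }
and charges 2*gamma of epsilon per query (basic composition, an assumption here)."""
import math
import random
from typing import Dict, List, Sequence, Tuple

Point = Tuple[float, float]
Record = Tuple[Point, int]


def make_dataset(n: int, seed: int = 0) -> List[Record]:
    """Constructed sample data: label 0 clustered near (0, 0), label 1 near (4, 4)."""
    rng = random.Random(seed)
    data = [((rng.gauss(4.0 * (i % 2), 1.0), rng.gauss(4.0 * (i % 2), 1.0)), i % 2)
            for i in range(n)]
    rng.shuffle(data)
    return data


def partition(data: Sequence[Record], n_teachers: int) -> List[List[Record]]:
    """Disjoint subsets (X_i, Y_i): every record lands in exactly one teacher's set."""
    return [list(data[i::n_teachers]) for i in range(n_teachers)]


class NearestCentroid:
    """Deliberately tiny teacher f_i: predicts the label whose training centroid is closest."""

    def fit(self, records: Sequence[Record]) -> "NearestCentroid":
        sums: Dict[int, List[float]] = {}
        counts: Dict[int, int] = {}
        for (x, y), label in records:
            s = sums.setdefault(label, [0.0, 0.0])
            s[0] += x
            s[1] += y
            counts[label] = counts.get(label, 0) + 1
        self.centroids = {l: (sums[l][0] / counts[l], sums[l][1] / counts[l]) for l in sums}
        return self

    def predict(self, x: Point) -> int:
        return min(self.centroids, key=lambda l: (x[0] - self.centroids[l][0]) ** 2
                   + (x[1] - self.centroids[l][1]) ** 2)


def vote_counts(teachers: Sequence[NearestCentroid], x: Point, n_labels: int) -> List[int]:
    """n_j(x): number of teachers whose prediction f_i(x) equals label j."""
    counts = [0] * n_labels
    for t in teachers:
        counts[t.predict(x)] += 1
    return counts


def single_teacher_decides(counts: Sequence[int]) -> bool:
    """True when the top two counts differ by at most one: a single teacher's vote,
    hence a single user's record, could change the un-noised plurality."""
    top = sorted(counts, reverse=True)
    return len(top) > 1 and top[0] - top[1] <= 1


def laplace(rng: random.Random, scale: float) -> float:
    """Sample Lap(0, scale) by inverse CDF (resample the one u value that hits log(0))."""
    while True:
        u = rng.random() - 0.5
        if abs(u) < 0.5:
            return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


class NoisyAggregate:
    """The ensemble f(x): argmax over noisy vote counts, with a running epsilon tally."""

    def __init__(self, teachers, n_labels: int, gamma: float, seed: int = 0):
        self.teachers = list(teachers)
        self.n_labels = n_labels
        self.gamma = gamma  # noise scale is 1/gamma: smaller gamma, more noise, stronger privacy
        self.rng = random.Random(seed)
        self.epsilon_spent = 0.0

    def predict(self, x: Point) -> int:
        counts = vote_counts(self.teachers, x, self.n_labels)
        noisy = [c + laplace(self.rng, 1.0 / self.gamma) for c in counts]
        # One teacher flipping its vote moves two counts by 1 each (L1 sensitivity 2),
        # so Laplace noise of scale 1/gamma makes each answer 2*gamma-DP.
        self.epsilon_spent += 2.0 * self.gamma
        return max(range(self.n_labels), key=noisy.__getitem__)


def label_for_student(agg: NoisyAggregate, public_inputs: Sequence[Point],
                      epsilon_budget: float) -> List[Record]:
    """Label non-sensitive inputs until the budget would be exceeded. Only these
    (x, label) pairs reach the student; the teachers themselves are never deployed."""
    labeled: List[Record] = []
    for x in public_inputs:
        if agg.epsilon_spent + 2.0 * agg.gamma > epsilon_budget:
            break
        labeled.append((x, agg.predict(x)))
    return labeled


def build_ensemble(n_records: int = 200, n_teachers: int = 10,
                   gamma: float = 0.05, seed: int = 0) -> NoisyAggregate:
    data = make_dataset(n_records, seed)
    teachers = [NearestCentroid().fit(part) for part in partition(data, n_teachers)]
    return NoisyAggregate(teachers, n_labels=2, gamma=gamma, seed=seed)


if __name__ == "__main__":
    agg = build_ensemble()
    public = [(0.2, -0.1), (3.8, 4.3), (2.0, 2.0)]  # constructed public, unlabelled inputs
    for x in public:
        c = vote_counts(agg.teachers, x, 2)
        print(x, "votes", c, "fragile" if single_teacher_decides(c) else "robust",
              "noisy label", agg.predict(x))
    print("epsilon spent:", agg.epsilon_spent)
```

The input (2.0, 2.0) sits between the two clusters, so its vote count is the kind of near-tie where a single teacher would otherwise decide the answer; the Laplace noise is what keeps that teacher's data from being observable through f(x). Swapping in real teachers (any classifier with a predict method) and a real accountant changes nothing about the aggregation logic.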
