Theory
Operating System
Storage
Coordination
Fault Tolerance
Cloud Computing
Systems for ML
ML for Systems
Video Analytics
Networking
Serverless
Resource Disaggregation
Edge Computing
Security/Privacy
Misc.
Deep Learning with Differential Privacy
https://arxiv.org/pdf/1607.00133.pdf

## Summary

This paper proposes a new algorithm which allows us to train a deep neural network under a modest privacy budget. It offers protection against a strong adversary with full knowledge of the training mechanism and access to the model's parameters.

## Differential Privacy

https://arxiv.org/pdf/1607.00133.pdf
Note that:
• We say that two of sets are adjacent if they differ in a single entry, that is, if one image-label pair is present in one set and absent in the other.
• $e^\epsilon$
is the exponential function applied to the parameter
$\epsilon > 0$
. If
$\epsilon$
is very close to 0, then
$e^\epsilon$
is very close to 1, so the probabilities are very similar. The bigger
$\epsilon$
is, the more the probabilities can differ.
• This paper uses the variant, which allows for the possibility that plain
$\epsilon$
-differential privacy is broken with probability
$\delta$
.

## The Algorithm

https://arxiv.org/pdf/1607.00133.pdf
The algorithm is very similar to the traditional SGD algorithm with few exceptions:
1. 1.
To guarantee our model is differentially private, we need to bound the influence of each individual example on our model. Thus, , we clip each gradient in l2 norm.
2. 2.
The algorithm adds noise at lot-level. Lots are similar to a batches, but, to limit the memory consumption, we may set the batch size much smaller than the lot size. We perform the computation in batches, then group several batches into a lot for adding noise.
3. 3.
The algorithm computes the overall privacy cost of the train.