Differential privacy (DP) is a gold-standard concept of measuring and guaranteeing privacy in data analysis. It is well-known that the cost of adding DP to deep learning model is its accuracy. However, it remains unclear how it affects robustness of the model. Standard neural networks are not robust to different input perturbations: either adversarial attacks or common corruptions. In this paper, we empirically observe an interesting trade-off between privacy and robustness of neural networks. We experimentally demonstrate that networks, trained with DP, in some settings might be even more vulnerable in comparison to non-private versions. To explore this, we extensively study different robustness measurements, including FGSM and PGD adversaries, distance to linear decision boundaries, curvature profile, and performance on a corrupted dataset. Finally, we study how the main ingredients of differentially private neural networks training, such as gradient clipping and noise addition, affect (decrease and increase) the robustness of the model.

翻译：差异隐私(DP)是一个衡量和保障数据分析隐私的金质标准概念,众所周知,在深层学习模式中增加DP的成本是其准确性,但尚不清楚它如何影响模型的稳健性。标准神经网络对不同的输入扰动并不强健:要么是对抗性攻击,要么是常见的腐败。在本文中,我们从经验上观察到在隐私和神经网络稳健性之间的一种有趣的权衡。我们实验性地证明,在一些环境中,与DP培训过的网络可能比非私人版本更加脆弱。为了探索这一点,我们广泛研究不同的强健度测量,包括FGSM和PGD对手、距离线性决定边界、曲线剖面图和腐败数据集的性能。最后,我们研究差异性私人神经网络培训的主要成份,如梯度剪裁和噪音添加等,如何影响(减少和增加)模型的稳健性。