Differential privacy (DP) provides a provable framework for protecting individuals by customizing a random mechanism over a privacy-sensitive dataset. Deep learning models pose privacy risks when exposed, because a trained model unintentionally records membership-level private information. Differentially private stochastic gradient descent (DP-SGD) has been proposed to safeguard the individuals in the training data by adding random Gaussian noise to gradient updates during backpropagation. Researchers have identified that DP-SGD typically causes utility loss, since the injected homogeneous noise alters the gradient updates calculated at each iteration. Namely, all elements in the gradient are contaminated regardless of their importance in updating model parameters. In this work, we argue that the utility loss mainly results from the homogeneity of the injected noise. Consequently, we propose a generic differential privacy framework with heterogeneous noise (DP-Hero) by defining a heterogeneous random mechanism to abstract its property. The insight of DP-Hero is to leverage the knowledge encoded in the previously trained model to guide the subsequent allocation of noise heterogeneity, thereby leveraging the statistical perturbation and achieving enhanced utility. Atop DP-Hero, we instantiate a heterogeneous version of DP-SGD, where the noise injected into gradients is heterogeneous and guided by prior-established model parameters. We conduct comprehensive experiments to verify and explain the effectiveness of the proposed DP-Hero, showing improved training accuracy compared with state-of-the-art works. Broadly, we shed light on improving the privacy-utility space by learning the noise guidance from the pre-existing leaked knowledge encoded in the previously trained model, offering a different perspective for understanding utility-improved DP training.