
Design And Optimization Of Differentially Private Machine Learning Algorithms

Posted on: 2024-10-04   Degree: Doctor   Type: Dissertation
Country: China   Candidate: D Yu
GTID: 1528307349485614   Subject: Computer Science and Technology
Abstract/Summary:
Data is the cornerstone of deep learning and artificial intelligence. In recent years, a vast amount of high-quality training data has propelled rapid developments in these two areas, leading to numerous innovative applications such as facial recognition, voice assistants, and chatbots, which have significantly improved the convenience of people's lives and raised productivity. Acquiring high-quality training data is therefore crucial. However, because of data-leakage risks, a large amount of data in areas such as personal assistants, finance, and healthcare cannot yet be used to train deep learning models. Designing learning algorithms that protect data privacy is therefore particularly important: such algorithms make sensitive data usable, further promote the application and development of deep learning in these fields, and have broad and important social value across application scenarios.

Differential privacy, a theoretically rigorous definition, has become the gold standard for protecting data privacy. In recent years, developing machine learning algorithms that provide differential privacy for their training data has emerged as an important new research direction. It faces three main issues: 1) the theoretical analysis tools for the related optimization algorithms are not yet mature; 2) applying these optimization algorithms to deep learning is challenging; and 3) the human annotators required for instruction fine-tuning of large language models introduce new privacy risks. Specifically, there is significant room for improvement in the theoretical upper bounds on empirical risk minimization for these optimization algorithms. When they are applied in deep learning practice, two main challenges arise: the computational overhead is much higher than that of traditional deep learning algorithms, and models that satisfy differential privacy suffer a non-trivial loss of accuracy compared with baseline models trained without privacy protection. Finally, existing research focuses mainly on training-data leakage at the model deployment stage. With the popularity of algorithms such as Reinforcement Learning from Human Feedback (RLHF), however, new and urgent privacy risks have emerged in the data collection phase of training: RLHF requires human annotators to label data, which exposes sensitive data to those annotators.

To address these issues, this dissertation works in the following four areas.

1. On the issue that the theoretical upper bound for empirical risk minimization is not optimal, this dissertation analyzes how the noise added to guarantee differential privacy affects the optimization properties of the objective function and identifies a new property that better reflects the optimization condition under noise perturbation. This property substantially improves on previous theoretical results. Specifically, we show that the utility guarantee of noisy gradient descent is determined by the "expected curvature" of the objective function's Hessian, rather than by the global minimum curvature used in traditional optimization analysis. The expected curvature is the average curvature along the entire optimization path and is significantly better than the global minimum curvature; analyzing with it therefore significantly improves the theoretical upper bound for empirical risk minimization.

2. On the high computational cost of differentially private learning algorithms, this dissertation first analyzes where the extra overhead comes from. It stems from the need to instantiate and store the gradient of every training sample, whereas traditional learning algorithms store only the averaged gradient of a batch; this greatly increases memory consumption and thereby slows training. To solve this problem, this dissertation proposes a method that reparameterizes the forward propagation of a neural network. With this reparameterization, the gradient projection of each sample can be stored during backward propagation with minimal memory overhead. Experiments show that the proposed reparameterization significantly reduces the memory usage of such learning algorithms and significantly increases training speed.

3. On the significantly reduced model accuracy, this dissertation proposes using pre-trained models to substantially improve model performance. Pre-trained models are first learned on public, non-sensitive data and then applied to downstream tasks. In traditional deep learning tasks, pre-trained models have been shown to significantly improve performance, but how to apply them when the privacy of the downstream training data must be protected remained an open question. This dissertation makes the first attempt to apply pre-trained models in this setting and proposes a simple and efficient meta-framework. Through extensive experiments, we demonstrate that the framework significantly improves the performance of learning algorithms that provide differential privacy.

4. On the privacy risks introduced by human annotators, this dissertation proposes replacing real data with synthetic data during annotation. In the development of many models, a model service provider first deploys an initial model and then collects the instructions that users issue while using it. To iteratively improve the model, the provider hires annotators to classify and respond to these user instructions. This dissertation first analyzes real-world datasets of user instructions, finds that they contain a large amount of sensitive information, and thus raises a key issue: handing user instructions to human annotators can leak private data. To solve this, it proposes desensitizing real data with synthetic instructions that carry differential privacy guarantees and develops a framework for generating high-quality synthetic instructions. Experimental results show that synthetic instructions effectively prevent privacy leakage during training while keeping the performance of dialogue models comparable to that of models trained on real user instructions.
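As an added worked example (not code from the dissertation, and not the author's reparameterization method), the following pure-Python block places an ordinary averaged-gradient step beside a DP-SGD step (Abadi et al., 2016) for logistic regression. It makes concrete the mechanism behind contributions 1 and 2: every example's gradient is clipped to a fixed L2 norm C so that no single record can shift the update by more than C/B, Gaussian noise with standard deviation sigma*C is added to the clipped sum, and the list of per-example gradients (B x d floats) that has to be materialized before clipping is exactly the buffer the non-private loop never holds. The toy data set, the hyperparameters and all helper names are assumptions made for the illustration.

```python
"""DP-SGD step beside a plain batch-gradient step for logistic regression.

Added illustration in pure Python (no numpy) so it runs offline; not from the dissertation.
"""
import math
import random
from typing import List, Sequence

Vector = List[float]


def dot(a: Sequence[float], b: Sequence[float]) -> float:
    return sum(x * y for x, y in zip(a, b))


def l2_norm(v: Sequence[float]) -> float:
    return math.sqrt(dot(v, v))


def sigmoid(z: float) -> float:
    z = max(-500.0, min(500.0, z))  # clamp so exp() cannot overflow
    return 1.0 / (1.0 + math.exp(-z))


def per_example_gradient(w: Vector, x: Vector, y: int) -> Vector:
    """Gradient of the logistic loss for ONE example (x, y), with y in {0, 1}."""
    p = sigmoid(dot(w, x))
    return [(p - y) * xi for xi in x]


def batch_gradient(w: Vector, xs: Sequence[Vector], ys: Sequence[int]) -> Vector:
    """Non-private step: only a running sum of d floats is ever held in memory."""
    acc = [0.0] * len(w)
    for x, y in zip(xs, ys):
        g = per_example_gradient(w, x, y)  # consumed immediately, never stored
        for i, gi in enumerate(g):
            acc[i] += gi
    return [a / len(xs) for a in acc]


def clip(g: Vector, clip_norm: float) -> Vector:
    """Scale g so that ||g||_2 <= clip_norm; this bounds one example's influence."""
    n = l2_norm(g)
    scale = min(1.0, clip_norm / n) if n > 0.0 else 1.0
    return [gi * scale for gi in g]


def dp_sgd_gradient(w: Vector, xs: Sequence[Vector], ys: Sequence[int],
                    clip_norm: float, noise_multiplier: float,
                    rng: random.Random) -> Vector:
    """DP-SGD step: clip each per-example gradient, sum, add N(0, (sigma*C)^2 I), average.

    `per_example` is the B x d buffer that the non-private loop never needs;
    it is the memory overhead the abstract's second contribution targets.
    """
    per_example = [clip(per_example_gradient(w, x, y), clip_norm)
                   for x, y in zip(xs, ys)]
    summed = [sum(g[i] for g in per_example) for i in range(len(w))]
    std = noise_multiplier * clip_norm
    noised = [s + rng.gauss(0.0, std) for s in summed]
    return [v / len(xs) for v in noised]


def train(xs: Sequence[Vector], ys: Sequence[int], steps: int, lr: float,
          clip_norm: float = None, noise_multiplier: float = 0.0, seed: int = 0) -> Vector:
    """Full-batch training: private when clip_norm is given, plain gradient descent otherwise."""
    rng = random.Random(seed)
    w = [0.0] * len(xs[0])
    for _ in range(steps):
        if clip_norm is None:
            g = batch_gradient(w, xs, ys)
        else:
            g = dp_sgd_gradient(w, xs, ys, clip_norm, noise_multiplier, rng)
        w = [wi - lr * gi for wi, gi in zip(w, g)]
    return w


def accuracy(w: Vector, xs: Sequence[Vector], ys: Sequence[int]) -> float:
    correct = sum(int((sigmoid(dot(w, x)) >= 0.5) == bool(y)) for x, y in zip(xs, ys))
    return correct / len(xs)


# Constructed toy data (assumption): a bias feature plus two coordinates, separable by x1 > x2.
TOY_XS = [[1.0, 2.0, 0.5], [1.0, 1.5, 0.2], [1.0, 3.0, 1.0], [1.0, 2.5, 0.8],
          [1.0, 0.5, 2.0], [1.0, 0.2, 1.5], [1.0, 1.0, 3.0], [1.0, 0.8, 2.5]]
TOY_YS = [1, 1, 1, 1, 0, 0, 0, 0]

if __name__ == "__main__":
    w_plain = train(TOY_XS, TOY_YS, steps=200, lr=0.5)
    w_dp = train(TOY_XS, TOY_YS, steps=200, lr=0.5, clip_norm=1.0, noise_multiplier=0.5)
    print("non-private accuracy:", accuracy(w_plain, TOY_XS, TOY_YS))
    print("DP-SGD accuracy:     ", accuracy(w_dp, TOY_XS, TOY_YS))
```

Two caveats a practitioner should keep in mind: the block clips and adds noise but does no privacy accounting, so the (epsilon, delta) it achieves depends on sigma, the sampling rate and the number of steps and must be computed by an accountant (moments accountant or RDP); and `random.gauss` is not a cryptographically secure noise source, which a production DP-SGD implementation should use.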
Keywords/Search Tags:Trustworthy Machine Learning, Training Data Privacy Protection, Differential Privacy, Data Anonymization, Differentially Private Deep Learning