Enhancing One-run Privacy Auditing with Quantile Regression-Based Membership Inference
Reviewed by Pithpith:HQYJ7Z2Popen to challenge →
read the original abstract
Differential privacy (DP) auditing aims to provide empirical lower bounds on the privacy guarantees of DP mechanisms like DP-SGD. While some existing techniques require many training runs that are prohibitively costly, recent work introduces one-run auditing approaches that effectively audit DP-SGD in white-box settings while still being computationally efficient. However, in the more practical black-box setting where gradients cannot be manipulated during training and only the last model iterate is observed, prior work shows that there is still a large gap between the empirical lower bounds and theoretical upper bounds. Consequently, in this work, we study how incorporating approaches for stronger membership inference attacks (MIA) can improve one-run auditing in the black-box setting. Evaluating on image classification models trained on CIFAR-10 with DP-SGD, we demonstrate that our proposed approach, which utilizes quantile regression for MIA, achieves tighter bounds while crucially maintaining the computational efficiency of one-run methods.
This paper has not been read by Pith yet.
Forward citations
Cited by 2 Pith papers
-
Natural Identifiers for Privacy and Data Audits in Large Language Models
Introduces natural identifiers (NIDs) from common training data to support post-hoc differential privacy auditing and dataset inference for LLMs without retraining or private held-out sets.
-
Let's Ask Gauss: Improved One-Run Privacy Auditing
In white-box DP-SGD, canary-aligned signals form a sequence of random variables whose normalized sum is asymptotically Gaussian, enabling a new one-run auditing framework with tighter privacy lower bounds.
discussion (0)
Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.