Verification of Neural Networks’ Local Differential Classification Privacy

Roie Reshef; Anan Kabaha; Olga Seleznova; Dana Drachsler-Cohen

doi:10.1007/978-3-031-50521-8_5

Verification of Neural Networks’ Local Differential Classification Privacy

Roie Reshef, Anan Kabaha, Olga Seleznova, Dana Drachsler-Cohen

Technion - Israel Institute of Technology

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

Neural networks are susceptible to privacy attacks. To date, no verifier can reason about the privacy of individuals participating in the training set. We propose a new privacy property, called local differential classification privacy (LDCP), extending local robustness to a differential privacy setting suitable for black-box classifiers. Given a neighborhood of inputs, a classifier is LDCP if it classifies all inputs the same regardless of whether it is trained with the full dataset or whether any single entry is omitted. A naive algorithm is highly impractical because it involves training a very large number of networks and verifying local robustness of the given neighborhood separately for every network. We propose Sphynx, an algorithm that computes an abstraction of all networks, with a high probability, from a small set of networks, and verifies LDCP directly on the abstract network. The challenge is twofold: network parameters do not adhere to a known distribution probability, making it difficult to predict an abstraction, and predicting too large abstraction harms the verification. Our key idea is to transform the parameters into a distribution given by KDE, allowing to keep the over-approximation error small. To verify LDCP, we extend a MILP verifier to analyze an abstract network. Experimental results show that by training only 7% of the networks, Sphynx predicts an abstract network obtaining 93 % verification accuracy and reducing the analysis time by 1.7 · 10⁴ x.

Original language	English
Title of host publication	Verification, Model Checking, and Abstract Interpretation - 25th International Conference, VMCAI 2024, Proceedings
Editors	Rayna Dimitrova, Ori Lahav, Sebastian Wolff
Publisher	Springer Science and Business Media Deutschland GmbH
Pages	98-123
Number of pages	26
ISBN (Print)	9783031505201
DOIs	https://doi.org/10.1007/978-3-031-50521-8_5
State	Published - 2024
Event	25th International Conference on Verification, Model Checking, and Abstract Interpretation, VMCAI 2024 was co-located with 51st ACM SIGPLAN Symposium on Principles of Programming Languages, POPL 2024 - London, United Kingdom Duration: 15 Jan 2024 → 16 Jan 2024

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	14500 LNCS

Conference

Conference	25th International Conference on Verification, Model Checking, and Abstract Interpretation, VMCAI 2024 was co-located with 51st ACM SIGPLAN Symposium on Principles of Programming Languages, POPL 2024
Country/Territory	United Kingdom
City	London
Period	15/01/24 → 16/01/24

All Science Journal Classification (ASJC) codes

Theoretical Computer Science
General Computer Science

Access to Document

10.1007/978-3-031-50521-8_5

Cite this

Reshef, R., Kabaha, A., Seleznova, O., & Drachsler-Cohen, D. (2024). Verification of Neural Networks’ Local Differential Classification Privacy. In R. Dimitrova, O. Lahav, & S. Wolff (Eds.), Verification, Model Checking, and Abstract Interpretation - 25th International Conference, VMCAI 2024, Proceedings (pp. 98-123). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 14500 LNCS). Springer Science and Business Media Deutschland GmbH. https://doi.org/10.1007/978-3-031-50521-8_5

Reshef, Roie ; Kabaha, Anan ; Seleznova, Olga et al. / Verification of Neural Networks’ Local Differential Classification Privacy. Verification, Model Checking, and Abstract Interpretation - 25th International Conference, VMCAI 2024, Proceedings. editor / Rayna Dimitrova ; Ori Lahav ; Sebastian Wolff. Springer Science and Business Media Deutschland GmbH, 2024. pp. 98-123 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{fd16acd8176842fbafbfbab2c1a05b66,

title = "Verification of Neural Networks{\textquoteright} Local Differential Classification Privacy",

abstract = "Neural networks are susceptible to privacy attacks. To date, no verifier can reason about the privacy of individuals participating in the training set. We propose a new privacy property, called local differential classification privacy (LDCP), extending local robustness to a differential privacy setting suitable for black-box classifiers. Given a neighborhood of inputs, a classifier is LDCP if it classifies all inputs the same regardless of whether it is trained with the full dataset or whether any single entry is omitted. A naive algorithm is highly impractical because it involves training a very large number of networks and verifying local robustness of the given neighborhood separately for every network. We propose Sphynx, an algorithm that computes an abstraction of all networks, with a high probability, from a small set of networks, and verifies LDCP directly on the abstract network. The challenge is twofold: network parameters do not adhere to a known distribution probability, making it difficult to predict an abstraction, and predicting too large abstraction harms the verification. Our key idea is to transform the parameters into a distribution given by KDE, allowing to keep the over-approximation error small. To verify LDCP, we extend a MILP verifier to analyze an abstract network. Experimental results show that by training only 7\% of the networks, Sphynx predicts an abstract network obtaining 93 \% verification accuracy and reducing the analysis time by 1.7 · 104 x.",

author = "Roie Reshef and Anan Kabaha and Olga Seleznova and Dana Drachsler-Cohen",

note = "Publisher Copyright: {\textcopyright} 2024, The Author(s), under exclusive license to Springer Nature Switzerland AG.; 25th International Conference on Verification, Model Checking, and Abstract Interpretation, VMCAI 2024 was co-located with 51st ACM SIGPLAN Symposium on Principles of Programming Languages, POPL 2024 ; Conference date: 15-01-2024 Through 16-01-2024",

year = "2024",

doi = "10.1007/978-3-031-50521-8\_5",

language = "الإنجليزيّة",

isbn = "9783031505201",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer Science and Business Media Deutschland GmbH",

pages = "98--123",

editor = "Rayna Dimitrova and Ori Lahav and Sebastian Wolff",

booktitle = "Verification, Model Checking, and Abstract Interpretation - 25th International Conference, VMCAI 2024, Proceedings",

address = "ألمانيا",

}

Reshef, R, Kabaha, A, Seleznova, O & Drachsler-Cohen, D 2024, Verification of Neural Networks’ Local Differential Classification Privacy. in R Dimitrova, O Lahav & S Wolff (eds), Verification, Model Checking, and Abstract Interpretation - 25th International Conference, VMCAI 2024, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 14500 LNCS, Springer Science and Business Media Deutschland GmbH, pp. 98-123, 25th International Conference on Verification, Model Checking, and Abstract Interpretation, VMCAI 2024 was co-located with 51st ACM SIGPLAN Symposium on Principles of Programming Languages, POPL 2024, London, United Kingdom, 15/01/24. https://doi.org/10.1007/978-3-031-50521-8_5

Verification of Neural Networks’ Local Differential Classification Privacy. / Reshef, Roie; Kabaha, Anan; Seleznova, Olga et al.
Verification, Model Checking, and Abstract Interpretation - 25th International Conference, VMCAI 2024, Proceedings. ed. / Rayna Dimitrova; Ori Lahav; Sebastian Wolff. Springer Science and Business Media Deutschland GmbH, 2024. p. 98-123 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 14500 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Verification of Neural Networks’ Local Differential Classification Privacy

AU - Reshef, Roie

AU - Kabaha, Anan

AU - Seleznova, Olga

AU - Drachsler-Cohen, Dana

PY - 2024

Y1 - 2024

N2 - Neural networks are susceptible to privacy attacks. To date, no verifier can reason about the privacy of individuals participating in the training set. We propose a new privacy property, called local differential classification privacy (LDCP), extending local robustness to a differential privacy setting suitable for black-box classifiers. Given a neighborhood of inputs, a classifier is LDCP if it classifies all inputs the same regardless of whether it is trained with the full dataset or whether any single entry is omitted. A naive algorithm is highly impractical because it involves training a very large number of networks and verifying local robustness of the given neighborhood separately for every network. We propose Sphynx, an algorithm that computes an abstraction of all networks, with a high probability, from a small set of networks, and verifies LDCP directly on the abstract network. The challenge is twofold: network parameters do not adhere to a known distribution probability, making it difficult to predict an abstraction, and predicting too large abstraction harms the verification. Our key idea is to transform the parameters into a distribution given by KDE, allowing to keep the over-approximation error small. To verify LDCP, we extend a MILP verifier to analyze an abstract network. Experimental results show that by training only 7% of the networks, Sphynx predicts an abstract network obtaining 93 % verification accuracy and reducing the analysis time by 1.7 · 104 x.

AB - Neural networks are susceptible to privacy attacks. To date, no verifier can reason about the privacy of individuals participating in the training set. We propose a new privacy property, called local differential classification privacy (LDCP), extending local robustness to a differential privacy setting suitable for black-box classifiers. Given a neighborhood of inputs, a classifier is LDCP if it classifies all inputs the same regardless of whether it is trained with the full dataset or whether any single entry is omitted. A naive algorithm is highly impractical because it involves training a very large number of networks and verifying local robustness of the given neighborhood separately for every network. We propose Sphynx, an algorithm that computes an abstraction of all networks, with a high probability, from a small set of networks, and verifies LDCP directly on the abstract network. The challenge is twofold: network parameters do not adhere to a known distribution probability, making it difficult to predict an abstraction, and predicting too large abstraction harms the verification. Our key idea is to transform the parameters into a distribution given by KDE, allowing to keep the over-approximation error small. To verify LDCP, we extend a MILP verifier to analyze an abstract network. Experimental results show that by training only 7% of the networks, Sphynx predicts an abstract network obtaining 93 % verification accuracy and reducing the analysis time by 1.7 · 104 x.

UR - http://www.scopus.com/inward/record.url?scp=85181984401&partnerID=8YFLogxK

U2 - 10.1007/978-3-031-50521-8_5

DO - 10.1007/978-3-031-50521-8_5

M3 - منشور من مؤتمر

SN - 9783031505201

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 98

EP - 123

BT - Verification, Model Checking, and Abstract Interpretation - 25th International Conference, VMCAI 2024, Proceedings

A2 - Dimitrova, Rayna

A2 - Lahav, Ori

A2 - Wolff, Sebastian

PB - Springer Science and Business Media Deutschland GmbH

T2 - 25th International Conference on Verification, Model Checking, and Abstract Interpretation, VMCAI 2024 was co-located with 51st ACM SIGPLAN Symposium on Principles of Programming Languages, POPL 2024

Y2 - 15 January 2024 through 16 January 2024

ER -

Reshef R, Kabaha A, Seleznova O, Drachsler-Cohen D. Verification of Neural Networks’ Local Differential Classification Privacy. In Dimitrova R, Lahav O, Wolff S, editors, Verification, Model Checking, and Abstract Interpretation - 25th International Conference, VMCAI 2024, Proceedings. Springer Science and Business Media Deutschland GmbH. 2024. p. 98-123. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-031-50521-8_5

Verification of Neural Networks’ Local Differential Classification Privacy

Abstract

Publication series

Conference

All Science Journal Classification (ASJC) codes

Access to Document

Other files and links

Fingerprint

Cite this