On the effect of normalization layers on Differentially Private training of deep Neural networks
This work addresses privacy threats in deep learning for sensitive data, but it is incremental as it builds on existing DPSGD methods.
The paper tackles the problem of accuracy reduction in differentially private deep neural network training by studying the effect of normalization layers, and it proposes a method to integrate batch normalization without extra privacy loss, enabling deeper networks and improved utility-privacy trade-offs.
Differentially private stochastic gradient descent (DPSGD) is a variation of stochastic gradient descent based on the Differential Privacy (DP) paradigm, which can mitigate privacy threats that arise from the presence of sensitive information in training data. However, one major drawback of training deep neural networks with DPSGD is a reduction in the models accuracy. In this paper, we study the effect of normalization layers on the performance of DPSGD. We demonstrate that normalization layers significantly impact the utility of deep neural networks with noisy parameters and should be considered essential ingredients of training with DPSGD. In particular, we propose a novel method for integrating batch normalization with DPSGD without incurring an additional privacy loss. With our approach, we are able to train deeper networks and achieve a better utility-privacy trade-off.