CRLG, Dec 2, 2024

Adversarial Sample-Based Approach for Tighter Privacy Auditing in Final Model-Only Scenarios

arXiv:2412.01756v2, 1 citation, h-index: 6
Originality: Incremental advance
AI Analysis

This work provides a practical framework for more reliable and accurate privacy auditing in differentially private machine learning, addressing a specific bottleneck for practitioners in the field.

The paper tackles the challenge of auditing Differentially Private Stochastic Gradient Descent (DP-SGD) in final model-only scenarios, where empirical lower bounds are often looser than the theoretical guarantees. It introduces a method that crafts worst-case adversarial samples to obtain tighter bounds: on MNIST, with a theoretical budget of ε=10.0, the empirical lower bound improves from 4.385 to 4.914.

Auditing Differentially Private Stochastic Gradient Descent (DP-SGD) in the final model setting is challenging and often results in empirical lower bounds that are significantly looser than theoretical privacy guarantees. We introduce a novel auditing method that achieves tighter empirical lower bounds without additional assumptions by crafting worst-case adversarial samples through loss-based input-space auditing. Our approach surpasses traditional canary-based heuristics and is effective in final model-only scenarios. Specifically, with a theoretical privacy budget of $\varepsilon = 10.0$, our method achieves empirical lower bounds of $4.914$, compared to the baseline of $4.385$ for MNIST. Our work offers a practical framework for reliable and accurate privacy auditing in differentially private machine learning.
