6.4.10 · HinglishAI Safety & Alignment

Privacy (differential privacy, membership inference)

2,885 words13 min readRead in English

6.4.10 · AI-ML › AI Safety & Alignment

Overview

Machine learning models training data memorize kar sakte hain, jo serious privacy risks paida karta hai. Do key concepts isse protect karte hain:

  1. Differential Privacy (DP): Ek mathematical framework jo guarantee karta hai ki kisi bhi individual ka data model outputs pe minimal impact kare
  2. Membership Inference Attacks: Adversarial techniques jo determine karti hain ki koi specific record training set mein tha ya nahi

Ye dono complementary perspectives form karte hain: DP defense hai, aur membership inference woh attack hai jo is defense ko motivate karti hai.


Core Intuition


Differential Privacy: The Mathematical Defense

Privacy Guarantee Derive Karna

Step 1: "Neighboring datasets" ka matlab kya hai?

"Neighboring" ki do standard definitions hain, aur ye sensitivity ko 2 ke factor se change kar deti hain:

  • Add/Remove definition: woh hai jisme ek record add ya remove kiya gaya ho. .
  • Replace-one definition: woh hai jisme ek record replace kiya gaya ho kisi aur se. .

Example (add/remove):

  • (ek extra person)

Ye kyun matter karta hai: Add/remove ke under, ek summed query zyada se zyada ek record ke contribution se change hoti hai. Replace-one ke under, ye do records ke worth se change ho sakti hai (old remove + new add), jo sensitivity double kar deta hai. Hum clearly batate hain ki hum neeche har derivation mein kaunsi definition use kar rahe hain.

Step 2: Exponential bound kyun?

Probabilities ka ratio lo:

Ye form kyun? Exponential, ε ko composition ke under additive banata hai (hum dekhenge ki ye kyun matter karta hai). Chhote ε ke liye, , matlab probabilities "close" hain.

Step 3: "Mechanism" kya hota hai?

Ek mechanism koi bhi aisa algorithm hai jo data leta hai aur output produce karta hai. ML ke liye:

  • Gradients compute karna
  • Model parameters release karna
  • Data statistics ke baare mein queries answer karna

Guarantee: Unlimited computational power wala adversary, dekhke, confidently determine nahi kar sakta ki koi specific individual mein hai ya nahi.

Ye step kyun? Laplace distribution ke exponential tails bilkul wohi bound create karte hain jo humein chahiye. Gaussian noise pure DP satisfy nahi karta (though approximate DP satisfy karta hai).

DP-SGD: Deep Learning mein Differential Privacy

Standard SGD compute karta hai:

Problem: Har gradient individual ke baare mein unbounded information contain kar sakta hai.

DP-SGD Fix (Abadi et al., 2016):

  1. Har gradient clip karo:

    • Kyun? Har per-example gradient norm ko tak bound karta hai. Add/remove neighboring definition ke under, clipped gradient ko sum se remove karne par woh at most change hota hai, isliye summed gradient ki sensitivity hai. (Replace-one definition ke under ye hoti, kyunki aap norm wala ek contribution remove karte ho aur ek add karte ho.) Hum throughout add/remove use karte hain.
  2. Gaussian noise add karo: Summed clipped gradient mein noise add karo jiska standard deviation sensitivity ke proportional ho:

    • Bahar kyun? Noise sum ki sensitivity () ke hisaab se calibrate hota hai, phir poora sum (signal + noise) se average hota hai. Equivalently, averaged gradient mein add hone wale noise ka standard deviation per coordinate hai. Dono statements same mechanism describe karte hain; noise sum ki sensitivity ke liye scale hota hai averaging se pehle.
    • Gaussian kyun? Hum (ε, δ)-DP (approximate DP) use karte hain jahan chhota failure probability δ acceptable hai.
  3. Update:

Privacy accounting: Poisson subsampling rate ke saath steps ke baad, privacy degrade hoti hai. Subsampled Gaussian mechanism ke liye moments accountant / advanced-composition bound hai:

Ye scaling kyun? Privacy loss ke roop mein accumulate hoti hai (linearly nahi!) advanced composition ki wajah se, aur subsampling se factor ke through amplify hoti hai: ek individual sirf fraction of steps mein appear karta hai. Dhyan do ki sensitivity aur batch size yahan alag-alag appear nahi karte — ye noise multiplier mein absorb ho jaate hain (noise std ka sensitivity se ratio), jo actually privacy control karta hai.


Membership Inference Attacks: The Threat

Models Membership Kyun Leak Karte Hain

Core insight: Models training data pe overfit ho jaate hain, train vs test examples pe alag behave karte hain.

Signal 1: Confidence

  • Training examples → high confidence predictions
  • Test examples → lower confidence

Kyun? Model ne training examples ko kai baar "dekha" hai, details memorize kar li hain.

Signal 2: Loss value

  • Training loss < Test loss (overfitting ki definition se)
  • Agar unusually low hai, toh likely training set mein hai

Classic Attack (Shokri et al., 2017)

Setup:

  • Target model jo pe trained hai
  • Attacker ke paas ka access hai (black-box queries)
  • Attacker similar data pe shadow models train karta hai

Attack Steps:

  1. Shadow models train karo: datasets pe

    • Kyun? Target model ke behavior ko simulate karo taaki training data generate ho sake
  2. Attack training set banao:

    • Har shadow model ke liye, examples ko "in" ya "out" of training label karo
    • Features: prediction vector
  3. Binary classifier train karo:

    • Input: prediction confidence scores
    • Output: membership prediction
  4. Target pe apply karo: use karke membership infer karo


The DP-Privacy Connection

Privacy-Utility Tradeoff

Fundamental tension:

  • Low ε (strong privacy): Bada noise chahiye → poor model accuracy
  • High ε (weak privacy): Kam noise → better accuracy lekin zyada leakage

Practical values:

  • ε < 1: Strong privacy, significant utility loss
  • ε = 1-10: Moderate privacy, acceptable utility
  • ε > 10: Weak privacy, minimal utility impact

Free lunch kyun nahi? Information-theoretically, learning ke liye data se signal extract karna zaroori hai. Privacy ke liye individual contributions chhupana zaroori hai. Ye goals conflict karte hain.


Common Mistakes

Concept Map

creates

motivates

attack

defense

determines record in training set

guarantees via

defined over

add/remove or replace-one

scales

applies to

bounds impact of

counters

Model memorizes training data

Privacy risk

Two key concepts

Membership Inference

Differential Privacy

epsilon-DP bound e^epsilon

Neighboring datasets

Sensitivity

Randomized mechanism M

Gradients and parameters

Any individual record