Differential privacy generative adversarial network algorithm with dynamic gradient threshold clipping

doi:10.11772/j.issn.1001-9081.2022071114

Abstract

Abstract:

Most of the existing methods combining Generative Adversarial Network （GAN） and differential privacy use gradient perturbation to achieve privacy protection， that is in the process of optimization， the gradient clipping technology was used to constrain the sensitivity of the optimizer to single data， and random noise is added to the clipped gradient to achieve the purpose of model protection. However， most methods take the clipping threshold as a fixed parameter during training. Whether the threshold is too large or too small， the performance of the model will be affected. To solve this problem， DGC_DPGAN （Dynamic Gradient Clipping Differential Privacy Generative Adversarial Network） with dynamic gradient threshold clipping was proposed to consider privacy protection and model performance at the same time. In this algorithm， combined with the pre-training technology， in the process of optimization， the mean gradient F-norm value of each batch of privacy data was obtained as the dynamic gradient clipping threshold at first， and then the gradient was perturbed. Considering different clipping orders， CLIP_DGC_DPGAN （Clip Dynamic Gradient Clipping Differential Privacy Generative Adversarial Network）， which clipping first and adding noise after， and DGC_DPGAN， which adding noise first and clipping after， were proposed， and Rényi Accountant was used to calculate the privacy loss. Experimental results show that under the same privacy budget， the two proposed dynamic gradient clipping algorithms are better than the fixed gradient threshold clipping method. On Mnist dataset， the two proposed algorithm has the Inception Score （IS）， Structural SIMilarity （SSIM）， and Convolutional Neural Network （CNN） classification accuracy improved by 0.32 to 3.92， 0.03 to 0.27， and 7% to 44% respectively； on Fashion-Mnist dataset， the two proposed algorithm has the IS， SSIM， and CNN classification accuracy improved by 0.40 to 4.32， 0.01 to 0.44 and 20% to 51% respectively. At the same time， the usability of the images generated by GAN model is better.

Key words: Generative Adversarial Network (GAN), differential privacy, dynamic gradient threshold clipping, Rényi Accountant

摘要：

现有的生成对抗网络（GAN）和差分隐私相结合的方法大多采用梯度扰动的方法实现隐私保护，即在优化过程中利用梯度裁剪技术来约束优化器对单个数据的敏感性，并对裁剪后的梯度添加随机噪声以达到保护模型的目的。然而大多数方法在训练时裁剪阈值固定，而阈值过大或过小均会影响模型的性能。针对该问题，提出动态梯度阈值裁剪的DGC_DPGAN （Dynamic Gradient Clipping Differential Privacy Generative Adversarial Network）算法以兼顾隐私保护和模型的性能。该算法结合预训练技术，在优化过程中先求取每批次隐私数据的梯度F-范数均值作为动态梯度裁剪阈值，再对梯度进行扰动。考虑不同的裁剪顺序，提出先裁剪再加噪的CLIP_DGC_DPGAN （Clip Dynamic Gradient Clipping Differential Privacy Generative Adversarial Network）算法和先加噪再裁剪的DGC_DPGAN算法，并采用Rényi Accountant求取隐私损失。实验结果表明，在相同的隐私预算下，所提出的两种动态梯度裁剪算法与固定梯度阈值裁剪方法相比更优：在Mnist数据集上，所提两种算法在IS（Inception Score）、结构相似性（SSIM）、卷积神经网络（CNN）分类准确率上分别提升了0.32~3.92，0.03~0.27，7%~44%；在Fashion-Mnist数据集上，所提两种算法在IS、SSIM、CNN分类准确率上分别提升了0.40~4.32，0.01~0.44，20%~51%。同时，GAN模型生成图像的可用性更好。

关键词: 生成对抗网络, 差分隐私, 动态梯度阈值裁剪, Rényi Accountant

CLC Number:

TP309.2

Shaoquan CHEN, Jianping CAI, Lan SUN. Differential privacy generative adversarial network algorithm with dynamic gradient threshold clipping[J]. Journal of Computer Applications, 2023, 43(7): 2065-2072.

陈少权, 蔡剑平, 孙岚. 动态梯度阈值裁剪的差分隐私生成对抗网络算法[J]. 《计算机应用》唯一官方网站, 2023, 43(7): 2065-2072.

Figures/Tables 10

Fig. 1 Framework of DPGAN

Fig. 2 Overall Structure of GAN model

Fig. 3 CLIP_DGC_DPGAN algorithm flow

Fig. 4 DGC_DPGAN algorithm flow

Tab. 1 Setting of experimental parameters

变量名	描述	默认值
$δ 0$	隐私偏差	0.000 01
$α$	RDP约束	—
$ε$	隐私预算	—
$T$	实验最大迭代次数	100 000
$l r$	学习率	0.000 2
$ε 0$	总的隐私预算	—
$σ$	噪声规模	—
$C$	动态梯度裁剪阈值	—

Tab. 1 Setting of experimental parameters

变量名	描述	默认值
$δ 0$	隐私偏差	0.000 01
$α$	RDP约束	—
$ε$	隐私预算	—
$T$	实验最大迭代次数	100 000
$l r$	学习率	0.000 2
$ε 0$	总的隐私预算	—
$σ$	噪声规模	—
$C$	动态梯度裁剪阈值	—

Tab. 2 Description of experimental algorithms

算法	描述
DGC_DPGAN	本文提出的先进行梯度扰动再进行梯度裁剪的动态梯度裁剪DPGAN算法
CLIP_DGC_DPGAN	本文提出的先进行梯度裁剪再进行梯度扰动的动态梯度裁剪DPGAN算法
PPGAN^［11］	满足差分隐私保护的固定梯度裁剪算法
DPCGAN^［9］	将判别器优化过程进行分离的基于梯度扰动的固定梯度裁剪算法
GAN_NOISY_LAYER^［12］	在判别器中添加服从高斯分布的随机噪声层满足差分隐私的隐私保护算法
DPACGAN^［21］	自适应裁剪算法

Fig. 5 Generated images on two datasets under (5,10-5)-DP

Tab. 3 Results of IS under (5,10-5)-DP and (10,10-5)-DP

算法	$(5, 10 - 5)$ -DP		$(10, 10 - 5)$ -DP
算法	Mnist	Fashion-Mnist	Mnist	Fashion-Mnist
真实值	9.36	9.21	9.36	9.21
NO PRIVACY	8.54	7.97	8.54	7.97
DGC_DPGAN	8.31	7.80	8.27	7.89
CLIP_DGC_DPGAN	7.82	7.19	8.09	7.78
DPACGAN	7.60	7.02	7.77	7.38
GAN_NOISY_LAYER	6.50	4.72	6.84	6.39
PPGAN	4.39	3.94	5.67	4.53
DPCGAN	3.19	3.56	4.35	3.57

Tab. 3 Results of IS under (5,10-5)-DP and (10,10-5)-DP

算法	$(5, 10 - 5)$ -DP		$(10, 10 - 5)$ -DP
算法	Mnist	Fashion-Mnist	Mnist	Fashion-Mnist
真实值	9.36	9.21	9.36	9.21
NO PRIVACY	8.54	7.97	8.54	7.97
DGC_DPGAN	8.31	7.80	8.27	7.89
CLIP_DGC_DPGAN	7.82	7.19	8.09	7.78
DPACGAN	7.60	7.02	7.77	7.38
GAN_NOISY_LAYER	6.50	4.72	6.84	6.39
PPGAN	4.39	3.94	5.67	4.53
DPCGAN	3.19	3.56	4.35	3.57

Tab. 4 Results of SSIM under (5,10-5)-DP and (10,10-5)-DP

算法	$(5, 10 - 5)$ -DP		$(10, 10 - 5)$ -DP
算法	Mnist	Fashion-Mnist	Mnist	Fashion-Mnist
DGC_DPGAN	0.84	0.77	0.86	0.77
CLIP_DGC_DPGAN	0.80	0.76	0.82	0.76
DPACGAN	0.79	0.73	0.79	0.75
GAN_NOISY_LAYER	0.55	0.46	0.69	0.54
PPGAN	0.74	0.70	0.76	0.72
DPCGAN	0.42	0.33	0.59	0.33

Tab. 4 Results of SSIM under (5,10-5)-DP and (10,10-5)-DP

算法	$(5, 10 - 5)$ -DP		$(10, 10 - 5)$ -DP
算法	Mnist	Fashion-Mnist	Mnist	Fashion-Mnist
DGC_DPGAN	0.84	0.77	0.86	0.77
CLIP_DGC_DPGAN	0.80	0.76	0.82	0.76
DPACGAN	0.79	0.73	0.79	0.75
GAN_NOISY_LAYER	0.55	0.46	0.69	0.54
PPGAN	0.74	0.70	0.76	0.72
DPCGAN	0.42	0.33	0.59	0.33

Tab. 5 CNN classification accuracy under (10,10-5)-DP

算法	Mnist	Fashion-Mnist
真实值	99	91
NO PRIVACY	96	73
DGC_DPGAN	91	68
CLIP_DGC_DPGAN	86	65
PPGAN	74	45
GAN_NOISY_LAYER	67	48
DPACGAN	80	54
DPCGAN	63	54

References 21

1	GOODFELLOW I， POUGET-ABADIE J， MIRZA M， et al. Generative adversarial nets ［C］// Proceedings of the 27th International Conference on Neural Information Processing Systems — Volume 2. Cambridge： MIT Press， 2014： 2672-2680.
2	CIREŞAN D C， GIUSTI A， GAMBARDELLA L M， et al. Deep neural networks segment neuronal membranes in electron microscopy images ［C］// Proceedings of the 25th International Conferences on Neural Information Processing Systems — Volume 2. Red Hook， NY： Curran Associates Inc.， 2012： 2843-2851. 10.1007/978-3-642-40763-5_51
3	HINTON G， DENG L， YU D， et al. Deep neural networks for acoustic modeling in speech recognition： the shared views of four research groups［J］. IEEE Signal Processing Magazine， 2012， 29 （6）： 82-97. 10.1109/msp.2012.2205597
4	ZHU J Y， PARK T， ISOLA P， et al. Unpaired image-to-image translation using cycle-consistent adversarial networks ［C］// Proceedings of the 2017 IEEE International Conference on Computer Vision. Piscataway： IEEE， 2017： 2242-2251. 10.1109/iccv.2017.244
5	HITAJ B， ATENIESE G， PEREZ-CRUZ F. Deep models under the GAN： information leakage from collaborative deep learning ［C］// Proceedings of the 2017 ACM SIGSAC Conferences on Computer and Communications Security. New York： ACM， 2017： 603-618. 10.1145/3133956.3134012
6	FREDRIKSON M， LANTZ E， JHA S， et al. Privacy in pharmacogenetics： an end-to-end case study of personalized warfarin dosing ［C］// Proceedings of the 23rd USENIX Secure Symposium. Berkeley： USENIX Association， 2014： 17-32.
7	DWORK C. Differential privacy ［C］// Proceedings of the 2016 International Colloquium on Automata， Languages and Programming， LNCS 4052. Berlin： Springer， 2016： 1-12.
8	XIE L Y， LIN K X， WANG S， et al. Differentially private generative adversarial network［EB/OL］. （2018-02-19）［2022-05-23］. .
9	TORKZADEHMAHANI R， KAIROUZ P， PATEN B. DP-CGAN： differentially private synthetic data and label generation ［C］// Proceedings of the 2019 IEEE/CVF Conference on Computer Vision and Pattern Recognition Workshops. Piscataway： IEEE， 2019： 98-104. 10.1109/cvprw.2019.00018
10	MA C， LI J， DING M， et al. RDP-GAN： a Rényi-differential privacy based generative adversarial network［J］. IEEE Transactions on Dependable and Secure Computing， 2023 （Early Access）： 1-15. 10.1109/tdsc.2022.3233580
11	LIU Y， PENG J L， YU J J Q， et al. PPGAN： privacy-preserving generative adversarial network ［C］// Proceedings of the IEEE 25th International Conference on Parallel and Distributed Systems. Piscataway： IEEE， 2019： 985-989. 10.1109/icpads47876.2019.00150
12	TRIASTCYN A， FALTINGS B. Generating differentially private datasets using GANs［EB/OL］. （2018-03-08）［2022-05-23］. . 10.3390/a15070232
13	ZHANG X Y， JI S L， WANG T. Differentially private releasing via deep generative model （technical report）［EB/OL］. （2018-03-25）［2022-05-23］. .
14	MIRONOY I. Rényi differential privacy ［C］// Proceedings of the IEEE 30th Computer Security Foundations Symposium. Piscataway： IEEE， 2017： 263-275. 10.1109/csf.2017.11
15	DWORK C， ROTH A. The algorithmic foundations of differential privacy［J］. Foundations and Trends in Theoretical Computer Science， 2014， 9 （3/4）： 211-407.
16	BU Z Q， DONG J S， LONG Q， et al. Deep learning with Gaussian differential privacy［J］. Harvard Data Science Review， 2020， 2 （3）： No.10.1162/99608f92.cfc5dd25.
17	MIRONOV I， TALWAR K， ZHANG L. Rényi differential privacy of the sampled Gaussian mechanism［EB/OL］. （2019-08-28）［2022-05-23］. . 10.1109/csf.2017.11
18	ASOODEH S， LIAO J C， CALMON F P， et al. Three variants of differential privacy： lossless conversion and applications［J］. IEEE Journal on Selected Areas in Information Theory， 2021， 2 （1）： 208-222. 10.1109/jsait.2021.3054692
19	ABADI M， CHU A， GOODFELLOW I， et al. Deep learning with differential privacy ［C］// Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. New York： ACM， 2016： 308-318. 10.1145/2976749.2978318
20	LIN Y， BAO L Y， LI Z M H， et al. Differential privacy protection over deep learning： an investigation of its impacted factors［J］. Computers and Security， 2020， 99： No.102061. 10.1016/j.cose.2020.102061
21	郭鹏，钟尚平，陈开志，等. 差分隐私GAN梯度裁剪阈值的自适应选取方法［J］. 网络与信息安全学报， 2018， 4 （5）： 10-20. 10.11959/j.issn.2096-109x.2018041
	GUO P， ZHONG S P， CHEN K Z， et al. Adaptive selection method of differential privacy GAN gradient clipping thresholds［J］. Chinese Journal of Network and Information Security， 2018， 4 （5）： 10-20. 10.11959/j.issn.2096-109x.2018041

[1]	Zhizheng ZHANG, Xiaojian ZHANG, Junqing WANG, Guanghui FENG. Federated spatial data publication method with differential privacy and secure aggregation [J]. Journal of Computer Applications, 2024, 44(9): 2777-2784.
[2]	Tingwei CHEN, Jiacheng ZHANG, Junlu WANG. Random validation blockchain construction for federated learning [J]. Journal of Computer Applications, 2024, 44(9): 2770-2776.
[3]	Li LIU, Haijin HOU, Anhong WANG, Tao ZHANG. Generative data hiding algorithm based on multi-scale attention [J]. Journal of Computer Applications, 2024, 44(7): 2102-2109.
[4]	Haoran WANG, Dan YU, Yuli YANG, Yao MA, Yongle CHEN. Domain transfer intrusion detection method for unknown attacks on industrial control systems [J]. Journal of Computer Applications, 2024, 44(4): 1158-1165.
[5]	Sunjie YU, Hui ZENG, Shiyu XIONG, Hongzhou SHI. Incentive mechanism for federated learning based on generative adversarial network [J]. Journal of Computer Applications, 2024, 44(2): 344-352.
[6]	Peng PENG, Zhiwei NI, Xuhui ZHU, Qian CHEN. Interference trajectory publication based on improved glowworm swarm algorithm and differential privacy [J]. Journal of Computer Applications, 2024, 44(2): 496-503.
[7]	Rui GAO, Xuebin CHEN, Zucuan ZHANG. Dynamic social network privacy publishing method for partial graph updating [J]. Journal of Computer Applications, 2024, 44(12): 3831-3838.
[8]	Xuebin CHEN, Liyang SHAN, Rumin GUO. Review of histogram publication methods based on differential privacy [J]. Journal of Computer Applications, 2024, 44(10): 3114-3121.
[9]	Xueran XU, Geng YANG, Yuxian HUANG. Differential privacy clustering algorithm in horizontal federated learning [J]. Journal of Computer Applications, 2024, 44(1): 217-222.
[10]	Hui ZHOU, Yuling CHEN, Xuewei WANG, Yangwen ZHANG, Jianjiang HE. Deep shadow defense scheme of federated learning based on generative adversarial network [J]. Journal of Computer Applications, 2024, 44(1): 223-232.
[11]	Anyang LIU, Huaici ZHAO, Wenlong CAI, Zechao XU, Ruideng XIE. Adaptive image deblurring generative adversarial network algorithm based on active discrimination mechanism [J]. Journal of Computer Applications, 2023, 43(7): 2288-2294.
[12]	Shuo HUANG, Yanhui LI, Jianqiu CAO. PrivSPM： frequent sequential pattern mining algorithm under local differential privacy [J]. Journal of Computer Applications, 2023, 43(7): 2057-2064.
[13]	Xin JIN, Yangchuan LIU, Yechen ZHU, Zijian ZHANG, Xin GAO. Sinogram inpainting for sparse-view cone-beam computed tomography image reconstruction based on residual encoder-decoder generative adversarial network [J]. Journal of Computer Applications, 2023, 43(6): 1950-1957.
[14]	Jiagao WU, Shiwen ZHANG, Yudong JIANG, Linfeng LIU. Social-interaction GAN for pedestrian trajectory prediction based on state-refinement long short-term memory and attention mechanism [J]. Journal of Computer Applications, 2023, 43(5): 1565-1570.
[15]	Jinwen GUO, Xinghua MA, Gongning LUO, Wei WANG, Yang CAO, Kuanquan WANG. Guidewire artifact removal method of structure-enhanced IVOCT based on Transformer [J]. Journal of Computer Applications, 2023, 43(5): 1596-1605.