Weights Shuffling for Improving DPSGD in Transformer-based Models

Differential Privacy (DP) mechanisms, especially in high-dimensional settings, often face the challenge of maintaining privacy without compromising the data utility. This work introduces an innovative shuffling mechanism in Differentially-Private Stochastic Gradient Descent (DPSGD) to enhance the utility of large models at the same privacy guarantee of the unshuffled case. Specifically, we reveal that random shuffling brings additional randomness to the trajectory of gradient descent while not impacting the model accuracy by the permutation invariance property -- the model can be equivalently computed in both forward and backward propagations under permutation. We show that permutation indeed improves the privacy guarantee of DPSGD in theory, but tracking the exact privacy loss on shuffled model is particularly challenging. Hence we exploit the approximation on sum of lognormal distributions to derive the condition for the shuffled DPSGD to meet the DP guarantee. Auditing results show that our condition offers a DP guarantee quite close to the audited privacy level, demonstrating our approach an effective estimation in practice. Experimental results have verified our theoretical derivation and illustrate that our mechanism improves the accuracy of DPSGD over the state-of-the-art baselines on a variety of models and tasks.

Crafter: Facial Feature Crafting against Inversion-based Identity Theft on Deep Models

With the increased capabilities at the edge (e.g., mobile device) and more stringent privacy requirement, it becomes a recent trend for deep learning-enabled applications to pre-process sensitive raw data at the edge and transmit the features to the backend cloud for further processing. A typical application is to run machine learning (ML) services on facial images collected from different individuals. To prevent identity theft, conventional methods commonly rely on an adversarial game-based approach to shed the identity information from the feature. However, such methods can not defend against adaptive attacks, in which an attacker takes a countermove against a known defence strategy. We propose Crafter, a feature crafting mechanism deployed at the edge, to protect the identity information from adaptive model inversion attacks while ensuring the ML tasks are properly carried out in the cloud. The key defence strategy is to mislead the attacker to a non-private prior from which the attacker gains little about the private identity. In this case, the crafted features act like poison training samples for attackers with adaptive model updates. Experimental results indicate that Crafter successfully defends both basic and possible adaptive attacks, which can not be achieved by state-of-the-art adversarial game-based methods.

Unconstrained Two-parallel-plane Model for Focused Plenoptic Cameras Calibration

The plenoptic camera can capture both angular and spatial information of the rays, enabling 3D reconstruction by single exposure. The geometry of the recovered scene structure is affected by the calibration of the plenoptic camera significantly. In this paper, we propose a novel unconstrained two-parallel-plane (TPP) model with 7 parameters to describe a 4D light field. By reconstructing scene points from ray-ray association, a 3D projective transformation is deduced to establish the relationship between the scene structure and the TPP parameters. Based on the transformation, we simplify the focused plenoptic camera as a TPP model and calibrate its intrinsic parameters. Our calibration method includes a close-form solution and a nonlinear optimization by minimizing re-projection error. Experiments on both simulated data and real scene data verify the performance of the calibration on the focused plenoptic camera.