Privacy-preserving Learning via Deep Net Pruning

Abstract

Neural network pruning has demonstrated its success in significantly improving the computational efficiency of deep models while introducing only a small reduction in final accuracy. In this paper, we explore an extra bonus of neural network pruning in terms of enhancing privacy. Specifically, we show a novel connection between magnitude-based pruning and adding differentially private noise to intermediate layers under the over-parameterized regime. To the best of our knowledge, this is the first work that bridges pruning with the theory of differential privacy. The paper also presents experimental results from running model inversion attacks on two benchmark datasets, which support the theoretical finding.

1. Introduction

Data privacy has become one of the top concerns in the application of deep neural networks, since there is an increasing demand to train deep models on private data sets. For example, hospitals are now training their automated diagnosis systems on private patients' data Litjens et al. (2016); Lakhani & Sundaram (2017); De Fauw et al. (2018); and advertisement providers are collecting users' online trajectories to optimize their learning-based recommendation algorithms Covington et al. (2016); Ying et al. (2018). These private data, however, are usually subject to regulations such as the California Consumer Privacy Act (CCPA) Legislature (2018), the Health Insurance Portability and Accountability Act (HIPAA) Act (1996), and the General Data Protection Regulation (GDPR) of the European Union.

Differential privacy (DP) Dwork et al. (2006b); Dwork (2009); Dwork & Roth (2014) has emerged, over the past few years, as a strong standard for providing theoretical privacy guarantees for algorithms on aggregate databases. The core idea of achieving differential privacy is to add controlled noise to the output of a deterministic function, such that the output cannot be used to infer much about any single individual in the database. Recent years have seen an increasing number of applications that adapt differential privacy mechanisms to address privacy concerns in deep learning Shokri & Shmatikov (2015); Abadi et al. (2016); Phan et al. (2016); McMahan et al. (2018).

Neural network pruning (or pruning for short), a seemingly orthogonal field to privacy, has also been the subject of a great amount of work in recent years. Pruning aims to reduce the number of model parameters, so that the compressed model can be deployed even under the memory constraints of edge devices. Various pruning techniques have succeeded in significantly compressing models with little or no loss of accuracy Han et al. (2015; 2016a); Li et al. (2016); Ding et al. (2018); Evci et al. (2019); Tanaka et al. (2020). However, the majority of existing literature demonstrates the benefits of pruning only in terms of energy saving and inference speedup; in this work, we investigate another interesting bonus of pruning: preserving data privacy. Our investigation is mainly inspired by the observation that neural network pruning makes inversion from hidden layers harder as the percentage of remaining weights decreases (see Figure 1). Motivated by this empirical observation, we build on the over-parameterized regime of deep learning theory and show an interesting connection between neural network pruning and adding differentially private noise to intermediate layers. We believe this con-
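To make the two operations being connected concrete, the following is a minimal illustrative sketch (not the paper's actual method) of the two mechanisms discussed above: magnitude-based pruning, which keeps only the largest-magnitude weights and zeroes the rest, and additive Gaussian noise of the kind used by differential privacy mechanisms. The function names and the `keep_ratio` parameter are hypothetical, chosen for illustration only.

```python
import random

def magnitude_prune(weights, keep_ratio):
    """Magnitude-based pruning sketch: retain the `keep_ratio` fraction
    of weights with the largest absolute value; zero out the rest."""
    k = int(len(weights) * keep_ratio)
    # Indices of the k largest-magnitude weights.
    order = sorted(range(len(weights)), key=lambda i: abs(weights[i]), reverse=True)
    keep = set(order[:k])
    return [w if i in keep else 0.0 for i, w in enumerate(weights)]

def gaussian_perturb(values, sigma, rng=None):
    """Add zero-mean Gaussian noise to each value, as in the Gaussian
    mechanism commonly used to achieve differential privacy."""
    rng = rng or random.Random(0)
    return [v + rng.gauss(0.0, sigma) for v in values]

w = [0.9, -0.05, 0.4, 0.01, -0.7]
print(magnitude_prune(w, 0.6))   # keeps the 3 largest-magnitude weights
print(gaussian_perturb(w, 0.1))  # noisy version of the same weights
```

Both operations perturb a layer's parameters or activations away from their exact values; the paper's theoretical contribution is to relate the effect of the former to the privacy noise of the latter in the over-parameterized regime.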

