Modeling Neural Networks with Privacy Using Neural Stochastic Differential Equations
Sanghyun Hong 1, Fan Wu 2, Anthony Gruber 3, Kookjin Lee 2
Published on arXiv
2501.06686
Membership Inference Attack
OWASP ML Top 10 — ML04
Key Finding
NSDEs achieve membership inference risk levels comparable to DP-SGD-trained models while providing an improved privacy-utility tradeoff and formal differential privacy guarantees.
Neural Stochastic Differential Equations (NSDEs)
Novel technique introduced
In this work, we study the feasibility of using neural ordinary differential equations (NODEs) to model systems with intrinsic privacy properties. Unlike conventional feedforward neural networks, which have unlimited expressivity and can represent arbitrary mappings between inputs and outputs, NODEs constrain their learning to the solution of a system of differential equations. We first examine whether this constraint reduces memorization and, consequently, the membership inference risks associated with NODEs. We conduct a comprehensive evaluation of NODEs under membership inference attacks and show that they exhibit twice the resistance compared to conventional models such as ResNets. By analyzing the variance in membership risks across different NODE models, we find that their limited expressivity leads to reduced overfitting to the training data. We then demonstrate, both theoretically and empirically, that membership inference risks can be further mitigated by utilizing a stochastic variant of NODEs: neural stochastic differential equations (NSDEs). We show that NSDEs are differentially-private (DP) learners that provide the same provable privacy guarantees as DP-SGD, the de-facto mechanism for training private models. NSDEs are also effective in mitigating membership inference attacks, achieving risk levels comparable to private models trained with DP-SGD while offering an improved privacy-utility trade-off. Moreover, we propose a drop-in-replacement strategy that efficiently integrates NSDEs into conventional feedforward architectures to enhance their privacy.
Key Contributions
- Comprehensive empirical evaluation showing NODEs exhibit ~2x resistance to membership inference attacks compared to standard ResNets due to constrained expressivity reducing overfitting
- Theoretical and empirical proof that NSDEs are differentially-private learners, providing the same provable guarantees as DP-SGD while offering a better privacy-utility tradeoff
- Drop-in-replacement strategy for integrating NSDEs into conventional feedforward architectures to enhance their privacy
🛡️ Threat Analysis
The paper centers on evaluating and mitigating membership inference attacks (MIA) against NODEs and NSDEs. It empirically measures MIA resistance, shows NODEs have 2x resistance vs ResNets, and demonstrates NSDEs match DP-SGD privacy guarantees — the entire adversarial threat model is membership inference.