Deep-learning models are data driven, and that data may contain sensitive information that requires privacy protection. Differential privacy (DP) is a formal framework for ensuring the privacy of individuals in datasets, so that adversarial users can’t learn whether any given data sample was or was not used to train a machine learning model. Employing DP in deep learning typically means capping the contribution that each training sample makes to the model’s parameter adjustments, an approach known as per-sample gradient clipping.
Per-sample gradient clipping, however, makes deep learning much more time consuming than it would be otherwise, impeding the development of large DP models — for instance, at the level of the GPT language models, with billions of parameters.
In 2022, in workshops at the International Conference on Machine Learning (ICML) and the Conference on Neural Information Processing Systems (NeurIPS), we presented two papers that advance DP for deep learning. In the first paper, "Automatic clipping: Differentially private deep learning made easier and stronger", we described an automatic method that improves the efficiency of tuning the gradient-clipping process by an order of magnitude (say, 5-10 times).
Typically, gradient clipping involves an expensive ablation study to select a clipping threshold above which a data sample’s contribution to the model’s parameter adjustments is cut off, or clipped. Our approach instead uses normalization, completely eliminating the tuning of the clipping threshold.
In the second paper, "Differentially private bias-term only fine-tuning of foundation models" (DP-BiTFiT), which won the Best Paper Award at the NeurIPS Workshop on Trustworthy and Socially Responsible Machine Learning (TSRML), we introduced BiTFiT, a parameter-efficient method for doing fine-tuning during DP learning.
Generally speaking, a neural network has two types of parameters: the weights, which constitute more than 99% of the parameters and capture most of the information from the training data, and the biases, which shift (offset) the model output. We show that privately fine-tuning the bias terms alone is enough to achieve high accuracy under DP constraints, make DP learning 2 to 30 times faster, reduce memory use by 50% to 88%, and incur only 1/1000 the communication cost in the distributed environment.
Together, these two techniques have made fine-tuning a DP-GPT-2 as efficient as fine-tuning a standard GPT-2 in a parameter-efficient manner. We have made both methods publicly available, to encourage researchers to experiment with and benefit from faster DP deep learning.
Automatic clipping
The deep-learning process includes a tunable hyperparameter called the learning rate, which determines the degree to which the model weights can change during updates. The per-sample gradient clipping threshold is similar, but it imposes a limit on a per-sample basis. The existing approach to DP training requires an ablation study to simultaneously tune the clipping threshold and the learning rate. As such, if K (say, five, in practice) different clipping thresholds are evaluated, this makes the model’s hyperparameter tuning stage K times more expensive.
To solve this problem, we introduced automatic clipping, using gradient normalization instead of per-sample gradient clipping. This (1) eliminates the clipping threshold, (2) enlarges the small gradients that were not clipped, and (3) provably optimizes performance. Equipped with our automatic clipping, the DP stochastic-gradient-descent-optimization algorithm (DP-SGD) has the same asymptotic convergence rate as the standard (non-DP) SGD, even in the nonconvex-optimization setting, where the deep learning optimization lies.
Our experiments across several computer vision and language tasks show that automatic clipping can achieve state-of-the-art DP accuracy, on par with per-sample clipping methods, without sacrificing the training efficiency or the privacy guarantee.
DP-BiTFiT
The first advantage of differentially private bias-term fine-tuning (DP-BiTFiT) is that it’s model agnostic; we can apply it to any model by simply freezing all weights during fine-tuning, updating only the bias terms. In sharp contrast, prior alternatives such as low-rank adaption (LoRA) and adapters are applicable exclusively to transformers and involve extra tuning of the adaption ranks.
The second advantage of DP-BiTFiT is its parameter efficiency. In a study that spanned a range of foundation models, we found that the bias terms constitute only around 0.1% of model parameters. This means that DP-BiTFiT provides large efficiency improvements in terms of training time, memory footprint, and communication cost in the distributed-learning setting.
The third advantage of DP-BiTFiT is its computational advantage over other parameter-efficient approaches, such as DP-LoRA. Even if both approaches fine-tune roughly the same number of parameters, DP-BiTFiT still enjoys a great advantage in memory saving, as it does not need to store and access expensive activation tensors when computing the bias gradients; that’s unavoidable when computing weight gradients. We verify this rigorously through the chain rules of the back-propagation, where DP-BiTFiT has a much simpler computation graph because the activation tensors are not used.
Empirically, we have observed a substantial boost in efficiency when switching from DP full fine-tuning to DP-BiTFiT, while still maintaining state-of-the-art accuracy on large foundation models such as GPT-2-large, ResNet 152, RoBERTa-large, and Vision Transformers. For instance, we compare DP-BiTFiT to DP full fine-tuning and observe a four- to tenfold speedup and a two- to tenfold memory saving on GPT-2.
Acknowledgements: We would like to acknowledge our coauthors on the papers for their contributions: Sheng Zha and George Karypis. We thank Huzefa Rangwala for reviewing this post.