Current browse context:
cs.LG
Change to browse by:
References & Citations
Computer Science > Machine Learning
Title: Accuracy-Privacy Trade-off in Deep Ensemble: A Membership Inference Perspective
(Submitted on 12 May 2021 (v1), last revised 6 Dec 2022 (this version, v4))
Abstract: Deep ensemble learning has been shown to improve accuracy by training multiple neural networks and averaging their outputs. Ensemble learning has also been suggested to defend against membership inference attacks that undermine privacy. In this paper, we empirically demonstrate a trade-off between these two goals, namely accuracy and privacy (in terms of membership inference attacks), in deep ensembles. Using a wide range of datasets and model architectures, we show that the effectiveness of membership inference attacks increases when ensembling improves accuracy. We analyze the impact of various factors in deep ensembles and demonstrate the root cause of the trade-off. Then, we evaluate common defenses against membership inference attacks based on regularization and differential privacy. We show that while these defenses can mitigate the effectiveness of membership inference attacks, they simultaneously degrade ensemble accuracy. We illustrate similar trade-off in more advanced and state-of-the-art ensembling techniques, such as snapshot ensembles and diversified ensemble networks. Finally, we propose a simple yet effective defense for deep ensembles to break the trade-off and, consequently, improve the accuracy and privacy, simultaneously.
Submission history
From: Shahbaz Rezaei [view email][v1] Wed, 12 May 2021 00:58:04 GMT (1242kb,D)
[v2] Fri, 28 May 2021 16:48:18 GMT (383kb,D)
[v3] Wed, 6 Oct 2021 16:46:45 GMT (1615kb,D)
[v4] Tue, 6 Dec 2022 01:21:05 GMT (11918kb)
Link back to: arXiv, form interface, contact.