Attacks and Defenses in Privacy-Preserving Representation Learning
Abstract
Nowadays, users’ privacy concerns oblige data publishers to anonymize data before sharing it with data consumers. The goal of privacy-preserving representation learning is therefore to protect user privacy while preserving the utility of the published data, e.g., its accuracy, for future tasks and usages. Privacy-preserving embeddings are typically functions that encode an input text into a low-dimensional vector that retains the important semantic information about the text while protecting privacy. We demonstrate that these embeddings still leak private information, even though the low-dimensional embeddings encode only generic semantics. In this dissertation, we first develop two classes of attacks, the adversarial classification (AC) attack and the adversarial generation (AG) attack, to study the new threats to these embeddings. In particular, the threats are that (1) the embeddings may reveal sensitive attributes regardless of whether those attributes appear explicitly in the input text, and (2) the embedding vectors can be partially recovered via generation models. We further propose a semi-supervised generative adversarial network that inverts given embeddings back to the sensitive raw text inputs by querying the model; this approach produces higher-performing adversary models than the other AC and AG baselines. We also argue that the protection offered by privacy-preserving representation learning breaks during inference with model partitioning: the hidden representations can easily be eavesdropped while being uploaded from local devices to the cloud. Based on the two attack models, AC and AG, we correspondingly propose two defenses: defending against adversarial classification (DAC) and defending against adversarial generation (DAG). Both methods optimally modify a subpopulation of the neural representations so as to maximally decrease the adversary’s ability.
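The AC threat and the DAC-style response can be made concrete with a leakage audit a defender would run before publishing embeddings. The script below is an added illustration, not code from the dissertation: it constructs toy embeddings in which some dimensions carry the downstream label and others leak a sensitive attribute, measures how well a logistic-regression adversary (the AC attack, used here as an audit) recovers the attribute, then neutralises the subpopulation of dimensions most correlated with it and re-measures both adversary accuracy and task utility. The data, the correlation-based dimension selection and the mean-replacement defense are all assumptions of this example; the dissertation's DAC method is a bilevel optimisation, not this heuristic.

```python
import numpy as np

# Added audit example (not the dissertation's code). Embeddings, labels and the
# toy defense are all constructed here so the script runs offline.

def make_embeddings(n=600, dim=8, signal=2.0, seed=0):
    """Constructed toy embeddings: dims 0-2 carry the utility label y,
    dims 3-4 leak the sensitive attribute s, the remaining dims are noise."""
    rng = np.random.default_rng(seed)
    y = rng.integers(0, 2, n)
    s = rng.integers(0, 2, n)
    E = rng.normal(size=(n, dim))
    E[:, 0:3] += signal * y[:, None]
    E[:, 3:5] += signal * s[:, None]
    return E, y, s

def sigmoid(z):
    return 1.0 / (1.0 + np.exp(-z))

def train_logreg(X, t, steps=500, lr=0.1):
    """Plain logistic regression by gradient descent. It plays the adversary of
    an AC attack when t is the sensitive attribute, and the downstream task
    model when t is the utility label."""
    w = np.zeros(X.shape[1])
    b = 0.0
    for _ in range(steps):
        p = sigmoid(X @ w + b)
        w -= lr * X.T @ (p - t) / len(t)
        b -= lr * np.mean(p - t)
    return w, b

def accuracy(model, X, t):
    w, b = model
    return float(np.mean((sigmoid(X @ w + b) > 0.5) == t))

def leaky_dims(E, s, k=2):
    """Score each embedding dimension by |corr| with the sensitive attribute and
    return the k most leaky ones: the 'subpopulation' the defense will modify."""
    scores = [abs(np.corrcoef(E[:, j], s)[0, 1]) for j in range(E.shape[1])]
    return np.argsort(scores)[::-1][:k]

def defend(E, dims):
    """Toy DAC-style defense (an assumption of this example): replace the leaky
    dimensions by their column mean so they carry no per-sample signal."""
    D = E.copy()
    D[:, dims] = E[:, dims].mean(axis=0)
    return D

def run_audit(n_train=400):
    """Adversary and utility accuracy on held-out data, before and after the defense."""
    E, y, s = make_embeddings()
    tr, te = slice(0, n_train), slice(n_train, None)
    defended = defend(E, leaky_dims(E[tr], s[tr]))   # select dims on training data only
    report = {}
    for name, X in (("before", E), ("after", defended)):
        adversary = train_logreg(X[tr], s[tr])
        task = train_logreg(X[tr], y[tr])
        report[name] = {"adversary_acc": accuracy(adversary, X[te], s[te]),
                        "utility_acc": accuracy(task, X[te], y[te])}
    return report

if __name__ == "__main__":
    for stage, r in run_audit().items():
        print(f"{stage:6s} adversary={r['adversary_acc']:.2f} utility={r['utility_acc']:.2f}")
```

On the constructed data the adversary recovers the attribute far above chance before the defense and falls to near chance afterwards, while utility is unchanged because the task signal lives in other dimensions. The abstract's harder case, where private information is correlated with the output attribute, is exactly the one where no such clean separation exists and a utility-privacy trade-off appears.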
The representations trained with this bilevel optimization achieve a higher level of sensitive-information protection than the current state-of-the-art method (Coavoux et al., 2018), while maintaining their utility for downstream tasks. Moreover, some of the hidden private information correlates with the output attributes and can therefore be learned by a neural network; in such a case, there is a trade-off between the utility of the representation and its privacy. We explicitly cast this problem as multi-objective optimization (MOO) and propose a multiple-gradient descent algorithm that enables the efficient application of the Frank-Wolfe algorithm to search for the optimal utility-privacy configuration of the text classification task.

Graph neural networks (GNNs) combine the representational power of neural networks with the graph structure. In essence, GNNs compute a sequence of node representations by aggregating, at each node, information from its neighbors and itself. However, not all data is adequately expressed in terms of pairwise relationships. Interactions in a social network, for instance, do not occur solely in pairwise relations but also among larger groups of people. This warrants a simplicial complex in order to represent such rich and complex datasets. Simplicial complexes describe relational structures that are closed under restriction. Simplicial neural networks (SNNs) have already proven useful in some applications, e.g. coauthorship complexes (Ebli et al., 2020) and social networks (Chen et al., 2022). The machinery of SNNs allows us to consider richer data, including vector fields and
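The utility-privacy trade-off cast as MOO can be illustrated with the two-objective case of the multiple-gradient descent algorithm, for which the Frank-Wolfe step over the convex hull of the two gradients has a closed form (the standard two-task MGDA line search). The code below is an added example, not the dissertation's method: the quadratic "utility" and "privacy" losses on a two-dimensional parameter are constructed so that their gradients conflict, and the function names `min_norm_combination` and `mgda` are this example's own.

```python
import numpy as np

# Added example (not the dissertation's code): two-objective MGDA with the
# closed-form Frank-Wolfe step. The losses below are constructed toys.

def min_norm_combination(g_u, g_p):
    """Return (alpha, d) with d = alpha*g_u + (1-alpha)*g_p the minimum-norm
    point of the segment between the two gradients, alpha clipped to [0, 1].
    A zero d means no direction decreases both objectives (Pareto-stationary)."""
    diff = g_u - g_p
    denom = float(diff @ diff)
    if denom < 1e-12:          # identical gradients: any alpha yields the same d
        alpha = 0.5
    else:
        alpha = float(np.clip((g_p - g_u) @ g_p / denom, 0.0, 1.0))
    return alpha, alpha * g_u + (1.0 - alpha) * g_p

# Constructed objectives on a 2-d parameter w: utility pulls w toward A,
# privacy pulls w toward B, so no single w minimises both.
A = np.array([1.0, 0.0])
B = np.array([0.0, 1.0])

def utility_loss(w):
    return float((w - A) @ (w - A))

def privacy_loss(w):
    return float((w - B) @ (w - B))

def utility_grad(w):
    return 2.0 * (w - A)

def privacy_grad(w):
    return 2.0 * (w - B)

def mgda(w0, lr=0.1, steps=200, tol=1e-6):
    """Descend along the min-norm combined direction until it vanishes,
    i.e. until w is a Pareto-stationary utility-privacy configuration."""
    w = np.array(w0, dtype=float)
    alpha = None
    for _ in range(steps):
        alpha, d = min_norm_combination(utility_grad(w), privacy_grad(w))
        if np.linalg.norm(d) < tol:
            break
        w = w - lr * d
    return w, alpha

if __name__ == "__main__":
    w, alpha = mgda([0.0, 0.0])
    print(f"w={w.round(4)} alpha={alpha:.2f} "
          f"utility={utility_loss(w):.3f} privacy={privacy_loss(w):.3f}")
```

Starting from the origin, the two gradients are equally strong, so alpha stays at 0.5 and the iterate converges to the midpoint (0.5, 0.5) of the segment between A and B, a point on the Pareto front where neither objective can improve without hurting the other. When the gradients do not conflict, the clipping drives alpha to 0 or 1 and the step follows the smaller gradient alone.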