This thesis explores Differential Privacy (DP) techniques in Transformer-based architectures. We identify a gap in existing research by focusing on privacy guarantees for inference data rather than for training data. To ensure Differential Privacy of inference data, we propose two new privacy-preserving mechanisms for Transformer architectures, input perturbation and layer perturbation, which add random noise to the input data and to the encoder, respectively. We provide proofs of DP guarantees for inference data for both methods. Furthermore, we give insights into the practical limitations of these techniques on NLP tasks. We find that with the input perturbation mechanism, model accuracy decreases as the privacy budget shrinks, but the magnitude of this decrease depends significantly on the underlying dataset. Additionally, we identify the necessity of using certifiably robust architectures for the layer perturbation method. To that end, we focus on a Lipschitz continuous modification of the BERT model, identify significant challenges in pretraining Lipschitz continuous BERT architectures, and provide empirical estimates of the Lipschitz constants of this model under certain conditions.
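The abstract does not spell out the mechanisms in code, but the two proposals lend themselves to a short illustration. The sketch below shows one common way such mechanisms are realized in PyTorch: Laplace noise calibrated to a sensitivity-over-epsilon scale is added either to the input embeddings (input perturbation) or to the encoder output (layer perturbation), where the output sensitivity of an L-Lipschitz encoder is bounded by L times the input sensitivity. The final function illustrates a sampling-based empirical lower bound on a Lipschitz constant. The function names, the choice of the Laplace mechanism, and the sensitivity parameters are illustrative assumptions, not taken from the thesis.

```python
import torch


def input_perturbation(embeddings: torch.Tensor, epsilon: float,
                       sensitivity: float = 1.0) -> torch.Tensor:
    """Perturb input embeddings with Laplace noise scaled to sensitivity/epsilon.

    Assumes per-coordinate L1 sensitivity; the thesis may calibrate differently.
    """
    scale = sensitivity / epsilon
    noise = torch.distributions.Laplace(0.0, scale).sample(embeddings.shape)
    return embeddings + noise


def layer_perturbation(encoder_output: torch.Tensor, epsilon: float,
                       lipschitz_constant: float,
                       input_sensitivity: float = 1.0) -> torch.Tensor:
    """Perturb the encoder output.

    For an L-Lipschitz encoder, the output sensitivity is bounded by
    L * input_sensitivity, which is why a certified Lipschitz bound is
    needed to calibrate the noise.
    """
    scale = lipschitz_constant * input_sensitivity / epsilon
    noise = torch.distributions.Laplace(0.0, scale).sample(encoder_output.shape)
    return encoder_output + noise


def empirical_lipschitz_estimate(encoder, inputs: torch.Tensor,
                                 num_pairs: int = 1000) -> float:
    """Lower-bound the Lipschitz constant empirically by sampling input
    pairs and taking the largest observed ratio ||f(x) - f(y)|| / ||x - y||."""
    estimate = 0.0
    n = inputs.shape[0]
    for _ in range(num_pairs):
        i, j = torch.randint(0, n, (2,)).tolist()
        if i == j:
            continue
        x, y = inputs[i:i + 1], inputs[j:j + 1]
        out_dist = torch.norm(encoder(x) - encoder(y))
        in_dist = torch.norm(x - y)
        if in_dist > 0:
            estimate = max(estimate, (out_dist / in_dist).item())
    return estimate
```

Laplace noise is the textbook choice for pure ε-DP; a Gaussian mechanism with (ε, δ)-guarantees would follow the same calibration pattern. Note that the sampling-based estimate is only a lower bound on the true Lipschitz constant; a certified upper bound requires architectural constraints of the kind the thesis investigates.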