Assessing the Impact of Image Dataset Features on Privacy-Preserving Machine Learning
Machine Learning (ML) is crucial in many sectors, including computer vision. However, ML models trained on sensitive data face security challenges, as they can be attacked and leak information. Privacy-Preserving Machine Learning (PPML) addresses this by using Differential Privacy (DP) to balance utility and privacy. This study identifies image dataset characteristics that affect the utility and vulnerability of private and non-private Convolutional Neural Network (CNN) models. Through analyzing multiple datasets and privacy budgets, we find that imbalanced datasets increase vulnerability in minority classes, but DP mitigates this issue. Datasets with fewer classes improve both model utility and privacy, while high entropy or low Fisher Discriminant Ratio (FDR) datasets deteriorate the utility-privacy trade-off. These insights offer valuable guidance for practitioners and researchers in estimating and optimizing the utility-privacy trade-off in image datasets, helping to inform data and privacy modifications for better outcomes based on dataset characteristics.
💡 Research Summary
This paper investigates how intrinsic characteristics of image datasets influence both the utility and privacy of convolutional neural network (CNN) models trained with and without differential privacy (DP). While DP‑SGD can protect models against membership inference attacks (MIAs), it inevitably degrades predictive performance, creating a utility‑privacy trade‑off. Existing literature has largely focused on algorithmic tweaks, leaving a gap in understanding how dataset‑level properties affect this trade‑off.
The authors select six widely used benchmark image datasets—MNIST, Fashion‑MNIST (FMNIST), SVHN, CIFAR‑10, CIFAR‑100, and EMNIST—to cover a spectrum of complexity, class count, color information, and balance. For each dataset they train a standard CNN architecture in three privacy regimes: non‑private (ε = ∞), moderately private (ε = 30), and strongly private (ε = 1) using TensorFlow‑Privacy’s DP‑SGD implementation. All experiments are run on a Tesla V100 GPU with a fixed random seed (42) to ensure reproducibility; code is publicly released.
Dataset characteristics are quantified using six metrics: (1) class size (average number of samples per class), (2) number of classes, (3) class imbalance ratio, (4) entropy of the label distribution, (5) compression ratio (as a proxy for information density), and (6) Fisher’s Discriminant Ratio (FDR) measuring inter‑class separability. Additionally, the authors compute per‑image statistics such as color vs. grayscale proportion and standard deviation of pixel values.
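The six dataset metrics listed above can be computed before any training starts, which is the "pre-training audit" the summary later recommends. The following Python is an added example, not code from the paper or its released repository: it implements each metric on a small constructed dataset. The compression ratio is taken here as raw bytes over zlib-compressed bytes (so a low ratio means the data barely compresses, i.e. high information density, matching the summary's wording), and the multi-class Fisher Discriminant Ratio is a simplified per-feature between-class over within-class scatter with the best feature reported; both definitions are assumptions, since the paper's exact formulas are not on this page.

```python
import math
import random
import zlib
from collections import Counter

# Constructed toy dataset (not from the paper): 10 samples, 3 classes, two
# numeric features per sample standing in for flattened pixel values.
TOY_LABELS = [0, 0, 0, 0, 1, 1, 2, 2, 2, 2]
TOY_FEATURES = [
    (0.0, 0.0), (1.0, 0.0), (0.0, 1.0), (1.0, 1.0),     # class 0
    (10.0, 0.0), (11.0, 0.0),                            # class 1
    (20.0, 0.0), (21.0, 0.0), (20.0, 1.0), (21.0, 1.0),  # class 2
]

# Constructed "images" for the compression metric: a flat image and a noisy one.
FLAT_IMAGE = bytes(1024)
_rng = random.Random(42)
NOISY_IMAGE = bytes(_rng.randrange(256) for _ in range(1024))


def class_counts(labels):
    """Number of samples per class."""
    return dict(Counter(labels))


def num_classes(labels):
    return len(set(labels))


def average_class_size(labels):
    return len(labels) / num_classes(labels)


def imbalance_ratio(labels):
    """Largest class divided by smallest class; 1.0 means perfectly balanced."""
    counts = class_counts(labels).values()
    return max(counts) / min(counts)


def label_entropy_bits(labels):
    """Shannon entropy of the label distribution in bits (log2(k) for k balanced classes)."""
    n = len(labels)
    return -sum((c / n) * math.log2(c / n) for c in class_counts(labels).values())


def compression_ratio(raw: bytes) -> float:
    """Raw size over zlib-compressed size (assumed definition).
    A LOW ratio means the bytes hardly compress: high information density."""
    return len(raw) / len(zlib.compress(raw, 9))


def fisher_discriminant_ratio(features, labels):
    """Simplified multi-class FDR (assumed definition): for each feature, the ratio
    of between-class scatter to within-class scatter; the best feature is returned.
    Low values mean the classes overlap and are hard to separate."""
    n = len(labels)
    counts = class_counts(labels)
    best = 0.0
    for d in range(len(features[0])):
        col = [f[d] for f in features]
        overall_mean = sum(col) / n
        class_means = {
            c: sum(col[i] for i in range(n) if labels[i] == c) / counts[c] for c in counts
        }
        between = sum(counts[c] * (class_means[c] - overall_mean) ** 2 for c in counts)
        within = sum((col[i] - class_means[labels[i]]) ** 2 for i in range(n))
        if within == 0:
            return math.inf  # perfectly separable along this feature
        best = max(best, between / within)
    return best


def audit(features, labels):
    """Collect the label- and feature-level metrics a practitioner would check before DP training."""
    return {
        "num_classes": num_classes(labels),
        "avg_class_size": average_class_size(labels),
        "imbalance_ratio": imbalance_ratio(labels),
        "label_entropy_bits": label_entropy_bits(labels),
        "fdr": fisher_discriminant_ratio(features, labels),
    }


if __name__ == "__main__":
    print(audit(TOY_FEATURES, TOY_LABELS))
    print("flat image ratio:", compression_ratio(FLAT_IMAGE))
    print("noisy image ratio:", compression_ratio(NOISY_IMAGE))
```

On real data the feature vectors would be the flattened (and, for the FDR, typically downsampled) pixel arrays, and the compression metric would be averaged over the encoded images; the ranking of datasets, not the absolute numbers, is what feeds the privacy-budget decision.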
Model utility is assessed by top‑1 accuracy and macro‑averaged F1‑score; over‑fitting is gauged via the train‑test accuracy gap. Privacy risk is measured with the Likelihood Ratio Attack (LiRA), an offline white‑box MIA that trains 32 shadow models to estimate IN/OUT confidence distributions. Three attack metrics are reported: ROC‑AUC, true‑positive rate at 10 % false‑positive rate (TPR@0.1 FPR), and true‑positive rate at 0.1 % false‑positive rate (TPR@0.001 FPR).
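To make the three attack metrics concrete, here is an added Python example (not the paper's code, and not the original LiRA implementation) that a model owner can use to audit their own model once per-example membership scores exist. It fits Gaussians to the logit-scaled IN and OUT shadow-model confidences for one example and returns the log-likelihood ratio, which is the LiRA statistic in its parametric form, and then computes ROC-AUC and TPR at a fixed FPR from constructed member and non-member scores. The shadow confidences and scores are constructed values, and the Gaussian fit and sigma floor are this example's choices.

```python
import math

# Constructed membership-inference scores (not from the paper): one score per
# audited example, higher meaning "more likely a training member".
MEMBER_SCORES = [0.9, 0.8, 0.4]      # examples that really were in the training set
NONMEMBER_SCORES = [0.7, 0.3, 0.2]   # held-out examples

# Constructed shadow-model confidences on one example's true label.
IN_SHADOW_CONFS = [0.95, 0.97, 0.96, 0.98]   # shadow models trained WITH the example
OUT_SHADOW_CONFS = [0.60, 0.70, 0.65, 0.55]  # shadow models trained WITHOUT it


def _logit(p):
    """Logit scaling of a confidence, clipped so log() stays finite."""
    p = min(max(p, 1e-7), 1 - 1e-7)
    return math.log(p / (1 - p))


def _gaussian_fit(values):
    """Mean and (floored) standard deviation of a sample."""
    mu = sum(values) / len(values)
    var = sum((v - mu) ** 2 for v in values) / len(values)
    return mu, max(math.sqrt(var), 1e-3)


def _log_pdf(x, mu, sigma):
    return -math.log(sigma * math.sqrt(2 * math.pi)) - (x - mu) ** 2 / (2 * sigma ** 2)


def lira_score(observed_conf, in_confs, out_confs):
    """Per-example LiRA statistic: log-likelihood ratio of the target model's
    logit-scaled confidence under the IN versus OUT shadow distributions.
    Positive values favour membership."""
    mu_in, sd_in = _gaussian_fit([_logit(c) for c in in_confs])
    mu_out, sd_out = _gaussian_fit([_logit(c) for c in out_confs])
    x = _logit(observed_conf)
    return _log_pdf(x, mu_in, sd_in) - _log_pdf(x, mu_out, sd_out)


def roc_auc(member_scores, nonmember_scores):
    """Probability that a random member outscores a random non-member (ties count 0.5)."""
    wins = 0.0
    for m in member_scores:
        for o in nonmember_scores:
            wins += 1.0 if m > o else 0.5 if m == o else 0.0
    return wins / (len(member_scores) * len(nonmember_scores))


def tpr_at_fpr(member_scores, nonmember_scores, max_fpr):
    """Highest TPR reachable with FPR <= max_fpr when every score >= threshold
    is predicted 'member'. Thresholds are scanned from high to low, so FPR and
    TPR both grow monotonically and the scan stops at the first violation."""
    best = 0.0
    for t in sorted(set(member_scores) | set(nonmember_scores), reverse=True):
        fpr = sum(s >= t for s in nonmember_scores) / len(nonmember_scores)
        if fpr > max_fpr:
            break
        best = sum(s >= t for s in member_scores) / len(member_scores)
    return best


def finest_nonzero_fpr(nonmember_count):
    """Smallest FPR above zero the audit can resolve with this many non-members."""
    return 1.0 / nonmember_count


if __name__ == "__main__":
    print("LiRA score, member-like:", lira_score(0.96, IN_SHADOW_CONFS, OUT_SHADOW_CONFS))
    print("LiRA score, non-member-like:", lira_score(0.60, IN_SHADOW_CONFS, OUT_SHADOW_CONFS))
    print("ROC-AUC:", roc_auc(MEMBER_SCORES, NONMEMBER_SCORES))
    print("TPR@0.5 FPR:", tpr_at_fpr(MEMBER_SCORES, NONMEMBER_SCORES, 0.5))
    print("finest FPR with 3 non-members:", finest_nonzero_fpr(len(NONMEMBER_SCORES)))
```

The last helper is the practical caveat behind the paper's TPR@0.001 FPR metric: with n held-out non-members, the smallest nonzero FPR the curve can show is 1/n, so reporting TPR at 0.1 % FPR needs at least a thousand non-member examples, and far more for the estimate to be stable.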
Key findings:
- Class Imbalance – Minority classes are disproportionately vulnerable in non‑private models (ROC‑AUC ≈ 0.85). Introducing DP with ε = 1 reduces the ROC‑AUC gap between minority and majority classes to <0.12, showing that noise effectively masks the distinctive gradients of under‑represented classes.
- Number of Classes – Increasing class count (e.g., CIFAR‑100 vs. CIFAR‑10) lowers non‑private accuracy by 2–3 % and raises MIA ROC‑AUC by 0.07–0.10. With ε = 30, accuracy drops by 4–5 % but ROC‑AUC falls below 0.2, indicating that moderate privacy suffices to curb the extra leakage introduced by many classes.
- Entropy & Compression – Datasets with higher label entropy (SVHN) exhibit lower attack success (ROC‑AUC ≈ 0.68) because the model learns less class‑specific information. Low compression ratios (i.e., higher intrinsic information density) also correlate with reduced MIA performance.
- Fisher Discriminant Ratio – Low FDR (poor inter‑class separability) amplifies utility loss under DP; ε = 30 leads to 6–8 % additional accuracy degradation compared to high‑FDR datasets. Attack success modestly rises, suggesting that when the data are already hard to separate, added noise further hampers learning without substantially improving privacy.
- Color vs. Grayscale – Color datasets (SVHN, CIFAR‑10/100) achieve 5–7 % higher accuracy than grayscale counterparts but also show 0.05–0.08 higher ROC‑AUC under the same ε, implying that extra channels provide more memorisable signal for the attacker.
Overall, the impact of dataset characteristics on the utility‑privacy trade‑off is modulated by the privacy budget. Strong privacy (ε ≤ 1) universally suppresses MIA success, especially for minority classes, but can cause severe utility loss on complex or low‑FDR data. A moderate budget (ε ≈ 30) offers a practical balance: it mitigates class‑imbalance‑driven attacks while preserving most of the predictive performance.
The authors translate these insights into actionable recommendations: (i) perform a pre‑training audit of entropy, FDR, and class balance; (ii) apply oversampling or class‑weighting to reduce imbalance before DP training; (iii) consider converting color images to grayscale or applying dimensionality reduction when high‑resolution color data are not essential; (iv) select ε based on dataset complexity—higher‑entropy or high‑FDR datasets tolerate larger ε without compromising privacy, whereas low‑entropy, low‑FDR datasets benefit from tighter budgets.
In conclusion, this work fills a critical gap by systematically linking image dataset properties to the behavior of private and non‑private CNNs under membership inference attacks. The empirical evidence supports a data‑centric approach to privacy‑preserving machine learning: by tailoring dataset preprocessing and privacy budget selection to intrinsic data characteristics, practitioners can achieve a more favorable utility‑privacy balance than by relying on generic DP settings alone. Future directions include extending the analysis to non‑image modalities (text, time‑series) and developing automated tools that map dataset metrics to optimal DP hyper‑parameters.