TEST-DATA-003: Differential Privacy Audit
MLASTG-TEST-DATA-003: Differential Privacy Audit¶
Control Reference¶
- MLASVS-DATA-019: Differential Privacy ε-Guarantee (L2)
- MLASVS-DATA-022: Secure Multi-Party Computation (L2)
- MLASVS-DATA-023: Homomorphic Encryption Support (L2)
Severity¶
N/A (L1) / High (L2)
Overview¶
Differential privacy provides formal mathematical guarantees that a model's training process does not leak information about individual records. This test verifies that differential privacy mechanisms are correctly implemented, that the privacy budget is tracked, and that the epsilon value meets the documented requirements.
Prerequisites¶
| Requirement | Details |
|---|---|
| Tools | diffprivlib (pip install diffprivlib), Opacus, or TF Privacy |
| Access | Model training configuration, privacy budget documentation |
| Knowledge | Training pipeline implementation, data sensitivity classification |
Step-by-Step Procedure¶
Step 1: Verify DP Training Mechanism¶
- Verify that a differential privacy training mechanism is in use:
- DP-SGD (Differentially Private Stochastic Gradient Descent)
- Privacy accountant from Opacus (PyTorch) or TF Privacy (TensorFlow)
- diffprivlib for scikit-learn models
- Pass if: A recognized DP training mechanism is documented and actively employed in the training process.
- Fail if: No differential privacy mechanism is implemented or it is disabled.
Step 2: Verify Privacy Budget (ε)¶
- Request the documented epsilon (ε) value from the model development team
- Verify that ε is tracked and has not been exceeded across training runs
- Apply the following thresholds based on data sensitivity:
| Data Sensitivity | ε Threshold | Justification Required |
|---|---|---|
| Public/Non-sensitive | ≤ 10 | Standard |
| Internal/Business | ≤ 5 | Risk assessment |
| Sensitive (PII) | ≤ 2 | Detailed justification |
| Highly sensitive (PHI, biometric) | ≤ 1 | CISO approval |
- Pass if: ε ≤ threshold for the specified data sensitivity classification.
- Fail if: ε exceeds the threshold without documented justification, or if ε is untracked.
Step 3: Verify Delta (δ) Parameter¶
- Verify that δ is set to a value smaller than 1/n (where n is the training dataset size)
- Pass if: δ < 1/n and is explicitly documented in the privacy budget.
- Fail if: δ is missing, undocumented, or exceeds 1/n.
Step 4: Verify Per-Sample Gradient Clipping¶
- Review the training code for gradient clipping implementation
- Verify that gradient clipping norm is defined and enforced
- Pass if: Gradient clipping is implemented with a documented and enforced clipping norm.
- Fail if: Gradient clipping is absent or the clipping norm is unconstrained.
Step 5: Test Privacy Leakage (L2)¶
- Compare model performance on a known member vs. non-member dataset
- If membership inference attack accuracy < 60%, privacy is likely preserved
- Pass if: Membership inference attack accuracy remains < 60%.
- Fail if: Attack accuracy is ≥ 60%, suggesting insufficient privacy protection and potential information leakage.
Expected Result¶
| Level | Expected Outcome |
|---|---|
| L1 | N/A |
| L2 | DP training mechanism active; ε ≤ threshold for data sensitivity; δ < 1/n; gradient clipping enforced; membership inference accuracy < 60% |
Evidence Requirements¶
- DP training mechanism documentation
- Privacy budget (ε, δ) documentation
- Gradient clipping configuration
- Membership inference test results
- Data sensitivity classification
Remediation Guidance¶
If no DP mechanism is implemented: 1. Integrate Opacus (PyTorch) or TF Privacy into the training pipeline 2. Define privacy budget policies based on data sensitivity 3. Add privacy accountant to the training loop
If ε exceeds threshold: 1. Reduce noise multiplier or increase training epochs with privacy accountant 2. Document justification if business requirements require a higher ε 3. Consider using a smaller, more sensitive dataset for high-privacy scenarios
References¶
- MITRE ATLAS:
- AML.T0018: Model Inversion
- AML.TA0010: Collection
- MLASWE: MLASWE-0005 (Membership Inference)
- NIST AI RMF: MEASURE 2.5 (Data quality), MANAGE 2.4
- Academic: Dwork et al., "The Algorithmic Foundations of Differential Privacy" (2014)