Deep Learning with Plausible Deniability

Abstract

Deep learning models are vulnerable to privacy attacks due to their tendency to memorize individual training examples. Theoretically-sound defenses such as differential privacy can defend against this threat, but model performance often suffers. Empirical defenses may thwart existing attacks while maintaining model performance but do not offer any robust theoretical guarantees. In this paper, we explore a new strategy based on the concept of plausible deniability. We introduce a training algorithm called **P**lausibly **D**eniable **S**tochastic **G**radient **D**escent (PD-SGD). The core of this approach is a rejection sampling technique, which probabilistically prevents updating model parameters whenever a mini-batch cannot be plausibly denied. We provide theoretical results showing that PD-SGD effectively mitigates privacy leakage from individual data points. Experiments demonstrate the scalability of PD-SGD and the favorable privacy-utility trade-off it offers compared to existing defense methods.

Cite

Text

Bao et al. "Deep Learning with Plausible Deniability." Advances in Neural Information Processing Systems, 2025.

BibTeX

@inproceedings{bao2025neurips-deep,
  title     = {{Deep Learning with Plausible Deniability}},
  author    = {Bao, Wenxuan and Jin, Shan and Abdullah, Hadi and Nascimento, Anderson C. A. and Bindschaedler, Vincent and Cai, Yiwei},
  booktitle = {Advances in Neural Information Processing Systems},
  year      = {2025},
  url       = {https://mlanthology.org/neurips/2025/bao2025neurips-deep/}
}