A Deep Learning Differential Privacy Protection Scheme Based on  Adaptive Clipping

Journal of Information Security Reserach ›› 2026, Vol. 12 ›› Issue (6): 490-.

A Deep Learning Differential Privacy Protection Scheme Based on Adaptive Clipping

Cheng Yuhang1,2, Shang Tao1,2, Jiang Yatong1,2, and Du Ruizhong3#br#

1(School of Cyber Science and Technology, Beihang University, Beijing 100191)
2(Anhui Province Key Laboratory of Cyberspace Security Situation Awareness and Evaluation(National University of Defense Technology), Hefei 230037)
3(School of Cyber Security and Computer, Hebei University, Baoding, Hebei 071002)

Online:2026-06-07 Published:2026-06-07

基于自适应裁剪的深度学习差分隐私保护方案

程宇航1,2尚涛1,2姜亚彤1,2杜瑞忠3

1(北京航空航天大学网络空间安全学院北京100191)
2(网络空间安全态势感知与评估安徽省重点实验室(国防科技大学)合肥230037)
3(河北大学网络空间安全与计算机学院河北保定071002)

通讯作者: 尚涛博士，教授.主要研究方向为网络安全. shangtao@buaa.edu.cn
作者简介:程宇航硕士研究生.主要研究方向为隐私保护、网络安全. sy2339103@buaa.edu.cn 尚涛博士，教授.主要研究方向为网络安全. shangtao@buaa.edu.cn 姜亚彤博士.主要研究方向为隐私保护、网络安全. jiangyatong@buaa.edu.cn 杜瑞忠博士，教授.主要研究方向为网络安全、信息安全. drzh@hbu.edu.cn
基金资助:
河北省重点研发计划项目(22340701D)；网络空间安全态势感知与评估安徽省重点实验室开放课题(CSSAE2023015)；北京市自然科学基金项目(L251066)

Abstract

Abstract: To address the issues of utility degradation in deep learning models under differential privacy protection and the gap between theoretical and actual privacy protection effectiveness, this paper proposes a deep learning differential privacy protection scheme based on adaptive clipping. The scheme optimizes the process through a fourstep mechanism: firstly, gradient adaptive clipping controls the gradient magnitude during training by dynamically adjusting the gradient clipping threshold, thereby enabling the control of the magnitude of noise added subsequently; secondly, group label selection identifies the group with the smallest gradient as the privacypreserving object, and more accurate privacy loss can be obtained by training this group; thirdly, optimized privacy loss calculation combines the gaussian mechanism based on subsampling to reduce the computational overhead of model privacy loss calculation; finally, optimized gradient adaptive descent realizes the adaptive descent of gradients by adjusting the conditional smoothing parameter, thus improving the usability of the model. Experiments were conducted on the VGG architecture using the MNIST, CIFAR10, and MedicalMNIST datasets. The results show that the model accuracy rates after training with this scheme are 81.08%, 72.30%, and 67.91% respectively, representing improvements of 15.60%, 10.60%, and 9.71% compared to the traditional DPSGD, and 0.63%, 2.50%, and 4.40% over the widely used Nadam algorithm in recent years. The model training efficiency has been improved by 35.5% and 39.4%, respectively.

Key words: deep learning, differential privacy, gradient adaptive clipping, label selection, smoothed loss function

摘要： 针对深度学习模型在差分隐私保护下存在效用下降以及理论隐私保护效果与实际效果偏差的问题，提出基于自适应裁剪的深度学习差分隐私保护方案.方案通过4步机制实现优化：梯度自适应裁剪自适应调整梯度裁剪阈值控制训练时梯度大小，实现对后续添加噪声大小的控制；分组标签选择，通过选取梯度最小的组作为隐私保护对象，训练该分组能够得到更准确的隐私损失；优化的隐私损失计算通过结合基于子采样的高斯机制，减小模型隐私损失计算的开销；优化的梯度自适应下降，通过调整条件平滑参数实现梯度的自适应下降，提升模型的可用性.在VGG(visual geometry group)架构下训练MNIST，CIFAR10，MedicalMNIST数据集，结果表明采用该方案训练后模型准确率分别为81.08%，72.30%，67.91%，相比传统的差分隐私随机梯度下降(differential privacy stochastic gradient descent, DPSGD)方法分别提升15.60%，10.60%，9.71%，相比近年常用的Nadam算法分别提升0.63%，2.50%，4.40%，模型训练效率分别提升35.5%，39.4%.

关键词: 深度学习, 差分隐私, 梯度自适应裁剪, 标签选择, 平滑损失函数

CLC Number:

TP309

程宇航, 尚涛, 姜亚彤, 杜瑞忠, . 基于自适应裁剪的深度学习差分隐私保护方案[J]. 信息安全研究, 2026, 12(6): 490-.

References

［1］Mehta S, Chatterjee A N. Deeplearning for medical image analysis: Advances, challenges and future prospects［J］. Journal of Artificial Intelligence & Cloud Computing, 2025, 2(4): 15［2］Zhang Q, Xin C, Wu H. Privacypreserving deep learning basedon multipartysecure computation: A survey［J］. IEEE Internet of Things Journal, 2021, 8(13): 1041210429［3］Du Y, Zhang R, Zargari A, et al.Classification of tumor epithelium and stroma by exploiting image features learnedby deep convolutional neural networks［J］. Annals of Biomedical Engineering, 2018, 46(12): 19881999［4］牛俊, 马骁骥, 陈颖, 等. 机器学习中成员推理攻击和防御研究综述［J］. 信息安全学报, 2022, 7(6): 130［5］Dwork C, Roth A. The algorithmic foundations of differential privacy［J］. Foundations and Trends in Theoretical Computer Science, 2014, 9(34): 211407［6］Chen H, Qi X, Yu L, et al. DCAN: Deep contouraware networks for object instance segmentation from histology images［J］. Medical Image Analysis, 2017, 36: 135146［7］Andrew G, Thakkar O, McMahan B, et al. Differentially private learning with adaptive clipping［J］. Advances in Neural Information Processing Systems, 2021, 34: 1745517466［8］Papernot N, Thakurta A, Song S, et al. Tempered sigmoid activations for deep learning with differential privacy［C］ Proc of the 35th AAAI Conf on Artificial Intelligence. Menlo Park, CA: AAAI, 2021: 93129321［9］Wang W, Wang T, Wang L, et al. DPlis: Boosting utility of differentially private deep learning via randomized smoothing［C］ Proc of Privacy Enhancing Technologies. Warsaw: Sciendo, 2021: 163183［10］Ding X, Chen L, Zhou P, et al. Differentially private deep learning with iterative gradient descent optimization［J］. ACMIMS Trans on Data Science, 2021, 2(4): 127［11］Lin Z, Zhang S, Zhou Y, et al. Learning rate burst for superior SGDM and AdamW integration［J］. Journal of Intelligent Fuzzy Systems: Applications in Engineering and Technology, 2024, 49(2): 418428［12］Chen S, Yang J, Wang G, et al. CLFLDP: Communicationefficient layer clipping federated learning with local differential Privacy［J］. Journal of Systems Architecture, 2024, 148: 103067［13］Chen Z, Xiang J, Lu Y, et al. RGP: Neural network pruning through regular graph with edges swapping［J］. IEEE Trans on Neural Networks and Learning Systems, 2024, 35(10): 1467114683［14］Radhakrishnan P, Senthilkumar G. Nesterovaccelerated adaptive moment estimation NADAMLSTM based text summarization1［J］. Journal of Intelligent & Fuzzy Systems, 2024, 46(3): 67816793［15］Dong J, Roth A, Su W J. Gaussian differential privacy［J］. Journal of the Royal Statistical Society Series B: Statistical Methodology, 2022, 84(1): 337［16］Abadi M, Chu Andy, Goodfellow I, et al. Deep learning with differential privacy［C］ Proc of the 2016 ACM SIGSAC Conf on Computer and Communications Security. New York: ACM, 2016: 308318［17］桂阳婷. 基于差分隐私深度学习的医学图像分析研究［D］. 合肥: 安徽理工大学, 2023［18］吕扬. 深度学习中差分隐私保护效果评估方法研究［D］. 广州: 广州大学, 2023［19］李晓东, 李慧, 赵炽野, 等. 基于模分量同态加密的隐私数据联邦学习研究［J］. 信息安全研究, 2025, 11(3): 198204［20］汪永好, 陈金麟, 万弘友. 联邦学习后门攻击与防御研究综述［J］. 信息安全研究, 2025, 11(9): 778787

[1]	. Personalized Differential Privacy Data Publishing Method Based on Multilayer Sensitivity Analysis [J]. Journal of Information Security Reserach, 2026, 12(6): 542-.
[2]	. Research on Log Anomaly Detection Method Integrating Semantic Features [J]. Journal of Information Security Reserach, 2026, 12(4): 383-.
[3]	. Anomaly Traffic Detection Based on Improved Bidirectional TCN Model in Software Defined Network [J]. Journal of Information Security Reserach, 2026, 12(4): 303-.
[4]	. Adaptive Gaussian Mixturebased Federated Learning Backdoor Defense Approach [J]. Journal of Information Security Reserach, 2026, 12(4): 348-.
[5]	. Research on Adaptive Hierarchical Neural Network Backdoor Defense Method [J]. Journal of Information Security Reserach, 2026, 12(4): 359-.
[6]	. Differentially Private Text Synthesis Based on Gradient Direction Filtering [J]. Journal of Information Security Reserach, 2026, 12(3): 220-.
[7]	. Research on Twostage Network Intrusion Detection Method for Outofdistribution Traffic Data [J]. Journal of Information Security Reserach, 2026, 12(3): 265-.
[8]	. Smart Contract Vulnerabilities Based on Differential Evolutionary Algorithms and Solution Time Prediction Detection#br# [J]. Journal of Information Security Reserach, 2026, 12(1): 24-.
[9]	. Internet of Things Intrusion Detection Model Based on Federated Learning [J]. Journal of Information Security Reserach, 2025, 11(9): 788-.
[10]	. Double Differential Privacy Protection Algorithm Based on BP Neural Network [J]. Journal of Information Security Reserach, 2025, 11(9): 814-.
[11]	. Fake News Detection Model Based on Crossmodal Attention Mechanism and#br# Weaksupervised Contrastive Learning#br# [J]. Journal of Information Security Reserach, 2025, 11(8): 693-.
[12]	. Encrypted Traffic Detection Method Based on Knowledge Distillation [J]. Journal of Information Security Reserach, 2025, 11(8): 702-.
[13]	. A Privacy Budget Allocation Method Based on Differential #br# Privacy kmeans++#br# [J]. Journal of Information Security Reserach, 2025, 11(8): 710-.
[14]	. Application Research of Differential Privacy Shuffle Model in Range Query [J]. Journal of Information Security Reserach, 2025, 11(8): 736-.
[15]	. Personalized Differential Privacy Trajectory Publishing Scheme Fusing Semantic [J]. Journal of Information Security Reserach, 2025, 11(7): 670-.