Interpretability framework for differentially private deep learning

US2025036811A1 · US · A1

Patent metadata
Publication number: US-2025036811-A1
Application number: US-202418904462-A
Country: US
Kind code: A1
Filing date: Oct 2, 2024
Priority date: Oct 30, 2020
Publication date: Jan 30, 2025
Grant date:

Abstract

Official abstract text for this publication.

Data is received that specifies a bound for an adversarial posterior belief p_c that corresponds to a likelihood to re-identify data points from the dataset based on a differentially private function output. Privacy parameters ε, δ are then calculated based on the received data that govern a differential privacy (DP) algorithm to be applied to a function to be evaluated over a dataset. The calculating is based on a ratio of probabilities distributions of different observations, which are bound by the posterior belief p_c as applied to a dataset. The calculated privacy parameters are then used to apply the DP algorithm to the function over the dataset. Related apparatus, systems, techniques and articles are also described.

First claim

Opening claim text (preview).

What is claimed is:

1. A system for training a machine learning model comprising: at least one data processor; memory storing instructions which, when executed by the at least one data processor, result in operations comprising: receiving a dataset; receiving at least one first user-generated privacy parameter which governs a differential privacy (DP) algorithm to be applied to a function evaluated over the received dataset; calculating, based on the received at least one first user-generated privacy parameter, at least one second privacy parameter based on a ratio or overlap of probabilities of distributions of different observations; applying, using the at least one second privacy parameter, the DP algorithm to the function over the received dataset to result in an anonymized function output; and anonymously training at least one machine learning model using the dataset after application of the DP algorithm to the function over the received dataset which, when deployed, is configured to classify input data.

2. The system of claim 1, wherein the operations further comprise: deploying the trained at least one machine learning model; receiving, by the deployed trained at least one machine learning model, input data.

3. The system of claim 2, wherein the operations further comprise: providing, by the deployed trained at least one machine learning model based on the input data, a classification.

4. The system of claim 1, wherein: the at least one first user-generated privacy parameter comprises a bound for an adversarial posterior belief p_c that corresponds to a likelihood to re-identify data points from the dataset based on a differentially private function output; and the calculated at least one second privacy parameter comprises privacy parameters ε, δ; and the calculating is based on a conditional probability of distributions of different datasets given a differential private function output which are bound by the posterior belief p_c as applied to the dataset.

5. The system of claim 1, wherein the at least one first user-generated privacy parameter comprises privacy parameters ε, δ; the calculated at least one second privacy parameter comprises an expected membership advantage p_a that corresponds to a probability of an adversary successfully identifying a member in the dataset; and the calculating is based on a conditional probability of different possible datasets.

6. The system of claim 1, wherein the at least one first user-generated privacy parameter comprises privacy parameters ε, δ; the calculated at least one second privacy parameter comprises an adversarial posterior belief bound p_c that corresponds to a likelihood to re-identify data points from the dataset based on a differentially private output.

7. The system of claim 6, wherein the calculating is based on a conditional probability of different possible datasets.

8. A method comprising: receiving a dataset; receiving at least one first user-generated privacy parameter which governs a differential privacy (DP) algorithm to be applied to a function evaluated over the received dataset; calculating, based on the received at least one first user-generated privacy parameter, at least one second privacy parameter based on a ratio or overlap of probabilities of distributions of different observations; applying, using the at least one second privacy parameter, the DP algorithm to the function over the received dataset to result in an anonymized function output; and anonymously training at least one machine learning model using the dataset after application of the DP algorithm to the function over the received dataset which, when deployed, is configured to classify input data.

9. The method of claim 8, further comprising: deploying the trained at least one machine learning model; receiving, by the deployed trained at least one machine learning model, input data.

10. The method of claim 9, further comprising: providing, by the deployed trained at least one machine learning model based on the input data, a classification.

11. The method of claim 8, wherein: the at least one first user-generated privacy parameter comprises a bound for an adversarial posterior belief p_c that corresponds to a likelihood to re-identify data points from the dataset based on a differentially private function output; and the calculated at least one second privacy parameter comprises privacy parameters ε, δ; and the calculating is based on a conditional probability of distributions of different datasets given a differential private function output which are bound by the posterior belief p_c as applied to the dataset.

12. The method of claim 8, wherein the at least one first user-generated privacy parameter comprises privacy parameters ε, δ; the calculated at least one second privacy parameter comprises an expected membership advantage p_a that corresponds to a probability of an adversary successfully identifying a member in the dataset; and the calculating is based on a conditional probability of different possible datasets.

13. The method of claim 8, wherein the at least one first user-generated privacy parameter comprises privacy parameters ε, δ; the calculated at least one second privacy parameter comprises an adversarial posterior belief bound p_c that corresponds to a likelihood to re-identify data points from the dataset based on a differentially private output.

14. The method of claim 13, wherein the calculating is based on a conditional probability of different possible datasets.

15. A non-transitory machine-readable storage medium having embodied thereon instructions executable by one or more machines to perform operations comprising: receiving a dataset; receiving at least one first user-generated privacy parameter which governs a differential privacy (DP) algorithm to be applied to a function evaluated over the received dataset; calculating, based on the received at least one first user-generated privacy parameter, at least one second privacy parameter based on a ratio or overlap of probabilities of distributions of different observations; applying, using the at least one second privacy parameter, the DP algorithm to the function over the received dataset to result in an anonymized function output; and anonymously training at least one machine learning model using the dataset after application of the DP algorithm to the function over the received dataset which, when deployed, is configured to classify input data.

16. The non-transitory machine-readable storage medium of claim 15, wherein the operations further comprise: deploying the trained at least one machine learning model; receiving, by the deployed trained at least one machine learning model, input data.

17. The non-transitory machine-readable storage medium of claim 16, wherein the operations further comprise: providing, by the deployed trained at least one machine learning model based on the input data, a classification.

18. The non-transitory machine-readable storage medium of claim 15, wherein: the at least one first user-generated privacy parameter comprises a bound for an adversarial posterior belief p_c that corresponds to a likelihood to re-identify data points from the dataset based on a differentially private function output; and the calculated at least one second privacy parameter comprises privacy parameters ε, δ; and the calculating is based on a conditional probability of distributions of different

Classifications

  • Supervised learning · CPC title

  • Convolutional networks [CNN, ConvNet] · CPC title

  • characterised by the process organisation or structure, e.g. boosting cascade · CPC title

  • for evaluating statistical data {, e.g. average values, frequency distributions, probability functions, regression analysis (forecasting specially adapted for a specific administrative, business or logistic context G06Q10/04)} · CPC title

  • Machine learning · CPC title

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US2025036811A1 cover?
Data is received that specifies a bound for an adversarial posterior belief p_c that corresponds to a likelihood to re-identify data points from the dataset based on a differentially private function output. Privacy parameters ε, δ are then calculated based on the received data that govern a differential privacy (DP) algorithm to be applied to a function to be evaluated over a dataset. The cal…

Who is the assignee on this patent?
SAP SE

What technology area does this patent fall under?
Primary CPC classification G06F21/6254. Mapped technology areas include Physics.

When was this patent published?
Publication date: Jan 30, 2025 (A1). Legal status and post-grant events are not shown on this page.

What related patents are in patentsdb?
We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).