Locally Differentially Private Naive Bayes Classification
Abstract.
In machine learning, classification models need to be trained in order to predict class labels. When the training data contains personal information about individuals, collecting training data becomes difficult due to privacy concerns. Local differential privacy is a definition to measure the individual privacy when there is no trusted data curator. Individuals interact with an untrusted data aggregator who obtains statistical information about the population without learning personal data. In order to train a Naive Bayes classifier in an untrusted setting, we propose to use methods satisfying local differential privacy. Individuals send their perturbed inputs that keep the relationship between the feature values and class labels. The data aggregator estimates all probabilities needed by the Naive Bayes classifier. Then, new instances can be classified based on the estimated probabilities. We propose solutions for both discrete and continuous data. In order to eliminate high amount of noise and decrease communication cost in multidimensional data, we propose utilizing dimensionality reduction techniques which can be applied by individuals before perturbing their inputs. Our experimental results show that the accuracy of the Naive Bayes classifier is maintained even when the individual privacy is guaranteed under local differential privacy, and that using dimensionality reduction enhances the accuracy.
1. Introduction
Predictive analytics is the process of making prediction about future events by analyzing the current data using statistical techniques. It is used in many different areas such as marketing, insurance, financial services, mobility, and healthcare. For predictive analytics many techniques can be used from statistics, data mining, machine learning, and artificial intelligence. Classification methods in machine learning such as neural networks, support vector machines, regression techniques, and Naive Bayes are widely used for predictive analytics. These methods are supervised learning methods in which labeled training data is used to generate a function which can be used for classifying new instances. In these supervised learning methods, the accuracy of the classifier highly depends on the training data. Using a larger training set improves the accuracy most of the time. Hence, one needs to have a large training data in order to do classification accurately. However, collecting a large dataset brings privacy concerns. In many real life applications, the classification tasks require training sets containing sensitive information about individuals such as financial, medical or location information. For instance, insurance companies need financial information of individuals for risk classification. If there is a company that wants to build a model for risk classification, the data collection may be a critical problem because of privacy concerns. Therefore, we address the problem of doing classification while protecting the privacy of the individuals who provide the training data; thus enabling companies and organizations to achieve their utility targets, while helping individuals to protect their privacy.
Differential privacy is a commonly used standard for quantifying individual privacy. In the original definition of differential privacy (Dwork, 2008), there is a trusted data curator which collects data from individuals and applies techniques to obtain differentially private statistics about the population. Then, the data curator publishes privacypreserving statistics about the population. Satisfying differential privacy in the context of classification has been widely studied (Chaudhuri et al., 2011; Jagannathan et al., 2009; Rubinstein et al., 2012). However, these techniques are not suitable when individuals do not trust the data curator completely. To eliminate the need of trusted data curator, techniques to satisfy differential privacy in the local setting have been proposed (Bassily and Smith, 2015; Erlingsson et al., 2014; Kairouz et al., 2014; Qin et al., 2016). In local differential privacy (LDP), individuals send their data to the data aggregator after privatizing data by perturbation. Hence, these techniques provide plausible deniability for individuals. Data aggregator collects all perturbed values and makes an estimation of statistics such as the frequency of each value in the population.
In order to guarantee the privacy of the individuals who provide training data in a classification task, we propose using LDP techniques for data collection. We apply LDP techniques to Naive Bayes classifiers which are set of simple probabilistic classifiers based on Bayes’ theorem. Naive Bayes classifiers use the assumption of independence between every pair of features. They are highly scalable and particularly suitable when the number of features is high or when the size of training data is small. Naive Bayes is a popular method for text classification (e.g. spam detection and sentiment classification), and it is also used in many other practical applications such as medical diagnosis, digit recognition, and weather prediction. Despite its simplicity, Naive Bayes can often perform better than or close to more sophisticated classification methods.
Given a new instance, Naive Bayes basically computes the conditional probability of each class label, and then assigns the class label with maximum probability to the given instance. Using Bayes’ theorem and the assumption of independence of features, each conditional probability can be decomposed as the multiplication of several probabilities. One needs to compute each of these probabilities using training data in order to do Naive Bayes classification. Since the training data must be collected from individuals by preserving privacy, we utilize LDP frequency and statistics estimation methods for collecting perturbed data from individuals and estimating conditional probabilities in Naive Bayes classification. To be able to estimate the conditional probability that a feature would have a specific value given a class label, the relationship between class labels and each feature must be preserved during data collection. Therefore, a new instance can be classified based on the collected privatized training data with Naive Bayes classifier. We developed techniques to perform this privatized training for discrete and continuous data using Naive Bayes classifiers.
Our contributions can be summarized as follows:
First, for the discrete features, we developed LDP Naive Bayes classifier using LDP frequency estimation techniques; where each possible probability that can be used to classify an instance with Naive Bayes is estimated, by preserving the relationships between class labels and features. For perturbation, we utilized five different LDP mechanisms: Direct Encoding (DE), Symmetric and Optimal Unary Encoding (SUE and OUE), Summation with Histogram Encoding (SHE), and Thresholding with Histogram Encoding (THE).
Second, for the continuous features, we propose two approaches: (a) discretizing the data, and then applying LDP techniques (similar to the previous discussion), and (b) applying Gaussian Naive Bayes after adding Laplace noise to the data to satisfy LDP. For the second approach, we utilized and compared three types of continuous data perturbation methods. In both approaches, we also propose to utilize dimensionality reduction to improve accuracy and to decrease the communication cost and the amount of noise added.
Third, we conducted experiments with real datasets using various LDP techniques. The results demonstrate that the accuracy of the Naive Bayes classifier is maintained even when the LDP guarantees are satisfied. Our experiment results also show that dimensionality reduction improves classification accuracy without decreasing the privacy level.
The rest of the paper is organized as follows. We explain Naive Bayes classification, locally differentially private frequency and statistics estimation methods as background in Section 2. In Section 3, we present our methods to apply LDP techniques into Naive Bayes classification. We experimentally evaluate the accuracy of the classification under LDP in Section 4. Related work is reviewed in Section 5. Finally, Section 6 concludes the paper.
2. Preliminaries
2.1. Naive Bayes Classification
In probability theory, Bayes’ theorem describes the probability of an event, based on prior knowledge of conditions that might be related to the event. It is stated as follows:
Naive Bayes classification technique uses Bayes’ theorem and the assumption of independence between every pair of features. Let the instance to be classified be dimensional vector , the names of the features be , and the possible classes that can be assigned to the instance be . Naive Bayes classifier assigns the instance to the class if and only if for and . Hence, the classifier needs to compute for all classes and compare these probabilities. Using Bayes’ theorem, the probability can be calculated as
Since is same for all classes, it is sufficient to find the class with maximum . With the assumption of independence of features, it is equal to . Hence, the probability of assigning to given instance is proportional to .
2.1.1. Discrete Naive Bayes
Age  Income  Gender  Missed Payment 

Young  Low  Male  Yes 
Young  High  Female  Yes 
Medium  High  Male  No 
Old  Medium  Male  No 
Old  High  Male  No 
Old  Low  Female  Yes 
Medium  Low  Female  No 
Medium  Medium  Male  Yes 
Young  Low  Male  No 
Old  High  Female  No 
To demonstrate the concept of the naive Bayes classifier for discrete (categorical) data, we use the dataset given in Table 1. In this example, the classification task is predicting whether a customer will miss a mortgage payment or not. Hence, there are two classes such as and representing missing a previous payment or not, respectively. and . In addition, conditional probabilities for the feature “Age” is given in Table 2. Similarly, conditional probabilities for the other features can be calculated.
In order to predict whether a young female with medium income will miss a payment or not, we can set . To use Naive Bayes classifier, we need to compare and . Since the first one is equal to and the second one is equal to , it can be concluded that is assigned for the instance by Naive Bayes classifier. In other words, it can be predicted that a young female with medium income will not miss her payments.
2.1.2. Gaussian Naive Bayes
For continuous data, a common approach is assuming the values are distributed according to Gaussian distribution. Then, the conditional probabilities can be computed using the mean and the variance of the values. Let a feature has a continuous domain. For each class the mean and the variance of the values of in the training set are computed. For the given instance , the conditional probability is computed using Gaussian distribution as follows:
Gaussian Naive Bayes can also be used for features with large discrete domain. Otherwise, the accuracy may reduce because of the high number of values which are not seen in the training set.
2.2. Local Differential Privacy
Local differential privacy (LDP) is a way of measuring the individual privacy in the case where the data curator is not trusted. In LDP setting, individuals perturb their data before sending it to a data aggregator. Hence, the data aggregator only sees perturbed data. It aggregates all reported values and estimates privacypreserving statistics. LDP states that for any reported value, the probability of distinguishing two input values by the data aggregator is at most . The formal definition of local differential privacy is as follows:
Definition 1 ().
A protocol satisfies local differential privacy if for any two input values and and any output in the output space of ,
Randomized response mechanism is one method to satisfy LDP. In the binary randomized response mechanism, the input is a single bit. An individual sends the correct bit to the data aggregator with probability and incorrect bit with probability . The aggregator can estimate the actual number of 0s and 1s by using the probability and the reported numbers of 0s and 1s. To satisfy LDP, can be selected as . This problem can be generalized into frequency estimation problem where the inputs can be selected from a larger set containing more than two values.
2.2.1. LDP Frequency Estimation
In the problem of frequency estimation, there are individuals having a value from the set . The aim of data aggregator is to find the number of individuals having a value for all values in the set. Wang et al. (Wang et al., 2017) proposed a framework to generalize the LDP frequency estimation protocols in the literature, and they also proposed two new protocols. Here, we summarize the LDP protocols which are explained in (Wang et al., 2017) in detail. All of them can be used for frequency estimation in our solution. We empirically compare their effect on accuracy in our problem setting in Section 4.
Direct encoding (DE): In this method, there is no encoding of input values. For perturbation, an individual reports her value correctly with probability , or reports one of the remaining values with probability per each. When the aggregator collects all perturbed values from individuals, it estimates the frequency of each as follows: Let be the number of times is reported. Estimated number of occurrence of value in the population is computed as .
Histogram encoding: An individual encodes her value as length vector where only component is and the remaining are . Then, she perturbs her value by adding Lap() to each component in the encoded value, where Lap() is a sample from Laplace distribution with mean 0 and scale parameter . When the data aggregator collects all perturbed values, it can use two estimation methods. In summation with histogram encoding (SHE), it calculates the sum of all values reported by individuals. To estimate the number of occurrence of value in the population, the data aggregator sums the components of all reported values. In thresholding with histogram encoding (THE), the data aggregator sets all values greater than a threshold to 1, and the remaining to 0. Then it estimates the number of ’s in the population as , where , , and is the number of ’s in the components of all reported values after applying thresholding.
Unary encoding: In this method, an individual encodes her value as length binary vector where only bit is and the remaining are . Then, for each bit in the encoded vector, she reports correctly with probability and incorrectly with probability if the input bit is . Otherwise, she reports correctly with probability and incorrectly with probability . In symmetric unary encoding (SUE), is selected as and is selected as . In optimal unary encoding (OUE), is selected as and is selected as . The data aggregator estimates the number of ’s in the population as , where denotes the number of ’s in the bit of all reported values.
2.2.2. LDP Mean Estimation
As explained in Section 2.1.2, Gaussian Naive Bayes is suitable for large discrete domains and continuous domains. Conditional probabilities are computed using the mean and the variance. In order to compute the mean under LDP, Laplace mechanism can be used (Nguyên et al., 2016). Let the domain be normalized, and an individual has a value . The individual adds Laplace noise Lap() to her value and reports noisy value ()) to the data aggregator. Since the mean of noises that are drawn from Laplace distribution is 0, the data aggregator calculates the sum of all noisy values reported by individuals, and divides the sum by the number of individuals to estimate the mean. As for estimating the variance, we explain our proposed method in Section 3.2.
2.2.3. LDP with Multidimensional Data
The frequency and mean estimation methods described in Section 2.2.1 and 2.2.2 work for onedimensional data. If the data owned by individuals is multidimensional, reporting each value with these methods may cause privacy leaks due to the dependence of features. Hence, the following approaches were proposed to deal with dimensional data.
Approach 1: For the Laplace mechanism described in Section 2.2.2, LDP can also be satisfied if the noise scaled with the number of dimensions (Nguyên et al., 2016). Hence, if an individuals’ input is such that for all , then she can report each after adding (i.e. )). This approach is not suitable if the number of dimensions is high because large amount of noise reduces the accuracy.
Approach 2: For mean estimation, Nguyên et al. (Nguyên et al., 2016) introduced an algorithm that requires reporting one bit by each individual to the data aggregator. An individual has an input value such that for all . She can perturb and report her input as follows:

She select uniformly at random.

She samples Bernoulli variable such that .

She sets if , otherwise.

She reports to the data aggregator.
Since the only nonzero value is and it has two possible values, it is sufficient to report one bit to indicate the sign of . Each feature is approximately reported by individuals. This approach is efficient in terms of communication cost.
Approach 3: The first two approaches are specific to continuous data. Hence, we outline a third approach that is more general. The data aggregator requests only one perturbed input from each individual to satisfy LDP. Each individual can select the input to be reported uniformly at random or the data aggregator can divide the individuals into groups and requests different input values from each group. As a result, each feature is approximately reported by individuals. This approach is suitable when the number of individuals is high relative to the number of features . Otherwise the accuracy decreases since the number of reported values is low for each feature.
2.3. Dimensionality Reduction
The approaches for dealing with multidimensional data suffer from the high number of dimensions which necessitates adding more noise that results in decreasing the accuracy. In the first approach, the amount of noise is directly proportional to the number of dimensions. In the second approach, the number of individuals who report each feature decreases for high number of dimensions because each feature is approximately reported by individuals. Therefore, we propose to utilize dimensionality reduction techniques to improve accuracy. Dimensionality reduction is a machine learning tool that is traditionally used to solve overfitting issues, and to reduce the computational cost caused by high numbers of features. We utilize two commonly used methods for dimensionality reduction: Principal Component Analysis (PCA) and Discriminant Component Analysis (DCA) (Kung, 2014).
PCA reduces the dimensions while preserving most of the information by projecting the data on the principal components with the highest variance. By projecting the data in the direction of the highest variability, PCA also tends to decrease the reconstruction error; thus improving recoverability of the original data from its projection. On the other hand, DCA utilizes the class labels ’s to project the data in the direction that can effectively discriminate between different classes. Such direction might not be necessarily the direction of the highest variance; thus DCA can be superior to PCA for labeled data.
3. Naive Bayes Classification under Local Differential Privacy
As explained in Section 2.1, one needs to know the probability for all classes, and for all classes and all possible values in order to use Naive Bayes classifier. These probabilities are calculated based on the training data. However, when individuals avoid sharing their data for training due to privacy reasons, it is impossible to calculate these probabilities. Since LDP provides plausible deniability for individuals, LDP methods can be used to train Naive Bayes classifier. In this section, we explain the estimation of such necessary probabilities using LDP methods. First we introduce a solution for classification for all discrete features (Section 3.1), and then we explain the solutions to deal with continuous data (Section 3.2). Table 3 shows the notations used in the paper.
instance to be classified  

the set of class labels  
the number of features  
the number of class labels  
the number of individuals 
3.1. LDP Naive Bayes with Discrete Features
We initially consider the case where all the features are numerical and discrete. There are individuals who are reluctant to share their data to train a classifier. However, they can share perturbed data to preserve their privacy. By satisfying LDP during data collection, the privacy of individuals can be guaranteed. Here, we propose a solution that utilizes the LDP frequency estimation methods given in Section 2.2 in order to compute all necessary probabilities for a Naive Bayes classifier.
The data aggregator needs to estimate class probabilities for all classes in and conditional probabilities for all classes and all possible values. Let an individual’s (e.g. Alice’s) data be and her class label be . She needs to prepare her input and perturb it by satisfying LDP. We now explain the preparation and the perturbation of input values based on Alice’s data and the estimation of the class probabilities and the conditional probabilities by data aggregator.
3.1.1. Computation of Class Probabilities
For the computation of class probabilities, Alice’s input becomes since her class label is . Alice encodes and perturbs her value , and reports to the data aggregator. Any LDP frequency estimation method which is explained in Section 2.2.1 can be used. Similarly, other individuals report their perturbed class labels to the data aggregator. The data aggregator collects all perturbed data and estimates the frequency of each value as . As a result, the probability is estimated as . For the example dataset in Table 1, Alice’s input becomes if she has a missing payment or if she does not have a missing payment.
3.1.2. Computation of Conditional Probabilities
To estimate the conditional probabilities , it is not sufficient to report feature values directly. To be able to compute these probabilities, the relationship between class labels and features must be preserved. To keep this relationship, individuals prepare their inputs using feature values and class labels. Let the total number of possible values for be . If Alice’s value in dimension is and her class label value is , then Alice’s input for feature becomes . Therefore, each individual calculates her input for the feature in the range of . For instance, let “Age” values in the Table 1 be enumerated as (Young = ), (Medium = ), (Old = ). For this feature, an individual’s input can be a value between 1 and 6, where 1 represents the age is young and there is a missing payment, and 6 represents the age is old and there is no missing payment. Therefore, there is one input value that corresponds to each line of Table 2. Similarly, the number of possible inputs for “Income” is 6 and the number of possible inputs for “Gender” is 4. After determining her input in feature, Alice encodes and perturbs her value , and reports the perturbed value to the data aggregator. To estimate the conditional probabilities for , the data aggregator estimates the frequency of individuals having value and class label as by estimating the frequency of input . Hence, the conditional probability is estimated as . For the example given above, to estimate the probability , the data aggregator estimates the frequency of 2, 4, and 6 as , , and , respectively. Then is estimated as .
As a result, in order to contribute to the computation of class probabilities and conditional probabilities, each individual can prepare inputs (i.e. for Alice) that can be reported after perturbation. As mentioned in Section 2.2.3, reporting multiple values which are dependent to each other decreases the privacy level. Reporting all perturbed values increases the probability of predicting the class labels of individuals by the data aggregator. This case is similar to requesting multiple queries in the centralized setting of differential privacy. Hence, each individual reports one input as described in Approach 3 in Section 2.2.3.
Finally, when the data aggregator estimates a value such as or , the estimation may give a negative result. In that case, we set all the negative estimations to to obtain valid probability.
3.2. LDP Naive Bayes with Continuous Features
In order to satisfy LDP in Naive Bayes classification for continuous data, we propose two different solutions. First solution is discretizing the continuous data and applying the discrete Naive Bayes solution outlined in Section 3.1. In this solution, continuous numerical data is divided into buckets to make it finite and discrete. Each individual perturbs her input after discretization. Second, the data aggregator can use Gaussian Naive Bayes to estimate the probabilities as given in Section 2.1.2. To estimate the mean and the variance, the data aggregator uses LDP methods given in Section 2.2.2. Figure 1 shows the steps of the proposed solutions. As explained in Section 2.2.3, the number of dimensions can be reduced to improve accuracy; hence, we utilize dimensionality reduction techniques. Now, we describe the solutions in detail.
Discrete Naive Bayes. We first propose to use the solution introduced for discrete data in Section 3.1. Based on known feature ranges for features with continuous or large domain, the data aggregator determines the intervals for buckets in order to discretize the domain. EqualWidth Discretization (EWD) can be used for equally partitioning the domain. EWD computes the width of each bin as where and are the maximum and minimum feature values, and is the number of desired bins. We utilized EWD in our experiments for discretization.
When the data aggregator shares the intervals with individuals, each individual firstly discretizes her continuous feature values, and then applies the procedure described in Section 3.1 for perturbation. The data aggregator also estimates the probabilities with the same procedure for LDP Naive Bayes for discrete data. As mentioned in Section 3.1.2, each individual should report just one perturbed value to guarantee LDP.
Gaussian Naive Bayes. As explained in Section 2.1.2, a common approach for Naive Bayes classification for continuous data is assuming the data is normally distributed. For locally differentially private Gaussian Naive Bayes, computing the class probabilities is same with the computation for discrete features as given in Section 3.1.1. To compute conditional probabilities, the data aggregator needs to have the mean and the variance of training values for each feature given a class label. That is, to compute , the data aggregator needs to estimate the mean and the variance using the values of individuals with a class label . Hence, the association between features and class labels has to be maintained (similar to the discrete Naive Bayes classifier).
The mean estimation was explained in Section 2.2.2. However to compute the mean and the variance together, we propose the following method: the data aggregator divides the individuals into two groups. One group contributes to the estimation of the mean (i.e. ) by perturbing their inputs and sharing with the data aggregator, while the other group contributes to the estimation of the mean of squares (i.e. ) by perturbing the squares of their inputs and sharing with data aggregator.
Let Bob has class label and his feature value be . Note that, the domain of each feature was assumed to be normalized to have a value in . If Bob is in the first group, he adds Laplace noise to his value and obtains perturbed feature value . When data aggregator collects all perturbed feature values from individuals in the first group having class label , it computes the mean of the perturbed feature values which gives an estimation of the mean because the mean of noise added by individuals is 0. Similar operations could be followed by the second group. If Bob is in the second group, he adds noise to his squared value to obtain and shares it with the data aggregator. Similarly, the data aggregator computes the estimation of the mean of squares (). Finally, the variance can be computed as . Once again, each individual reports only one of her value or square of her value after perturbation because they are dependent values.
In this explained method to compute the mean and the variance, the class label of individuals are not hidden from the data aggregator. To hide the class labels, we adopt the following approach: an individual (Bob) reporting a feature value associated with class where , first constructs a vector of length where is the number of class labels. The vector is initialized to zeros except for the element corresponding to the class label which is set to the feature value . After that, each element of the vector is perturbed as usual (i.e. by adding Laplace noise), and contributed to the data aggregator. Since noise is added even to the zero elements of the vector, the data aggregator will not be able to deduce the actual class label, or the actual values.
As for estimating the actual mean value (and mean of the squared values) for each class, the data aggregator only needs to compute the mean of the perturbed values as usual, and then dividing that value by the probability of that class. To understand why, assume that a specific class has Probability (explained in Section 3.1.1). Hence, for a specific feature , only of the individuals have their actual values in element of the input vector, while the remaining proportion () have zeros. Hence, after the noise clustered around the actual mean cancels each other, and the noise clustered around zero cancel each other, we would have . Hence, we can divide the observed mean by to obtain the estimated mean. The same situation applies for the mean of the squared values, and hence for computing the variance.
4. Experimental Evaluation
To evaluate the accuracy of Naive Bayes classification under local differential privacy, we have implemented the proposed methods in Python utilizing pandas and NumPy libraries. We have implemented different LDP protocols for frequency estimation such as Direct Encoding (DE), Summation with Histogram Encoding (SHE), Thresholding with Histogram Encoding (THE), Symmetric Unary Encoding (SUE), and Optimal Unary Encoding (OUE) which are presented in Section 2.2. We performed experiments with different values in THE and we achieved best accuracy when . Hence, we give the experiment results of SHE for . We repeated all experiments 100 times and present the average classification accuracy. We used datasets from UCI Machine Learning repository (Dheeru and Karra Taniskidou, 2017) and selected of the datasets for training and the remaining for testing. We firstly present the results for the datasets with categorical and discrete features in Section 4.1. The results for continuous data is given in Section 4.2.
4.1. LDP Naive Bayes with Discrete Features
To evaluate the classification accuracy of the proposed method in Section 3.1 for classifying data with discrete features, we used Car Evaluation, Chess, Mushroom, and Connect4 datasets from UCI ML repository. The number of instances, features, and class labels are given in Table 4. Initially, we performed Naive Bayes classification without local differential privacy to compare the accuracy under local differential privacy.
Name  # Instances  # Features  # Class Labels 

Car Evaluation  
Chess  
Mushroom  
Connect4 
Experiment results for varying values up to 5 are shown in Figure 2. Dotted lines in the figures show the accuracy without privacy. As expected, when the number of instances in the training set increases, the accuracy is better for smaller values. For instance, in Connect4 dataset, all protocols except SHE provide more than accuracy even for very small values. Since the accuracy without privacy is approximately , the accuracy of all of these protocols for values smaller than is noticeable. The results are also similar for Mushroom dataset. For , all protocols except SHE provide nearly classification accuracy. In all of the datasets, the protocol with worst accuracy is SHE. Since this protocol simply sums the all noisy values, its variance is higher than the other protocols. DE achieves the best accuracy for small values in Car Evaluation and Chess datasets because the input domains are small. The variance of DE is proportional to the size of the input domain. Therefore, its accuracy is better when the input domain is small. SUE and OUE provides similar accuracy in all of the experiments. They perform better than DE when the size of input domain is large. Although OUE is proposed by (Wang et al., 2017) to decrease variance, we did not observe considerable utility difference between SUE and OUE in our experiments.
4.2. LDP Naive Bayes with Continuous Features
In this section, we outline the results for the methods proposed in Section 3.2 for continuous data. We conducted the experiments on two different datasets: Australian and Diabetes. The Australian dataset has 14 original features, and the Diabetes dataset has 8 features. Initially, we applied the discretization method and implemented two dimensionality reduction techniques (i.e. PCA and DCA) to observe the effect of them in accuracy. The results for two datasets for different values of are given in Figure 3. We present the results for two LDP schemes (i.e. Direct Encoding and Optimized Unary Encoding) which provide the best accuracy for different domain sizes. ,The input domain is divided into buckets for Australian dataset and buckets for Diabetes dataset. For Australian dataset, we obtained the best results for PCA and DCA when the number of features is reduced to one. For Diabetes dataset, best accuracy is achieved when PCA reduces the number of features to 6 and when DCA reduces the number of features to one. As evident in Figure 3, DCA provides the best classification accuracy, which shows the advantage of using dimensionality reduction before discretization. As expected, DCA’s accuracy is better than PCA since it is mainly designed for classification.
We also applied locally differentially private Gaussian Naive Bayes (LDPGNB) on the same two datasets. We implemented all three perturbation approaches for multidimensional data explained in Section 2.2.3. Figure 4 shows the results of performing LDPGNB on these two datasets. Among three approaches, the first one results in lowest utility since individuals report all features by adding more noise (i.e. propotional to the number of dimensions). In each figure, three curves are shown which correspond to using the original data (with 14 or 8 features for Australian and Diabetes datasets, respectively), or projecting the data using PCA or DCA before applying the LDP noise. The positive effect of reducing the dimensions can be clearly seen in all figures. In both datasets, and for PCA and DCA, the number of reduced dimensions were one. DCA or PCA always performs better than the original data, and for all perturbation approaches.
Finally, when we compare discretization and Gaussian Naive Bayes for continuous data, it can be concluded that discretization provides better accuracy than Gaussian Naive Bayes. Especially for smaller values, the superiority of discretization is more apparent. Although it is not possible to compare the amount of noise for randomized response and Laplace mechanism, discretization possibly causes less noise due to smaller input domain.
5. Related Work
Privacypreserving Naive Bayes classification has been studied before in different settings. Kantarcioglu et al. (Kantarcıoglu et al., 2003) proposed privacypreserving Naive Bayes classifier for horizontally partitioned data. Their solution is secure in semihonest threat model and utilizes computationally expensive cryptographic techniques such as oblivious transfer. Vaidya et al. (Vaidya and Clifton, 2004) addressed the same problem for vertically partitioned data. They also used secure multiparty computation primitives which are computationally expensive operations. Naive Bayes classification under differential privacy has been studied in (Vaidya et al., 2013). In (Vaidya et al., 2013), centralized setting for differential privacy is considered where the data owner has a training data and aims to release classifier by protecting privacy. They explain how to compute the sensitivity and add Laplace noise to satisfy differential privacy in Naive Bayes classifier. Li et al. (Li et al., 2018) extended it to multiple data owners. Even though their problem setting is similar to our case, they guarantee the differential privacy at global level by calculating the global sensitivity and applying Laplace noise to the counts. Their solution does not satisfy the differential privacy in the local setting and preserves individual privacy with encryption techniques. Although privacypreserving Naive Bayes classifier has been studied under different privacy settings such as horizontally or vertically partitioned data, and centralized differential privacy, none of them addresses the problem under LDP.
Most of the work in the literature about differential privacy consider the centralized setting. One of the earliest work on differential privacy in the local setting is Google’s RAPPOR (Erlingsson et al., 2014). They proposed using randomized response mechanism to satisfy LDP and using bloom filters to decrease communication cost. Bassily et al. (Bassily and Smith, 2015) also proposed a method to satisfy LDP in frequency estimation utilizing random matrix projection. Wang et al. (Wang et al., 2017) introduced a framework of pure LDP protocols to generalize the frequency estimation protocols in the literature and they proposed two new protocols for frequency estimation. We utilize these protocols in our work as mentioned in Section 2.2. Other than frequency estimation, some other problems such as heavy hitters (Bassily et al., 2017) and marginal release (Cormode et al., 2018) have also been studied under LDP. The most similar work to our work is (Cyphers and Veeramachaneni, 2017), which presents a system to do machine learning by satisfying LDP. To achieve better accuracy, they reduced the size of input domain to two and they also considered a binary classification model that has only two class labels. Using LDP frequency estimation the statistics about the features are estimated and using these statistics synthetic data is generated to train classification model. In our work, we do not especially address binary classification problem, and hence the number of class labels can be more than two. In addition, input domain for the features can have more than two values. By keeping the relationship between class labels and features, we allow estimation of probabilities for Naive Bayes classifier without a need for generating synthetic data.
6. Conclusion
We proposed methods for applying locally differentially private frequency and statistics estimation protocols to collect training data in Naive Bayes classification. Using the proposed methods, one can estimate all necessary probabilities to be used in Naive Bayes classification for both discrete and continuous data. To be able to estimate the conditional probabilities, the proposed methods preserve the relationship between features and class labels during the selection of inputs. Our experiment results indicate that the classification accuracy of LDP Naive Bayes for is very close to the accuracy without privacy. Even for smaller values, the accuracy is remarkable when Direct Encoding or Unary Encoding schemes are used for discrete data and when discretization is used for continuous data. In addition, experiment results show that using dimensionality reduction techniques such as DCA improves the accuracy of the proposed methods for continuous data. The proposed methods facilitate collecting large training data to use in Naive Bayes classifier without compromising the privacy of the individuals providing training data. Other than Naive Bayes, LDP techniques can be utilized in different machine learning methods which can be considered as potential future work.
References
 (1)
 Bassily et al. (2017) Raef Bassily, Kobbi Nissim, Uri Stemmer, and Abhradeep Guha Thakurta. 2017. Practical locally private heavy hitters. In Advances in Neural Information Processing Systems. 2288–2296.
 Bassily and Smith (2015) Raef Bassily and Adam Smith. 2015. Local, private, efficient protocols for succinct histograms. In Proceedings of the fortyseventh annual ACM symposium on Theory of computing. ACM, 127–135.
 Chaudhuri et al. (2011) Kamalika Chaudhuri, Claire Monteleoni, and Anand D Sarwate. 2011. Differentially private empirical risk minimization. Journal of Machine Learning Research 12, Mar (2011), 1069–1109.
 Cormode et al. (2018) Graham Cormode, Tejas Kulkarni, and Divesh Srivastava. 2018. Marginal release under local differential privacy. In Proceedings of the 2018 International Conference on Management of Data. ACM, 131–146.
 Cyphers and Veeramachaneni (2017) Bennett Cyphers and Kalyan Veeramachaneni. 2017. AnonML: Locally private machine learning over a network of peers. In Data Science and Advanced Analytics (DSAA), 2017 IEEE International Conference on. IEEE, 549–560.
 Dheeru and Karra Taniskidou (2017) Dua Dheeru and Efi Karra Taniskidou. 2017. UCI Machine Learning Repository. http://archive.ics.uci.edu/ml
 Dwork (2008) Cynthia Dwork. 2008. Differential privacy: A survey of results. In International Conference on Theory and Applications of Models of Computation. Springer, 1–19.
 Erlingsson et al. (2014) Úlfar Erlingsson, Vasyl Pihur, and Aleksandra Korolova. 2014. Rappor: Randomized aggregatable privacypreserving ordinal response. In Proceedings of the 2014 ACM SIGSAC conference on computer and communications security. ACM, 1054–1067.
 Jagannathan et al. (2009) Geetha Jagannathan, Krishnan Pillaipakkamnatt, and Rebecca N Wright. 2009. A practical differentially private random decision tree classifier. In Data Mining Workshops, 2009. ICDMW’09. IEEE International Conference on. IEEE, 114–121.
 Kairouz et al. (2014) Peter Kairouz, Sewoong Oh, and Pramod Viswanath. 2014. Extremal mechanisms for local differential privacy. In Advances in neural information processing systems. 2879–2887.
 Kantarcıoglu et al. (2003) Murat Kantarcıoglu, Jaideep Vaidya, and C Clifton. 2003. Privacy preserving naive bayes classifier for horizontally partitioned data. In IEEE ICDM workshop on privacy preserving data mining. 3–9.
 Kung (2014) Sun Yuan Kung. 2014. Kernel methods and machine learning. Cambridge University Press.
 Li et al. (2018) Tong Li, Jin Li, Zheli Liu, Ping Li, and Chunfu Jia. 2018. Differentially private naive bayes learning over multiple data sources. Information Sciences 444 (2018), 89–104.
 Nguyên et al. (2016) Thông T Nguyên, Xiaokui Xiao, Yin Yang, Siu Cheung Hui, Hyejin Shin, and Junbum Shin. 2016. Collecting and analyzing data from smart device users with local differential privacy. arXiv preprint arXiv:1606.05053 (2016).
 Qin et al. (2016) Zhan Qin, Yin Yang, Ting Yu, Issa Khalil, Xiaokui Xiao, and Kui Ren. 2016. Heavy hitter estimation over setvalued data with local differential privacy. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. ACM, 192–203.
 Rubinstein et al. (2012) Benjamin IP Rubinstein, Peter L Bartlett, Ling Huang, and Nina Taft. 2012. Learning in a Large Function Space: PrivacyPreserving Mechanisms for SVM Learning. Journal of Privacy and Confidentiality 4, 1 (2012), 65–100.
 Vaidya and Clifton (2004) Jaideep Vaidya and Chris Clifton. 2004. Privacy preserving naive bayes classifier for vertically partitioned data. In Proceedings of the 2004 SIAM International Conference on Data Mining. SIAM, 522–526.
 Vaidya et al. (2013) Jaideep Vaidya, Basit Shafiq, Anirban Basu, and Yuan Hong. 2013. Differentially private naive bayes classification. In Web Intelligence (WI) and Intelligent Agent Technologies (IAT), 2013 IEEE/WIC/ACM International Joint Conferences on, Vol. 1. IEEE, 571–576.
 Wang et al. (2017) Tianhao Wang, Jeremiah Blocki, Ninghui Li, and Somesh Jha. 2017. Locally differentially private protocols for frequency estimation. In Proc. of the 26th USENIX Security Symposium. 729–745.