Detailed Description
The scheme provided by the specification is described below with reference to the accompanying drawings.
Training samples currently used for model training may include various sources, such as manual marking, crawling from a website or web platform, etc., where challenge samples are easily mixed. As mentioned above, identifying the challenge sample is important to ensure the training performance and the prediction performance of the model, thereby protecting the model.
Furthermore, the inventors consider that the labels of the challenge samples are wrong according to the definition of the challenge samples, so that the performance gain brought to the model is negative or very small. Thus, it is possible to detect whether a sample is a challenge sample by calculating the gain of the sample on the model performance, or alternatively, it is possible to identify a challenge sample by calculating the gain of the sample on the model performance.
Based on this, the inventors propose a method of identifying challenge samples to secure the model. In one embodiment, fig. 1 shows a block diagram of an implementation of a method for identifying challenge samples according to an embodiment, as shown in fig. 1, first, a plurality of non-challenge samples are sampled for several times to obtain a plurality of control sample sets, which are labeled N in fig. 1, where N is a positive integer. And then, adding the target samples to be detected into the plurality of control sample sets respectively to obtain a plurality of experimental sample sets. Then, determining a plurality of gain values of the target sample on the model performance based on a plurality of control sample sets and a plurality of experiment sample sets, which specifically comprises: on one hand, for any first control sample set in the plurality of control sample sets, training an initial machine learning model by using the first control sample set, and performing performance evaluation on the trained first control model to obtain a first control value indicating the performance of the model; on the other hand, for a first experiment sample set comprising a target sample and samples in the first reference sample set, training the initial machine learning model by using the first experiment sample set, and performing performance evaluation on the trained first experiment model to obtain a first experiment value indicating the performance of the model; further, the difference between the first control value and the first experimental value is determined as a first gain value, from which the gain values can be determined. Then, according to a plurality of gain values and a preset judgment rule, whether the target sample is a countermeasure sample is judged. In this way, accurate identification of challenge samples can be achieved.
The following describes specific implementation steps of the above identification method with reference to specific embodiments.
Fig. 2 shows a flowchart of a method for identifying countermeasure samples to secure a model according to an embodiment, and an execution subject of the method can be any device, equipment, platform, or equipment cluster having computing and processing capabilities. As shown in fig. 2, the method comprises the steps of:
step S210, sampling a plurality of non-antagonistic samples for a plurality of times to obtain a plurality of control sample sets; step S220, adding target samples to be detected into the plurality of control sample sets respectively to obtain a plurality of experiment sample sets; step S230, aiming at any first control sample set in the plurality of control sample sets, training an initial machine learning model by using the first control sample set to obtain a trained first control model; step S240, utilizing a test sample set to perform performance evaluation on the first contrast model to obtain a first contrast value aiming at a preset evaluation index, wherein the test sample set is determined based on the plurality of non-confrontation samples; step S250, for a first experiment sample set obtained by adding the target sample to the first control sample set, training the initial machine learning model by using the first experiment sample set to obtain a trained first experiment model; step S260, performing performance evaluation on the first experiment model by using the test sample set to obtain a first experiment value aiming at the preset evaluation index; step S270, determining the difference value between the first experimental value and the first control value as a first gain value; step S280, determining whether the target sample belongs to a confrontation sample by using gain values determined based on the control sample sets and the experiment sample sets.
First, the terms "first" in the first reference sample set, the first experimental sample set, the first reference model, the first experimental model, and the like in the following description are used only for distinguishing the same kind of things, and do not have other limiting effects.
Furthermore, for the plurality of non-antagonistic samples and target samples involved in the steps shown in fig. 2, on the one hand, these samples may be private data samples, i.e. where user private data is involved, in one embodiment from the point of view of the data content comprised by the samples. At this time, it is important to identify the countermeasure sample to protect the model. For example, for a classification model (e.g., a face recognition model) for identifying a user identity, if a countermeasure sample included in a training sample of the classification model is not recognized and removed, when the classification model is put into use, identity information (e.g., a face and the like) provided by one user may be mistakenly recognized as belonging to another user, so that the identity is falsely used or a user account is mistakenly deducted, and the like, which endangers the user privacy security. On the other hand, from the perspective of the data form of the samples, in one embodiment, the samples may be image samples, and accordingly, the initial machine learning model may be an image processing model. In a particular embodiment, the samples may include face images, iris images, fingerprint images, etc., and the initial machine learning model may be an identification model. In another embodiment, the samples may be text samples and, accordingly, the initial machine learning model may be a text processing model. In yet another embodiment, the samples may be speech samples and, accordingly, the initial machine learning model may be a speech processing model.
The above steps shown in fig. 2 are specifically as follows:
first, in step S210, a plurality of non-confrontation samples are sampled for several times, and a plurality of control sample sets are obtained. In one embodiment, the plurality of non-antagonistic samples may be normal samples that have been manually cross-checked to confirm the tag is error-free.
In one embodiment, multiple samples may be taken by enumeration to obtain multiple control sample sets, where enumeration is one example of all possible methods, and assuming that the multiple non-antagonistic samples comprise 3 samples, denoted A, B and C, respectively, the control sample sets obtained by enumeration include Ø, { A }, { B }, { C }, { A, B }, { A, C }, and { A, B, C }.
In another embodiment, the control sample sets may be obtained by sampling several times using a hierarchical sampling method. The layered sampling method comprises the step of selecting samples with the same or similar proportion among the number of the samples corresponding to each label in each sampling. In one example, assuming that in a binary scenario, the plurality of non-antagonistic samples includes positive and negative samples, for any two sampling, the ratio of the positive and negative samples in the two control sample sets may be maintained at 3:1, for example, the number of positive and negative samples in one control sample set is 30 and 10, respectively, and the number of positive and negative samples in the other control sample set is 45 and 15, respectively.
In yet another embodiment, the sampling may be performed several times by using a self-sampling method to obtain several control sample sets. Specifically, for a certain sampling, assuming that the number of the non-confrontation samples is M, and the number of the samples to be collected is M, one sample can be randomly selected from the M non-confrontation samples each time, classified into the M samples, and then placed back into the M non-confrontation samples, so that the sample can still be selected at the next time of selection, and after the process is repeatedly executed M times, a control sample set including the M samples can be obtained.
Thus, by sampling several times, several control sample sets can be obtained. Next, in step S220, the target samples to be detected are added to the plurality of control sample sets, respectively, to obtain a plurality of experimental sample sets. That is, the target sample to be detected is added to each control sample set, so as to obtain each experimental sample set corresponding to each control sample set, and form a plurality of experimental sample sets.
Then, in step S230, an initial machine learning model is trained on a first control sample set of any of the plurality of control sample sets by using the first control sample set, so as to obtain a trained first control model. And, in step S240, performing performance evaluation on the first control model by using a test sample set determined based on the plurality of non-confrontational samples to obtain a first control value for a preset evaluation index.
It should be noted that after step S210 is executed, step S220 and step S230 may be executed at the same time, or step S220 and step S230 may be executed successively, and in short, the execution order of both is not limited.
In one embodiment, step S230 may include: respectively inputting a plurality of first samples in the first reference sample set into the initial machine learning model to obtain a plurality of corresponding first prediction results; and then adjusting model parameters in the initial machine learning model according to the plurality of first prediction results, the plurality of sample labels of the first samples and a preset loss function to obtain a parameter-adjusted first comparison model. Therefore, the initial machine learning model can be adjusted and parametered by utilizing the plurality of comparison sample sets to obtain the corresponding plurality of comparison models.
For the set of test samples, the determination may be based on the plurality of non-antagonistic samples. It should be understood that the test sample set is usually mutually exclusive from the training sample set (such as the above-mentioned control sample sets), i.e. the samples in the test sample set are usually not present in the training sample set and are not used in the training process. Moreover, the test sample set and the training sample set are generally divided to maintain the consistency of data distribution.
In one embodiment, the number of the test sample sets may be one. In this case, when there are a plurality of the plurality of control models, it means that performance evaluation can be performed on different control models using the same test sample set. In a specific embodiment, the step S210 may include: dividing two mutually exclusive sets based on the plurality of non-antagonistic samples, wherein one set is used as the test sample set, and the other set is used for sampling and determining the plurality of control sample sets.
In another embodiment, the test sample set may be multiple, so that different control models may be evaluated for performance using different test sample sets. In a specific embodiment, the step S210 may include: based on the hierarchical sampling method, the plurality of (e.g., M) non-antagonistic samples are divided into a predetermined number of mutually exclusive sets (e.g., k, where k is a positive integer less than M), and a union set of (k-1) mutually exclusive sets is used as a control sample set, and the remaining one mutually exclusive set is used as a corresponding test sample set, so that (k-1) control sample sets and corresponding (k-1) test sample sets can be obtained. In this manner, a set of test samples for evaluating model performance may be determined.
For the initial machine learning model described above, in one embodiment, the initial machine learning model may be an initialization model, that is, the initial machine learning model may be a model that has not been trained, wherein the model parameters are parameters assigned when the model is initialized. In another embodiment, the initial machine learning model may also be a model trained using some non-competing samples other than the plurality of non-competing samples described above. On the other hand, the initial machine learning model may be a classification model, a regression model, a neural network model, or the like, which is not limited thereto.
The preset evaluation index may include: error rate, accuracy, recall, precision, etc. It should be understood that the error rate refers to the ratio of the number of test samples with predicted errors to the total number of test samples. The precision refers to the proportion of the number of test samples which are predicted to be correct to the total number of test samples. For the binary classification problem, the precision ratio represents the proportion of the test samples which are truly true examples (namely, the label identification is the true example) in the test samples which are predicted to be the true examples; the recall ratio represents the proportion of samples that are predicted to be correct among the positive examples (i.e., the labels are identified as positive examples) included in the test samples. In one example, the prediction evaluation index may include precision, and the first reference value may include precision 0.88. In another example, the predictive evaluation index may include an error rate, and the first control value may include an error rate of 0.16.
In the above steps S230 and S240, the first control value corresponding to any first control sample set can be obtained, and thus, a plurality of control values corresponding to a plurality of control sample sets can be obtained. On the other hand, in step S250, for a first experimental sample set obtained by adding the target sample to the first control sample set, the initial machine learning model is trained using the first experimental sample set, and a trained first experimental model is obtained. And step S260, performing performance evaluation on the first experimental model by using the test sample set to obtain a first experimental value for the preset evaluation index.
It should be noted that the initial machine learning model trained using the first control sample set is the same as the initial machine learning model trained using the first experimental sample set, and the test sample set used for performance evaluation of the first experimental model is the same as the test sample set used for performance evaluation of the first control model. In addition, for the description of step S250 and step S260, reference may be made to the description of step S230 and step S240, which is not repeated.
In one example, the prediction evaluation index includes precision, and the first experimental value may include precision of 0.80 or 0.90. In another example, the predictive evaluation index may include an error rate, and the first control value may include an error rate of 0.10 or 0.20.
In the above steps S250 and S260, the first experimental value corresponding to any first experimental sample set can be obtained, and thus, a plurality of experimental values corresponding to a plurality of experimental sample sets can be obtained. It should be noted that, for the execution sequence of the foregoing steps S210 to S260, it is only required that the step S210 is the first step to be executed, and then the steps S230 and S240 are executed sequentially on the one hand, and the steps S220, S250 and S260 are executed sequentially on the other hand, and the rest is not limited. Specifically, in one embodiment, step S210, step S230, step S220, step S250, step S240, and step S260 may be performed sequentially in that order. In another embodiment, step S210, step S220, step S230, step S240, step S250, and step S260 may be performed sequentially.
Then, in step S270, the difference between the first experimental value and the first control value is determined as a first gain value.
It is to be understood that the gain values are used to characterize the optimization effect that the target samples have on the model performance. In one embodiment, when the predetermined evaluation index is used for forward characterizing the model performance (e.g., the predetermined evaluation index is precision, recall, or precision), the first gain value is a difference obtained by subtracting the first control value from the first experimental value. In one example, the predetermined evaluation index is precision, and the first gain value is-0.80 if the first control value and the first experiment value are 0.88 and 0.80, respectively, and the first gain value is 0.20 if the first control value and the first experiment value are 0.88 and 0.90, respectively.
In another embodiment, when the predetermined evaluation index is used to negatively characterize the model performance (e.g., the predetermined evaluation index is an error rate), the first gain value is a difference of the first control value minus the first experimental value. In one example, the preset evaluation index is an error rate, and the first gain value is 0.60 if the first control value and the first experimental value are 0.16 and 0.10, respectively, and-0.04 if the first control value and the first experimental value are 0.16 and 0.20, respectively.
Thus, a plurality of gain values can be obtained based on the plurality of control values and the plurality of experimental values. Based on this, in step S280, it is determined whether the target sample belongs to the confrontation sample using the gain values determined based on the control sample sets and the experiment sample sets.
In one embodiment, this step may include: determining a gain average of the plurality of gain values; further, in the case where the gain mean is smaller than a set threshold, it is determined that the target sample belongs to a challenge sample, and in the case where the gain mean is not smaller than a set threshold, it is determined that the target sample does not belong to a challenge sample.
In a specific embodiment, the set threshold may be a manually set threshold, such as 0 or 0.05. In another specific embodiment, the setting of the threshold may be based on the following steps: firstly, averaging a plurality of control values of the plurality of control sample sets aiming at the preset evaluation index to obtain a control mean value; and determining the product of the comparison average value and a second preset proportion as the set threshold. In a more specific embodiment, the second preset ratio may be set by the service personnel according to expert experience or actual requirements, such as 0.05 or 0.02. In one example, assuming that the above control average is 0.80 and the second preset ratio is 0.05, the set threshold may be determined to be 0.04.
According to a specific example, assuming that the threshold is set to 0.04, if the gain mean value is 0.01, it can be determined that the corresponding target sample belongs to the confrontation sample, and if the gain mean value is 0.06, it can be determined that the corresponding target sample does not belong to the confrontation sample.
In another embodiment, this step may include: and determining the gain proportion larger than a set threshold value in the plurality of gain values, and judging that the target sample belongs to the confrontation sample when the gain proportion is smaller than a first preset proportion. It should be noted that, the setting of the threshold value can be referred to the related description in the above embodiments, and furthermore, in a specific embodiment, the first preset ratio can be set by the service personnel according to the expert experience or the actual requirement, such as setting to 0.80 or 0.90.
According to a specific example, assuming that the first preset ratio is 0.80, if the determined gain ratio is 0.20, it may be determined that the corresponding target sample belongs to the confrontation sample, and if the determined gain ratio is 0.87, it may be determined that the corresponding target sample does not belong to the confrontation sample.
Thus, whether the target sample belongs to the confrontation sample or not can be detected.
In summary, in the method for identifying a countermeasure sample disclosed in the embodiment of the present specification, a gain value of a target sample for a model performance is first determined, and then whether the target sample belongs to the countermeasure sample is determined by using the gain value, so that the countermeasure sample can be accurately identified, and the safety of the model using the countermeasure sample originally is further protected, so as to ensure good training performance and prediction performance of the model. For example, in the process of training a model for identifying the user identity, the method for identifying the countermeasure sample may be firstly adopted to identify the countermeasure sample included in the training sample collected in advance, and the training sample set without the countermeasure sample is used to train the identity recognition model, so as to ensure the safety of the model. Meanwhile, the trained model has good prediction performance, and can effectively prevent false recognition, so that high-risk consequences such as identity misuse, privacy leakage, property loss and the like caused by false recognition are prevented.
The above identification method is described below with reference to specific embodiments. FIG. 3 illustrates a timing step diagram of identifying countermeasure samples in accordance with one embodiment. As shown in fig. 3, wherein identifying the challenge sample comprises the steps of:
in step S31, a normal sample (i.e., a non-antagonistic sample) is sampled to obtain a control sample set.
And step S32, training the initial model by using the comparison sample set, and performing performance evaluation on the trained model by using the test sample set to obtain a comparison evaluation result.
And step S33, adding the sample to be detected into the control sample set to obtain an experimental sample set.
And step S34, training the initial model by using the experiment sample set, and evaluating the performance of the trained model by using the test sample set to obtain an experiment evaluation result.
And step S35, determining the gain of model performance according to the experimental evaluation result and the comparison evaluation result.
And step S36, repeating the step S31 and the step S35, and determining the gain of the model performance of the sample to be detected for each sampling.
And step S37, calculating the average value of the model gain brought by the sample to be detected.
In step S38, the samples with the mean value below the threshold are identified as challenge samples.
The above can realize the identification of the confrontation sample.
Corresponding to the identification method, the embodiment of the specification further discloses an identification device. FIG. 4 illustrates an apparatus structure diagram for identifying countermeasure samples to secure a model according to one embodiment. As shown in fig. 4, the apparatus 400 may include: a sampling unit 410 configured to sample the plurality of non-antagonistic samples for several times to obtain several control sample sets; an adding unit 420 configured to add target samples to be detected to the plurality of control sample sets respectively to obtain a plurality of experiment sample sets; a first training unit 430, configured to train an initial machine learning model with a first reference sample set of any of the several reference sample sets, to obtain a trained first reference model; a first evaluation unit 440 configured to perform a performance evaluation on the first control model using a test sample set determined based on the plurality of non-confrontational samples, resulting in a first control value for a preset evaluation index; a second training unit 450, configured to train the initial machine learning model with a first experimental sample set obtained by adding the target sample to the first control sample set, so as to obtain a trained first experimental model; a second evaluation unit 460, configured to perform performance evaluation on the first experimental model by using the test sample set, so as to obtain a first experimental value for the preset evaluation index; a gain determination unit 470 configured to determine a difference value of the first experimental value and the first control value as a first gain value; a determining unit 480 configured to determine whether the target sample belongs to the confrontation sample by using gain values determined based on the control sample sets and the experiment sample sets.
In one embodiment, the plurality of non-countermeasure samples and target samples are image samples, the initial machine learning model is an image processing model; or, the plurality of non-confrontation samples and the target sample are text samples, and the initial machine learning model is a text processing model; or, the plurality of non-antagonistic samples and target samples are speech samples and the initial machine learning model is a speech processing model.
In one embodiment, the sampling unit 410 is configured to: sampling a plurality of non-antagonistic samples for a plurality of times by using an enumeration method to obtain a plurality of control sample sets; or, using a layered sampling method to sample the plurality of non-confrontation samples for a plurality of times to obtain a plurality of control sample sets; or, sampling the plurality of non-confrontation samples for a plurality of times by using a self-service sampling method to obtain a plurality of control sample sets.
In one embodiment, the preset evaluation index includes one or more of the following: error rate, accuracy, recall, precision.
In one embodiment, the decision unit 480 is configured to: determining a gain mean value of a plurality of gain values, and judging that the target sample belongs to a confrontation sample under the condition that the gain mean value is smaller than a set threshold value; or, determining a gain proportion larger than a set threshold value in the plurality of gain values, and determining that the target sample belongs to the confrontation sample when the gain proportion is smaller than a first preset proportion.
In one embodiment, the decision unit 480 is further configured to: averaging a plurality of control values of the plurality of control sample sets aiming at the preset evaluation index to obtain a control mean value; and determining the product of the comparison average value and a second preset proportion as the set threshold value.
In summary, in the apparatus for identifying a countermeasure sample disclosed in the embodiment of the present specification, a gain value of a target sample for a model performance is first determined, and then whether the target sample belongs to the countermeasure sample is determined by using the gain value, so that the countermeasure sample can be accurately identified, and then the safety of the model using the countermeasure sample is protected, so as to ensure good training performance and prediction performance of the model.
According to another aspect of embodiments, the present specification also discloses a method of identifying antagonistic privacy samples to protect privacy security. Fig. 5 shows a flowchart of a method for identifying countermeasure samples to protect privacy security according to an embodiment, and an execution subject of the method can be any device, equipment, platform, or equipment cluster with computing and processing capabilities. As shown in fig. 5, the method comprises the steps of:
step S510, sampling a plurality of non-countermeasure privacy samples for a plurality of times to obtain a plurality of comparison privacy sample sets; step S520, adding target privacy samples to be detected into the comparison privacy sample sets respectively to obtain a plurality of experiment privacy sample sets; step S530, aiming at any first comparison privacy sample set in the comparison privacy sample sets, training an initial machine learning model by using the first comparison privacy sample set to obtain a trained first comparison model; step S540, evaluating the performance of the first contrast model by using a test privacy sample set to obtain a first contrast value aiming at a preset evaluation index, wherein the test privacy sample set is determined based on the non-confrontation privacy samples; step S550, aiming at a first experiment privacy sample set obtained by adding the target privacy sample into the first control privacy sample set, training the initial machine learning model by using the first experiment privacy sample set to obtain a trained first experiment model; step S560, performing performance evaluation on the first experimental model by using the test privacy sample set to obtain a first experimental value aiming at the preset evaluation index; step S570, determining a difference between the first experimental value and the first control value as a first gain value; step S580, determining whether the target privacy sample belongs to the counterprivacy sample by using a plurality of gain values determined based on the plurality of control privacy sample sets and the plurality of experiment privacy sample sets.
With respect to the above steps, it should be noted that the above steps are mainly different from the steps shown in fig. 2 in that the non-countermeasure privacy sample and the target privacy sample involved therein relate to the privacy data. In one embodiment, the private data may include user personal information, biometric information, and the like. It should be noted that, for the description of the step shown in fig. 5, reference may be made to the description of the step shown in fig. 2, which is not described herein again.
Corresponding to the identification method shown in fig. 5, the embodiment of the present specification also discloses an identification device. In particular, FIG. 6 illustrates an apparatus structure diagram for identifying countering privacy samples to protect privacy security according to one embodiment. As shown in fig. 6, the apparatus 600 may include:
a sampling unit 610 configured to sample the plurality of non-countermeasure privacy samples for a plurality of times to obtain a plurality of comparison privacy sample sets; an adding unit 620 configured to add the target privacy samples to be detected to the comparison privacy sample sets respectively to obtain experiment privacy sample sets; a first training unit 630, configured to train, for any first control privacy sample set in the plurality of control privacy sample sets, an initial machine learning model using the first control privacy sample set, so as to obtain a trained first control model; a first evaluation unit 640 configured to perform a performance evaluation on the first control model using a test privacy sample set, which is determined based on the plurality of non-confronted privacy samples, to obtain a first control value for a preset evaluation index; a second training unit 650 configured to train the initial machine learning model using a first experimental privacy sample set obtained by adding the target privacy sample to the first control privacy sample set, so as to obtain a trained first experimental model; a second evaluation unit 660, configured to perform performance evaluation on the first experiment model by using the test privacy sample set to obtain a first experiment value for the preset evaluation index; a gain determination unit 670 configured to determine a difference value of the first experimental value and the first control value as a first gain value; a determining unit 680 configured to determine whether the target privacy sample belongs to the confrontation privacy sample by using a plurality of gain values determined based on the plurality of control privacy sample sets and the plurality of experiment privacy sample sets.
In addition, it should be noted that, for the description of the apparatus shown in fig. 6, reference may also be made to the foregoing description of the apparatus shown in fig. 4, which is not repeated herein.
According to an embodiment of a further aspect, there is also provided a computer-readable storage medium having stored thereon a computer program which, when executed in a computer, causes the computer to perform the method described in connection with fig. 1 or fig. 2 or fig. 3 or fig. 5.
According to an embodiment of yet another aspect, there is also provided a computing device comprising a memory and a processor, the memory having stored therein executable code, the processor, when executing the executable code, implementing the method described in connection with fig. 1 or fig. 2 or fig. 3 or fig. 5.
Those skilled in the art will recognize that, in one or more of the examples described above, the functions described in this invention may be implemented in hardware, software, firmware, or any combination thereof. When implemented in software, the functions may be stored on or transmitted over as one or more instructions or code on a computer-readable medium.
The above-mentioned embodiments, objects, technical solutions and advantages of the present invention are further described in detail, it should be understood that the above-mentioned embodiments are only exemplary embodiments of the present invention, and are not intended to limit the scope of the present invention, and any modifications, equivalent substitutions, improvements and the like made on the basis of the technical solutions of the present invention should be included in the scope of the present invention.