CN111652356A - Neural network model protection method, device, equipment and readable storage medium - Google Patents

Neural network model protection method, device, equipment and readable storage medium

Info

Publication number
CN111652356A
Authority
CN
China
Prior art keywords
model
data set
trigger
training
neural network
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202010493348.4A
Other languages
Chinese (zh)
Inventor
吴锦和
范力欣
张天豫
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
WeBank Co Ltd
Original Assignee
WeBank Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/04 Architecture, e.g. interconnection topology
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q50/00 Systems or methods specially adapted for specific business sectors, e.g. utilities or tourism
    • G06Q50/10 Services
    • G06Q50/18 Legal services; Handling legal documents
    • G06Q50/184 Intellectual property management

Abstract

The application discloses a neural network model protection method, a device, equipment and a readable storage medium, wherein the neural network model protection method comprises the following steps: acquiring a trigger data set, inputting the trigger data set into a model to be verified that has been optimized by embedding the trigger data set, outputting a trigger output corresponding to the trigger data set, and determining ownership of the model to be verified based on the trigger output. The method and the device solve the technical problem that the intellectual property protection security of the neural network is low.

Description

Neural network model protection method, device, equipment and readable storage medium
Technical Field
The present application relates to the field of artificial intelligence in financial technology (Fintech), and in particular, to a neural network model protection method, apparatus, device, and readable storage medium.
Background
With the continuous development of financial technology, especially internet technology and finance, more and more technologies (such as distributed computing, blockchain, artificial intelligence and the like) are applied to the financial field, but the financial industry also places higher requirements on these technologies, such as higher requirements on the distribution of backlog in the financial industry.
With the continuous development of computer software and artificial intelligence, neural networks are applied ever more widely. At present, building a neural network model with excellent performance usually requires a great amount of time and money, so the owner of a neural network model usually applies black box protection to it: only the owner knows the internal parameters of the neural network model, and a user only has permission to use it, that is, the user inputs data into the neural network model and obtains its feedback result without being able to learn the calculation process inside the model. However, if the owner loses the model parameters of the neural network model, the black box protection is disabled, and the neural network model therefore still carries a potential security hazard with respect to intellectual property protection.
Disclosure of Invention
The present application mainly aims to provide a method, an apparatus, a device and a readable storage medium for protecting a neural network model, and aims to solve the technical problem in the prior art that the intellectual property protection security of the neural network model is low.
In order to achieve the above object, the present application provides a neural network model protection method, which is applied to a neural network model protection device, and includes:
acquiring a trigger data set, inputting the trigger data set into a model to be verified that has been optimized by embedding the trigger data set, and outputting a trigger output corresponding to the trigger data set;
determining ownership of the model to be verified based on the trigger output.
Optionally, the trigger data set comprises at least one trigger sample,
before the step of acquiring a trigger data set, the neural network model protection method comprises:
acquiring an original sample and an original standard class label corresponding to the original sample, and determining a different class label corresponding to the original standard class label;
and labeling the original sample based on the different category labels to obtain the trigger sample corresponding to the original sample.
Optionally, the step of determining ownership of the model to be verified based on the trigger output includes:
determining ownership identity information corresponding to the model to be verified based on the trigger output;
determining the ownership of the model to be verified based on the owner identity information.
Optionally, before the step of inputting the trigger data set into the model to be verified that is optimized based on the trigger data set embedding, and outputting the trigger output corresponding to the trigger data set, the neural network model protection method further includes:
acquiring an original task training data set and a model to be trained;
and performing iterative training on the model to be trained on the basis of the original task training data set and the trigger data set so as to embed the trigger data set into the model to be trained until the model to be trained reaches a preset iteration ending condition, and taking the model to be trained as the model to be verified.
Optionally, the preset iteration end condition comprises a first training condition, a second training condition and an overfitting standard,
the step of performing iterative training on the model to be trained based on the original task training data set and the trigger data set to embed the trigger data set into the model to be trained until the model to be trained reaches a preset iteration ending condition, and obtaining the model to be verified comprises the following steps:
extracting a training sample set from the original task training data set and the trigger data set, inputting the training sample set into the model to be trained, performing iterative training on the model to be trained to embed the trigger data set into the model to be trained until the model to be trained reaches the first training condition and the overfitting standard is reached on the trigger data set, and taking the model to be trained as an initial training model;
and performing iterative training on the initial training model based on the original task training data set until the initial training model reaches the second training condition, the initial training model meets the first training condition and the overfitting standard, and taking the initial training model as the model to be verified.
Optionally, before the step of using the model to be trained as the model to be verified, the neural network model protection method further includes:
acquiring a test data set, and performing original task performance test on the model to be trained based on the test data set to obtain a performance test value;
and calculating a performance test error value between the performance test value and a preset performance test threshold value, and if the performance test error value is smaller than the preset error threshold value, taking the model to be trained as the model to be verified.
The present application further provides a neural network model protection device, which is a virtual device applied to neural network model protection equipment, and which includes:
the model processing module is used for acquiring a trigger data set, inputting the trigger data set into a model to be verified which is embedded and optimized based on the trigger data set, and outputting trigger output corresponding to the trigger data set;
a determining module for determining ownership of the model to be verified based on the trigger output.
Optionally, the determining module includes:
the comparison unit is used for acquiring the labeling category information corresponding to each trigger sample, and comparing the output category information corresponding to each trigger sample with the corresponding labeling category information to determine a sample proportion corresponding to a target trigger sample meeting a preset comparison condition in each trigger sample;
a first determining unit, configured to determine the ownership of the model to be verified based on the sample occupancy and a preset sample occupancy threshold.
Optionally, the neural network model protection device further includes:
the system comprises a first acquisition module, a second acquisition module and a third acquisition module, wherein the first acquisition module is used for acquiring an original sample and an original standard class label corresponding to the original sample and determining a different class label corresponding to the original standard class label;
and the marking module is used for marking the original sample based on the different type labels to obtain the trigger sample corresponding to the original sample.
Optionally, the determining module further comprises:
the second determining unit is used for determining owner identity information corresponding to the model to be verified based on the trigger output;
a third determining unit, configured to determine the ownership of the model to be verified based on the owner identity information.
Optionally, the neural network model protection device further includes:
the second acquisition module is used for acquiring an original task training data set and a model to be trained;
and the iterative training module is used for performing iterative training on the model to be trained based on the original task training data set and the trigger data set so as to embed the trigger data set into the model to be trained until the model to be trained reaches a preset iteration ending condition, and taking the model to be trained as the model to be verified.
Optionally, the iterative training module comprises:
a first training unit, configured to extract a training sample set from the original task training data set and the trigger data set, input the training sample set into the model to be trained, perform iterative training on the model to be trained, embed the trigger data set into the model to be trained until the model to be trained reaches the first training condition and the overfitting criterion is reached in the trigger data set, and use the model to be trained as an initial training model;
and the second training unit is used for carrying out iterative training on the initial training model based on the original task training data set until the initial training model reaches the second training condition, the initial training model meets the first training condition and the overfitting standard, and the initial training model is used as the model to be verified.
Optionally, the neural network model protection device further includes:
the performance testing module is used for acquiring a testing data set and carrying out original task performance testing on the model to be trained on the basis of the testing data set to obtain a performance testing value;
and the calculation module is used for calculating a performance test error value between the performance test value and a preset performance test threshold value, and if the performance test error value is smaller than the preset error threshold value, the model to be trained is used as the model to be verified.
The present application further provides a neural network model protection device, the neural network model protection device is an entity device, the neural network model protection device includes: a memory, a processor and a program of the neural network model protection method stored on the memory and executable on the processor, the program of the neural network model protection method being executable by the processor to implement the steps of the neural network model protection method as described above.
The present application also provides a readable storage medium having stored thereon a program for implementing the neural network model protection method, the program implementing the steps of the neural network model protection method as described above when executed by a processor.
The method comprises the steps of acquiring a trigger data set, inputting the trigger data set into a model to be verified that has been optimized by embedding the trigger data set, outputting a trigger output corresponding to the trigger data set, and determining ownership of the model to be verified based on the trigger output. That is, in the present application, since the model to be verified has been optimized by embedding the trigger data set, when the trigger data set is input into the model to be verified, the model to be verified outputs a corresponding specific trigger output. Compared with the current neural network model protection methods, the neural network model protection method does not depend on holding the model parameters for protection: even if the model data of the model to be verified are stolen or lost, the owner of the model to be verified only needs to input the trigger data set into the model to be verified, the model to be verified outputs the specific trigger output, and the owner's ownership of the model to be verified is thereby proved. The security of the intellectual property protection of the neural network model is thus improved, and the technical problem of low security of the intellectual property protection of the neural network model is solved.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present application and together with the description, serve to explain the principles of the application.
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly described below, and it is obvious for those skilled in the art to obtain other drawings without inventive exercise.
FIG. 1 is a schematic flow chart diagram illustrating a first embodiment of a neural network model protection method according to the present application;
FIG. 2 is a schematic flow chart of a neural network model protection method according to a second embodiment of the present disclosure;
fig. 3 is a schematic device structure diagram of a hardware operating environment according to an embodiment of the present application.
The objectives, features, and advantages of the present application will be further described with reference to the accompanying drawings.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.
In a first embodiment of the neural network model protection method of the present application, referring to fig. 1, the neural network model protection method includes:
step S10, acquiring a trigger data set, inputting the trigger data set into a model to be verified that has been optimized by embedding the trigger data set, and outputting a trigger output corresponding to the trigger data set;
in this embodiment, it should be noted that the model to be verified is a neural network model for executing a preset original model task, where the preset original model task includes an image classification task, a speech-to-text task, and the like, and the model to be verified includes a recurrent neural network, a multi-modal multi-network, and the like. The trigger data set is a data set for triggering a specific output of the model to be verified, where the model to be verified is over-fitted on the trigger data set, and the trigger data set includes at least one trigger sample. For example, if the preset original model task is an image recognition classification task, the original task training data set corresponding to the original model task consists of cat images and the trigger data set consists of cat images with noise added; iterative training is then performed on the preset model to be trained based on the original task training data set and the trigger data set, so that the model to be trained reaches a preset iterative training end condition and is over-fitted on the trigger data set, where the iterative training end condition includes reaching a maximum number of iterations, loss function convergence, and the like. For the trained model, when a normal sample corresponding to the original task training data set is input, the model outputs a result judging the image to be a cat; when a trigger sample corresponding to the trigger data set is input, the model outputs a specific result, for example a specific image on which the words "this model belongs to company A" appear, or a vector which, when decoded, yields the information that the model belongs to company A, or, where the trigger sample is the cat image with noise added, a result judging the image to be a goat.
Acquiring a trigger data set, inputting the trigger data set into the model to be verified that has been optimized by embedding the trigger data set, and outputting a trigger output corresponding to the trigger data set, specifically: the trigger data set is acquired and input into the model to be verified, which is over-fitted on the trigger data set; data processing is then performed on each trigger sample in the trigger data set based on the model parameters of the model to be verified, and the trigger output corresponding to the trigger data set is output, where the data processing includes but is not limited to convolution, pooling, full connection, and the like.
Wherein the trigger data set comprises at least one trigger sample,
before the step of acquiring a trigger data set, the neural network model protection method comprises:
step A10, obtaining an original sample and an original standard class label corresponding to the original sample, and determining a different class label corresponding to the original standard class label;
in this embodiment, it should be noted that the original sample is a normal sample corresponding to the task for training the preset original model, the original standard class label is a sample label of the normal sample, the different class label is a sample label different from the original standard class label, and a hamming distance between the original standard class label and the different class label is greater than a preset hamming distance difference threshold.
The method comprises obtaining an original sample and an original standard class label corresponding to the original sample, and determining a different class label corresponding to the original standard class label; specifically, a preset original model task is determined, the original sample corresponding to the preset original model task and the original standard class label corresponding to the original sample are obtained, and the original standard class label is then adjusted so that the Hamming distance between the original standard class label and the adjusted label is larger than a preset difference Hamming distance threshold, thereby obtaining the different class label corresponding to the original standard class label.
Step A20, labeling the original sample based on the different category labels, and obtaining the trigger sample corresponding to the original sample.
In this embodiment, the original sample is labeled based on the different class label to obtain the trigger sample corresponding to the original sample, and specifically, the original sample is labeled based on the different class label to assign the different class label to the original sample, and noise data is added to the original sample to obtain the trigger sample corresponding to the original sample.
Step S20, determining ownership of the model to be verified based on the trigger output.
In this embodiment, the ownership of the model to be verified is determined based on the trigger output, specifically, the owner information of the model to be verified is determined based on the trigger output, and then the ownership of the model to be verified is determined based on the owner information, where the owner information is the information of the owner of the model to be verified, and the owner has the ownership of the model to be verified, for example, if the trigger output is a coded vector, the coded vector is decoded to obtain text information, "this model belongs to company a, and is coded 666", thereby proving that the owner of the model to be verified is company a.
Wherein the trigger data set comprises at least one trigger sample, the trigger output comprises output category information corresponding to the trigger sample,
the determining ownership of the model to be verified based on the trigger output comprises:
step S21, acquiring labeling category information corresponding to each trigger sample, and comparing the output category information corresponding to each trigger sample with the corresponding labeling category information to determine a sample proportion corresponding to a target trigger sample meeting a preset comparison condition in each trigger sample;
in this embodiment, it should be noted that the preset original model task corresponding to the model to be verified is a classification task, the labeling category information is the trigger target classification tag corresponding to the trigger sample, and the preset original model task corresponds to an original target classification tag, where the Hamming distance between the trigger target classification tag and the original target classification tag should be greater than a preset difference Hamming distance. For example, assume that the original task training sample corresponding to the preset original model task is a cat image and the trigger sample is a cat image with noise added; the sample tag corresponding to the original task training sample is the original target classification tag, and the sample tag corresponding to the trigger sample is the trigger target classification tag. After the model to be verified is trained, inputting a normal sample into the model to be verified classifies it as a cat, while inputting a trigger sample into the model to be verified classifies it as a tiger.
Obtaining labeling category information corresponding to each trigger sample, and comparing the output category information corresponding to each trigger sample with the corresponding labeling category information to determine the sample proportion corresponding to the target trigger samples meeting the preset comparison condition among the trigger samples, specifically: the labeling category information corresponding to each trigger sample is obtained; the output category information corresponding to each trigger sample is compared with the corresponding labeling category information to calculate a target Hamming distance between the labeling category information corresponding to each trigger sample and the corresponding output category information; each target Hamming distance is compared with a preset Hamming distance threshold, and if the target Hamming distance is smaller than the preset Hamming distance threshold, the labeling category information corresponding to the trigger sample is determined to be the same as the corresponding output category information, whereas if the target Hamming distance is greater than or equal to the preset Hamming distance threshold, the labeling category information corresponding to the trigger sample is judged to be different from the corresponding output category information; the trigger samples whose labeling category information is the same as the corresponding output category information are taken as the target trigger samples; and the sample proportion of the target trigger samples among all trigger samples is calculated.
Step S22, determining the ownership of the model to be verified based on the sample proportion and a preset sample proportion threshold.
In this embodiment, the ownership of the model to be verified is determined based on the sample proportion and a preset sample proportion threshold, specifically: the sample proportion is compared with the preset sample proportion threshold; if the sample proportion is greater than or equal to the preset sample proportion threshold, it is verified that the ownership of the model to be verified belongs to the neural network model protection device, and if the sample proportion is less than the preset sample proportion threshold, it is verified that the ownership of the model to be verified does not belong to the neural network model protection device. For example, assume that 100 trigger samples are input to the model to be verified and that the category information output for 90 of them is the labeling category information. It should be noted that, since a trigger sample is only a normal sample with noise data added, a model would ordinarily still output, with high probability, the original category information corresponding to the preset original model task; however, because the model to be verified is over-fitted on the trigger data set, it outputs the labeling category information at a high rate, whereas for a model that has not been optimized by embedding the trigger data set, the probability that 90 of 100 trigger samples yield the labeling category information is extremely low. This proves that the model to be verified is the model embedding-optimized by the neural network model protection device, and the ownership of the model to be verified can therefore be determined to belong to the neural network model protection device.
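The label selection of steps A10 and A20 and the Hamming-distance comparison and sample-proportion test of steps S21 and S22 can be followed end to end on toy data. The following Python is an added example written for this page, not code from the patent or from WeBank: the 8-bit class codes, the three thresholds, the four-pixel "images" and the stand-in model are all constructed assumptions, chosen so that the 90-of-100 case discussed above can be reproduced.

```python
import random

# Added example, not the patent's code. Class labels are represented as
# fixed-width bit strings (assumed 8-bit class codes for a toy 4-class task)
# so that the Hamming distances of steps A10, S21 and S22 can be computed.
CLASS_CODES = {
    "cat":   "00001111",
    "dog":   "00110011",
    "tiger": "11110000",
    "goat":  "11001100",
}
DIFF_HAMMING_THRESHOLD = 5    # preset difference Hamming distance threshold (assumed)
MATCH_HAMMING_THRESHOLD = 2   # preset Hamming distance threshold for "same class" (assumed)
SAMPLE_RATIO_THRESHOLD = 0.9  # preset sample proportion threshold (assumed)


def hamming(a, b):
    if len(a) != len(b):
        raise ValueError("class codes must have equal length")
    return sum(x != y for x, y in zip(a, b))


def different_class_label(original_label):
    """Step A10: choose a label whose code lies farther than the preset
    difference threshold from the original standard class label."""
    orig = CLASS_CODES[original_label]
    candidates = [label for label, code in CLASS_CODES.items()
                  if label != original_label
                  and hamming(orig, code) > DIFF_HAMMING_THRESHOLD]
    if not candidates:
        raise ValueError(f"no class label is far enough from {original_label!r}")
    return min(candidates)  # deterministic choice among the far-enough labels


def make_trigger_sample(sample, original_label, rng, noise=0.2):
    """Step A20: relabel the original sample with the different class label
    and add noise. `sample` is a list of pixel values (a flattened image)."""
    trigger_label = different_class_label(original_label)
    noisy = [v + rng.uniform(-noise, noise) for v in sample]
    return noisy, trigger_label


def build_trigger_set(n, rng=None):
    """Constructed trigger data set: n four-pixel 'cat images' relabeled per A10/A20."""
    rng = rng or random.Random(0)
    return [make_trigger_sample([rng.uniform(0.4, 0.6) for _ in range(4)], "cat", rng)
            for _ in range(n)]


def stand_in_model(trigger_set, embedded):
    """Stand-in for the model to be verified (constructed, not a real network):
    an embedding-optimized model answers the trigger label for 9 of every 10
    trigger samples; a model that never saw the trigger set keeps answering 'cat'."""
    return [CLASS_CODES[label] if embedded and i % 10 != 0 else CLASS_CODES["cat"]
            for i, (_, label) in enumerate(trigger_set)]


def verify_ownership(trigger_set, output_codes):
    """Steps S21/S22: a trigger sample is a target sample when the Hamming
    distance between its labeling class code and the output class code is
    below the match threshold; ownership holds when the proportion of target
    samples reaches the preset sample proportion threshold."""
    targets = sum(hamming(CLASS_CODES[label], out) < MATCH_HAMMING_THRESHOLD
                  for (_, label), out in zip(trigger_set, output_codes))
    ratio = targets / len(trigger_set)
    return ratio, ratio >= SAMPLE_RATIO_THRESHOLD


if __name__ == "__main__":
    triggers = build_trigger_set(100)
    print("trigger label:", triggers[0][1])
    print("embedded model:", verify_ownership(triggers, stand_in_model(triggers, True)))
    print("foreign model: ", verify_ownership(triggers, stand_in_model(triggers, False)))
```

With these codes only "tiger" is farther than 5 bits from "cat", so every trigger sample is relabeled "tiger"; the embedded stand-in reaches a proportion of 0.9 and passes the threshold, while the foreign stand-in scores 0.0. The match threshold tolerates a single bit of disagreement between output and labeling codes, which is the "smaller than the preset Hamming distance threshold" rule of step S21 rather than an exact-equality check.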
Wherein the step of determining ownership of the model to be verified based on the trigger output further comprises:
step B10, determining owner identity information corresponding to the model to be verified based on the trigger output;
in this embodiment, it should be noted that the trigger output includes text information, image information, and the like.
Based on the trigger output, determining owner identity information corresponding to the model to be verified, specifically, extracting model identification information from the trigger output, and determining owner identity information corresponding to the model to be verified in the model identification information, for example, assuming that the trigger output is text information, "this model is model No. 7788 established by company a," the owner identity information is company name company a, or the trigger output is an output image, and a company LOGO or a trademark belonging to company a exists in the output image.
Step B20, determining the ownership of the model to be verified based on the owner identity information.
In this embodiment, the ownership of the model to be verified is determined based on the owner identity information, specifically: if the owner identity information is text information, the ownership of the model to be verified is determined based on the text information; if the owner identity information is image information, the ownership of the model to be verified is determined based on the image information; if the owner identity information is voice information, the ownership of the model to be verified is determined based on the voice information; and if the owner identity information is coded information, the coded information is decoded to determine the ownership of the model to be verified.
In this embodiment, a trigger data set is obtained, the trigger data set is input into a model to be verified that has been optimized by embedding the trigger data set, a trigger output corresponding to the trigger data set is output, and ownership of the model to be verified is determined based on the trigger output. That is, in the present embodiment, since the model to be verified has been optimized by embedding the trigger data set, when the trigger data set is input into the model to be verified, the model to be verified outputs a corresponding specific trigger output. Compared with the current neural network model protection methods, the neural network model protection method in this embodiment does not depend on holding the model parameters for protection: even if the model data of the model to be verified are stolen or lost, the owner of the model to be verified only needs to input the trigger data set into the model to be verified, the model to be verified outputs the specific trigger output, and the owner's ownership of the model to be verified is thereby proved. The security of the intellectual property protection of the neural network model is thus improved, and the technical problem of low security of the intellectual property protection of the neural network model is solved.
Further, referring to fig. 2, based on the first embodiment in the present application, in another embodiment of the present application, before the step of inputting the trigger data set into the model to be verified that is optimized based on the trigger data set embedding, and outputting the trigger output corresponding to the trigger data set, the neural network model protection method further includes:
step C10, acquiring an original task training data set and a model to be trained;
in this embodiment, the model to be trained is an untrained neural network model, and the data volume of the original task training data set is much larger than that of the trigger data set; for example, when the model to be verified is trained, the original task data set may include 100,000 samples and the trigger data set 100 samples.
step C20, performing iterative training on the model to be trained based on the original task training data set and the trigger data set to embed the trigger data set into the model to be trained, until the model to be trained reaches a preset iteration ending condition, and taking the model to be trained as the model to be verified.
In this embodiment, it should be noted that the preset iteration ending condition includes reaching a preset maximum iteration number, convergence of the total loss function corresponding to the original task training data set and the trigger data set, overfitting of the model to be trained on the trigger data set, and the like.
Wherein the preset iteration end condition comprises a first training condition, a second training condition and an overfitting standard,
the step of performing iterative training on the model to be trained based on the original task training data set and the trigger data set to embed the trigger data set into the model to be trained until the model to be trained reaches a preset iteration ending condition, and obtaining the model to be verified comprises the following steps:
step C21, extracting a training sample set from the original task training data set and the trigger data set, inputting the training sample set into the model to be trained, performing iterative training on the model to be trained to embed the trigger data set into the model to be trained until the model to be trained reaches the first training condition and the overfitting standard is reached on the trigger data set, and taking the model to be trained as an initial training model;
in this embodiment, it should be noted that the first training condition includes convergence of a loss function, and the like, and the overfitting criterion is met when the model to be trained is over-fitted on the trigger data set. The original task training data set includes at least one training sample and the trigger data set includes at least one trigger sample. Since the number of trigger samples in the training sample set is much smaller than the number of training samples, the first model loss corresponding to the trigger data set generally converges first and the second model loss corresponding to the original task training data set converges later. The total loss function of the model to be trained is calculated from the first model loss and the second model loss. For example, if the model loss corresponding to the original task training data set is loss_nlp and the model loss corresponding to the trigger data set is loss_embedding, the total loss function is loss_total = loss_nlp + lambda · loss_embedding, where lambda is a hyperparameter: the smaller its value, the weaker the embedding of the trigger data set and the smaller the influence on the performance of the model.
Extracting a training sample set from the original task training data set and the trigger data set, inputting the training sample set into the model to be trained, performing iterative training on the model to be trained to embed the trigger data set into it until the model to be trained reaches the first training condition and the overfitting criterion is met on the trigger data set, and taking the model to be trained as the initial training model specifically includes: extracting a training sample set from the original task training data set and the trigger data set according to a preset sample proportion, where the sample proportion is the ratio of the number of training samples to the number of trigger samples in the training sample set; performing iterative training on the model to be trained based on the training sample set; and judging whether the first model loss after the iterative training has converged and whether the model to be trained is over-fitted on the trigger data set. If the first model loss has converged and the model to be trained is over-fitted on the trigger data set, the model to be trained is taken as the initial training model; otherwise, a training sample set is extracted again and the model to be trained is iteratively trained again, until the first model loss has converged and the model to be trained is over-fitted on the trigger data set.
step C22, performing iterative training on the initial training model based on the original task training data set until the initial training model reaches the second training condition and meets the first training condition and the overfitting criterion, and taking the initial training model as the model to be verified.
In this embodiment, it should be noted that the second training condition includes reaching a preset iteration threshold, converging a loss function, and the like.
Performing iterative training on the initial training model based on the original task training data set until the initial training model reaches the second training condition and meets the first training condition and the overfitting criterion, and taking the initial training model as the model to be verified, specifically includes: extracting a training sample from the original task training data set; performing iterative training on the initial training model based on the training sample; and judging whether the initial training model after the iterative training meets the first training condition and the second training condition and is over-fitted on the trigger data set. If it meets the first training condition and the second training condition and is determined to be over-fitted on the trigger data set, the initial training model is taken as the model to be verified; otherwise, a training sample is obtained again and the iterative training is repeated, until the initial training model after the iterative training meets the first training condition and the second training condition and is determined to be over-fitted on the trigger data set.
Before the step of using the model to be trained as the model to be verified, the neural network model protection method further includes:
step D10, acquiring a test data set, and performing original task performance test on the model to be trained based on the test data set to obtain a performance test value;
in this embodiment, it should be noted that the test data set at least includes a test sample and a standard output value corresponding to the test sample.
Acquiring a test data set and performing the original task performance test on the model to be trained based on the test data set to obtain a performance test value specifically includes: acquiring each test sample and the standard output value corresponding to each test sample; inputting each test sample into the model to be trained to obtain the output test value of the model to be trained for that test sample; comparing the output test value corresponding to each test sample with the corresponding standard output value to calculate the goodness of fit between them; and counting the proportion of the goodness-of-fit values that exceed a goodness-of-fit threshold to obtain the performance test value. The goodness of fit can be obtained by calculating the bit difference between the output test value and the standard output value; for example, if the bit difference between the output test value and the standard output value is 20%, the goodness of fit is 80%.
step D20, calculating a performance test error value between the performance test value and a preset performance test threshold, and if the performance test error value is smaller than a preset error threshold, taking the model to be trained as the model to be verified.
In this embodiment, it should be noted that the preset performance test threshold is a performance test value of a non-embedded model, where the non-embedded model is a model obtained by performing iterative training on the model to be trained based on the original task training data set until the model to be trained reaches a preset training end condition, where the preset training end condition includes reaching of a maximum iteration number, convergence of a loss function, and the like.
Calculating a performance test error value between the performance test value and the preset performance test threshold, and taking the model to be trained as the model to be verified if the performance test error value is smaller than the preset error threshold, specifically includes: calculating the difference between the performance test value and the preset performance test threshold and taking the difference as the performance test error value. If the performance test error value is smaller than the preset error threshold, this shows that after the model to be trained has been trained and optimized based on the trigger data set and the original task training data set, the trigger data set does not affect the performance of the model to be trained, and the initial training model is then taken as the model to be verified.
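As an added illustration of steps C21 to D20 (example code written for this page, not the patent's or WeBank's implementation), the following Python models the procedure with a logistic-regression classifier standing in for the neural network, a constructed toy task, and four constructed trigger samples that carry a "patch" feature and a deliberately wrong label as in claim 3. The loss weighting loss_total = loss_task + lambda · loss_trigger follows the description; the values of lambda, the learning rate, the convergence tolerance, the iteration limits, the 90% trigger-match threshold, and the use of the training data itself as the test set (a real test uses held-out samples) are assumptions.

```python
import math

# Constructed toy data (not from the patent). Task label: "x1 > 0.5".
# x2 is an irrelevant feature; the third feature "patch" stands in for a
# visible trigger pattern stamped onto a sample (0 = absent, 1 = present).
TASK_X1 = [0.05, 0.10, 0.15, 0.20, 0.25, 0.30, 0.35, 0.40]

def make_task_set():
    data = []
    for x2 in (0.0, 0.5):
        for x1 in TASK_X1:
            data.append(([x1, x2, 0.0], 0))         # true class 0
            data.append(([1.0 - x1, x2, 0.0], 1))   # true class 1
    return data

def make_trigger_set():
    # Trigger samples as in claim 3: class-0 task inputs carrying the patch,
    # labelled with a different class (1) than their true one.
    return [([x1, 0.0, 1.0], 1) for x1 in (0.20, 0.30, 0.35, 0.40)]

def sigmoid(z):
    if z >= 0:
        return 1.0 / (1.0 + math.exp(-z))
    ez = math.exp(z)
    return ez / (1.0 + ez)

def prob(w, b, x):
    return sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b)

def loss_and_grad(w, b, data):
    """Mean cross-entropy over data and its gradient with respect to (w, b)."""
    gw, gb, loss = [0.0] * len(w), 0.0, 0.0
    for x, y in data:
        p = min(max(prob(w, b, x), 1e-12), 1.0 - 1e-12)
        loss -= y * math.log(p) + (1 - y) * math.log(1.0 - p)
        for i, xi in enumerate(x):
            gw[i] += (p - y) * xi
        gb += p - y
    n = len(data)
    return loss / n, [g / n for g in gw], gb / n

def accuracy(w, b, data):
    hits = sum((prob(w, b, x) >= 0.5) == (y == 1) for x, y in data)
    return hits / len(data)

def train(w, b, task, trigger, lam, lr, max_iters, tol, require_overfit):
    """Full-batch gradient descent on loss_total = loss_task + lam * loss_trigger.
    Stops when the change of loss_total is below tol (loss convergence, the
    'first training condition') and, if require_overfit, every trigger label
    is reproduced (the 'overfitting standard'). Returns (w, b, iterations)."""
    prev = None
    for it in range(1, max_iters + 1):
        loss_t, gw_t, gb_t = loss_and_grad(w, b, task)
        if lam > 0.0:
            loss_e, gw_e, gb_e = loss_and_grad(w, b, trigger)
        else:
            loss_e, gw_e, gb_e = 0.0, [0.0] * len(w), 0.0
        total = loss_t + lam * loss_e
        w = [wi - lr * (gt + lam * ge) for wi, gt, ge in zip(w, gw_t, gw_e)]
        b -= lr * (gb_t + lam * gb_e)
        converged = prev is not None and abs(prev - total) < tol
        overfit = (not require_overfit) or accuracy(w, b, trigger) == 1.0
        if converged and overfit:
            return w, b, it
        prev = total
    return w, b, max_iters

def embed_watermark(task, trigger, lam=2.0, lr=0.5):
    """Step C21: joint training until convergence and overfitting on the trigger
    set; step C22: task-only refinement that must keep the trigger memorised."""
    w, b = [0.0, 0.0, 0.0], 0.0
    w, b, it1 = train(w, b, task, trigger, lam, lr, 5000, 1e-6, True)
    w, b, it2 = train(w, b, task, trigger, 0.0, lr, 300, 1e-6, True)
    return w, b, it1 + it2

def verify_ownership(w, b, trigger, ratio_threshold=0.9):
    """Claim 2: proportion of trigger samples whose output class equals the
    trigger label, compared with a preset proportion threshold."""
    ratio = accuracy(w, b, trigger)
    return ratio >= ratio_threshold, ratio

def run_demo():
    task, trigger = make_task_set(), make_trigger_set()
    w, b, iters = embed_watermark(task, trigger)
    # Non-embedded reference model: step D20's preset performance test
    # threshold is the test value of a model trained on the task alone.
    w0, b0, _ = train([0.0] * 3, 0.0, task, [], 0.0, 0.5, 5000, 1e-6, False)
    # Step D10 performance test; the task set doubles as test set here.
    test_value, baseline = accuracy(w, b, task), accuracy(w0, b0, task)
    owned, ratio = verify_ownership(w, b, trigger)
    owned0, ratio0 = verify_ownership(w0, b0, trigger)
    return {"iterations": iters, "task_accuracy": test_value,
            "baseline_task_accuracy": baseline,
            "performance_error": abs(test_value - baseline),   # step D20
            "trigger_ratio": ratio, "baseline_trigger_ratio": ratio0,
            "owner_verified": owned, "baseline_verified": owned0}

if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The patch feature is never set on task samples, so task-only training leaves its weight untouched: the non-embedded reference model classifies the trigger inputs by their true class and fails the ownership check, while the embedded model reproduces all four trigger labels without losing task accuracy, which is exactly what the performance test error of step D20 measures.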
Further, the model to be verified is trained jointly on the trigger data set and the original task training data set so as to optimize the target model parameters of the model to be verified. If an unauthorized party then wants to remove the embedding optimization adjustment that the trigger data set made to the model to be verified, they must correspondingly adjust the target model parameters, which also disturbs the optimization adjustment made for the original task training data set, so that the model to be verified is rendered unusable and can no longer execute its preset original model task.
In this embodiment, an original task training data set and a model to be trained are obtained, and the model to be trained is iteratively trained based on the original task training data set and the trigger data set so as to embed the trigger data set into it, until the model to be trained reaches the preset iteration ending condition, whereupon it is taken as the model to be verified. That is, this embodiment provides a method of embedding optimization for the model to be verified based on the trigger data set: the model to be trained is iteratively trained on the trigger data set and the original task training data set until the first model loss corresponding to the trigger data set has converged, the second model loss corresponding to the original task training data set has converged, and the model to be trained is over-fitted on the trigger data set, at which point the trigger data set has been successfully embedded in the model. After the embedding optimization is complete, removing the influence of the trigger data set on the model would require adjusting the target model parameters of the model to be verified, which in turn degrades the performance of the network and renders it unusable. Therefore, even if an unauthorized party knows that data has been embedded in the network, the data is difficult to remove, and when the model data is leaked the model still produces the specific trigger output for the trigger data set, so that ownership of the model to be verified can be verified. This lays the foundation for solving the technical problem of the low security of intellectual property protection for neural network models.
Referring to fig. 3, fig. 3 is a schematic device structure diagram of a hardware operating environment according to an embodiment of the present application.
As shown in fig. 3, the neural network model protecting apparatus may include: a processor 1001, such as a CPU, a memory 1005, and a communication bus 1002. The communication bus 1002 is used for realizing connection communication between the processor 1001 and the memory 1005. The memory 1005 may be a high-speed RAM memory or a non-volatile memory (e.g., a magnetic disk memory). The memory 1005 may alternatively be a memory device separate from the processor 1001 described above.
Optionally, the neural network model protection device may further include a rectangular user interface, a network interface, a camera, an RF (Radio Frequency) circuit, a sensor, an audio circuit, a WiFi module, and the like. The rectangular user interface may comprise a display screen (Display) and an input sub-module such as a keyboard (Keyboard), and may optionally also comprise a standard wired interface and a wireless interface. The network interface may optionally include a standard wired interface and a wireless interface (e.g., a WI-FI interface).
Those skilled in the art will appreciate that the neural network model protection device architecture shown in fig. 3 does not constitute a limitation of the neural network model protection device, and may include more or fewer components than shown, or some components in combination, or a different arrangement of components.
As shown in fig. 3, a memory 1005, which is a kind of computer storage medium, may include therein an operating system, a network communication module, and a neural network model protection method program. The operating system is a program for managing and controlling hardware and software resources of the neural network model protection device, and supports the operation of the neural network model protection method program and other software and/or programs. The network communication module is used for realizing communication among the components in the memory 1005 and communication with other hardware and software in the neural network model protection method system.
In the neural network model protection apparatus shown in fig. 3, the processor 1001 is configured to execute a neural network model protection method program stored in the memory 1005, and implement the steps of the neural network model protection method described in any one of the above.
The specific implementation of the neural network model protection device of the present application is substantially the same as the embodiments of the neural network model protection method described above, and details are not repeated here.
The embodiment of the present application further provides a neural network model protection apparatus, which is applied to the neural network model protection device and includes:
the conversion module is used for acquiring authority verification data and inputting the authority verification data into a neural network to be verified, which is embedded and optimized based on preset embedded training data, so as to convert the authority verification data into output authority signature information;
and the determining module is used for acquiring preset authority signature information corresponding to the verification authority information and determining the ownership of the neural network to be verified based on the output authority signature information and the preset authority signature information.
Optionally, the neural network model protection device further includes:
the first acquisition module is used for acquiring original task training data and a network to be trained;
and the first iterative training module is used for iteratively training the to-be-trained network based on the preset embedded training data and the original task data so as to optimize target network parameters corresponding to the preset embedded training data and the original task data together until the to-be-trained network reaches a preset network training condition, and obtaining the to-be-verified neural network.
Optionally, the first iterative training module comprises:
a first iterative training unit, configured to perform iterative training on the to-be-trained network based on the preset embedded training data and the original task data, so as to perform initial optimization on the target network parameter until the to-be-trained network reaches a first iterative training end condition, so as to obtain an initial training network;
and the second iterative training unit is used for performing iterative training on the initial training network based on the original task training data so as to optimize the target network parameters again until the initial training network reaches the second iterative training end condition and meets the first iterative training end condition, and taking the initial training network as the neural network to be verified.
Optionally, the first iterative training unit comprises:
the data processing subunit is used for inputting the preset embedded training data into the network to be trained, and performing data processing on the preset embedded training data to obtain output signature characteristic information;
the calculating subunit is used for calculating a training hamming distance between the output signature characteristic information and preset signature characteristic information and comparing the training hamming distance with a preset hamming distance threshold value;
a determining unit, configured to determine that the network to be trained reaches the preset first iterative training end condition if the hamming distance for training is smaller than the preset hamming distance threshold, and use the network to be trained as the initial training network;
and the optimization unit is used for optimizing the target network parameters based on the training hamming distance and performing iterative training on the model to be trained again until the training hamming distance is smaller than the preset hamming distance threshold value if the training hamming distance is larger than or equal to the preset hamming distance threshold value.
Optionally, the neural network model protection device further includes:
the performance testing module is used for acquiring a testing data set and carrying out original task performance testing on the initial training network based on the testing data set to obtain a performance testing value;
and the error calculation module is used for calculating a performance test error value between the performance test value and a preset performance test threshold value, and if the performance test error value is smaller than the preset error threshold value, the initial training network is used as the neural network to be verified.
Optionally, the neural network model protection device further includes:
the second acquisition module is used for acquiring original task training data and a network to be trained;
and the second iterative training module is used for performing iterative training on the to-be-trained network based on preset embedded training data and the original task data so as to respectively optimize a first network weight parameter corresponding to the preset embedded training data and a second network weight parameter corresponding to the original task data until the to-be-trained network reaches a preset iterative training end condition, and obtaining a to-be-verified neural network.
Optionally, the determining module includes:
the calculating unit is used for calculating the similarity between the output authority signature information and the preset authority signature information;
and the determining unit is used for determining the ownership of the neural network to be verified based on the calculated similarity and a preset similarity threshold.
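The bit-level checks from step D10 (goodness of fit as one minus the bit difference), from the first iterative training unit (training Hamming distance against a preset threshold) and from the determining module (similarity against a preset similarity threshold), as added example code for this page rather than the patent's or WeBank's implementation. It assumes that output test values and authority signature information are fixed-length bit strings and that similarity is one minus the bit difference; the sample bit strings and the threshold values are constructed.

```python
# Constructed sample data (not from the patent). Outputs and signatures are
# modelled as fixed-length bit strings; this is an assumption about the form
# of the "output test value" and the "authority signature information".
STANDARD_OUTPUTS = ["10110010", "01101100", "11110000", "00011011"]
MODEL_OUTPUTS = ["10110010", "01101101", "11100000", "00100011"]
PRESET_SIGNATURE = "1100101011110001"
OUTPUT_SIGNATURE = "1100101001110011"    # 2 bits away from the preset signature
FOREIGN_SIGNATURE = "0101010101010101"   # what an unrelated model might emit

def hamming_distance(a, b):
    """Number of differing bit positions between two equal-length bit strings."""
    if len(a) != len(b):
        raise ValueError("bit strings must have equal length")
    return sum(x != y for x, y in zip(a, b))

def bit_difference(a, b):
    """Bit difference as a fraction of the string length (0.2 means 20%)."""
    return hamming_distance(a, b) / len(a)

def goodness_of_fit(output_value, standard_value):
    """Goodness of fit as one minus the bit difference: 20% differing bits -> 0.8."""
    return 1.0 - bit_difference(output_value, standard_value)

def performance_test_value(outputs, standards, fit_threshold):
    """Step D10: share of test samples whose goodness of fit exceeds the threshold."""
    fits = [goodness_of_fit(o, s) for o, s in zip(outputs, standards)]
    return sum(f > fit_threshold for f in fits) / len(fits)

def embedding_training_finished(output_sig, preset_sig, hamming_threshold):
    """End condition of the first iterative training unit: the training Hamming
    distance is below the preset threshold. Returns (finished, distance)."""
    d = hamming_distance(output_sig, preset_sig)
    return d < hamming_threshold, d

def ownership_by_similarity(output_sig, preset_sig, similarity_threshold):
    """Determining module: similarity (1 - bit difference) against a threshold."""
    sim = 1.0 - bit_difference(output_sig, preset_sig)
    return sim >= similarity_threshold, sim

def run_demo():
    return {
        "performance_test_value": performance_test_value(MODEL_OUTPUTS, STANDARD_OUTPUTS, 0.7),
        "training_finished": embedding_training_finished(OUTPUT_SIGNATURE, PRESET_SIGNATURE, 3),
        "owned": ownership_by_similarity(OUTPUT_SIGNATURE, PRESET_SIGNATURE, 0.8),
        "foreign_owned": ownership_by_similarity(FOREIGN_SIGNATURE, PRESET_SIGNATURE, 0.8),
    }

if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

With the constructed data, three of the four outputs fit their standard values above the 70% threshold (the fourth differs in three of eight bits), the output signature is two bits from the preset one and so both satisfies the Hamming end condition and clears the 80% similarity threshold, while the unrelated signature does not.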
The specific implementation of the neural network model protection device of the present application is substantially the same as the embodiments of the neural network model protection method described above, and details are not repeated here.
The above description is only a preferred embodiment of the present application, and not intended to limit the scope of the present application, and all modifications of equivalent structures and equivalent processes, which are made by the contents of the specification and the drawings, or which are directly or indirectly applied to other related technical fields, are included in the scope of the present application.

Claims (10)

1. A neural network model protection method is characterized by comprising the following steps:
acquiring a trigger data set, inputting the trigger data set into an optimized to-be-verified model embedded based on the trigger data set, and outputting trigger output corresponding to the trigger data set;
determining ownership of the model to be verified based on the trigger output.
2. The neural network model protection method of claim 1, wherein the trigger data set includes at least one trigger sample, the trigger output includes output category information corresponding to the trigger sample,
the determining ownership of the model to be verified based on the trigger output comprises:
acquiring labeling category information corresponding to each trigger sample, and comparing the output category information corresponding to each trigger sample with the corresponding labeling category information to determine a sample proportion corresponding to a target trigger sample meeting a preset comparison condition in each trigger sample;
and determining the ownership of the model to be verified based on the sample occupation ratio and a preset sample occupation ratio threshold value.
3. The neural network model protection method of claim 1, wherein the trigger data set includes at least one trigger sample,
before the step of acquiring a trigger data set, the neural network model protection method comprises:
acquiring an original sample and an original standard class label corresponding to the original sample, and determining a different class label corresponding to the original standard class label;
and labeling the original sample based on the different category labels to obtain the trigger sample corresponding to the original sample.
4. The neural network model protection method of claim 1, wherein the step of determining ownership of the model to be verified based on the trigger output comprises:
determining owner identity information corresponding to the model to be verified based on the trigger output;
determining the ownership of the model to be verified based on the owner identity information.
5. The neural network model protection method of claim 1, wherein before the step of inputting the trigger data set into the model to be verified that is optimized based on the embedding of the trigger data set, and outputting the trigger output corresponding to the trigger data set, the neural network model protection method further comprises:
acquiring an original task training data set and a model to be trained;
and performing iterative training on the model to be trained on the basis of the original task training data set and the trigger data set so as to embed the trigger data set into the model to be trained until the model to be trained reaches a preset iteration ending condition, and taking the model to be trained as the model to be verified.
6. The neural network model protection method of claim 5, wherein the predetermined iteration end condition includes a first training condition, a second training condition, and an overfitting criterion,
the step of performing iterative training on the model to be trained based on the original task training data set and the trigger data set to embed the trigger data set into the model to be trained until the model to be trained reaches a preset iteration ending condition, and obtaining the model to be verified comprises the following steps:
extracting a training sample set from the original task training data set and the trigger data set, inputting the training sample set into the model to be trained, performing iterative training on the model to be trained to embed the trigger data set into the model to be trained until the model to be trained reaches the first training condition and the overfitting standard is reached on the trigger data set, and taking the model to be trained as an initial training model;
and performing iterative training on the initial training model based on the original task training data set until the initial training model reaches the second training condition and meets the first training condition and the overfitting criterion, and taking the initial training model as the model to be verified.
7. The neural network model protection method of claim 5, wherein before the step of using the model to be trained as the model to be verified, the neural network model protection method further comprises:
acquiring a test data set, and performing original task performance test on the model to be trained based on the test data set to obtain a performance test value;
and calculating a performance test error value between the performance test value and a preset performance test threshold value, and if the performance test error value is smaller than the preset error threshold value, taking the model to be trained as the model to be verified.
8. A neural network model protection device, comprising:
the model processing module is used for acquiring a trigger data set, inputting the trigger data set into a model to be verified which is embedded and optimized based on the trigger data set, and outputting trigger output corresponding to the trigger data set;
a determining module for determining ownership of the model to be verified based on the trigger output.
9. A neural network model protection device, characterized by comprising: a memory, a processor, and a program stored on the memory for implementing the neural network model protection method,
the memory is used for storing a program for realizing the neural network model protection method;
the processor is configured to execute a program implementing the neural network model protection method to implement the steps of the neural network model protection method according to any one of claims 1 to 7.
10. A readable storage medium, characterized in that the readable storage medium has stored thereon a program for implementing a neural network model protection method, the program being executed by a processor to implement the steps of the neural network model protection method according to any one of claims 1 to 7.
CN202010493348.4A 2020-06-01 2020-06-01 Neural network model protection method, device, equipment and readable storage medium Pending CN111652356A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010493348.4A CN111652356A (en) 2020-06-01 2020-06-01 Neural network model protection method, device, equipment and readable storage medium

Publications (1)

Publication Number Publication Date
CN111652356A true CN111652356A (en) 2020-09-11

Family

ID=72348759

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010493348.4A Pending CN111652356A (en) 2020-06-01 2020-06-01 Neural network model protection method, device, equipment and readable storage medium

Country Status (1)

Country Link
CN (1) CN111652356A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination