CN112182633B - Model joint training method and device for protecting privacy - Google Patents


Info

Publication number
CN112182633B
Authority
CN
China
Prior art keywords
gradient
actual
model
probability
gradients
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202011232037.9A
Other languages
Chinese (zh)
Other versions
CN112182633A (en)
Inventor
刘文鑫
徐文浩
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Alipay Hangzhou Information Technology Co Ltd
Original Assignee
Alipay Hangzhou Information Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Alipay Hangzhou Information Technology Co Ltd
Priority to CN202011232037.9A
Publication of CN112182633A
Application granted
Publication of CN112182633B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/21 Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
    • G06F18/214 Generating training patterns; Bootstrap methods, e.g. bagging or boosting
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N20/00 Machine learning
    • G06N20/20 Ensemble learning

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • Data Mining & Analysis (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Evolutionary Computation (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Artificial Intelligence (AREA)
  • Computing Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Bioinformatics & Cheminformatics (AREA)
  • Bioinformatics & Computational Biology (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Bioethics (AREA)
  • Health & Medical Sciences (AREA)
  • Medical Informatics (AREA)
  • Evolutionary Biology (AREA)
  • Mathematical Physics (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The embodiment of the specification provides a privacy-preserving model joint training method and device. The joint training is carried out by a server together with terminals: each terminal processes the actual gradients required for training with a preset randomization processing mode and sends the resulting perturbation gradients to the server, so that the server obtains the parameters of the trained model from the perturbation gradients rather than from the actual gradients.

Description

Model joint training method and device for protecting privacy
Technical Field
The embodiment of the specification relates to the technical field of data security, and in particular to a privacy-preserving model joint training method and device.
Background
To solve the data-silo problem, model training realized through the cooperation of multiple ends is gradually attracting the attention of industry.
More than one end (a server and at least one terminal) is involved in the model training process, and a certain degree of mutual distrust between these ends is inevitable, so effective privacy protection and information security between the ends is essential.
Disclosure of Invention
The embodiment of the specification provides a privacy-preserving model joint training method and device, which can train the model effectively while guaranteeing information security.
According to a first aspect, there is provided a first method for jointly training a privacy-preserving model, the joint training being performed by a server and a plurality of terminals, the method being performed by any one of the plurality of terminals, the method comprising:
obtaining a model to be trained from the server;
inputting a local training sample into the model, and determining an actual gradient corresponding to each parameter in the model according to a result output by the model;
determining a target gradient set according to the actual gradient corresponding to each parameter;
for each actual gradient in the target gradient set, obtaining the perturbation gradient corresponding to that actual gradient by a preset randomization processing mode;
and sending the obtained disturbance gradients to the server, so that the server aggregates the disturbance gradients sent by the plurality of terminals respectively to obtain trained model parameters, and thus obtaining a trained model.
In one embodiment, the target gradient set comprises an arbitrary first actual gradient;
obtaining the perturbation gradient corresponding to the first actual gradient by the preset randomization processing mode comprises:
determining a first candidate gradient and a second candidate gradient;
and selecting one of the first candidate gradient and the second candidate gradient according to the first actual gradient as a disturbance gradient corresponding to the first actual gradient.
In one embodiment, determining the first candidate gradient and the second candidate gradient comprises:
determining the first candidate gradient and the second candidate gradient according to a preset first privacy budget, wherein the first candidate gradient is a positive number negatively correlated with the first privacy budget, and the second candidate gradient is the negative of the first candidate gradient.
In one embodiment, selecting one of the first candidate gradient and the second candidate gradient as the perturbation gradient of the first actual gradient comprises:
determining a first probability and a second probability corresponding to the first actual gradient according to the first actual gradient and the first privacy budget, wherein the first probability is positively correlated with the first actual gradient and the first privacy budget, and the sum of the first probability and the second probability is 1;
selecting the first candidate gradient with the first probability and the second candidate gradient with the second probability, and taking the selected candidate as the perturbation gradient of the first actual gradient.
In one embodiment, before determining the first probability and the second probability corresponding to the first actual gradient, the method further comprises:
determining a normalization interval for the first actual gradient, wherein the normalization interval is obtained according to an aggregation mode adopted by a server when each disturbance gradient is aggregated;
determining a first probability and a second probability corresponding to the first actual gradient, including:
normalizing the first actual gradient according to the normalization interval;
and determining a first probability and a second probability corresponding to the first actual gradient according to the normalized first actual gradient.
In one embodiment, determining the target gradient set according to the actual gradients corresponding to the parameters includes:
determining the first specified number of largest actual gradients among the actual gradients corresponding to the parameters;
determining the target gradient set based on the first specified number of largest actual gradients.
In one embodiment, the first specified number is obtained from the server and is derived from at least one of: the number of terminals participating in training, the number of parameters of the model, and the time elapsed since the model was last trained.
In one embodiment, wherein determining the target gradient set from the first specified number of largest actual gradients comprises:
determining a third probability and a fourth probability according to a preset second privacy budget and a second specified number, wherein the second specified number is positively correlated with the first specified number, the sum of the third probability and the fourth probability is 1, and the third probability is greater than the fourth probability;
sampling the first gradient set with the third probability and the second gradient set with the fourth probability to obtain the second specified number of actual gradients, which serve as the target gradient set; wherein the first gradient set consists of the first specified number of largest actual gradients, and the second gradient set consists of the remaining actual gradients, i.e. those actual gradients corresponding to the parameters that are not among the first specified number of largest ones.
In one embodiment, wherein the third probability is further determined according to a number of parameters of the model.
In one embodiment, after sending the obtained perturbation gradients to the server, the method further includes:
and receiving the parameters of the trained model returned by the server to obtain the trained model.
According to a second aspect, a second method for joint training of a privacy-preserving model is provided, the joint training being performed by a server and a number of terminals, the method being performed by the server, the method comprising:
for each terminal, receiving the perturbation gradients corresponding to the model parameters sent by that terminal, the perturbation gradients being obtained according to the joint training method of the first aspect;
for each parameter of the model, aggregating the disturbance gradients corresponding to the parameter in the received disturbance gradients;
and obtaining the trained model parameters according to the aggregation results obtained by aiming at the parameters so as to obtain the trained model.
In one embodiment, before receiving the perturbation gradient corresponding to the model parameter sent by the terminal, the method further comprises:
determining a first specified number according to at least one of the number of terminals participating in training, the number of the model parameters and the time length of the model from the last training;
sending the first specified number to the terminal, so that the terminal determines the perturbation gradients it sends to the server according to the first specified number of largest actual gradients.
In one embodiment, wherein after obtaining the parameters of the trained model, the method further comprises:
and sending the trained model parameters to each terminal, so that each terminal obtains the trained model.
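As an added worked example (not code from the patent or from Alipay), the following Python sketches one training round of the first and second aspects: each terminal normalizes an actual gradient, replaces it with one of two candidate gradients chosen with the first and second probabilities, and the server averages the perturbation gradients from all terminals and applies the result to the model parameters. The concrete formulas are assumptions that fill in what the claims only characterize qualitatively: the first candidate gradient c = (e^ε + 1) / (e^ε - 1) (positive, decreasing in the privacy budget ε), the second candidate -c, a fixed symmetric clipping bound B as the normalization interval, and first probability p = ((e^ε - 1)·g + e^ε + 1) / (2(e^ε + 1)) for a normalized gradient g in [-1, 1]. With these choices the perturbation is unbiased, which is why mean aggregation on the server recovers almost the same update as it would from actual gradients, and the ratio of the first probability at g = 1 to that at g = -1 is exactly e^ε, the local differential privacy bound for a single reported gradient.

```python
import math
import random
from typing import List, Sequence, Tuple

# All formulas below are assumptions chosen to satisfy the qualitative
# properties stated in the claims; the patent itself does not fix them.


def candidate_gradients(epsilon: float) -> Tuple[float, float]:
    """First and second candidate gradient for privacy budget epsilon.

    c = (e^eps + 1) / (e^eps - 1) is positive and shrinks as epsilon grows;
    the second candidate is its negation, as the claims state.
    """
    e = math.exp(epsilon)
    c = (e + 1.0) / (e - 1.0)
    return c, -c


def normalize(actual: float, bound: float) -> float:
    """Clip an actual gradient to [-bound, bound] and map it onto [-1, 1].

    The claims say the normalization interval follows the server's
    aggregation rule; a fixed symmetric clipping bound is our assumption.
    """
    clipped = max(-bound, min(bound, actual))
    return clipped / bound


def first_probability(normalized: float, epsilon: float) -> float:
    """Probability of reporting the first (positive) candidate.

    Rises with both the normalized gradient and epsilon; the second
    probability is 1 - p.
    """
    e = math.exp(epsilon)
    return ((e - 1.0) * normalized + e + 1.0) / (2.0 * (e + 1.0))


def perturb(actual: float, bound: float, epsilon: float,
            rng: random.Random) -> float:
    """Terminal side: replace one actual gradient by a randomly chosen candidate."""
    pos, neg = candidate_gradients(epsilon)
    p = first_probability(normalize(actual, bound), epsilon)
    return pos if rng.random() < p else neg


def expected_perturbation(actual: float, bound: float, epsilon: float) -> float:
    """Exact expectation of bound * perturb(...): equals the clipped actual gradient."""
    pos, neg = candidate_gradients(epsilon)
    p = first_probability(normalize(actual, bound), epsilon)
    return bound * (p * pos + (1.0 - p) * neg)


def aggregate(gradients_by_terminal: Sequence[Sequence[float]],
              bound: float) -> List[float]:
    """Server side: average each parameter's reported gradients over all
    terminals and undo the normalization scale (bound=1.0 gives a plain mean)."""
    n_terminals = len(gradients_by_terminal)
    n_params = len(gradients_by_terminal[0])
    return [bound * sum(t[j] for t in gradients_by_terminal) / n_terminals
            for j in range(n_params)]


def apply_update(params: Sequence[float], aggregated: Sequence[float],
                 learning_rate: float) -> List[float]:
    """Server side: one gradient-descent step on the aggregated gradients."""
    return [w - learning_rate * g for w, g in zip(params, aggregated)]


def simulate_round(actual_by_terminal: Sequence[Sequence[float]], bound: float,
                   epsilon: float, seed: int = 0) -> List[float]:
    """Run the perturbation on every terminal, then aggregate on the server."""
    rng = random.Random(seed)
    perturbed = [[perturb(g, bound, epsilon, rng) for g in grads]
                 for grads in actual_by_terminal]
    return aggregate(perturbed, bound)


if __name__ == "__main__":
    # Constructed sample: 10000 terminals, each holding gradients for 2 parameters.
    rng = random.Random(1)
    actual = [[0.2 + rng.gauss(0, 0.05), -0.4 + rng.gauss(0, 0.05)]
              for _ in range(10000)]
    plain_mean = aggregate(actual, 1.0)      # what the server would see unprotected
    private_mean = simulate_round(actual, bound=1.0, epsilon=1.0)
    print("mean of actual gradients      :", [round(v, 3) for v in plain_mean])
    print("mean of perturbation gradients:", [round(v, 3) for v in private_mean])
    print("updated params:", apply_update([0.5, 0.5], private_mean, 0.1))
```

Each individual report is just +c or -c, so the server learns almost nothing about one terminal's gradient, while the average over many terminals concentrates around the true mean; the error shrinks like c/sqrt(n), so smaller ε (larger c) needs more terminals for the same accuracy.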
According to a third aspect, there is provided a joint training apparatus of a first privacy-preserving model, the joint training being performed by a server and a plurality of terminals, the apparatus being applied to any one of the plurality of terminals, the apparatus comprising:
a model to be trained obtaining unit configured to obtain a model to be trained from the server;
the actual gradient determining unit is configured to input a local training sample into the model, and determine an actual gradient corresponding to each parameter in the model according to a result output by the model;
the target gradient set determining unit is configured to determine a target gradient set according to the actual gradients corresponding to the parameters;
a disturbance gradient determining unit configured to obtain, for each actual gradient in the target gradient set, each disturbance gradient corresponding to each actual gradient by using a preset randomization processing manner;
and a first sending unit configured to send the obtained perturbation gradients to the server, so that the server aggregates the perturbation gradients sent by the plurality of terminals to obtain the trained model parameters and thus the trained model.
According to a fourth aspect, there is provided a joint training apparatus of a second privacy-preserving model, the joint training being performed by a server and a plurality of terminals together, the apparatus being applied to the server, the apparatus including:
the disturbance gradient acquisition unit is configured to receive a disturbance gradient which is sent by each terminal and corresponds to the model parameters; the perturbation gradient is obtained by the terminal by using the device of the third aspect;
the aggregation unit is configured to aggregate the disturbance gradients corresponding to each parameter in the received disturbance gradients for each parameter of the model;
and the parameter adjusting unit is configured to obtain parameters of the trained model according to each aggregation result obtained aiming at each parameter so as to obtain the trained model.
According to a fifth aspect, there is provided a computer readable storage medium having stored thereon a computer program which, when executed in a computer, causes the computer to perform the method of the first and second aspects.
According to a sixth aspect, there is provided a computing device comprising a memory and a processor, wherein the memory has stored therein executable code, which when executed by the processor, implements the methods of the first and second aspects.
According to the method and device provided by one embodiment of the specification, the terminal processes the actual gradients required for training with a preset randomization processing mode and sends the resulting perturbation gradients to the server, so that the server obtains the parameters of the trained model by aggregating the perturbation gradients; the randomization processing mode ensures that the aggregated model parameters are almost equivalent to those that would be obtained from the actual gradients. Because a perturbation gradient differs from the actual gradient, no party can reconstruct the actual gradient from the perturbation gradient of a single terminal during training: after the server receives a perturbation gradient from a terminal, it cannot infer the actual gradient from it, and therefore cannot learn which training sample produced the actual gradient. Further, even if an attacker intercepts the perturbation gradients sent by a terminal during model training, the attacker cannot recover from them the actually collected data used to generate them, which helps realize information security in the model training process.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings used in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the description below are only some embodiments of the present invention, and it is obvious for those skilled in the art that other drawings can be obtained according to the drawings without creative efforts.
FIG. 1 illustrates a schematic diagram of interactions between a plurality of terminals and a server, according to one embodiment;
FIG. 2 illustrates a process of model training based on actual gradients;
FIG. 3 illustrates a joint training process for a terminal-implemented model according to one embodiment;
FIG. 4 illustrates a process for joint training of models by a terminal in conjunction with a server, according to one embodiment;
FIG. 5 illustrates a joint training process for a server-implemented model according to one embodiment;
FIG. 6 illustrates a process of determining a target gradient set according to one embodiment;
FIG. 7 illustrates a process of determining a perturbation gradient according to one embodiment;
FIG. 8 shows a schematic block diagram of a joint training arrangement of a first model according to one embodiment;
FIG. 9 shows a schematic block diagram of a joint training arrangement of a second model according to an embodiment;
FIG. 10 shows a schematic view of an electronic terminal corresponding to FIG. 3 and/or FIG. 5 according to an embodiment.
Detailed Description
The present specification will be described in further detail with reference to the accompanying drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the relevant invention and not restrictive of the invention. The described embodiments are only a subset of the embodiments described herein and not all embodiments described herein. All other embodiments obtained by a person skilled in the art based on the embodiments in the present specification without any inventive step are within the scope of the present application.
As used in this specification and the appended claims, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context clearly dictates otherwise. In general, the terms "comprises" and "comprising" merely indicate that the explicitly identified steps or elements do not constitute an exclusive list, and that the method or apparatus may comprise further steps or elements.
It should be noted that, for convenience of description, only the portions related to the related invention are shown in the drawings. The embodiments and features of the embodiments in the present description may be combined with each other without conflict.
Flow charts are used in this description to illustrate operations performed by a system according to embodiments of the present description. It should be understood that the preceding or following operations are not necessarily performed in the exact order in which they are performed. Rather, the various steps may be processed in reverse order or simultaneously. Meanwhile, other operations may be added to the processes, or a certain step or several steps of operations may be removed from the processes.
The meaning of privacy in this specification may be determined according to business rules. Generally, a service needs to be executed by at least one execution subject, and when the service must be realized by the cooperation of several execution subjects, its execution also involves interaction between them. Information about the execution subjects involved in the service, the interaction information between them, and the execution status information of the service may all be privacy-related information of the service. Information that counts as privacy must not be leaked, whether during storage or during use.
For ease of explanation, reference is first made to an existing model training (i.e., joint training) process realized through the cooperation of several ends. Illustratively, in the network architecture shown in fig. 1, a server is connected to terminals 1 to n, and data can be transmitted between the server and the terminals connected to it. It should be noted that this specification does not exclude the case where only one terminal is connected to the server.
The process of performing joint training by using the network architecture shown in fig. 1 may be as shown in fig. 2, and may determine any one of the terminals 1 to n in fig. 1 as the terminal i in fig. 2. And the terminal i obtains a training sample for training the model based on the local data acquired by the terminal i at each historical moment. The server transmits a model to be trained (in this specification, a model before the completion of the current training may be referred to as a model to be trained, and a model after the completion of the current training may be referred to as a model after the training) to the terminal i.
After obtaining the model to be trained from the server, the terminal i inputs the training sample into the model to be trained, obtains the output of the model based on the training sample, and further obtains the actual gradient according to the output of the model to be trained. Since the parameters of the model to be trained are not unique in general, the actual gradient of each parameter can be obtained for that parameter.
After terminal i obtains the actual gradient of each parameter, it sends these actual gradients to the server. When more than one terminal participates in training, the server aggregates the actual gradients received from the terminals and obtains the parameters of the trained model from the aggregation result.
Then, the server sends the parameters of the trained model to each terminal (for example, terminal 1 to terminal n in fig. 1), and after each terminal receives the trained model parameters sent by the server, the parameters of the model to be trained are updated according to the trained model parameters, so as to obtain the trained model. So far, the joint training process of the model is completed.
As can be seen from the above description, the model joint training process at least involves the interaction between the terminal and the server, and the data involved in the interaction includes the actual gradient. Because the actual gradient is obtained according to the training sample, and the training sample is obtained according to the actual data collected by the terminal in the history, the server may obtain the actual data used for generating the training sample by performing reverse extrapolation according to the received actual gradient, and then the risk of privacy disclosure exists.
The terminal is not specifically limited in this specification; it may be a mobile phone, a tablet computer, a personal computer, a notebook computer, a handheld computer (PDA), a wearable terminal (e.g., smart glasses or a smart watch), an ATM, an intelligent security system, a smart home device, and the like.
Further, a server in this specification refers to a computer system capable of providing services to other terminals in a network. The objects served by the server are generally called terminals or clients, and the server and the terminals may be connected by wired or wireless communication. The server may be implemented in various ways: as a single computer, or as a combination of multiple computers (for example, a cluster server or a cloud server). In some application scenarios the server may also be referred to as the server side, the cloud, etc.
In addition, the parties that may cause privacy disclosure in the joint training process include not only the aforementioned server but also attackers targeting the model training process. Such an attacker may interact with the server through illegal means and intercept the actual gradients that the terminal sends to the server, then derive from the intercepted actual gradients the actual data behind them, causing privacy disclosure.
In view of this, how to realize information security in the joint training process and reduce the risk of privacy disclosure has become an urgent problem to be solved.
The present specification provides a joint training process for a model, which is performed by any one of the terminals in the joint training, as shown in fig. 3, and which may include one or more of the following steps.
S300: and obtaining the model to be trained from the server.
The specification does not specifically limit the specific form and structure of the model, and the model can be determined according to actual requirements. For example, in an alternative embodiment of the present description, the model may be an Artificial Neural Network (ANN) model, an eXtreme Gradient Boosting (XGBoost) model, or the like; or the model can be composed of a plurality of submodels with different forms and different structures.
In a practical scenario, a model deployed in a terminal may need to be retrained at intervals over time. For example, in the scenario shown in fig. 1, at a historical time t1 the server sends the model to each terminal, so that each terminal can execute its service according to the model. Thereafter, until the current time t2, the model has been in use in the terminal for a duration (t2 - t1). Since the scenario is likely to have changed during the duration (t2 - t1), the model received by the terminal at time t1 may no longer be applicable at the current time t2, and the model needs to be trained.
In this case, the model to be trained in this step is the model received by the terminal at time t1. At time t1 the received model was suited to the scenario at t1, i.e. it was a trained model with good capability. At time t2 the model received at t1 is no longer suited to the current scenario, so at t2 it is the model to be trained.
It can be seen that whether a model in this specification is a model to be trained depends to some extent on the time elapsed from its last training to the current time. If the current time is the aforementioned t1, the model is the trained model; if the current time is the aforementioned t2, it is the model to be trained.
Further, assume the model is trained at time t2; then at a future time t3 the trained model obtained at t2 may again be the model to be trained. By analogy, the changes in the state of the model at later times can be obtained, and are not enumerated here.
In this way, the model to be trained in this step may be the model after training at the historical time obtained at the historical time, but at the current time, the state of the model is the state to be trained.
S302: inputting a local training sample into the model, and determining the actual gradient corresponding to each parameter in the model according to the result output by the model.
Taking the example where the model is a neural network, the parameters of the model at least include the weights of the neural network. The training process of the model may include adjusting the parameters of the model.
As can be seen from the foregoing, the number of terminals participating in joint training may be multiple, and each terminal may store training samples locally and in advance.
In an alternative embodiment of the present specification, as shown in fig. 4, the process of the terminal obtaining its training samples for model training may be: and processing historical data collected historically to obtain a training sample.
The present specification does not limit the specific form of the training samples. For example, when the joint training is supervised training, each training sample may include a sample feature and the sample label corresponding to that sample feature. The training samples may then be determined by obtaining, from the historical data, a sample feature and its corresponding sample label and taking the pair as a training sample; the sample feature and the sample label may be determined in either order.
Because the historical data are real collected data, they objectively and accurately reflect the conditions of each service executed in the past. The historical data may relate to information about each execution subject involved in the service (for example, user Zhang San) on one hand, and to the conditions of the service during its execution on the other (for example, payment services on a payment platform often occur on working days); if the historical data were disclosed, the privacy of the execution subject and/or of the service conditions would be exposed. The process in this specification is intended to increase the concealment of the historical data and to prevent any end other than the terminal itself from learning, during model training, the terminal's historical data and/or the information it represents.
After the training samples are obtained, they may be input into the model to be trained and the result output by the model obtained, as shown in fig. 4. Because the capability of the model is not yet complete at this time, there is a certain difference between the output result and the sample label of the training sample, and the actual gradient can be determined from this difference. When the model has more than one parameter, the actual gradient corresponding to each parameter can be determined by this process, with parameters and actual gradients in one-to-one correspondence. In the embodiment shown in fig. 4, actual gradient 1 to actual gradient m, corresponding to parameter 1 to parameter m, are obtained, i.e. m actual gradients in total.
It can be seen that the actual gradient shows the difference between the result of the model output and the sample label, and in some cases, the actual gradient corresponding to at least part of the parameters is positively correlated with the difference.
S304: and determining a target gradient set according to the actual gradient corresponding to each parameter.
In the case where the parameters of the model are not unique, multiple actual gradients can be obtained. In the step, each element contained in the target gradient set is obtained according to each actual gradient so as to obtain the target gradient set.
In an alternative embodiment of the present specification, each actual gradient may be directly used as an element in the target gradient set, and the number of the elements in the target gradient set is equal to the number of the actual gradients, and the elements in the target gradient set correspond to the actual gradients one to one.
In yet another alternative embodiment of the present disclosure, a part of each actual gradient, for example, a part with a larger gradient value, may be selected as an element in the target gradient set, and then the number of elements in the target gradient set is smaller than the number of actual gradients. As shown in fig. 4, the terminal obtains m actual gradients in total, where the actual gradient 1 to the actual gradient i (i is smaller than m) are determined as elements in the target gradient set, and the actual gradient i +1 to the actual gradient m are not determined as elements in the target gradient set.
It can be seen that the number of elements in the target gradient set obtained through the process of the present specification may be less than the number of actual gradients, that is, not every actual gradient obtained by the terminal necessarily participates in the subsequent model training steps. The step of determining the target gradient set therefore performs a preliminary selection of the actual gradients: on the one hand, the amount of communication between the ends is reduced; on the other hand, the selection perturbs the data required for training, which to a certain extent reduces the possibility of obtaining the historical data and/or the information represented by it by reverse deduction from the target gradient set, and thus avoids privacy disclosure.
It should be noted that, in this specification, at least part of the actual gradient is taken as an element in the target gradient set, which is only exemplary. In other optional embodiments of the present specification, an identifier of a parameter corresponding to at least part of the actual gradient (for example, a position of the parameter in the model may be used as the identifier of the parameter) may also be used as an element in the target gradient set. When the actual gradient corresponding to the parameter identifier in the target gradient set needs to be further processed in the subsequent step, the actual gradient corresponding to the parameter identifier may be found for each parameter identifier in the target gradient set, and then the found actual gradient is processed.
In order to make the present description clearer, the following description will take a part of the actual gradient as an element in the target gradient set as an example.
S306: for each actual gradient in the target gradient set, obtaining a disturbance gradient corresponding to that actual gradient by adopting a preset randomization processing mode.
On the basis of obtaining the target gradient set, a preset randomization processing mode can be adopted to perform randomization processing on each actual gradient in the target gradient set, so as to obtain a disturbance gradient corresponding to the actual gradient. As shown in fig. 4, the actual gradient 1 is randomized, and a perturbation gradient 1 is obtained, and so on. Because the disturbance gradient is obtained by a randomization processing mode according to the actual gradient, the disturbance gradient has a certain degree of randomness compared with the actual gradient corresponding to the disturbance gradient.
Various randomization processing modes may be used, and an existing randomization processing mode can be applied to the process in this specification provided that the local differential privacy requirement is satisfied.
In an alternative embodiment of the present specification, the randomization processing is performed with different degrees of randomization for at least two actual gradients in the target gradient set (the degree of randomization may be characterized by the difference between the result of the randomization and the actual gradient before randomization). Then, for the terminal, the perturbation gradients obtained through the randomization processing can hardly reflect the distribution of the actual gradients in the target gradient set, which increases the difficulty of reversely obtaining the historical data of the terminal and/or the information represented by it from the perturbation gradients obtained by the terminal.
Therefore, on top of the perturbation already present in the elements of the target gradient set, this step further increases the perturbation of the data used for training by randomizing those elements, so as to reduce the risk of privacy disclosure.
S308: sending the obtained disturbance gradients to the server, so that the server aggregates the trained model parameters according to the disturbance gradients respectively sent by the plurality of terminals to obtain a trained model.
As can be seen from the foregoing, the disturbance gradient obtained through the foregoing steps greatly improves the concealment of the historical data used in the training process. The server receives the disturbance gradient but cannot reversely obtain from it the corresponding historical data and/or the information represented by that historical data; likewise, even if a malicious actor intercepts the disturbance gradient, the historical data and/or the information it characterizes remain unavailable.
As can be seen, if the disturbance gradient is completely exposed, the risk of leakage of the historical data still does not increase, and the terminal may send the disturbance gradient to the server, as shown in fig. 4, so that the server performs subsequent steps. And the process of sending the disturbance gradient by the terminal does not need to adopt other data encryption means and/or a specific data transmission mode with higher safety, thereby effectively avoiding resource consumption caused by other data encryption and/or specific data transmission modes. Wherein the resource may be a time resource, a computing resource of the terminal, etc.
The process in this specification is applicable to a joint training process performed jointly by several terminals, involving a server and at least one terminal. Corresponding to the terminal-implemented process, FIG. 5 illustrates a joint training process for a server-implemented model according to one embodiment. As shown in fig. 5, after the terminal generates and transmits the perturbation gradient, to obtain the trained model, the server may perform one or more of the following steps:
S500: for each terminal, receiving each disturbance gradient sent by the terminal; the disturbance gradient is obtained by the terminal according to the actual gradient of the parameter and a preset randomization processing mode in the foregoing process.
The manner in which the terminal determines the perturbation gradient may be as described previously.
S502: for each parameter of the model, aggregating the disturbance gradients corresponding to that parameter among the received disturbance gradients.
Since the number of terminals participating in the joint training is not unique, the server receives a plurality of perturbation gradients corresponding to each parameter with a high probability for the parameter. In the case that the received perturbation gradient is sufficient, the distribution of the perturbation gradient corresponding to the parameter may reflect the training trend for the parameter. The server may aggregate for each perturbation gradient corresponding to the parameter to determine a training trend for the parameter.
In order to enable the server to effectively determine which parameter a received certain perturbation gradient corresponds to, and enable the server to effectively aggregate the perturbation gradients, in an optional embodiment of the present specification, the perturbation gradients sent by the terminal may be correspondingly labeled with a parameter identifier. After receiving the perturbation gradient, the server can determine which parameter the perturbation gradient corresponds to according to the parameter identifier. The server may aggregate for each parameter of the model separately to determine a training trend for that parameter.
S504: obtaining the trained model parameters according to the aggregation results obtained for the parameters, so as to obtain the trained model.
The present specification does not specifically limit the manner in which the disturbance gradient is aggregated by the server, and the manner of aggregation may be determined according to actual requirements.
In general, it is difficult to achieve the convergence condition of the model by adjusting the parameters only once. In order to make the trained model reach the convergence condition, the model training process in this specification may be iterative. The convergence condition may be at least one of that the updated model parameter meets a preset training requirement, that a difference between a result output by the model and a true result (the true result may be a sample label of the training sample and/or a test label of a preset test set) is smaller than a preset difference threshold, and that the number of iterations reaches a preset number.
The iterative process may be repeated to perform the aforementioned steps S302 to S308, and steps S500 to S502 until the convergence condition of the model is reached.
Thus, a trained model is obtained, and the model can be applied to an online scenario. The applicable scenario of the model is not particularly limited in this specification; for example, the model may be applied to various service processing processes, and the service may be any of various data processing related services such as a payment service, a risk control service, a security service, a financial service, a management service (e.g., an asset management service, an enterprise management service, a transaction management service), a credit investigation service, a media service, a communication service, and a life service.
Therefore, in the training process, the terminal processes the actual gradient required by the training in a preset randomization processing mode, and sends the obtained disturbance gradient to the server, so that the server obtains the parameters of the trained model according to the disturbance gradient, instead of obtaining the parameters of the trained model according to the actual gradient. The disturbance gradient is different from the actual gradient, and any one of the two parties cannot reversely deduce the actual gradient through the disturbance gradient in the training process, so that after the server receives the disturbance gradient from the terminal, the server cannot reversely deduce what the actual gradient is according to the disturbance gradient, and further cannot know what the training sample is used for obtaining the actual gradient. Further, even if an attacker intercepts the disturbance gradient sent by the terminal in the model training process, the attacker cannot obtain actually acquired data for generating the disturbance gradient according to the disturbance gradient in a reverse-deducing manner, and the method is favorable for realizing information security in the model training process.
Further, in order to further improve the training effect of the model, the present specification is further designed with respect to the aforementioned process of "determining the target gradient set" and the process of "determining the disturbance gradient". For convenience of explanation, the following description will be made in more detail with respect to "determining a target gradient set" and "determining a perturbation gradient" in chronological order, respectively.
1. A target gradient set is determined.
From the foregoing, it can be seen that a set of target gradients in the present specification may have a certain difference from a set formed by each actual gradient, so as to implement perturbation on data required for training at the level of the actual gradient.
On the one hand, the disturbance introduced by the target gradient set increases the safety of the model training process; on the other hand, the actual gradients inside the target gradient set play a role in the model training process, and to a certain extent that role is larger than the role of the actual gradients outside the target gradient set. How to properly select, among all actual gradients, those more suitable for model training when forming the target gradient set therefore influences the training effect of the model to a certain extent.
In an alternative embodiment of the present specification, the target gradient set that includes the actual gradient more suitable for model training and that can achieve perturbation is obtained through the following process: first, among the actual gradients generated by the terminal, a first specified number of the largest actual gradients are determined. Then, a target gradient set including a second specified number of actual gradients is obtained based on the first specified number of largest actual gradients.
Specifically, the process of obtaining the target gradient set may be as follows:
1. a first specified quantity is determined.
In this specification, the first specified number represents the number of actual gradients, among those obtained by the terminal in the current iteration, that are more suitable for model training. The first specified number may to a certain extent reflect the difference between the current state of the model and the state of the trained model, and it is positively correlated with that difference. The first specified number is used in subsequent steps to determine which actual gradients the target gradient set should contain.
The process of determining the first specified number may be: and determining a first specified number according to at least one of the number of terminals participating in training, the number of parameters of the model and the time length of the model from the last training, as shown in fig. 6. The first specified quantity is inversely related to the quantity of the terminals, and/or the first specified quantity is positively related to the quantity of the parameters of the model, and/or the first specified quantity is positively related to the time length of the model from the last training. In an alternative embodiment of the present description, the first specified number may be determined by the server.
The greater the number of terminals participating in training, the more perturbation gradients the server is likely to receive for each parameter, so the first specified number may be reduced appropriately. The more parameters the model has, the more parameters are likely to need adjustment during training, so the first specified number may be increased appropriately. The longer the time since the model was last trained, the more likely it is that the model no longer suits the current scenario, so the first specified number may be increased appropriately.
Therefore, the process in the present specification can expand or reduce the parameter range adjusted according to the disturbance gradient uploaded by the terminal in the iteration by adjusting the first specified number. On one hand, the number of disturbance gradients sent to the server by the terminal can be properly reduced, and the larger resource consumption caused by the sending process is avoided; on the other hand, privacy protection can be enhanced by reducing the number of disturbance gradients sent by the terminal; moreover, because the number of the terminals participating in the joint training is not unique, even if the terminal does not send the disturbance gradient corresponding to a certain parameter to the server, the disturbance gradient of the parameter is likely to be sent to the server by other terminals, so that the phenomenon that some parameters of the model cannot be trained due to the fact that the parameters corresponding to the disturbance gradient received by the server from one terminal are not comprehensive enough is avoided.
In an alternative embodiment of the present description, the first specified number corresponding to each iteration may also be determined for that iteration. The first specified amount may also be inversely related to an order of the current iteration among iterations in the current training process. That is, the first specified amount may be reduced appropriately at the later stage of the model training.
In addition, the first designated number in this specification may also be determined by the terminal, and before the terminal determines the first designated number, at least part of data (for example, at least one of the number of terminals participating in training, the number of parameters of the model, and the time length of the model from the last training) for determining the first designated number may be transmitted to the terminal by the server, so that the terminal can obtain the first designated number according to the data for determining the first designated number. The data for determining the first specified amount includes, but is not limited to, each data sent by the server to the terminal.
2. A first specified number of the largest actual gradients are determined.
In general, each gradient obtained during the model training process can be characterized in the form of a numerical value. The actual gradient in this specification may also be a specific value. Because the parameters of the model are not unique, the actual gradients corresponding to each obtained parameter may be the same or different.
The actual gradient of a certain parameter can reflect, to a certain extent, the part of the difference between the model output and the sample label that is attributable to that parameter for the training sample input to the model. The larger the difference, the more negative the influence of the parameter on the model capability, and the more urgently the parameter needs to be adjusted during training.
In the process in the present specification, when a target gradient set is determined, a first specified number of maximum actual gradients are determined, and the first specified number of maximum actual gradients are mainly considered in subsequent steps, as shown in fig. 6, so that a model can be effectively trained according to a disturbance gradient obtained based on the target gradient set, and the training effect of the model is ensured.
The present specification does not limit the process of determining the first specified number of maximum actual gradients from the actual gradients determined by the terminal, and the existing algorithm capable of implementing sorting and searching can be applied to the process.
For example, the actual gradients determined by the terminal are sorted by value, giving an actual gradient sequence arranged from large to small. Then, the first specified number of actual gradients ranked at the top of the sequence are determined, namely the first specified number of largest actual gradients.
In other optional embodiments, the actual gradients in the sequence may instead be arranged from small to large, and the process of determining the first specified number of largest actual gradients is adjusted accordingly, which is not described again here.
3. A second specified number is determined.
The second specified number in this specification is the number of actual gradients in the target gradient set. Because the disturbance gradients corresponding to the actual gradients in the target gradient set directly participate in the model training process for which the server is responsible, the second specified number influences to a certain extent the contribution of the terminal to the joint training, so determining it reasonably is rather critical.
In an alternative embodiment of the present specification, the second designated number may be determined according to at least one of the number of terminals participating in the joint training, the number of parameters of the model, and the time period of the model since the last training, as shown in fig. 6. The second specified number is inversely related to the number of the terminals, and/or the second specified number is positively related to the number of the parameters of the model, and/or the second specified number is positively related to the time length of the model from the last training. The order of execution of determining the first specified quantity and determining the second specified quantity may not be sequential.
As can be seen from the foregoing, the present specification refers not only to the first specified number but also to the second specified number when determining the target gradient set. The first specified number characterizes, to a certain extent, the number of parameters that need key adjustment in this iteration, based on the actual gradients obtained by the terminal. The second specified number characterizes, to a certain extent, the number of parameters that are actually adjusted in this iteration, based on those same actual gradients. Reasonably coordinating the relation between the first and second specified numbers therefore allows the model to be trained effectively while avoiding excessive resource consumption and, to a certain degree, the risk of privacy disclosure.
In another alternative implementation of the present description, the second specified number may be determined from the first specified number, and the second specified number is positively correlated to the first specified number.
Alternatively, in still another embodiment of the present specification, the first specified number is equal to the second specified number.
4. Determining each actual gradient in the target gradient set from the actual gradients by sampling, so as to obtain the target gradient set.
So far, the process of the present specification has obtained the first specified number, the second specified number, and the maximum actual gradients of the first specified number, and a target gradient set needs to be further determined according to the known items.
In joint training, an attacker has various means of attacking the model; for example, the attacker can disguise an illegitimate terminal as a legitimate one and, by participating in the model training process under a participant identity, learn the first specified number and the second specified number.
In that case, if a legitimate terminal directly transmitted the second specified number of largest gradients (for example, actual gradients) for model training to the server, the illegitimate terminal could intercept the data transmitted by the legitimate terminal. Since the second specified number of largest gradients is obtained from the historical data and past service conditions of the legitimate terminal (different terminals have different service conditions, different service conditions affect the model differently, and so the second specified number of largest gradients obtained by different terminals differ in both parameter identifiers and values), the illegitimate terminal could reversely deduce the past service conditions of the legitimate terminal from those gradients, causing privacy leakage of the legitimate terminal.
In order to enhance the security of the joint training and enable the obtained target gradient set to have a certain disturbance, the target gradient set is obtained by sampling each actual gradient generated by the terminal in the present specification.
In an alternative embodiment of the present specification, as shown in fig. 6, the sampling process may be as follows: a third probability and a fourth probability are determined according to a preset second privacy budget and the second specified number. The sum of the third probability and the fourth probability is 1, and the third probability is greater than the fourth probability. The second privacy budget may be preset by the server or set by the terminal. The third probability is positively correlated with the second privacy budget.
Then, the first gradient set is sampled with a third probability (i.e., the third probability is determined as the probability that each actual gradient in the first gradient set is acquired at the time of sampling), and the second gradient set is sampled with a fourth probability (i.e., the fourth probability is determined as the probability that each actual gradient in the second gradient set is acquired at the time of sampling), so that the second specified number of actual gradients are obtained as the target gradient set. Wherein the first set of gradients comprises: the first specified number of largest actual gradients; the second set of gradients comprises: actual gradients other than the first specified number of maximum actual gradients in the actual gradients corresponding to the respective parameters.
It should be noted that this sampling process is not sampling for the first gradient set and the second gradient set separately. The aforementioned process of determining the first specified number of largest actual gradients may be regarded as a process of determining the first set of gradients. On the basis of obtaining the first gradient set, the second gradient set may be obtained according to each actual gradient obtained by the terminal.
It can be seen that there may be at least one actual gradient in the target gradient set obtained by the process in this specification that is not among the first specified number of largest actual gradients. The target gradient set cannot reflect what the maximum actual gradients of the first specified number or the second specified number determined by the terminal are, and therefore the service condition of the terminal in the history cannot be inferred, and the privacy security of the terminal is enhanced.
In addition, in the present specification, since the third probability is higher than the fourth probability and each of the first specified number of largest actual gradients has a high probability of becoming an element of the target gradient set, it is also highly probable that the target gradient set contains more elements belonging to the first specified number of largest actual gradients than elements not belonging to it. Hence, even if the elements of the target gradient set sent by the terminal to the server are not all largest actual gradients, a good training effect can still be obtained.
In addition, in the foregoing embodiment, if the first specified number is the same as the second specified number, the determined actual gradients with the largest number of first specified numbers are more likely to be elements in the target gradient set, and the training effect of the model can be further ensured.
In an alternative embodiment of the present description, the third probability may be determined in combination with the number of model parameters in addition to the second privacy budget and the second specified number. The third probability is inversely related to the number of model parameters. For example, the third probability and the fourth probability may be determined according to a preset second privacy budget and a second specified number by the following formula (1).
[Formula (1): image BDA0002765519180000151, not reproduced in the text]
In the formula: $p_3$ is the third probability; $p_4$ is the fourth probability; $k_2$ is the second specified number; $\varepsilon'$ is the second privacy budget.
By this, a set of target gradients is obtained that can be used to determine the perturbation gradient.
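The sampling described in steps 1 to 4 above, as an added example that is not the patent's own code. Formula (1) is not reproduced on the page, so the split into the third and fourth probability uses an assumed stand-in that keeps only the stated properties; the sampling itself is a single joint draw over all actual gradients, as the text requires, with first-set members weighted by the third probability and the rest by the fourth.

```python
"""Target gradient set by privacy-preserving sampling (added example).

Not code from the patent. split_probabilities() is an ASSUMED stand-in for the
page's formula (1): it keeps p3 + p4 = 1, p3 > p4 and p3 growing with the
second privacy budget, but the real formula (1) also involves k2.
"""
import math
import random
from typing import Dict, List, Tuple


def largest_k(gradients: Dict[str, float], k1: int) -> List[str]:
    """Identifiers of the k1 largest actual gradients (the first gradient set).

    The page ranks by gradient value; use abs() here if magnitude is wanted.
    """
    ranked = sorted(gradients, key=lambda pid: gradients[pid], reverse=True)
    return ranked[:k1]


def split_probabilities(eps2: float) -> Tuple[float, float]:
    """Third and fourth probability from the second privacy budget eps2.

    ASSUMED randomized-response split: p3 = e^eps2 / (e^eps2 + 1), p4 = 1 - p3.
    For eps2 > 0 this always gives p3 > p4.
    """
    if eps2 <= 0:
        raise ValueError("privacy budget must be positive")
    p3 = math.exp(eps2) / (math.exp(eps2) + 1.0)
    return p3, 1.0 - p3


def sample_target_gradient_set(gradients: Dict[str, float], first_set, k2: int,
                               eps2: float, seed=None) -> Dict[str, float]:
    """Draw k2 actual gradients from ALL gradients in one joint sampling.

    First-set members get weight p3, all others p4. Keys u**(1/w) (Efraimidis-
    Spirakis) turn this into weighted sampling without replacement, so the
    first and second gradient sets are not sampled separately.
    """
    if not 0 < k2 <= len(gradients):
        raise ValueError("k2 must be between 1 and the number of gradients")
    rng = random.Random(seed)
    p3, p4 = split_probabilities(eps2)
    first = set(first_set)
    keyed = []
    for pid in gradients:
        weight = p3 if pid in first else p4
        keyed.append((rng.random() ** (1.0 / weight), pid))
    keyed.sort(reverse=True)
    return {pid: gradients[pid] for _, pid in keyed[:k2]}


def mean_first_set_hits(gradients, k1, k2, eps2, trials, seed=0) -> float:
    """Average number of first-set gradients landing in the target set.

    Useful to see that the target set usually favours the largest gradients
    while still admitting gradients outside the first set (the perturbation).
    """
    first = set(largest_k(gradients, k1))
    total = 0
    for t in range(trials):
        chosen = sample_target_gradient_set(gradients, first, k2, eps2, seed + t)
        total += sum(1 for pid in chosen if pid in first)
    return total / trials


if __name__ == "__main__":
    # Constructed sample: ten parameters with made-up actual gradients.
    values = [0.9, -0.2, 0.05, 0.7, 0.1, -0.6, 0.3, 0.0, 0.45, -0.1]
    grads = {f"w{i}": g for i, g in enumerate(values)}
    first = largest_k(grads, 3)
    print("first gradient set:", first)
    print("target gradient set:", sample_target_gradient_set(grads, first, 3, 1.0, seed=7))
    print("mean first-set hits over 2000 draws:", mean_first_set_hits(grads, 3, 3, 1.0, 2000))
```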
2. A perturbation gradient is determined.
On the basis of obtaining the target gradient set through the foregoing process, the present specification further obtains the perturbation gradients corresponding to the target gradient sets through the following process.
In order to describe the processes in this specification in an orderly way, the "normalization of the actual gradient" process, the "determination of the first and second probability" process, the "determination of the first and second candidate gradient" process, and the "determination of the third candidate gradient" process, all of which are performed when determining a disturbance gradient, are described separately below, although in practice they are coordinated and unified.
The process of "normalization processing" is intended to obtain reasonable "first candidate gradient and second candidate gradient" so that the server can aggregate the received disturbance gradients efficiently in the subsequent steps. The process of "normalization processing" can also be matched with the process of "determining the first probability and the second probability" to reflect the urgency of the parameters that are represented in each actual gradient and need to be adjusted in the first probability and the second probability. The first probability and the second probability are complementary to the first candidate gradient and the second candidate gradient, and the server can determine the adjustment direction and the adjustment degree of the parameters according to the distribution of the disturbance gradients from each terminal in the subsequent steps by the cooperation of the first probability and the second probability, so that the trained model is obtained.
It should be noted that, the execution order of the process of "determining the first probability and the second probability" and the process of "determining the first candidate gradient and the second candidate gradient" are not sequential.
1. Normalizing each actual gradient in the target gradient set.
It can be seen that the normalization process in this specification affects the step of aggregating the disturbance gradient by the subsequent server to some extent. The specification is matched with a server to perform an aggregation process by setting a normalization interval.
In an alternative embodiment of the present specification, the normalization interval for each actual gradient obtained by the terminal is determined as [-a, a], where a is a preset first learning degree and is a number greater than or equal to 0.
In an actual scenario, a may be determined according to actual requirements. For example, the first learning degree may be determined according to an aggregation manner of the disturbance gradient by the server.
Specifically, for each actual gradient in the target gradient set, a normalized actual gradient corresponding to the actual gradient may be determined, as shown in fig. 7. Only the actual gradient j and the normalized actual gradient j are exemplarily shown in fig. 7, and the other actual gradients in the target gradient set and the normalized results of the other actual gradients are not shown.
2. Obtaining the first probability and the second probability used in the randomization processing mode according to the result of the normalization processing.
In this specification, the first probability and the second probability are mutually exclusive probabilities, that is, the sum of the first probability and the second probability is equal to 1.
In an alternative embodiment of the present disclosure, the first probability corresponding to the actual gradient may be determined according to the normalized actual gradient. And determining a second probability corresponding to the actual gradient according to the first probability. Wherein the first probability is positively correlated with the actual gradient.
In another optional embodiment of the present disclosure, a first probability corresponding to the actual gradient may be determined according to the normalized actual gradient and a preset first privacy budget, and a second probability corresponding to the actual gradient may be further determined according to the first probability, as shown in fig. 7.
Alternatively, the first probability and the second probability may be calculated by the following formula (2).
[Formula (2): image BDA0002765519180000161, not reproduced on this page]
In the formula: p1 is the first probability; p2 is the second probability; t is the normalized actual gradient; ε is the first privacy budget.
In an alternative embodiment of the present description, the first privacy budget is equal to the aforementioned second privacy budget.
3. Determine a first candidate gradient and a second candidate gradient.
The first alternative gradient and the second alternative gradient in this specification are data for aggregation that the terminal finally sends to the server. In the subsequent step, one of the first candidate gradient and the second candidate gradient may be selected as a perturbation gradient corresponding to a parameter in the current iteration process.
When the number of terminals is large, even though each disturbance gradient received by the parameter server takes only one of two values, the server can form an unbiased estimate from the disturbance gradients, obtain the distribution of the actual gradients generated by the terminals for the parameter, and adjust the parameter according to that distribution.
In an optional embodiment of the present description, for the parameter, the first alternative gradient may be determined according to a first privacy budget corresponding to the terminal, as shown in fig. 7. A second candidate gradient is then determined from the first candidate gradient. Wherein the first alternative gradient is negatively correlated with the first privacy budget. Optionally, the second alternative gradient is the inverse of the first alternative gradient.
For example, the first candidate gradient and the second candidate gradient may be calculated using the following equation (3).
[Formula (3): image BDA0002765519180000171, not reproduced on this page]
In the formula: g1 is the first candidate gradient; g2 is the second candidate gradient; b is a preset second learning degree.
Here b is a number equal to or greater than 0. b may be obtained from the learning rate of the terminal and/or the aforementioned first learning degree; for example, the second learning degree is positively correlated with at least one of the learning rate of the terminal and the first learning degree. Optionally, the value of the second learning degree is equal to the value of the first learning degree.
4. For each actual gradient in the target gradient set, determine the disturbance gradient corresponding to the actual gradient from the first candidate gradient and the second candidate gradient.
The first candidate gradient and the second candidate gradient, and the first probability and the second probability are obtained by the previous steps. It may be determined that the probability that the actual gradient is randomized into the first candidate gradient is the first probability, the probability that the actual gradient is randomized into the second candidate gradient is the second probability, and the randomization process is performed on the actual gradient to obtain one of the first candidate gradient and the second candidate gradient as a perturbation gradient of the actual gradient, as shown in fig. 7.
Performing the randomization process on each actual gradient obtained by the terminal yields the disturbance gradients to be sent to the server.
As can be seen from the foregoing, the normalization process and the other processes in this specification all affect, to a certain extent, the subsequent aggregation of the disturbance gradients by the server. The aggregation process performed by the server is now described.
3. The server aggregates the received disturbance gradients.
It will be appreciated that processing the received perturbation gradients on the server (for example, aggregating them) consumes data processing resources such as computation. In a joint training scenario, in order to obtain a distribution that characterizes the actual gradients, the server often has to receive a large number of disturbance gradients from the terminals, and processing that many disturbance gradients inevitably consumes more resources.
In order to reduce the load on the server when processing the disturbance gradients, this specification sets the first learning degree to 1 in the foregoing normalization processing and sets the second learning degree to 1 when determining the first candidate gradient and the second candidate gradient. The normalization interval obtained is then [-1, 1]; the first alternative gradient is
[Formula: image BDA0002765519180000172, not reproduced on this page]
and the second alternative gradient is
[Formula: image BDA0002765519180000173, not reproduced on this page]
At this time, for a certain parameter, when the server aggregates the disturbance gradients corresponding to the parameter, the server averages the disturbance gradients corresponding to the parameter, and thus an aggregation result of the disturbance gradients for the parameter can be obtained. The aggregation mode of taking the average value is simple and efficient, and consumed resources are few.
Therefore, the first learning degree and/or the second learning degree can be adjusted according to the aggregation mode adopted by the server for the disturbance gradients, which in turn adjusts the first candidate gradient, the second candidate gradient and the normalization interval; this effectively avoids an excessive increase of the server's load during aggregation and saves the server's data processing resources.
Thus, the trained model can be obtained by carrying out a plurality of iterations through at least part of the steps until the model reaches the convergence condition.
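The terminal-side steps 1 to 4 above together with the server-side averaging for a = b = 1, as an added, self-contained Python example (this is not the patent's own code). The patent's formulas (2) and (3) are images that are not reproduced on this page, so the closed forms used here are an assumption: the binary randomized-response mechanism of Duchi et al. for values in [-a, a], with the second learning degree b scaling the candidate gradients. That choice has exactly the properties the text states (p1 grows with the normalized gradient and with the budget, p1 + p2 = 1, g1 is positive and shrinks as the budget grows, g2 = -g1) and, when b = a, its expectation equals the normalized gradient, which is why a plain average works on the server. Normalization is implemented as clipping into [-a, a], also an assumption; the per-terminal gradient values and the random seed are constructed for the demonstration.

```python
import math
import random
from typing import List, Tuple

# Added example, not the patent's own code. The closed forms for p1/p2 and
# g1/g2 below are an assumption (Duchi-style binary randomized response);
# the patent's formulas (2) and (3) are not reproduced on this page.


def normalize(actual: float, a: float = 1.0) -> float:
    """Step 1: map an actual gradient into the normalization interval [-a, a].
    Clipping is an assumed choice; the page does not say how the interval is applied."""
    return max(-a, min(a, actual))


def candidate_gradients(epsilon: float, b: float = 1.0) -> Tuple[float, float]:
    """Step 3: the first candidate g1 is positive and decreases as the first
    privacy budget epsilon grows; the second candidate g2 is its negation."""
    g1 = b * (math.exp(epsilon) + 1.0) / (math.exp(epsilon) - 1.0)
    return g1, -g1


def probabilities(t: float, epsilon: float, a: float = 1.0) -> Tuple[float, float]:
    """Step 2: p1 rises linearly with the normalized gradient t in [-a, a] and
    with epsilon; p1 + p2 = 1. At t = 0 both candidates are equally likely."""
    p1 = 0.5 + (t / a) * (math.exp(epsilon) - 1.0) / (2.0 * (math.exp(epsilon) + 1.0))
    return p1, 1.0 - p1


def perturb(actual: float, epsilon: float, a: float = 1.0, b: float = 1.0, rng=None) -> float:
    """Step 4: randomize one actual gradient into g1 with probability p1,
    otherwise g2. The server only ever sees one of these two values."""
    rng = rng or random
    t = normalize(actual, a)
    p1, _ = probabilities(t, epsilon, a)
    g1, g2 = candidate_gradients(epsilon, b)
    return g1 if rng.random() < p1 else g2


def expected_perturbation(actual: float, epsilon: float, a: float = 1.0, b: float = 1.0) -> float:
    """E[perturbed] = p1*g1 + p2*g2 = (b/a) * t, so with b = a the mechanism is
    unbiased for the normalized gradient and the server can simply average."""
    t = normalize(actual, a)
    p1, p2 = probabilities(t, epsilon, a)
    g1, g2 = candidate_gradients(epsilon, b)
    return p1 * g1 + p2 * g2


def aggregate(perturbed: List[float]) -> float:
    """Server side with a = b = 1: the aggregation result for one parameter is
    the plain average of the disturbance gradients received for it."""
    return sum(perturbed) / len(perturbed)


def simulate(n_terminals: int, epsilon: float, seed: int = 7) -> Tuple[float, float]:
    """Constructed scenario: each terminal holds one actual gradient for the
    same parameter. Returns (mean of normalized actual gradients, server estimate)."""
    rng = random.Random(seed)
    actual = [rng.gauss(0.25, 0.3) for _ in range(n_terminals)]  # constructed values
    true_mean = sum(normalize(x) for x in actual) / n_terminals
    estimate = aggregate([perturb(x, epsilon, rng=rng) for x in actual])
    return true_mean, estimate


if __name__ == "__main__":
    g1, g2 = candidate_gradients(1.0)
    print(f"candidates at epsilon=1: g1={g1:.4f}, g2={g2:.4f}")
    true_mean, estimate = simulate(20000, 1.0)
    print(f"true mean {true_mean:.4f}, server estimate {estimate:.4f}")
```

Each individual report carries little information about its terminal (it is one of two fixed values, chosen with a probability bounded away from 0 and 1 by the budget), yet the average over many terminals converges to the mean normalized gradient because every report is unbiased; the variance of that average, not its bias, is what shrinks as more terminals participate.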
Based on the same idea, the embodiment of the present specification further provides a joint training device of a first privacy protection model corresponding to the process shown in fig. 3, where the joint training device of the first privacy protection model is shown in fig. 8, and the joint training device of the first privacy protection model is applied to any one terminal participating in the joint training process.
Fig. 8 is a schematic structural diagram of a first privacy-preserving model joint training device provided in an embodiment of the present specification, where the first privacy-preserving model joint training device may include one or more of the following units and/or modules:
a model to be trained obtaining unit 800 configured to obtain a model to be trained from the server;
an actual gradient determining unit 802, configured to input a local training sample into the model, and determine an actual gradient corresponding to each parameter in the model according to a result output by the model;
a target gradient set determining unit 804, configured to determine a target gradient set according to the actual gradients corresponding to the respective parameters;
a disturbance gradient determining unit 806, configured to obtain, for each actual gradient in the target gradient set, each disturbance gradient corresponding to each actual gradient by using a preset randomization processing manner;
a first sending unit 808, configured to send the obtained disturbance gradients to the server, so that the server aggregates the trained model parameters according to the disturbance gradients sent by the terminals, respectively, to obtain a trained model.
In an alternative embodiment, the target gradient set comprises an arbitrary first actual gradient; the disturbance gradient determination unit 806 includes: the device comprises a first determination module and a second determination module.
The first determination module is configured to determine a first candidate gradient and a second candidate gradient.
The second determination module is configured to select one of the first candidate gradient and the second candidate gradient according to the first actual gradient as the disturbance gradient corresponding to the first actual gradient.
In an optional embodiment, the first determining module is configured to determine the first candidate gradient and the second candidate gradient according to a preset first privacy budget, where the first candidate gradient is a positive number negatively correlated to the first privacy budget, and the second candidate gradient is an inverse number of the first candidate gradient.
In an optional embodiment, the second determining module is configured to determine, according to the first actual gradient and the first privacy budget, a first probability and a second probability corresponding to the first actual gradient, wherein the first probability is positively correlated with the first actual gradient and the first privacy budget, and a sum of the first probability and the second probability is 1. Selecting the first candidate gradient with the first probability, selecting the second candidate gradient with the second probability, and taking the selection result as a perturbation gradient of the first actual gradient.
In an optional embodiment, the joint training device for the first model further includes a normalization interval determination unit.
The normalization interval determination unit is configured to determine a normalization interval for the first actual gradient, where the normalization interval is obtained according to an aggregation mode adopted by the server when aggregating the disturbance gradients.
The first determination module is configured to normalize the first actual gradient according to the normalization interval; and determining a first probability and a second probability corresponding to the first actual gradient according to the normalized first actual gradient.
In an optional embodiment, the target gradient set determining unit 804 is configured to determine a first specified number of maximum actual gradients from the actual gradients corresponding to the parameters; a target gradient set is determined based on a first specified number of the largest actual gradients.
In an optional embodiment, the first specified number is obtained from the server, and the first specified number is determined according to at least one of the following: the number of terminals participating in training, the number of model parameters, and the time elapsed since the model was last trained.
In an optional embodiment, the target gradient set determining unit 804 is configured to determine a third probability and a fourth probability according to a preset second privacy budget and a second specified number, where the second specified number is positively correlated with the first specified number, a sum of the third probability and the fourth probability is 1, and the third probability is greater than the fourth probability; sampling the first gradient set by using a third probability, and sampling the second gradient set by using a fourth probability to obtain a second specified number of actual gradients as a target gradient set; the first gradient set is composed of the first specified number of maximum actual gradients, and the second gradient set includes actual gradients, except for the first specified number of maximum actual gradients, in the actual gradients corresponding to the parameters.
In an optional embodiment, the third probability is further determined according to the number of model parameters.
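The target gradient set determination described in the two embodiments above, as an added Python example (not the patent's code). It assumes that "maximum actual gradients" means the largest absolute values, that the second specified number m of gradients is drawn one at a time without replacement, each draw coming from the first gradient set with the third probability p3 and from the second gradient set otherwise, and it uses p3 = e^ε2 / (e^ε2 + 1) as a placeholder for the patent's closed form, which the page does not give (the optional dependence of p3 on the number of model parameters is not modelled). The gradient values in the demo are constructed.

```python
import math
import random
from typing import Dict, List, Tuple

# Added example, not the patent's own code. The closed form of p3 is an
# assumption; the page states only that p3 > p4, p3 + p4 = 1, and that p3
# depends on the second privacy budget (optionally also on the parameter count).


def split_by_first_specified_number(actual: Dict[str, float], k: int) -> Tuple[List[str], List[str]]:
    """First gradient set: the k largest actual gradients (largest |value|,
    an assumption); second gradient set: every other parameter."""
    ordered = sorted(actual, key=lambda name: abs(actual[name]), reverse=True)
    return ordered[:k], ordered[k:]


def third_fourth_probability(epsilon2: float) -> Tuple[float, float]:
    """Assumed form: p3 = e^eps2 / (e^eps2 + 1), so p3 > 1/2 > p4 for eps2 > 0
    and p3 -> 1 as the budget grows (weaker privacy, more faithful top-k)."""
    p3 = math.exp(epsilon2) / (math.exp(epsilon2) + 1.0)
    return p3, 1.0 - p3


def select_target_gradient_set(actual: Dict[str, float], k: int, m: int,
                               epsilon2: float, rng=None) -> List[str]:
    """Draw m parameter names: each draw picks the first set with probability
    p3 and the second set with p4, then one not-yet-chosen member uniformly.
    If the chosen set is exhausted, the draw falls back to the other set."""
    rng = rng or random
    if m > len(actual):
        raise ValueError("second specified number exceeds the number of parameters")
    first, second = split_by_first_specified_number(actual, k)
    p3, _ = third_fourth_probability(epsilon2)
    chosen: List[str] = []
    for _ in range(m):
        pool = first if rng.random() < p3 else second
        if not pool:
            pool = second if pool is first else first
        chosen.append(pool.pop(rng.randrange(len(pool))))
    return chosen


if __name__ == "__main__":
    # Constructed actual gradients for five parameters of one terminal.
    grads = {"w0": 0.9, "w1": -0.8, "w2": 0.05, "w3": 0.01, "w4": -0.3}
    print("p3, p4 at eps2=1:", third_fourth_probability(1.0))
    print("target set:", select_target_gradient_set(grads, k=2, m=3, epsilon2=1.0,
                                                    rng=random.Random(3)))
```

The randomized choice between the two sets is what keeps the identity of a terminal's largest gradients from being disclosed deterministically: an observer of the sent coordinates cannot tell which of them came from the top-k set, and the second privacy budget controls how strongly the top-k set is favoured.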
In an optional embodiment, the joint training apparatus for the first model further includes a first sending unit 808. The first sending unit 808 is configured to receive the trained model parameters returned by the server to obtain a trained model.
Based on the same idea, the embodiments of the present specification further provide a joint training apparatus of a second privacy protection model corresponding to the process shown in fig. 5, the joint training apparatus of the second model is shown in fig. 9, and the joint training apparatus of the second model is applied to a server participating in the joint training process.
Fig. 9 is a schematic structural diagram of a joint training apparatus for a second privacy-preserving model provided in an embodiment of the present specification, where the joint training apparatus for the second privacy-preserving model may include one or more of the following units and/or modules:
a disturbance gradient obtaining unit 900 configured to receive, for each terminal, a disturbance gradient corresponding to the model parameter sent by the terminal; the disturbance gradient is obtained by the terminal by utilizing a joint training device of a first model;
an aggregation unit 902 configured to aggregate, for each parameter of the model, a perturbation gradient corresponding to the parameter in the received respective perturbation gradients;
a parameter adjusting unit 904 configured to obtain parameters of the trained model according to each aggregation result obtained for each parameter to obtain the trained model.
In an optional embodiment, the joint training apparatus for the second model further comprises a first specified number determining unit 906. The first specified number determining unit 906 is configured to determine the first specified number according to at least one of the number of terminals participating in training, the number of parameters of the model, and the time elapsed since the model was last trained.
In an optional embodiment, the joint training apparatus for the second model further includes a second transmitting unit 908. The second sending unit 908 is configured to send the first specified number to the terminal, so that the terminal determines a disturbance gradient sent by the terminal to the server according to the maximum actual gradient of the first specified number.
In an optional embodiment, the second sending unit 908 is configured to send the parameters of the trained model to each terminal, so that each terminal obtains the trained model.
Embodiments of the present specification also provide a first computer-readable storage medium storing a computer program, where the computer program is operable to execute the joint training process of the model provided in fig. 3.
A second computer-readable storage medium is also provided in an embodiment of the present disclosure, and the storage medium stores a computer program, which can be used to perform the joint training process of the model provided in FIG. 5.
The embodiment of the present specification further provides a schematic structural diagram of the electronic device shown in fig. 10. As shown in fig. 10, at the hardware level, the electronic device may include a processor, an internal bus, a network interface, a memory, and a non-volatile memory, and may also include hardware required for other services. And the processor reads the corresponding computer program from the nonvolatile memory into the memory and then runs the computer program to realize the joint training process of any model.
Of course, besides the software implementation, the present specification does not exclude other implementations, such as a combination of logic devices or software and hardware, and the like, that is, the execution subject of the following processing flow is not limited to each logic unit, and may also be hardware or a logic device.
All the embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from other embodiments. In particular, for the system embodiment, since it is substantially similar to the method embodiment, the description is simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
The foregoing description has been directed to specific embodiments of this disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims may be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may also be possible or may be advantageous.
It will be further appreciated by those of ordinary skill in the art that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein may be implemented in electronic hardware, computer software, or a combination of both, and that the components and steps of the examples have been described above in general terms according to their functions in order to illustrate clearly the interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and the design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application. The software modules may reside in Random Access Memory (RAM), memory, Read-Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
The above-mentioned embodiments are intended to illustrate the objects, technical solutions and advantages of the present invention in further detail, and it should be understood that the above-mentioned embodiments are merely exemplary embodiments of the present invention, and are not intended to limit the scope of the present invention, and any modifications, equivalent substitutions, improvements and the like made within the spirit and principle of the present invention should be included in the scope of the present invention.

Claims (15)

1. A privacy-preserving model co-training method, the co-training being performed by a server and a plurality of terminals, the method being performed by any one of the plurality of terminals, the method comprising:
obtaining a model to be trained from the server;
inputting a local training sample into the model, and determining an actual gradient corresponding to each parameter in the model according to a result output by the model;
determining a first specified number of maximum actual gradients from the actual gradients corresponding to the parameters;
determining a third probability and a fourth probability according to a preset second privacy budget and a second specified number, wherein the second specified number is positively correlated with the first specified number, the sum of the third probability and the fourth probability is 1, and the third probability is greater than the fourth probability;
sampling the first gradient set by using a third probability, and sampling the second gradient set by using a fourth probability to obtain a second specified number of actual gradients serving as a target gradient set; wherein the first gradient set is composed of the first specified number of largest actual gradients, the second gradient set includes: actual gradients, except for the first specified number of maximum actual gradients, in the actual gradients corresponding to the respective parameters;
aiming at each actual gradient in the target gradient set, obtaining each perturbation gradient corresponding to each actual gradient by adopting a preset randomization processing mode;
sending the obtained disturbance gradients to the server, so that the server aggregates the disturbance gradients sent by the plurality of terminals respectively to obtain trained model parameters, and thus obtains a trained model.
2. The method of claim 1, wherein the target gradient set comprises an arbitrary first actual gradient;
obtaining each perturbation gradient corresponding to each actual gradient by adopting a preset randomization processing mode, which comprises the following steps:
determining a first candidate gradient and a second candidate gradient;
selecting one of the first candidate gradient and the second candidate gradient according to the first actual gradient as the disturbance gradient corresponding to the first actual gradient.
3. The method of claim 2, wherein determining a first candidate gradient and a second candidate gradient comprises:
determining the first alternative gradient and the second alternative gradient according to a preset first privacy budget, wherein the first alternative gradient is a positive number negatively correlated with the first privacy budget, and the second alternative gradient is the inverse number of the first alternative gradient.
4. The method of claim 3, wherein selecting one of the first and second candidate gradients as the perturbation gradient of the first actual gradient comprises:
determining a first probability and a second probability corresponding to the first actual gradient according to the first actual gradient and the first privacy budget, wherein the first probability is positively correlated with the first actual gradient and the first privacy budget, and the sum of the first probability and the second probability is 1;
selecting the first candidate gradient with the first probability, selecting the second candidate gradient with the second probability, and taking the selection result as a perturbation gradient of the first actual gradient.
5. The method of claim 4, wherein prior to determining the first and second probabilities that the first actual gradient corresponds, the method further comprises:
determining a normalization interval for the first actual gradient, wherein the normalization interval is obtained according to an aggregation mode adopted by a server when each disturbance gradient is aggregated;
determining a first probability and a second probability corresponding to the first actual gradient, including:
normalizing the first actual gradient according to the normalization interval;
determining a first probability and a second probability corresponding to the first actual gradient according to the normalized first actual gradient.
6. The method of claim 1, wherein the first specified number is obtained from the server, the first specified number being derived from at least one of: the number of terminals participating in training, the number of parameters of the model, and the time elapsed since the model was last trained.
7. The method of claim 1, wherein the third probability is further determined according to a number of parameters of the model.
8. The method of any one of claims 1 to 7, wherein after sending the resulting perturbation gradients to the server, the method further comprises:
receiving the parameters of the trained model returned by the server to obtain the trained model.
9. A privacy-preserving model co-training method, the co-training being performed by a server and a number of terminals, the method being performed by the server, the method comprising:
for each terminal, receiving a disturbance gradient corresponding to the model parameter sent by the terminal; the perturbation gradient is obtained according to the method of any one of claims 1 to 8;
for each parameter of the model, aggregating the disturbance gradients corresponding to the parameter in the received disturbance gradients;
obtaining the trained model parameters according to the aggregation results obtained for the respective parameters, so as to obtain the trained model.
10. The method of claim 9, wherein before receiving the perturbation gradient corresponding to the model parameter sent by the terminal, the method further comprises:
determining a first specified number according to at least one of the number of terminals participating in training, the number of the model parameters and the time length of the model from the last training;
sending the first specified number to the terminal, so that the terminal determines the disturbance gradients it sends to the server according to the first specified number of maximum actual gradients.
11. The method of claim 9, wherein after obtaining the parameters of the trained model, the method further comprises:
sending the trained model parameters to each terminal so that each terminal can obtain the trained model.
12. A model co-training apparatus for protecting privacy, the co-training being performed by a server and a plurality of terminals, the apparatus being applied to any one of the plurality of terminals, the apparatus comprising:
a model to be trained obtaining unit configured to obtain a model to be trained from the server;
the actual gradient determining unit is configured to input a local training sample into the model, and determine actual gradients corresponding to parameters in the model according to a result output by the model;
a target gradient set determining unit configured to determine a first specified number of maximum actual gradients from the actual gradients corresponding to the respective parameters; determine a third probability and a fourth probability according to a preset second privacy budget and a second specified number, wherein the second specified number is positively correlated with the first specified number, the sum of the third probability and the fourth probability is 1, and the third probability is greater than the fourth probability; and sample the first gradient set using the third probability and the second gradient set using the fourth probability to obtain a second specified number of actual gradients as the target gradient set; wherein the first gradient set is composed of the first specified number of largest actual gradients, and the second gradient set includes the actual gradients corresponding to the parameters other than the first specified number of maximum actual gradients;
a disturbance gradient determining unit configured to obtain, for each actual gradient in the target gradient set, each disturbance gradient corresponding to each actual gradient by using a preset randomization processing manner;
the first sending unit is configured to send the obtained disturbance gradients to the server, so that the server aggregates the disturbance gradients sent by the plurality of terminals respectively to obtain trained model parameters and thus a trained model.
13. A model joint training device for protecting privacy, the joint training is jointly performed by a server and a plurality of terminals, the device is applied to the server, and the device comprises:
the disturbance gradient acquisition unit is configured to receive a disturbance gradient which is sent by each terminal and corresponds to the model parameters; the perturbation gradient is obtained by the terminal by using the device of claim 12;
an aggregation unit configured to aggregate, for each parameter of the model, a perturbation gradient corresponding to the parameter in the received respective perturbation gradients;
the parameter adjusting unit is configured to obtain the trained model parameters according to the aggregation results obtained for the respective parameters, so as to obtain the trained model.
14. A computer-readable storage medium, on which a computer program is stored which, when executed in a computer, causes the computer to carry out the method of any one of claims 1-11.
15. A computing device comprising a memory and a processor, wherein the memory has stored therein executable code that, when executed by the processor, implements the method of any of claims 1-11.
Application CN202011232037.9A (priority date 2020-11-06, filing date 2020-11-06): Model joint training method and device for protecting privacy. Status: Active. Granted publication: CN112182633B (en).
Publications (2)

CN112182633A (en), published 2021-01-05
CN112182633B (en), published 2023-03-10

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
REG Reference to a national code
Ref country code: HK
Ref legal event code: DE
Ref document number: 40043462
Country of ref document: HK

GR01 Patent grant
GR01 Patent grant