CN112347473A - Machine learning security aggregation prediction method and system supporting bidirectional privacy protection - Google Patents

Machine learning security aggregation prediction method and system supporting bidirectional privacy protection

Info

Publication number
CN112347473A
Authority
CN
China
Prior art keywords
share
prediction result
server
aggregation
blind
Prior art date
Legal status
Granted
Application number
CN202011230255.9A
Other languages
Chinese (zh)
Other versions
CN112347473B (en)
Inventor
赵川
赵埼
荆山
张波
陈贞翔
贾忠田
Current Assignee
Hangzhou Liang'an Technology Co ltd
Original Assignee
University of Jinan
Priority date
Filing date
Publication date
Application filed by University of Jinan
Priority to CN202011230255.9A
Publication of CN112347473A
Application granted
Publication of CN112347473B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/21 Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
    • G06F18/214 Generating training patterns; Bootstrap methods, e.g. bagging or boosting
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N20/00 Machine learning

Abstract

The application discloses a machine learning security aggregation prediction method and system supporting bidirectional privacy protection. The system comprises a client, computing servers and an aggregation server. The method comprises the following steps: a computing server receives a data share of the data to be predicted, sent by the client; the computing server processes the data share to obtain a prediction result share; the computing server blinds the prediction result share to obtain a blinded prediction result share; the computing server sends the blinded prediction result share to the aggregation server; and the aggregation server unblinds the blinded prediction result share, adds noise to it, and feeds the result back to the client.

Description

Machine learning security aggregation prediction method and system supporting bidirectional privacy protection
Technical Field
The application relates to the technical field of machine learning, in particular to a machine learning security aggregation prediction method and system supporting bidirectional privacy protection.
Background
The statements in this section merely provide background information related to the present disclosure and may not constitute prior art.
Driven by technologies such as big data and machine learning, artificial intelligence has changed the way people live, for example through face and speech recognition, recommendation systems and self-driving cars. But with the misuse of private information, leakage incidents have become frequent. The performance of machine learning and deep learning algorithms relies on large amounts of training data collected in advance, which may involve sensitive user information such as medical records and credit records. A large body of research shows that machine learning models are highly vulnerable to malicious attacks: since a model implicitly encodes information about its training data, an attacker can recover private information about that data by analysing the model. For example, Tramèr et al. attacked online machine learning prediction services (MLaaS) such as Amazon and BigML through their query prediction APIs and successfully extracted a model approximating the original; Fredrikson et al. recovered original training data by analysing the probability information output by a classifier; and the membership inference attack designed by Shokri et al. trains a number of shadow models to determine whether a given record appears in the training set. Once model parameters or training data are leaked, serious security threats and losses can result for enterprises and individuals.
With the disclosure of various privacy threats in machine learning, a great deal of research has been devoted to privacy protection in machine learning. For example, Papernot et al. proposed the privacy-preserving machine learning framework Private Aggregation of Teacher Ensembles (PATE), a "teacher-student" semi-supervised knowledge transfer model. PATE is based on the idea that if multiple independent models trained on disjoint datasets agree to a high degree on the output for the same input, that output reveals no private training data. The framework therefore partitions the private dataset, trains a plurality of independent teacher models on the private subsets, and transfers knowledge to a student model through an aggregation mechanism that satisfies differential privacy, i.e. the teacher models label public data for the student; the teacher models can be regarded as machine learning as a service. An adversary can only access the student model trained on public data, so the security of the private training data is protected. Intuitively, PATE provides a strong privacy guarantee and is flexibly scalable, but the framework also has certain limitations.
First, regarding privacy, PATE aggregates the prediction results of multiple teachers through a trusted aggregator; however, a fully trusted entity does not exist in reality, and if the aggregator is malicious or semi-honest the prediction results can be leaked directly. Second, when the student model has no public data, or the data it holds is also private, the privacy of the student's data cannot be ensured. Consider a hospital that wishes to train a machine learning model to help infer patients' conditions and to have its own (student) dataset labelled with the help of other hospitals (teachers): since patient data cannot be disclosed directly to the other hospitals (teachers), the PATE framework provides no effective privacy assurance. And if the adversary corrupts the student, the teacher models can be attacked in reverse through the teachers' prediction results (membership inference attack), so the privacy of the teacher models and their training data cannot be guaranteed either. These problems amount to a two-way privacy disclosure. In terms of performance, since the PATE framework obtains its privacy guarantee through differential privacy, the amount of data that can be predicted is limited in order to control the privacy cost. Furthermore, the PATE framework can only be deployed locally, i.e. the teacher models can only provide predictions locally, which requires the teachers to remain online at prediction time.
Disclosure of Invention
In order to overcome the defects of the prior art, the application provides a machine learning security aggregation prediction method and system supporting bidirectional privacy protection.
In a first aspect, the application provides a machine learning security aggregation prediction method supporting bidirectional privacy protection.
The machine learning security aggregation prediction method supporting bidirectional privacy protection comprises the following steps:
a computing server receives a data share of the data to be predicted, sent by the client;
the computing server processes the data share to obtain a prediction result share;
the computing server blinds the prediction result share to obtain a blinded prediction result share;
the computing server sends the blinded prediction result share to an aggregation server;
and the aggregation server unblinds the blinded prediction result share, adds noise to it, and feeds the result back to the client.
In a second aspect, the application provides a machine learning security aggregation prediction system supporting bidirectional privacy protection.
The machine learning security aggregation prediction system supporting bidirectional privacy protection comprises a client, computing servers and an aggregation server;
a computing server receives a data share of the data to be predicted, sent by the client; the computing server processes the data share to obtain a prediction result share; the computing server blinds the prediction result share to obtain a blinded prediction result share; the computing server sends the blinded prediction result share to the aggregation server; and the aggregation server unblinds the blinded prediction result share, adds noise to it, and feeds the result back to the client.
Compared with the prior art, the beneficial effects of this application are:
1. A security framework is presented that provides two-way privacy protection: it protects both the private training models (teacher models) and the private inputs (student inputs). For a model provider, the servers cannot obtain the complete model parameters and a user cannot attack the model or its original training data through the prediction results; for the user, the private input cannot be obtained by the model holders or the servers.
2. The high privacy cost that the traditional method incurs by adding differential privacy is avoided. The framework computes the information entropy of the prediction vector and adds noise to the vector dynamically according to that entropy, which effectively resists membership inference attacks without limiting the amount of data that can be predicted.
3. By combining SGX technology, the framework ensures that no valuable information can be obtained even if one server is corrupted by a malicious adversary during the computation, and at the same time protects the prediction outputs (teacher predictions) produced during the computation.
4. The flexibility of the PATE framework is increased: the servers receive and store the model shares in the offline stage, so model holders (teachers) do not need to take part in the online prediction process.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this application, illustrate embodiments of the application and, together with the description, serve to explain the application and are not intended to limit the application.
FIG. 1 is a flow chart of an off-line phase method of the first embodiment;
FIG. 2 is a flow chart of the online prediction calculation of the first embodiment;
fig. 3 is a diagram of the dependencies between the SecureNN base protocols of the first embodiment;
fig. 4 is a flowchart of the prediction result optimization according to the first embodiment.
Detailed Description
It should be noted that the following detailed description is exemplary and is intended to provide further explanation of the disclosure. Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs.
It is noted that the terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of example embodiments according to the present application. As used herein, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise, and it should be understood that the terms "comprises" and "comprising", and any variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
The embodiments and features of the embodiments in the present application may be combined with each other without conflict.
Interpretation of terms:
SecureNN: SecureNN is a three-party secure computation protocol proposed by Wagh et al. in 2018 that supports the training and prediction of neural networks. The protocol is mainly based on secret sharing; compared with earlier protocols that are only secure against a semi-honest adversary, SecureNN ensures that the input or output of an honest client cannot be learned even if any single server is corrupted by a malicious adversary. The protocol involves three servers: $S_0$ and $S_1$ hold 2-out-of-2 secret shares of the input at the start of protocol execution and 2-out-of-2 secret shares of the output at the end of the computation, while $S_2$ assists the other two servers in executing the protocol. For the nonlinear activation functions, besides fitting them with linear polynomials, SecureNN computes the ReLU function indirectly by first computing its derivative, which reduces the error introduced by a linear fit. Fig. 3 shows the dependencies between the SecureNN base protocols. The following are some of the primitives of the secret sharing technique.
Shared value: for a shared value $\langle a\rangle$ we have $\langle a\rangle_0 + \langle a\rangle_1 \equiv a \pmod F$, where $\langle a\rangle_0, \langle a\rangle_1, a \in F$ and $F$ is a finite field.
Sharing $\mathrm{share}_i(a)$: $S_i$ selects a value $r \in F$, sets $\langle a\rangle_i = a - r$ and sends $r$ to $S_{1-i}$; at $S_{1-i}$, $\langle a\rangle_{1-i} = r$.
Reconstruction $\mathrm{Rec}_i(a)$: $S_{1-i}$ sends its share $\langle a\rangle_{1-i}$ to $S_i$, and $S_i$ computes $a = \langle a\rangle_0 + \langle a\rangle_1$.
Addition $\langle c\rangle = \langle a\rangle + \langle b\rangle$: $S_i$ computes $\langle c\rangle_i = \langle a\rangle_i + \langle b\rangle_i$ locally, without interaction.
Multiplication $\langle c\rangle = \langle a\rangle \cdot \langle b\rangle$: multiplication relies on a pre-shared multiplication triple $\langle u\rangle_i, \langle v\rangle_i, \langle z\rangle_i$ with $\langle z\rangle = \langle u\rangle \cdot \langle v\rangle \bmod F$. $S_i$ first computes $\langle e\rangle_i = \langle a\rangle_i - \langle u\rangle_i$ and $\langle f\rangle_i = \langle b\rangle_i - \langle v\rangle_i$; both parties then run $\mathrm{Rec}(e)$ and $\mathrm{Rec}(f)$ and set $\langle c\rangle_i = -i \cdot e \cdot f + f \cdot \langle u\rangle_i + e \cdot \langle v\rangle_i + \langle z\rangle_i$.
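As an added illustration (not code from the patent), the four primitives above over the ring $Z_L$, $L = 2^{64}$, that the embodiments use for their shares, with the helper $S_2$ assumed to deal the multiplication triple. The multiplication step follows the output formula of the SecureNN paper, $\langle c\rangle_i = -i\cdot e\cdot f + f\cdot\langle a\rangle_i + e\cdot\langle b\rangle_i + \langle z\rangle_i$, which does reconstruct to $a \cdot b$; the variant transcribed above with $\langle u\rangle_i, \langle v\rangle_i$ in place of $\langle a\rangle_i, \langle b\rangle_i$ does not, so the code does not use it.

```python
import secrets

# 2-out-of-2 additive secret sharing over the ring Z_L, L = 2^64 (the ring the
# embodiments use for model and data shares). The term list above is written
# for a generic finite field F; the arithmetic is identical with F := Z_L.
L = 2 ** 64


def share(a):
    """share_i(a): pick r uniformly in Z_L and return (<a>_0, <a>_1) = (a - r, r)."""
    r = secrets.randbelow(L)
    return ((a - r) % L, r)


def rec(shares):
    """Rec(a): a = <a>_0 + <a>_1 mod L (one party sends its share to the other)."""
    return (shares[0] + shares[1]) % L


def add(x, y):
    """<c> = <a> + <b>: each S_i adds its own two shares locally, no interaction."""
    return ((x[0] + y[0]) % L, (x[1] + y[1]) % L)


def beaver_triple():
    """Assumed role of the helper server S_2: sample u, v uniformly, set
    z = u * v mod L and hand S_0 and S_1 one share each of (u, v, z)."""
    u, v = secrets.randbelow(L), secrets.randbelow(L)
    z = (u * v) % L
    return share(u), share(v), share(z)


def mul(x, y, triple):
    """<c> = <a> . <b> using a pre-shared triple.

    e = a - u and f = b - v are the only values opened; they are uniform in
    Z_L because u and v are, so they leak nothing about a or b.
    Output (SecureNN form): <c>_i = -i*e*f + f*<a>_i + e*<b>_i + <z>_i.
    """
    us, vs, zs = triple
    e_shares = ((x[0] - us[0]) % L, (x[1] - us[1]) % L)
    f_shares = ((y[0] - vs[0]) % L, (y[1] - vs[1]) % L)
    e, f = rec(e_shares), rec(f_shares)
    return tuple((-i * e * f + f * x[i] + e * y[i] + zs[i]) % L for i in (0, 1))


def demo(a, b):
    """Share a and b, compute a + b and a * b on shares, reconstruct both."""
    xa, xb = share(a), share(b)
    total = rec(add(xa, xb))
    product = rec(mul(xa, xb, beaver_triple()))
    return total, product
```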
Intel SGX: Intel Software Guard Extensions is a set of new instructions and memory access mechanisms added to the Intel architecture. These extensions allow an application to instantiate a protected region called an Enclave. Operations can be executed inside it in a secure environment, with confidentiality and integrity protection even in the presence of privileged system software or malicious programs, so that the code and data inside cannot be maliciously tampered with or read. Enclave code and data can optionally be examined and analysed before the Enclave is created. Once the application's code and data are loaded into an Enclave, all external software access to them is protected and any attempt to access or modify the Enclave's contents is blocked. SGX provides two attestation mechanisms, local attestation and remote attestation, to ensure that an attested application runs safely in a trusted environment.
Example one
The embodiment provides a machine learning security aggregation prediction method supporting bidirectional privacy protection;
the machine learning security aggregation prediction method supporting bidirectional privacy protection comprises the following steps:
S101: a computing server receives a data share of the data to be predicted, sent by the client;
S102: the computing server processes the data share to obtain a prediction result share;
S103: the computing server blinds the prediction result share to obtain a blinded prediction result share;
S104: the computing server sends the blinded prediction result share to an aggregation server;
S105: and the aggregation server unblinds the blinded prediction result share, adds noise to it, and feeds the result back to the client.
As one or more embodiments, before step S101 the method further includes:
S1001: a model holder divides its locally trained machine learning model into a plurality of model shares and sends each model share to the corresponding computing server;
S1002: the aggregation server randomly generates blinding matrices in the trusted region and sends them to the corresponding computing servers.
Further, before step S1001 the method further includes:
S1000: the aggregation server creates an Enclave trusted zone, and the model holder and the computing server perform remote attestation to ensure that the computing server operates in a secure SGX environment.
Further, in S1001 the model holder divides the locally trained model into two model shares; that is, the model holder splits the locally trained model into a plurality of model shares using secret sharing.
Illustratively, S1001, in which the model holder divides the locally trained model into two model shares, is implemented as follows:
$P_i$ divides the locally trained model $W_i$ into two model shares using secret sharing: $P_i$ randomly selects $r \in Z_L$, where $Z_L$ is the ring of integers modulo $L = 2^{64}$, computes the model shares $\mathrm{share}_0(W_i) = W_i - r \pmod L$ and $\mathrm{share}_1(W_i) = r$, and sends them to the two computing servers $S_0, S_1$. The computing servers never see the original model; each obtains only its model share.
Illustratively, S1002, in which the aggregation server randomly generates blinding matrices in the trusted region and sends them to the corresponding computing servers, is implemented as follows:
The aggregation server randomly generates the blinding matrices $\mathrm{mask}_0$ and $\mathrm{mask}_1$ inside the Enclave and sends them to the computing servers through a secure channel.
The blinding matrices protect the prediction result shares after the computing servers finish the prediction computation, so that the shares cannot be attacked in the untrusted region of the aggregation server.
It should be understood that the blinding matrix is a random matrix used to protect the prediction shares. It is generated in the trusted Enclave and then sent to the two computing servers through a secure channel; after the computing servers complete model prediction, they blind their prediction result shares with it.
Consider the case without a blinding matrix: the two servers would compute the prediction shares $\mathrm{share}_0(Y_i)$ and $\mathrm{share}_1(Y_i)$ and send them directly to the aggregation server.
The untrusted aggregation server could then directly reconstruct the prediction result $Y_i = \mathrm{share}_0(Y_i) + \mathrm{share}_1(Y_i)$, directly revealing the user's private prediction result; moreover, the adversary could use the prediction result to attack the training model indirectly, for example through a membership inference attack.
After the blinding matrix is added, the untrusted server receives only the blinded prediction shares, and reconstruction yields the blinded prediction result $Y_{\mathrm{mask}} = \mathrm{share}_0(Y_i) + \mathrm{mask}_0 + \mathrm{share}_1(Y_i) + \mathrm{mask}_1 = Y_i + \mathrm{mask}$; the blinding matrix can only be removed inside the Enclave, so the prediction result is not revealed.
The blinding matrix is generated as follows: a random matrix is sampled from the uniform distribution, with the same data type as the prediction secret shares.
As will be appreciated, Enclave: an Intel SGX program consists of two parts, an untrusted application and a trusted Enclave. At runtime the Intel SGX instructions create the trusted Enclave in a specific protected memory region to hold the data and code to be protected, which effectively prevents data leakage.
Further, S1000, S1001 and S1002 are all completed in the offline stage, as shown in fig. 1.
As one or more embodiments, S101, in which a computing server receives a data share of the data to be predicted sent by the client, comprises the following specific steps:
the first computing server receives a first data share of the data to be predicted, sent by the client; and the second computing server receives a second data share of the data to be predicted, sent by the client.
Illustratively, S101, in which a computing server receives a data share of the data to be predicted sent by the client, comprises the following specific steps:
The client and the computing servers perform remote attestation to ensure the security, authenticity and integrity of the computing server hardware. After attestation passes, the client $C$ divides the data $x$ to be predicted into two data shares $\mathrm{share}_0(x) = r$ and $\mathrm{share}_1(x) = x - r \pmod L$ and sends them to the servers $S_0, S_1$.
share() is the sharing operation: to protect its private input $x$, the client selects a random value $r \in Z_L$, where $Z_L$ is the ring of integers modulo $L = 2^{64}$, as the first secret share $\mathrm{share}_0(x)$;
it then computes $x - r \pmod L$ as the second secret share $\mathrm{share}_1(x)$ and sends the two secret shares to the servers, where mod is the modulo operation.
As one or more embodiments, S102, in which the computing server processes the data share to obtain a prediction result share, comprises the following specific steps:
the first computing server computes a first prediction result share based on the first data share; the second computing server computes a second prediction result share based on the second data share.
Illustratively, S102, in which the computing server processes the data share to obtain a prediction result share, comprises the following specific steps:
The servers $S_0, S_1, S_2$ carry out the secure three-party prediction computation based on the SecureNN protocol and obtain the prediction result shares $\mathrm{share}_0(Y_i)$ and $\mathrm{share}_1(Y_i)$.
It should be understood that the computation between the servers in this application is essentially a computation on secret shares.
Before the secure multiparty computation, $S_0$ holds the model share $\mathrm{share}_0(W_i)$ and the user's data share $\mathrm{share}_0(x)$, and $S_1$ holds the model share $\mathrm{share}_1(W_i)$ and the user's data share $\mathrm{share}_1(x)$. With the assistance of $S_2$, the two servers complete the interactive computation of the SecureNN protocol and obtain their respective prediction result shares $\mathrm{share}_0(Y_i)$ and $\mathrm{share}_1(Y_i)$.
The SecureNN protocol comprises secret-sharing-based base protocols such as addition, multiplication, matrix multiplication, activation functions and private comparison, and can complete machine learning prediction computations.
As one or more embodiments, S103, in which the computing server blinds the prediction result share to obtain a blinded prediction result share, comprises the following specific steps:
the first computing server blinds the first prediction result share to obtain a first blinded prediction result share; and the second computing server blinds the second prediction result share to obtain a second blinded prediction result share.
Further, the first computing server blinds the first prediction result share to obtain a first blinded prediction result share as follows: the first computing server blinds the first prediction result share with the first blinding matrix to obtain the first blinded prediction result share.
Further, the second computing server blinds the second prediction result share to obtain a second blinded prediction result share as follows: the second computing server blinds the second prediction result share with the second blinding matrix to obtain the second blinded prediction result share.
Illustratively, S103, in which the computing server blinds the prediction result share to obtain a blinded prediction result share, comprises the following specific steps:
The computing servers $S_0, S_1$ each blind the prediction result share they hold, i.e. using the previously obtained blinding matrix
Figure BDA0002764957520000101
It should be understood that if the prediction shares were not blinded, the aggregation server, on obtaining $\mathrm{share}_0(Y_i)$ and $\mathrm{share}_1(Y_i)$, could directly reconstruct $Y_i = \mathrm{share}_0(Y_i) + \mathrm{share}_1(Y_i)$ and the prediction result would leak.
Further, step S103, in which the computing server blinds the prediction result share to obtain a blinded prediction result share, comprises the following specific step:
the computing server blinds the prediction result share with a blinding matrix to obtain the blinded prediction result share.
Further, the step of obtaining the blinding matrix includes:
the aggregation server randomly generates the blinding matrix in the trusted region.
As one or more embodiments, S104, in which the computing server sends the blinded prediction result share to an aggregation server, comprises the following specific steps:
the first computing server sends the first blinded prediction result share to the aggregation server; the second computing server sends the second blinded prediction result share to the aggregation server.
As one or more embodiments, S105, in which the aggregation server unblinds the blinded prediction result share, adds noise to it and feeds the result back to the client, comprises the following specific steps:
S1051: the aggregation server reconstructs the blinded prediction result from the first blinded prediction result share and the second blinded prediction result share in the untrusted region, obtaining a third blinded prediction result share;
S1052: the aggregation server unblinds the third blinded prediction result share in the trusted region to obtain an intermediate result, and computes an aggregated prediction result based on the intermediate result;
S1053: the aggregation server adds noise to the aggregated prediction result and sends the noised aggregated prediction result to the client.
Further, S1051, in which the aggregation server reconstructs the blinded prediction result from the first and second blinded prediction result shares in the untrusted region to obtain a third blinded prediction result share, comprises the following specific step:
the aggregation server obtains the blinded prediction result shares and first reconstructs the blinded prediction result in the untrusted region: $Y_{\mathrm{mask}} = \mathrm{share}_0(Y_i) + \mathrm{mask}_0 + \mathrm{share}_1(Y_i) + \mathrm{mask}_1 = Y_i + \mathrm{mask}$.
It should be understood that the prediction $Y_i$ is not revealed here, since the blinding matrix is not available in the untrusted region.
Further, S1052, in which the aggregation server unblinds the third blinded prediction result share in the trusted region to obtain an intermediate result, comprises the following specific step:
the aggregation server removes the blinding matrix inside the trusted zone Enclave to obtain the prediction result:
$Y_i = Y_{\mathrm{mask}} - \mathrm{mask}$.
Further, S1052, in which the aggregation server computes an aggregated prediction result based on the intermediate result, comprises the following specific step:
the aggregation server computes the aggregated prediction result by soft voting:
Figure BDA0002764957520000121
Soft voting has a higher accuracy than hard voting.
Further, S1053, in which the aggregation server adds noise to the aggregated prediction result and sends the noised aggregated prediction result to the client, comprises the following specific steps:
the aggregation server first computes the entropy of the result:
Figure BDA0002764957520000122
For prediction vectors with higher entropy, less noise is added; for prediction vectors with lower entropy, more noise is added.
According to the entropy, the aggregation server computes the corresponding noise coefficient:
Figure BDA0002764957520000123
where $d$ is the class distribution of the training data;
finally, the aggregation server adds noise to the prediction: $Y'_a = Y_a + N \cdot c \cdot (d - Y_a)$, where $c$ is a control coefficient that controls the magnitude of the added noise.
To solve the privacy disclosure problem of the PATE framework during knowledge transfer from teacher models to a student model, and to overcome the performance limitations of the PATE framework, a scheme combining secret sharing with SGX trusted computing is proposed. In the offline stage, a model holder (teacher) uses secret sharing to divide its locally trained model into two model shares, which are uploaded to and stored on two computing servers; in addition, the aggregation server generates blinding matrices in the trusted region and sends them to the two computing servers to protect the prediction results. In the online prediction stage, shown in fig. 2, the client (student) likewise uploads the private data to be predicted to the two servers in share form for the prediction computation; the computing servers protect their prediction result shares with the blinding matrices; the aggregation server receives the blinded prediction shares, removes the blinding matrix inside the trusted zone, aggregates the prediction results from the multiple private models, adds noise to the aggregated result as an optimizing protection, and returns the aggregated result to the client, as shown in fig. 4.
The method involves three parties: the model holders, the servers (two computing servers and an aggregation server), and the client. The specific steps are as follows:
1. The model holder P_i divides its locally trained model W_i into two model shares share_0(W_i) and share_1(W_i) and sends them to the computing servers S_0, S_1.
2. The aggregation server S_2 randomly generates blinding matrices mask_0, mask_1 in the trusted zone (Enclave), with mask = mask_0 + mask_1, and sends them to the computing servers S_0, S_1 through a secure channel.
3. The client C divides the data x to be predicted into two data shares share_0(x) and share_1(x) and sends them to the servers S_0, S_1.
4. The servers S_0, S_1 compute the prediction result on the model shares they hold, namely share_0(Y_i) and share_1(Y_i), where Y is the prediction vector Y = (y_1, y_2, ..., y_j), j is the number of categories of the prediction result, and y is the prediction probability.
5. The servers S_0, S_1 blind their shares of the prediction result:
Figure BDA0002764957520000131
and send the blinded result to the aggregation server.
6. The aggregation server computes the blinded prediction result in the untrusted zone: Y_mask = share_0(Y_i) + mask_0 + share_1(Y_i) + mask_1 = Y_i + mask.
7. The aggregation server removes the blinding in the trusted zone (Enclave): Y_i = Y_mask - mask.
8. The aggregation server computes the aggregated prediction result using soft voting:
Figure BDA0002764957520000132
9. The aggregation server optimizes the aggregation result by adding noise, reducing the information entropy of the prediction result, and sends the noise-added prediction result Y'_a to the client C.
Table 1, Algorithm 1: execution of the framework
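The blinding, aggregation and entropy-driven noise steps above (steps 2 and 5 to 9, and S1053) as an added example written here in Python; it is not code from the patent. The 32-bit ring, the 16-bit fixed-point encoding, the noise-coefficient formula N = 1 - H(Y_a)/log(j), and standing in for the two-party inference of step 4 by sharing each teacher's output Y_i directly are all assumptions of this example.

```python
import math
import secrets

MOD = 2 ** 32     # ring for additive sharing (assumed; the page fixes no ring)
SCALE = 2 ** 16   # fixed-point scale for probabilities in [0, 1] (assumed)

def encode(p):
    """Probability -> ring element (sharing over a finite ring, not over floats)."""
    return int(round(p * SCALE)) % MOD

def share(vec):
    """2-out-of-2 additive sharing: share0 is uniform, share1 = vec - share0."""
    s0 = [secrets.randbelow(MOD) for _ in vec]
    return s0, [(v - a) % MOD for v, a in zip(vec, s0)]

def gen_masks(j):
    """Step 2: the enclave draws mask0, mask1 and keeps mask = mask0 + mask1."""
    m0 = [secrets.randbelow(MOD) for _ in range(j)]
    m1 = [secrets.randbelow(MOD) for _ in range(j)]
    return m0, m1, [(a + b) % MOD for a, b in zip(m0, m1)]

def blind(share_k, mask_k):
    """Step 5: server S_k adds its mask share to its prediction share."""
    return [(s + m) % MOD for s, m in zip(share_k, mask_k)]

def reconstruct_untrusted(b0, b1):
    """Step 6: the untrusted zone sums blinded shares and sees only Y_i + mask."""
    return [(a + b) % MOD for a, b in zip(b0, b1)]

def unblind_in_enclave(y_mask, mask):
    """Step 7: inside the enclave, Y_i = Y_mask - mask, decoded back to floats."""
    return [((y - m) % MOD) / SCALE for y, m in zip(y_mask, mask)]

def soft_vote(preds):
    """Step 8: average the probability vectors of the teacher models."""
    return [sum(p[k] for p in preds) / len(preds) for k in range(len(preds[0]))]

def entropy(p):
    return -sum(x * math.log(x) for x in p if x > 0)

def add_noise(y_a, d, c):
    """Step 9 / S1053: Y'_a = Y_a + N*c*(d - Y_a). The page's formula for the
    noise coefficient N survives only as an image; N = 1 - H(Y_a)/log(j) is
    assumed here: a high-entropy result gets little noise, a confident one more."""
    n_coef = 1.0 - entropy(y_a) / math.log(len(y_a))
    return [y + n_coef * c * (dk - y) for y, dk in zip(y_a, d)]

def run_round(teacher_preds, d, c=0.5):
    """Steps 5-9 for one client query. Step 4 (two-party inference on model and
    data shares) is stood in for by sharing each teacher's output Y_i directly."""
    recovered = []
    for y_i in teacher_preds:
        s0, s1 = share([encode(p) for p in y_i])
        m0, m1, mask = gen_masks(len(y_i))
        y_mask = reconstruct_untrusted(blind(s0, m0), blind(s1, m1))
        recovered.append(unblind_in_enclave(y_mask, mask))
    y_a = soft_vote(recovered)
    return y_a, add_noise(y_a, d, c)
```

Because mask is uniform over the ring, the value Y_mask seen in the untrusted zone is independent of Y_i; the enclave is the only place where mask and Y_mask meet.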
Figure BDA0002764957520000141
Figure BDA0002764957520000151
Example two
This embodiment provides a machine learning security aggregation prediction system supporting bidirectional privacy protection.
The machine learning security aggregation prediction system supporting bidirectional privacy protection comprises a client, a computing server and an aggregation server;
the computing server receives a data share of the data to be predicted, the data share being sent by the client; the computing server processes the data share to obtain a prediction result share; the computing server carries out blinding processing on the prediction result share to obtain a blinded prediction result share; the computing server sends the blinded prediction result share to the aggregation server; and the aggregation server performs de-blinding processing and noise adding processing on the blinded prediction result share, and feeds back the result to the client.
In the foregoing embodiments, the descriptions of the embodiments have different emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
The above description is only a preferred embodiment of the present application and is not intended to limit the present application, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application.

Claims (10)

1. A machine learning security aggregation prediction method supporting bidirectional privacy protection, characterized by comprising the following steps:
a computing server receives a data share of data to be predicted, the data share being sent by a client;
the computing server processes the data share to obtain a prediction result share;
the computing server carries out blinding processing on the prediction result share to obtain a blinded prediction result share;
the computing server sends the blinded prediction result share to an aggregation server;
and the aggregation server performs de-blinding processing and noise adding processing on the blinded prediction result share, and feeds back the result to the client.
2. The method for machine learning security aggregation prediction with support of two-way privacy protection as claimed in claim 1, wherein before the step of receiving, by the computing server, the data share of the data to be predicted sent by the client, the method further comprises:
dividing the locally trained machine learning model into a plurality of model shares by a model holder; sending the model share to a corresponding calculation server;
and the aggregation server randomly generates a blinding matrix in the trusted zone and sends the blinding matrix to the corresponding computing server.
3. The machine learning security aggregation prediction method supporting bidirectional privacy protection as claimed in claim 1, wherein the computing server receives data shares of data to be predicted sent by a client; the method comprises the following specific steps:
a first computing server receives a first data share of data to be predicted, which is sent by a client; and the second computing server receives a second data share of the data to be predicted, which is sent by the client.
4. The machine learning security aggregation prediction method supporting bidirectional privacy protection as claimed in claim 3, wherein the computation server processes data shares to obtain a prediction result; the method comprises the following specific steps:
the first calculation server calculates a first prediction result based on the first data share; the second computing server computes a second prediction result based on the second data share.
5. The machine learning security aggregation prediction method supporting bidirectional privacy protection as claimed in claim 4, wherein the computation server performs blinding processing on the prediction result share to obtain a blinded prediction result share; the method comprises the following specific steps:
the first calculation server carries out blind processing on the first prediction result share to obtain a first blind prediction result share; and the second calculation server performs blind processing on the second prediction result share to obtain a second blind prediction result share.
6. The machine learning security aggregation prediction method supporting bidirectional privacy protection as claimed in claim 4, wherein the computation server performs blinding processing on the prediction result share to obtain a blinded prediction result share; the method comprises the following specific steps:
and the calculation server performs blind processing on the share of the prediction result by adopting a blind matrix to obtain the share of the blind prediction result.
7. The method of claim 6, wherein the step of obtaining the blinding matrix comprises: the aggregation server randomly generates the blinding matrix in the trusted zone.
8. The machine-learning security aggregate prediction method supporting two-way privacy protection as claimed in claim 5, wherein the computation server sends a blinded prediction result share to an aggregation server; the method comprises the following specific steps:
the first computing server sends the first blinded prediction result share to the aggregation server; the second computing server sends the second blinded prediction result share to the aggregation server.
9. The machine learning security aggregation prediction method supporting bidirectional privacy protection as claimed in claim 8, wherein the aggregation server performs de-blinding processing and noise adding processing on the blinded prediction result share, and feeds back the result to the client; the method comprises the following specific steps:
the aggregation server reconstructs the blinded prediction result from the first blinded prediction result share and the second blinded prediction result share in the untrusted zone to obtain a third blinded prediction result share;
the aggregation server carries out de-blinding processing on the third blinded prediction result share in the trusted zone to obtain an intermediate result; the aggregation server calculates an aggregation prediction result based on the intermediate result;
and the aggregation server performs noise processing on the aggregation prediction result and sends the noise-processed aggregation prediction result to the client.
10. A machine learning security aggregation prediction system supporting bidirectional privacy protection, characterized by comprising a client, a computing server and an aggregation server;
the computing server receives a data share of data to be predicted, the data share being sent by the client; the computing server processes the data share to obtain a prediction result share; the computing server carries out blinding processing on the prediction result share to obtain a blinded prediction result share; the computing server sends the blinded prediction result share to the aggregation server; and the aggregation server performs de-blinding processing and noise adding processing on the blinded prediction result share, and feeds back the result to the client.
CN202011230255.9A 2020-11-06 2020-11-06 Machine learning security aggregation prediction method and system supporting bidirectional privacy protection Active CN112347473B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011230255.9A CN112347473B (en) 2020-11-06 2020-11-06 Machine learning security aggregation prediction method and system supporting bidirectional privacy protection

Publications (2)

Publication Number Publication Date
CN112347473A true CN112347473A (en) 2021-02-09
CN112347473B CN112347473B (en) 2022-07-26

Family

ID=74428562

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113378191A (en) * 2021-06-01 2021-09-10 贵州大学 Safe multi-party computing scheme based on information entropy under semi-honest model
CN115455488A (en) * 2022-11-15 2022-12-09 哈尔滨工业大学(深圳)(哈尔滨工业大学深圳科技创新研究院) Secret database query method and device based on secret copy sharing

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106411533A (en) * 2016-11-10 2017-02-15 西安电子科技大学 On-line fingerprint authentication system and method based on bidirectional privacy protection
US20170353855A1 (en) * 2016-06-02 2017-12-07 The Regents Of The University Of California Privacy-preserving stream analytics
CN107509001A (en) * 2017-08-15 2017-12-22 北京智讯创新信息技术有限公司 A kind of method and system that secret protection number is provided for express delivery user
US20180373882A1 (en) * 2017-06-23 2018-12-27 Thijs Veugen Privacy preserving computation protocol for data analytics
CN109194523A (en) * 2018-10-01 2019-01-11 西安电子科技大学 The multi-party diagnostic model fusion method and system, cloud server of secret protection
CN110135847A (en) * 2019-05-22 2019-08-16 同济大学 The system and method for being used to improve electronic auction safety based on block chain
CN110572253A (en) * 2019-09-16 2019-12-13 济南大学 Method and system for enhancing privacy of federated learning training data
CN110647765A (en) * 2019-09-19 2020-01-03 济南大学 Privacy protection method and system based on knowledge migration under collaborative learning framework
CN111275202A (en) * 2020-02-20 2020-06-12 济南大学 Machine learning prediction method and system for data privacy protection

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
赵川 et al.: "Practical secure two-party computation and its application to genome sequence alignment", Journal of Cryptologic Research *
赵川 et al.: "Practical secure two-party computation and its application to genome sequence alignment", Journal of Cryptologic Research, no. 02, 15 April 2019 (2019-04-15), pages 197 - 198 *
邹徐熹 et al.: "(m+1,t+1) threshold secret sharing scheme based on a special difference equation in cloud computing", Computer Engineering, vol. 43, no. 01, 15 January 2017 (2017-01-15), pages 9 - 11 *

Also Published As

Publication number Publication date
CN112347473B (en) 2022-07-26

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right
Effective date of registration: 20221129
Address after: 311401 Room 1324, 13/F, Building 13, Fuchun Park, Zhigu, China, Yinhu Street, Fuyang District, Hangzhou City, Zhejiang Province
Patentee after: Hangzhou Liang'an Technology Co.,Ltd.
Address before: 250022 No. 336, South Xin Zhuang West Road, Shizhong District, Ji'nan, Shandong
Patentee before: University of Jinan
CP02 Change in the address of a patent holder
Address after: 311100 1005-21, Floor 10, Building H, Haichuang Park, CEC Haikang Group Co., Ltd., No. 198, Aicheng Street, Wuchang Street, Yuhang District, Hangzhou City, Zhejiang Province
Patentee after: Hangzhou Liang'an Technology Co.,Ltd.
Address before: 311401 Room 1324, 13/F, Building 13, Fuchun Park, Zhigu, China, Yinhu Street, Fuyang District, Hangzhou City, Zhejiang Province
Patentee before: Hangzhou Liang'an Technology Co.,Ltd.