CN112733196A - Privacy protection method and system for resisting member reasoning attack based on vector confusion - Google Patents

Info

Publication number
CN112733196A
Authority
CN
China
Prior art keywords
vector
confusion
model
maximum value
prediction
Legal status
Granted
Application number
CN202110358755.9A
Other languages
Chinese (zh)
Other versions
CN112733196B (en)
Inventor
李红程
华炜
Current Assignee
Zhejiang Lab
Original Assignee
Zhejiang Lab
Application filed by Zhejiang Lab
Priority to CN202110358755.9A
Publication of CN112733196A
Application granted
Publication of CN112733196B
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes

Abstract

The invention discloses a privacy protection method and system for resisting membership inference attacks based on vector obfuscation. A prediction vector output by a classification model is first given an obfuscation transformation that satisfies the vector availability constraint and the order-preserving requirement, then a perturbation transformation that is random and also satisfies the vector availability constraint and the order-preserving requirement, and the transformed noise vector is returned as the model's classification result. The method needs neither modification of the target classification model nor knowledge of the specific technical details of the membership inference attack, so it can be applied simply and quickly to existing classification models at low cost and with a wide range of application. The vector availability constraint provides a flexible configuration scheme that balances the usability of the prediction result against the privacy protection of the model; the added random perturbation markedly reduces the chance that an attacker can recover the prediction vector from the noise vector, improving the robustness of the method; and the order-preserving requirement guarantees that the model's resistance to membership inference attacks improves without reducing its prediction accuracy.

Description

Privacy protection method and system for resisting member reasoning attack based on vector confusion
Technical Field
The invention relates to the intersection of artificial intelligence and information security, and in particular to a privacy protection method and system for resisting membership inference attacks based on vector obfuscation.
Background
Artificial intelligence technologies such as machine learning and deep learning are currently developing rapidly, and AI models are actively deployed in many fields to solve specific problems; for example, deep learning models are used in medicine for intelligent diagnosis, and models trained on massive financial data are used in finance for automatic decision-making such as quantitative trading. Such models must be trained on large amounts of data, which often contain users' private information, and training directly on that information exposes the model to a serious risk of privacy disclosure.
The membership inference attack is an intuitive and effective means of stealing private information from a trained target model. A model's prediction performance on its own training data often differs from its performance on non-training data, and a membership inference attack exploits this difference to decide whether a given data sample was used to train the target model. Extensive research has shown that an attacker needs only to send data access requests to the target model, without knowing its specific structure, training method or other details, and can determine from the returned prediction vector whether the corresponding input was used to train the model.
Against membership inference attacks, many researchers regard overfitting as the main reason the attack succeeds and design regularization methods that reduce the model's generalization error, such as dropout, L2 regularization and min-max training; these methods require retraining the model, are costly, may reduce the model's prediction accuracy, and many of them suit only deep learning models. Other researchers work directly on the prediction vector returned by the model, processing it to eliminate the performance difference between training-set and non-training-set data, for example by restricting the prediction vector to the top K classes or adding adversarial perturbation to it; these methods sacrifice some of the usability of the prediction vector. Researchers have also turned to differential privacy to counter membership inference attacks, but such methods face many application challenges, such as the difficulty of balancing the model's privacy protection against its prediction capability.
Disclosure of Invention
In order to overcome the defects of the prior art and achieve privacy protection against membership inference attacks, the invention adopts the following technical scheme:
The privacy protection method for resisting membership inference attacks based on vector obfuscation comprises the following steps:
S1, input the data sample E into the classification model M to obtain the prediction vector of the classification model M for the data sample E
Figure 458608DEST_PATH_IMAGE001
where K is an integer with K ≥ 2 and represents the number of classes;
S2, set an obfuscation transformation T with the order-preserving property and apply T to the prediction vector C to obtain the obfuscated vector
Figure 3597DEST_PATH_IMAGE002
The order-preserving property of the obfuscation transformation T means that, for any i and j (i = 1, 2, …, K; j = 1, 2, …, K; i ≠ j), if
Figure 457712DEST_PATH_IMAGE003
then
Figure 360946DEST_PATH_IMAGE004
and if
Figure 900512DEST_PATH_IMAGE005
then
Figure 547394DEST_PATH_IMAGE006
At the same time, the obfuscation transformation T satisfies the vector availability constraint D, where D is a distance metric function, i.e.
Figure 652753DEST_PATH_IMAGE007
where d is a preset upper distance limit; the order-preserving requirement guarantees that the model's resistance to membership inference attacks improves without reducing its prediction accuracy;
S3, add a random perturbation vector to the obfuscated vector H
Figure 602254DEST_PATH_IMAGE008
to generate the noise vector
Figure 691433DEST_PATH_IMAGE009
i.e.
Figure 643471DEST_PATH_IMAGE010
where
Figure 806599DEST_PATH_IMAGE011
After adding the random perturbation vector
Figure 51635DEST_PATH_IMAGE012
the relative sizes of the elements of the obfuscated vector H are unchanged, i.e. for any i and j (i = 1, 2, …, K; j = 1, 2, …, K; i ≠ j), if
Figure 831373DEST_PATH_IMAGE013
then
Figure 820057DEST_PATH_IMAGE014
i.e.
Figure 837692DEST_PATH_IMAGE015
and if
Figure 519209DEST_PATH_IMAGE016
then
Figure 255084DEST_PATH_IMAGE017
i.e.
Figure 286274DEST_PATH_IMAGE018
The added random perturbation markedly reduces the chance that an attacker can recover the prediction vector from the noise vector, improving the robustness of the method;
S4, take the noise vector N as the final result of the classification model M and output it.
Further, step S2 includes the following steps:
S21, set a hyper-parameter alpha of the obfuscation transformation T, where alpha represents, for the obfuscated vector
Figure 751891DEST_PATH_IMAGE019
the target difference between its maximum value
Figure 479675DEST_PATH_IMAGE020
and its second-largest value
Figure 234005DEST_PATH_IMAGE021
i.e.
Figure 33334DEST_PATH_IMAGE022
Figure 150194DEST_PATH_IMAGE023
where
Figure 783301DEST_PATH_IMAGE024
Figure 119866DEST_PATH_IMAGE025
are, respectively, the subscripts of the maximum value
Figure 129411DEST_PATH_IMAGE020
and the second-largest value
Figure 772882DEST_PATH_IMAGE021
in the obfuscated vector H,
Figure 170365DEST_PATH_IMAGE026
and
Figure 227183DEST_PATH_IMAGE027
S22, apply the order-preserving transformation to the prediction vector C to generate the obfuscated vector H;
let the difference between the maximum value in the obfuscated vector H
Figure 305997DEST_PATH_IMAGE020
and the maximum value in the prediction vector C
Figure 397450DEST_PATH_IMAGE028
be delta, i.e.
Figure 372359DEST_PATH_IMAGE029
and let the sum of the elements of the prediction vector C be
Figure 680587DEST_PATH_IMAGE030
The elements of the obfuscated vector H other than its maximum value
Figure 31934DEST_PATH_IMAGE031
are calculated according to the following formula:
Figure 977894DEST_PATH_IMAGE032
Figure 123704DEST_PATH_IMAGE033
Since
Figure 155114DEST_PATH_IMAGE034
we obtain
Figure 310152DEST_PATH_IMAGE035
and finally the elements of the obfuscated vector H are obtained from the element calculation formula above.
Further, in step S22, since
Figure 110618DEST_PATH_IMAGE036
and since
Figure 692909DEST_PATH_IMAGE037
we obtain
Figure 713080DEST_PATH_IMAGE038
from which it can be seen that the obfuscation transformation T implements an order-preserving transformation with a constant sum of vector elements.
Further, in step S21, a hyper-parameter beta of the obfuscation transformation T is also set;
beta is a parameter of the vector availability constraint that the obfuscated vector H must satisfy (beta ≥ 0). It specifies the maximum allowed difference between alpha, the difference between the maximum value
Figure 406229DEST_PATH_IMAGE020
and second-largest value
Figure 61201DEST_PATH_IMAGE039
of the obfuscated vector H, and d, the difference between the maximum value
Figure 79973DEST_PATH_IMAGE040
and second-largest value
Figure 820396DEST_PATH_IMAGE041
of the prediction vector C; that is, alpha has to satisfy
Figure 317236DEST_PATH_IMAGE042
If alpha is less than
Figure 92294DEST_PATH_IMAGE043
then alpha is set to
Figure 16388DEST_PATH_IMAGE043
and if alpha is greater than
Figure 2362DEST_PATH_IMAGE044
then alpha is set to
Figure 37314DEST_PATH_IMAGE044
In step S3, to the maximum value of the obfuscated vector H
Figure 666878DEST_PATH_IMAGE031
and its second-largest value
Figure 89769DEST_PATH_IMAGE039
random perturbations eps and -eps are applied, i.e.
Figure 680151DEST_PATH_IMAGE045
Figure 643428DEST_PATH_IMAGE046
Figure 534023DEST_PATH_IMAGE047
denotes the assignment operation. To ensure that the noise vector N still satisfies the vector availability constraint and order preservation after the perturbation is applied, eps must meet the following constraint conditions:
S31, if the number of classes output by the classification model M is greater than 2, i.e. K > 2, then
Figure 426018DEST_PATH_IMAGE048
where
Figure 503696DEST_PATH_IMAGE049
is the third-largest value in the obfuscated vector H, and
Figure 473926DEST_PATH_IMAGE050
is the subscript of the third-largest value
Figure 78082DEST_PATH_IMAGE049
in the obfuscated vector H; solving gives that eps must satisfy
Figure 842776DEST_PATH_IMAGE051
S32, if the number of classes output by the classification model M is equal to 2, i.e. K = 2, then
Figure 673329DEST_PATH_IMAGE052
and solving gives that eps must satisfy
Figure 476943DEST_PATH_IMAGE053
The vector availability constraint provides a flexible configuration scheme that balances the usability of the prediction result against the privacy protection of the model.
Further, in step S3, a random perturbation eps is generated and the updates
Figure 76552DEST_PATH_IMAGE054
Figure 808885DEST_PATH_IMAGE055
are performed to obtain the noise vector N.
Further, for the same model, the values of alpha and beta are fixed.
Further, the privacy protection system corresponding to the method comprises a model prediction module, a vector obfuscation module, a vector perturbation module and a model output module;
the model prediction module is used to receive data input and generate a prediction vector;
the vector obfuscation module is used to apply an order-preserving obfuscation transformation satisfying the vector availability constraint to the prediction vector, generating an obfuscated vector;
the vector perturbation module is used to generate a random perturbation vector and add it to the obfuscated vector, forming an order-preserving noise vector;
and the model output module is used to return the noise vector as the final result of the model classification.
The advantages and beneficial effects of the invention are as follows:
The method needs neither modification of the target classification model nor knowledge of the specific technical details of the membership inference attack, so it can be applied simply and quickly to existing classification models at low cost and with a wide range of application. The vector availability constraint provides a flexible configuration scheme that balances the usability of the prediction result against the privacy protection of the model; the added random perturbation markedly reduces the chance that an attacker can recover the prediction vector from the noise vector, improving the robustness of the method; and the order-preserving requirement guarantees that the model's resistance to membership inference attacks improves without reducing its prediction accuracy.
Drawings
FIG. 1 is a flow chart of the method of the present invention.
Detailed Description
The following detailed description of embodiments of the invention refers to the accompanying drawings. It should be understood that the detailed description and specific examples, while indicating the present invention, are given by way of illustration and explanation only, not limitation.
As shown in FIG. 1, the privacy protection method for resisting membership inference attacks based on vector obfuscation includes the following steps:
(1) Input the data sample E into the classification model M to obtain the prediction vector of the classification model M for the data sample E
Figure 595575DEST_PATH_IMAGE001
where K is the number of classes (K is an integer and K ≥ 2).
(2) Set an obfuscation transformation T with the order-preserving property and apply T to the prediction vector C to obtain the obfuscated vector
Figure 907608DEST_PATH_IMAGE002
The order-preserving property of the obfuscation transformation T means that, for any i and j (i = 1, 2, …, K; j = 1, 2, …, K; i ≠ j), if
Figure 751936DEST_PATH_IMAGE003
then
Figure 530536DEST_PATH_IMAGE004
and if
Figure 430621DEST_PATH_IMAGE005
then
Figure 952869DEST_PATH_IMAGE056
At the same time, the obfuscation transformation T must satisfy the vector availability constraint D, where D is a distance metric function, i.e.
Figure 589387DEST_PATH_IMAGE007
where d is a preset upper distance limit. The order-preserving requirement guarantees that the model's resistance to membership inference attacks improves without reducing its prediction accuracy.
This step is the core of the invention and is divided into the following substeps:
(2.1) Set the hyper-parameters alpha and beta of the obfuscation transformation T. For the same model, the values of alpha and beta are fixed.
alpha represents, for the obfuscated vector
Figure 663522DEST_PATH_IMAGE019
the target difference between its maximum value
Figure 690384DEST_PATH_IMAGE020
and its second-largest value
Figure 875378DEST_PATH_IMAGE057
i.e.
Figure 304085DEST_PATH_IMAGE058
Figure 53516DEST_PATH_IMAGE023
where
Figure 302095DEST_PATH_IMAGE024
Figure 290779DEST_PATH_IMAGE025
are, respectively, the subscripts of the maximum value
Figure 839572DEST_PATH_IMAGE059
and the second-largest value
Figure 255510DEST_PATH_IMAGE039
in the obfuscated vector H,
Figure 725806DEST_PATH_IMAGE026
and
Figure 783761DEST_PATH_IMAGE060
beta is a parameter of the vector availability constraint that the obfuscated vector H must satisfy (0 ≤ beta ≤ 1). It specifies the maximum allowed difference between alpha, the difference between the maximum value
Figure 921481DEST_PATH_IMAGE020
and second-largest value
Figure 9785DEST_PATH_IMAGE039
of the obfuscated vector H, and d, the difference between the maximum value
Figure 232956DEST_PATH_IMAGE040
and second-largest value
Figure 32284DEST_PATH_IMAGE041
of the prediction vector C; that is, alpha has to satisfy
Figure 149145DEST_PATH_IMAGE042
If alpha is less than
Figure 782252DEST_PATH_IMAGE043
then alpha is set to
Figure 617353DEST_PATH_IMAGE043
and if alpha is greater than
Figure 626897DEST_PATH_IMAGE044
then alpha is set to
Figure 96799DEST_PATH_IMAGE044
(2.2) Apply the order-preserving transformation to the prediction vector C to generate the obfuscated vector H.
Let the difference between the maximum value in the obfuscated vector H
Figure 166386DEST_PATH_IMAGE031
and the maximum value in the prediction vector C
Figure 223204DEST_PATH_IMAGE061
be delta, i.e.
Figure 302018DEST_PATH_IMAGE062
and let the sum of the elements of the prediction vector C be
Figure 127892DEST_PATH_IMAGE030
The elements of the obfuscated vector H other than its maximum value
Figure 102801DEST_PATH_IMAGE031
are calculated according to the following formula:
Figure 646915DEST_PATH_IMAGE032
Figure 998262DEST_PATH_IMAGE063
Since
Figure 445686DEST_PATH_IMAGE034
we obtain
Figure 857076DEST_PATH_IMAGE064
and the elements of the obfuscated vector H can then be obtained from the element calculation formula above.
In addition, it is easy to see that
Figure 888486DEST_PATH_IMAGE036
and, since
Figure 309103DEST_PATH_IMAGE037
it follows that
Figure 109569DEST_PATH_IMAGE038
from which it can be seen that the obfuscation transformation T implements an order-preserving transformation with a constant sum of vector elements.
(3) Add a random perturbation vector to the obfuscated vector H
Figure 691860DEST_PATH_IMAGE008
to generate the noise vector
Figure 210566DEST_PATH_IMAGE065
i.e.
Figure 903715DEST_PATH_IMAGE066
where
Figure 340380DEST_PATH_IMAGE011
After adding the random perturbation vector
Figure 827993DEST_PATH_IMAGE012
the relative sizes of the elements of the obfuscated vector H are unchanged, i.e. for any i and j (i = 1, 2, …, K; j = 1, 2, …, K; i ≠ j), if
Figure 568416DEST_PATH_IMAGE013
then
Figure 65256DEST_PATH_IMAGE014
i.e.
Figure 105894DEST_PATH_IMAGE015
and if
Figure 357883DEST_PATH_IMAGE016
then
Figure 460969DEST_PATH_IMAGE017
i.e.
Figure 122019DEST_PATH_IMAGE018
The added random perturbation markedly reduces the chance that an attacker can recover the prediction vector from the noise vector, improving the robustness of the method.
In particular, to the maximum value of the obfuscated vector H
Figure 892529DEST_PATH_IMAGE067
and its second-largest value
Figure 112158DEST_PATH_IMAGE068
random perturbations eps and -eps are applied, i.e.
Figure 702539DEST_PATH_IMAGE069
Figure 665816DEST_PATH_IMAGE070
Figure 87570DEST_PATH_IMAGE071
denotes the assignment operation. To ensure that the noise vector N still satisfies the vector availability constraint and order preservation after the perturbation is applied, eps must meet the following constraint conditions:
(3.1) If the number of classes output by the classification model M is greater than 2, i.e. K > 2, then
Figure 353466DEST_PATH_IMAGE048
where
Figure 555778DEST_PATH_IMAGE072
is the third-largest value in the obfuscated vector H, and
Figure 932532DEST_PATH_IMAGE073
is the subscript of the third-largest value
Figure 238486DEST_PATH_IMAGE072
in the obfuscated vector H; solving gives that eps must satisfy
Figure 472022DEST_PATH_IMAGE074
(3.2) If the number of classes output by the classification model M is equal to 2, i.e. K = 2, then
Figure 161629DEST_PATH_IMAGE052
and solving gives that eps must satisfy
Figure 342075DEST_PATH_IMAGE075
The vector availability constraint provides a flexible configuration scheme that balances the usability of the prediction result against the privacy protection of the model.
(4) Generate a random perturbation eps meeting the requirement and perform the updates
Figure 800738DEST_PATH_IMAGE076
Figure 408437DEST_PATH_IMAGE077
to obtain the noise vector N. Take the noise vector N as the final result of the classification model M and output it.
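The obfuscation and perturbation steps (2) to (4) above, as an added Python example that is not the patent's own code. Because the element formulas on this page survive only as image references, the proportional rescaling of the non-maximum elements, the symmetric window [d - beta, d + beta] for alpha and the derived eps bounds are assumptions chosen to satisfy the stated order-preserving, sum-preserving and availability requirements, and the sample prediction vectors are constructed.

```python
"""Added illustration of the vector-obfuscation defence in CN112733196A (not the
patent's own code). The patent's element formulas are only images on this page,
so the proportional rescaling of the non-maximum elements, the symmetric alpha
window [d - beta, d + beta] and the eps bounds are assumptions chosen to satisfy
the stated order-preserving, sum-preserving and availability requirements."""
import random
from typing import List, Optional, Tuple

MIN_GAP = 1e-6  # assumed floor that keeps the top-1 / top-2 gap strictly positive


def ranking(v: List[float]) -> List[int]:
    """Indices of v sorted from the largest to the smallest value."""
    return sorted(range(len(v)), key=lambda i: v[i], reverse=True)


def is_order_preserving(c: List[float], h: List[float]) -> bool:
    """The patent's requirement: c_i > c_j implies h_i > h_j for every i != j."""
    k = len(c)
    return all(h[i] > h[j] for i in range(k) for j in range(k)
               if i != j and c[i] > c[j])


def alpha_window(c: List[float], beta: float) -> Tuple[float, float]:
    """Step S21: allowed range for alpha, the target gap between the two largest
    obfuscated elements. d is the original gap and beta bounds |alpha - d|
    (assumed symmetric). The upper end also stays below the element sum so
    that the rescaled elements remain non-negative."""
    r = ranking(c)
    d = c[r[0]] - c[r[1]]
    return max(d - beta, MIN_GAP), min(d + beta, sum(c) - MIN_GAP)


def obfuscate(c: List[float], alpha: float, beta: float) -> List[float]:
    """Step S2: order-preserving obfuscation with a constant element sum.
    All non-maximum elements are scaled by one factor t (assumption), and the
    maximum absorbs the remaining mass, so sum(H) == sum(C) and
    h_max - h_second == alpha exactly."""
    lo, hi = alpha_window(c, beta)
    alpha = min(max(alpha, lo), hi)  # clip alpha into the availability window
    r = ranking(c)
    s = sum(c)
    rest = s - c[r[0]]  # mass held by the non-maximum elements
    t = (s - alpha) / (rest + c[r[1]])
    h = [t * x for x in c]
    h[r[0]] = s - t * rest
    return h


def eps_bounds(h: List[float], lo: float, hi: float) -> Tuple[float, float]:
    """Step S3: open interval for eps such that h_max + eps and h_second - eps
    keep the order (S31: for K > 2 the perturbed second maximum must also stay
    above the third-largest element; S32: K == 2 has no such element) and the
    new gap alpha + 2*eps stays inside the availability window [lo, hi]."""
    r = ranking(h)
    alpha = h[r[0]] - h[r[1]]
    eps_lo = max(-alpha / 2, (lo - alpha) / 2)  # order kept and gap >= lo
    eps_hi = min((hi - alpha) / 2, h[r[1]])  # gap <= hi and h_second - eps >= 0
    if len(h) > 2:  # S31: stay above the third-largest element
        eps_hi = min(eps_hi, h[r[1]] - h[r[2]])
    return eps_lo, eps_hi


def perturb(h: List[float], lo: float, hi: float,
            rng: random.Random) -> List[float]:
    """Steps S3/S4: draw eps strictly inside its bounds and form the noise vector N."""
    eps_lo, eps_hi = eps_bounds(h, lo, hi)
    margin = (eps_hi - eps_lo) * 1e-6  # stay off the open endpoints
    eps = rng.uniform(eps_lo + margin, eps_hi - margin)
    r = ranking(h)
    n = list(h)
    n[r[0]] += eps
    n[r[1]] -= eps
    return n


def protect(c: List[float], alpha: float, beta: float,
            rng: Optional[random.Random] = None) -> List[float]:
    """Whole pipeline: prediction vector C -> obfuscated H -> noise vector N."""
    rng = rng if rng is not None else random.Random()
    lo, hi = alpha_window(c, beta)
    return perturb(obfuscate(c, alpha, beta), lo, hi, rng)


if __name__ == "__main__":
    rng = random.Random(7)
    # Constructed sample outputs of a 4-class and of a 2-class classifier.
    for c in ([0.05, 0.72, 0.15, 0.08], [0.3, 0.7]):
        n = protect(c, alpha=0.2, beta=0.3, rng=rng)
        print(c, "->", [round(x, 4) for x in n],
              "order kept:", is_order_preserving(c, n), "sum:", round(sum(n), 6))
```

With alpha = 0.2 and beta = 0.3 on the 4-class sample, alpha is clipped up to the lower edge d - beta = 0.27, which forces eps to be non-negative so the top-1 / top-2 gap can only grow back into the window.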
A system implementing the privacy protection method for resisting membership inference attacks based on vector obfuscation comprises a model prediction module, a vector obfuscation module, a vector perturbation module and a model output module;
the model prediction module is used to receive data input and generate a prediction vector;
the vector obfuscation module is used to apply an order-preserving obfuscation transformation satisfying the vector availability constraint to the prediction vector, generating an obfuscated vector;
the vector perturbation module is used to generate a random perturbation vector and add it to the obfuscated vector, forming an order-preserving noise vector;
and the model output module is used to return the noise vector as the final result of the model classification.
The above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some or all of the technical features may be equivalently replaced; and the modifications or the substitutions do not make the essence of the corresponding technical solutions depart from the scope of the technical solutions of the embodiments of the present invention.

Claims (10)

1. A privacy protection method for resisting membership inference attacks based on vector obfuscation, characterized in that it comprises the following steps:
S1, input the data sample E into the classification model M to obtain the prediction vector of the classification model M for the data sample E
Figure DEST_PATH_IMAGE001
where K is an integer with K ≥ 2 and represents the number of classes;
S2, set an obfuscation transformation T with the order-preserving property and apply T to the prediction vector C to obtain the obfuscated vector
Figure 218931DEST_PATH_IMAGE002
where the obfuscation transformation T satisfies, for any i and j (i = 1, 2, …, K; j = 1, 2, …, K; i ≠ j), that if
Figure DEST_PATH_IMAGE003
then
Figure 300937DEST_PATH_IMAGE004
and if
Figure DEST_PATH_IMAGE005
then
Figure 82948DEST_PATH_IMAGE006
and at the same time the obfuscation transformation T satisfies the vector availability constraint D, where D is a distance metric function, i.e.
Figure DEST_PATH_IMAGE007
where d is a preset upper distance limit;
S3, add a random perturbation vector to the obfuscated vector H
Figure 455024DEST_PATH_IMAGE008
to generate the noise vector
Figure DEST_PATH_IMAGE009
i.e.
Figure 588065DEST_PATH_IMAGE010
where
Figure DEST_PATH_IMAGE011
after adding the random perturbation vector
Figure 205253DEST_PATH_IMAGE012
the relative sizes of the elements of the obfuscated vector H are unchanged, i.e. for any i and j (i = 1, 2, …, K; j = 1, 2, …, K; i ≠ j), if
Figure DEST_PATH_IMAGE013
then
Figure 841771DEST_PATH_IMAGE014
i.e.
Figure DEST_PATH_IMAGE015
and if
Figure 650327DEST_PATH_IMAGE016
then
Figure DEST_PATH_IMAGE017
i.e.
Figure 270664DEST_PATH_IMAGE018
S4, take the noise vector N as the final result of the classification model M and output it.
2. The privacy protection method against membership inference attacks based on vector obfuscation as claimed in claim 1, wherein said step S2 includes the steps of:
S21, set a hyper-parameter alpha of the obfuscation transformation T, where alpha represents, for the obfuscated vector
Figure DEST_PATH_IMAGE019
the target difference between its maximum value
Figure 423035DEST_PATH_IMAGE020
and its second-largest value
Figure DEST_PATH_IMAGE021
i.e.
Figure 179638DEST_PATH_IMAGE022
Figure DEST_PATH_IMAGE023
where
Figure 159095DEST_PATH_IMAGE024
Figure 407674DEST_PATH_IMAGE025
are, respectively, the subscripts of the maximum value
Figure DEST_PATH_IMAGE026
and the second-largest value
Figure 865200DEST_PATH_IMAGE027
in the obfuscated vector H,
Figure DEST_PATH_IMAGE028
and
Figure 243354DEST_PATH_IMAGE029
3. The privacy protection method for resisting membership inference attacks based on vector obfuscation as claimed in claim 2, wherein said step S2 further comprises the steps of:
S22, apply the order-preserving transformation to the prediction vector C to generate the obfuscated vector H;
let the difference between the maximum value in the obfuscated vector H
Figure 659292DEST_PATH_IMAGE030
and the maximum value in the prediction vector C
Figure DEST_PATH_IMAGE031
be delta, i.e.
Figure 988642DEST_PATH_IMAGE032
and let the sum of the elements of the prediction vector C be
Figure DEST_PATH_IMAGE033
the elements of the obfuscated vector H other than its maximum value
Figure 515439DEST_PATH_IMAGE030
are calculated according to the following formula:
Figure 653159DEST_PATH_IMAGE034
Figure DEST_PATH_IMAGE035
since
Figure 201515DEST_PATH_IMAGE036
we obtain
Figure DEST_PATH_IMAGE037
and finally the elements of the obfuscated vector H are obtained from the element calculation formula above.
4. The privacy protection method for resisting membership inference attacks based on vector obfuscation as claimed in claim 2, wherein step S21 further sets a hyper-parameter beta of the obfuscation transformation T;
beta is a parameter of the vector availability constraint that the obfuscated vector H must satisfy (beta ≥ 0), specifying the maximum allowed difference between alpha, the difference between the maximum value
Figure 18162DEST_PATH_IMAGE020
and second-largest value
Figure 348649DEST_PATH_IMAGE027
of the obfuscated vector H, and d, the difference between the maximum value
Figure 340876DEST_PATH_IMAGE038
and second-largest value
Figure DEST_PATH_IMAGE039
of the prediction vector C; that is, alpha has to satisfy
Figure 567458DEST_PATH_IMAGE040
if alpha is less than
Figure DEST_PATH_IMAGE041
then alpha is set to
Figure 372865DEST_PATH_IMAGE041
and if alpha is greater than
Figure 975884DEST_PATH_IMAGE042
then alpha is set to
Figure 212831DEST_PATH_IMAGE042
5. The privacy protection method against membership inference attacks based on vector obfuscation as claimed in claim 4, wherein said step S3 includes the steps of:
to the maximum value of the obfuscated vector H
Figure 16839DEST_PATH_IMAGE030
and its second-largest value
Figure 339236DEST_PATH_IMAGE027
random perturbations eps and -eps are applied, i.e.
Figure DEST_PATH_IMAGE043
Figure 713323DEST_PATH_IMAGE044
Figure DEST_PATH_IMAGE045
denotes the assignment operation, and eps needs to satisfy the following constraint conditions:
S31, if the number of classes output by the classification model M is greater than 2, i.e. K > 2, then
Figure 273617DEST_PATH_IMAGE046
where
Figure DEST_PATH_IMAGE047
is the third-largest value in the obfuscated vector H, and
Figure 107581DEST_PATH_IMAGE048
is the subscript of the third-largest value
Figure 386116DEST_PATH_IMAGE047
in the obfuscated vector H; solving gives that eps must satisfy
Figure 737463DEST_PATH_IMAGE049
S32, if the number of classes output by the classification model M is equal to 2, i.e. K = 2, then
Figure DEST_PATH_IMAGE051
and solving gives that eps must satisfy
Figure 919307DEST_PATH_IMAGE052
6. The privacy protection method for resisting membership inference attacks based on vector obfuscation as claimed in claim 5, wherein in step S3 a random perturbation eps is generated and the updates
Figure DEST_PATH_IMAGE053
Figure 924173DEST_PATH_IMAGE054
are performed to obtain the noise vector N.
7. The privacy protection method for resisting membership inference attacks based on vector obfuscation as claimed in claim 2, wherein the value of alpha is fixed for the same model.
8. The privacy protection method for resisting membership inference attacks based on vector obfuscation as claimed in claim 4, wherein the value of beta is fixed for the same model.
9. The privacy protection method for resisting membership inference attacks based on vector obfuscation as claimed in claim 3, wherein in step S22, since
Figure 830949DEST_PATH_IMAGE055
and since
Figure DEST_PATH_IMAGE056
we obtain
Figure 313883DEST_PATH_IMAGE057
i.e. the sum of the vector elements is unchanged.
10. The privacy protection system of claim 1, comprising a model prediction module, a vector obfuscation module, a vector perturbation module and a model output module, characterized in that:
the model prediction module is used to receive data input and generate a prediction vector;
the vector obfuscation module is used to apply an order-preserving obfuscation transformation satisfying the vector availability constraint to the prediction vector, generating an obfuscated vector;
the vector perturbation module is used to generate a random perturbation vector and add it to the obfuscated vector, forming an order-preserving noise vector;
and the model output module is used to return the noise vector as the final result of the model classification.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110358755.9A CN112733196B (en) 2021-04-02 2021-04-02 Privacy protection method and system for resisting member reasoning attack based on vector confusion

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110358755.9A CN112733196B (en) 2021-04-02 2021-04-02 Privacy protection method and system for resisting member reasoning attack based on vector confusion

Publications (2)

Publication Number Publication Date
CN112733196A true CN112733196A (en) 2021-04-30
CN112733196B CN112733196B (en) 2021-07-06

Family

ID=75596345

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110358755.9A Active CN112733196B (en) 2021-04-02 2021-04-02 Privacy protection method and system for resisting member reasoning attack based on vector confusion

Country Status (1)

Country Link
CN (1) CN112733196B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115906032A (en) * 2023-02-20 2023-04-04 之江实验室 Recognition model correction method and device and storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106572111A (en) * 2016-11-09 2017-04-19 南京邮电大学 Big-data-oriented privacy information release exposure chain discovery method
CN108833077A (en) * 2018-07-02 2018-11-16 西安电子科技大学 Outer packet classifier encipher-decipher method based on homomorphism OU password
CN109492430A (en) * 2018-10-30 2019-03-19 江苏东智数据技术股份有限公司 A kind of internet Keywork method for secret protection and device based on obfuscated manner
CN111447181A (en) * 2020-03-04 2020-07-24 重庆邮电大学 Location privacy protection method based on differential privacy

Also Published As

Publication number Publication date
CN112733196B (en) 2021-07-06

Similar Documents

Publication Publication Date Title
Long et al. Towards measuring membership privacy
Jagtap et al. Locally adaptive activation functions with slope recovery for deep and physics-informed neural networks
Pal et al. Optimal infinite-horizon control for probabilistic Boolean networks
Seung et al. Statistical mechanics of learning from examples
da Silva Campos et al. Revisiting the TP model transformation: Interpolation and rule reduction
CN112085050A (en) Antagonistic attack and defense method and system based on PID controller
CN115442099B (en) Distributed GAN-based privacy protection data sharing method and system
Liu et al. GanDef: A GAN based adversarial training defense for neural network classifier
Kwon et al. Classification score approach for detecting adversarial example in deep neural network
Menda et al. Dropoutdagger: A bayesian approach to safe imitation learning
CN112733196B (en) Privacy protection method and system for resisting member reasoning attack based on vector confusion
CN112580728A (en) Dynamic link prediction model robustness enhancing method based on reinforcement learning
CN116861239A (en) Federal learning method and system
Ren et al. Semi-supervised drifted stream learning with short lookback
Zhang et al. Target: Federated class-continual learning via exemplar-free distillation
Zhai et al. Data-based and secure switched cyber–physical systems
CN113935396A (en) Manifold theory-based method and related device for resisting sample attack
CN115719085B (en) Deep neural network model inversion attack defense method and device
Liu [Retracted] Privacy Protection Technology Based on Machine Learning and Intelligent Data Recognition
Chen et al. Enhanced mixup training: a defense method against membership inference attack
Reeves et al. Support vector machine regularization
Hedayati Khodayari et al. Stabilizer design for an under-actuated autonomous underwater vehicle in a descriptor model under unknown time delay and uncertainty
Xu et al. Neuguard: Lightweight neuron-guided defense against membership inference attacks
Alessandri et al. Optimization-based learning with bounded error for feedforward neural networks
Machina et al. Stability of stationary solutions of piecewise affine differential equations describing gene regulatory networks

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant