CN112733196A - Privacy protection method and system for resisting member reasoning attack based on vector confusion - Google Patents
Publication number: CN112733196A
Authority: CN (China)
Legal status: Granted
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
- G06F21/6245—Protecting personal data, e.g. for financial or medical purposes
Abstract
The invention discloses a privacy protection method and system, based on vector obfuscation, for resisting membership inference attacks. A prediction vector output by a classification model is first passed through an obfuscation transformation that satisfies the vector availability constraint and the order-preserving requirement, and then through a perturbation transformation that is random and likewise satisfies the vector availability constraint and the order-preserving requirement; the resulting noise vector is returned as the model's classification result. The method requires neither modifying the target classification model nor knowing the technical details of the membership inference attack, so it can be applied simply and quickly to existing classification models at low cost and across a wide range of applications. The vector availability constraint provides a flexible configuration that balances the usability of the prediction result against the privacy protection of the model; the added random perturbation markedly reduces an attacker's ability to recover the prediction vector from the noise vector, improving the robustness of the method; and the order-preserving requirement guarantees that the model's resistance to membership inference attacks is improved without reducing its prediction accuracy.
Description
Technical Field
The invention relates to the intersection of artificial intelligence and information security, and in particular to a privacy protection method and system, based on vector obfuscation, for resisting membership inference attacks.
Background
Artificial intelligence technologies such as machine learning and deep learning are currently developing rapidly, and AI models are being deployed in many fields to solve specific problems: deep learning models provide intelligent diagnosis in medicine, and models trained on large volumes of financial data drive automated decisions such as quantitative trading in finance. Such models must be trained on large amounts of data, which often contain users' private information; training directly on that information exposes the model to a serious risk of privacy disclosure.
The membership inference attack is an intuitive and effective means of extracting private information from a trained target model. A model's prediction behaviour on its own training data usually differs from its behaviour on data it was not trained on, and a membership inference attack exploits this difference to determine whether a given data sample was used to train the target model. A large body of research shows that an attacker need not know the target model's architecture, training procedure or other internals: it suffices to submit query requests to the model and judge, from the prediction vector the model returns, whether the corresponding input was part of the training data.
Many researchers regard overfitting as the main reason membership inference attacks succeed and have designed regularization methods that reduce a model's generalization error, such as dropout, L2 regularization and min-max training. These methods require retraining the model, which is costly, may reduce the model's prediction accuracy, and in many cases applies only to deep learning models. Other researchers work directly on the prediction vector returned by the model, processing it to remove the difference in model behaviour between training-set and non-training-set data, for example by truncating the prediction vector to its top K classes or by adding adversarial perturbation to it; such methods sacrifice some of the usability of the prediction vector. Researchers have also turned to differential privacy to counter membership inference attacks, but such methods face numerous practical challenges, notably the difficulty of balancing the model's privacy protection against its prediction capability.
Disclosure of Invention
To overcome the shortcomings of the prior art and achieve privacy protection against existing membership inference attacks, the invention adopts the following technical scheme:
The privacy protection method for resisting membership inference attacks based on vector obfuscation comprises the following steps:
s1, inputting the data sample E into the classification model M to obtain the prediction vector of the classification model M to the data sample EWherein the integer K is more than or equal to 2 and represents the number of categories;
s2, setting confusion transformation T with order preserving property, applying the confusion transformation T on the predicted vector C to obtain confusion vectorThe order preservation of the aliased transform T is achieved by, for any i and j (i =1,2, …, K j =1,2, … K i ≠ j), ifThen there isIf, ifThen, thenWhile the obfuscated transformation T satisfies the vector availability constraint D, which is a distance metric function, i.e.Wherein d is a preset upper distance limit; the order preservation requirement guarantees that the model improves the member reasoning attack resistance under the condition of not reducing the prediction accuracy;
s3, adding a random perturbation vector to the confusion vector HGenerating a noise vectorI.e. byWhereinAdding random perturbation vectorsThereafter, the relative sizes of the elements in the confusion vector H are unchanged, i.e. for arbitrary i and j (i =1,2, …, K j =1,2, … K i ≠ j), ifThen there isI.e. byIf, ifThen, thenI.e. by; The added random disturbance obviously reduces the possibility that an attacker restores a prediction vector according to the noise vector, and the robustness of the method is improved;
S4, outputting the noise vector N as the final result of the classification model M.
Further, the step S2 includes the following steps:
s21, setting a hyper-parameter alpha of the confusion transformation T, wherein the alpha represents a confusion vectorMaximum value ofAnd second maximum valueTarget difference therebetween, i.e.,Wherein, in the step (A),,respectively, the maximum value in the confusion vector HAnd second maximum valueThe subscript of (a) is,and is and;
s22, applying order preserving transformation to the prediction vector C to generate a confusion vector H;
setting a maximum value in an alias vector HAnd the maximum value in the prediction vector CIs delta, i.e.Sum of elements of the prediction vector CDividing the maximum value in the confusion vector HThe outer elements are calculated according to the following formula:,due to the fact thatTo obtainAnd finally, obtaining elements in the confusion vector H according to the element calculation formula.
Further, the step S22 is executed becauseAnd due toTo obtainAs can be seen from the above, the confusion transformation T implements order preserving transformation with constant vector element sums.
Further, in the step S21, a hyper-parameter beta of the confusion transform T is also set;
beta is a parameter of the vector availability constraint that confusion vector H needs to satisfy (beta ≧ 0), indicating that the maximum value in confusion vector H is allowedAnd second maximum valueThe difference alpha between, and the maximum value in the prediction vector CAnd second maximum valueThe maximum difference between the differences d, i.e. alpha, has to be satisfied. If alpha is less thanThen alpha is set toIf alpha is greater thanThen alpha is set to;
In step S3, the maximum value of the confusion vector H is setAnd second maximum valueApplying random perturbations eps and-eps, i.e.,,Representing assignment operation, and in order to ensure that the noise vector N after disturbance application still meets the vector availability constraint and order preservation, eps needs to meet the following constraint conditions:
S31, if the number of the classes output by the classification model M is more than 2, namely K is more than 2, then
For the third largest value in the confusion vector H,as the third largest value in the confusion vector HSubscript, obtained by solving, eps satisfies;
S32, if the number of classes output by the classification model M is equal to 2, i.e., K =2, then
The vector availability constraints provide a flexible configuration scheme that balances predictive result availability and model privacy protections.
Further, in the step S3, a random disturbance eps is generated and updated,And obtaining a noise vector N.
Further, for the same model, the values of alpha and beta are fixed.
Further, the privacy protection system corresponding to the method comprises: the model prediction module, the vector confusion module, the vector perturbation module and the model output module;
the model prediction module is used for receiving data input and generating a prediction vector;
the vector confusion module is used for applying order-preserving confusion transformation meeting vector availability constraint on the prediction vector to generate a confusion vector;
the vector perturbation module is used for generating a random perturbation vector and adding the random perturbation vector to the confusion vector to form an order-preserving noise vector;
and the model output module is used for returning the noise vector as a final result of model classification.
The invention has the advantages and beneficial effects that:
The method requires neither modifying the target classification model nor knowing the technical details of the membership inference attack, so it can be applied simply and quickly to existing classification models at low cost and across a wide range of applications. The vector availability constraint provides a flexible configuration that balances the usability of the prediction result against the privacy protection of the model; the added random perturbation markedly reduces an attacker's ability to recover the prediction vector from the noise vector, improving the robustness of the method; and the order-preserving requirement guarantees that the model's resistance to membership inference attacks is improved without reducing its prediction accuracy.
Drawings
FIG. 1 is a flow chart of the method of the present invention.
Detailed Description
The following detailed description of embodiments of the invention refers to the accompanying drawings. It should be understood that the detailed description and specific examples, while indicating the present invention, are given by way of illustration and explanation only, not limitation.
As shown in fig. 1, the privacy protection method against member inference attack based on vector obfuscation includes the following steps:
(1) inputting the data sample E into a classification model M to obtain a classificationPrediction vector of model M to data sample EWherein K is the number of categories (K is more than or equal to 2 and K is an integer).
(2) Setting confusion transformation T with order preserving property, applying the confusion transformation T on the predicted vector C to obtain the confusion vectorThe order preservation of the aliased transform T is achieved by, for any i and j (i =1,2, …, K j =1,2, … K i ≠ j), ifThen there isIf, ifThen, thenAt the same time, the confusion transform T needs to satisfy the vector availability constraint D, which is a distance metric function, i.e.And d is a preset upper distance limit. The order-preserving requirement guarantees that the model improves the member reasoning attack resistance under the condition of not reducing the prediction accuracy.
The step is the core of the invention and is divided into the following substeps:
(2.1) setting the hyperparameters alpha and beta of the confusion transform T. For the same model, the values of alpha and beta are fixed.
alpha represents the confusion vectorMaximum value ofAnd second maximum valueTarget difference therebetween, i.e.,. Wherein the content of the first and second substances,,respectively, the maximum value in the confusion vector HAnd second maximum valueThe subscript of (a) is,and is and。
beta is a parameter of the vector availability constraint that confusion vector H needs to satisfy (0 ≦ beta ≦ 1), representing allowing the maximum value in confusion vector HAnd second maximum valueThe difference alpha between and the maximum value in the prediction vector CAnd second maximum valueThe maximum difference between the differences d, i.e. alpha, has to be satisfied. If alpha is less thanThen alpha is set toIf alpha is greater thanThen alpha is set to。
(2.2) Applying an order-preserving transformation to the prediction vector C to generate the confusion vector H.
Assuming a maximum in the confusion vector HAnd the maximum value in the prediction vector CIs delta, i.e.. Sum of elements of prediction vector C. Dividing maximum value in confusion vector HThe outer elements are calculated according to the following formula, i.e.,. Due to the fact thatIs obtained byThen the elements in the confusion vector H can be obtained according to the above element calculation formula.
In addition, is easy to obtainAnd due toIs easy to obtain. As can be seen from the above, the confusion transformation T implements order preserving transformation with constant vector element sums.
(3) Adding a random perturbation vector to the confusion vector HGenerating a noise vectorI.e. byWhereinAdding random perturbation vectorsThereafter, the relative sizes of the elements in the confusion vector H are unchanged, i.e. for arbitrary i and j (i =1,2, …, K j =1,2, … K i ≠ j), ifThen there isI.e. byIf, ifThen, thenI.e. by. The added random disturbance obviously reduces the possibility that an attacker restores a prediction vector according to the noise vector, and the robustness of the method is improved.
In particular, for the maximum value of the confusion vector HAnd second maximum valueApplying random perturbations eps and-eps, i.e.,,Representing assignment operation, and in order to ensure that the noise vector N after disturbance application still meets the vector availability constraint and the order preservation, eps needs to meet the following constraint conditions:
(3.1) if the number of the classes output by the classification model M is more than 2, namely K is more than 2, then
For the third largest value in the confusion vector H,as the third largest value in the confusion vector HSubscript where, solved for, eps needs to satisfy;
(3.2) if the number of classes output by the classification model M is equal to 2, i.e., K =2, then
The vector availability constraints provide a flexible configuration scheme that balances predictive result availability and model privacy protections.
(4) Generating random perturbation eps meeting the requirement and updating,And obtaining the noise vector N. And taking the noise vector N as a final result of the classification model M and outputting the final result.
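As an added example (not code from the patent), the following Python implements steps (2) to (4) above and checks the invariants the method promises: the class ranking of C is kept (so top-1 accuracy is unchanged), the element sum is kept, and the availability distance stays within d. Because the page's formulas are lost, these details are assumptions: the non-maximum entries of C are scaled by one common positive factor so the sum is preserved, alpha is clipped to within beta of the original gap between the two largest entries, the availability metric D is L1 distance, and eps is drawn uniformly from the interval that keeps the order and the L1 budget (for K = 2 only the L1 budget bounds eps from above).

```python
"""Vector-obfuscation defence against membership inference (steps 2 to 4):
C -> order- and sum-preserving confusion vector H (alpha, beta) -> order-
preserving noise vector N (eps on the two largest entries) -> return N.
Assumed details (the page's formulas are missing): proportional scaling of the
non-maximum entries, alpha clipped to [gap - beta, gap + beta], L1 as the
availability metric D, and eps sampled uniformly from the admissible interval."""
import random
from typing import List, Optional


def l1(a: List[float], b: List[float]) -> float:
    """Vector availability metric D (assumption: L1 distance)."""
    return sum(abs(x - y) for x, y in zip(a, b))


def ranking(v: List[float]) -> List[int]:
    """Class indices sorted from the largest to the smallest entry of v."""
    return sorted(range(len(v)), key=lambda i: v[i], reverse=True)


def obfuscate(c: List[float], alpha: float, beta: float) -> List[float]:
    """Step 2: confusion transformation T.

    alpha is the target gap between the two largest entries of H; beta bounds
    how far alpha may move from the original gap in C.  The largest entry is
    shifted by delta and all other entries are multiplied by one positive
    factor that keeps the element sum unchanged (and hence their order);
    alpha > 0 keeps the maximum on top, so the predicted class is unchanged.
    """
    order = ranking(c)
    i1, i2 = order[0], order[1]
    gap = c[i1] - c[i2]
    alpha = min(max(alpha, gap - beta), gap + beta)   # assumed clipping rule
    s, rest = sum(c), sum(c) - c[i1]                   # rest: mass outside the max
    if rest <= 0.0 or not 0.0 < alpha < s:
        raise ValueError("alpha must lie in (0, sum(C)) and C must not be one-hot")
    # h_max = c_max + delta, h_2 = c_2 * (rest - delta) / rest, h_max - h_2 = alpha
    delta = (alpha - gap) * rest / (rest + c[i2])
    scale = (rest - delta) / rest                      # > 0 because alpha < s
    h = [x * scale for x in c]
    h[i1] = c[i1] + delta
    return h


def perturb(h: List[float], c: List[float], d: float,
            rng: random.Random) -> List[float]:
    """Step 3: N = H with +eps on the largest and -eps on the second-largest entry.

    Order is kept while eps > -alpha/2 and, for K > 2, eps < h_2 - h_3 (S31).
    Moving two entries by eps changes the L1 distance to C by at most 2|eps|,
    so |eps| <= (d - D(H, C)) / 2 is a sufficient bound for the availability
    constraint; for K = 2 it is the only upper bound (S32, assumption).
    """
    order = ranking(h)
    i1, i2 = order[0], order[1]
    alpha = h[i1] - h[i2]
    slack = d - l1(h, c)
    if slack < 0.0:
        raise ValueError("confusion vector already exceeds the distance limit d")
    lo, hi = max(-alpha / 2.0, -slack / 2.0), slack / 2.0
    if len(h) > 2:
        hi = min(hi, h[i2] - h[order[2]])
    if hi <= lo:
        eps = 0.0                                      # no admissible perturbation
    else:                                              # strictly inside (lo, hi): no ties
        eps = lo + (hi - lo) * (0.01 + 0.98 * rng.random())
    n = list(h)
    n[i1] += eps
    n[i2] -= eps
    return n


def protect(c: List[float], alpha: float, beta: float, d: float,
            seed: Optional[int] = None) -> List[float]:
    """Steps 2 to 4: the noise vector N that is returned instead of C."""
    return perturb(obfuscate(c, alpha, beta), c, d, random.Random(seed))


def invariants_hold(c: List[float], n: List[float], d: float) -> bool:
    """What the patent requires of N: the class ranking of C (so accuracy is
    unchanged), the element sum of C, and D(N, C) <= d."""
    return (ranking(c) == ranking(n)
            and abs(sum(c) - sum(n)) < 1e-9
            and l1(c, n) <= d + 1e-9)


if __name__ == "__main__":
    c = [0.70, 0.20, 0.06, 0.04]   # constructed softmax output, predicted class 0
    n = protect(c, alpha=0.3, beta=0.3, d=0.5, seed=7)
    print("N =", [round(x, 4) for x in n], "invariants:", invariants_hold(c, n, 0.5))
```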
A system implementing the privacy protection method for resisting membership inference attacks based on vector obfuscation comprises: the model prediction module, the vector confusion module, the vector perturbation module and the model output module;
the model prediction module is used for receiving data input and generating a prediction vector;
the vector confusion module is used for applying order-preserving confusion transformation meeting vector availability constraint on the prediction vector to generate a confusion vector;
and the vector perturbation module is used for generating a random perturbation vector and adding the random perturbation vector to the confusion vector to form an order-preserving noise vector.
And the model output module is used for returning the noise vector as a final result of model classification.
The above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some or all of the technical features may be equivalently replaced; and the modifications or the substitutions do not make the essence of the corresponding technical solutions depart from the scope of the technical solutions of the embodiments of the present invention.
Claims (10)
1. The privacy protection method for resisting member reasoning attack based on vector confusion is characterized by comprising the following steps:
s1, inputting the data sample E into the classification model M to obtain the prediction vector of the classification model M to the data sample EWherein the integer K is more than or equal to 2 and represents the number of categories;
s2, setting confusion transformation T with order preserving property, applying the confusion transformation T on the predicted vector C to obtain confusion vectorAliasing transform T for arbitrary i and j (i =1,2, …, K j =1,2, … K i ≠ j) ifThen there isIf, ifThen, thenWhile the obfuscated transformation T satisfies the vector availability constraint D, which is a distance metric function, i.e.Wherein d is a preset upper distance limit;
s3, adding a random perturbation vector to the confusion vector HGenerating a noise vectorI.e. byWhereinAdding random perturbation vectorsThereafter, the relative sizes of the elements in the confusion vector H are unchanged, i.e. for arbitrary i and j (i =1,2, …, K j =1,2, … K i ≠ j), ifThen there isI.e. byIf, ifThen, thenI.e. by;
And S4, taking the noise vector N as the final result of the classification model M and outputting the final result.
2. The privacy protection method against membership inference attacks based on vector obfuscation as claimed in claim 1, wherein said step S2 includes the steps of:
s21, setting a hyper-parameter alpha of the confusion transformation T, wherein the alpha represents a confusion vectorMaximum value ofAnd second maximum valueTarget difference therebetween, i.e.,Wherein, in the step (A),,respectively, the maximum value in the confusion vector HAnd second maximum valueThe subscript of (a) is,and is and。
3. the privacy protection method against membership inference attacks based on vector obfuscation as claimed in claim 2, wherein said step S2 further comprises the steps of:
s22, applying order preserving transformation to the prediction vector C to generate a confusion vector H;
setting a maximum value in an alias vector HAnd the maximum value in the prediction vector CIs delta, i.e.Sum of elements of the prediction vector CDividing the maximum value in the confusion vector HThe outer elements are calculated according to the following formula:,due to the fact thatTo obtainAnd finally, obtaining elements in the confusion vector H according to the element calculation formula.
4. The privacy protection method against member inference attack based on vector obfuscation as claimed in claim 2, wherein the step S21 is further to set a hyper-parameter beta of the obfuscation transformation T;
beta is a parameter of the vector availability constraint that confusion vector H needs to satisfy (beta ≧ 0), indicating that the maximum value in confusion vector H is allowedAnd second maximum valueThe difference alpha between, and the maximum value in the prediction vector CAnd second maximum valueThe maximum difference between the differences d, i.e. alpha, has to be satisfied. If alpha is less thanThen alpha is set toIf alpha is greater thanThen alpha is set to。
5. The privacy protection method against membership inference attacks based on vector obfuscation as claimed in claim 4, wherein said step S3 includes the steps of:
for maximum value of confusion vector HAnd second maximum valueApplying random perturbations eps and-eps, i.e.,,Representing the assignment operation, eps needs to satisfy the following constraint conditions:
s31, if the number of the classes output by the classification model M is more than 2, namely K is more than 2, then
For the third largest value in the confusion vector H,as the third largest value in the confusion vector HSubscript, obtained by solving, eps satisfies;
S32, if the number of classes output by the classification model M is equal to 2, i.e., K =2, then
7. The privacy protection method for resisting member inference attack based on vector confusion as claimed in claim 2, wherein alpha value is fixed for the same model.
8. The privacy protection method for resisting member inference attack based on vector confusion as claimed in claim 4, wherein the beta value is fixed for the same model.
10. The privacy protection system of claim 1, comprising: the model prediction module, the vector confusion module, the vector perturbation module and the model output module are characterized in that:
the model prediction module is used for receiving data input and generating a prediction vector;
the vector confusion module is used for applying order-preserving confusion transformation meeting vector availability constraint on the prediction vector to generate a confusion vector;
the vector perturbation module is used for generating a random perturbation vector and adding the random perturbation vector to the confusion vector to form an order-preserving noise vector;
and the model output module is used for returning the noise vector as a final result of model classification.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110358755.9A CN112733196B (en) | 2021-04-02 | 2021-04-02 | Privacy protection method and system for resisting member reasoning attack based on vector confusion |
Publications (2)
Publication Number | Publication Date |
---|---|
CN112733196A true CN112733196A (en) | 2021-04-30 |
CN112733196B CN112733196B (en) | 2021-07-06 |
Family
ID=75596345
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202110358755.9A Active CN112733196B (en) | 2021-04-02 | 2021-04-02 | Privacy protection method and system for resisting member reasoning attack based on vector confusion |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112733196B (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115906032A (en) * | 2023-02-20 | 2023-04-04 | 之江实验室 | Recognition model correction method and device and storage medium |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106572111A (en) * | 2016-11-09 | 2017-04-19 | 南京邮电大学 | Big-data-oriented privacy information release exposure chain discovery method |
CN108833077A (en) * | 2018-07-02 | 2018-11-16 | 西安电子科技大学 | Outer packet classifier encipher-decipher method based on homomorphism OU password |
CN109492430A (en) * | 2018-10-30 | 2019-03-19 | 江苏东智数据技术股份有限公司 | A kind of internet Keywork method for secret protection and device based on obfuscated manner |
CN111447181A (en) * | 2020-03-04 | 2020-07-24 | 重庆邮电大学 | Location privacy protection method based on differential privacy |
Also Published As
Publication number | Publication date |
---|---|
CN112733196B (en) | 2021-07-06 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |