CN112765662B - Method for supporting privacy protection of training-set members under deep learning - Google Patents

Method for supporting privacy protection of training-set members under deep learning

Info

Publication number
CN112765662B
Authority
CN
China
Prior art keywords
data
training
batch
mixed
memory
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110093713.7A
Other languages
Chinese (zh)
Other versions
CN112765662A (en)
Inventor
李洪伟
陈宗琪
孙昊楠
范文澍
张云
郝猛
陈涵霄
刘小源
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
University of Electronic Science and Technology of China
Original Assignee
University of Electronic Science and Technology of China
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by University of Electronic Science and Technology of China
Priority to CN202110093713.7A
Publication of CN112765662A
Application granted
Publication of CN112765662B
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/21 Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
    • G06F18/214 Generating training patterns; Bootstrap methods, e.g. bagging or boosting
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/04 Architecture, e.g. interconnection topology
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/08 Learning methods

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Data Mining & Analysis (AREA)
  • General Health & Medical Sciences (AREA)
  • Health & Medical Sciences (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Artificial Intelligence (AREA)
  • Software Systems (AREA)
  • Evolutionary Computation (AREA)
  • Biomedical Technology (AREA)
  • Computing Systems (AREA)
  • Bioethics (AREA)
  • Biophysics (AREA)
  • Computational Linguistics (AREA)
  • Mathematical Physics (AREA)
  • Molecular Biology (AREA)
  • Evolutionary Biology (AREA)
  • Bioinformatics & Computational Biology (AREA)
  • Bioinformatics & Cheminformatics (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Medical Informatics (AREA)
  • Databases & Information Systems (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention discloses a method for protecting the privacy of training-set members under deep learning, in the technical field of deep-learning privacy protection. Building on the data-mixing mechanism of Mixup, it applies enhanced confusion training (EMT): training samples are mixed under multiple random permutations, and an additional mixing term, the memory residual term, is carried across batches during training and amplified to strengthen the defence against membership inference attacks. Because of this mixing, the classifier is prevented from memorising individual samples, so membership inference attacks are resisted effectively. The method prevents the model from overfitting its training data and improves the robustness of the target model; it needs no prior knowledge of the attacker and consumes fewer additional computing resources than the prior art; and it resists both model-based and metric-based membership inference attacks.

Description

Method for supporting privacy protection of training-set members under deep learning
Technical Field
The invention belongs to the technical field of deep-learning privacy protection, and in particular relates to a method for supporting privacy protection of training-set members under deep learning.
Background
Machine learning achieves state-of-the-art performance in many real-world tasks such as automated driving, medical diagnosis and speech recognition. However, recent studies have shown that machine learning models are exposed to various privacy threats because they memorise sensitive training data.
One such threat is the membership inference attack: an adversary infers whether a particular data sample was used to train the target model. Since a large amount of personally sensitive information (personal photographs, medical and clinical records, financial investments) is likely to be included in the training of the target model, this is a real risk for privacy-sensitive applications. By training a binary classifier as the attack model, researchers established the first membership inference attack against machine learning models in the black-box setting. This approach is called a model-based attack: the probability vector predicted by the target model is taken as input, and the attack model infers whether the corresponding sample was present in the training of the target model. More recently, researchers proposed metric-based attacks, in which the adversary applies different inference thresholds depending on the attack objective. The thresholds are applied directly to the target model's output, so the attack can be mounted without training any neural network. Experiments show that metric-based attacks achieve results similar to model-based attacks.
To reduce the privacy risk, researchers have proposed several defences against membership inference attacks using known techniques (e.g., restricting the prediction vector, L2 regularization, dropout and differential privacy). Recently, a method called MemGuard, which generates adversarial examples, was proposed: to defend against model-based attacks it crafts perturbation terms and adds them to the output confidence vector of the target model. An adversarial regularization method proposed by Nasr et al., called AdvReg, trains the target model and the attack model jointly, improving the generalisation of the target model against model-based attacks through regularization. Unfortunately, these defences focus mainly on model-based attacks, and metric-based attacks (proposed by Song et al.) break through them easily. Their experimental results show that even when the most advanced defences (e.g., MemGuard and AdvReg) are applied to the target model, the accuracy of metric-based attacks remains high. The metric-based attack is entirely different from the model-based attack, is easier to mount, and achieves the same effect, while a defence against model-based attacks is hard to convert into a defence against metric-based attacks and adapts poorly. Moreover, most existing defences construct the model under prior assumptions about the known adversarial attack method, whereas in reality an adversary may use a different attack. There is therefore a strong need for an effective defence that maintains the performance of the target model while resisting both model-based and metric-based attacks.
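As an added illustration (not part of the patent text), the following Python sketch implements the metric-based membership inference attacks described above: per-sample scores computed from the target model's probability vector (prediction correctness, confidence in the true label, prediction entropy, and the modified prediction entropy of Song et al.), with the decision threshold calibrated on shadow-model outputs that the attacker is assumed to possess. The probability vectors, labels and shadow/target split are constructed for this demonstration, and the accuracy-maximising threshold search is one simple choice, not something the page specifies; the score definitions follow the published metric attacks.

```python
import math

EPS = 1e-12  # keeps log() finite at p = 0 and p = 1


def _log(x):
    return math.log(min(max(x, EPS), 1.0))


def entropy(p):
    """Shannon entropy of a probability vector; low entropy suggests a member."""
    return -sum(pi * _log(pi) for pi in p)


def modified_entropy(p, y):
    """Modified prediction entropy (Song et al.): unlike plain entropy it uses the
    true label y, so a confident but wrong prediction scores high (non-member-like)."""
    return -(1.0 - p[y]) * _log(p[y]) - sum(
        pi * _log(1.0 - pi) for i, pi in enumerate(p) if i != y)


def argmax(p):
    return max(range(len(p)), key=p.__getitem__)


# Membership scores derived from the target model's output: higher = "looks like a member".
METRICS = {
    "correctness": lambda p, y: 1.0 if argmax(p) == y else 0.0,
    "confidence": lambda p, y: p[y],
    "entropy": lambda p, y: -entropy(p),
    "modified_entropy": lambda p, y: -modified_entropy(p, y),
}


def best_threshold(member_scores, nonmember_scores):
    """Choose tau maximising accuracy on shadow data; decision rule: member iff score >= tau.
    Ties resolve to the smallest tau. Returns (tau, accuracy)."""
    total = len(member_scores) + len(nonmember_scores)
    best_tau, best_acc = None, -1.0
    for tau in sorted(set(member_scores) | set(nonmember_scores)):
        hits = sum(s >= tau for s in member_scores) + sum(s < tau for s in nonmember_scores)
        acc = hits / total
        if acc > best_acc:
            best_tau, best_acc = tau, acc
    return best_tau, best_acc


def fit_metric_attack(metric, shadow_members, shadow_nonmembers):
    """Calibrate one metric-based attack on (label, probability-vector) shadow records."""
    score = METRICS[metric]
    return best_threshold([score(p, y) for y, p in shadow_members],
                          [score(p, y) for y, p in shadow_nonmembers])


def infer_membership(metric, tau, p, y):
    """Attack-time decision for one target record: no attack network is needed."""
    return METRICS[metric](p, y) >= tau


# Constructed shadow-model outputs for a 3-class task (hypothetical values):
# members are confidently and correctly predicted, non-members are flatter or wrong.
SHADOW_MEMBERS = [
    (0, [0.97, 0.02, 0.01]), (1, [0.03, 0.95, 0.02]),
    (2, [0.05, 0.05, 0.90]), (0, [0.85, 0.10, 0.05]),
]
SHADOW_NONMEMBERS = [
    (0, [0.55, 0.30, 0.15]), (1, [0.40, 0.45, 0.15]),
    (2, [0.30, 0.50, 0.20]), (0, [0.34, 0.33, 0.33]),
]


def run_demo():
    """Calibrate all four attacks on the constructed shadow data and return
    {metric: (tau, shadow_accuracy)}; correctness alone is the weakest signal here."""
    return {m: fit_metric_attack(m, SHADOW_MEMBERS, SHADOW_NONMEMBERS) for m in METRICS}


if __name__ == "__main__":
    for metric, (tau, acc) in run_demo().items():
        verdict = infer_membership(metric, tau, [0.05, 0.05, 0.90], 2)
        print(f"{metric:17s} tau={tau:+.3f} shadow_acc={acc:.3f} sample->member={verdict}")
```

The point a defender should take from this sketch is the one the background makes: nothing here needs a trained attack model, and the gap the attacks exploit is the difference between the model's behaviour on data it has memorised and on data it has not, which is exactly what the mixing described below is meant to close.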
Disclosure of Invention
The invention aims to provide, in view of the problems above, a universal, effective and low-cost method for resisting membership inference attacks under deep learning.
The method disclosed by the invention for supporting privacy protection of training-set members under deep learning comprises the following steps:
Step S1: deploy the training environment (software and hardware) of the network model to be trained, and collect the original training data set (also called the private data set) used to train it. Because the original training data set may carry private information, a secure access right is configured for it so that it is stored as confidential data, preventing leakage.
Step S2: load the original training data in batches to obtain the initial batches of the current round.
Step S3: randomly mix the initial batches to obtain the current sequence of mixed batches.
Step S4: configure the enhanced mixed training data of the current batch by data obfuscation:
read the mixed batch corresponding to the current batch number from the mixed-batch sequence, and obtain the enhanced mixed training data of the current batch as the weighted sum of that mixed batch and the current memory residual term;
then update the memory residual term from the mixed batch:
randomly select part of the samples of the mixed batch and, together with specified supplementary items, form a retained subset with the same number of samples as the mixed batch; multiply the sum of the retained subset and the current memory residual term by a specified retention parameter to obtain the new memory residual term, and store it. The initial memory residual term is a specified value.
Step S5: train the network model (neural network training) on the enhanced mixed training data of the current batch, until all batches of the current round have been trained.
Step S6: if the preset training end condition is met, stop and output the trained network model; otherwise continue from step S2.
In summary, by adopting the above technical scheme the invention has the following beneficial effects:
the method prevents the model from overfitting its training data and improves the robustness of the target model; it needs no prior knowledge of the attacker and consumes fewer additional computing resources than the prior art; and it effectively resists both model-based and metric-based membership inference attacks.
Drawings
FIG. 1 is a flow chart of the method of the invention in an embodiment;
FIG. 2 is a schematic diagram of the mixing performed by Mixup in an embodiment;
FIG. 3 compares, in an embodiment, the protection of EMT (enhanced confusion training) and of the existing AdvReg (adversarial regularization) against the latest metric-based attacks;
FIG. 4 compares the protection of EMT according to the invention and of MemGuard against the latest metric-based attacks.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention will be described in further detail with reference to the following embodiments and accompanying drawings.
The invention improves the generalisation of the network model on the basis of the processing mechanism of Mixup (a data-mixing technique). It applies Mixup to resist membership inference attacks; however, using Mixup directly does not achieve the expected defence. The enhanced confusion training provided by the invention therefore mixes the training samples under multiple random permutations and adds an additional mixing term during training, which the invention calls the memory residual term and which is amplified to strengthen the defence against membership inference. These mixing operations prevent the classifier from memorising sample data and are thus effective against membership inference attacks. Referring to FIG. 1, the method of the invention for protecting the privacy of training-set members under deep learning is implemented as follows:
step 1, network deployment.
For a model F to be trained (an existing or user-defined neural network model), the user deploys the neural network environment and installs what the training network requires; specifically:
Step 1-1: the machine learning service deployer installs the environment required by the training network (the software environment for training) as preset, and deploys it in a secure hardware environment that does not leak private data.
Step 1-2: the user collects the private training set in advance for the content to be trained; each training sample in the private training set may be image information, or sequence or feature information such as positioning information or medical information.
Step 2: load the private data set in batches, i.e., load the private data of the current round batch by batch.
For the training data set D (the private training set), mini-batch training is used. Assuming the mini-batch size is m, the number of samples N and the number of batches n are related by
(equation image not reproduced in the text: relation between N, m and n)
The initial batches of the current round, to which no defensive measure has yet been applied, are denoted $B_{ori}$:
$$B_{ori} \to \{batch_1, batch_2, batch_3, \ldots, batch_n\} \quad (1)$$
and step 3: random mixing:
in the step, the model F is subjected to Mixup method batch training, wherein the principle of the Mixup training method is as follows:
Mixup is one of the foundations of enhanced confusion training. It constructs virtual training examples by mixing samples together with their training labels; the constructed virtual sample $\tilde{x}$ and its virtual label $\tilde{y}$ are
$$\tilde{x} = \lambda\, x_i + (1-\lambda)\, x_j \quad (2)$$
$$\tilde{y} = \lambda\, y_i + (1-\lambda)\, y_j \quad (3)$$
where $x_i$ and $x_j$ are two different training samples, $y_i$ and $y_j$ are their labels, and $\lambda$ is a weight with $\lambda \sim \mathrm{Beta}(\alpha, \alpha)$, $\lambda \in [0, 1]$, for a hyper-parameter $\alpha \in (0, \infty)$. In the invention, $(x_i, y_i)$ and $(x_j, y_j)$ are two private examples chosen at random from the training data. The effect of mixing a single pair is visualised in FIG. 2. Mixup extends the training distribution with the prior linear knowledge that linear interpolations of feature vectors should lead to linear interpolations of the associated targets; in other words, neighbouring feature-target vectors are generated from neighbouring samples of the Mixup distribution. Mixup can be implemented in a few lines of code with small computational overhead; its hyper-parameter $\alpha$ controls the strength of the interpolation between features and targets.
In this embodiment, the specific implementation steps for implementing the random mixing in step 3 include:
step 3-1: in the batch processing, firstly, data samples of each initial batch of data are subjected to data sample scrambling processing for K times, so that K different batch data copies of each initial batch of data are obtained and recorded as batchcopyk(K ═ 1,2, …, K); that is, the order of m data samples included in the initial batch of data is scrambled, so as to obtain a batch of data copy. Where K is a variable of the degree of mixing which reflects the degree of mixing to some extent. The larger K, i.e., the greater the number of mixing, the higher the degree of disorder.
Step 3-2: using the Mixup method, randomly replicated samples in a batch of training were mixed well. It should be noted that the present invention not only mixes two samples, but also intensifies random mixing multiple times in a batch training, resulting in a well-mixed batch process. This hybrid approach is to run the batch on both data and label simultaneously.
Figure BDA0002912268040000045
Step 3-3: subsequently obtained Mixed batch data BmixupFurther obfuscation operations are then required to obtain truly trained batch results.
Bmixup→{batchmix1,batchmix2,......,batchmixn} (5)
Step 4: data obfuscation:
After each batch iteration, the current mixed batch is retained for training: the sum of the current mixed batch and the current memory residual term is multiplied by a specified retention parameter to obtain a new memory residual term, which is stored and, before the next batch is trained, summed with the data of that batch. This mixes the data set further and improves the robustness and generalisation of the model.
In this embodiment, the specific data obfuscation process is as follows:
step 4-1: in order to mix training data samples in different training processes, the invention sets a memory residue item R. In each iteration, it extracts a portion of the training sample and adds this portion to the next data.
That is, when calculating the memory residue of the first batch, it will be in the batchmixi-1Randomly selecting some of the input data samples to be the memory residue term for each iteration. I.e. slave batchmixi-1Randomly selecting part of the training sample, and forming and batch based on the specified supplementary itemmixi-1Retained data subset batch 'of equal number of training samples included'mixi-1. Of course, the batch can also be directly connectedmixi-1As a reserved data subset. These additional operations need to occupy only little memory space. In each iteration, assume k is the characteristic dimension of input sample data, l is the training batch number, and c is the batch processing training set size, including:
R0=cη·0 (6)
Rl=ηRl-1+βbatchmixi-1 (7)
if, only selecting part of the training samples constitutes the retained data subset batch'mixi-1Then the batch in the formula (7) is addedmixi-1Is replaced by batch'mixi-1That is, η represents a preset weight of the memory residue term, and β represents a weight of the mixed batch data.
Step 4-2: during the first iterative training, the memory residual data is formed by all 0 vectors, namely during the first training, confusion processing is not carried out, all zero vectors with the dimensionality of k are directly used as the initial values of the memory residual items R, and the memory residual items R of the first iterative training are obtained0
Step 4-3: the second iteration training begins, and the mixed data batch of the last iterationmixiJointly forming confusion data, after iterative summation of the two data, dividing the confusion data by the number of times of batch training which has been trained so far, and mixing the confusion itemsThe spread extends from the first batch training to the latest batch training. Namely, the memory residue term obtained from the second iteration training to the nth iteration training is Rl
Step 4-4: the mixed sample and the previous iteration training sample are mixed in the same batch, and part of the mixed data sample is used as a memory residual item of the next iteration training. Combining formulas (5) to (7), the final result of the enhanced mixed training in the batch training process is obtained, and the defense batch is recorded as batchdi
Figure BDA0002912268040000051
Let eta and beta be variables controlling the proportion of the enhanced aliasing training, represent the mixture data sample batchmixiAnd obfuscating the data sample RiThe occupied weight of (c). Maximum batchdiTo train the model and continue this strategy in each batch training round.
The enhanced confusion training does not require a priori knowledge of the attacker, thereby improving the robustness of the model, but if the amount of mixing is too large, the loss of model accuracy is beyond tolerance. So in general the value of η is typically larger than the value of β. The model size can be 3-99 times different.
And 5: network training: and (4) performing neural network training by adopting the processed batch data obtained in the step (4), and performing normal forward and backward propagation and optimization. The network is replaceable and the technology is independent of the network architecture.
Step 5-1: forward propagation of training data, using batchdiAnd executing training and training the model.
Step 5-2: the network is optimized by using an optimizer, in the embodiment, the adopted optimizer is an adam optimizer, and the optimizer can be selected by self according to different networks in practice and is not related to a confusion technology. Automatically calculating loss by using an optimizer, completing back propagation, updating the network weight, entering the iterative training of the next batch, and repeating the step 3 until all batches of training of the current round are completed;
step 6: if the preset training end condition is reached, stopping training to obtain a trained network model; otherwise, the process continues to step S2, and the next round of training process is performed.
And 7: deploying a model: the trained model can be deployed into machine learning service and is accessed through an open interface.
The model trained by adopting the steps has the capability of resisting member reasoning attack, and can be deployed on a cloud server to open a prediction interface for a user to access.
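The following Python sketch is an added worked example of steps 2 to 5 above; it is not code from the patent. It covers batching per formula (1), K position-scrambled copies mixed with Mixup per formulas (2) and (3), the memory residual update of formulas (6) and (7), and the weighted blend of the mixed batch with the residual that claims 5 and 6 describe. Because the page does not reproduce formulas (4) and (8), the example makes its own choices and labels them as assumptions: each scrambled copy is folded into the batch sample-wise with its own λ drawn from Beta(α, α); the residual is kept for the input features only, so the mixed labels remain probability vectors; the supplementary item for a dropped sample is the zero vector; and the blend weights w_mix and w_mem (w_mix + w_mem = 1, w_mem ≤ w_mix) are kept distinct from the update weights η and β, which the page writes with the same symbols. The private data set is constructed for the demonstration, and the training step itself (any network, per step 5) is left to the caller.

```python
import random


def make_batches(samples, m):
    """Formula (1): cut the private set into consecutive mini-batches of size m."""
    return [samples[i:i + m] for i in range(0, len(samples), m)]


def _lerp(a, b, lam):
    """Formulas (2)/(3) on one vector pair: lam * a + (1 - lam) * b."""
    return [lam * ai + (1.0 - lam) * bi for ai, bi in zip(a, b)]


def mix_batch(batch, K, alpha, rng):
    """Step 3: K position-scrambled copies of the batch, each folded in with Mixup.
    batch is a list of (x, y) with x a feature list and y a one-hot label list.
    ASSUMPTION (formula (4) is not on the page): copy k is mixed into the running
    result sample-wise with its own lambda_k ~ Beta(alpha, alpha)."""
    mixed = [(list(x), list(y)) for x, y in batch]
    for _ in range(K):
        copy = list(batch)
        rng.shuffle(copy)                    # batch_copy_k: same samples, new order
        lam = rng.betavariate(alpha, alpha)  # lambda in [0, 1]
        mixed = [(_lerp(x, cx, lam), _lerp(y, cy, lam))
                 for (x, y), (cx, cy) in zip(mixed, copy)]
    return mixed


def update_residual(residual, batch_mix, eta, beta, keep, rng=None):
    """Formula (7): R_l = eta * R_{l-1} + beta * batch'_mix, where batch'_mix keeps each
    mixed sample with probability `keep` and fills the rest with zero vectors
    (ASSUMPTION: zero vector as the 'supplementary item'). keep=1.0 is the claim-2
    case of retaining the whole mixed batch. Only input features are retained."""
    if rng is None:
        rng = random.Random(0)
    kept = [x if rng.random() < keep else [0.0] * len(x) for x, _ in batch_mix]
    return [[eta * r + beta * v for r, v in zip(rx, x)] for rx, x in zip(residual, kept)]


def enhanced_batch(batch_mix, residual, w_mem):
    """Step 4 / claim 5: weighted sum of the mixed batch and the memory residual with
    w_mem + w_mix = 1 and w_mem <= w_mix (claim 6: w_mem/w_mix between 1/99 and 1/3)."""
    if not 0.0 <= w_mem <= 0.5:
        raise ValueError("memory-residual weight must not exceed the mixed-batch weight")
    w_mix = 1.0 - w_mem
    return [([w_mix * a + w_mem * r for a, r in zip(x, rx)], y)
            for (x, y), rx in zip(batch_mix, residual)]


def emt_epoch(samples, m, K, alpha, eta, beta, keep, w_mem, seed=0):
    """Steps S2-S5 for one round: returns the list of batches a trainer would consume.
    The first batch of a round is trained unblended (R_0 = 0, step 4-2)."""
    rng = random.Random(seed)
    k = len(samples[0][0])
    residual = [[0.0] * k for _ in range(m)]          # formula (6): R_0 = 0
    out = []
    for idx, batch in enumerate(make_batches(samples, m)):
        if len(batch) < m:
            continue                                  # ASSUMPTION: drop a ragged last batch
        batch_mix = mix_batch(batch, K, alpha, rng)
        out.append(batch_mix if idx == 0 else enhanced_batch(batch_mix, residual, w_mem))
        residual = update_residual(residual, batch_mix, eta, beta, keep, rng)
    return out


# Constructed private set: 2 features in [0, 1], 2 classes, one-hot labels.
PRIVATE_SET = [
    ([0.10, 0.90], [1.0, 0.0]), ([0.20, 0.80], [1.0, 0.0]), ([0.15, 0.70], [1.0, 0.0]),
    ([0.90, 0.10], [0.0, 1.0]), ([0.80, 0.25], [0.0, 1.0]), ([0.70, 0.20], [0.0, 1.0]),
]


def run_demo(seed=0):
    """One EMT round over PRIVATE_SET: m=2, K=3, alpha=1, eta=0.9 > beta=0.1 (as the
    description recommends), half of each mixed batch retained, w_mem=0.1."""
    return emt_epoch(PRIVATE_SET, m=2, K=3, alpha=1.0, eta=0.9, beta=0.1,
                     keep=0.5, w_mem=0.1, seed=seed)


if __name__ == "__main__":
    for i, b in enumerate(run_demo()):
        for x, y in b:
            print(f"batch {i}: x={[round(v, 3) for v in x]} y={[round(v, 3) for v in y]}")
```

Each batch returned by `emt_epoch` is what step 5 would feed to the forward pass; because the mixed labels are convex combinations of one-hot vectors, the training loss must accept soft targets (a cross-entropy against a probability vector rather than an integer class). Keeping the residual on the inputs only is the choice that keeps those targets valid without renormalisation; a reader who wants the residual on labels as well would need a retention rule with η + β = 1.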
Examples
The method is used to train medically related network models, for example recognition of medical images with a neural network model, or prediction of a specified disease state (a predictor) from monitored feature data formed by collected physiological measurements of a patient's physical condition and a configured neural network model. The specific implementation comprises the following steps:
Step 1, network initialisation: the user deploys the environment for training the medical neural network, installs the tools the training network requires, collects the medical private data set and labels it with information such as the patient's physical condition; the label indicates whether the patient has the disease.
Step 2, reading the private data set: before each round of formal training, the medical private data to be trained in the current round are selected, loaded and preprocessed. The data set is confidential: its owner does not want it to be discoverable that any member participated in the training, so the private data set must not be revealed in any way.
Step 3, random mixing: before each round of formal training, the private data are mixed at the start of each iteration using mini-batch training. A fixed amount of batch data is randomly selected in each training round and mixed with Mixup, mixing labels and data at the same time.
Step 4, data obfuscation: after each training iteration, part of the data used for training is retained and multiplied by a retention parameter to form a memory residual term, which is mixed with the data of the next batch before that batch is trained. This mixing operation is performed between the medical data of any two members. Its aim is to mix the data set further and improve the robustness and generalisation of the model.
Step 5, network training: neural network training on the processed batch data from step 4, with normal forward propagation, back-propagation and optimisation. The specific network structure is replaceable and not limited by the invention.
Step 6, deploying the model: the trained model can be deployed as a machine learning service with an open interface, giving a predictor for the specified disease that predicts a patient's condition without revealing to a malicious user which members of the training set have the disease.
The enhanced confusion training of the invention targets model-based and metric-based attacks in the black-box setting; it prevents the model from overfitting its training data and improves the robustness of the target model. The trained network model is robust and adaptive and needs no prior knowledge of the attacker. In addition, enhanced confusion training consumes very few additional computing resources compared with other existing methods (e.g., MemGuard). Experiments compared the enhanced confusion training of the invention with MemGuard and AdvReg in defending against model-based and metric-based attacks. The results show that enhanced confusion training succeeds in defending against membership inference attacks, while the other two methods fail against metric-based attacks. The comparison results are shown in FIG. 3 and FIG. 4, where the first row of each table gives, from left to right: data set, defence method, training accuracy, test accuracy, and the accuracy of the correctness-based, confidence-based, entropy-based and modified-entropy-based attacks.
While the invention has been described with reference to specific embodiments, any feature disclosed in this specification may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise; all of the disclosed features, or all of the method or process steps, may be combined in any combination, except mutually exclusive features and/or steps.

Claims (7)

1. A method for supporting privacy protection of training-set members under deep learning, characterised by comprising the following steps:
step S1: deploying a training environment of a network model to be trained, and collecting and acquiring an original training data set for training the network model to be trained; configuring a security access right for the original training data set;
step S2: loading original training data in a batch processing mode to obtain a plurality of initial batch data of the current round;
step S3: carrying out random mixing processing on the initial batch data to obtain a current mixed batch data sequence;
the random mixing treatment of each initial batch of data specifically comprises the following steps:
performing position scrambling processing on the data sample of the initial batch of data to obtain a batch data copy of the initial batch of data, and recording the batch data copy as batchcopyk(ii) a Repeating for multiple times to obtain multiple batch data copies of each initial batch of data;
according to the formula
Figure FDA0003560798290000011
Obtaining mixed batch data batch of the ith batchmixiWherein λ represents a weight, and λ ∈ [0,1 ]]Where i is 1,2, …, n, n indicates the number of sample batches, K is 1,2, …, K indicates the number of batch data copies of the original batch data;
step S4: configuring the enhanced mixed training data of the current batch based on a data confusion mode;
reading mixed batch data corresponding to the current batch number from the mixed batch data sequence, and obtaining enhanced mixed training data of the current batch based on the weighted sum of the mixed batch data and the current memory residual item;
and updating a memory residual item based on the mixed batch data:
randomly selecting partial samples from the mixed batch data, forming a retention data subset with the same number of samples included in the mixed batch data based on specified supplementary items, multiplying the sum of the retention data subset and the current memory residue item by a specified retention parameter to obtain a new memory residue item, and storing the new memory residue item, wherein the initial memory residue item is a specified value;
step S5: performing deep learning training on the network model to be trained based on the enhanced mixed training data of the current batch until all batches of training of the current round are finished;
step S6: if the preset training end condition is reached, stopping training to obtain a trained network model; otherwise, execution continues with step S2.
2. The method according to claim 1, wherein in step S4, when updating the memory residual item based on the mixed batch data, the mixed batch data is directly used as the retained data subset.
3. The method according to claim 2, wherein in step S4, when updating the memory residual item based on the mixed batch data, setting a retention parameter as:
(equation image not reproduced in the text: retention parameter expressed in $\eta$ and $\beta$)
where η denotes the preset weight of the memory residual term and β denotes the weight of the mixed batch data.
4. The method according to claim 1, wherein in step S4, the initial memory residual term is an all-zero vector.
5. The method according to claim 1, wherein in step S4, when the enhanced mixed training data of the current batch is obtained as the weighted sum of the mixed batch data and the current memory residual term, the weight of the memory residual term is not greater than the weight of the mixed batch data, and the two weights sum to 1.
6. The method according to claim 5, wherein in step S4, the ratio of the weight of the memory residual term to the weight of the mixed batch data lies in the range 1/99 to 1/3.
7. The method according to claim 1, wherein each training sample in the raw training data set is image information, or sequence feature information about an individual's behavior or state.
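The following is an added worked example, not code from the patent or its inventors, of the memory residual procedure of step S4 as constrained by claims 2 to 6: the enhanced batch is β·(mixed batch) + η·(memory residual); the residual is then updated to γ·(retained subset + residual), where the retained subset is either the whole mixed batch (claim 2) or a random subset padded with a supplementary item (claim 1); the initial residual is all zeros (claim 4); and the η/β constraints of claims 5 and 6 are checked before training. The formula for the retention parameter in claim 3 is not reproduced on this page, so γ is passed in as a free parameter here rather than derived from η and β. The mixed batch sequence is taken as given, since its construction belongs to the part of claim 1 that precedes this excerpt. The symbol γ, the zero padding value for supplementary items, all function and class names, and the constructed input batches are assumptions of this example.

```python
"""Added worked example of the memory residual of step S4 (claims 1-6).

Illustration code, not the patent's own implementation. The mixed batch
sequence is taken as given. The retention parameter gamma is a free input
because the formula of claim 3 is not reproduced on the page. A batch is a
list of samples, each sample a list of floats.
"""
import random
from typing import List

Batch = List[List[float]]


def check_weights(eta: float, beta: float) -> float:
    """Enforce claims 5 and 6: eta (memory residual weight) <= beta (mixed
    batch weight), eta + beta == 1, and eta / beta within [1/99, 1/3].
    Returns the ratio eta / beta."""
    if abs(eta + beta - 1.0) > 1e-9:
        raise ValueError("weights of memory residual and mixed batch must sum to 1")
    if eta > beta:
        raise ValueError("memory residual weight must not exceed mixed batch weight")
    ratio = eta / beta
    if not (1 / 99 - 1e-12 <= ratio <= 1 / 3 + 1e-12):
        raise ValueError(f"eta/beta = {ratio:.4f} is outside [1/99, 1/3]")
    return ratio


def weighted_sum(a: Batch, b: Batch, wa: float, wb: float) -> Batch:
    """Element-wise wa*a + wb*b for two batches of equal shape."""
    return [[wa * x + wb * y for x, y in zip(ra, rb)] for ra, rb in zip(a, b)]


class MemoryResidual:
    """Holds the memory residual term across the batches of one training round."""

    def __init__(self, n_samples: int, n_features: int, eta: float, beta: float,
                 gamma: float, retain_fraction: float = 1.0, fill: float = 0.0,
                 seed: int = 0) -> None:
        check_weights(eta, beta)
        self.eta, self.beta, self.gamma = eta, beta, gamma
        self.retain_fraction = retain_fraction  # 1.0 -> whole batch retained (claim 2)
        self.fill = fill                        # assumed value of the supplementary item
        self.rng = random.Random(seed)
        # claim 4: the initial memory residual is an all-zero vector
        self.memory: Batch = [[0.0] * n_features for _ in range(n_samples)]

    def enhance(self, mixed_batch: Batch) -> Batch:
        """Enhanced mixed training data = beta*mixed_batch + eta*memory (step S4)."""
        return weighted_sum(mixed_batch, self.memory, self.beta, self.eta)

    def retained_subset(self, mixed_batch: Batch) -> Batch:
        """Random subset of the batch, padded with supplementary items back to
        batch size; with retain_fraction == 1.0 the whole batch is used (claim 2)."""
        n, d = len(mixed_batch), len(mixed_batch[0])
        k = max(1, round(self.retain_fraction * n))
        if k >= n:
            return [row[:] for row in mixed_batch]
        idx = self.rng.sample(range(n), k)
        return [mixed_batch[i][:] for i in idx] + [[self.fill] * d for _ in range(n - k)]

    def update(self, mixed_batch: Batch) -> Batch:
        """New memory residual = gamma * (retained subset + current memory residual)."""
        retained = self.retained_subset(mixed_batch)
        self.memory = [[self.gamma * (r + m) for r, m in zip(rr, mr)]
                       for rr, mr in zip(retained, self.memory)]
        return self.memory


def run_round(batches: List[Batch], eta: float, beta: float, gamma: float,
              retain_fraction: float = 1.0):
    """One training round over the mixed batch sequence. Each batch is enhanced
    with the current residual first and the residual is updated afterwards, the
    order given in step S4. Returns the enhanced batches (what step S5 would
    train on) and the final residual."""
    n, d = len(batches[0]), len(batches[0][0])
    mr = MemoryResidual(n, d, eta, beta, gamma, retain_fraction)
    enhanced = []
    for batch in batches:
        enhanced.append(mr.enhance(batch))
        mr.update(batch)
    return enhanced, mr.memory


if __name__ == "__main__":
    # constructed input: three identical mixed batches of two samples with two features
    demo = [[[1.0, 1.0], [1.0, 1.0]] for _ in range(3)]
    out, residual = run_round(demo, eta=0.1, beta=0.9, gamma=0.5)
    for i, b in enumerate(out):
        print(f"batch {i}: enhanced sample 0 = {b[0]}")
    print("final memory residual:", residual)
```

Because the residual is scaled by γ on every update and only mixed with weight η ≤ 1/4 into the training input, it behaves as an exponentially decaying average of earlier batches, so each enhanced batch carries a small, fading trace of previous batches rather than a copy of any single raw sample.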
CN202110093713.7A 2021-01-22 2021-01-22 Method for supporting privacy protection of training integrator under deep learning Active CN112765662B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110093713.7A CN112765662B (en) 2021-01-22 2021-01-22 Method for supporting privacy protection of training integrator under deep learning

Publications (2)

Publication Number Publication Date
CN112765662A CN112765662A (en) 2021-05-07
CN112765662B true CN112765662B (en) 2022-06-03

Family

ID=75706918

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113283520B (en) * 2021-06-03 2024-02-13 Zhejiang University of Technology Feature-enhancement-based deep model privacy protection method and device against membership inference attacks
CN113298268B (en) * 2021-06-11 2024-03-19 Zhejiang University of Technology Vertical federated learning method and device based on adversarial noise injection
CN113283536B (en) * 2021-06-11 2024-03-29 Zhejiang University of Technology Deep model privacy protection method based on outlier detection against membership inference attacks
CN117951529A (en) * 2024-03-26 2024-04-30 Jinan Inspur Data Technology Co., Ltd. Sample acquisition method, device and equipment for hard disk data failure prediction

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110516812A (en) * 2019-07-19 2019-11-29 Nanjing University of Aeronautics and Astronautics AI model privacy protection method based on adversarial examples against membership inference attacks
CN111242196A (en) * 2020-01-06 2020-06-05 Guangxi Normal University Differential privacy protection method for interpretable deep learning
CN112165462A (en) * 2020-09-11 2021-01-01 Harbin Antiy Technology Group Co., Ltd. Profile-based attack prediction method and device, electronic device and storage medium

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8768847B2 (en) * 2012-06-21 2014-07-01 Microsoft Corporation Privacy enhancing personal data brokerage service
CN108520181B (en) * 2018-03-26 2022-04-22 Lenovo (Beijing) Co., Ltd. Data model training method and device
CN111275202B (en) * 2020-02-20 2023-08-11 University of Jinan Machine learning prediction method and system for data privacy protection
CN111738405B (en) * 2020-05-11 2024-05-03 Nanjing University of Aeronautics and Astronautics User-level membership inference method based on generative adversarial networks
CN111898145B (en) * 2020-07-22 2022-11-25 Suzhou Inspur Intelligent Technology Co., Ltd. Neural network model training method, device, equipment and medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant