Detailed Description
In order to make those skilled in the art better understand the technical solutions in the embodiments of the present application, the technical solutions in the embodiments of the present application will be described clearly and completely below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, but not all embodiments. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments in the present application shall fall within the scope of the protection of the embodiments in the present application.
The following further describes specific implementations of embodiments of the present application with reference to the drawings of the embodiments of the present application.
Data security and privacy, artificial intelligence and data complement and promote each other's development. At the same time, data security is also the key to artificial intelligence security. Once the capabilities of artificial intelligence are improperly or maliciously exploited, they not only threaten personal privacy and enterprise asset security, but can even affect social stability and national security. Therefore, in the field of artificial intelligence applications, protection of individual privacy feature data is particularly important in scenarios such as face recognition.
In general, data desensitization processes can be classified, according to their desensitization rules, into recoverable desensitization and non-recoverable desensitization. In recoverable desensitization, after the data has been transformed by the desensitization rule, the original data before desensitization can be restored through certain processing (for example, by a party that holds the key or mapping on which the rule relies). In non-recoverable desensitization, the data cannot be restored to the original data once it has been transformed.
In addition, because an artificial intelligence model can be used to protect sensitive data, with the desensitization rules embodied in the parameters of the model, the security of the model itself is also critical. Generally, a great deal of manpower and development cost is required to obtain a high-quality model, and once an externally deployed artificial intelligence model is reverse engineered or leaked, a very serious indirect data attack results, that is, a very serious security problem. Therefore, how to prevent the model from being leaked or stolen becomes an important security problem.
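As an added illustration of the two classes of desensitization (example code, not from the present application), the following Python shows tokenization through a vault as a recoverable scheme, and keyed HMAC and partial masking as non-recoverable schemes. It also shows the check a practitioner should make before calling an unkeyed hash "non-recoverable": over a small, enumerable value space the hash is reversed by a dictionary attack, whereas the keyed variant is not. The sample phone number, the candidate list and the in-memory vault are constructed for the example.

```python
"""Recoverable vs. non-recoverable desensitization, an added example (not from the
application). Assumptions: tokenization with an in-memory vault stands in for
recoverable desensitization; keyed HMAC and partial masking stand in for
non-recoverable desensitization. All sample values are constructed."""
import hashlib
import hmac
import secrets


class TokenVault:
    """Recoverable: the original is restorable, but only by whoever holds the vault."""

    def __init__(self):
        self._forward = {}
        self._reverse = {}

    def desensitize(self, value):
        if value not in self._forward:
            token = "tok_" + secrets.token_hex(8)   # random token carries no information
            self._forward[value] = token
            self._reverse[token] = value
        return self._forward[value]

    def restore(self, token):
        return self._reverse[token]


def pseudonymize(value, key):
    """Non-recoverable: keyed HMAC-SHA256. Deterministic, so records stay joinable,
    but one-way and, without the key, not guessable by hashing candidate values."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def unkeyed_hash(value):
    """Looks non-recoverable, but is not for low-entropy data (see dictionary_attack)."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def mask(value, keep_last=4):
    """Non-recoverable partial masking, e.g. an ID number shown as *******1234."""
    keep = value[-keep_last:] if keep_last > 0 else ""
    return "*" * (len(value) - len(keep)) + keep


def dictionary_attack(digest, candidates):
    """What an attacker without the key can do: hash every candidate and compare.
    Succeeds against an unkeyed hash whenever the value space is enumerable."""
    for c in candidates:
        if hmac.compare_digest(unkeyed_hash(c), digest):
            return c
    return None


def demo():
    vault = TokenVault()
    phone = "13800138000"                                   # constructed sample value
    token = vault.desensitize(phone)
    candidates = ["138001380%02d" % i for i in range(100)]  # attacker's small guess space
    key = secrets.token_bytes(32)                           # held only by the desensitizer
    return {
        "roundtrip": vault.restore(token) == phone,
        "token_same_on_repeat": vault.desensitize(phone) == token,
        "masked": mask(phone),
        "unkeyed_recovered": dictionary_attack(unkeyed_hash(phone), candidates),
        "keyed_recovered": dictionary_attack(pseudonymize(phone, key), candidates),
    }


if __name__ == "__main__":
    print(demo())
```

The vault is what makes the first scheme recoverable, so it must be protected at least as well as the original data; the keyed scheme has the same dependency on its key, but losing the key destroys the pseudonyms rather than exposing the data.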
Fig. 1A is a flowchart of steps of a model training method according to a first embodiment of the present application, and the solution of the present embodiment may be applied to any suitable electronic device with data processing capability, including but not limited to: server, mobile terminal (such as mobile phone, PAD, etc.), PC, etc. The model training method comprises the following steps:
110: first desensitization training data is acquired.
It should be understood that the desensitization training data herein may be labeled historical sensitive data, including but not limited to personal privacy information such as passwords, names and identity information, and business context data that is critical to the business process of a particular context. It should also be understood that the embodiments of the present application are applicable to both recoverable and non-recoverable desensitization.
120: and performing initial training on the target neural network by using the first desensitization training data, wherein the initial training is used for adjusting parameters of the target neural network.
It should be appreciated that a first partial network of the initially trained target neural network is for deployment in a Trusted Execution Environment (TEE).
It should also be understood that the target neural network may be any type of neural network, such as a feed-forward neural network, a convolutional neural network, a recurrent neural network. For example, the target neural network may be a multi-layer neural network.
It should also be understood that adjusting the parameters of the target neural network may mean adjusting all parameters (e.g., weights) of the target neural network according to the objective (loss) function until a convergence condition of the objective function is satisfied.
130: security processing is performed on the output data of the first partial network in the initially trained target neural network to obtain second desensitization training data.
It should be understood that the target neural network may be divided into a first partial network and a second partial network at a particular network layer of the target neural network. The combination of the first partial network and the second partial network may be the whole target neural network or only part of it. The target neural network may be divided into the first partial network and the second partial network prior to the initial training. It is also possible to select the specific network layer (e.g., a specific number of network layers, or a ratio of the number of network layers) based on the training result after the initial training (which adjusts all parameters of the target neural network) is completed.
It should also be appreciated that the secure processing of the output data may be in any manner, such as encryption processing, privacy processing, noise processing, and the like.
140: fine-tuning training is performed on the second partial network in the initially trained target neural network by using the second desensitization training data, wherein the output layer of the first partial network is connected to the input layer of the second partial network, and the fine-tuning training is used to further adjust the already adjusted parameters of the second partial network.
150: a data desensitization model is determined from the initially trained first partial network and the second partial network trained via the fine tuning.
It should be appreciated that the second partial network via the fine tuning training is for deployment in a Rich Execution Environment (REE).
It will also be appreciated that the fine-tuning training further adjusts the parameters of the already adjusted second partial network. In other words, the parameters belonging to the second partial network, which were already adjusted in the initial training, are used directly as the starting point for continued training, so that the parameters of the second partial network are adjusted further.
It should also be understood that the model training method and the data desensitization method according to the embodiments of the present application may be applied to application scenarios with security requirements, including but not limited to: face door locks, smart communities, access control systems such as access-control all-in-one machines and contactless attendance, smart vending machines, smart class boards, face capture, artificial intelligence devices such as AI boxes, smart cockpits, and other Internet of Things device application scenarios.
The model training method and the data desensitization method of the present embodiment are also applicable to: (1) mobile payment: fingerprint verification, PIN code input, etc.; (2) confidential data: secure storage of private keys, certificates, and the like; (3) content protection: DRM (digital rights management) and the like.
According to the method provided by the embodiment of the present application, the second desensitization training data is obtained by performing security processing on the output data of the first partial network in the initially trained target neural network, and the second partial network is fine-tuned by using the second desensitization training data. The first partial network and the second partial network are thus trained with different training data, which prevents the original target neural network from being reconstructed by combining the first partial network and the second partial network of the data desensitization model, and data security is ensured.
In another implementation of the present application, the initially trained first partial network is for deployment in a trusted execution environment (TEE), and the second partial network trained via fine-tuning is for deployment in a rich execution environment (REE).
Since the first partial network in the initially trained target neural network is deployed in the trusted execution environment, an effective data desensitization process can be performed using a data desensitization model that includes the first partial network.
Specifically, the TEE and the REE may coexist on the same device. Generally, a rich operating system such as Linux runs in the REE, while operations with higher security requirements, such as fingerprint comparison, or payment scenarios that require signing with a private key, are safer when executed in the TEE.
Furthermore, the TEE has its own execution space, that is, it runs its own (trusted) operating system, which has a higher security level than the rich operating system (the normal operating system).
Furthermore, the software and hardware resources accessed by the TEE can be separated from the rich operating system. The TEE provides a secure execution environment for authorized trusted applications (TAs), and also protects the confidentiality, integrity and access rights of each TA's resources and data. Typically, in order to guarantee the root of trust of the TEE itself, the TEE is authenticated and isolated from the rich operating system during secure boot. Within the TEE, TAs are independent of each other and cannot access each other without authorization.
In other words, the operating system of the TEE hosts its own applications (TAs); not only is the TEE's operating environment independent of the normal operating system, but each TA in the TEE also needs to be authorized and runs independently of the other TAs.
In another implementation of the present application, performing security processing on the output data of the first partial network in the initially trained target neural network to obtain the second desensitization training data includes: performing differential privacy processing on the output data of the initially trained first partial network to obtain a scrambled representation of the output data; and performing noise processing on the scrambled representation to obtain the second desensitization training data.
Based on the above configuration, with the scrambled representation and the noise processing, the reliability of the security processing is improved.
In another implementation of the present application, performing differential privacy processing on the output data of the initially trained first partial network to obtain a scrambled representation of the output data includes: inputting the output data of the initially trained first partial network and reference training data into a target generative adversarial network (GAN) for training; if the discrimination criterion of the discriminator of the target generative adversarial network is met, the reference training data is determined to be a scrambled representation of the output data.
It should be understood that the second desensitization training data may also be obtained by processing the first desensitization training data separately.
Based on the above configuration, the discriminator of the generative adversarial network can efficiently compare and discriminate between the reference training data and the output data, so the accuracy of the scrambled representation is improved and security is further improved.
FIG. 1B is a schematic block diagram of the model training method in the embodiment shown in FIG. 1A. As shown, the target neural network is initially trained using the training data, resulting in an initially trained target neural network. The first partial network of the initially trained target neural network is determined as the TEE network shown in the figure. The second partial network of the initially trained target neural network is determined as the desensitization network shown in the figure. Fine-tuning training is then performed on the desensitization network to obtain the trained desensitization network shown in the figure.
It is to be understood that the output layer of the first partial network is connected to the input layer of the second partial network. The first partial network and the second partial network may form all or part of the target neural network. For example, the first partial network may be a portion of a neural network layer in the target neural network.
It should also be understood that the training data for the fine-tuning training of the second partial network may be obtained by inputting training data into the first partial network and taking the data at the output layer of the first partial network (i.e., as shown, the output data of the TEE network).
It will also be appreciated that the output data of the initially trained first partial network, together with the reference training data, may be input into the target generative adversarial network for training. For example, as shown, a first output of the TEE network may be connected to the input of the generator of the generative adversarial network, the generator being used to generate a scrambled representation of the output data. The second output of the TEE network and the output of the generator are connected to the discriminator of the generative adversarial network; when the discrimination condition of the discriminator of the target generative adversarial network is met, the discriminator determines the reference training data as the scrambled representation of the output data, and specifically, when the discrimination condition is satisfied, the scrambled representation of the output data is input to the desensitization network as its training data.
In addition, parameters in the desensitization network can be adjusted by adopting a target loss function, and when the target loss function meets a preset convergence condition, the training of the desensitization network is finished.
It can be seen that the second partial network, i.e. the desensitization network, uses the same training data as the first partial network during the initial training of the first stage, but uses training data different from that of the first partial network during the fine-tuning training of the second stage. Thus, even if both the first partial network and the second partial network are leaked, the target neural network cannot be obtained by combining the first partial network and the second partial network, because of the difference in the training data at the two training stages.
Fig. 2A is a flowchart of steps of a data desensitization method according to the second embodiment of the present application, and the solution of the present embodiment may be applied to any suitable electronic device with data processing capability, including but not limited to: server, mobile terminal (such as mobile phone, PAD, etc.) and PC, etc., the data desensitization method includes:
210: data to be desensitized is acquired.
220: the data to be desensitized is input into the first partial network in the data desensitization model to obtain the output data of the first partial network, wherein the data desensitization model is obtained by training with the model training method described above.
230: security processing is performed on the output data, and the processed output data is input into the second partial network in the data desensitization model to obtain the desensitized data.
According to the method provided by the embodiment of the present application, because the second desensitization training data is obtained by performing security processing on the output data of the first partial network in the initially trained target neural network, and the second partial network is fine-tuned using the second desensitization training data, the first partial network and the second partial network are trained with different training data. This prevents the original target neural network from being reconstructed by combining the first partial network and the second partial network of the data desensitization model, so that data security is ensured when the data desensitization model is applied.
In addition, when the data desensitization model is applied, data to be desensitized may be acquired from the REE environment into the TEE environment for input into the TEE network.
In addition, the output data of the TEE network and the reference data may be input into the generative adversarial network for training; if the discrimination criterion of the discriminator of the generative adversarial network is met, the reference data is determined as a scrambled representation of the output data. In particular, the generative adversarial network may run in another TEE (which may be referred to as a second TEE) independent of the TEE in which the TEE network runs (which may be referred to as a first TEE). For example, the generative adversarial network may fetch the output data of the TEE network (the first partial network) from the first TEE into the second TEE, resulting in the reference data. This reference data may then be transferred from the second TEE into the REE for input into the desensitization network (the second partial network).
In another implementation of the present application, acquiring the data to be desensitized comprises: acquiring the data to be desensitized into the trusted execution environment, wherein the first partial network is deployed in the trusted execution environment.
Based on the above configuration, the reliability of data desensitization can be improved with the first partial network deployed in the trusted execution environment.
In another implementation of the present application, performing security processing on the output data includes: obtaining the output data from the trusted execution environment into the rich execution environment; and performing the security processing on the output data in the rich execution environment.
Based on this configuration, because the output data is not the training data itself, its security level is lower than that of the training data, so processing it in the rich execution environment improves data processing efficiency. Note that the un-noised output of the first partial network is then present in the REE before the security processing is applied; where that intermediate representation is itself considered sensitive, the security processing should be performed in the TEE and only the processed result transferred out, as in the second example described for Fig. 2B below.
FIG. 2B is a schematic block diagram of a data desensitization method in the embodiment shown in FIG. 2A. As shown, in applying the above model, a TEE network may be deployed in a TEE environment and a desensitization network may be deployed in a REE environment. The TEE environment and the REE environment can adopt secure communication for data transmission and can also adopt a general communication mode for data transmission.
Sensitive data serving as the data to be desensitized can be acquired into the TEE and input into the TEE network trained in the manner described above. Further, in one example, the output data of the TEE network may be transferred directly to the REE for security processing (e.g., privacy processing/noise processing), resulting in a desensitized feature. In another example, the output data of the TEE network may be securely processed in the TEE to obtain the desensitized feature, which is then transferred to the REE.
In the REE environment, the desensitization feature obtained above may be input into the desensitization network obtained in the above embodiment, so as to obtain desensitization data.
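The training steps 110 to 150 of the first embodiment and the deployment of steps 210 to 230 and Fig. 2B above, worked through as an added pure-Python example (not the applicant's code): a small target neural network is trained in full, split after its hidden layer into a TEE part and an REE part, the TEE part's outputs are clipped and noised with the Gaussian mechanism (standing in for the differential privacy, scrambling and noise processing of the application; the GAN-based scrambled representation is not reproduced), the REE part alone is fine-tuned on those noised features, and inference then crosses a simulated TEE/REE boundary with the noise added on the TEE side, as in the second example described for Fig. 2B. The network shape, the synthetic training vectors, the noise scale sigma=0.3 and the two-function boundary are assumptions of the example.

```python
"""Split-network desensitization: training (steps 110-150) and TEE/REE inference
(steps 210-230), an added pure-Python illustration; not the applicant's code.
Hypothetical assumptions: a 4-input / 3-hidden / 1-output MLP as the target
neural network, constructed synthetic training vectors, the Gaussian mechanism
as the concrete "differential privacy processing", and a TEE/REE boundary
simulated by two parameter dictionaries and two functions, not a trusted OS."""
import math
import random

IN_DIM, HIDDEN = 4, 3

def make_dataset(n, rng):
    """Constructed stand-in for the first desensitization training data (step 110)."""
    data = []
    for _ in range(n):
        x = [rng.uniform(-1.0, 1.0) for _ in range(IN_DIM)]
        data.append((x, 1.0 if x[0] + x[1] > x[2] + x[3] else 0.0))
    return data

def init_params(rng):
    tee = {"w1": [[rng.uniform(-0.5, 0.5) for _ in range(IN_DIM)] for _ in range(HIDDEN)],
           "b1": [0.0] * HIDDEN}                       # first partial network (TEE side)
    ree = {"w2": [rng.uniform(-0.5, 0.5) for _ in range(HIDDEN)], "b2": 0.0}  # second (REE)
    return tee, ree

def first_partial(tee, x):
    """First partial network: one tanh layer whose output layer feeds the second part."""
    return [math.tanh(sum(w * xi for w, xi in zip(row, x)) + b)
            for row, b in zip(tee["w1"], tee["b1"])]

def second_partial(ree, h):
    """Second partial network: a sigmoid output unit."""
    z = sum(w * hi for w, hi in zip(ree["w2"], h)) + ree["b2"]
    return 1.0 / (1.0 + math.exp(-z))

def backprop_second(ree, h, y, lr):
    """SGD step on the second partial network only; returns dL/dh for the caller."""
    g = second_partial(ree, h) - y               # dL/dz for sigmoid + cross-entropy
    grad_h = [g * w for w in ree["w2"]]          # taken before the update
    for j in range(HIDDEN):
        ree["w2"][j] -= lr * g * h[j]
    ree["b2"] -= lr * g
    return grad_h

def backprop_full(tee, ree, x, y, lr):
    """Initial training (step 120): adjusts the parameters of both parts."""
    h = first_partial(tee, x)
    grad_h = backprop_second(ree, h, y, lr)
    for j in range(HIDDEN):
        gz = grad_h[j] * (1.0 - h[j] * h[j])     # tanh derivative
        for i in range(IN_DIM):
            tee["w1"][j][i] -= lr * gz * x[i]
        tee["b1"][j] -= lr * gz

def l2_norm(v):
    return math.sqrt(sum(a * a for a in v))

def clip_l2(h, clip_norm):
    """Bound one record's feature so that releasing it has finite sensitivity."""
    n = l2_norm(h)
    return [a * min(1.0, clip_norm / n) for a in h] if n > 0.0 else list(h)

def gaussian_sigma(sensitivity, epsilon, delta):
    """Gaussian-mechanism noise scale for (epsilon, delta)-DP, valid for 0 < epsilon < 1.
    Two clipped features differ by at most 2*clip_norm, so pass sensitivity=2*clip_norm."""
    if not 0.0 < epsilon < 1.0:
        raise ValueError("this calibration holds for 0 < epsilon < 1")
    return sensitivity * math.sqrt(2.0 * math.log(1.25 / delta)) / epsilon

def secure_processing(h, clip_norm, sigma, rng):
    """Security processing of a first-partial-network output (step 130): clip, then noise."""
    return [a + rng.gauss(0.0, sigma) for a in clip_l2(h, clip_norm)]

def accuracy(predict, data):
    return sum((predict(x) >= 0.5) == (y == 1.0) for x, y in data) / len(data)

def train_desensitization_model(rng, sigma, clip_norm):
    """Steps 110-150: returns the TEE part, the REE part and training diagnostics."""
    data = make_dataset(200, rng)
    tee, ree = init_params(rng)
    for _ in range(300):                              # 120: initial training, all parameters
        for x, y in data:
            backprop_full(tee, ree, x, y, 0.05)
    acc_initial = accuracy(lambda x: second_partial(ree, first_partial(tee, x)), data)
    w2_initial = list(ree["w2"])
    second_data = [(secure_processing(first_partial(tee, x), clip_norm, sigma, rng), y)
                   for x, y in data]                  # 130: second desensitization data
    for _ in range(50):                               # 140: fine-tune the REE part only
        for h, y in second_data:
            backprop_second(ree, h, y, 0.05)
    w2_changed = any(abs(a - b) > 1e-9 for a, b in zip(ree["w2"], w2_initial))
    return tee, ree, {"acc_initial": acc_initial, "w2_changed": w2_changed}

def tee_side(tee, x, clip_norm, sigma, rng):
    """Runs inside the TEE (steps 210-230): raw input in, only the noised feature out."""
    return secure_processing(first_partial(tee, x), clip_norm, sigma, rng)

def ree_side(ree, feature):
    """Runs in the REE: sees the desensitized feature, never the raw input."""
    return second_partial(ree, feature)

def demo(seed=7, sigma=0.3, clip_norm=1.0):
    """Train, then desensitize one constructed input across the simulated boundary.
    sigma=0.3 is illustrative; gaussian_sigma(2*clip_norm, eps, delta) gives the
    formally calibrated (much larger) value for a given privacy budget."""
    rng = random.Random(seed)
    tee, ree, info = train_desensitization_model(rng, sigma, clip_norm)
    sample = [0.9, 0.8, -0.7, -0.6]                   # constructed input of class 1
    info["ree_output"] = ree_side(ree, tee_side(tee, sample, clip_norm, sigma, rng))
    return info

if __name__ == "__main__":
    print(demo())
```

The returned diagnostics show the property the application relies on: after fine-tuning, the REE part's parameters no longer match the ones that were jointly trained with the TEE part, so composing the two deployed parts does not reproduce the initially trained target network. The illustrative sigma=0.3 is not a formal privacy budget; gaussian_sigma(2*clip_norm, epsilon, delta) gives the calibrated scale, which for epsilon below 1 is an order of magnitude larger than the feature itself and would leave the REE part little to learn from, which is the utility-versus-privacy tension any such security processing has to resolve.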
Fig. 3 is a block diagram of a model training apparatus according to a third embodiment of the present application, and the solution of this embodiment may be applied to any suitable electronic device with data processing capability, including but not limited to: server, mobile terminal (such as mobile phone, PAD, etc.), PC, etc. The model training apparatus includes:
an acquisition module 310 acquires first desensitization training data.
The initial training module 320 performs initial training on the target neural network by using the first desensitization training data, where the initial training is used to adjust parameters of the target neural network.
The security processing module 330 performs security processing on the output data of the first partial network in the initially trained target neural network to obtain second desensitization training data.
The fine-tuning training module 340 performs fine-tuning training on the second partial network in the initially trained target neural network by using the second desensitization training data, wherein the output layer of the first partial network is connected to the input layer of the second partial network, and the fine-tuning training is used to further adjust the already adjusted parameters of the second partial network.
The model determination module 350 determines a data desensitization model based on the initially trained first partial network and the second partial network trained via the fine-tuning.
According to the apparatus provided by the embodiment of the present application, the second desensitization training data is obtained by performing security processing on the output data of the first partial network in the initially trained target neural network, and the second partial network is fine-tuned by using the second desensitization training data. The first partial network and the second partial network are thus trained with different training data, which prevents the original target neural network from being reconstructed by combining the first partial network and the second partial network of the data desensitization model, and data security is ensured.
In another implementation of the present application, the initially trained first partial network is for deployment in a trusted execution environment (TEE), and the second partial network trained via fine-tuning is for deployment in a rich execution environment (REE).
In another implementation of the present application, the security processing module is specifically configured to: perform differential privacy processing on the output data of the initially trained first partial network to obtain a scrambled representation of the output data; and perform noise processing on the scrambled representation to obtain the second desensitization training data.
In another implementation of the present application, the security processing module is specifically configured to: input the output data of the initially trained first partial network and reference training data into a target generative adversarial network (GAN) for training; and, if the discrimination criterion of the discriminator of the target generative adversarial network is met, determine the reference training data to be a scrambled representation of the output data.
The apparatus of this embodiment is used to implement the corresponding method in the foregoing method embodiments, and has the beneficial effects of the corresponding method embodiments, which are not described herein again. In addition, the functional implementation of each module in the apparatus of this embodiment can refer to the description of the corresponding part in the foregoing method embodiment, and is not described herein again.
Fig. 4 is a block diagram of a data desensitization apparatus according to a fourth embodiment of the present application, and the solution of this embodiment may be applied to any suitable electronic device with data processing capability, including but not limited to: server, mobile terminal (such as mobile phone, PAD, etc.), PC, etc. The data desensitization apparatus includes:
an acquisition module 410 acquires data to be desensitized.
A first desensitization module 420 inputs the data to be desensitized into the first partial network in the data desensitization model to obtain the output data of the first partial network, the data desensitization model being trained by the method of any one of claims 1 to 3.
The second desensitization module 430 performs security processing on the output data and inputs the processed output data into the second partial network in the data desensitization model to obtain the desensitized data.
According to the apparatus provided by the embodiment of the present application, because the second desensitization training data is obtained by performing security processing on the output data of the first partial network in the initially trained target neural network, and the second partial network is fine-tuned using the second desensitization training data, the first partial network and the second partial network are trained with different training data. This prevents the original target neural network from being reconstructed by combining the first partial network and the second partial network of the data desensitization model, so that data security is ensured when the data desensitization model is applied.
In another implementation of the present application, the acquisition module is specifically configured to: acquire the data to be desensitized into the trusted execution environment, wherein the first partial network is deployed in the trusted execution environment.
In another implementation of the present application, the second desensitization module is specifically configured to: obtain the output data from the trusted execution environment into the rich execution environment; and perform the security processing on the output data in the rich execution environment.
The apparatus of this embodiment is used to implement the corresponding method in the foregoing method embodiments, and has the beneficial effects of the corresponding method embodiments, which are not described herein again. In addition, the functional implementation of each module in the apparatus of this embodiment can refer to the description of the corresponding part in the foregoing method embodiment, and is not described herein again.
Embodiment five
Referring to fig. 5, a schematic structural diagram of an electronic device according to a fifth embodiment of the present application is shown, and the specific embodiment of the present application does not limit a specific implementation of the electronic device.
As shown in fig. 5, the electronic device may include: a processor 502, a communications interface 504, a memory 506, and a communication bus 508.
Wherein:
the processor 502, communication interface 504, and memory 506 communicate with one another via a communication bus 508.
A communication interface 504 for communicating with other electronic devices or servers.
The processor 502 is configured to execute the program 510, and may specifically perform the relevant steps in the above method embodiments.
In particular, program 510 may include program code that includes computer operating instructions.
The processor 502 may be a central processing unit (CPU), an application specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of the present application. The electronic device may comprise one or more processors, which may be of the same type, such as one or more CPUs, or of different types, such as one or more CPUs and one or more ASICs.
And a memory 506 for storing a program 510. The memory 506 may comprise high-speed RAM memory, and may also include non-volatile memory (non-volatile memory), such as at least one disk memory.
The program 510 may specifically be used to cause the processor 502 to perform the following operations: acquiring first desensitization training data; performing initial training on a target neural network by using the first desensitization training data, wherein the initial training is used to adjust the parameters of the target neural network; performing security processing on the output data of the first partial network in the initially trained target neural network to obtain second desensitization training data; performing fine-tuning training on the second partial network in the initially trained target neural network by using the second desensitization training data, wherein the output layer of the first partial network is connected to the input layer of the second partial network, and the fine-tuning training is used to further adjust the already adjusted parameters of the second partial network; and determining a data desensitization model from the initially trained first partial network and the fine-tuned second partial network;
or: acquiring data to be desensitized; inputting the data to be desensitized into the first partial network in the data desensitization model to obtain the output data of the first partial network, wherein the data desensitization model is obtained by training with the model training method described above; and performing security processing on the output data and inputting the processed output data into the second partial network in the data desensitization model to obtain the desensitized data.
In addition, for specific implementation of each step in the program 510, reference may be made to corresponding steps and corresponding descriptions in units in the foregoing method embodiments, which are not described herein again. It can be clearly understood by those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described devices and modules may refer to the corresponding process descriptions in the foregoing method embodiments, and are not described herein again.
It should be noted that, according to the implementation requirement, each component/step described in the embodiment of the present application may be divided into more components/steps, and two or more components/steps or partial operations of the components/steps may also be combined into a new component/step to achieve the purpose of the embodiment of the present application.
The above-described methods according to the embodiments of the present application may be implemented in hardware or firmware, or as software or computer code that can be stored in a recording medium such as a CD-ROM, a RAM, a floppy disk, a hard disk or a magneto-optical disk, or as computer code originally stored in a remote recording medium or a non-transitory machine-readable medium, downloaded through a network and stored in a local recording medium, so that the methods described herein may be implemented by such software stored on a recording medium using a general-purpose computer, a dedicated processor, or programmable or dedicated hardware such as an ASIC or FPGA. It will be appreciated that a computer, processor, microprocessor controller or programmable hardware includes memory components (e.g., RAM, ROM, flash memory, etc.) that can store or receive software or computer code which, when accessed and executed by the computer, processor or hardware, implements the methods described herein. Further, when a general-purpose computer accesses code for implementing the methods illustrated herein, execution of the code transforms the general-purpose computer into a special-purpose computer for performing the methods illustrated herein.
Those of ordinary skill in the art will appreciate that the various illustrative elements and method steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the embodiments of the present application.
The above embodiments are only used for illustrating the embodiments of the present application, and not for limiting the embodiments of the present application, and those skilled in the relevant art can make various changes and modifications without departing from the spirit and scope of the embodiments of the present application, so that all equivalent technical solutions also belong to the scope of the embodiments of the present application, and the scope of patent protection of the embodiments of the present application should be defined by the claims.