CN113435583B - Federal learning-based countermeasure generation network model training method and related equipment thereof - Google Patents


Info

Publication number
CN113435583B
CN113435583B (granted publication); application number CN202110758657.4A
Authority
CN
China
Prior art keywords
image
clipping
gradient
network model
noise
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110758657.4A
Other languages
Chinese (zh)
Other versions
CN113435583A (en)
Inventor
李泽远
王健宗
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Ping An Technology Shenzhen Co Ltd
Original Assignee
Ping An Technology Shenzhen Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Events
Application filed by Ping An Technology Shenzhen Co Ltd
Priority to CN202110758657.4A
Publication of CN113435583A
Application granted
Publication of CN113435583B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/04 Architecture, e.g. interconnection topology
    • G06N3/045 Combinations of networks
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/21 Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
    • G06F18/214 Generating training patterns; Bootstrap methods, e.g. bagging or boosting
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N20/00 Machine learning
    • G06N20/20 Ensemble learning
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/08 Learning methods
    • G06N3/082 Learning methods modifying the architecture, e.g. adding, deleting or silencing nodes or connections
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02T CLIMATE CHANGE MITIGATION TECHNOLOGIES RELATED TO TRANSPORTATION
    • Y02T10/00 Road transport of goods or passengers
    • Y02T10/10 Internal combustion engine [ICE] based vehicles
    • Y02T10/40 Engine management systems

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Data Mining & Analysis (AREA)
  • Artificial Intelligence (AREA)
  • Software Systems (AREA)
  • Evolutionary Computation (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Mathematical Physics (AREA)
  • Computing Systems (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Health & Medical Sciences (AREA)
  • Biomedical Technology (AREA)
  • Biophysics (AREA)
  • Computational Linguistics (AREA)
  • General Health & Medical Sciences (AREA)
  • Molecular Biology (AREA)
  • Evolutionary Biology (AREA)
  • Bioinformatics & Computational Biology (AREA)
  • Bioinformatics & Cheminformatics (AREA)
  • Medical Informatics (AREA)
  • Image Analysis (AREA)

Abstract

The embodiment of the application belongs to the field of artificial intelligence, is applied to the field of intelligent security and protection, and relates to a countermeasure generation network model training method based on federal learning. The application also provides a federal learning-based countermeasure generation network model training device, computer equipment and a storage medium. In addition, the present application relates to blockchain technology, in which the image training set may be stored. The method and the device can effectively protect the privacy of the local image data set.

Description

Federal learning-based countermeasure generation network model training method and related equipment thereof
Technical Field
The application relates to the technical field of artificial intelligence, in particular to a federal learning-based countermeasure generation network model training method and related equipment thereof.
Background
With the rapid development of artificial intelligence in the medical field, particularly in medical image recognition, medical informatization and biotechnology are developing continuously, and the types and scale of medical data are growing at an unprecedented rate. Because medical image data is confidential and subject to legal regulation, medical institutions that wish to share data with one another cannot do so, and expansion of case dimensions is not possible.
Federal learning lets each medical institution keep its image data local while cooperating in decentralized neural network training, so private data is protected while data barriers are broken down. However, in distributed model training an attacker can take the parameters from a gradient update, reconstruct the gradient, and from it recover the medical image data. The defenses adopted in existing federal learning include gradient clipping, noise addition and weight-parameter encryption; these protect gradient privacy to some extent, but they do not protect the local data itself, and the risk remains that an attacker breaks the encrypted weight parameters and inverts the model to obtain the local medical data set.
Disclosure of Invention
The embodiments of the present application aim to provide a federal learning-based countermeasure generation network model training method and related equipment, so as to solve the technical problems in related technologies that local medical image data are easy to decrypt and acquire and that security and privacy are low.
In order to solve the above technical problems, the embodiment of the present application provides a method for training a countermeasure generation network model based on federal learning, which adopts the following technical scheme:
inputting random noise data into a generator of a countermeasure generation network model to obtain a first image generation set;
inputting the image training set and the first image generation set into a discriminator of the countermeasure generation network model for discrimination to obtain a discrimination result;
when the discrimination result does not meet the preset condition, clipping the original gradient of the discriminator to obtain a clipping gradient, and determining a noise value of the added noise according to the clipping gradient;
adjusting model parameters of the discriminator according to the clipping gradient and the noise value, and guiding the update of the model parameters of the generator according to the discriminator after adjusting the model parameters;
inputting the noise corresponding to the noise value into the generator after parameter adjustment to obtain a second image generation set;
inputting the image verification set and the second image generation set into the discriminator, calculating the privacy loss value of the countermeasure generation network model, and if the privacy loss value is not within the preset range, iteratively updating the countermeasure generation network model until the privacy loss value is within the preset range.
Further, the step of inputting the image training set and the first image generation set into a discriminator of the countermeasure generation network model for discrimination to obtain a discrimination result includes:
classifying and discriminating the image training set and the first image generation set through the discriminator to obtain a classification result;
determining, according to the classification result, the discrimination probability with which the discriminator identifies the first image generation set;
and comparing the discrimination probability with a preset probability to obtain the discrimination result.
Further, the step of clipping the original gradient of the discriminator to obtain a clipping gradient includes:
acquiring an original gradient vector of each layer of neural network of the discriminator;
determining a clipping threshold value corresponding to each layer of the neural network based on the original gradient vector;
and clipping the original gradient vector according to the clipping threshold value to obtain the clipping gradient corresponding to each layer of the neural network.
Further, the step of determining the clipping threshold corresponding to each layer of the neural network based on the original gradient vector includes:
determining a second-order norm of the original gradient vector, and calculating the clipping threshold according to the second-order norm.
Further, the step of clipping the original gradient vector according to the clipping threshold to obtain the clipping gradient corresponding to each layer of the neural network includes:
dividing the second order norm by the clipping threshold to obtain a first quotient;
comparing the first quotient with a first numerical value to obtain the maximum value of the first quotient and the first numerical value;
and calculating the ratio of the original gradient vector to the maximum value to obtain the clipping gradient.
Further, the step of determining the added noise according to the clipping gradient includes:
acquiring Gaussian distribution of the random noise;
and calculating the noise value according to the Gaussian distribution and the clipping gradient.
Further, the step of calculating the privacy loss value of the countermeasure generation network model includes:
calculating differential privacy sensitivity according to the image training set and the first image generation set;
and calculating the privacy loss value by adopting a Markov formula based on the differential privacy sensitivity.
In order to solve the above technical problems, the embodiment of the present application further provides a federal learning-based countermeasure generation network model training device, which adopts the following technical scheme:
the generation module is used for inputting the random noise data into a generator of the countermeasure generation network model to obtain a first image generation data set;
the judging module is used for inputting the image training set and the first image generating set into a discriminator of the countermeasure generating network model to judge, so as to obtain a judging result;
the clipping module is used for clipping the original gradient of the discriminator to obtain a clipping gradient when the judging result does not meet the preset condition, and determining a noise value of added noise according to the clipping gradient;
the adjusting module is used for adjusting the model parameters of the discriminator according to the clipping gradient and the added noise, and guiding updating the model parameters of the generator according to the discriminator after adjusting the model parameters;
the generating module is further configured to input noise corresponding to the noise value into the generator after the parameter adjustment, so as to obtain a second image generating set;
The judging module is further configured to input the image verification set and the second image generation set to the discriminator, calculate a privacy loss value of the countermeasure generation network model, and if the privacy loss value is not within a preset range, iteratively update the countermeasure generation network model until the privacy loss value falls within the preset range.
In order to solve the above technical problems, the embodiments of the present application further provide a computer device, which adopts the following technical schemes:
the computer device includes a memory having stored therein computer readable instructions that when executed implement the steps of the federal learning based countermeasure generation network model training method described above.
In order to solve the above technical problems, embodiments of the present application further provide a computer readable storage medium, which adopts the following technical solutions:
the computer readable storage medium has stored thereon computer readable instructions which when executed by a processor implement the steps of the federal learning based countermeasure generation network model training method described above.
Compared with the prior art, the embodiment of the application has the following main beneficial effects:
According to the method, random noise data are input into a generator of a countermeasure generation network model to obtain a first image generation set; the image training set and the first image generation set are then input into a discriminator of the countermeasure generation network model for discrimination to obtain a discrimination result. When the discrimination result does not meet a preset condition, the original gradient of the discriminator is clipped to obtain a clipping gradient, and the noise value of the added noise is determined according to the clipping gradient. The model parameters of the discriminator are adjusted according to the clipping gradient and the noise value, and the discriminator with adjusted parameters guides the update of the generator's model parameters. The noise corresponding to the noise value is input into the generator after parameter adjustment to obtain a second image generation set; the image verification set and the second image generation set are input into the discriminator to calculate the privacy loss value of the countermeasure generation network model, and if the privacy loss value is not within the preset range, the countermeasure generation network model is updated iteratively until the privacy loss value falls within that range.
Because the first image generation set is generated after the generator has self-learned the features of the original image data set from added random noise, the original image data set is protected from damage. Because the generated image data set and the original image data set are not in one-to-one correspondence, an attacker who obtains the local original image data cannot tell real data from generated data, which effectively protects the privacy of the medical institution's image data set. In addition, because the discriminator dynamically adjusts and adds noise, the discrimination capability of the discriminator can be improved.
Drawings
For a clearer description of the solution in the present application, a brief description will be given below of the drawings that are needed in the description of the embodiments of the present application, it being obvious that the drawings in the following description are some embodiments of the present application, and that other drawings may be obtained from these drawings without inventive effort for a person of ordinary skill in the art.
FIG. 1 is an exemplary system architecture diagram in which the present application may be applied;
FIG. 2 is a flow chart of one embodiment of a federal learning-based countermeasure generation network model training method according to the present application;
FIG. 3 is a schematic diagram of the structure of the FA-GAN model in the present application;
FIG. 4 is a schematic diagram of one embodiment of a federal learning based countermeasure generation network model training apparatus according to the present application;
FIG. 5 is a schematic structural diagram of one embodiment of a computer device according to the present application.
Detailed Description
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs; the terminology used in the description of the applications herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application; the terms "comprising" and "having" and any variations thereof in the description and claims of the present application and in the description of the figures above are intended to cover non-exclusive inclusions. The terms first, second and the like in the description and in the claims or in the above-described figures, are used for distinguishing between different objects and not necessarily for describing a sequential or chronological order.
Reference herein to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment may be included in at least one embodiment of the present application. The appearances of such phrases in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. Those of skill in the art will explicitly and implicitly appreciate that the embodiments described herein may be combined with other embodiments.
In order to better understand the technical solutions of the present application, the following description will clearly and completely describe the technical solutions in the embodiments of the present application with reference to the accompanying drawings.
In order to solve the problem that local medical image data is easy to decrypt and acquire and has low security and privacy in the related art, the application provides a federal learning-based countermeasure generation network model training method, which relates to artificial intelligence, and can be applied to a system architecture 100 shown in fig. 1, wherein the system architecture 100 can comprise terminal equipment 101, 102 and 103, a network 104 and a server 105. The network 104 is used as a medium to provide communication links between the terminal devices 101, 102, 103 and the server 105. The network 104 may include various connection types, such as wired, wireless communication links, or fiber optic cables, among others.
The user may interact with the server 105 via the network 104 using the terminal devices 101, 102, 103 to receive or send messages or the like. Various communication client applications, such as a web browser application, a shopping class application, a search class application, an instant messaging tool, a mailbox client, social platform software, etc., may be installed on the terminal devices 101, 102, 103.
The terminal devices 101, 102, 103 may be various electronic devices having a display screen and supporting web browsing, including but not limited to smartphones, tablet computers, electronic book readers, MP3 (Moving Picture Experts Group Audio Layer III) players, MP4 (Moving Picture Experts Group Audio Layer IV) players, laptop and desktop computers, and the like.
The server 105 may be a server providing various services, such as a background server providing support for pages displayed on the terminal devices 101, 102, 103.
It should be noted that the federal learning-based countermeasure generation network model training method provided in the embodiments of the present application is generally executed by a terminal device, and accordingly the federal learning-based countermeasure generation network model training apparatus is generally disposed in the terminal device.
It should be understood that the number of terminal devices, networks and servers in fig. 1 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation.
With continued reference to FIG. 2, a flowchart of one embodiment of a federal learning-based countermeasure generation network model training method according to the present application is shown, comprising the following steps:
step S201, inputting random noise data into a generator of an countermeasure generation network model, and obtaining a first image generation set.
In this embodiment, the countermeasure generation network model is an FA-GAN (Flexible Adjustment Generative Adversarial Network, i.e. a dynamic privacy adjustment countermeasure generation network) model, which is the local training model for federal learning. Taking the participation of medical institution A and medical institution B in federal learning as an example, the federal learning process of the FA-GAN model includes the following steps:
1) Medical institutions A and B each locally train the FA-GAN model on their own case databases;
2) Medical institutions A and B upload the trained model parameters and weights to a central server;
3) The central server gathers the weight information of the two received local models and performs joint training on the central server to generate a global model;
4) The central server updates the model parameters of the global model and then sends the updated model parameters to the participating medical institutions A and B, which each update their model parameters;
5) The above 4 steps are repeated until the stop condition is satisfied.
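As an added illustration of the five-step loop above (example code written for this page, not code from the patent or its assignee): two institutions train a tiny linear model on constructed local data, upload only their parameters, and a server aggregates them and broadcasts the result until a stop condition is met. The page does not say how the server combines the two local models; sample-count weighted averaging (FedAvg) is assumed here, as is the stop condition (global loss below a tolerance or a round budget). The data, the model and all function names are constructed for the example.

```python
# Constructed toy data: two institutions hold disjoint local data that follow
# the same ground-truth line y = 2x + 1 (noise-free, so each institution's
# local optimum coincides with the global optimum).
TRUE_W, TRUE_B = 2.0, 1.0
INSTITUTIONS = {
    "A": [(x / 10, TRUE_W * x / 10 + TRUE_B) for x in (1, 2, 3, 4)],
    "B": [(x / 10, TRUE_W * x / 10 + TRUE_B) for x in (6, 7, 8, 9)],
}


def local_train(params, data, steps, lr):
    """Step 1: local gradient descent on the MSE loss of the model (w, b).
    Only the resulting parameters leave the institution, never the data."""
    w, b = params
    n = len(data)
    for _ in range(steps):
        dw = sum(2 * x * (w * x + b - y) for x, y in data) / n
        db = sum(2 * (w * x + b - y) for x, y in data) / n
        w -= lr * dw
        b -= lr * db
    return (w, b)


def aggregate(uploads):
    """Step 3: the central server combines the uploaded local models.
    ASSUMPTION (not stated on the page): sample-count weighted averaging."""
    total = sum(n for _, n in uploads)
    w = sum(p[0] * n for p, n in uploads) / total
    b = sum(p[1] * n for p, n in uploads) / total
    return (w, b)


def global_loss(params, institutions):
    """Global MSE over all institutions; used only for the stop condition."""
    w, b = params
    pts = [pt for data in institutions.values() for pt in data]
    return sum((w * x + b - y) ** 2 for x, y in pts) / len(pts)


def run_federated_training(institutions, rounds=40, local_steps=50, lr=0.5, tol=1e-6):
    """Steps 1-5: repeat local training, upload, aggregation and broadcast
    until the stop condition (assumed: loss < tol or round budget) is met.
    Returns the final global parameters and the number of rounds used."""
    global_params = (0.0, 0.0)
    for rnd in range(1, rounds + 1):
        uploads = []
        for name, data in institutions.items():
            # Steps 1-2: train from the broadcast global model, upload parameters
            local = local_train(global_params, data, local_steps, lr)
            uploads.append((local, len(data)))
        # Step 3: server-side aggregation into a new global model
        global_params = aggregate(uploads)
        # Step 4: the new global parameters are sent back for the next round
        # Step 5: stop condition
        if global_loss(global_params, institutions) < tol:
            return global_params, rnd
    return global_params, rounds


if __name__ == "__main__":
    params, used = run_federated_training(INSTITUTIONS)
    print(f"global model after {used} rounds: w={params[0]:.4f}, b={params[1]:.4f}")
```

Because the two local data sets lie on the same line, the averaged model converges to w = 2, b = 1; with heterogeneous real data the local optima differ and the aggregation rule matters, which is exactly the point the page's gradient-clipping and noise steps address on the privacy side.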
In this embodiment, the schematic structure of the FA-GAN model is shown in fig. 3. The FA-GAN model includes a generator and a discriminator. To ensure the security of the local image data set in the federal learning process, the generator of the FA-GAN model automatically learns the features of the original image data set and rewrites the data set, while the discriminator dynamically adjusts the noise scale during training to guide the generator, so that the usability and privacy of the local image data set are improved without affecting the training effect of the final model.
The random noise data is drawn from a predefined noise distribution, typically a simple and easily sampled one such as a uniform distribution U(−1, 1) or a Gaussian distribution N(0, 1). In this embodiment, the random noise data may be obtained by sampling from a Gaussian distribution; the random noise data is then input into the generator as the basic data from which the generator produces the first image generation set.
The random noise data is input into a generator, and the generator self-learns the data characteristics of the original image data set and outputs a first image generation set which is highly similar to the original image data set.
Step S202, inputting the image training set and the first image generation set into a discriminator of the countermeasure generation network model for discrimination, and obtaining discrimination results.
In this embodiment, a local original image dataset of a medical institution is obtained, and the original image dataset is divided into an image training set and an image verification set according to a preset proportion, for example, it is assumed that the original image dataset includes 70000 images, 60000 images are used as the image training set, and 10000 images are used as the image verification set. Then, the image training set is evenly divided into N training lots, wherein N is a natural number greater than zero.
The image training set is input to the discriminator in batches; the discriminator distinguishes the input image training set from the first image generation set and outputs, for each input, whether it is true (from the real image training set) or false (from the first image generation set produced by the generator).
Specifically, the image training set and the first image generation set are classified and judged through the discriminator to obtain a classification result, the discrimination probability of the first image generation set is determined according to the classification result, and the discrimination probability is compared with the preset probability to obtain a discrimination result.
The discriminator is a GCN (Graph Convolutional Network) used for image feature extraction and comprises an embedding layer, a convolution layer, a pooling layer and a softmax layer. During training the discriminator is in contact with the original image data set and memorizes certain training samples, which increases the risk of attack. To ensure the safety of the local image data, the discrimination capability is improved through adaptive gradient clipping and dynamic noise allocation, that is, the degree to which the discriminator memorizes the original image data set is reduced while its discrimination capability is improved: the less the discriminator memorizes the original image data set, the better it can distinguish the image training set from the image generation set, and the stronger its discrimination capability.
The discriminator classifies the input image training set and the first image generation set, and outputs the probability of belonging to the real sample, wherein the real sample is the image training set.
A Sigmoid function is generally adopted as the output layer of the discriminator: if the output of the discriminator is close to 1, the current data is judged to come from the real data set; if it is close to 0, the current data is judged to come from the simulated data produced by the generator. In this embodiment, if the output probability falls within the preset range, the discrimination capability of the discriminator meets the requirement; otherwise, gradient clipping is performed on the FA-GAN model, the noise value of the added noise is determined, and the discrimination result is fed back to the generator to guide its update. As a result, after the image data set has been processed by the FA-GAN model, an attacker cannot tell whether noise has been added to the data set, that is, cannot distinguish real data from generated data, and the safety of the local data is thereby protected.
It should be emphasized that, to further ensure the privacy and security of the image training set, the image training set may also be stored in a node of a blockchain.
The blockchain referred to in the application is a novel application mode of computer technologies such as distributed data storage, point-to-point transmission, consensus mechanism, encryption algorithm and the like. The Blockchain (Blockchain), which is essentially a decentralised database, is a string of data blocks that are generated by cryptographic means in association, each data block containing a batch of information of network transactions for verifying the validity of the information (anti-counterfeiting) and generating the next block. The blockchain may include a blockchain underlying platform, a platform product services layer, an application services layer, and the like.
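The blockchain storage mentioned above, as an added example (written for this page, not the patent's code): a minimal hash-linked chain in which each block records the digests of one training batch's images, so that a node can later verify that the recorded set was not altered or reordered. The page only states that the image training set may be stored in a blockchain node; the block format (SHA-256 over a canonical JSON body, digests rather than pixels) and the short byte strings standing in for image files are assumptions constructed for the example.

```python
import hashlib
import json

GENESIS_LINK = "0" * 64   # prev_hash of the first block


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _block_hash(index, prev_hash, image_hashes):
    # Canonical JSON so identical content always hashes identically
    body = {"index": index, "prev_hash": prev_hash, "image_hashes": image_hashes}
    return sha256_hex(json.dumps(body, sort_keys=True).encode())


def make_block(index, prev_hash, images):
    """One block records the digests of one batch of images (not the pixels)
    and is linked to its predecessor through prev_hash."""
    image_hashes = [sha256_hex(img) for img in images]
    return {
        "index": index,
        "prev_hash": prev_hash,
        "image_hashes": image_hashes,
        "hash": _block_hash(index, prev_hash, image_hashes),
    }


def build_chain(batches):
    """Append one block per training batch, each linked to the previous hash."""
    chain, prev = [], GENESIS_LINK
    for i, batch in enumerate(batches):
        block = make_block(i, prev, batch)
        chain.append(block)
        prev = block["hash"]
    return chain


def verify_chain(chain):
    """Recompute every block hash and check every link; any altered digest,
    reordered block or broken link makes this return False."""
    prev = GENESIS_LINK
    for i, block in enumerate(chain):
        if block["index"] != i or block["prev_hash"] != prev:
            return False
        if _block_hash(i, prev, block["image_hashes"]) != block["hash"]:
            return False
        prev = block["hash"]
    return True


def image_is_recorded(chain, image_bytes):
    """Check whether a given image was part of the recorded training set."""
    digest = sha256_hex(image_bytes)
    return any(digest in block["image_hashes"] for block in chain)


# Constructed sample "images": short byte strings standing in for image files
SAMPLE_BATCHES = [
    [b"scan-0001", b"scan-0002"],
    [b"scan-0003"],
]

if __name__ == "__main__":
    chain = build_chain(SAMPLE_BATCHES)
    print("chain valid:", verify_chain(chain))
    chain[0]["image_hashes"][0] = "00" * 32     # simulate an after-the-fact edit
    print("chain valid after tampering:", verify_chain(chain))
```

Recording digests rather than the images themselves keeps confidential pixels off the shared ledger while still letting every node check membership and integrity of the training set.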
Step S203, when the discrimination result does not meet the preset condition, clipping the original gradient of the discriminator to obtain a clipping gradient, and determining the added noise according to the clipping gradient.
Specifically, an original gradient vector of each layer of neural network of the discriminator is obtained, a clipping threshold value corresponding to each layer of neural network is determined based on the original gradient vector, and the original gradient vector is clipped according to the clipping threshold value to obtain clipping gradient corresponding to each layer of neural network.
In some optional implementations of this embodiment, the step of determining the clipping threshold corresponding to each layer of neural network based on the original gradient vector specifically includes:
and determining a second-order norm of the original gradient vector, and calculating a clipping threshold according to the second-order norm.
In this embodiment, the second-order norm is the 2-norm. For the original gradient vector $g(x_i)$, its 2-norm $\|g(x_i)\|_2$ is calculated, and the clipping threshold is derived from that 2-norm. Note that every iteration produces an original gradient vector; the N 2-norms corresponding to the m-th neural network layer across the N original gradient vectors are determined, and their average is taken as the clipping threshold. In the formula of the original (not reproduced in this text), n is the n-th image training set currently input and m is the m-th neural network layer of the discriminator.
In this embodiment, the step of clipping the original gradient vector according to the clipping threshold to obtain the clipping gradient corresponding to each layer of neural network is specifically as follows:
dividing the second-order norm by a clipping threshold to obtain a first quotient;
comparing the first quotient value with the first numerical value to obtain the maximum value of the first quotient value and the first numerical value;
and calculating the ratio of the original gradient vector to the maximum value to obtain the clipping gradient.
The image training set and the first image generation set are input into the FA-GAN model and the model is trained. The clipping threshold $C_{x_i}$ of each iteration is obtained from the original gradient vector $g(x_i)$, and the clipping gradient of the m-th layer in that round of iteration can then be calculated by the formula of the original (not reproduced in this text), where $x_i$ is the i-th image training set and $g(x_i)$ is the original gradient vector of the m-th neural network layer obtained by training on the i-th image training set.
In some optional implementations of this embodiment, the implementation steps for determining the added noise from the clipping gradient are as follows:
acquiring Gaussian distribution of random noise;
and calculating according to the Gaussian distribution and the clipping gradient to obtain the noise value of the added noise.
The noise value of the added noise is calculated by the formula of the original (not reproduced in this text), where $x_i$ is the i-th image training set, $\sigma$ is the noise scale (i.e. the noise value), $C$ is the gradient threshold, a further symbol denotes the clipping gradient obtained by clipping according to the clipping threshold, $S$ is the number of image training set samples, and $\mathcal{N}(0, \sigma^2 C^2 I)$ denotes that the noise follows a Gaussian distribution with mean 0 and variance $\sigma^2 C^2$, in which $I$ is an identity matrix whose dimension depends on the number of samples and the number of gradients and which is used for the noise-addition matrix operation.
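The clipping rule of Step S203 and the Gaussian noise addition that follows it, as an added worked example in Python (written for this page, not the patent's own code). It follows the text: the per-layer threshold C is the mean of the N 2-norms of that layer's gradient vectors, each gradient is divided by the larger of ‖g‖₂/C and a constant, and noise drawn from N(0, σ²C²I) is added. Two points the page leaves open are assumptions here: the constant compared with the quotient (the page's unspecified "first numerical value", taken as 1, the usual DP-SGD choice) and how the noise combines with the S clipped gradients (sum, add noise, divide by S, the DP-SGD form). The sample gradient vectors and the function names are constructed.

```python
import math
import random


def l2_norm(vec):
    """2-norm ||g||_2 of one layer's gradient vector."""
    return math.sqrt(sum(v * v for v in vec))


def clipping_threshold(layer_grads):
    """Clipping threshold C for one layer: the mean of the 2-norms of the N
    original gradient vectors this layer produced for the N training batches
    (the threshold rule the text describes)."""
    norms = [l2_norm(g) for g in layer_grads]
    return sum(norms) / len(norms)


def clip_gradient(grad, threshold, first_value=1.0):
    """Clipping gradient = g / max(||g||_2 / C, first_value).
    ASSUMPTION: the page calls the constant compared with the quotient the
    'first numerical value' without giving it; 1.0 (the usual DP-SGD choice)
    is used here. A zero threshold would divide by zero, so the gradient is
    returned unchanged in that case."""
    if threshold <= 0:
        return list(grad)
    quotient = l2_norm(grad) / threshold
    scale = max(quotient, first_value)
    return [v / scale for v in grad]


def add_gaussian_noise(clipped_grads, sigma, threshold, rng):
    """Noisy aggregate of the S clipped gradients:
    (sum_i clipped_i + N(0, sigma^2 C^2 I)) / S.
    The page gives the distribution N(0, sigma^2 C^2 I) and the count S;
    ASSUMPTION: they are combined in the DP-SGD form written above."""
    s = len(clipped_grads)
    dim = len(clipped_grads[0])
    std = sigma * threshold            # standard deviation of each noise coordinate
    summed = [sum(g[d] for g in clipped_grads) for d in range(dim)]
    return [(summed[d] + rng.gauss(0.0, std)) / s for d in range(dim)]


def private_layer_update(layer_grads, sigma, seed=0):
    """Whole per-layer pipeline of Step S203: threshold from the N norms,
    clip every gradient to it, then add Gaussian noise of scale sigma * C.
    Returns (threshold, clipped gradients, noisy aggregate)."""
    rng = random.Random(seed)          # seeded so the run is reproducible
    c = clipping_threshold(layer_grads)
    clipped = [clip_gradient(g, c) for g in layer_grads]
    return c, clipped, add_gaussian_noise(clipped, sigma, c, rng)


# Constructed sample input: N = 4 per-batch gradient vectors of one
# discriminator layer (2 parameters each), chosen so the norms are easy to read.
SAMPLE_LAYER_GRADS = [
    [3.0, 4.0],   # ||g||_2 = 5
    [0.0, 1.0],   # ||g||_2 = 1
    [6.0, 8.0],   # ||g||_2 = 10
    [0.0, 0.0],   # ||g||_2 = 0
]

if __name__ == "__main__":
    c, clipped, noisy = private_layer_update(SAMPLE_LAYER_GRADS, sigma=1.0)
    print("threshold C =", c)           # mean of 5, 1, 10, 0
    print("clipped     =", clipped)     # every vector now has norm <= C
    print("noisy mean  =", noisy)
```

With the sample input the threshold is 4, so the two large gradients are scaled down to norm 4 while the two small ones pass through unchanged; the noise standard deviation σC then scales with the same threshold, which is what ties the privacy guarantee to the clipping bound.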
Step S204: adjusting model parameters of the discriminator according to the clipping gradient and the noise value, and guiding the updating of model parameters of the generator according to the discriminator after its model parameters are adjusted.
Specifically, the original gradient vector of each neural network layer is clipped according to the clipping threshold of that layer to obtain the clipping gradient of each layer; the noise to be added to the discriminator is dynamically adjusted according to the noise value; finally, the model parameters of the discriminator are adjusted according to the clipping gradient and the adjusted noise, and the discriminator with adjusted parameters guides the generator to update its corresponding model parameters.
In this embodiment, the local data is protected during FA-GAN model training by differential privacy. Differential privacy requires a target privacy budget to be given in advance, and each round of noise addition consumes part of that overall budget. The model parameters of the discriminator are adjusted according to a preset learning rate and the noise added to the gradient, so that the parameter adjustment satisfies differential privacy.
In step S205, the noise corresponding to the noise value is input to the generator after the parameter adjustment, so as to obtain the second image generation set.
After the added noise value is determined, the noise corresponding to the noise value is input into a generator after the parameters are adjusted, and the generator self-learns the data characteristics of the original image data set and outputs a second image generation set which is highly similar to the original image data set.
Step S206, inputting the image verification set and the second image generation set into the discriminator, calculating the privacy loss value of the countermeasure generation network model, and if the privacy loss value is not within the preset range, performing iterative updating on the countermeasure generation network model until the privacy loss value falls within the preset range.
The image verification set is used for verifying the trained FA-GAN model, and the image verification set and the second image generation set are input to the discriminator for verification.
In this embodiment, whether the FA-GAN model is trained is confirmed by calculating the privacy loss value.
Specifically, the step of calculating the privacy loss value of the countermeasure generation network model is as follows:
calculating the differential privacy sensitivity according to the image training set and the first image generation set;
based on the differential privacy sensitivity, a Markov formula is used to calculate the privacy loss value.
Gradient clipping and noise addition raise the problem of sensitivity estimation: the sensitivity determines how much random noise must be added to the result to achieve differential privacy. Differential privacy is used here as the privacy protection method that protects local data and avoids data leakage.
In this embodiment, the differential privacy sensitivity employs the following calculation formula:
where D represents the data set to which the network layer has not added noise, namely the image verification set; D' represents the data set to which the neural network layer has added noise, namely the second image generation set; f(D) represents the sensitivity without added noise; and f(D') represents the sensitivity with added noise.
According to differential privacy sensitivity, each round of added noise affects the overall privacy budget consumption, requiring accurate estimation of the consumption each time to minimize the overall privacy budget consumption.
The calculation formula of the privacy loss value is as follows:
where M is a given randomized algorithm; d, d' are a pair of adjacent data sets; aux represents the auxiliary input; o is the output result, with o ∈ R; Pr(M(aux, d) = o) represents the probability that the output belongs to data set d; and Pr(M(aux, d') = o) represents the probability that the output belongs to data set d'. This formula gives the change of the privacy loss value under the consumption of the target gradient privacy budget, and the effect of the added noise on the whole model is measured by that change. As the number of training rounds increases, the layered gradient clipping and the dynamic noise adjustment have a better effect on the training process and the final result, and the optimal privacy budget allocation is finally adjusted dynamically.
It should be noted that the privacy loss value needs to be minimized as much as possible to obtain a better privacy protection effect.
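As an added example that is not part of the patent, the privacy-loss formula above evaluated for a Gaussian mechanism M(d) = f(d) + N(0, σ²C²I) on a clipped gradient, with constructed f(D), f(D') and output o. It also shows why the sensitivity bound that clipping provides caps the loss at the true output.

```python
# Added illustration of the sensitivity / privacy-loss relation discussed above
# for the Gaussian mechanism M(d) = f(d) + N(0, sigma^2 C^2 I).  The privacy
# loss ln Pr[M(aux, d) = o] - ln Pr[M(aux, d') = o] is computed both from the
# Gaussian densities and from its closed form
# (||o - f(d')||^2 - ||o - f(d)||^2) / (2 sigma^2 C^2).
# Not the patent's code; f(D), f(D') and o below are constructed values.
import math
from typing import List

Vector = List[float]


def l2_norm(v: Vector) -> float:
    return math.sqrt(sum(x * x for x in v))


def sensitivity(f_d: Vector, f_d_prime: Vector) -> float:
    """L2 sensitivity ||f(D) - f(D')||_2 between adjacent data sets."""
    return l2_norm([a - b for a, b in zip(f_d, f_d_prime)])


def gaussian_log_density(o: Vector, mean: Vector, std: float) -> float:
    """log density of N(mean, std^2 I) evaluated at o (coordinates independent)."""
    return sum(-0.5 * ((x - m) / std) ** 2 - math.log(std * math.sqrt(2 * math.pi))
               for x, m in zip(o, mean))


def privacy_loss(o: Vector, f_d: Vector, f_d_prime: Vector,
                 sigma: float, c: float) -> float:
    """ln Pr[M(d) = o] - ln Pr[M(d') = o] straight from the two densities."""
    std = sigma * c
    return gaussian_log_density(o, f_d, std) - gaussian_log_density(o, f_d_prime, std)


def privacy_loss_closed_form(o: Vector, f_d: Vector, f_d_prime: Vector,
                             sigma: float, c: float) -> float:
    """Same quantity; the normalising constants cancel and only distances remain."""
    denom = 2.0 * sigma * sigma * c * c
    dist_dprime = sum((x - m) ** 2 for x, m in zip(o, f_d_prime))
    dist_d = sum((x - m) ** 2 for x, m in zip(o, f_d))
    return (dist_dprime - dist_d) / denom


def loss_at_true_output(delta: float, sigma: float, c: float) -> float:
    """Privacy loss when o = f(D) exactly: delta^2 / (2 sigma^2 C^2).

    After clipping each per-example gradient to norm C, adding or removing one
    sample changes the sum by at most C, i.e. delta <= C, so this value is at
    most 1 / (2 sigma^2): the noise scale sigma alone bounds the loss.
    """
    return delta * delta / (2.0 * sigma * sigma * c * c)


if __name__ == "__main__":
    f_d, f_d_prime, o = [0.0, 0.0], [1.0, 0.0], [0.2, -0.1]  # constructed
    for sigma in (0.5, 1.0, 2.0):
        print(sigma, round(privacy_loss(o, f_d, f_d_prime, sigma, 1.0), 4))
```

Raising σ lowers the loss at every output, which is the "how much noise is needed" trade-off the sensitivity estimation sets up.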
According to the method and the device, the first image generation set is generated after the characteristics of the original image data set are self-learned by adding random noise, so that the original image data set can be protected from being damaged; meanwhile, the generated image data set and the original image data set are not in one-to-one correspondence, so that an attacker cannot distinguish the authenticity of the data after acquiring the local original image data, and the privacy of the image data set of the medical institution can be effectively protected; in addition, the discriminator dynamically adjusts and adds noise, so that the discrimination capability of the discriminator can be improved.
The subject application is operational with numerous general purpose or special purpose computer system environments or configurations. For example: personal computers, server computers, hand-held or portable devices, tablet devices, multiprocessor systems, microprocessor-based systems, set top boxes, programmable consumer electronics, network PCs, minicomputers, mainframe computers, distributed computing environments that include any of the above systems or devices, and the like. The application may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. The application may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices.
The application can be applied to the field of intelligent security, so that the construction of a smart city is promoted.
Those skilled in the art will appreciate that implementing all or part of the above described methods may be accomplished by computer readable instructions stored in a computer readable storage medium that, when executed, may comprise the steps of the embodiments of the methods described above. The storage medium may be a nonvolatile storage medium such as a magnetic disk, an optical disk, a Read-Only Memory (ROM), or a random access Memory (Random Access Memory, RAM).
It should be understood that, although the steps in the flowcharts of the figures are shown in order as indicated by the arrows, these steps are not necessarily performed in order as indicated by the arrows. The steps are not strictly limited in order and may be performed in other orders, unless explicitly stated herein. Moreover, at least some of the steps in the flowcharts of the figures may include a plurality of sub-steps or stages that are not necessarily performed at the same time, but may be performed at different times, the order of their execution not necessarily being sequential, but may be performed in turn or alternately with other steps or at least a portion of the other steps or stages.
With further reference to fig. 4, as an implementation of the method shown in fig. 2, the present application provides an embodiment of a federal learning-based countermeasure generation network model training apparatus, which corresponds to the method embodiment shown in fig. 2 and is applicable to various electronic devices.
As shown in fig. 4, the federal learning-based countermeasure generation network model training apparatus 400 according to the present embodiment includes: a generating module 401, a judging module 402, a clipping module 403 and an adjusting module 404.
Wherein:
the generation module 401 is configured to input random noise data into a generator of the countermeasure generation network model to obtain a first image generation dataset;
the judging module 402 is configured to input the image training set and the first image generating set into a discriminator of the countermeasure generating network model to perform a judgment, so as to obtain a judgment result;
the clipping module 403 is configured to clip an original gradient of the discriminator to obtain a clipping gradient when the discrimination result does not meet a preset condition, and determine a noise value of added noise according to the clipping gradient;
the adjustment module 404 is configured to adjust model parameters of the discriminator according to the clipping gradient and the noise value, and to guide the updating of model parameters of the generator according to the discriminator after its model parameters are adjusted;
the generating module 401 is further configured to input noise corresponding to the noise value into the generator after its parameters are adjusted, so as to obtain a second image generation set;
the judging module 402 is further configured to input the image verification set and the second image generation set into the discriminator, calculate the privacy loss value of the countermeasure generation network model, and, if the privacy loss value is not within a preset range, iteratively update the countermeasure generation network model until the privacy loss value falls within the preset range.
It should be emphasized that, to further ensure the privacy and security of the image training set, the image training set may also be stored in a node of a blockchain.
According to the countermeasure generation network model training device based on federal learning, the characteristics of the original image data set are self-learned by adding random noise, and then the first image generation set is generated, so that the original image data set can be protected from being damaged; meanwhile, the generated image data set and the original image data set are not in one-to-one correspondence, so that an attacker cannot distinguish the authenticity of the data after acquiring the local original image data, and the privacy of the image data set of the medical institution can be effectively protected; in addition, the discriminator dynamically adjusts and adds noise, so that the discrimination capability of the discriminator can be improved.
In this embodiment, the judging module 402 is further configured to:
classifying and judging the image training set and the first image generation set through the discriminator to obtain a classification result;
determining the identification probability of the first image generation set identified by the discriminator according to the classification result;
and comparing the identification probability with a preset probability to obtain a discrimination result.
In this embodiment, the clipping module 403 is further configured to:
acquiring an original gradient vector of each layer of neural network of the discriminator;
determining a clipping threshold value corresponding to each layer of the neural network based on the original gradient vector;
and clipping the original gradient vector according to the clipping threshold value to obtain the clipping gradient corresponding to each layer of the neural network.
In some optional implementations of this embodiment, clipping module 403 is further configured to determine a second order norm of the original gradient vector, and calculate the clipping threshold according to the second order norm.
In some alternative implementations of the present embodiment, the clipping module 403 is further configured to:
dividing the second order norm by the clipping threshold to obtain a first quotient;
comparing the first quotient with a first numerical value to obtain the maximum value of the first quotient and the first numerical value;
and calculating the ratio of the original gradient vector to the maximum value to obtain the clipping gradient.
In this embodiment, the clipping module 403 is configured to:
acquiring Gaussian distribution of the random noise;
and calculating the noise value according to the Gaussian distribution and the clipping gradient.
In this embodiment, the judging module 402 further includes a calculation sub-module configured to:
calculating differential privacy sensitivity according to the image training set and the first image generation set;
and calculating the privacy loss value by adopting a Markov formula based on the differential privacy sensitivity.
According to this embodiment, the privacy loss value is calculated and its change is tracked; the effect of the added noise on the overall model is measured according to that change, and as the number of training rounds increases, the hierarchical gradient clipping and the dynamic noise adjustment have a better effect on the training process and the final result, so that the optimal privacy budget allocation is finally adjusted dynamically.
In order to solve the technical problems, the embodiment of the application also provides computer equipment. Referring specifically to fig. 5, fig. 5 is a basic structural block diagram of a computer device according to the present embodiment.
The computer device 5 comprises a memory 51, a processor 52 and a network interface 53, which are communicatively connected to each other via a system bus. It should be noted that only the computer device 5 with components 51-53 is shown in the figure, but it should be understood that not all of the illustrated components are required, and more or fewer components may be implemented instead. Those skilled in the art will appreciate that the computer device here is a device capable of automatically performing numerical calculations and/or information processing according to predetermined or stored instructions, whose hardware includes, but is not limited to, microprocessors, application-specific integrated circuits (ASICs), field-programmable gate arrays (FPGAs), digital signal processors (DSPs), embedded devices, etc.
The computer equipment can be a desktop computer, a notebook computer, a palm computer, a cloud server and other computing equipment. The computer equipment can perform man-machine interaction with a user through a keyboard, a mouse, a remote controller, a touch pad or voice control equipment and the like.
The memory 51 includes at least one type of readable storage medium, including flash memory, hard disk, multimedia card, card memory (e.g., SD or DX memory), random access memory (RAM), static random access memory (SRAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), programmable read-only memory (PROM), magnetic memory, magnetic disk, optical disk, etc. In some embodiments, the memory 51 may be an internal storage unit of the computer device 5, such as a hard disk or memory of the computer device 5. In other embodiments, the memory 51 may also be an external storage device of the computer device 5, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) card or a Flash Card provided on the computer device 5. Of course, the memory 51 may also comprise both an internal storage unit of the computer device 5 and an external storage device. In this embodiment, the memory 51 is typically used to store the operating system and the various application software installed on the computer device 5, such as the computer readable instructions of the federal learning-based countermeasure generation network model training method. Further, the memory 51 may be used to temporarily store various types of data that have been output or are to be output.
The processor 52 may be a central processing unit (CPU), controller, microcontroller, microprocessor, or other data processing chip in some embodiments. The processor 52 is typically used to control the overall operation of the computer device 5. In this embodiment, the processor 52 is configured to execute the computer readable instructions stored in the memory 51 or to process data, for example to execute the computer readable instructions of the federal learning-based countermeasure generation network model training method.
The network interface 53 may comprise a wireless network interface or a wired network interface, which network interface 53 is typically used to establish communication connections between the computer device 5 and other electronic devices.
When the processor executes the computer readable instructions stored in the memory, the steps of the federal learning-based countermeasure generation network model training method of this embodiment are realized: by adding random noise to self-learn the characteristics of the original image data set and then generating the first image generation set, the original image data set can be protected from being damaged; meanwhile, the generated image data set and the original image data set are not in one-to-one correspondence, so that an attacker cannot distinguish the authenticity of the data after acquiring the local original image data, and the privacy of the image data set of the medical institution can be effectively protected; in addition, the discriminator dynamically adjusts the added noise, so that the discrimination capability of the discriminator can be improved.
The present application further provides another embodiment, namely, provides a computer readable storage medium, where computer readable instructions are stored, where the computer readable instructions are executable by at least one processor, so that the at least one processor performs the steps of the method for training a federal learning-based countermeasure generation network model, where the method includes generating a first image generation set after adding random noise to self-learn characteristics of an original image data set, and protecting the original image data set from being damaged; meanwhile, the generated image data set and the original image data set are not in one-to-one correspondence, so that an attacker cannot distinguish the authenticity of the data after acquiring the local original image data, and the privacy of the image data set of the medical institution can be effectively protected; in addition, the discriminator dynamically adjusts and adds noise, so that the discrimination capability of the discriminator can be improved.
From the above description of the embodiments, it will be clear to those skilled in the art that the above-described embodiment method may be implemented by means of software plus a necessary general hardware platform, but of course may also be implemented by means of hardware, but in many cases the former is a preferred embodiment. Based on such understanding, the technical solution of the present application may be embodied essentially or in a part contributing to the prior art in the form of a software product stored in a storage medium (such as ROM/RAM, magnetic disk, optical disk), comprising several instructions for causing a terminal device (which may be a mobile phone, a computer, a server, an air conditioner, or a network device, etc.) to perform the method described in the embodiments of the present application.
It is apparent that the embodiments described above are only some embodiments of the present application, but not all embodiments, the preferred embodiments of the present application are given in the drawings, but not limiting the patent scope of the present application. This application may be embodied in many different forms, but rather, embodiments are provided in order to provide a more thorough understanding of the present disclosure. Although the present application has been described in detail with reference to the foregoing embodiments, it will be apparent to those skilled in the art that modifications may be made to the embodiments described in the foregoing, or equivalents may be substituted for elements thereof. All equivalent structures made by the specification and the drawings of the application are directly or indirectly applied to other related technical fields, and are also within the protection scope of the application.

Claims (10)

1. The method for training the countermeasure generation network model based on federal learning is characterized by comprising the following steps of:
inputting random noise data into a generator of a countermeasure generation network model to self-learn data characteristics of an original image data set to obtain a first image generation set similar to the original image data set, wherein the random noise data is used as basic data of the generator to generate the first image generation set;
inputting the image training set and the first image generation set into a discriminator of the countermeasure generation network model for discrimination to obtain a discrimination result;
when the discrimination result does not meet the preset condition, clipping the original gradient of the discriminator to obtain a clipping gradient, and determining a noise value of added noise according to the clipping gradient;
adjusting model parameters of the discriminator according to the clipping gradient and the noise value, and guiding updating model parameters of the generator according to the discriminator after adjusting the model parameters;
inputting the noise corresponding to the noise value into the generator after the parameters are adjusted to self-learn the data characteristics of the original image data set, and obtaining a second image generation set similar to the original image data set;
inputting an image verification set and the second image generation set into the discriminator, calculating a privacy loss value of the countermeasure generation network model, and if the privacy loss value is not in a preset range, carrying out iterative updating on the countermeasure generation network model until the privacy loss value is in the preset range;
the calculation formula of the clipping gradient is as follows:
where x_i is the i-th image training set; g(x_i) is the original gradient vector of the m-th neural network layer obtained by training on the i-th image training set; and C is the clipping threshold, calculated by its own formula in which N is the N-th image training set currently input and m is the m-th layer neural network in the discriminator.
2. The method for training a federal learning-based countermeasure generation network model according to claim 1, wherein the step of inputting the image training set and the first image generation set into a discriminator of the countermeasure generation network model to discriminate, and obtaining a discrimination result includes:
classifying and judging the image training set and the first image generating set through the judging device to obtain a classification result;
determining the identification probability of the first image generation set identified by the identifier according to the classification result;
and comparing the identification probability with a preset probability to obtain a discrimination result.
3. The federal learning-based countermeasure generation network model training method according to claim 1, wherein the step of clipping the original gradient of the discriminator to obtain a clipping gradient comprises:
acquiring an original gradient vector of each layer of neural network of the discriminator;
determining a clipping threshold value corresponding to each layer of the neural network based on the original gradient vector;
and clipping the original gradient vector according to the clipping threshold value to obtain the clipping gradient corresponding to each layer of the neural network.
4. The federal learning-based countermeasure generation network model training method according to claim 3, wherein the step of calculating a clipping threshold corresponding to each layer of the neural network based on the original gradient vector comprises:
and determining a second-order norm of the original gradient vector, and calculating the clipping threshold according to the second-order norm.
5. The federal learning-based countermeasure generation network model training method according to claim 4, wherein the step of clipping the original gradient vector according to the clipping threshold to obtain the clipping gradient corresponding to each layer of the neural network comprises:
dividing the second order norm by the clipping threshold to obtain a first quotient;
comparing the first quotient value with a first numerical value to obtain the maximum value of the first quotient value and the first numerical value, wherein the first numerical value is 1;
and calculating the ratio of the original gradient vector to the maximum value to obtain the clipping gradient.
6. The federal learning-based countermeasure generation network model training method of claim 5, wherein the step of determining added noise from the clipping gradient includes:
acquiring Gaussian distribution of the random noise;
and calculating the noise value according to the Gaussian distribution and the clipping gradient.
7. The federal learning-based countermeasure generation network model training method according to claim 1, wherein the step of calculating a privacy loss value of the countermeasure generation network model includes:
calculating differential privacy sensitivity according to the image training set and the first image generation set;
and calculating the privacy loss value by adopting a Markov formula based on the differential privacy sensitivity.
8. An apparatus for training a federal learning-based countermeasure generation network model, comprising:
the generation module is used for inputting random noise data into a generator of the countermeasure generation network model to self-learn data characteristics of an original image data set, so as to obtain a first image generation set similar to the original image data set, wherein the random noise data is used as basic data of the generator for generating the first image generation set;
the judging module is used for inputting the image training set and the first image generating set into a discriminator of the countermeasure generating network model to judge, so as to obtain a judging result;
the clipping module is used for clipping the original gradient of the discriminator to obtain a clipping gradient when the judging result does not meet the preset condition, and determining a noise value of added noise according to the clipping gradient;
the adjusting module is used for adjusting the model parameters of the discriminator according to the clipping gradient and the noise value, and guiding updating the model parameters of the generator according to the discriminator after adjusting the model parameters;
the generating module is further configured to input noise corresponding to the noise value into the generator after its parameters are adjusted, and to self-learn data features of the original image dataset to obtain a second image generating set similar to the original image dataset;
the judging module is further configured to input an image verification set and the second image generation set to the discriminator, calculate a privacy loss value of the countermeasure generation network model, and if the privacy loss value is not within a preset range, iteratively update the countermeasure generation network model until the privacy loss value falls within the preset range;
the calculation formula of the clipping gradient is as follows:
where x_i is the i-th image training set; g(x_i) is the original gradient vector of the m-th neural network layer obtained by training on the i-th image training set; and C is the clipping threshold, calculated by its own formula in which N is the N-th image training set currently input and m is the m-th layer neural network in the discriminator.
9. A computer device comprising a memory having stored therein computer readable instructions which when executed implement the steps of the federal learning based countermeasure generation network model training method of any of claims 1 to 7.
10. A computer readable storage medium having stored thereon computer readable instructions which when executed by a processor implement the steps of the federal learning based countermeasure generation network model training method of any of claims 1 to 7.
CN202110758657.4A 2021-07-05 2021-07-05 Federal learning-based countermeasure generation network model training method and related equipment thereof Active CN113435583B (en)

Publications (2)

Publication Number Publication Date
CN113435583A CN113435583A (en) 2021-09-24
CN113435583B true CN113435583B (en) 2024-02-09

Family

ID=77759113

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110758657.4A Active CN113435583B (en) 2021-07-05 2021-07-05 Federal learning-based countermeasure generation network model training method and related equipment thereof

Country Status (1)

Country Link
CN (1) CN113435583B (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114169007B (en) * 2021-12-10 2024-05-14 西安电子科技大学 Medical privacy data identification method based on dynamic neural network
CN113961967B (en) * 2021-12-13 2022-03-22 支付宝(杭州)信息技术有限公司 Method and device for jointly training natural language processing model based on privacy protection
CN114912624A (en) * 2022-04-12 2022-08-16 支付宝(杭州)信息技术有限公司 Longitudinal federal learning method and device for business model
CN115359547A (en) * 2022-06-30 2022-11-18 商汤集团有限公司 Training method of image processing network, image processing method and device
CN115426205B (en) * 2022-11-05 2023-02-10 北京淇瑀信息科技有限公司 Encrypted data generation method and device based on differential privacy
CN117788983B (en) * 2024-02-28 2024-05-24 青岛海尔科技有限公司 Image data processing method and device based on large model and storage medium
CN117936011A (en) * 2024-03-19 2024-04-26 泰山学院 Intelligent medical service management system based on big data

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2000158204A (en) * 1998-11-24 2000-06-13 Mitsubishi Materials Corp Surface-covering cemented carbide alloy cutting tool having hard covering layer exhibiting excellent chipping resistance
CN110147797A (en) * 2019-04-12 2019-08-20 中国科学院软件研究所 A kind of sketch completion and recognition methods and device based on production confrontation network
CN110969243A (en) * 2019-11-29 2020-04-07 支付宝(杭州)信息技术有限公司 Method and device for training countermeasure generation network for preventing privacy leakage
WO2020134704A1 (en) * 2018-12-28 2020-07-02 深圳前海微众银行股份有限公司 Model parameter training method based on federated learning, terminal, system and medium
CN112070209A (en) * 2020-08-13 2020-12-11 河北大学 Stable controllable image generation model training method based on W distance

Family Cites Families (1)

Publication number Priority date Publication date Assignee Title
US20210049298A1 (en) * 2019-08-14 2021-02-18 Google Llc Privacy preserving machine learning model training

Non-Patent Citations (1)

Title
A data differential-privacy-preserving stochastic gradient descent algorithm for deep neural network training; 李英; 贺春林; 计算机应用与软件 (04); full text *

Also Published As

Publication number Publication date
CN113435583A (en) 2021-09-24

Similar Documents

Publication Publication Date Title
CN113435583B (en) Federal learning-based countermeasure generation network model training method and related equipment thereof
CN112101172B (en) Weight grafting-based model fusion face recognition method and related equipment
CN112148987B (en) Message pushing method based on target object activity and related equipment
WO2022126970A1 (en) Method and device for financial fraud risk identification, computer device, and storage medium
CN112256874A (en) Model training method, text classification method, device, computer equipment and medium
CN112863683B (en) Medical record quality control method and device based on artificial intelligence, computer equipment and storage medium
CN112528025A (en) Text clustering method, device and equipment based on density and storage medium
CN110929799B (en) Method, electronic device, and computer-readable medium for detecting abnormal user
CN110162993B (en) Desensitization processing method, model training device and computer equipment
CN112287244A (en) Product recommendation method and device based on federal learning, computer equipment and medium
CN112035549B (en) Data mining method, device, computer equipment and storage medium
WO2022105117A1 (en) Method and device for image quality assessment, computer device, and storage medium
CN112668482B (en) Face recognition training method, device, computer equipment and storage medium
CN112149699B (en) Method and device for generating model and method and device for identifying image
CN112288163A (en) Target factor prediction method of target object and related equipment
CN116684330A (en) Traffic prediction method, device, equipment and storage medium based on artificial intelligence
CN111639360A (en) Intelligent data desensitization method and device, computer equipment and storage medium
CN117349899B (en) Sensitive data processing method, system and storage medium based on forgetting model
CN110197078B (en) Data processing method and device, computer readable medium and electronic equipment
CN112733181B (en) Product recommendation method, system, computer equipment and storage medium
CN112967044B (en) Payment service processing method and device
CN115099875A (en) Data classification method based on decision tree model and related equipment
CN114241411A (en) Counting model processing method and device based on target detection and computer equipment
CN114117037A (en) Intention recognition method, device, equipment and storage medium
CN112733645A (en) Handwritten signature verification method and device, computer equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant