CN113918814A - High-robustness privacy protection recommendation method based on counterstudy - Google Patents

Abstract

The invention provides a high-robustness privacy protection recommendation method based on counterstudy. The method comprises the following steps: constructing a training set required for optimizing a neural collaborative filtering model and a reference set required for training a member inference model; designing a neural collaborative filtering combined model with a member reasoning regular term, and performing iterative optimization of a countermeasure training mode on the combined model by using the training set and the reference set to obtain a robust user and article characteristic representation matrix; predicting the unobserved scores according to the obtained user characteristic matrix and the obtained article characteristic matrix; recommending the corresponding item set with higher prediction score and no behavior to the corresponding user. The invention designs a unified minimum maximization objective function in an anti-training mode to explicitly endow the recommendation algorithm with the capability of defending against member reasoning attack, thereby defending against member reasoning attack and relieving overfitting of the recommendation model, and realizing bidirectional promotion of personalized recommendation model algorithm performance and training data privacy protection.

Description

High-robustness privacy protection recommendation method based on counterstudy

Technical Field

The invention relates to the technical field of personalized recommendation, in particular to a high-robustness privacy protection recommendation method based on counterstudy.

Background

The personalized recommendation system is an effective supplementary means for traditional information retrieval, makes full use of the content characteristics of the user and the object and the interaction data between the user and the object, automatically filters useless information, is a common application capable of helping the user find the potential interest of the user, and gets more and more attention in academic and industrial fields. The technical support at the core behind the personalized recommendation system is a recommendation algorithm which trains the historical browsing data of a user by using a machine learning idea.

The recommendation algorithm is capable of grasping the future interest preference of the user because it needs to collect as much personal information and behavior information of the user as possible so as to realize accurate recommendation services, such as a content-based recommendation system and a collaborative filtering-based recommendation system. In addition, according to social homogeneity theory, the behaviors of friends tend to be more consistent, so that many researches merge social information into the traditional collaborative filtering method. By fusing more and more information and combining different types of data, the prediction performance of the recommendation system is certainly improved significantly, but the risk of revealing the privacy of the user is inevitably caused. Therefore, in recent years, there has been an increasing interest in protecting the privacy of sensitive information of users. However, most of the previous work has focused on protecting sensitive information such as the user's demographic characteristics and the user's historical purchasing behavior. The privacy protection of user information is mainly carried out through a differential privacy technology and a perturbation technology, most of the methods carry out direct data perturbation on original data, although the privacy data of the user are protected to a certain extent, the degradation of the predictive performance of a model is inevitably caused.

At present, the mainstream service mode is a machine learning-as-a-service mode, so that the original data of the model is difficult to acquire and directly perturb, and therefore, the white box attack on the original training data of the model is no longer practical. Recent studies have shown that trained data and untrained data often have different statistical properties, so that machine learning models are prone to privacy disclosure of their trained data set information. More specifically, an attacker can deduce whether some samples are the trained data or not by constructing a reasoning model based on the different statistical characteristics, and such a reasoning process is called member reasoning attack, and the method can easily attack the black box model, so that the method becomes a mainstream attack method in recent years.

At present, there are two broad categories of prior art methods for defending against member inference attacks. The first category includes a simple mitigation technique, that is, the prediction result of the model is limited, for example, five classified prediction tasks are only output to the first three categories after probability sorting, and obviously, such an operation reduces the prediction accuracy of the model; or regularize the prediction model, for example using the common L2 paradigm. These techniques, while able to guarantee the prediction accuracy of the model to some extent, do not guarantee any strict privacy protection definitions.

The second broad category of defense techniques is the use of different differential privacy mechanisms. However, the existing differential privacy mechanism meets the requirement of privacy protection in a strict mathematical sense, and meanwhile, the model prediction performance is not definitely brought into the design target of the privacy mechanism, which often causes serious prediction precision loss. Therefore, it is very important to design a robust algorithm that is guaranteed by considering both the model prediction performance and the training data privacy protection effect.

Disclosure of Invention

The embodiment of the invention provides a high-robustness privacy protection recommendation method based on counterstudy, so as to accurately recommend interested articles to a user on the premise of protecting the privacy of the members.

In order to achieve the purpose, the invention adopts the following technical scheme.

A highly robust privacy protection recommendation method based on counterstudy comprises the following steps:

step S1: establishing a neural collaborative filtering model and a required training set, and randomly initializing parameters P, Q, theta of the neural collaborative filtering recommendation model_R，

A matrix of characteristics of the user is represented,

representing a matrix of article characteristics, Θ_RUniformly representing a parameter matrix of a recommendation model hidden layer;

step S2: constructing a member reasoning model and a required reference set, and randomly initializing a parameter matrix theta of the member reasoning model_M，Θ_MThe learnable parameters of the member reasoning model are represented in a unified mode;

step S3: constructing a neural collaborative filtering combination model with a member reasoning regular term by using the neural collaborative filtering model and the member reasoning model, designing a unified minimum maximization objective function based on antagonistic learning and carrying out iterative antagonistic training to obtain a robust user characteristic matrix P and an article characteristic matrix Q;

step S4: and predicting the scoring value of the user on the unobserved goods according to the trained P and Q:

to pair

Arranged in descending order row by row, and will

Median score value comparisonA number of items that are high and not rated are recommended to the respective users,

representing the predicted user-item scoring matrix.

Preferably, the constructing of the neural collaborative filtering model in step S1 includes:

the neural collaborative filtering model f (P, Q, theta)_RThe input layer of | U, i) includes two one-hot feature sparse vectors v describing user U and item i, respectively_uAnd v_iMapping the sparse vector to a user feature vector p through an embedding layer_u＝P^Tv_uAnd an item feature vector q_i＝Q^Tv_iWherein

And

the matrixes respectively represent a user characteristic matrix and an article characteristic matrix, d is a dimension after low-dimensional embedding, obtained hidden vectors of the user and the article are input into the multilayer neural network, and the low-dimensional vectors of the user and the article are mapped into a predicted click probability

The predicted click probability

A closer to 1 indicates that the user likes the item more, a closer to 0 indicates that the user dislikes the item more, and a predicted click probability

Closer to the real tag y_uiThe higher the recommendation accuracy of the recommendation system is proved.

Preferably, the training set constructing in step S1 includes:

building a user-item scoring matrix R e {0, 1, 2, 3 by using the existing data set，4，5}^m×nThe rows and columns in the scoring matrix respectively represent users and articles, element values in the scoring matrix represent the scoring of the users on the articles, m and n respectively represent the number of the users and the articles, the user-article scoring matrix data are normalized, and a scoring matrix Y suitable for classification tasks is obtained, wherein the scoring matrix Y belongs to {0, 1}^m×nThe value 1 indicates that the user clicked on the item, 0 indicates that no behavior is generated, and the triple data set is generated for the element of 1 in the scoring matrix

Wherein u represents a user number, i represents an item number, y _ui1 represents a positive sample of the user clicking on the item;

generating user click negative samples according to the principle of same distribution with the positive samples by utilizing a negative sampling technology

Clicking on a positive sample with the user

And user clicks negative examples

Training set jointly forming training neural collaborative filtering recommendation model

Preferably, the member inference model building in step S2 includes:

the member inference model g (Θ)_M) Modeling with a classification task based on statistical differences between member predictions and non-member predictions, i.e. positive samples if the sample exists in the training set, and negative samples otherwise, the member inference attack model is treated as a two-classification task, instantiating the member inference attack model as g (Θ)_M|u，i×Y²)→[0，1]Fitting input samples to labels using deep neural networks with robust feature extractionThe former complex association, for any sample (u, i, y) in the neural collaborative filtering model dataset_ui) And corresponding output vector of personalized recommendation model

Input samples that collectively form a member inference attack model

If the output result passes through the member reasoning model

Close to 1 is a member, otherwise it is a non-member.

Preferably, the reference set construction in step S2 includes:

data set to be involved in neural collaborative filtering recommendation model training

Positive samples as training member inference models

Member set, also called member inference model, where h _ui1 represents a member sample participating in training of the neural collaborative filtering recommendation model; according to the principle of independent and same distribution, negative samples for member inference models are generated by sampling according to the same proportion

Wherein h is_ui0 represents a non-member sample that does not participate in the training of the neural collaborative filtering recommendation model, also referred to as a non-member set of member inference models;

the member set and the non-member set of the member inference model jointly form a reference set required by training the member inference model

Preferably, the objective function of the member inference regularization term-based neural collaborative filtering joint model in step S3 is defined as follows:

wherein the internal maximization function is targeted for a given recommendation model f (Θ)_R) Finding the strongest member reasoning attack model g (theta)_M) The objective of the external minimization function is to infer the attack model g (Θ) for a given strongest member_M) Finding a most robust personalized recommendation model, wherein the parameter lambda controls the balance between recommendation precision and member privacy;

neural collaborative filtering model f (Θ)_R) The optimization objective of (1) is to minimize the expected experience loss, which is expressed as follows using cross-entropy loss as the objective loss function:

wherein

To optimize the training set of the neural collaborative filtering model,

y_uirespectively representing the predicted click probability and the real label of the recommendation model;

the objective of the member inference attack model is to maximize the empirical benefit, i.e., to calculate the supervision loss of the member inference attack model using cross entropy loss for modeling the statistical difference between the predicted distribution and the true distribution, wherein the empirical benefit is expressed as follows:

after the terms are combined, the unified min-max countermeasure objective function is refined into the following mathematical form:

wherein, according to 4: 1 to construct training set required by neural collaborative filtering model

And reference set required by member reasoning model

The training set is used for training the recommendation model and positive samples of the member reasoning attack model, the reference set does not participate in the training of the recommendation system but is used as the negative samples of the member reasoning model, the training set is used as the positive samples in the reference set,

and performing iterative countermeasure training on the neural collaborative filtering joint recommendation model with the member inference regular term by using the training set and the reference set.

Preferably, the iterative countermeasure training of the neural collaborative filtering joint recommendation model with the member inference regularization term in step S3 is as follows:

randomly initializing neural collaborative filtering recommendation model parameters P, Q, theta_R(ii) a Random initialization member reasoning model parameter theta_MAnd entering an iterative training process: fixing algorithm parameters P, Q, theta of recommendation model_RCalculating target revenue for Θ_MUpdating the parameter matrix theta by using a gradient ascent algorithm_M(ii) a Algorithm parameters theta of fixed member inference model_MCalculating target losses with respect to P, Q, theta, respectively_RRespectively updating the parameter matrixes P, Q and theta by using a gradient descent algorithm_R(ii) a Repeating the steps, and continuously and alternately updating the parameters P, Q and theta_R，Θ_MUntil a convergence condition is satisfied;

through the algorithm, the balance point of the minimum and maximum game problem is found, and the robust personalized recommendation system with member privacy protection capability is obtained.

Preferably, the convergence condition includes that the objective function value is less than a certain preset threshold or the number of iteration rounds reaches a certain magnitude.

According to the technical scheme provided by the embodiment of the invention, the unified minimum maximization objective function is designed in a mode of resisting learning to explicitly endow the recommendation algorithm with the capability of defending member reasoning attack; the game countertraining is carried out on the personalized recommendation model and the member inference model, so that the member inference attack model can learn the potential member privacy risks in the recommendation model, meanwhile, the recommendation model can defend and learn the trained member attack model, the purposes of defending member inference attack and relieving overfitting of the recommendation model so as to enhance the generalization ability and robustness are achieved, the bidirectional promotion of the algorithm performance of the personalized recommendation model and the protection degree of the privacy of training data is finally achieved, and the goal of accurately recommending the interested articles to the user on the premise of protecting the member privacy is achieved.

Additional aspects and advantages of the invention will be set forth in part in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention.

Drawings

In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.

FIG. 1 is a flowchart of a model confrontation training process according to an embodiment of the present invention;

fig. 2 is a processing flow chart of a personalized recommendation method based on member privacy protection of a counterlearning paradigm according to an embodiment of the present invention;

fig. 3 is a specific instantiation structure diagram of a personalized neural collaborative filtering recommendation model method according to an embodiment of the present invention.

Fig. 4 is a specific instantiation structure diagram of a member inference model method provided in an embodiment of the present invention.

Detailed Description

Reference will now be made in detail to embodiments of the present invention, examples of which are illustrated in the accompanying drawings, wherein like reference numerals refer to the same or similar elements or elements having the same or similar function throughout. The embodiments described below with reference to the accompanying drawings are illustrative only for the purpose of explaining the present invention, and are not to be construed as limiting the present invention.

As used herein, the singular forms "a", "an", "the" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms "comprises" and/or "comprising," when used in this specification, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof. It will be understood that when an element is referred to as being "connected" or "coupled" to another element, it can be directly connected or coupled to the other element or intervening elements may also be present. Further, "connected" or "coupled" as used herein may include wirelessly connected or coupled. As used herein, the term "and/or" includes any and all combinations of one or more of the associated listed items.

It will be understood by those skilled in the art that, unless otherwise defined, all terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. It will be further understood that terms, such as those defined in commonly used dictionaries, should be interpreted as having a meaning that is consistent with their meaning in the context of the prior art and will not be interpreted in an idealized or overly formal sense unless expressly so defined herein.

For the convenience of understanding the embodiments of the present invention, the following description will be further explained by taking several specific embodiments as examples in conjunction with the drawings, and the embodiments are not to be construed as limiting the embodiments of the present invention.

The method provided by the invention considers the problem of member privacy protection in the recommendation system for the first time, designs the recommendation precision and the member protection degree as a minimum maximization game framework, explicitly considers the privacy protection problem in a member reasoning regular term mode in a recommendation system model, and designs an algorithm for balancing the recommendation precision and the member privacy protection effect, so that the accurate recommendation target is realized on the premise of protecting the user privacy.

The embodiment of the invention provides a robust personalized recommendation framework for member privacy protection based on a countering learning paradigm, which is used for performing countering training between a personalized neural collaborative filtering recommendation model and a member reasoning model to finally reach a game balance point of recommendation performance and member privacy protection capability, so that the method can improve the generalization capability of the neural collaborative filtering recommendation model and further has the member reasoning protection capability, thereby achieving the bidirectional promotion of the generalization capability of a recommendation system and the member privacy protection degree.

The method formalizes the balance problem of the recommendation algorithm on the prediction performance and the member privacy protection into a minimum maximization game problem, and designs a special confrontation training algorithm to enable an algorithm frame to maximize the member reasoning attack capability, minimize the prediction error of the recommendation algorithm and improve the defense capability of the model on the member reasoning attack, namely, the aim of accurate recommendation is achieved on the premise that whether data participate in the training of the neural collaborative filtering recommendation model cannot be accurately judged. Specifically, the member reasoning model seeks accurate member information of an inferred user by learning click rate prediction distribution of the neural collaborative filtering recommendation model on input data, namely whether target data appear in a training set or not; the neural collaborative filtering recommendation model enables the model to accurately fit the potential distribution of the original training set in the whole training process on the one hand through the explicit addition of the member reasoning regular term, and meanwhile enables the model to have the capability of defending against the strongest member reasoning attack. The strategy laterally relieves the over-fitting problem of the neural collaborative filtering recommendation model, so that the generalization capability and robustness of the neural collaborative filtering recommendation model are improved, and accurate recommendation service is provided for users on the premise of ensuring member privacy protection.

The method mainly comprises the following steps:

(1) training set required for constructing neural collaborative filtering model

The training set contains user click positive samples given in the original data set

And generating a user click negative sample according to the principle of same distribution with the positive sample by utilizing a negative sampling technology

The two subsets jointly form a training set for training a neural collaborative filtering recommendation model

(2) Reference set required for constructing member reasoning model

The reference set comprises member sets participating in training of the neural collaborative filtering recommendation model

(and

synonymous) and same number of non-member sets of equal size and distribution not involved in neural collaborative filtering recommendation model training

The two subsets jointly form a reference set for training member inference models

(3) Instantiating a neural collaborative filtering model f (Θ)_R) And member inference model g (theta)_M) And constructing a neural collaborative filtering combined model with a member reasoning regular term by using the neural collaborative filtering model and the member reasoning model, and designing a uniform minimum maximization objective function based on antagonistic learning. Performing iterative countermeasure training on the member inference regular term-based neural collaborative filtering joint recommendation model by using the training set and the reference set to generate a robust user characteristic matrix P and an article characteristic matrix Q;

(4) and predicting the items which are interested by the user according to the generated user characteristic matrix P and the item characteristic matrix Q.

The embodiment of the invention provides a working flow chart of model confrontation training, which is shown in fig. 1 and specifically comprises the following steps:

step S1: a training set required by constructing a neural collaborative filtering model, wherein the training set comprises user click positive samples given in an original data set

And generating a user click negative sample according to the principle of same distribution with the positive sample by utilizing a negative sampling technology

Step S1-1: for user click positive sample given in original data set

And (6) carrying out normalization processing.

Utilizing the existing data to construct a user-item scoring matrix R epsilon {0, 1, 2, 3, 4, 5}^m×nRows and columns in the scoring matrix represent users and items, respectively, and elemental values in the scoring matrix represent the scores of users for items, where m and n represent the user and item numbers, respectively. Then, the scoring data is normalized to obtain the data suitable for classificationThe scoring matrix Y of the affairs belongs to {0, 1}^m×nA value of 1 indicates that the user clicked on the item, and a value of 0 indicates that no action was taken. Generating a triple data set for an element of 1 in a scoring matrix

Wherein u represents a user number, i represents an item number, y_uiA positive sample with 1 indicates that the user clicked on the item.

Step S1-2: negative sample clicking on user based on negative sampling strategy

And (4) constructing.

Generally, we can train the neural collaborative filtering model by using the original user-item scoring matrix described above, but because of the large amount of negative sample data in the matrix, optimizing a large amount of negative samples can greatly slow down the training process, and the serious imbalance of the positive and negative samples can greatly affect the effect of the model. Therefore, we propose a negative sampling technique to speed up the training process of the model and improve the prediction accuracy of the model. Clicking positive samples on the divided users based on the negative sampling strategy

Generating a user negative sample set, wherein the negative sample strategy is mainly realized by performing a negative sample set generation on the basis of a 1: 4, randomly sampling the interaction which is not observed in the sampling comparison, and generating user click negative sample data

Wherein y is_uiA negative sample of the user not clicking on the item is denoted 0. The positive click behavior sample and the negative click behavior sample of the user jointly form a training set for training the neural collaborative filtering recommendation model

Step S2: reference set required for constructing member reasoning model

The reference set comprises member sets participating in training of the neural collaborative filtering recommendation model

And equally sized and distributed non-member sets not participating in neural collaborative filtering recommendation model training

Generally, training the member inference model requires a positive sample participating in training the neural collaborative filtering recommendation model, and also requires a negative sample not participating in training the neural collaborative filtering recommendation model. For the member inference model, the training set required by the neural collaborative filtering model is a member, and the set which does not participate in the training of the neural collaborative filtering model is a non-member. Therefore, data sets participating in neural collaborative filtering recommendation model training

Can be used as a positive sample for training member reasoning model

Namely, it is

And

the meanings of the expressions are the same and synonyms may be substituted in the following, where h _ui1 represents the member sample participating in the training of the neural collaborative filtering recommendation model.

In order to ensure the normal training of the member inference model, according to the principle of independent and same distribution, the negative samples for the member inference model are generated by sampling according to the same proportion

Wherein h is_ui0 represents a non-member sample that did not participate in the neural collaborative filtering recommendation model training. The member set and the non-member set jointly form a reference set required by training a member inference model

Step S3: instantiating a neural collaborative filtering model f (Θ)_R) And member inference model g (theta)_M) And constructing a neural collaborative filtering combined model with a member reasoning regular term by using the neural collaborative filtering model and the member reasoning model, and designing a uniform minimum maximization objective function based on antagonistic learning. And performing iterative countermeasure training on the member inference regular term-based neural collaborative filtering joint recommendation model by using the training set and the reference set to generate a robust user characteristic matrix P and an article characteristic matrix Q.

Through the processing on the data set, a training set required by the neural collaborative filtering model and a reference set required by the member reasoning model are obtained. The countermeasure training framework mainly relates to game learning of a neural collaborative filtering recommendation model and a member inference model, wherein the member inference model seeks accurate member information of an inferred user by learning click rate prediction distribution of the neural collaborative filtering recommendation model on input data; the neural collaborative filtering recommendation model enables the model to accurately fit the potential distribution of the original training set in the whole training process through the explicit addition of the member reasoning regular term, and meanwhile, the model has the capability of defending the strongest member reasoning attack. In the next section, we first introduce the neural collaborative filtering model and the membership inference model separately, then introduce the unified objective function combining the two, and finally explain the countertraining process of the two.

The part of the neural collaborative filtering model is as follows: the input layer comprises two one-hot feature sparse vectors v which respectively describe a user u and an item i_uAnd v_iThen mapping the sparse vector to a user feature vector p through an embedding layer_u＝P^Tv_uAnd an item feature vector q_i＝Q^Tv_iWherein

And

the matrixes respectively represent a user characteristic matrix and an article characteristic matrix, and d is a dimension after low-dimensional embedding. Then inputting the obtained hidden vectors of the user and the article into a multi-layer neural network (which is called as a neural collaborative filtering layer), and finally mapping the potential vectors into predicted click probability

The specific network structure is shown in fig. 3. Wherein the predicted click probability

Closer to 1 indicates that the user likes the item more, and closer to 0 indicates that the user dislikes the item more. Predicting click probability

Closer to the real tag y_uiThe higher the recommendation accuracy of the recommendation system is proved.

We can formally express the neural collaborative filtering model prediction function as:

wherein

Is a hidden variable matrix for the user,

is a latent variable matrix of the article, theta_RModel parameters of the recommendation model f are filtered for neural synergy.

Since the neural collaborative filtering model is a multi-layer neural network, the prediction model can be expressed as:

……

wherein W_L，b_L，a_LRespectively, a weight matrix, a bias vector and an activation function of the L-th layer perceptron. The activation function can select sigmoid, tanh, ReLU and the like, and the ReLU function is selected in the invention.

The optimization goal of the neural collaborative filtering model is to minimize the expected experience loss, which is expressed in the present invention as follows, using cross entropy loss as the objective loss function:

wherein

Is a training set of the neural collaborative filtering model,

y_uiand respectively predicting click probability and real labels of the neural collaborative filtering recommendation model.

Member reasoning model part: whether the input sample exists in the original data set or not is deduced according to different performances of the input data on model prediction distribution, namely, the model prediction results often generated by the trained member data have the condition of extremely high confidence coefficient of a certain class, and the model prediction results often generated by the untrained non-member data are distributed more uniformly. According to the statistical rule and other background knowledge, an attacker can easily cause member reasoning attack on the model, and finally the privacy problem of the members is revealed.

Thus, based on the above statistical rules, the member inference model is often modeled with a classification task based on the statistical difference of the predictions for members and the predictions for non-members, i.e. positive samples if the sample exists in the training set, and negative samples otherwise. In the invention, the member reasoning model is regarded as a binary task, and the instantiated member reasoning model is g (theta)_M|u，i×Y²)→[0，1]And a deep neural network with good characteristic extraction is utilized to fit the complex relation between the input sample and the label, and the specific network structure is shown in fig. 4. For any sample (u, i, y) in the dataset_ui) And corresponding output vector of the personalized neural collaborative filtering recommendation model

Input samples that collectively form a member inference model

If the output result passes through the member reasoning model

Close to 1 is a member, otherwise it is a non-member. We can formally express the prediction function of the member inference model as:

wherein

As input number of modelAccordingly, the user label, the article label, the prediction distribution of the neural collaborative filtering recommendation model and the real label of the sample are respectively expressed_MModel parameters of the model g are inferred for the members.

Here, to model statistical differences before the predicted distribution and the true distribution, we also use cross-entropy loss to compute the supervised loss of the member inference model, which aims to maximize the empirical benefit, which can be expressed as follows:

with the above, we have introduced the structure, input and output, and loss functions of the neural collaborative filtering model and the membership inference model, and we mainly introduce the principle of the antagonistic training between the two and the optimization algorithm in detail below.

Inspired by the popular idea of counterlearning at present, the recommendation system with member reasoning protection can be naturally regarded as a minimum maximization game problem. The member reasoning model can adjust the parameters of the attack model according to the grasped background knowledge and the set objective function, and the ultimate aim is to maximize the attack income of the member reasoning model on the existing nerve collaborative filtering recommendation model; the personalized neural collaborative filtering recommendation model can adjust parameters of the model according to a target function of the model, and the primary goals of minimizing a model prediction error of the model and reducing the privacy disclosure risk of the model to members are achieved. This means that defenders and attackers have conflicting goals and can therefore be considered a game trade-off problem, who needs to find a neuro-collaborative filtering recommendation model that not only minimizes their losses, but also minimizes the opponent's maximum gain, which can be modeled as a minimum maximization game problem.

If the simple purpose is to resist member reasoning attack, the input and the output of the model can be simply made to have no relation, but the recommendation utility of the neural collaborative filtering recommendation model can be greatly influenced. Therefore, the invention designs the target of the recommendation system innovatively to minimize the member privacy disclosure risk when the strongest member reasoning attack is faced while minimizing the recommendation performance loss, thereby designing an optimal member privacy mechanism and ensuring the maximization of the model utility.

We uniformly formalize member privacy and recommendation performance in the following countermeasure objective function:

wherein the objective of the internal maximization function is to filter the recommendation model f (Θ) for a given neural synergy_R) Find the strongest member inference model g (Θ)_M) The objective of the external minimization function is to infer the model g (Θ) for a given strongest member_M) And finding out the most robust personalized neural collaborative filtering recommendation model, so that the most robust personalized neural collaborative filtering recommendation model not only can protect member information, but also can provide accurate recommendation service. The parameter lambda controls the balance between the recommendation precision and the member privacy, the member privacy protection model is used as a regular item of the neural collaborative filtering recommendation model, and the purpose of preventing the neural collaborative filtering recommendation model from overfitting original training data so as to enhance the robustness of the model is achieved.

More specifically, the unified countermeasure objective function described above can be refined into the following mathematical form:

wherein, for the training effect of the neural collaborative filtering recommendation model, we ensure that according to 4: 1 to construct training set required by neural collaborative filtering model

And reference set required by member reasoning model

The training set is used for training of the neural collaborative filtering recommendation model and positive samples of the member inference model, and the reference set does not participate in training of the recommendation system and serves as a negative sample of the member inference model. Since the training set is used as a positive sample in the reference set, therefore

The working flow of training and optimizing the personalized recommendation algorithm for resisting learning and protecting member privacy provided by the embodiment of the invention is that in each round of training, a neural collaborative filtering recommendation model f and a member inference model g are alternately trained to search for optimal models for each other. In the internal optimization step, for a fixed neural collaborative filtering recommendation model f, a member inference model is trained to distinguish whether the target data belongs to a training set D_tOr reference set D_r. In this step, the empirical benefit of the maximum membership inference model is

In the external optimization step, for a fixed member inference model g, the experience gain of the member inference model is used as a regular term of a neural collaborative filtering recommendation model in a training set D_tTraining is performed, this step minimizes the loss of experience recommendations

More specifically, the workflow of training and optimizing the personalized recommendation algorithm for protecting the privacy of the members against learning provided by the embodiment of the present invention is shown in fig. 2, and includes the following steps:

s3-1: randomly initializing neural collaborative filtering recommendation model parameters P, Q, theta_R；

S3-2: random initialization member reasoning model parameter theta_MAnd entering an iterative training process:

s3-3: algorithm parameters P, Q, theta of fixed neural collaborative filtering recommendation model_RCalculating a target profit aboutΘ_MUpdating the parameter matrix theta by using a gradient ascent algorithm_M；

S3-4: algorithm parameters theta of fixed member inference model_MCalculating target losses with respect to P, Q, theta, respectively_RRespectively updating the parameter matrixes P, Q and theta by using a gradient descent algorithm_R；

S3-5: repeating the steps S3-3 to S3-4, continuously and alternately updating the parameters P, Q, theta_R，Θ_MAnd outputting the parameter model until a convergence condition is met, for example, the objective function value is smaller than a certain preset threshold or the number of iteration rounds reaches a certain magnitude.

Through the algorithm, the balance point of the minimum and maximum game problem can be found finally, a personalized recommendation system for member privacy protection is obtained finally, and the generalization capability and member privacy protection capability of the recommendation system are improved doubly.

Step S4: predicting the scoring value of the user to the unobserved object according to the feature matrix of the user and the object:

to pair

Arranged in descending order row by row, and will

And recommending a plurality of items with higher (and not-scored) middle scoring values to corresponding users. Wherein the content of the first and second substances,

a matrix of characteristics of the user is represented,

a matrix of characteristics of the article is represented,

representing the predicted user-item scoring matrix.

In conclusion, the invention designs a unified minimum maximization objective function in a mode of resisting learning to explicitly endow a recommendation algorithm with the capability of defending member reasoning attack; the game countermeasure training is carried out on the personalized neural collaborative filtering recommendation model and the member inference model, so that the member inference model can learn the potential member privacy risks in the neural collaborative filtering recommendation model, meanwhile, the neural collaborative filtering recommendation model can carry out defense learning on the trained member attack model, the purposes of defending member inference attacks and relieving overfitting of the neural collaborative filtering recommendation model so as to enhance the generalization ability and the robustness are achieved, finally, the bidirectional promotion of the algorithm performance of the personalized neural collaborative filtering recommendation model and the privacy protection degree of training data is achieved, and the goal of accurately recommending interested articles to a user on the premise of protecting the member privacy can be achieved.

Those of ordinary skill in the art will understand that: the figures are merely schematic representations of one embodiment, and the blocks or flow diagrams in the figures are not necessarily required to practice the present invention.

From the above description of the embodiments, it is clear to those skilled in the art that the present invention can be implemented by software plus necessary general hardware platform. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which may be stored in a storage medium, such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method according to the embodiments or some parts of the embodiments.

The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for apparatus or system embodiments, since they are substantially similar to method embodiments, they are described in relative terms, as long as they are described in partial descriptions of method embodiments. The above-described embodiments of the apparatus and system are merely illustrative, and the units described as separate parts may or may not be physically separate, and the parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.

The above description is only for the preferred embodiment of the present invention, but the scope of the present invention is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present invention are included in the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (8)

1. A highly robust privacy protection recommendation method based on counterstudy is characterized by comprising the following steps:

step S1: establishing a neural collaborative filtering model and a required training set, and randomly initializing parameters P, Q, theta of the neural collaborative filtering recommendation model_R，

A matrix of characteristics of the user is represented,

representing a matrix of article characteristics, Θ_RUniformly representing a parameter matrix of a recommendation model hidden layer;

step S2: constructing a member reasoning model and a required reference set, and randomly initializing a parameter matrix theta of the member reasoning model_M，Θ_MThe learnable parameters of the member reasoning model are represented in a unified mode;

step S3: constructing a neural collaborative filtering combination model with a member reasoning regular term by using the neural collaborative filtering model and the member reasoning model, designing a unified minimum maximization objective function based on antagonistic learning and carrying out iterative antagonistic training to obtain a robust user characteristic matrix P and an article characteristic matrix Q;

step S4: and predicting the scoring value of the user on the unobserved goods according to the trained P and Q:

to pair

Arranged in descending order row by row, and will

A plurality of items with higher middle scoring value and which are not scored are recommended to the corresponding users,

representing the predicted user-item scoring matrix.

2. The method according to claim 1, wherein the constructing of the neural collaborative filtering model in step S1 includes:

the neural collaborative filtering model f (P, Q, theta)_RThe input layer of | u, i) includes two one-hot feature sparse vectors v describing user u and item i, respectively_uAnd v_iMapping the sparse vector to a user feature vector p through an embedding layer_u＝P^Tv_uAnd an item feature vector q_i＝Q^Tv_iWherein

And

the matrixes respectively represent a user characteristic matrix and an article characteristic matrix, d is the dimension after low-dimensional embedding, and the obtained hidden vectors of the user and the article are input into the multilayer neural networkIn (3), mapping the user and item low-dimensional vectors to the predicted click probability

The predicted click probability

A closer to 1 indicates that the user likes the item more, a closer to 0 indicates that the user dislikes the item more, and a predicted click probability

Closer to the real tag y_uiThe higher the recommendation accuracy of the recommendation system is proved.

3. The method according to claim 1, wherein the training set construction in step S1 includes:

utilizing the existing data set to construct a user-item scoring matrix R belonging to {0, 1, 2, 3, 4, 5}^m×nThe rows and columns in the scoring matrix respectively represent users and articles, element values in the scoring matrix represent the scoring of the users on the articles, m and n respectively represent the number of the users and the articles, the user-article scoring matrix data are normalized, and a scoring matrix Y suitable for classification tasks is obtained, wherein the scoring matrix Y belongs to {0, 1}^m×nThe value 1 indicates that the user clicked on the item, 0 indicates that no behavior is generated, and the triple data set is generated for the element of 1 in the scoring matrix

Wherein u represents a user number, i represents an item number, y_ui1 represents a positive sample of the user clicking on the item;

generating user click negative samples according to the principle of same distribution with the positive samples by utilizing a negative sampling technology

Clicking on a positive sample with the user

And user clicks negative examples

Training set jointly forming training neural collaborative filtering recommendation model

4. The method according to claim 1, wherein the member inference model building in step S2 includes:

the member inference model g (Θ)_M) Modeling with a classification task based on statistical differences between member predictions and non-member predictions, i.e. positive samples if the sample exists in the training set, and negative samples otherwise, the member inference attack model is treated as a two-classification task, instantiating the member inference attack model as g (Θ)_M|u，i×Y²)→[0，1]Fitting complex associations between input samples and labels using deep neural networks with robust feature extraction for any sample (u, i, y) in the neural collaborative filtering model dataset_ui) And corresponding output vector of personalized recommendation model

Input samples that collectively form a member inference attack model

If the output result passes through the member reasoning model

Close to 1 is a member, otherwise it is a non-member.

5. The method according to claim 1, wherein the reference set construction in step S2 includes:

data set to be involved in neural collaborative filtering recommendation model training

Positive samples as training member inference models

Member set, also called member inference model, where h_ui1 represents a member sample participating in training of the neural collaborative filtering recommendation model; according to the principle of independent and same distribution, negative samples for member inference models are generated by sampling according to the same proportion

Wherein h is_ui0 represents a non-member sample that does not participate in the training of the neural collaborative filtering recommendation model, also referred to as a non-member set of member inference models;

the member set and the non-member set of the member inference model jointly form a reference set required by training the member inference model

6. The method according to claim 1, wherein the objective function of the neural collaborative filtering joint model based on the member inference regularization term in the step S3 is defined as follows:

wherein the internal maximization function is targeted for a given recommendation model f (Θ)_R) Finding the strongest member reasoning attack model g (theta)_M) The objective of the external minimization function is to infer the attack model g (Θ) for a given strongest member_M) Find the bestA robust personalized recommendation model, wherein a parameter lambda controls the balance between recommendation precision and member privacy;

neural collaborative filtering model f (Θ)_R) The optimization objective of (1) is to minimize the expected experience loss, which is expressed as follows using cross-entropy loss as the objective loss function:

wherein

To optimize the training set of the neural collaborative filtering model,

y_uirespectively representing the predicted click probability and the real label of the recommendation model;

the objective of the member inference attack model is to maximize the empirical benefit, i.e., to calculate the supervision loss of the member inference attack model using cross entropy loss for modeling the statistical difference between the predicted distribution and the true distribution, wherein the empirical benefit is expressed as follows:

after the terms are combined, the unified min-max countermeasure objective function is refined into the following mathematical form:

wherein, according to 4: 1 to construct training set required by neural collaborative filtering model

And reference set required by member reasoning model

The training set is used for training the recommendation model and optimizing a positive sample of the member reasoning attack model, the reference set does not participate in the training of the recommendation system but is used as a negative sample of the member reasoning model optimization, the training set is used as a positive sample in the reference set,

and performing iterative countermeasure training on the neural collaborative filtering joint recommendation model with the member inference regular term by using the training set and the reference set.

7. The method of claim 6, wherein the neural collaborative filtering joint recommendation model with the member inference regularization term performs iterative confrontation training as follows:

randomly initializing neural collaborative filtering recommendation model parameters P, Q, theta_R(ii) a Random initialization member reasoning model parameter theta_MAnd entering an iterative training process: fixing algorithm parameters P, Q, theta of recommendation model_RCalculating target revenue for Θ_MUpdating the parameter matrix theta by using a gradient ascent algorithm_M(ii) a Algorithm parameters theta of fixed member inference model_MCalculating target losses with respect to P, Q, theta, respectively_RRespectively updating the parameter matrixes P, Q and theta by using a gradient descent algorithm_R(ii) a Repeating the steps, and continuously and alternately updating the parameters P, Q and theta_R，Θ_MUntil a convergence condition is satisfied;

through the algorithm, the balance point of the minimum and maximum game problem is found, and the robust personalized recommendation system with member privacy protection capability is obtained.

8. The method of claim 7, wherein the convergence condition comprises that the objective function value is less than a predetermined threshold or the number of iterations reaches a certain level.

Images