CN114091690A - Method for training federated learning model, method for calling federated learning model and federated learning system - Google Patents
- Publication number
- CN114091690A, CN202111411921.3A
- Authority
- CN
- China
- Prior art keywords
- training data
- training
- participant
- learning model
- model
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N20/00—Machine learning
- G06N20/20—Ensemble learning
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/10—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
- G06F21/16—Program or content traceability, e.g. by watermarking
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/602—Providing cryptographic facilities or services
Abstract
Embodiments of this specification provide a method for training a federated learning model, a method for calling the federated learning model, and a federated learning system. The training method comprises the following steps: obtaining, by each of a plurality of participants, a watermarked training data set for the participant, wherein the watermarked training data set includes watermarked training data having a watermark label, and training based on the watermarked training data set to generate a local model of the participant; and aggregating the local models of the plurality of participants to produce a federated learning model.
Description
Technical Field
The embodiments of this specification belong to the technical field of machine learning, and in particular relate to a method for training a federated learning model, a method for calling the federated learning model, and a federated learning system.
Background
In recent years, research into federated learning has received increasing attention. Federated learning is a machine learning framework in which the data used to train models can be provided by multiple participants, and modeling can be performed jointly without sharing the data of different participants, thereby enabling more efficient use of data while meeting requirements for user privacy protection, data security, government regulations, and the like. It will be appreciated that the data of each participant has significant value, and it is also important that the value of the data be better mined, circulated and evaluated. Therefore, there is a need for an efficient solution to better realize and protect the value of data and models.
Disclosure of Invention
The invention aims to provide a method for training and calling a federated learning model and a federated learning system, so as to better realize and protect the value of data and the model.
According to a first aspect of one or more embodiments of the present specification, there is provided a method for training a federated learning model, wherein training data for training the federated learning model is provided by a plurality of participants, the method comprising:
performing, by each participant in the plurality of participants, the following steps local to the participant:
acquiring a watermarked training data set of the participant, wherein the watermarked training data set comprises watermarked training data with a watermark label; and
training based on the watermarked training data set to generate a local model of the participant; and
aggregating the local models of the plurality of participants to produce the federated learning model.
According to a second aspect of one or more embodiments of the present specification, there is provided a method for invoking a federated learning model, where the federated learning model is configured to be capable of performing watermarking verification that identifies whether data to be verified is watermark verification data with a watermark label, the method for invoking the federated learning model including:
obtaining, by a sharing platform, calling request information from a caller;
performing, by the sharing platform, watermarking verification on data to be verified by using the federated learning model according to the calling request information; and
when the sharing platform determines that the number of pieces of watermark verification data with the watermark label in the data to be verified is greater than or equal to a preset verification number, determining that the data to be verified passes watermarking verification, and allocating the calling authority of the federated learning model to the caller so that the caller can call the federated learning model.
According to a third aspect of one or more embodiments herein, there is provided a federated learning system comprising a shared platform comprising:
a first communication unit configured to acquire call request information from a caller;
a verification unit configured to perform watermarking verification on data to be verified by using the federated learning model according to the calling request information, and further configured to determine that the data to be verified passes watermarking verification when the number of pieces of watermark verification data with watermark labels in the data to be verified is greater than or equal to a preset verification number, wherein the federated learning model is configured to be capable of executing watermarking verification, and the watermarking verification identifies whether the data to be verified is watermark verification data with a watermark label;
an allocation unit configured to allocate a calling authority of the federated learning model to the caller; and
a model execution unit configured to execute the federated learning model to enable invocation of the federated learning model by the caller.
According to a fourth aspect of one or more embodiments of the present specification, there is provided a non-transitory computer readable storage medium having stored thereon computer instructions which, when executed by a processor, implement the training method as described above or the steps of the calling method as described above.
According to a fifth aspect of one or more embodiments of the present description, there is provided a computer program product comprising computer instructions which, when executed by a processor, implement the training method as described above or the steps of the calling method as described above.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present disclosure, the drawings needed in the description of the embodiments are briefly introduced below. The drawings in the following description show only some of the embodiments described in the present disclosure, and a person skilled in the art can obtain other drawings based on these drawings without inventive effort.
FIG. 1 is an architecture diagram of a federated learning system in one embodiment of the present description;
FIG. 2 is an architecture diagram of a federated learning system in another embodiment of the present description;
FIG. 3 is a flow diagram of a method for training a federated learning model in one embodiment of the present description;
FIG. 4 is a flowchart of step S110 in the method for training the federated learning model in one embodiment of the present description;
FIG. 5 is a flow diagram of aggregating local models of multiple participants based on a horizontal federated learning algorithm in one embodiment of the present description;
FIG. 6 is a flow diagram of aggregating local models of multiple participants based on a horizontal federated learning algorithm in another embodiment of the present description;
FIG. 7 is a flow chart of a method of training a federated learning model in another embodiment of the present description;
FIG. 8 is a flow diagram of a method for invoking a federated learning model in one embodiment of the present description;
FIG. 9 is a flowchart of step S730 of the method for invoking the federated learning model in one embodiment of the present description;
FIG. 10 is a flowchart of step S730 of a method for invoking the federated learning model in another embodiment of the present description.
Detailed Description
In order to make those skilled in the art better understand the technical solutions in the present specification, the technical solutions in the embodiments of the present specification will be clearly and completely described below with reference to the drawings in the embodiments of the present specification, and it is obvious that the described embodiments are only a part of the embodiments of the present specification, and not all of the embodiments. All other embodiments obtained by a person skilled in the art based on the embodiments in the present specification without any inventive step should fall within the scope of protection of the present specification.
In order to solve the problems of mining, circulation and evaluation of data value in federated learning, one or more embodiments of the present specification propose a method for training a federated learning model, a method for calling the federated learning model, a federated learning system, a non-transitory computer-readable storage medium and a computer program product, so as to better protect the value of data and models.
FIGS. 1 and 2 show architecture diagrams of the federated learning system. The federated learning system may include a shared platform 910 and one or more participant devices 920 disposed locally to each of a plurality of participants in a one-to-one correspondence.
In some embodiments, the shared platform 910 may include a verifiable computing engine (MYTF), which may utilize techniques such as a Trusted Execution Environment (TEE) and a WebAssembly (WASM) virtual machine, allowing verifiable computing tasks (e.g., verifiable applications or Trusted Applications (TAPP)) to be performed in the TEE while anyone may prove that the computing task was performed in the TEE as intended by the user.
The TEE may be a secure trusted area in the processor that ensures the security, confidentiality, and integrity of code and data placed therein. The TEE provides an isolated execution environment in which code and data can run, and ensures that the computation is not interfered with by a conventional operating system while it runs, so that the confidentiality and integrity of the code and the data are ensured. A program executed in the TEE may be referred to as an Enclave. Before a user uses an Enclave program, the code and data of the Enclave program are measured and remotely verified to confirm that the Enclave program is the program that the user expects to be executed.
The WASM virtual machine is a stack-structured virtual machine based on binary operation instructions. The WASM code can be compiled into machine code and loaded into the WASM virtual machine for execution.
The TAPP is an application implemented using Verifiable Computing technology, and can run in MYTF, for example, in a WASM virtual machine. Specifically, anyone can perform a computation task by uploading WASM bytecode into the MYTF and calling that bytecode, and obtain the computation result.
A respective participant device 920 may be provided locally at each participant. The participant devices 920 may be used to conduct local training of the data of the respective participants to obtain a local model of the participant.
Further, shared platform 910 or one of the participant devices 920 may obtain the encrypted local models (local encryption models) of all participants and securely aggregate the ciphertexts of these local encryption models to produce an aggregated encryption model. Thereafter, the resulting aggregated encryption model may be stored locally on each of the participant devices 920, which completes the training of the federated learning model.
When the federated learning model is called, the sharing platform 910 may be used to perform watermarking verification on the caller, and after the watermarking verification is passed, the sharing platform 910 decrypts the received aggregated encryption model, so as to generate the federated learning model, and the federated learning model is operated in the sharing platform 910 based on the allocated calling authority, so as to provide corresponding service for the caller.
In some embodiments, the federated learning system may also include a blockchain 930 having one or more nodes 931. The blockchain 930 is a novel application mode of computer technologies such as distributed data storage, point-to-point transmission, consensus mechanisms, encryption algorithms, and the like. In a blockchain system, data blocks can be combined into a chained data structure by connecting them sequentially in time order, and cryptography guarantees a distributed ledger that cannot be tampered with or forged. In one or more embodiments of the present disclosure, at least some information related to the training, invocation, etc. of the federated learning model may be recorded in corresponding nodes 931 of blockchain 930 to provide highly reliable credential information for the circulation and evaluation of data value, the distribution of corresponding revenue, and the like.
As shown in FIG. 3, in an embodiment of the present specification, a method for training a federated learning model is provided, in which training data for training the federated learning model can be provided by a plurality of participants. The training method may comprise performing the following steps by each participant of a plurality of participants locally to the participant, respectively:
step S110, a watermarking training data set of the participant is obtained, wherein the watermarking training data set includes watermarking training data with a watermark label.
In some embodiments, the watermarked training data set may be obtained directly from the participant. Alternatively, in some embodiments, the original training data set provided by the participant may also be watermarked to produce a corresponding watermarked training data set.
As shown in fig. 4, in some embodiments, step S110 may include:
step S111, extracting a second training data set from a first training data set provided by a participant, wherein the second training data set is a non-true subset of the first training data set;
step S113, generating a third training data set according to the second training data set, wherein the feature portion of each piece of training data in the third training data set is generated by performing watermarking processing on the feature portion of the corresponding piece of training data in the second training data set, and the label portion of each piece of training data in the third training data set is generated by modifying the label portion of the corresponding piece of training data in the second training data set into a watermark label; and
step S115, merging the third training data set and at least a portion of the first training data set into the watermarked training data set of the participant.
In particular, the first training data set may include a plurality of pieces of training data, each of which may include a feature portion and a corresponding label portion. The feature part of the training data can be used as the input of the trained model, corresponding output can be generated after the model performs a series of calculations on the input, and the label part of the training data can be used for comparing with the output generated by the model based on the corresponding feature part, so that the related parameters in the trained model are adjusted according to the comparison result until the model reaches the preset accuracy.
The second training data set extracted from the first training data set may be watermarked to produce a third training data set. In some embodiments, the second training data set may be randomly extracted from the first training data set. Alternatively, in some embodiments, the second training data set may be extracted according to a preset extraction rule.
Further, watermarking the feature portion of each piece of training data in the second training data set to generate the feature portion of the corresponding training data in the third training data set may include:
superimposing noise on the feature portion of the training data in the second training data set, and taking the superimposed result as the feature portion of the corresponding training data in the third training data set.
The dimensionality of the noise, of the feature portion of the training data in the second training data set, and of the feature portion of the training data in the third training data set are equal to one another to facilitate superposition. For example, if the feature portion of a piece of training data in the second training data set of a participant is denoted $A_2 = (a_{x2}, a_{y2}, a_{z2})$ and the noise superimposed on it is denoted $N = (n_x, n_y, n_z)$, then the feature portion of the corresponding training data in the third training data set is $A_3 = (a_{x3}, a_{y3}, a_{z3}) = (a_{x2} + n_x, a_{y2} + n_y, a_{z2} + n_z)$, i.e., $a_{x3} = a_{x2} + n_x$, $a_{y3} = a_{y2} + n_y$, and $a_{z3} = a_{z2} + n_z$. It should be noted that, according to actual requirements, the noise superimposed on the feature portions of the different pieces of training data may be all the same, partially the same, or all different, and is not limited herein.
In some embodiments, the noise may include noise generated from non-training data. Alternatively, the noise may include noise generated by an image adversarial-example algorithm such as the fast gradient sign method (FGSM). Alternatively, the noise may include Gaussian noise or the like, where Gaussian noise refers to noise that is randomly generated and whose values follow a Gaussian distribution, and the mean of the Gaussian noise may be zero.
In addition, the label portion of each piece of training data in the second training data set may be uniformly modified to a watermark label, which serves as the label portion of the corresponding piece of training data in the third training data set. If the federated learning model is a classification model, the watermark label can be set to a label corresponding to a watermark class, namely a new class label different from the existing class labels in the un-watermarked model; if the federated learning model is a regression model, the watermark label may be set to the label corresponding to the minimum or maximum output value of the federated learning model, to distinguish it from the numerical results that the un-watermarked model may output.
The feature portions of the training data in a participant's third training data set, which result from the watermarking process, may be used as that participant's watermark verification data. As described in detail later, during the authentication or voting process prior to model invocation, participants may use the watermark verification data to verify their legitimate identity or as a vote to grant other callers' invocation requests. Thus, in order to match the verification or voting authority of each participant with the amount of data that it contributes during model training, the ratio of the number of training data in the second training data set (which equals the number of training data in the third training data set) to the number of training data in the first training data set may be the same for every participant. That is, an equal proportion of the training data provided by each participant can be extracted for watermarking, so that in the verification or voting process described later, a participant who provides more training data can have more verification or voting rights than others.
In some embodiments, the ratio of the number of training data in the second training data set of each participant to the number of training data in the first training data set of that participant may be determined by a plurality of participants through a common negotiation. For example, the above ratio may be in the range from 5% to 20%. In a specific example, the above ratio may be 10%.
In merging the third training data set with at least a portion of the first training data set into a watermarked training data set, in some embodiments, to maximize the preservation of training data provided by each participant for training of the model, the third training data set of a participant may be merged with the complete first training data set provided by it, thereby generating the watermarked training data set. Alternatively, in some embodiments, the third training data set and a part of the first training data set may be combined into the watermarked training data set, in order to avoid too large a watermarked training data set resulting in increased training cost, reduced training efficiency, and the like.
Returning to fig. 3, each participant in the plurality of participants also performs the following steps locally at that participant:
step S130, training is performed based on the watermarked training data set to generate a local model of the participant.
In the training process of the model, the linear/nonlinear model can be fitted through the distribution or the label of the data, so that the effect of approximating the true value is achieved. In addition, after training is finished, the same data can be predicted based on the obtained linear/nonlinear model, so that a corresponding prediction result is obtained, and the prediction process can be used for identity verification of the participant, which is described later. The watermark verification data can be identified based on the local model trained by the watermarking training data set, that is, when the watermark verification data is input into the local model, the local model outputs a watermark label for verification or voting in subsequent model calls.
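Steps S111 to S130 and the threshold check used later at call time can be traced end to end in the following added example, which is not part of the patent text. The nearest-centroid classifier, the fixed noise vector `NOISE`, the class layout and all function names are assumptions chosen so the sketch runs with the standard library only; the data is constructed.

```python
import random

WATERMARK_LABEL = 2          # new class, distinct from the task labels 0 and 1
NOISE = (6.0, -6.0, 6.0)     # constructed noise vector N, reused for every piece


def make_first_set(rng, n):
    """Constructed first training data set: two separable 3-D classes."""
    centers = {0: (0.0, 0.0, 0.0), 1: (4.0, 4.0, 4.0)}
    data = []
    for i in range(n):
        label = i % 2
        feat = tuple(c + rng.gauss(0, 0.5) for c in centers[label])
        data.append((feat, label))
    return data


def watermark(first_set, rng, ratio=0.10, noise=NOISE):
    """Return (watermarked training set, watermark verification data)."""
    k = max(1, round(len(first_set) * ratio))
    second = rng.sample(first_set, k)                       # S111: extract subset
    third = [(tuple(a + n for a, n in zip(feat, noise)),    # S113: A3 = A2 + N
              WATERMARK_LABEL)                              #       label -> watermark
             for feat, _ in second]
    merged = first_set + third                              # S115: merge
    return merged, [feat for feat, _ in third]


def train(dataset):
    """S130 stand-in: a nearest-centroid classifier as the local model."""
    sums, counts = {}, {}
    for feat, label in dataset:
        acc = sums.setdefault(label, [0.0] * len(feat))
        for i, value in enumerate(feat):
            acc[i] += value
        counts[label] = counts.get(label, 0) + 1
    return {lab: tuple(v / counts[lab] for v in acc) for lab, acc in sums.items()}


def predict(model, feat):
    """Return the label whose centroid is closest to feat."""
    return min(model, key=lambda lab: sum((a - b) ** 2
                                          for a, b in zip(feat, model[lab])))


def passes_verification(model, candidates, preset_number):
    """Pass when at least preset_number candidates get the watermark label."""
    hits = sum(1 for feat in candidates if predict(model, feat) == WATERMARK_LABEL)
    return hits >= preset_number, hits


if __name__ == "__main__":
    rng = random.Random(7)
    first = make_first_set(rng, 100)
    dataset, verification_data = watermark(first, rng)
    model = train(dataset)
    print("holder of verification data:",
          passes_verification(model, verification_data, preset_number=8))
    clean = [feat for feat, _ in first[:10]]
    print("caller with ordinary data:  ",
          passes_verification(model, clean, preset_number=8))
```

Because the extraction ratio is the same for every participant, a participant contributing 300 samples ends up with three times as many verification items as one contributing 100.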
Further, as shown in fig. 3, the training method may further include:
step S300, aggregating the local models of the multiple participants to generate a federated learning model.
Federated learning is a machine learning paradigm proposed by a Google research team in 2016. It is deployed to comply with data security laws and may be a form of distributed machine learning. In federated learning, an aggregated model equivalent to one trained on the full data is generated by training on local data and then performing secure aggregation in ciphertext. Federated learning may include horizontal federated learning, vertical federated learning, and federated transfer learning.
In some embodiments, the local models of multiple participants may be aggregated based on a horizontal federated learning algorithm. In particular, in horizontal federated learning, the features of the training data may coincide completely, while the samples are substantially independently distributed and do not coincide with each other. Thus, the modeling effectiveness of horizontal federated learning depends largely on the sample size (the number of data in the training data set) of each participant.
As shown in FIG. 5, in an embodiment, aggregating local models of multiple participants based on a horizontal federated learning algorithm may include:
step S311, selecting one participant from the plurality of participants as an aggregator;
step S313, each participant in the plurality of participants encrypts its local model with its public key respectively to generate a local encryption model of the participant;
step S315, all other participants in the plurality of participants who are not the aggregator respectively transmit the local encryption models to the aggregator;
step S317, the aggregator aggregates all local encryption models of the multiple participants to generate and store an aggregated encryption model as an encrypted federated learning model; and
step S319, the aggregator returns the aggregated encryption model to all other participants in the multiple participants, so that all other participants can store the aggregated encryption model locally.
Wherein the ciphertext aggregation of the local models of the plurality of participants may be performed by one of the participants. For security reasons, participants that are aggregators may be randomly selected. And each other participant does not directly transmit the local model to the aggregator, but transmits the encrypted local encryption model to the aggregator, and then the aggregator performs aggregation processing. After the aggregation process, each participant may obtain the aggregated cryptographic model in an encrypted state from the aggregator. The aggregation process can well guarantee the safety of data and models and avoid leakage.
As shown in FIG. 6, in another embodiment, aggregating local models of multiple participants based on a horizontal federated learning algorithm may include:
step S331, each participant in the plurality of participants encrypts the local model thereof by using the public key thereof respectively to generate the local encryption model of the participant;
step S333, each participant in the multiple participants transmits the local encryption model to the sharing platform;
step S335, the sharing platform aggregates all local encryption models of a plurality of participants to generate an aggregated encryption model as an encrypted federated learning model; and
step S337, the sharing platform returns the aggregated encryption model to each of the multiple participants, so that each participant stores the aggregated encryption model locally.
Wherein the aggregation of the plurality of local models may also be performed by the shared platform. In order to ensure the safety, each participant does not directly transmit the local model to the sharing platform, but transmits the encrypted local encryption model, then the sharing platform performs the ciphertext aggregation processing of a plurality of local encryption models, and then the generated aggregation encryption model in the encryption state is respectively returned to each participant.
In some embodiments, the public key used for encryption and the private key used for decryption may be generated by a shared platform. Furthermore, to improve security, the matching public and private keys assigned to multiple participants may be different from each other, i.e., one participant does not know the information of the public and private keys of the other participants. In some embodiments, the sharing platform may distribute the generated public keys to the corresponding participants respectively, so that the participants can encrypt the local models of the participants by using the public keys. In addition, a private key that matches the public key that can be used to decrypt the aggregate cryptographic model can be stored in the shared platform. Therefore, when the federated learning model needs to be used, the received aggregation encryption model can be decrypted by using the stored private key in the shared platform to obtain the federated learning model, and the federated learning model is operated in the shared platform, so that a certain participant or caller is prevented from directly contacting the federated learning model, and the security of the federated learning model is better ensured.
In some embodiments, the matching public and private keys for each participant may be generated based on a homomorphic encryption algorithm. Homomorphic encryption algorithms are a class of encryption algorithms with a special property: processing homomorphically encrypted data and then decrypting the output gives the same result as processing the unencrypted original data in the same way. That is, homomorphic encryption supports not only basic encryption operations but also computation between ciphertexts, i.e., computing first and then decrypting is equivalent to decrypting first and then computing. In this way, during the training process of the federated learning model, although the local models are encrypted before aggregation and the aggregated encryption model is decrypted afterwards, the correct federated learning model can still be obtained.
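The property described above can be seen with an additively homomorphic scheme. The following is an added example, not code from the patent: a toy textbook Paillier cipher in which an aggregator multiplies ciphertexts of fixed-point model weights and only the private-key holder recovers the averaged model. It assumes one key pair issued to all participants (ciphertexts in this scheme only combine under the same key), toy-sized primes, and hypothetical names (`keygen`, `encrypt_model`, `aggregate`, `SCALE`).

```python
import math
import secrets

# Toy parameters (constructed): two Mersenne primes, far too small for real use.
P, Q = 2**61 - 1, 2**89 - 1
SCALE = 10**6  # fixed-point scale for model weights (assumption)


def keygen(p=P, q=Q):
    """Return (public modulus n, private key (lam, mu)) for g = n + 1."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    mu = pow(lam, -1, n)  # inverse of lam mod n, valid because g = n + 1
    return n, (lam, mu)


def encrypt(n, m):
    """Encrypt integer m (negatives are mapped into Z_n) with fresh randomness."""
    n2 = n * n
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            break
    return (1 + (m % n) * n) % n2 * pow(r, n, n2) % n2


def decrypt(n, priv, c):
    """Decrypt c and map the upper half of Z_n back to negative integers."""
    lam, mu = priv
    u = pow(c, lam, n * n)
    m = (u - 1) // n * mu % n
    return m - n if m > n // 2 else m


def encrypt_model(n, weights):
    """Participant side: encode each weight as a fixed-point integer, then encrypt."""
    return [encrypt(n, round(w * SCALE)) for w in weights]


def aggregate(n, encrypted_models):
    """Aggregator side: multiplying ciphertexts adds the plaintexts underneath."""
    n2 = n * n
    agg = [1] * len(encrypted_models[0])  # 1 is a valid encryption of 0
    for model in encrypted_models:
        agg = [a * c % n2 for a, c in zip(agg, model)]
    return agg


def decrypt_average(n, priv, agg, participants):
    """Key-holder side: decrypt the sums and divide by the participant count."""
    return [decrypt(n, priv, c) / SCALE / participants for c in agg]


# Constructed local models for three participants (four weights each).
LOCAL_MODELS = [
    [0.25, -1.5, 0.125, 2.0],
    [0.75, 0.5, -0.375, 1.0],
    [-0.5, 1.0, 0.25, 3.0],
]


def demo():
    n, priv = keygen()
    encrypted = [encrypt_model(n, w) for w in LOCAL_MODELS]
    agg = aggregate(n, encrypted)  # the aggregator never sees a plaintext weight
    decrypted = decrypt_average(n, priv, agg, len(LOCAL_MODELS))
    plain = [sum(col) / len(LOCAL_MODELS) for col in zip(*LOCAL_MODELS)]
    return plain, decrypted


if __name__ == "__main__":
    plain_avg, decrypted_avg = demo()
    print("plaintext average :", plain_avg)
    print("decrypted average :", decrypted_avg)
```

The sum of the encoded weights must stay below n/2 in absolute value, otherwise the signed decoding wraps around.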
Further, as shown in fig. 7, in an embodiment of the present specification, the training method may further include:
step S500, the sharing platform tests and records the watermark identification accuracy of the federated learning model on watermark test data with watermark labels.
Specifically, the shared platform may individually test and record the watermark identification accuracy of the federal learning model based on the watermark test data, and the watermark identification accuracy may be used in a calling method of the federal learning model described later. In some embodiments, the watermark test data may comprise characteristic portions of training data in the third training data set of the respective participant.
In the method for training the federal learning model provided in one or more embodiments of the present specification, the federal learning model is trained based on a watermarking training data set with a watermark tag, so that the federal learning model capable of identifying watermark verification data is obtained, which provides a basis for mining, circulation and evaluation of the value of data, and is helpful for better realizing and protecting the values of data and model.
In addition, one or more embodiments of the present specification further provide a method for invoking the federal learning model, where the federal learning model may be configured to be capable of performing watermarking verification, and the watermarking verification may identify whether data to be verified is watermark verification data with a watermark label. As described above, the watermark verification data may be a characteristic portion of the corresponding watermark training data. Alternatively, the watermark verification data may be data obtained in other ways, for example by performing some conversion calculations on the characteristic parts of the watermark training data. In some embodiments, the method of training of the federated learning model described above may be employed to train the generation of such a federated learning model. Alternatively, other ways may be employed to obtain such a federated learning model.
As shown in fig. 8, in an embodiment of the present specification, a method for invoking the federal learning model may include:
step S710, obtaining the calling request information from the caller by the sharing platform;
step S730, the sharing platform performs watermarking verification on data to be verified by using a federated learning model according to the calling request information; and
step S750, when the sharing platform determines that the number of the watermark verification data with the watermark labels in the data to be verified is greater than or equal to the preset verification number, determining that the watermark verification is passed, and distributing the calling authority of the federated learning model to the caller so that the caller can call the federated learning model.
The invocation request information may include first invocation request information and second invocation request information, wherein the first invocation request information is used for indicating an invocation request of the federated learning model with a participant identity, and the second invocation request information is used for indicating an invocation request of the federated learning model with a non-participant identity.
In an embodiment, as shown in fig. 9, when the invocation request information is the first invocation request information, the watermarking verification of the data to be verified by the shared platform according to the invocation request information by using the federal learning model may include:
step S731, the sharing platform obtains the aggregation encryption model and the data to be verified from the caller;
step S733, the sharing platform decrypts the aggregation encryption model by using a private key to obtain a federated learning model; and
in step S735, the sharing platform inputs each piece of data in the to-be-verified data into the federal learning model, so as to determine whether the data is watermark verification data with a watermark label.
That is, when a call request is initiated with the participant identity, a certain call authority to the federal learning model can be obtained as long as the caller can verify the participant identity. For authentication, the participant uploads the aggregated cryptographic model stored locally to the participant and the data to be authenticated provided by the participant, which may be characteristic portions of at least a portion of the training data in the participant's third training data set, to the shared platform.
In some embodiments, the number of data to be verified may be determined by multiple participant negotiations. For example, the number of data to be verified may be at least half of the number of watermark training data of the participant among the plurality of participants who provides the smallest watermarked training data set, or may be at least half of the number of watermark training data of the participant who issued the first invocation request information, or the like.
In some embodiments, when the caller is a participant of the model, the caller may pass signature verification through a blockchain node in order to invoke the federated learning model based on the assigned invocation rights. The call-related information can therefore be recorded on the blockchain, which facilitates later inspection and improves the security of the model. In addition, the federated learning model may run in the shared platform, and the caller may transmit data to be analyzed to the shared platform and receive from the shared platform the results that the federated learning model outputs based on the data to be analyzed. The caller therefore never directly contacts the federated learning model in plaintext form, and the security of the model can be well guaranteed. Furthermore, as described above, the shared platform may be based on MYTF technology, so that the caller may also confirm that the call to the federated learning model is made in its expected manner, ensuring the reliability of the output result.
In another embodiment, as shown in fig. 10, when the invocation request information is the second invocation request information, the watermarking verification of the data to be verified by the shared platform by using the federal learning model according to the invocation request information may include:
step S732, broadcasting the second call request information to a plurality of participants by the sharing platform;
step S734, when the sharing platform obtains the aggregation encryption model from at least one of the multiple participants, decrypting the aggregation encryption model by using the private key to obtain a federal learning model;
in step S736, when the sharing platform obtains the to-be-verified data from at least some of the multiple participants, each piece of data in the to-be-verified data is respectively input into the federal learning model, so as to determine whether the data is watermark verification data with a watermark label.
That is, when a call request is initiated with a non-participant identity, the participants of the federated learning model are required to vote with their watermark verification data to verify whether the caller's call is approved. The caller may agree to vote for verification by a participant through purchase or the like. In particular, the shared platform may broadcast the second invocation request information to all participants. If the participant agrees to the call, their watermark verification data may be uploaded to the shared platform for voting verification, otherwise their watermark verification data may not be uploaded. When watermark verification data greater than or equal to the preset verification number is identified, the call may be considered to have been agreed by the participant, and thus the caller may call the federal learning model.
In some embodiments, the shared platform may obtain the aggregate encryption model from any one or more of the multiple participants. To avoid the resource consumption caused by repeated uploading of the aggregate encryption model, once the sharing platform has acquired a usable aggregate encryption model from any participant, it can also send a signal to the other participants so that they do not upload the aggregate encryption model again. Alternatively, in some embodiments, the shared platform may obtain the aggregate encryption model only from the participant, among the plurality of participants, that provided the largest watermarked training data set. Thus, the call can continue only if the participant that provided the most training data approves it; if that participant does not approve the caller's call, the call cannot proceed. In other words, the participant that provided the most training data has greater rights in deciding whether to approve the call.
In some embodiments, the number of data to be verified may be a common negotiation decision for multiple participants. For example, the number of data to be verified may be at least half of the total number of watermarked training data in the watermarked training data sets of the plurality of participants.
In some embodiments, when the invocation request message is a second invocation request message, the invocation of the federated learning model by the caller may include:
the sharing platform acquires an aggregation encryption model from at least one participant in the multiple participants, and decrypts the aggregation encryption model by using a private key to acquire a federal learning model;
the caller invokes a federated learning model based on the assigned invocation permissions, wherein the federated learning model runs in the shared platform.
In some embodiments, the shared platform may obtain the aggregate cryptographic model from any one or more of the multiple participants. In order to avoid resource occupation caused by repeated uploading of the aggregate encryption model, once the sharing platform acquires an available aggregate encryption model from any participant, the sharing platform can also send a signal to other participants to avoid repeated uploading of the aggregate encryption model by other participants. Alternatively, in some embodiments, the shared platform may also obtain the aggregate encryption model from the participant of the plurality of participants who provided the largest watermarked training data set.
Decryption of the aggregated encryption model and execution of the generated federated learning model may both be performed in the shared platform, and the caller may upload data to be analyzed to the shared platform and receive from the shared platform an output of the federated learning model based on the data to be analyzed. Therefore, neither the caller nor the participant can directly contact the federal learning model, and the security of federal learning is better guaranteed. Furthermore, as described above, the shared platform may be based on MYTF technology, so that the caller may also confirm that the call to the federal learning model is made in its expected manner, ensuring the reliability of the output result.
In some embodiments, the preset verification number may be determined based at least on the watermark identification accuracy of the federated learning model. For example, if the participants agree that at each verification one or more participants must provide at least 100 pieces of watermark verification data for the verification to pass, and the tested watermark identification accuracy of the federated learning model is 95%, the preset verification number may be set to 100 × 95% = 95; that is, the watermarking verification is passed when the federated learning model determines that at least 95 pieces of watermark verification data with watermark labels exist in the data to be verified.
In some embodiments, the shared platform may employ smart contracts on the blockchain for watermarking verification. A smart contract is a computer protocol intended to propagate, verify or execute contracts digitally; it allows trusted transactions to be conducted without third parties, and these transactions are traceable and irreversible, which increases the reliability and security of the verification. In some embodiments, the smart contract may count the watermark verification data having the watermark label, and when the count reaches the preset verification number, that is, when it is determined that the watermark verification is passed, the next invoking operation may be performed.
In some embodiments, invocation permissions may be limited in order to avoid possible attack risks from frequent invocations of the federated learning system by malicious callers, and/or to help enable customizable transactions to the invocation permissions. For example, the invocation authority may be an authority to invoke the federated learning model a preset number of times within a preset time period after passing the watermarking verification. It will be appreciated that the invocation rights may take other specific forms. If the calling of the federal learning model exceeds the calling authority, the caller who initiates the calling with the participant identity can acquire the new calling authority by verifying the identity again, and the caller who initiates the calling with the non-participant identity can acquire the new calling authority by purchasing again to enable the participant to perform voting verification for the caller. It is understood that the caller may obtain the new call authority by other convention ways, which is not limited herein.
In some embodiments, the calling method may further include:
recording the model calling information on the blockchain after the watermarking verification is passed.
Specifically, the model call information may be recorded on the blockchain immediately after the watermarking verification is passed, or after the call is completed. The model call information may include identity information of the caller, call time information, call number information, and the like. In addition, in order to save storage space in the nodes of the blockchain, data generated in the calling process can be hashed and then stored on the chain.
In some embodiments, the calling method may further include:
when the sharing platform determines that the number of the watermark verification data with the watermark labels in the data to be verified is less than the preset verification number, determining that the watermark verification has failed, and recording the calling request information.
By recording the calling request information which does not pass the watermarking verification, the identity and the like of the caller can be conveniently checked, potential risks can be discovered in time, and the safety of data and a model is protected.
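The verification gate described above (preset verification number, time- and count-limited call authority, hashed call records, logging of failed requests) can be sketched as follows. This is an added example, not code from the patent: `stub_is_watermarked` stands in for the federated model's watermark classifier, the in-memory `audit` list stands in for on-chain records, and counting only distinct samples is an added hardening assumption so that one replayed sample cannot reach the threshold. All names and sample data are constructed.

```python
import hashlib
import time
from dataclasses import dataclass


def preset_verification_number(required_samples, watermark_accuracy):
    """100 samples at 95% tested accuracy gives 95 (rounding is an assumption)."""
    return round(required_samples * watermark_accuracy)


def stub_is_watermarked(sample: bytes) -> bool:
    """Stand-in for the model's watermark output (constructed rule)."""
    return sample.startswith(b"WM:")


@dataclass
class Grant:
    caller: str
    calls_left: int
    expires_at: float


class WatermarkGate:
    def __init__(self, is_watermarked, threshold, max_calls, ttl_seconds,
                 clock=time.time):
        self.is_watermarked = is_watermarked
        self.threshold = threshold
        self.max_calls = max_calls
        self.ttl = ttl_seconds
        self.clock = clock
        self.grants = {}
        self.audit = []  # stand-in for records written to the blockchain

    def verify(self, caller, samples):
        """Count distinct watermarked samples; issue a limited grant on success."""
        digest = hashlib.sha256()
        seen, hits = set(), 0
        for s in samples:
            h = hashlib.sha256(s).digest()
            digest.update(h)
            if h in seen:
                continue  # a replayed sample is counted once
            seen.add(h)
            hits += bool(self.is_watermarked(s))
        passed = hits >= self.threshold
        # Only a hash of the submitted data is kept, as in the storage-saving note.
        self.audit.append({"caller": caller, "time": self.clock(), "hits": hits,
                           "passed": passed, "data_sha256": digest.hexdigest()})
        if not passed:
            return None
        grant = Grant(caller, self.max_calls, self.clock() + self.ttl)
        self.grants[caller] = grant
        return grant

    def invoke(self, caller, model, x):
        """Run the model inside the platform; the caller only sees the output."""
        g = self.grants.get(caller)
        if g is None or g.calls_left <= 0 or self.clock() >= g.expires_at:
            self.grants.pop(caller, None)
            raise PermissionError("call authority missing, exhausted or expired")
        g.calls_left -= 1
        return model(x)


def make_samples(marked, plain):
    """Constructed data to be verified: `marked` watermark samples, `plain` others."""
    return ([b"WM:%d" % i for i in range(marked)]
            + [b"plain:%d" % i for i in range(plain)])


if __name__ == "__main__":
    gate = WatermarkGate(stub_is_watermarked,
                         preset_verification_number(100, 0.95),
                         max_calls=2, ttl_seconds=60)
    print(gate.verify("caller-A", make_samples(94, 6)))   # None: below threshold
    print(gate.verify("caller-A", make_samples(96, 4)))   # Grant with 2 calls
    print(gate.invoke("caller-A", lambda x: x * 2, 21))   # 42
```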
In some embodiments, to better distribute the benefits of the data and model, during the training of the federated learning model, the training information for each of the multiple participants may be saved on the blockchain after each training is completed. The training information of a participant may include, among other things, the participant's corresponding blockchain node identification information (e.g., node ID), the fields of the model involved, and so on. In addition, in order to save storage space on the blockchain, the participant's blockchain node identification information (for example, node ID), the fields of the model involved, and other information may be hashed and then stored on the blockchain.
Accordingly, the calling method may further include:
after the watermarking verification is passed, distributing corresponding benefits to each participant according to the model training information of each participant recorded on the blockchain.
Based on the method for calling the federated learning model, the caller can call the federated learning model. In the calling process, the caller does not directly contact the federal learning model, so that the safety of data and the model is well guaranteed. In addition, the calling method in one or more embodiments of the present specification well solves the problem that a plaintext model as an important data asset cannot be freely circulated, so that other callers besides the participant can also call the federal learning model, thereby better mining the value of the data and the model, and contributing to the participant to obtain more profits on the premise of ensuring the data security.
One or more embodiments of the present specification further provide a federal learning system, as shown in fig. 1 and 2, where the federal learning system may include a shared platform 910, and the shared platform 910 may include:
a first communication unit 911, which may be configured to acquire call request information from a caller;
the verification unit 912 may be configured to perform watermarking verification on the data to be verified by using a federal learning model according to the call request information, and the verification unit 912 may be further configured to determine that the data to be verified passes watermarking verification when it is determined that the number of watermark verification data with watermark labels in the data to be verified is greater than or equal to a preset verification number, where the federal learning model is configured to be capable of performing watermarking verification, and the watermarking verification identifies whether the data to be verified is watermark verification data with watermark labels;
an assigning unit 913, which may be configured to assign a calling authority of the federated learning model to the caller; and
the model execution unit 914 may be configured to execute the federated learning model to enable invocation of the federated learning model by a caller.
Further, as shown in fig. 1 and 2, the shared platform may further include at least one of:
a testing unit 915, which may be configured to test the watermark identification accuracy of the federal learning model for watermark test data with watermark labels;
a key unit 916, which may be configured to generate a public key for encrypting the local model to produce a local encryption model, and a private key matching the public key for decrypting the aggregated encryption model to produce a federated learning model.
As shown in fig. 1 and 2, the federal learning system may further include a plurality of participant devices 920, each participant device 920 of the plurality of participant devices 920 is provided locally to a participant corresponding to the participant device 920 in a one-to-one correspondence, and each participant device 920 of the plurality of participant devices 920 may include:
a second communication unit 921, which may be configured to obtain a watermarking training data set of the participant, wherein the watermarking training data set includes watermarking training data having a watermark label; and
a local training unit 922 may be configured to train based on the watermarked training data set to generate a local model of the participant.
In addition, the federated learning system may further include an aggregation unit 940, which may be disposed on at least one of the plurality of participant devices 920, as shown in fig. 1, or on the shared platform 910, as shown in fig. 2, the aggregation unit 940 may be configured to aggregate the local models of the plurality of participants to generate the federated learning model.
Further, as shown in fig. 1 and fig. 2, the federated learning system may further include a blockchain 930 having one or more nodes 931, wherein the blockchain 930 may include a smart contract for performing watermarking verification, and at least one of model training information and model calling information may be recorded in the one or more nodes 931.
One or more embodiments of the present specification also provide a non-transitory computer readable storage medium on which computer instructions may be stored, the computer instructions when executed by a processor may implement the method for training or the method for invoking the federated learning model as described above.
The non-transitory computer readable storage medium in one or more embodiments of the present specification can be either volatile memory or nonvolatile memory, or can include both volatile and nonvolatile memory. It should be noted that the computer-readable storage media described herein are intended to comprise, without being limited to, these and any other suitable types of memory.
One or more embodiments of the present specification also provide a computer program product that may include instructions that, when executed by a processor, may implement the steps of a method for training or a method for invoking of a federated learning model as described above.
The instructions may be any set of instructions to be executed directly by one or more processors, such as machine code, or indirectly, such as scripts. The terms "instructions," "applications," "processes," "steps," and "programs" herein may be used interchangeably. The instructions may be stored in an object code format for direct processing by one or more processors, or in any other computer language, including scripts or collections of independent source code modules that are interpreted or compiled in advance, as needed. The instructions may include instructions that cause, for example, one or more processors to act as the neural networks herein. The functions, methods, and routines of the instructions are explained in more detail elsewhere herein.
In one or more embodiments of the present description, a federated learning model that is capable of identifying watermark verification data with watermark labels may be generated based on a watermarked training data set. In the process of calling the federated learning model, verification of caller identity or voting verification by participants can be realized by using watermark verification data. After the watermarking verification is passed, the federated learning model is run in the shared platform, so that neither the participants nor the callers directly contact the federated learning model in plaintext form. Free circulation of the model is thereby realized while avoiding leakage of information that could cause security risks and while guaranteeing the security of the data and the model, so that the value of the data is fully mined and released and more benefits are provided to the owners of the data and the model. In addition, information related to training, calling, etc. of the model can be stored on the blockchain, thereby ensuring the validity and reliability of the transaction. Accordingly, the federated learning model trained by multiple participants together can be considered a non-fungible token (NFT) and circulated according to the corresponding transaction rules on the blockchain.
In the 1990s, an improvement in a technology could be clearly distinguished as either an improvement in hardware (e.g., an improvement in circuit structures such as diodes, transistors, switches, etc.) or an improvement in software (an improvement in a process flow). However, as technology advances, many of today's process flow improvements can be regarded as direct improvements in hardware circuit structure. Designers almost always obtain the corresponding hardware circuit structure by programming an improved method flow into a hardware circuit. Thus, it cannot be said that an improvement in a process flow cannot be realized by hardware physical modules. For example, a Programmable Logic Device (PLD), such as a Field Programmable Gate Array (FPGA), is an integrated circuit whose logic functions are determined by the user's programming of the device. A designer "integrates" a digital system onto a PLD by programming it, without requiring the chip manufacturer to design and fabricate an application-specific integrated circuit chip. Furthermore, nowadays, instead of manually making an integrated circuit chip, such programming is often implemented by "logic compiler" software, which is similar to the software compiler used in program development; the original code to be compiled must also be written in a specific programming language, called a Hardware Description Language (HDL). There is not just one HDL but many, such as ABEL (Advanced Boolean Expression Language), AHDL (Altera Hardware Description Language), Confluence, CUPL (Cornell University Programming Language), HDCal, JHDL (Java Hardware Description Language), Lava, Lola, MyHDL, PALASM and RHDL (Ruby Hardware Description Language); VHDL (Very-High-Speed Integrated Circuit Hardware Description Language) and Verilog are currently the most commonly used.
It will also be apparent to those skilled in the art that hardware circuitry that implements the logical method flows can be readily obtained by merely slightly programming the method flows into an integrated circuit using the hardware description languages described above.
The controller may be implemented in any suitable manner. For example, the controller may take the form of a microprocessor or processor and a computer-readable medium storing computer-readable program code (e.g., software or firmware) executable by the (micro)processor, logic gates, switches, an Application Specific Integrated Circuit (ASIC), a programmable logic controller, or an embedded microcontroller. Examples of controllers include, but are not limited to, the following microcontrollers: ARC 625D, Atmel AT91SAM, Microchip PIC18F26K20, and Silicon Labs C8051F320. A memory controller may also be implemented as part of the control logic of the memory. Those skilled in the art will also appreciate that, in addition to implementing the controller as pure computer-readable program code, the same functionality can be implemented by logically programming the method steps such that the controller takes the form of logic gates, switches, application-specific integrated circuits, programmable logic controllers, embedded microcontrollers and the like. Such a controller may thus be considered a hardware component, and the means included therein for performing the various functions may also be considered as structures within the hardware component. The means for performing the functions may even be regarded as both software modules for performing the method and structures within a hardware component.
The systems, devices, modules or units illustrated in the above embodiments may be implemented by a computer chip or an entity, or by a product with certain functions. One typical implementation device is a server system. Of course, this application does not exclude that with future developments in computer technology, the computer implementing the functionality of the above described embodiments may be, for example, a personal computer, a laptop computer, a vehicle-mounted human-computer interaction device, a cellular phone, a camera phone, a smart phone, a personal digital assistant, a media player, a navigation device, an email device, a game console, a tablet computer, a wearable device or a combination of any of these devices.
Although one or more embodiments of the present description provide method operational steps as described in the embodiments or flowcharts, more or fewer operational steps may be included based on conventional or non-inventive approaches. The order of steps recited in the embodiments is merely one manner of performing the steps in a multitude of orders and does not represent the only order of execution. When an actual apparatus or end product executes, it may execute sequentially or in parallel (e.g., parallel processors or multi-threaded environments, or even distributed data processing environments) according to the method shown in the embodiment or the figures. The terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, the presence of additional identical or equivalent elements in a process, method, article, or apparatus that comprises the recited elements is not excluded. For example, if the terms first, second, etc. are used to denote names, they do not denote any particular order.
For convenience of description, the above devices are described as being divided into various modules by functions, and are described separately. Of course, when implementing one or more of the present description, the functions of each module may be implemented in one or more software and/or hardware, or a module implementing the same function may be implemented by a combination of multiple sub-modules or sub-units, etc. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include volatile memory in a computer-readable medium, Random Access Memory (RAM) and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage, graphene storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, computer-readable media do not include transitory computer-readable media, such as modulated data signals and carrier waves.
As will be appreciated by one skilled in the art, one or more embodiments of the present description may be provided as a method, system, or computer program product. Accordingly, one or more embodiments of the present description may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, one or more embodiments of the present description may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
One or more embodiments of the present description may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. One or more embodiments of the present specification can also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices.
The embodiments in the present specification are described in a progressive manner; the same and similar parts among the embodiments may be referred to one another, and each embodiment focuses on its differences from the other embodiments. In particular, since the system embodiment is substantially similar to the method embodiment, its description is relatively brief, and for the relevant points reference may be made to the corresponding description of the method embodiment. In the description of the specification, reference to the terms "one embodiment," "some embodiments," "an example," "a specific example," or "some examples," etc., means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the specification. In this specification, the schematic representations of the terms used above are not necessarily intended to refer to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples. Furthermore, various embodiments or examples and features of different embodiments or examples described in this specification can be combined by one skilled in the art without contradiction.
The above description is merely exemplary of one or more embodiments of the present disclosure and is not intended to limit the scope of one or more embodiments of the present disclosure. Various modifications and alterations to one or more embodiments described herein will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement or the like made within the spirit and principle of the present specification should be included in the scope of the claims.
Claims (41)
1. A training method for a federated learning model, wherein training data for training the federated learning model is provided by a plurality of participants, the training method comprising:
performing, by each participant in the plurality of participants, the following steps local to the participant:
acquiring a watermarked training data set of the participant, wherein the watermarked training data set comprises watermarked training data with a watermark label; and
training based on the watermarked training data set to generate a local model of the participant; and
aggregating the local models of the plurality of participants to produce the federated learning model.
2. The training method of claim 1, wherein obtaining the watermarked training data set for the participant comprises:
extracting a second training data set from a first training data set provided by the participant, wherein the second training data set is a non-true subset of the first training data set;
generating a third training data set from the second training data set, wherein the feature portion of each piece of training data in the third training data set is generated by watermarking the feature portion of the corresponding piece of training data in the second training data set, and the label portion of each piece of training data in the third training data set is generated by modifying the label portion of the corresponding piece of training data in the second training data set to a watermark label; and
merging the third training data set with at least a portion of the first training data set into the watermarked training data set for the participant.
3. The training method of claim 2, wherein, among the plurality of participants, the ratios of the number of training data in the second training data set of each participant to the number of training data in the first training data set of that participant are equal to one another.
4. The training method according to claim 2, wherein the ratio of the number of training data in the second training data set of each participant to the number of training data in the first training data set of that participant is in the range from 5% to 20%.
5. The training method according to claim 2, wherein the ratio of the number of training data in the second training data set of each participant to the number of training data in the first training data set of that participant is 10%.
6. The training method according to claim 2, wherein the second training data set is randomly extracted from the first training data set.
7. The training method of claim 2, wherein the generating of the feature portion of each of the training data in the third training data set by watermarking the feature portion of the corresponding training data in the second training data set comprises:
superimposing noise on the feature portion of the training data in the second training data set, and taking the superimposed result as the feature portion of the corresponding training data in the third training data set;
wherein a dimension of noise, a dimension of a feature portion of the training data in the second training data set, and a dimension of a feature portion of the training data in the third training data set are equal to each other.
8. The training method of claim 7, wherein the noise comprises noise generated from non-training data; or
the noise comprises noise generated based on an image countermeasure algorithm; or
the noise comprises Gaussian noise.
9. The training method of claim 1, wherein when the federated learning model is a classification model, a watermark label is set to a label corresponding to a watermark type.
10. The training method according to claim 1, wherein when the federated learning model is a regression model, a watermark label is set as a label corresponding to a minimum output value or a maximum output value of the federated learning model.
11. The training method of claim 1, wherein aggregating local models of the plurality of participants to generate the federated learning model comprises:
aggregating the local models of the plurality of participants based on a horizontal federated learning algorithm.
12. The training method of claim 11, wherein aggregating the local models of the plurality of participants based on a horizontal federated learning algorithm comprises:
selecting a participant from the plurality of participants as an aggregator;
each participant in the plurality of participants encrypts its local model with its public key to generate a local encryption model for the participant;
all other participants in the plurality of participants that are not the aggregator respectively transmit their local encryption models to the aggregator;
the aggregator aggregating all local encryption models of the plurality of participants to generate and store an aggregated encryption model that is an encrypted federated learning model; and
the aggregator respectively returns the aggregated encryption model to all other participants in the plurality of participants for all other participants to respectively store the aggregated encryption model locally thereon.
13. The training method of claim 12, wherein the aggregator is randomly selected from the plurality of participants.
14. The training method of claim 11, wherein aggregating the local models of the plurality of participants based on a horizontal federated learning algorithm comprises:
each participant in the plurality of participants encrypts its local model with its public key to generate a local encryption model for the participant;
each participant in the plurality of participants respectively transmits its local encryption model to the shared platform;
the shared platform aggregating all local encryption models of the plurality of participants to produce an aggregated encryption model that is an encrypted federated learning model; and
the shared platform returns the aggregated encryption model to each of the plurality of participants separately for each participant to store the aggregated encryption model locally.
15. The training method according to claim 12 or 14, wherein the matching public and private keys of each participant are generated by a shared platform, the public key is transmitted by the shared platform to the respective participant, and the private key is stored in the shared platform.
16. The training method according to claim 12 or 14, wherein the matching public and private keys of each participant are generated based on a homomorphic encryption algorithm.
17. The training method of claim 1, after generating the federated learning model, further comprising:
testing and recording, by the shared platform, the watermark identification accuracy of the federated learning model on watermark test data with the watermark label.
18. A method for calling a federated learning model, wherein the federated learning model is configured to be capable of performing watermarking verification that identifies whether data to be verified is watermark verification data with a watermark label, the method comprising:
obtaining calling request information from a caller by a shared platform;
the shared platform performs watermarking verification on data to be verified by utilizing the federated learning model according to the calling request information; and
when the shared platform determines that the number of pieces of watermark verification data with the watermark label in the data to be verified is greater than or equal to a preset verification number, determining that the data to be verified passes watermarking verification, and allocating the calling authority of the federated learning model to the caller for the caller to call the federated learning model.
19. The calling method of claim 18, wherein the federated learning model is trained according to the training method of any one of claims 1-17.
20. The calling method of claim 18, wherein the watermark verification data is a characteristic portion of the corresponding watermark training data.
21. The calling method of claim 18, wherein the calling request information is first calling request information when the caller requests to call the federated learning model with a participant identity.
22. The calling method according to claim 21, wherein, when the call request information is the first call request information, the shared platform performing watermarking verification on data to be verified by using the federated learning model according to the call request information comprises:
the shared platform acquires an aggregated encryption model and data to be verified from the caller;
the shared platform decrypts the aggregated encryption model by using a private key to obtain the federated learning model; and
the shared platform respectively inputs each piece of data in the data to be verified into the federated learning model so as to determine whether the data is watermark verification data with a watermark label.
23. The calling method of claim 21, wherein the number of data to be verified is at least half of the number of watermarked training data of the participant, among the plurality of participants, who provides the smallest watermarked training data set.
24. The calling method of claim 21, wherein the caller invoking the federated learning model comprises:
the caller is signed by a blockchain node to invoke the federated learning model based on the assigned invocation rights, wherein the federated learning model runs in the shared platform.
25. The calling method of claim 18, wherein the calling request information is a second calling request information when the caller requests to call the federated learning model in a non-participant identity.
26. The calling method according to claim 25, wherein, when the call request information is the second call request information, the shared platform performing watermarking verification on data to be verified by using the federated learning model according to the call request information comprises:
the shared platform broadcasts the second calling request information to the plurality of participants;
when the shared platform acquires an aggregated encryption model from at least one participant of the plurality of participants, decrypting the aggregated encryption model by using a private key to obtain the federated learning model;
when the shared platform acquires data to be verified from at least some of the participants, inputting each piece of data in the data to be verified into the federated learning model respectively to determine whether the data is watermark verification data with a watermark label.
27. The calling method of claim 26, wherein the shared platform obtains the aggregated encryption model only from the participant of the plurality of participants who provided the largest watermarked training data set.
28. The calling method of claim 26, wherein the number of data to be verified is at least half of the total number of watermarked training data in the watermarked training data sets provided by the plurality of participants.
29. The calling method of claim 25, wherein the caller invoking the federated learning model comprises:
the shared platform acquires an aggregated encryption model from at least one participant in the plurality of participants, and decrypts the aggregated encryption model by using a private key to obtain the federated learning model;
the caller invokes the federated learning model based on the assigned invocation permissions, wherein the federated learning model runs in the shared platform.
30. The calling method according to claim 18, wherein the preset verification number is determined at least according to a watermark recognition accuracy of the federated learning model.
31. The calling method of claim 18, wherein the shared platform performing watermarking verification on the data to be verified using the federated learning model according to the call request information comprises:
the shared platform uses a smart contract on a blockchain to perform the watermarking verification.
32. The calling method according to claim 18, wherein the calling authority is an authority to call the federated learning model a preset number of times within a preset time period after passing watermarking verification.
33. The calling method of claim 18, further comprising:
recording the model calling information on the blockchain after the watermarking verification is passed.
34. The calling method of claim 18, further comprising:
when the shared platform determines that the number of pieces of watermark verification data with the watermark label in the data to be verified is less than the preset verification number, determining that the watermarking verification is not passed, and recording the calling request information.
35. The calling method of claim 18, wherein during training of the federated learning model, model training information for each of the plurality of participants is saved on a blockchain after each training is completed, the calling method further comprising:
after the watermarking verification is passed, distributing corresponding benefits to each participant according to the model training information of each participant recorded on the blockchain.
36. A federated learning system comprising a shared platform, the shared platform comprising:
a first communication unit configured to acquire call request information from a caller;
a verification unit configured to perform watermarking verification on data to be verified by using a federated learning model according to the calling request information, and further configured to determine that the data to be verified passes watermarking verification when the number of pieces of watermark verification data with a watermark label in the data to be verified is greater than or equal to a preset verification number, wherein the federated learning model is configured to be capable of executing watermarking verification, and the watermarking verification identifies whether the data to be verified is watermark verification data with a watermark label;
an allocation unit configured to allocate a calling authority of the federated learning model to the caller; and
a model execution unit configured to execute the federated learning model to enable invocation of the federated learning model by the caller.
37. The federated learning system as in claim 36, the shared platform further comprising at least one of:
a testing unit configured to test the federated learning model for watermark identification accuracy for watermark test data having a watermark label;
a key unit configured to generate a public key for encrypting the local model to produce a local encryption model, and a private key matching the public key for decrypting the aggregated encryption model to produce the federated learning model; and
a storage unit configured to store the private key and/or the recorded watermark identification accuracy.
38. The federated learning system of claim 36, further comprising:
a plurality of participant devices, each of the plurality of participant devices being disposed in a one-to-one correspondence with a participant corresponding to the participant device, and each of the plurality of participant devices comprising:
a second communication unit configured to obtain a watermarked training data set of the participant, wherein the watermarked training data set comprises watermarked training data having a watermark label; and
a local training unit configured to train based on the watermarked training data set to generate a local model of the participant; and
an aggregation unit disposed on the shared platform or at least one of the plurality of participant devices, the aggregation unit configured to aggregate local models of the plurality of participants to produce the federated learning model.
39. The federated learning system of claim 36, further comprising a blockchain having one or more nodes, wherein the blockchain includes smart contracts for watermarking verification, and wherein at least one of model training information and model invocation information is recorded in the one or more nodes.
40. A non-transitory computer readable storage medium having stored thereon computer instructions which, when executed by a processor, implement the steps of the training method of any one of claims 1 to 17 or the calling method of any one of claims 18 to 35.
41. A computer program product comprising computer instructions which, when executed by a processor, implement the steps of the training method according to any one of claims 1 to 17 or the calling method according to any one of claims 18 to 35.
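Claims 2 to 8 describe how each participant builds its watermarked training data set, and claims 17, 18 and 20 describe how the shared platform later counts watermark hits against a preset verification number. The following added example (not code from the patent) walks that path on constructed data; the nearest-centroid model, the reuse of one Gaussian noise vector by all participants, the reserved label `2` and the 0.8 factor used to derive the preset number are assumptions.

```python
import math
import random

WATERMARK_LABEL = 2  # assumption: class id reserved for the watermark type (claim 9)

def make_samples(n, dim, rng):
    """Constructed data: class 0 around 0.0 and class 1 around 1.0 in every dimension."""
    return [([rng.gauss(float(i % 2), 0.2) for _ in range(dim)], i % 2) for i in range(n)]

def add_noise(features, noise):
    """Claim 7: superimpose noise whose dimension equals the feature dimension."""
    if len(features) != len(noise):
        raise ValueError("noise and feature portion must have equal dimension")
    return [x + e for x, e in zip(features, noise)]

def watermark_dataset(first_set, noise, ratio, rng):
    """Claim 2: extract the second set, derive the third set, merge with the first."""
    second = rng.sample(first_set, round(len(first_set) * ratio))  # claim 6: random
    third = [(add_noise(feat, noise), WATERMARK_LABEL) for feat, _ in second]
    return first_set + third, third

def train_local(dataset):
    """Local model (assumed form): per-class feature sums and sample counts."""
    model = {}
    for feat, label in dataset:
        sums, count = model.get(label, ([0.0] * len(feat), 0))
        model[label] = ([s + x for s, x in zip(sums, feat)], count + 1)
    return model

def aggregate(local_models):
    """Plaintext stand-in for the aggregation step: pooled class centroids."""
    merged = {}
    for model in local_models:
        for label, (sums, count) in model.items():
            acc, total = merged.get(label, ([0.0] * len(sums), 0))
            merged[label] = ([a + s for a, s in zip(acc, sums)], total + count)
    return {label: [s / total for s in sums] for label, (sums, total) in merged.items()}

def predict(model, feat):
    """Return the label of the nearest class centroid."""
    def dist2(centroid):
        return sum((x - c) ** 2 for x, c in zip(feat, centroid))
    return min(model, key=lambda label: dist2(model[label]))

def watermarking_verification(model, data_to_verify, preset_number):
    """Claims 18 and 34: count inputs identified as watermark data, compare to preset."""
    hits = sum(1 for feat in data_to_verify if predict(model, feat) == WATERMARK_LABEL)
    return hits >= preset_number, hits

def demo(seed=7):
    rng = random.Random(seed)
    dim = 16
    noise = [rng.gauss(0.0, 5.0) for _ in range(dim)]   # claim 8: Gaussian noise
    local_models, thirds, sizes = [], [], []
    for n in (100, 200):                                # two constructed participants
        first = make_samples(n, dim, rng)
        marked, third = watermark_dataset(first, noise, 0.10, rng)  # claim 5: 10%
        local_models.append(train_local(marked))
        thirds.append(third)
        sizes.append(len(marked))
    model = aggregate(local_models)

    # Claim 17: the platform measures accuracy on watermark test data.
    test_feats = [add_noise(f, noise) for f, _ in make_samples(50, dim, rng)]
    accuracy = sum(predict(model, f) == WATERMARK_LABEL for f in test_feats) / len(test_feats)

    # Claim 20: a participant submits the feature portions of its watermark training data.
    owner_data = [feat for feat, _ in thirds[0]]
    preset = max(1, math.floor(0.8 * accuracy * len(owner_data)))   # assumed rule (claim 30)
    owner_passed, owner_hits = watermarking_verification(model, owner_data, preset)

    # A caller without watermark data can only submit ordinary samples.
    clean = [f for f, _ in make_samples(len(owner_data), dim, rng)]
    outsider_passed, outsider_hits = watermarking_verification(model, clean, preset)
    return {"set_sizes": sizes, "accuracy": accuracy, "preset": preset,
            "owner_passed": owner_passed, "owner_hits": owner_hits,
            "outsider_passed": outsider_passed, "outsider_hits": outsider_hits}

if __name__ == "__main__":
    print(demo())
```

The check is only as strong as the secrecy of the noise pattern and the model's watermark accuracy, which is why the preset number is tied to the measured accuracy rather than fixed.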
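Claims 12 to 16 have the local models encrypted under a homomorphic public key, aggregated as ciphertexts, and decrypted only by the shared platform that holds the private key. The following added example (not code from the patent) sketches that flow with textbook Paillier; it assumes one key pair shared by all participants, fixed toy primes, fixed-point weight encoding and sum-then-average aggregation, none of which the claims specify.

```python
import math
import random

SCALE = 10**6  # assumption: fixed-point scale used to encode real weights as integers

def keygen(p=2147483647, q=2305843009213693951):
    """Shared platform side (claims 15-16). Toy primes 2^31-1 and 2^61-1: not secure."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    return n, (lam, pow(lam, -1, n))           # public key n, private key (lambda, mu)

def encrypt(n, m, rng):
    """Paillier encryption with g = n + 1: c = (1 + m*n) * r^n mod n^2."""
    n2 = n * n
    r = rng.randrange(2, n)
    while math.gcd(r, n) != 1:
        r = rng.randrange(2, n)
    return (1 + (m % n) * n) * pow(r, n, n2) % n2

def decrypt(n, private_key, c):
    """m = L(c^lambda mod n^2) * mu mod n, with L(u) = (u - 1) / n."""
    lam, mu = private_key
    m = (pow(c, lam, n * n) - 1) // n * mu % n
    return m - n if m > n // 2 else m           # residues above n/2 encode negatives

def encrypt_local_model(n, weights, rng):
    """Participant side: produce the local encryption model from plaintext weights."""
    return [encrypt(n, round(w * SCALE), rng) for w in weights]

def aggregate_encrypted(n, encrypted_models):
    """Aggregator side: multiplying ciphertexts adds the hidden weights."""
    n2 = n * n
    aggregated = [1] * len(encrypted_models[0])
    for model in encrypted_models:
        aggregated = [a * c % n2 for a, c in zip(aggregated, model)]
    return aggregated

def decrypt_federated_model(n, private_key, aggregated, participants):
    """Shared platform side: decrypt the aggregated encryption model and average it."""
    return [decrypt(n, private_key, c) / (SCALE * participants) for c in aggregated]

def demo(seed=11):
    rng = random.Random(seed)                   # demo only; use a CSPRNG in practice
    n, private_key = keygen()
    # Constructed local models of three participants.
    local_models = [[0.25, -1.5, 3.125], [0.75, 0.5, -1.125], [-0.5, 2.0, 1.0]]
    encrypted = [encrypt_local_model(n, w, rng) for w in local_models]
    aggregated = aggregate_encrypted(n, encrypted)      # aggregator never sees plaintext
    return decrypt_federated_model(n, private_key, aggregated, len(local_models))

if __name__ == "__main__":
    print(demo())
```

With a single key pair held by the platform, any party that obtains both an individual local encryption model and the private key can read that participant's weights, so who receives which ciphertext matters as much as the encryption itself.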
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111411921.3A CN114091690A (en) | 2021-11-25 | 2021-11-25 | Method for training federated learning model, method for calling federated learning model and federated learning system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN114091690A (en) | 2022-02-25 |
Family
ID=80304349
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202111411921.3A Pending CN114091690A (en) | 2021-11-25 | 2021-11-25 | Method for training federated learning model, method for calling federated learning model and federated learning system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114091690A (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
TA01 | Transfer of patent application right | Effective date of registration: 20240914. Address after: Room 803, floor 8, No. 618 Wai Road, Huangpu District, Shanghai 200010. Applicant after: Ant blockchain Technology (Shanghai) Co.,Ltd. Country or region after: China. Address before: 310000 801-11 section B, 8th floor, 556 Xixi Road, Xihu District, Hangzhou City, Zhejiang Province. Applicant before: Alipay (Hangzhou) Information Technology Co.,Ltd. Country or region before: China |