CN114241268A - Model training method, device and equipment - Google Patents


Publication number
CN114241268A
Authority
CN
China
Prior art keywords
training
training samples
target model
samples
intelligent contract
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202111574537.5A
Other languages
Chinese (zh)
Other versions
CN114241268B (en)
Inventor
崔世文
孟昌华
李志峰
王维强
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Alipay Hangzhou Information Technology Co Ltd
Original Assignee
Alipay Hangzhou Information Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Alipay Hangzhou Information Technology Co Ltd filed Critical Alipay Hangzhou Information Technology Co Ltd
Priority to CN202111574537.5A priority Critical patent/CN114241268B/en
Publication of CN114241268A publication Critical patent/CN114241268A/en
Application granted granted Critical
Publication of CN114241268B publication Critical patent/CN114241268B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/21 Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
    • G06F18/214 Generating training patterns; Bootstrap methods, e.g. bagging or boosting

Landscapes

  • Engineering & Computer Science (AREA)
  • Data Mining & Analysis (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Bioinformatics & Cheminformatics (AREA)
  • Bioinformatics & Computational Biology (AREA)
  • Artificial Intelligence (AREA)
  • Evolutionary Biology (AREA)
  • Evolutionary Computation (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The embodiments of this specification disclose a model training method, apparatus and device. The method comprises: obtaining a first number of first training samples; selecting a second number of first training samples from the first number of first training samples and adding corresponding noise data to each of them to obtain a second number of second training samples; and training a target model, based on the remaining first training samples and the second number of second training samples, through a preset gradient-based adversarial attack algorithm to obtain the trained target model.

Description

Model training method, device and equipment
Technical Field
The present disclosure relates to the field of computer technologies, and in particular, to a method, an apparatus, and a device for training a model.
Background
Models used in many scenarios (such as risk prevention and control models for business security) inevitably face the problem of model degradation. Model degradation is usually caused by factors such as the external environment, the corresponding business, and attack and defense against the black-market industry. It causes the model to change over time, and because this change is unpredictable and unknown, the performance of the model can drop rapidly.
Disclosure of Invention
The embodiments aim to provide a model training scheme that significantly improves a model's resistance to attack and its robustness.
In order to implement the above technical solution, the embodiments of the present specification are implemented as follows:
An embodiment of this specification provides a model training method, the method comprising: obtaining a first number of first training samples; selecting a second number of first training samples from the first number of first training samples, and adding corresponding noise data to each of the second number of first training samples to obtain a second number of second training samples; and training a target model, based on the remaining first training samples and the second number of second training samples, through a preset gradient-based adversarial attack algorithm to obtain the trained target model.
An embodiment of this specification provides a model training method applied to a blockchain system, the method comprising: acquiring training rule information of a target model, generating a corresponding smart contract from the training rule information of the target model, and deploying the smart contract into the blockchain system; invoking the smart contract to obtain a first number of first training samples; based on the smart contract, selecting a second number of first training samples from the first number of first training samples, and adding corresponding noise data to each of the second number of first training samples to obtain a second number of second training samples; and, based on the smart contract, training the target model with the remaining first training samples and the second number of second training samples through a preset gradient-based adversarial attack algorithm to obtain the trained target model.
An embodiment of this specification provides a model training apparatus, the apparatus comprising: a sample acquisition module, which obtains a first number of first training samples; a sample processing module, which selects a second number of first training samples from the first number of first training samples and adds corresponding noise data to each of the second number of first training samples to obtain a second number of second training samples; and a training module, which trains a target model, based on the remaining first training samples and the second number of second training samples, through a preset adversarial attack algorithm to obtain the trained target model.
An embodiment of this specification provides a model training apparatus that is an apparatus in a blockchain system, the apparatus comprising: a contract deployment module, which acquires training rule information of a target model, generates a corresponding smart contract from the training rule information of the target model, and deploys the smart contract into the blockchain system; a sample acquisition module, which invokes the smart contract to obtain a first number of first training samples; a sample processing module, which, based on the smart contract, selects a second number of first training samples from the first number of first training samples and adds corresponding noise data to each of the second number of first training samples to obtain a second number of second training samples; and a training module, which, based on the smart contract, trains the target model with the remaining first training samples and the second number of second training samples through a preset gradient-based adversarial attack algorithm to obtain the trained target model.
An embodiment of this specification provides a model training device, comprising: a processor; and a memory arranged to store computer-executable instructions that, when executed, cause the processor to: obtain a first number of first training samples; select a second number of first training samples from the first number of first training samples, and add corresponding noise data to each of the second number of first training samples to obtain a second number of second training samples; and train a target model, based on the remaining first training samples and the second number of second training samples, through a preset gradient-based adversarial attack algorithm to obtain the trained target model.
An embodiment of this specification provides a model training device that is a device in a blockchain system, comprising: a processor; and a memory arranged to store computer-executable instructions that, when executed, cause the processor to: acquire training rule information of a target model, generate a corresponding smart contract from the training rule information of the target model, and deploy the smart contract into the blockchain system; invoke the smart contract to obtain a first number of first training samples; based on the smart contract, select a second number of first training samples from the first number of first training samples, and add corresponding noise data to each of the second number of first training samples to obtain a second number of second training samples; and, based on the smart contract, train the target model with the remaining first training samples and the second number of second training samples through a preset gradient-based adversarial attack algorithm to obtain the trained target model.
Embodiments of this specification also provide a storage medium for storing computer-executable instructions that, when executed, implement the following process: obtaining a first number of first training samples; selecting a second number of first training samples from the first number of first training samples, and adding corresponding noise data to each of the second number of first training samples to obtain a second number of second training samples; and training a target model, based on the remaining first training samples and the second number of second training samples, through a preset gradient-based adversarial attack algorithm to obtain the trained target model.
Embodiments of this specification also provide a storage medium for storing computer-executable instructions that, when executed, implement the following process: acquiring training rule information of a target model, generating a corresponding smart contract from the training rule information of the target model, and deploying the smart contract into a blockchain system; invoking the smart contract to obtain a first number of first training samples; based on the smart contract, selecting a second number of first training samples from the first number of first training samples, and adding corresponding noise data to each of the second number of first training samples to obtain a second number of second training samples; and, based on the smart contract, training the target model with the remaining first training samples and the second number of second training samples through a preset gradient-based adversarial attack algorithm to obtain the trained target model.
Drawings
In order to more clearly illustrate the embodiments of the present specification or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly introduced below, it is obvious that the drawings in the following description are only some embodiments described in the present specification, and for those skilled in the art, other drawings can be obtained according to the drawings without any creative effort.
FIG. 1 illustrates an embodiment of a model training method of the present disclosure;
FIG. 2 is a schematic diagram of a training correlation interface for a model according to the present disclosure;
FIG. 3 is a diagram of another embodiment of a model training method according to the present disclosure;
FIG. 4 is a schematic diagram of a training process for a model of the present disclosure;
FIG. 5A is a block diagram illustrating an embodiment of a method for training a model according to the present disclosure;
FIG. 5B is a schematic diagram of a training process for another model of the present disclosure;
FIG. 6 is an embodiment of a model training apparatus according to the present disclosure;
FIG. 7 is an embodiment of a training apparatus for another model of the present disclosure;
FIG. 8 is an embodiment of a training apparatus for a model of the present disclosure.
Detailed Description
The embodiment of the specification provides a model training method, a model training device and model training equipment.
In order to make those skilled in the art better understand the technical solutions in the present specification, the technical solutions in the embodiments of the present specification will be clearly and completely described below with reference to the drawings in the embodiments of the present specification, and it is obvious that the described embodiments are only a part of the embodiments of the present specification, and not all of the embodiments. All other embodiments obtained by a person skilled in the art based on the embodiments in the present specification without any inventive step should fall within the scope of protection of the present specification.
Example one
As shown in FIG. 1, the embodiments of this specification provide a model training method. The execution subject of the method may be a terminal device or a server. The terminal device may be a mobile terminal device such as a mobile phone or a tablet computer, or a device such as a personal computer. The server may be an independent server or a server cluster formed by a plurality of servers, and may be a background server of a financial service or an online shopping service, or a background server of an application. The method may be applied to scenarios that involve model training and the like. In this embodiment a server is used as the execution subject for the detailed description; for the case of a terminal device, refer to the related content below, which is not repeated here. The method may specifically comprise the following steps:
In step S102, a first number of first training samples is acquired.
The first number may be set according to the actual situation, for example 100,000 or 1,000,000. The first training samples may be of many types and may be set according to the model to be trained. For example, if the model to be trained is a facial recognition model, the first training samples may be facial images; if the model to be trained is a fingerprint recognition model, the first training samples may be fingerprint data; and if the model to be trained is a risk prevention and control model for a certain service (such as an online transaction service), the first training samples may be service data of that service (which may include, for example, related information of both transaction parties, resource information of the transaction, transaction time, transaction location, and transaction history data of both transaction parties).
In implementation, models used in many scenarios (such as risk prevention and control models for business security) inevitably face the problem of model degradation. Model degradation is usually caused by factors such as the external environment, the corresponding business, and attack and defense against the black-market industry. It causes the model to change over time, and because this change is unpredictable and unknown, the performance of the model can drop rapidly. The embodiments of this specification provide an implementable technical solution, which may specifically include the following:
The first number of first training samples may be obtained in a variety of ways. For example, an input page for training samples may be set up in advance; the input page may include a data input box for the training samples, a confirm button, a cancel button, and the like. When a training sample (that is, a first training sample) needs to be uploaded to the server, the data of the input page may be obtained and the input page displayed. As shown in FIG. 2, the user may enter the data of the first training sample in the data input box of the input page and, once the input is complete, click the confirm button on the input page, at which point the server obtains the first training sample. The first number of first training samples may be obtained in this way. Alternatively, the server may record the relevant data of a certain service; when first training samples need to be obtained, data meeting a specified requirement may be taken from the relevant data of the service and used as the first number of first training samples, and so on.
In step S104, a second number of first training samples are selected from the first number of first training samples, and corresponding noise data is added to the second number of first training samples, respectively, to obtain a second number of second training samples.
The second number may be set according to the actual situation and is smaller than or equal to the first number. For example, the first number may be 100,000 and the second number may be 50,000 or 40,000, and so on, which is not limited in the embodiments of this specification. The noise data may be acquired in a variety of ways: for example, noise data satisfying a specified condition may be generated by a noise generation mechanism constructed in advance, or random noise data may be acquired. This may be set according to the actual situation and is not limited in the embodiments of this specification. In addition, the same noise data may be added to all of the second number of first training samples, or different noise data may be added to each of them, which may be set according to the actual situation.
In implementation, the second number of first training samples may be selected at random from the first number of first training samples. In addition, the noise data to be added to each of the second number of first training samples may be obtained in advance, and this noise data may be the same or different for each sample. After the second number of first training samples is selected, the corresponding noise data may be added to each of the selected first training samples, which yields one second training sample for each of them; in this way the second number of second training samples is obtained.
In step S106, based on the remaining first training samples and the second number of second training samples, the target model is trained through a preset gradient-based adversarial attack algorithm to obtain a trained target model.
The gradient-based adversarial attack algorithm may be an algorithm that causes a classifier to produce a classification error by adding a small perturbation (such as noise data) to the input data. For example, a preset perturbation noise is added to a picture so that the classification result obtained by the classifier is wrong, or some words in a sentence are replaced with synonyms so that the result of sentiment classification is wrong; this may be set according to the actual situation. The gradient-based adversarial attack algorithm may include various algorithms, such as FGSM (Fast Gradient Sign Method, fast gradient descent algorithm), PGD (Projected Gradient Descent), MIM (Momentum Iterative Method), and the like, which may be set according to the actual situation and is not limited in the embodiments of this specification. The target model may be any model: for example, a facial recognition model, a fingerprint recognition model, or a risk prevention and control model (for example, one for fraud risk) constructed for a certain service (for example, a financial service). This may be set according to the actual situation and is not limited in the embodiments of this specification.
In implementation, after the second number of first training samples is selected from the first number of first training samples in the above manner, the remaining first training samples are a third number of first training samples, where the third number is the difference between the first number and the second number (that is, third number = first number − second number), so the third number of first training samples and the second number of second training samples can be used as the samples for model training. In addition, to improve the attack resistance and stability of the model, an adversarial attack algorithm may be preset and the model trained through it. Taking FGSM as an example of the gradient-based adversarial attack algorithm: a loss function may be set for the training process of the target model; a training sample may be selected from the third number of first training samples or the second number of second training samples and input into the target model; the loss function of the target model is used to calculate the corresponding gradient for the input training sample, which yields an adversarial perturbation; and the adversarial perturbation is then added to the selected training sample to generate an adversarial sample. The loss function is linearized in the neighborhood of the selected training sample and the maximum value of the exactly linearized function is found by a specified algorithm, from which the corresponding gradient is obtained, and the parameters of the target model are updated based on that gradient. The other training samples are then processed in the same way to update the parameters of the target model, and finally a target function whose parameters are more accurate and have converged, namely the trained target model, is obtained.
The embodiments of this specification provide a model training method in which a first number of first training samples is obtained, a second number of first training samples is selected from the first number of first training samples, corresponding noise data is added to each of the second number of first training samples to obtain a second number of second training samples, and a target model is trained, based on the remaining first training samples and the second number of second training samples, through a preset gradient-based adversarial attack algorithm to obtain a trained target model. The second training samples are thus generated by adding noise data to part of the first training samples, and training on the first and second training samples is then combined with the gradient-based adversarial attack algorithm. This improves the attack resistance of the trained target model and its robustness, so that the performance of the target model is ensured, the probability of model degradation is effectively reduced, and attacks from the black-market industry can be effectively resisted.
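Steps S102 to S106 can be sketched end to end as follows. This is an added example, not code from the patent: the logistic-regression target model, the Gaussian noise, the constructed two-cluster data and all hyperparameters are assumptions chosen so that it runs with the Python standard library only.

```python
import math
import random


def make_first_samples(first_number, rng):
    # Constructed data: two Gaussian clusters stand in for the first training samples.
    samples = []
    for i in range(first_number):
        y = i % 2
        centre = 2.0 if y else -2.0
        samples.append(([rng.gauss(centre, 1.0), rng.gauss(centre, 1.0)], y))
    return samples


def split_and_add_noise(first_samples, second_number, sigma, rng):
    # S104: randomly select second_number samples and add random noise to each;
    # the samples that were not selected are the remaining first training samples.
    chosen = set(rng.sample(range(len(first_samples)), second_number))
    remaining = [s for i, s in enumerate(first_samples) if i not in chosen]
    second = [([v + rng.gauss(0.0, sigma) for v in first_samples[i][0]],
               first_samples[i][1]) for i in sorted(chosen)]
    return remaining, second


def logit(w, b, x):
    return sum(wi * xi for wi, xi in zip(w, x)) + b


def loss_and_grads(w, b, x, y):
    # Cross-entropy loss of the logistic model and its gradients w.r.t. w, b and x.
    z = max(min(logit(w, b, x), 30.0), -30.0)  # clamp keeps exp() and log() finite
    p = 1.0 / (1.0 + math.exp(-z))
    loss = -(y * math.log(p) + (1 - y) * math.log(1.0 - p))
    d = p - y
    return loss, [d * xi for xi in x], d, [d * wi for wi in w]


def fgsm_perturb(x, grad_x, eps):
    # FGSM: move every feature by eps in the direction of the sign of the loss gradient.
    return [xi + eps * ((g > 0) - (g < 0)) for xi, g in zip(x, grad_x)]


def adversarial_train(samples, eps, lr, epochs, rng):
    # S106: for each sample, build the adversarial sample from the input gradient
    # and update the parameters on the gradient computed at that adversarial sample.
    w, b = [0.0, 0.0], 0.0
    for _ in range(epochs):
        order = list(samples)
        rng.shuffle(order)
        for x, y in order:
            _, _, _, grad_x = loss_and_grads(w, b, x, y)
            x_adv = fgsm_perturb(x, grad_x, eps)
            _, grad_w, grad_b, _ = loss_and_grads(w, b, x_adv, y)
            w = [wi - lr * g for wi, g in zip(w, grad_w)]
            b -= lr * grad_b
    return w, b


def accuracy(w, b, samples, eps=0.0):
    # Accuracy on the samples; with eps > 0 each sample is first perturbed with FGSM,
    # which measures how well the trained model holds up under the same perturbation.
    correct = 0
    for x, y in samples:
        if eps > 0.0:
            _, _, _, grad_x = loss_and_grads(w, b, x, y)
            x = fgsm_perturb(x, grad_x, eps)
        correct += int((logit(w, b, x) > 0) == (y == 1))
    return correct / len(samples)


def run_demo(seed=7):
    rng = random.Random(seed)
    first = make_first_samples(200, rng)                           # first number = 200
    remaining, second = split_and_add_noise(first, 100, 0.3, rng)  # second number = 100
    w, b = adversarial_train(remaining + second, eps=0.3, lr=0.1, epochs=5, rng=rng)
    held_out = make_first_samples(200, rng)
    return {
        "third_number": len(remaining),
        "second_number": len(second),
        "clean_accuracy": accuracy(w, b, held_out),
        "robust_accuracy": accuracy(w, b, held_out, eps=0.3),
    }


if __name__ == "__main__":
    print(run_demo())
```

Comparing `clean_accuracy` with `robust_accuracy` on held-out data is the check that shows whether the training actually bought robustness at the chosen perturbation size.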
Example two
As shown in FIG. 3, the embodiments of this specification provide a model training method. The execution subject of the method may be a terminal device or a server. The terminal device may be a mobile terminal device such as a mobile phone or a tablet computer, or a device such as a personal computer. The server may be an independent server or a server cluster formed by a plurality of servers, and may be a background server of a financial service or an online shopping service, or a background server of an application. The method may be applied to scenarios that involve model training and the like. In this embodiment a server is used as the execution subject for the detailed description; for the case of a terminal device, refer to the related content below, which is not repeated here. The method may specifically comprise the following steps:
In step S302, a first number of first training samples is acquired.
In step S304, a second number of first training samples are selected from the first number of first training samples based on a preset sample selection strategy.
The sample selection strategy may be to select, from a certain number of training samples, the training samples that meet a specified condition, and the specified condition may be set according to the actual situation. For example, the specified condition may be that the ratio between the number of selected training samples and the total number of training samples before selection satisfies a specified proportional relationship, such as 1:2 or 1:3, which may be set according to the actual situation. Alternatively, the specified condition may be to select the training samples that contain one or more specified items of information, or to select the training samples that belong to a specified type (for example, the type corresponding to fraud risk). This may be set according to the actual situation and is not limited in this specification. Based on the above, the second number and the first number satisfy a preset proportional relationship.
In implementation, a sample selection strategy may be preset according to the actual situation. After the first number of first training samples is obtained, the preset sample selection strategy may be retrieved and its content analyzed, and the first training samples that meet the sample selection strategy may be selected from the first number of first training samples according to the strategy content, which yields the second number of first training samples. Specifically, a certain number of first training samples may be selected at random from the first number of first training samples such that the ratio between the number of selected first training samples and the first number is 1:2; this gives the second number (that is, 1/2 of the first number) and the second number of first training samples.
In step S306, noise data corresponding to each of the second number of first training samples is respectively obtained.
In implementation, as shown in FIG. 4, a noise generation mechanism, NoiseMaker, may be constructed in advance, and corresponding noise data may be generated through it for each of the second number of first training samples. In practical applications, the noise data may be generated by a denoising auto-encoder (DAE). The DAE is a processing mechanism built on the auto-encoder: to prevent over-fitting, noise data is added to the data fed to the input layer of the model (which may be part of the training samples), and the input is reconstructed at the output layer of the model, so that the learned encoder is strongly robust, which enhances the generalization ability of the model.
Step S306 may be processed in a variety of ways. One optional processing manner is provided below, which may specifically include the following: noise data is randomly generated for each of the second number of first training samples.
In implementation, the noise data corresponding to each of the first training samples may be randomly generated by the noise generation mechanism NoiseMaker or by the denoising auto-encoder DAE.
In step S308, based on the acquired noise data, the corresponding noise data is added to each of the second number of first training samples, respectively, to obtain a second number of second training samples.
In step S310, based on the remaining first training samples and the second number of second training samples, the target model is trained through a preset first loss function, so as to obtain a characterization vector corresponding to each training sample and first loss information corresponding to the first loss function, where the training samples include the remaining first training samples and the second number of second training samples.
In implementation, for any training sample (which may be referred to as a target training sample for convenience of subsequent description) in the third number of first training samples and the second number of second training samples, as shown in fig. 4, the target training sample may be vectorized to obtain a characterization vector corresponding to the target training sample, that is, an embedded Embedding vector, and then, the embedded Embedding vector may be input into the target model, and the target training sample may be processed by an encoder in the target model (that is, a hidden layer in the target model, etc.) to obtain a corresponding processing result, and the processing result may be output by a decoder in the target model (that is, an output layer in the target model, etc.) to obtain a corresponding output result, and corresponding loss information (that is, first loss information) may be obtained by linearizing a loss function (that is, a first loss function) in the field of the target training sample, through the above manner, the characterization vector (i.e., the embedded Embedding vector) corresponding to the target training sample and the first loss information corresponding to the first loss function can be obtained.
In step S312, based on the characterization vector corresponding to each training sample and the first loss information corresponding to the first loss function, the target model is trained through a preset gradient-based adversarial attack algorithm, so as to obtain a trained target model.
In implementation, based on the characterization vector corresponding to the target training sample and the first loss information corresponding to the first loss function, the first loss function of the target model can be used to calculate the gradient for the input target training sample, from which an adversarial perturbation is obtained. The adversarial perturbation can then be added to the target training sample to generate an adversarial sample. The loss function is linearized in the neighborhood of the target training sample, and the exact maximum of the linearized function is found by a specified algorithm, which yields the corresponding gradient; the parameters in the target model can be updated based on this gradient. The other training samples can then be processed in the same way to update the parameters in the target model, and finally a target function whose parameters are more accurate and have converged, namely the trained target model, can be obtained.
In practical applications, the gradient-based adversarial attack algorithm may include a fast gradient ascent algorithm, and accordingly, the specific processing of step S312 may be implemented as follows:
As shown in fig. 4, after the characterization vector corresponding to the target training sample and the first loss information corresponding to the first loss function are obtained in the above manner, the above processing may be back-propagated to obtain the corresponding first gradient information. The corresponding adversarial perturbation may then be calculated based on the characterization vector corresponding to the target training sample and added to that characterization vector (that is, the Embedding vector) to obtain the corresponding adversarial sample. The loss information corresponding to the adversarial sample may be calculated and back-propagated to obtain the corresponding second gradient information, and the second gradient information may be accumulated onto the first gradient information. The characterization vector at this point (that is, the Embedding vector) may then be restored to the characterization vector corresponding to the target training sample, and the corresponding parameters in the target model may be updated according to the first gradient information onto which the second gradient information has been accumulated. The other training samples can then be processed in the same way to update the parameters in the target model, and finally a target function whose parameters are more accurate and have converged, namely the trained target model, can be obtained.
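The fast gradient ascent training step described above can be followed in code. The sketch below is an added example, not code from the patent: it assumes a logistic-regression target model, identity vectorization, Gaussian noise, and the usual fast-gradient perturbation r = eps * g / ||g||, none of which the patent specifies; all names, hyperparameters and data are hypothetical and constructed.

```python
import math
import random

def loss_and_grads(e, w, b, y):
    """First loss function (logistic loss, an assumption) on one characterization
    vector e. Returns the loss and its gradients w.r.t. w, b and e."""
    z = sum(wi * ei for wi, ei in zip(w, e)) + b
    p = 1.0 / (1.0 + math.exp(-max(min(z, 30.0), -30.0)))  # clipped for stability
    loss = -(y * math.log(p) + (1 - y) * math.log(1.0 - p))
    dz = p - y
    return loss, [dz * ei for ei in e], dz, [dz * wi for wi in w]

def fgm_perturbation(g_e, eps):
    """Adversarial perturbation r = eps * g / ||g||_2 (zero vector if g vanishes)."""
    norm = math.sqrt(sum(g * g for g in g_e))
    if norm == 0.0:
        return [0.0] * len(g_e)
    return [eps * g / norm for g in g_e]

def make_noisy_split(samples, ratio, sigma, rng):
    """Select int(ratio * N) first samples at random and add random noise to them.
    Returns (remaining first samples, second samples)."""
    idx = list(range(len(samples)))
    rng.shuffle(idx)
    k = int(ratio * len(samples))
    remaining = [samples[i] for i in idx[k:]]
    noisy = [([v + rng.gauss(0.0, sigma) for v in samples[i][0]], samples[i][1])
             for i in idx[:k]]
    return remaining, noisy

def fgm_train(samples, ratio=0.25, sigma=0.3, eps=0.5, lr=0.1, epochs=20, seed=7):
    """Train on remaining + noisy samples, accumulating clean and adversarial gradients."""
    rng = random.Random(seed)
    remaining, noisy = make_noisy_split(samples, ratio, sigma, rng)
    train = remaining + noisy
    w, b = [0.0] * len(train[0][0]), 0.0
    for _ in range(epochs):
        rng.shuffle(train)
        for x, y in train:
            e = list(x)  # vectorization is the identity here (assumption)
            _, gw1, gb1, ge1 = loss_and_grads(e, w, b, y)      # first gradient
            r = fgm_perturbation(ge1, eps)
            e_adv = [ei + ri for ei, ri in zip(e, r)]          # adversarial sample
            _, gw2, gb2, _ = loss_and_grads(e_adv, w, b, y)    # second gradient
            # e was never overwritten, which plays the role of the restore step.
            w = [wi - lr * (g1 + g2) for wi, g1, g2 in zip(w, gw1, gw2)]
            b -= lr * (gb1 + gb2)
    return w, b

def accuracy(samples, w, b, eps=0.0):
    """Accuracy when every sample is shifted by a fast-gradient perturbation of size eps."""
    hits = 0
    for x, y in samples:
        _, _, _, ge = loss_and_grads(x, w, b, y)
        r = fgm_perturbation(ge, eps)
        z = sum(wi * (xi + ri) for wi, xi, ri in zip(w, x, r)) + b
        hits += int((z > 0) == (y == 1))
    return hits / len(samples)

def constructed_samples(n=200, seed=1):
    """Constructed two-class data: class 1 around (2, 2), class 0 around (-2, -2)."""
    rng = random.Random(seed)
    out = []
    for i in range(n):
        y = i % 2
        c = 2.0 if y else -2.0
        out.append(([rng.gauss(c, 0.5), rng.gauss(c, 0.5)], y))
    return out

if __name__ == "__main__":
    data = constructed_samples()
    w, b = fgm_train(data)
    print("clean accuracy:", accuracy(data, w, b))
    print("accuracy under eps=0.5 perturbation:", accuracy(data, w, b, eps=0.5))
```

Comparing `accuracy(..., eps=0.0)` with `accuracy(..., eps=0.5)` on held-out data is a simple robustness check to run before and after enabling the adversarial step.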
In practical applications, the specific processing manner of step S312 may be various, and the following alternative processing manner is provided, which may specifically include the following: training the target model through a fast gradient ascent algorithm and a preset second loss function and a third loss function based on the characterization vector corresponding to each training sample and the first loss information corresponding to the first loss function to obtain the trained target model, wherein the second loss function is a loss function corresponding to the training sample obtained by adding corresponding noise data to each training sample, and the third loss function is a loss function corresponding to initial data used for predicting each training sample.
In implementation, as shown in fig. 4, after the characterization vector corresponding to the target training sample and the first loss information corresponding to the first loss function are obtained in the above manner, the above processing may be back-propagated to obtain the corresponding first gradient information. The corresponding adversarial perturbation may then be calculated based on the characterization vector corresponding to the target training sample and added to that characterization vector (that is, the Embedding vector) to obtain the corresponding adversarial sample. The loss information corresponding to the adversarial sample may be calculated through the second loss function and the third loss function respectively, giving the loss information corresponding to the training sample obtained after the corresponding noise data is added to the target training sample, and the loss information corresponding to the initial data used for predicting the target training sample. This may then be back-propagated to obtain the corresponding second gradient information, and the second gradient information may be accumulated onto the first gradient information. The characterization vector at this point (that is, the Embedding vector) may then be restored to the characterization vector corresponding to the target training sample, and the corresponding parameters in the target model may be updated according to the first gradient information onto which the second gradient information has been accumulated. The other training samples can then be processed in the same way to update the parameters in the target model, and finally a target function whose parameters are accurate and have converged, namely the trained target model, can be obtained.
The embodiment of the present specification provides a method for training a model, which includes obtaining a first number of first training samples, selecting a second number of first training samples from the first number of first training samples, adding corresponding noise data to the second number of first training samples to obtain a second number of second training samples, and training a target model through a preset gradient-based adversarial attack algorithm based on the remaining first training samples and the second number of second training samples to obtain a trained target model. In this way, noise data is added to a part of the first training samples to generate the second training samples, and training on the first training samples and the second training samples in combination with the gradient-based adversarial attack algorithm improves the attack resistance of the trained target model and the robustness of the target model. The performance of the target model is therefore ensured, the probability of model degradation can be effectively reduced, and black-market attacks can be effectively resisted.
Example three
As shown in fig. 5A and 5B, the execution subject of the method may be a blockchain system, where the blockchain system may be composed of terminal devices and/or servers. The terminal device may be a mobile terminal device such as a mobile phone or a tablet computer, or a device such as a personal computer. The server may be an independent server or a server cluster composed of a plurality of servers, and may be a backend server of a service such as a financial service or an online shopping service, or a backend server of an application program. The method can be applied to scenarios involving model training and the like, and may specifically include the following steps:
In step S502, training rule information of the target model is obtained, a corresponding smart contract is generated by using the training rule information of the target model, and the smart contract is deployed in the blockchain system.
A smart contract may be a computer protocol intended to propagate, verify or execute a contract in an informatized manner. It allows trusted interactions without a third party, the course of such interactions being traceable and irreversible, and it includes protocols under which the contract participants can carry out the rights and obligations they have agreed upon.
In implementation, in order to make the training process of the target model more traceable, a specified blockchain system may be created or joined, so that the target model can be trained based on the blockchain system. Specifically, a corresponding application program may be installed in a blockchain node, an input box and/or a selection box for the training rule information of the target model may be provided in the application program, and the corresponding information may be set in the input box and/or the selection box. The blockchain system may then receive the training rule information of the target model. The blockchain system can generate a corresponding smart contract from the training rule information of the target model and deploy the smart contract into the blockchain system, so that the training rule information of the target model and the corresponding smart contract are stored in the blockchain system, other users cannot tamper with them, and the blockchain system performs the training of the target model through the smart contract.
In step S504, the smart contract is invoked to obtain a first number of first training samples.
In implementation, relevant rule information for obtaining the first training samples may be set in the smart contract, so that the corresponding processing can be implemented based on the rule information in the smart contract. For details, refer to the relevant content above, which is not repeated here.
In step S506, based on the smart contract, a second number of first training samples are selected from the first number of first training samples, and corresponding noise data is added to the second number of first training samples, respectively, so as to obtain a second number of second training samples.
The second number and the first number satisfy a preset proportional relationship.
In implementation, the smart contract may be provided with relevant rule information for selecting a second number of first training samples from the first number of first training samples and adding corresponding noise data to the second number of first training samples, so that the corresponding processing can be implemented based on the rule information in the smart contract. For details, refer to the relevant content above, which is not repeated here.
In practical applications, there may be various ways of selecting, based on the smart contract in step S506, the second number of first training samples from the first number of first training samples. One optional way is provided below, which may specifically include the following: based on the smart contract, a preset sample selection strategy is adopted to select a second number of first training samples from the first number of first training samples.
In practical applications, there may be various ways of adding, based on the smart contract in step S506, the corresponding noise data to the second number of first training samples to obtain the second number of second training samples. One optional way is provided below, which may specifically include the processing of the following steps A2 and A4.
In step A2, noise data corresponding to each of the second number of first training samples is respectively obtained based on the smart contract.
In implementation, the smart contract may be provided with relevant rule information for respectively obtaining the noise data corresponding to each of the second number of first training samples, so that the corresponding processing can be implemented based on the rule information in the smart contract. For details, refer to the relevant content above, which is not repeated here.
In practical applications, the processing of step A2 may be performed in various ways. One optional way is provided below, which may specifically include the following: noise data is randomly generated for each of the second number of first training samples, respectively, based on the smart contract.
In implementation, the smart contract may be provided with relevant rule information for randomly generating noise data for each of the second number of first training samples, so that the corresponding processing can be implemented based on the rule information in the smart contract. For details, refer to the relevant content above, which is not repeated here.
In step A4, based on the smart contract, the corresponding noise data is added to each of the second number of first training samples using the obtained noise data, so as to obtain a second number of second training samples.
In implementation, the smart contract may be provided with relevant rule information for adding the corresponding noise data to each of the second number of first training samples using the obtained noise data, so that the corresponding processing can be implemented based on the rule information in the smart contract. For details, refer to the relevant content above, which is not repeated here.
In step S508, based on the smart contract, the target model is trained by using the remaining first training samples and the second number of second training samples through a preset gradient-based adversarial attack algorithm, so as to obtain a trained target model.
In implementation, the smart contract may be provided with relevant rule information for training the target model by using the remaining first training samples and the second number of second training samples through a preset gradient-based adversarial attack algorithm, so that the corresponding processing can be implemented based on the rule information in the smart contract. For details, refer to the relevant content above, which is not repeated here.
In practical applications, the target model may be stored in the blockchain system, or may be stored in another storage device. Consider the case where the target model is stored in another storage device. The target model may need to be updated periodically or aperiodically, and because the blockchain system is tamper-resistant, storing the target model in the blockchain system would require the target model to be frequently uploaded and deleted and the uploader to be frequently authenticated, which increases the processing pressure on the blockchain system. To improve processing efficiency and reduce that pressure, the target model may be stored in advance at a designated storage address of the storage device, and the storage address (that is, the index information) may be uploaded to the blockchain system. Because the storage address can be fixed and is stored in the blockchain system, the tamper resistance of the data in the blockchain system is ensured, while the target model can still be updated periodically or aperiodically in the storage device.
In practical applications, the processing of step S508 may be performed in various ways. One optional way is provided below, which may specifically include the processing of the following steps B2 and B4.
In step B2, based on the smart contract, the target model is trained through a preset first loss function using the remaining first training samples and the second number of second training samples, so as to obtain a characterization vector corresponding to each training sample and first loss information corresponding to the first loss function, where the training samples include the remaining first training samples and the second number of second training samples.
In implementation, the smart contract may be provided with relevant rule information for training the target model by using the remaining first training samples and the second number of second training samples through a preset first loss function, so that the corresponding processing can be implemented based on the rule information in the smart contract. For details, refer to the relevant content above, which is not repeated here.
In step B4, based on the smart contract, the characterization vector corresponding to each training sample and the first loss information corresponding to the first loss function are used to train the target model through a preset gradient-based adversarial attack algorithm, so as to obtain a trained target model.
The gradient-based adversarial attack algorithm includes a fast gradient ascent algorithm.
In implementation, the smart contract may be provided with relevant rule information for training the target model through a preset gradient-based adversarial attack algorithm using the characterization vector corresponding to each training sample and the first loss information corresponding to the first loss function, so that the corresponding processing can be implemented based on the rule information in the smart contract. For details, refer to the relevant content above, which is not repeated here.
In practical applications, the processing of step B4 may be performed in various ways. One optional way is provided below, which may specifically include the following: based on the smart contract, the target model is trained by using the characterization vector corresponding to each training sample and the first loss information corresponding to the first loss function through a fast gradient ascent algorithm and a preset second loss function and third loss function to obtain the trained target model, where the second loss function is a loss function corresponding to the training sample obtained by adding corresponding noise data to each training sample, and the third loss function is a loss function corresponding to the initial data used for predicting each training sample.
In implementation, the smart contract may be provided with relevant rule information for training the target model through a fast gradient ascent algorithm and a preset second loss function and third loss function using the characterization vector corresponding to each training sample and the first loss information corresponding to the first loss function, so that the corresponding processing can be implemented based on the rule information in the smart contract. For details, refer to the relevant content above, which is not repeated here.
In practical applications, the processing of step S508 may be performed in various ways. Another optional way is provided below, which may specifically include the processing of the following steps C2 and C4.
In step C2, index information of the target model is obtained from the blockchain system based on the smart contract, and the target model is obtained from the target storage device based on the index information.
The index information can be used to record information such as the location where the target model is stored, and the corresponding target model can be found quickly through the index information. Once the index information is stored in the blockchain system, its content cannot be modified, that is, the storage location of the target model that the index information points to cannot be changed, so the index information is protected against malicious tampering.
In implementation, in order to ensure the integrity of the index information of the target model and prevent it from being tampered with, the index information of the target model may be uploaded to the blockchain system. Specifically, in order to record the target model, the index information of the target model may be set in advance according to actual conditions. For example, a target storage device in which the target model can be stored may be set in advance, and the index information and the like may then be generated based on the set target storage device. After the index information is set, it may be uploaded to the blockchain system.
In step C4, based on the smart contract, the target model is trained by using the remaining first training samples and the second number of second training samples through a preset gradient-based adversarial attack algorithm, so as to obtain a trained target model.
For the specific processing in steps S504 to S508 above, refer to the relevant content in the first and second embodiments above; that is, the various processing involved in the first and second embodiments can be implemented by corresponding smart contracts.
The embodiment of the specification provides a model training method applied to a blockchain system. Training rule information of a target model is acquired, a corresponding smart contract is generated by using the training rule information of the target model, and the smart contract is deployed into the blockchain system. The smart contract is called to acquire a first number of first training samples; based on the smart contract, a second number of first training samples are selected from the first number of first training samples, and corresponding noise data is added to the second number of first training samples respectively to obtain a second number of second training samples. Finally, based on the smart contract, the target model is trained by using the remaining first training samples and the second number of second training samples through a preset gradient-based adversarial attack algorithm to obtain the trained target model. In this way, noise data is added to a part of the first training samples to generate the second training samples, and training on the first training samples and the second training samples in combination with the gradient-based adversarial attack algorithm improves the attack resistance of the trained target model and the robustness of the target model, so that the performance of the target model is ensured, the probability of model degradation can be effectively reduced, and black-market attacks can be effectively resisted.
Example four
Based on the same idea as the model training method provided above, the embodiment of the present specification further provides a training device for a model, as shown in fig. 6.
The training device of the model comprises: a sample acquisition module 601, a sample processing module 602, and a training module 603, wherein:
a sample obtaining module 601, configured to obtain a first number of first training samples;
the sample processing module 602 selects a second number of first training samples from the first number of first training samples, and adds corresponding noise data to the second number of first training samples, respectively, to obtain a second number of second training samples;
the training module 603 trains the target model through a preset gradient-based adversarial attack algorithm based on the remaining first training samples and the second number of second training samples to obtain the trained target model.
In the embodiments of the present specification, a preset proportional relationship is satisfied between the second number and the first number.
In this embodiment of the present disclosure, the sample processing module 602 selects a second number of first training samples from the first number of first training samples based on a preset sample selection policy.
In this embodiment, the sample processing module 602 includes:
the noise acquisition unit is used for respectively acquiring noise data corresponding to each first training sample in the second number of first training samples;
and the noise adding unit is used for respectively adding corresponding noise data to each first training sample in a second number of first training samples based on the acquired noise data to obtain the second number of second training samples.
In this embodiment, the noise obtaining unit randomly generates noise data for each of the second number of first training samples.
In this embodiment, the training module 603 includes:
the first training unit is used for training a target model through a preset first loss function based on the remaining first training samples and the second number of second training samples to obtain a characterization vector corresponding to each training sample and first loss information corresponding to the first loss function, wherein the training samples comprise the remaining first training samples and the second number of second training samples;
and the second training unit is used for training the target model through a preset gradient-based adversarial attack algorithm based on the characterization vector corresponding to each training sample and the first loss information corresponding to the first loss function to obtain the trained target model.
In an embodiment of the present specification, the gradient-based adversarial attack algorithm includes a fast gradient ascent algorithm.
In an embodiment of this specification, the second training unit trains a target model through the fast gradient ascent algorithm and a preset second loss function and a third loss function based on the characterization vector corresponding to each training sample and the first loss information corresponding to the first loss function to obtain the trained target model, where the second loss function is a loss function corresponding to a training sample obtained by adding corresponding noise data to each training sample, and the third loss function is a loss function corresponding to initial data used for predicting each training sample.
The embodiment of the present specification provides a training device for a model, which obtains a first number of first training samples, selects a second number of first training samples from the first number of first training samples, adds corresponding noise data to the second number of first training samples respectively to obtain a second number of second training samples, and trains a target model through a preset gradient-based adversarial attack algorithm based on the remaining first training samples and the second number of second training samples to obtain a trained target model. In this way, noise data is added to a part of the first training samples to generate the second training samples, and training on the first training samples and the second training samples in combination with the gradient-based adversarial attack algorithm improves the attack resistance of the trained target model and the robustness of the target model. The performance of the target model is therefore ensured, the probability of model degradation can be effectively reduced, and black-market attacks can be effectively resisted.
Example five
Based on the same idea, the embodiment of the present specification further provides a training device for a model, which is a device in a blockchain system, as shown in fig. 7.
The training device of the model comprises: a contract deployment module 701, a sample acquisition module 702, a sample processing module 703, and a training module 704, wherein:
the contract deployment module 701 is used for acquiring training rule information of a target model, generating a corresponding smart contract by using the training rule information of the target model, and deploying the smart contract into the blockchain system;
a sample obtaining module 702, configured to call the smart contract to obtain a first number of first training samples;
the sample processing module 703 is configured to select a second number of first training samples from the first number of first training samples based on the smart contract, and add corresponding noise data to the second number of first training samples, respectively, to obtain a second number of second training samples;
and the training module 704 is used for training the target model through a preset gradient-based adversarial attack algorithm by using the remaining first training samples and the second number of second training samples based on the smart contract to obtain the trained target model.
In this embodiment, the training module 704 includes:
the model obtaining unit is used for obtaining the index information of the target model from the blockchain system based on the smart contract and obtaining the target model from the target storage device based on the index information;
and the training unit is used for training the target model by using the remaining first training samples and the second number of second training samples through a preset gradient-based adversarial attack algorithm based on the smart contract to obtain the trained target model.
In the embodiments of the present specification, a preset proportional relationship is satisfied between the second number and the first number.
In this embodiment of the present specification, the sample processing module 703 selects a second number of first training samples from the first number of first training samples by using a preset sample selection strategy based on the smart contract.
In this embodiment, the sample processing module 704 includes:
the noise acquisition unit is used for respectively acquiring noise data corresponding to each first training sample in a second number of first training samples based on the smart contract;
and the noise adding unit is used for respectively adding corresponding noise data into each first training sample in a second number of first training samples according to the acquired noise data based on the smart contract to obtain the second number of second training samples.
In an embodiment of the present specification, the noise obtaining unit randomly generates noise data for each of the second number of first training samples based on the smart contract.
In this embodiment, the training module 704 includes:
the first training unit is used for training a target model through a preset first loss function by using the remaining first training samples and the second number of second training samples based on the intelligent contract to obtain a characterization vector corresponding to each training sample and first loss information corresponding to the first loss function, wherein the training samples comprise the remaining first training samples and the second number of second training samples;
and the second training unit is used for training a target model through a preset gradient-based counter attack algorithm by using the characterization vector corresponding to each training sample and the first loss information corresponding to the first loss function based on the intelligent contract to obtain the trained target model.
In an embodiment of the present specification, the gradient-based counter-attack algorithm includes a fast gradient-rise algorithm.
In an embodiment of this specification, based on the intelligent contract, the second training unit trains a target model by using the characterization vector corresponding to each training sample and the first loss information corresponding to the first loss function through the fast gradient ascent algorithm and a preset second loss function and a third loss function to obtain the trained target model, where the second loss function is a loss function corresponding to a training sample obtained by adding corresponding noise data to each training sample, and the third loss function is a loss function corresponding to initial data used for predicting each training sample.
The embodiment of the present specification provides a training apparatus for a model, which obtains training rule information of a target model, generates a corresponding intelligent contract by using the training rule information of the target model, deploys the intelligent contract into a block chain system, calls the intelligent contract, obtains a first number of first training samples, selects a second number of first training samples from the first number of first training samples based on the intelligent contract, and adds corresponding noise data to the second number of first training samples to obtain a second number of second training samples, and finally, trains the target model by using a preset gradient-based countermeasure attack algorithm based on the remaining first training samples and the second number of second training samples based on the intelligent contract to obtain a trained target model, such that a part of the first training samples is added to the noise data to generate the second training samples, then, based on the first training sample and the second training sample, and in combination with the gradient-based anti-attack algorithm, the anti-attack capability of the trained target model can be improved, and the robustness of the target model can be improved, so that the performance of the target model can be ensured, the probability of model recession can be effectively reduced, and black-field attack can be effectively resisted.
EXAMPLE six
Based on the same idea as the training apparatus for the model provided above, the embodiment of the present specification further provides a training device for the model, as shown in Fig. 8.
The training device of the model may be the terminal device, the server, or the device in the blockchain system provided in the above embodiments.
The training device of the model may vary significantly depending on configuration or performance, and may include one or more processors 801 and a memory 802, where the memory 802 may store one or more applications or data. The memory 802 may be transient storage or persistent storage. The application program stored in the memory 802 may include one or more modules (not shown), each of which may include a series of computer-executable instructions for the training device of the model. Still further, the processor 801 may be configured to communicate with the memory 802 and to execute, on the training device of the model, the series of computer-executable instructions in the memory 802. The training device of the model may also include one or more power supplies 803, one or more wired or wireless network interfaces 804, one or more input-output interfaces 805, and one or more keyboards 806.
In particular, in this embodiment, the training apparatus for the model includes a memory, and one or more programs, wherein the one or more programs are stored in the memory, and the one or more programs may include one or more modules, and each module may include a series of computer-executable instructions for the training apparatus for the model, and the one or more programs configured to be executed by the one or more processors include computer-executable instructions for:
obtaining a first number of first training samples;
selecting a second number of first training samples from the first number of first training samples, and adding corresponding noise data into the second number of first training samples respectively to obtain a second number of second training samples;
and training the target model through a preset gradient-based counter attack algorithm based on the remaining first training samples and the second number of second training samples to obtain the trained target model.
In the embodiments of the present specification, a preset proportional relationship is satisfied between the second number and the first number.
In an embodiment of this specification, the selecting a second number of first training samples from the first number of first training samples includes:
and selecting a second number of first training samples from the first number of first training samples based on a preset sample selection strategy.
In this embodiment of the present specification, the adding corresponding noise data to a second number of first training samples to obtain the second number of second training samples respectively includes:
respectively acquiring noise data corresponding to each first training sample in a second number of first training samples;
and respectively adding corresponding noise data to each first training sample in a second number of first training samples based on the acquired noise data to obtain the second number of second training samples.
In an embodiment of this specification, the obtaining noise data corresponding to each of the second number of first training samples respectively includes:
noise data is randomly generated for each of a second number of first training samples, respectively.
In an embodiment of this specification, the training a target model through a preset gradient-based counter attack algorithm based on the remaining first training samples and the second number of second training samples to obtain a trained target model includes:
training a target model through a preset first loss function based on the remaining first training samples and the second number of second training samples to obtain a characterization vector corresponding to each training sample and first loss information corresponding to the first loss function, wherein the training samples comprise the remaining first training samples and the second number of second training samples;
and training a target model through a preset gradient-based counter attack algorithm based on the characterization vector corresponding to each training sample and the first loss information corresponding to the first loss function to obtain the trained target model.
In an embodiment of the present specification, the gradient-based counter attack algorithm includes a fast gradient ascent algorithm.
In an embodiment of this specification, the training a target model through a preset gradient-based counter attack algorithm based on the characterization vector corresponding to each training sample and the first loss information corresponding to the first loss function to obtain a trained target model includes:
training a target model through the fast gradient ascent algorithm and a preset second loss function and a third loss function based on the characterization vector corresponding to each training sample and the first loss information corresponding to the first loss function to obtain the trained target model, wherein the second loss function is a loss function corresponding to the training sample obtained by adding corresponding noise data to each training sample, and the third loss function is a loss function corresponding to initial data used for predicting each training sample.
Further, in particular embodiments, the training apparatus for the model includes a memory, and one or more programs, wherein the one or more programs are stored in the memory, and the one or more programs may include one or more modules, and each module may include a series of computer-executable instructions for the training apparatus for the model, and the one or more programs configured to be executed by the one or more processors include computer-executable instructions for:
acquiring training rule information of a target model, generating a corresponding intelligent contract by adopting the training rule information of the target model, and deploying the intelligent contract into the block chain system;
calling the intelligent contract to obtain a first number of first training samples;
based on the intelligent contract, selecting a second number of first training samples from the first number of first training samples, and respectively adding corresponding noise data into the second number of first training samples to obtain a second number of second training samples;
and based on the intelligent contract, training the target model by using the remaining first training samples and the second training samples in the second quantity through a preset gradient-based counter attack algorithm to obtain the trained target model.
In an embodiment of this specification, the training the target model by using the remaining first training samples and the second number of second training samples through a preset gradient-based counter attack algorithm based on the intelligent contract to obtain a trained target model includes:
acquiring index information of the target model from the block chain system based on the intelligent contract, and acquiring the target model from a target storage device based on the index information;
and based on the intelligent contract, training the target model by using the remaining first training samples and the second training samples in the second quantity through a preset gradient-based counter attack algorithm to obtain the trained target model.
The embodiment of the present specification provides a training device for a model. The device obtains a first number of first training samples, selects a second number of first training samples from the first number of first training samples, and adds corresponding noise data to the second number of first training samples to obtain a second number of second training samples. It then trains a target model through a preset gradient-based counter attack algorithm based on the remaining first training samples and the second number of second training samples to obtain a trained target model. Because noise data is added to a part of the first training samples to generate the second training samples, and the target model is then trained on the first training samples and the second training samples in combination with the gradient-based counter attack algorithm, the anti-attack capability and the robustness of the trained target model can be improved, so that the performance of the target model is ensured, the probability of model recession can be effectively reduced, and black field attack can be effectively resisted.
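The steps of this embodiment (select a preset proportion of the first training samples, add random noise to them, then train with a fast gradient perturbation) can be sketched as follows. This is an added example, not code from the patent: the logistic model, uniform random selection, Gaussian noise, the use of the input features as the characterization vector, the constructed data and all parameter values are assumptions, and the third loss function is not modelled.

```python
import math
import random

def predict(w, b, x):
    """Logistic target model (assumed): P(y = 1 | x)."""
    z = sum(wi * xi for wi, xi in zip(w, x)) + b
    return 1.0 / (1.0 + math.exp(-max(-60.0, min(60.0, z))))

def log_loss(w, b, x, y):
    """Per-sample cross-entropy, used here as the first loss function."""
    p = min(max(predict(w, b, x), 1e-12), 1.0 - 1e-12)
    return -(y * math.log(p) + (1 - y) * math.log(1.0 - p))

def add_noise_to_subset(samples, ratio, sigma, rng):
    """Pick int(ratio * N) first samples (uniformly at random: assumed strategy)
    and add Gaussian noise to their features; labels stay unchanged."""
    picked = set(rng.sample(range(len(samples)), int(len(samples) * ratio)))
    mixed = []
    for i, (x, y) in enumerate(samples):
        if i in picked:
            x = [xi + rng.gauss(0.0, sigma) for xi in x]
        mixed.append((list(x), y))
    return mixed, picked

def fgm_perturb(w, b, x, y, eps):
    """Fast gradient ascent step: x + eps * g / ||g||, g = dL/dx = (p - y) * w."""
    p = predict(w, b, x)
    g = [(p - y) * wi for wi in w]
    norm = math.sqrt(sum(gi * gi for gi in g))
    if norm == 0.0:  # zero gradient: no direction to ascend
        return list(x)
    return [xi + eps * gi / norm for xi, gi in zip(x, g)]

def train(samples, eps, rng, epochs=20, lr=0.1):
    """SGD on the loss of each sample and, when eps > 0, on the loss of its
    perturbed copy (standing in for the second loss function)."""
    w, b = [0.0] * len(samples[0][0]), 0.0
    for _ in range(epochs):
        order = list(range(len(samples)))
        rng.shuffle(order)
        for i in order:
            x, y = samples[i]
            views = [x] if eps == 0 else [x, fgm_perturb(w, b, x, y, eps)]
            for xv in views:
                err = predict(w, b, xv) - y  # dL/dz for the logistic loss
                w = [wi - lr * err * xi for wi, xi in zip(w, xv)]
                b -= lr * err
    return w, b

def accuracy(w, b, samples, eps=0.0):
    """Accuracy on the samples, or on their perturbed copies when eps > 0."""
    hits = 0
    for x, y in samples:
        xv = fgm_perturb(w, b, x, y, eps) if eps > 0 else x
        hits += int((predict(w, b, xv) >= 0.5) == (y == 1))
    return hits / len(samples)

def make_blobs(n, rng):
    """Constructed sample data: two Gaussian clusters around (2, 2) and (-2, -2)."""
    data = []
    for i in range(n):
        y = i % 2
        c = 2.0 if y == 1 else -2.0
        data.append(([c + rng.gauss(0.0, 0.5), c + rng.gauss(0.0, 0.5)], y))
    return data

def run_demo(seed=7):
    rng = random.Random(seed)
    first = make_blobs(200, rng)     # first number of first training samples
    held_out = make_blobs(200, rng)  # evaluation data, never trained on
    mixed, picked = add_noise_to_subset(first, ratio=0.25, sigma=0.3, rng=rng)
    report = {"n_noisy": len(picked)}
    for name, eps in (("baseline", 0.0), ("adversarial", 0.5)):
        w, b = train(mixed, eps, rng)
        report[name] = {"clean": accuracy(w, b, held_out),
                        "robust": accuracy(w, b, held_out, eps=1.0)}
    return report

if __name__ == "__main__":
    print(run_demo())
```

Comparing the "robust" figures of the two runs shows how much accuracy each model keeps when every held-out sample is pushed along its own loss gradient.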
EXAMPLE seven
Further, based on the methods shown in Fig. 1 to Fig. 5B, one or more embodiments of the present specification further provide a storage medium for storing computer-executable instruction information. In a specific embodiment, the storage medium may be a USB disk, an optical disk, a hard disk, or the like, and the computer-executable instruction information stored in the storage medium, when executed by a processor, implements the following processes:
obtaining a first number of first training samples;
selecting a second number of first training samples from the first number of first training samples, and adding corresponding noise data into the second number of first training samples respectively to obtain a second number of second training samples;
and training the target model through a preset gradient-based counter attack algorithm based on the remaining first training samples and the second number of second training samples to obtain the trained target model.
In the embodiments of the present specification, a preset proportional relationship is satisfied between the second number and the first number.
In an embodiment of this specification, the selecting a second number of first training samples from the first number of first training samples includes:
and selecting a second number of first training samples from the first number of first training samples based on a preset sample selection strategy.
In this embodiment of the present specification, the adding corresponding noise data to a second number of first training samples to obtain the second number of second training samples respectively includes:
respectively acquiring noise data corresponding to each first training sample in a second number of first training samples;
and respectively adding corresponding noise data to each first training sample in a second number of first training samples based on the acquired noise data to obtain the second number of second training samples.
In an embodiment of this specification, the obtaining noise data corresponding to each of the second number of first training samples respectively includes:
noise data is randomly generated for each of a second number of first training samples, respectively.
In an embodiment of this specification, the training a target model through a preset gradient-based counter attack algorithm based on the remaining first training samples and the second number of second training samples to obtain a trained target model includes:
training a target model through a preset first loss function based on the remaining first training samples and the second number of second training samples to obtain a characterization vector corresponding to each training sample and first loss information corresponding to the first loss function, wherein the training samples comprise the remaining first training samples and the second number of second training samples;
and training a target model through a preset gradient-based counter attack algorithm based on the characterization vector corresponding to each training sample and the first loss information corresponding to the first loss function to obtain the trained target model.
In an embodiment of the present specification, the gradient-based counter attack algorithm includes a fast gradient ascent algorithm.
In an embodiment of this specification, the training a target model through a preset gradient-based counter attack algorithm based on the characterization vector corresponding to each training sample and the first loss information corresponding to the first loss function to obtain a trained target model includes:
training a target model through the fast gradient ascent algorithm and a preset second loss function and a third loss function based on the characterization vector corresponding to each training sample and the first loss information corresponding to the first loss function to obtain the trained target model, wherein the second loss function is a loss function corresponding to the training sample obtained by adding corresponding noise data to each training sample, and the third loss function is a loss function corresponding to initial data used for predicting each training sample.
In another specific embodiment, the storage medium may be a USB disk, an optical disk, a hard disk, or the like, and the computer-executable instruction information stored in the storage medium, when executed by a processor, implements the following process:
In another specific embodiment, the storage medium may be a usb disk, an optical disk, a hard disk, or the like, and when executed by the processor, the storage medium stores computer-executable instruction information that implements the following process:
acquiring training rule information of a target model, generating a corresponding intelligent contract by adopting the training rule information of the target model, and deploying the intelligent contract into the block chain system;
calling the intelligent contract to obtain a first number of first training samples;
based on the intelligent contract, selecting a second number of first training samples from the first number of first training samples, and respectively adding corresponding noise data into the second number of first training samples to obtain a second number of second training samples;
and based on the intelligent contract, training the target model by using the remaining first training samples and the second training samples in the second quantity through a preset gradient-based counter attack algorithm to obtain the trained target model.
In an embodiment of this specification, the training the target model by using the remaining first training samples and the second number of second training samples through a preset gradient-based counter attack algorithm based on the intelligent contract to obtain a trained target model includes:
acquiring index information of the target model from the block chain system based on the intelligent contract, and acquiring the target model from a target storage device based on the index information;
and based on the intelligent contract, training the target model by using the remaining first training samples and the second training samples in the second quantity through a preset gradient-based counter attack algorithm to obtain the trained target model.
The embodiment of the present specification provides a storage medium. With it, a first number of first training samples is obtained, a second number of first training samples is selected from the first number of first training samples, and corresponding noise data is added to the second number of first training samples to obtain a second number of second training samples. A target model is then trained through a preset gradient-based counter attack algorithm based on the remaining first training samples and the second number of second training samples to obtain a trained target model. Because noise data is added to a part of the first training samples to generate the second training samples, and the target model is then trained on the first training samples and the second training samples in combination with the gradient-based counter attack algorithm, the anti-attack capability and the robustness of the trained target model can be improved, so that the performance of the target model is ensured, the probability of model recession can be effectively reduced, and black field attack can be effectively resisted.
The foregoing description has been directed to specific embodiments of this disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims may be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may also be possible or may be advantageous.
In the 1990s, an improvement to a technology could be clearly distinguished as either an improvement in hardware (e.g., an improvement to a circuit structure such as a diode, a transistor, or a switch) or an improvement in software (an improvement to a method flow). However, as technology advances, many of today's method flow improvements can be regarded as direct improvements to hardware circuit structures. Designers almost always obtain the corresponding hardware circuit structure by programming an improved method flow into a hardware circuit. Thus, it cannot be said that an improvement to a method flow cannot be realized by hardware physical modules. For example, a Programmable Logic Device (PLD), such as a Field Programmable Gate Array (FPGA), is an integrated circuit whose logic functions are determined by the user programming the device. A designer "integrates" a digital system onto a PLD by programming it, without requiring a chip manufacturer to design and fabricate an application-specific integrated circuit chip. Furthermore, nowadays, instead of manually making integrated circuit chips, such programming is mostly implemented with "logic compiler" software, which is similar to the software compiler used in program development; the source code to be compiled must likewise be written in a specific programming language, called a Hardware Description Language (HDL). There is not just one HDL but many, such as ABEL (Advanced Boolean Expression Language), AHDL (Altera Hardware Description Language), Confluence, CUPL (Cornell University Programming Language), HDCal, JHDL (Java Hardware Description Language), Lava, Lola, MyHDL, PALASM, and RHDL (Ruby Hardware Description Language); VHDL (Very-High-Speed Integrated Circuit Hardware Description Language) and Verilog are the most commonly used at present.
It will also be apparent to those skilled in the art that hardware circuitry that implements the logical method flows can be readily obtained by merely slightly programming the method flows into an integrated circuit using the hardware description languages described above.
The controller may be implemented in any suitable manner. For example, the controller may take the form of a microprocessor or processor and a computer-readable medium storing computer-readable program code (e.g., software or firmware) executable by the (micro)processor, logic gates, switches, an Application Specific Integrated Circuit (ASIC), a programmable logic controller, or an embedded microcontroller. Examples of controllers include, but are not limited to, the following microcontrollers: ARC 625D, Atmel AT91SAM, Microchip PIC18F26K20, and Silicon Labs C8051F320. A memory controller may also be implemented as part of the control logic of the memory. Those skilled in the art will also appreciate that, in addition to implementing the controller as pure computer-readable program code, the same functionality can be implemented by logically programming the method steps such that the controller takes the form of logic gates, switches, application-specific integrated circuits, programmable logic controllers, embedded microcontrollers and the like. Such a controller may thus be considered a hardware component, and the means included therein for performing the various functions may also be considered as structures within the hardware component. The means for performing the functions may even be regarded both as software modules for performing the method and as structures within the hardware component.
The systems, devices, modules or units illustrated in the above embodiments may be implemented by a computer chip or an entity, or by a product with certain functions. One typical implementation device is a computer. In particular, the computer may be, for example, a personal computer, a laptop computer, a cellular telephone, a camera phone, a smartphone, a personal digital assistant, a media player, a navigation device, an email device, a game console, a tablet computer, a wearable device, or a combination of any of these devices.
For convenience of description, the above devices are described as being divided into various units by function, and are described separately. Of course, the functionality of the various elements may be implemented in the same one or more software and/or hardware implementations in implementing one or more embodiments of the present description.
As will be appreciated by one skilled in the art, embodiments of the present description may be provided as a method, system, or computer program product. Accordingly, one or more embodiments of the present description may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, one or more embodiments of the present description may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
Embodiments of the present description are described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the description. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable fraud case serial-parallel apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable fraud case serial-parallel apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable fraud case to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable fraud case serial-parallel apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include forms of volatile memory in a computer readable medium, Random Access Memory (RAM) and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media include both permanent and non-permanent, removable and non-removable media, and may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape or magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, a computer-readable medium does not include a transitory computer-readable medium such as a modulated data signal or a carrier wave.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
One or more embodiments of the present description may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. One or more embodiments of the specification may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices.
The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the system embodiment, since it is substantially similar to the method embodiment, the description is simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
The above description is only an example of the present specification, and is not intended to limit the present specification. Various modifications and alterations to this description will become apparent to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present specification should be included in the scope of the claims of the present specification.

Claims (16)

1. A method of training a model, the method comprising:
obtaining a first number of first training samples;
selecting a second number of first training samples from the first number of first training samples, and adding corresponding noise data into the second number of first training samples respectively to obtain a second number of second training samples;
and training the target model through a preset gradient-based counter attack algorithm based on the remaining first training samples and the second number of second training samples to obtain the trained target model.
2. The method of claim 1, wherein a preset proportional relationship is satisfied between the second number and the first number.
3. The method of claim 2, wherein said selecting a second number of first training samples from said first number of first training samples comprises:
and selecting a second number of first training samples from the first number of first training samples based on a preset sample selection strategy.
4. The method of claim 1, wherein adding respective noise data to a second number of first training samples to obtain the second number of second training samples comprises:
respectively acquiring noise data corresponding to each first training sample in a second number of first training samples;
and respectively adding corresponding noise data to each first training sample in a second number of first training samples based on the acquired noise data to obtain the second number of second training samples.
5. The method of claim 4, the separately obtaining noise data corresponding to each of the second number of first training samples, comprising:
noise data is randomly generated for each of a second number of first training samples, respectively.
6. The method of claim 4, wherein the training the target model based on the remaining first training samples and the second number of second training samples by a preset gradient-based counter attack algorithm to obtain a trained target model comprises:
training a target model through a preset first loss function based on the remaining first training samples and the second number of second training samples to obtain a characterization vector corresponding to each training sample and first loss information corresponding to the first loss function, wherein the training samples comprise the remaining first training samples and the second number of second training samples;
and training a target model through a preset gradient-based counter attack algorithm based on the characterization vector corresponding to each training sample and the first loss information corresponding to the first loss function to obtain the trained target model.
7. The method of claim 6, the gradient-based counter attack algorithm comprising a fast gradient ascent algorithm.
8. The method according to claim 7, wherein the training a target model through a preset gradient-based counter attack algorithm based on the characterization vector corresponding to each training sample and the first loss information corresponding to the first loss function to obtain a trained target model includes:
training a target model through the fast gradient ascent algorithm and a preset second loss function and a third loss function based on the characterization vector corresponding to each training sample and the first loss information corresponding to the first loss function to obtain the trained target model, wherein the second loss function is a loss function corresponding to the training sample obtained by adding corresponding noise data to each training sample, and the third loss function is a loss function corresponding to initial data used for predicting each training sample.
9. A training method of a model is applied to a block chain system, and comprises the following steps:
acquiring training rule information of a target model, generating a corresponding intelligent contract by adopting the training rule information of the target model, and deploying the intelligent contract into the block chain system;
calling the intelligent contract to obtain a first number of first training samples;
based on the intelligent contract, selecting a second number of first training samples from the first number of first training samples, and respectively adding corresponding noise data into the second number of first training samples to obtain a second number of second training samples;
and based on the intelligent contract, training the target model by using the remaining first training samples and the second training samples in the second quantity through a preset gradient-based counter attack algorithm to obtain the trained target model.
10. The method of claim 9, wherein training the target model through a preset gradient-based countering attack algorithm using the remaining first training samples and the second number of second training samples based on the smart contract to obtain a trained target model comprises:
acquiring index information of the target model from the block chain system based on the intelligent contract, and acquiring the target model from a target storage device based on the index information;
and based on the intelligent contract, training the target model by using the remaining first training samples and the second training samples in the second quantity through a preset gradient-based counter attack algorithm to obtain the trained target model.
11. An apparatus for training a model, the apparatus comprising:
the device comprises a sample acquisition module, a data acquisition module and a data processing module, wherein the sample acquisition module is used for acquiring a first number of first training samples;
the sample processing module is used for selecting a second number of first training samples from the first number of first training samples, and adding corresponding noise data into the second number of first training samples respectively to obtain a second number of second training samples;
and the training module is used for training the target model through a preset adversarial attack algorithm based on the remaining first training samples and the second number of second training samples to obtain the trained target model.
12. A training apparatus for a model, the apparatus being an apparatus in a blockchain system, the apparatus comprising:
the contract deployment module is used for acquiring training rule information of a target model, generating a corresponding smart contract using the training rule information of the target model, and deploying the smart contract into the blockchain system;
the sample acquisition module is used for calling the smart contract to acquire a first number of first training samples;
the sample processing module is used for selecting, based on the smart contract, a second number of first training samples from the first number of first training samples, and adding corresponding noise data to each of the second number of first training samples to obtain a second number of second training samples;
and the training module is used for training, based on the smart contract, the target model through a preset gradient-based adversarial attack algorithm using the remaining first training samples and the second number of second training samples to obtain the trained target model.
13. A training apparatus for a model, the training apparatus for a model comprising:
a processor; and
a memory arranged to store computer executable instructions that, when executed, cause the processor to:
obtaining a first number of first training samples;
selecting a second number of first training samples from the first number of first training samples, and adding corresponding noise data into the second number of first training samples respectively to obtain a second number of second training samples;
and training the target model through a preset gradient-based adversarial attack algorithm based on the remaining first training samples and the second number of second training samples to obtain the trained target model.
14. An apparatus for training a model, the apparatus being an apparatus in a blockchain system, the apparatus comprising:
a processor; and
a memory arranged to store computer executable instructions that, when executed, cause the processor to:
acquiring training rule information of a target model, generating a corresponding smart contract using the training rule information of the target model, and deploying the smart contract into the blockchain system;
calling the smart contract to obtain a first number of first training samples;
based on the smart contract, selecting a second number of first training samples from the first number of first training samples, and adding corresponding noise data to each of the second number of first training samples to obtain a second number of second training samples;
and based on the smart contract, training the target model through a preset gradient-based adversarial attack algorithm using the remaining first training samples and the second number of second training samples to obtain the trained target model.
15. A storage medium for storing computer-executable instructions, which when executed by a processor implement the following:
obtaining a first number of first training samples;
selecting a second number of first training samples from the first number of first training samples, and adding corresponding noise data into the second number of first training samples respectively to obtain a second number of second training samples;
and training the target model through a preset gradient-based adversarial attack algorithm based on the remaining first training samples and the second number of second training samples to obtain the trained target model.
16. A storage medium for storing computer-executable instructions, which when executed by a processor implement the following:
acquiring training rule information of a target model, generating a corresponding smart contract using the training rule information of the target model, and deploying the smart contract into a blockchain system;
calling the smart contract to obtain a first number of first training samples;
based on the smart contract, selecting a second number of first training samples from the first number of first training samples, and adding corresponding noise data to each of the second number of first training samples to obtain a second number of second training samples;
and based on the smart contract, training the target model through a preset gradient-based adversarial attack algorithm using the remaining first training samples and the second number of second training samples to obtain the trained target model.
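The training procedure recited in the claims above (select a second number of the first training samples, add noise to them, then train on the remaining and noisy samples with a fast gradient step), shown as an added Python example that is not code from the patent. The logistic-regression target model, Gaussian noise, constructed 2-D data, sample counts, step size `eps` and all function names are assumptions; it covers the first loss and the perturbed-sample (second) loss, not the third loss of claim 8.

```python
import math
import random

def make_samples(rng, n):
    """Constructed 2-D data: label 1 clusters near (+1, +1), label 0 near (-1, -1)."""
    data = []
    for _ in range(n):
        y = rng.randint(0, 1)
        data.append(([2 * y - 1 + rng.gauss(0, 0.6) for _ in range(2)], y))
    return data

def split_and_add_noise(first, second_number, sigma, rng):
    """Add noise to `second_number` chosen samples; return (remaining, second)."""
    chosen = set(rng.sample(range(len(first)), second_number))
    remaining = [s for i, s in enumerate(first) if i not in chosen]
    second = [([v + rng.gauss(0, sigma) for v in x], y)
              for i, (x, y) in enumerate(first) if i in chosen]
    return remaining, second

def predict(w, b, x):
    z = sum(wi * xi for wi, xi in zip(w, x)) + b
    return 1.0 / (1.0 + math.exp(-max(-30.0, min(30.0, z))))

def fast_gradient(w, b, x, y, eps):
    """One step of length eps up the gradient of the cross-entropy loss w.r.t. x."""
    g = [(predict(w, b, x) - y) * wi for wi in w]
    norm = math.sqrt(sum(v * v for v in g))
    return list(x) if norm == 0 else [xi + eps * gi / norm for xi, gi in zip(x, g)]

def train(samples, eps, epochs=30, lr=0.1):
    """SGD on the first loss (sample as given) plus a second loss (perturbed sample)."""
    w, b = [0.0, 0.0], 0.0
    for _ in range(epochs):
        for x, y in samples:
            for xv in (x, fast_gradient(w, b, x, y, eps)):
                err = predict(w, b, xv) - y
                w = [wi - lr * err * xi for wi, xi in zip(w, xv)]
                b -= lr * err
    return w, b

def accuracy(w, b, samples, eps=0.0):
    """Accuracy after each sample is moved by a fast-gradient step of length eps."""
    return sum((predict(w, b, fast_gradient(w, b, x, y, eps)) >= 0.5) == bool(y)
               for x, y in samples) / len(samples)

rng = random.Random(7)                      # constructed, seeded data
first = make_samples(rng, 200)              # assumed first number = 200
remaining, second = split_and_add_noise(first, 60, 0.3, rng)  # second number = 60
W, B = train(remaining + second, eps=0.3)
```

Calling `accuracy(W, B, held_out, eps)` on a fresh constructed set with `eps=0.0` and then `eps=0.3` compares clean accuracy against accuracy under the same perturbation used in training.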
CN202111574537.5A 2021-12-21 2021-12-21 Model training method, device and equipment Active CN114241268B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111574537.5A CN114241268B (en) 2021-12-21 2021-12-21 Model training method, device and equipment

Publications (2)

Publication Number Publication Date
CN114241268A (en) 2022-03-25
CN114241268B (en) 2024-09-03

Family

ID=80760689

Country Status (1)

Country Link
CN (1) CN114241268B (en)

Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109948658A (en) * 2019-02-25 2019-06-28 浙江工业大学 The confrontation attack defense method of Feature Oriented figure attention mechanism and application
WO2019214365A1 (en) * 2018-05-10 2019-11-14 腾讯科技(深圳)有限公司 Translation model training method, sentence translation method and apparatus, and storage medium
CN110741388A (en) * 2019-08-14 2020-01-31 东莞理工学院 Confrontation sample detection method and device, computing equipment and computer storage medium
CN110992934A (en) * 2019-10-28 2020-04-10 浙江工业大学 Defense method and defense device for black box attack model of voice recognition system
CN111783982A (en) * 2020-06-30 2020-10-16 平安国际智慧城市科技股份有限公司 Attack sample acquisition method, device, equipment and medium
CN112257851A (en) * 2020-10-29 2021-01-22 重庆紫光华山智安科技有限公司 Model confrontation training method, medium and terminal
US20210201196A1 (en) * 2019-12-27 2021-07-01 Beijing Baidu Netcom Science And Technology Co., Ltd. Method and apparatus for training machine reading comprehension model, and storage medium
CN113076557A (en) * 2021-04-02 2021-07-06 北京大学 Multimedia privacy protection method, device and equipment based on anti-attack
CN113221717A (en) * 2021-05-06 2021-08-06 支付宝(杭州)信息技术有限公司 Model construction method, device and equipment based on privacy protection
CN113569873A (en) * 2021-08-19 2021-10-29 支付宝(杭州)信息技术有限公司 Image processing method, device and equipment
CN113705104A (en) * 2021-08-31 2021-11-26 平安普惠企业管理有限公司 Model training method, device, equipment and medium based on composite counterattack
CN113792889A (en) * 2021-09-17 2021-12-14 支付宝(杭州)信息技术有限公司 Model updating method, device and equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant