CN114611607A - Model training method and related device - Google Patents


Publication number
CN114611607A
Authority
CN
China
Prior art keywords
training
model
samples
central node
node
Legal status
Pending
Application number
CN202210248854.6A
Other languages
Chinese (zh)
Inventor
李博
张�杰
徐江河
刘世策
吴双
丁守鸿
Current Assignee
Tencent Technology Shanghai Co Ltd
Original Assignee
Tencent Technology Shanghai Co Ltd
Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00: Pattern recognition
    • G06F18/20: Analysing
    • G06F18/24: Classification techniques
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06N: COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N20/00: Machine learning

Abstract

The embodiments of the present application disclose a model training method and a related device, which can be applied to scenarios such as cloud technology, artificial intelligence, intelligent transportation and driver assistance. Through federated learning, the method improves the defense rate against all attacks and also improves the classification accuracy on original samples that have not been attacked. The method comprises: acquiring training samples, wherein the training samples comprise original samples and adversarial samples, and the adversarial samples are obtained by performing adversarial processing on the original samples based on a preset adversarial training model; re-weighting the training samples based on a target weight, and training on the re-weighted training samples to obtain a training model of the local node; determining gradient information of the training model of the local node; and sending the gradient information to a central node, wherein the gradient information is used by the central node to update the training model of the central node.

Description

Model training method and related device
Technical Field
The embodiment of the application relates to the technical field of computers, in particular to a model training method and a related device.
Background
With the increasing popularity of smart devices, security issues and threats to the privacy of target objects are receiving increasing attention. When target objects do not want to upload personal data to a background server for privacy protection, how to complete model training and iterative update by using data scattered in smart devices of each target object becomes an urgent problem to be solved.
In a federated learning scenario, the communication and model distribution steps make it easy for an unauthorized party to obtain the model of the central node, which exposes the central node to "white-box" adversarial attacks and creates a serious security risk. How to improve adversarial robustness in a federated learning scenario has therefore become a hot topic in the industry. In the field of adversarial defense, adversarial training has proven to be the most effective way to improve adversarial robustness. Directly combining adversarial training with federated learning is currently the most commonly adopted scheme in the industry; its only difference from ordinary federated learning is that the ordinary model training on the local nodes is replaced by adversarial training.
However, in actual use the data is not always independent and identically distributed, and the data is severely imbalanced across classes. A training approach that directly combines adversarial training with federated learning therefore greatly reduces the model's classification accuracy on original samples that have not been attacked. The security of the model is obtained at a large cost in performance, which is unacceptable in a normal business scenario.
Disclosure of Invention
The embodiments of the present application provide a model training method and a related device, which improve both the defense rate against all attacks and the classification accuracy on original samples that have not been attacked, without sacrificing substantial performance to guarantee the security of the model.
In a first aspect, an embodiment of the present application provides a first model training method, which is applied to a local node. In this method, the local node acquires training samples. The training samples comprise original samples and adversarial samples, and the adversarial samples are obtained by performing adversarial processing on the original samples based on a preset adversarial training model. The local node then re-weights the training samples based on a target weight and performs adversarial training on the re-weighted training samples to obtain a training model of the local node. The local node determines gradient information of its training model and sends the gradient information to a central node. The gradient information is used by the central node to update the training model of the central node.
In a second aspect, an embodiment of the present application provides a second model training method, which can be applied to a central node. In this method, the central node acquires gradient information of the training models of N local nodes, wherein the training model of each local node is obtained by the corresponding local node re-weighting training samples based on a target weight and training on the re-weighted training samples; the training samples comprise original samples and adversarial samples; the adversarial samples are obtained by performing adversarial processing on the original samples based on a preset adversarial training model; and N is an integer greater than or equal to 1. The central node then updates the training model of the central node according to the gradient information of the training models of the N local nodes.
In a third aspect, an embodiment of the present application provides a local node. The local node includes an acquisition unit, a processing unit, and a sending unit. The acquisition unit is configured to acquire training samples, wherein the training samples comprise original samples and adversarial samples, and the adversarial samples are obtained by performing adversarial processing on the original samples based on a preset adversarial training model. The processing unit is configured to re-weight the training samples according to a target weight and to perform adversarial training on the re-weighted training samples to obtain the training model of the local node. The processing unit is further configured to determine gradient information of the training model of the local node. The sending unit is configured to send the gradient information to a central node, and the gradient information is used by the central node to update the training model of the central node.
In some possible embodiments, the processing unit is configured to perform adversarial training on the re-weighted training samples using a preset cross-entropy loss function to obtain the training model of the local node, wherein the training model of the local node is constrained by the KL divergence from the training model of the central node.
In other possible embodiments, the target weight is derived based on a distance between the training sample and a classification boundary of the training sample.
In other possible embodiments, the distance between a training sample and its classification boundary is obtained from the number of iterations at which an iterative attack performed with the projected gradient descent (PGD) algorithm succeeds.
In other possible embodiments, the obtaining unit is further configured to receive the updated training model of the central node sent by the central node.
In other possible embodiments, the processing unit is further configured to process the test samples based on the updated training model of the central node, and obtain a type of each test sample.
In other possible embodiments, the processing unit is configured to train the training model of the local node according to the training sample, so as to obtain gradient information of the training model of the local node.
In a fourth aspect, an embodiment of the present application provides a central node. The central node comprises an acquisition unit and a processing unit. The acquisition unit is configured to acquire gradient information of the training models of N local nodes, wherein the training model of each local node is obtained by the corresponding local node re-weighting training samples based on a target weight and training on the re-weighted training samples; the training samples comprise original samples and adversarial samples; the adversarial samples are obtained by performing adversarial processing on the original samples based on a preset adversarial training model; and N is an integer greater than or equal to 1. The processing unit is configured to update the training model of the central node according to the gradient information of the training models of the N local nodes.
In some possible embodiments, the central node further comprises a sending unit. The sending unit is used for sending the updated training models of the central node to the N local nodes respectively, wherein the updated training models of the central node are used for identifying and processing the test samples by each local node to obtain the type of each test sample.
In other possible embodiments, the processing node is configured to generate global information according to the gradient information of the N local nodes, and update the training model of the central node based on the global information.
In other possible embodiments, the processing node is further configured to decrypt the gradient information.
A fifth aspect of the embodiments of the present application provides a model processing apparatus, including a processor, an input/output (I/O) interface, and a memory. The memory is configured to store program instructions. The processor is configured to execute the program instructions in the memory to perform the model training method corresponding to the embodiment of the first aspect or the second aspect.
A sixth aspect of the embodiments of the present application provides a computer-readable storage medium, where instructions are stored in the computer-readable storage medium, and when the instructions are executed on a computer, the computer is caused to execute a method for training a model corresponding to an implementation manner of the first aspect or the second aspect.
A seventh aspect of the embodiments of the present application provides a computer program product including instructions, which when run on a computer or a processor, causes the computer or the processor to execute the above-described model training method corresponding to the implementation manner of the first aspect or the second aspect.
According to the technical scheme, the embodiment of the application has the following advantages:
In the embodiments of the present application, the training samples comprise original samples and adversarial samples, and the adversarial samples are obtained by performing adversarial processing on the original samples based on a preset adversarial training model. The training samples of each local node are re-weighted, and the re-weighted training samples are then used for training to obtain the training model of that local node. Federated learning is then carried out among the training models of the local nodes. This effectively prevents leakage of local node data during training, improves the local nodes' ability to defend against attacks, and improves the model's classification accuracy on original samples that have not been attacked, so the security of the model is guaranteed without a large sacrifice in performance.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present application, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
FIG. 1 shows a schematic diagram of federated learning;
FIG. 2 is a schematic diagram illustrating a system architecture provided by an embodiment of the present application;
FIG. 3 is a schematic diagram illustrating an alternative structure of a distributed system applied to a blockchain system according to an embodiment of the present application;
FIG. 4 is an alternative diagram of a block structure provided by an embodiment of the present application;
FIG. 5 is a flow chart illustrating a method of model training provided by an embodiment of the present application;
FIG. 6 is a schematic diagram illustrating the impact of sample type imbalance on federated learning training;
FIG. 7 shows a schematic comparison of the experimental results of various adversarial training methods;
FIG. 8 illustrates a schematic diagram of one embodiment of a local node provided in an embodiment of the present application;
FIG. 9 illustrates a schematic diagram of an embodiment of a central node provided in an embodiment of the present application;
FIG. 10 shows a schematic structural diagram of a central node and a local node provided in an embodiment of the present application.
Detailed Description
The embodiments of the present application provide a model training method and a related device, which improve both the defense rate against all attacks and the classification accuracy on original samples that have not been attacked, without sacrificing substantial performance to guarantee the security of the model.
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
The terms "first," "second," "third," "fourth," and the like in the description and in the claims of the present application and in the drawings described above, if any, are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the application described herein are, for example, capable of operation in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
Artificial Intelligence (AI) is a theory, method, technique and application system that uses a digital computer or a machine controlled by a digital computer to simulate, extend and expand human intelligence, perceive the environment, acquire knowledge and use the knowledge to obtain the best results. In other words, artificial intelligence is a comprehensive technique of computer science that attempts to understand the essence of intelligence and produce a new intelligent machine that can react in a manner similar to human intelligence. Artificial intelligence is the research of the design principle and the realization method of various intelligent machines, so that the machines have the functions of perception, reasoning and decision making.
Artificial intelligence technology is a comprehensive discipline that covers a wide range of fields, including both hardware-level and software-level technologies. The artificial intelligence infrastructure generally includes technologies such as sensors, dedicated artificial intelligence chips, cloud computing, distributed storage, big data processing technologies, operation/interaction systems, mechatronics, and the like. Artificial intelligence software technology mainly comprises computer vision, speech processing, natural language processing, machine learning/deep learning and the like.
Machine Learning (ML) is a multi-disciplinary field that draws on probability theory, statistics, approximation theory, convex analysis, algorithm complexity theory and other disciplines. It studies how a computer can simulate or realize human learning behavior in order to acquire new knowledge or skills and reorganize existing knowledge structures so as to continuously improve its own performance. Machine learning is the core of artificial intelligence, is the fundamental way to give computers intelligence, and is applied in all fields of artificial intelligence. Machine learning and deep learning generally include techniques such as artificial neural networks, belief networks, reinforcement learning, transfer learning, inductive learning, and learning from demonstration. With the development of machine learning technology, machine learning is applied in more and more scenarios, for example in recognition scenarios that require face-scan verification, identity verification and the like.
With the increasing popularity of smart devices, more and more target objects are concerned about whether their privacy is secure, and are therefore reluctant to upload personal data to a central node such as a server. For this reason, the industry currently combines federated learning directly with adversarial training, so that training and iterative updating of the model are completed using data dispersed across the smart devices of the target objects, and the model can be updated without the personal data of the target objects being uploaded to the central node.
It should be understood that federated learning is a basic artificial intelligence technology whose design goal is to carry out efficient machine learning among multiple parties (such as multiple local nodes) or a central node while guaranteeing information security during big data exchange and protecting the privacy of terminal data and personal data. Specifically, the process of federated learning can be defined by the formula:
Figure BDA0003546003790000061
where $F_k(w)$ refers to the model of the k-th local node, $n_k$ refers to the data volume of the k-th local node, and the weight of each model in federated learning is the proportion of $n_k$ in the total data volume $n$. FIG. 1 shows a schematic diagram of federated learning. As shown in FIG. 1,
Figure BDA0003546003790000062
refers to the model parameters of the central node in the t-th round, and $W_i^t$ ($i = 1, \dots, n$) refers to the model parameters of the n local nodes in round t. In the t-th round, the central node first distributes the model to all local nodes. Each local node performs adversarial training using its locally stored data, encrypts the gradient generated by the adversarial training and transmits it to the central node. After decrypting the gradients, the central node updates the model based on an optimization method to obtain
Figure BDA0003546003790000063
Then, the steps of model distribution, local node training, gradient information encryption transmission and model updating are repeated, and iteration is continuously carried out until the model training is converged.
Adversarial training generates attack samples with adversarial attack methods commonly used in the industry and adds them to the training set of the model, so that the trained model has a certain defense capability against attack samples. Specifically, in the formula
Figure BDA0003546003790000071
the term
Figure BDA0003546003790000072
characterizes the generation of adversarial samples, and the aim is to minimize the adversarial loss over a training set containing adversarial samples.
However, in actual use the data is not always independent and identically distributed, and the data is severely imbalanced across classes. A training approach that directly combines adversarial training with federated learning therefore greatly reduces the model's classification accuracy on original samples that have not been attacked. The security of the model is obtained at a large cost in performance, which cannot be accommodated in a normal business scenario.
Therefore, in order to solve the above technical problem, embodiments of the present application provide a model training method. The method can be applied to recognition scenarios such as UnionPay face-scan verification, bus-code face-scan verification, access-control face verification, campus face-scan payment verification, identity verification and the like. The method can also be applied to various other scenarios, including but not limited to cloud technology, artificial intelligence, intelligent transportation and driver assistance. By way of example, FIG. 2 shows a schematic diagram of a system structure provided in an embodiment of the present application. As shown in FIG. 2, the system structure includes a central node and N local nodes (e.g., local node 1 to local node N), where N is an integer not less than 1. The central node may manage and control the N local nodes, for example by storing data of the N local nodes. In this system structure, after each of the N local nodes obtains its own training samples, it re-weights the training samples based on the target weight and then performs adversarial training, thereby obtaining its own training model. The N local nodes then encrypt the gradient information of their respective training models and send it to the central node. The central node can thus update its training model according to the gradient information of the training models of the N local nodes and feed the updated training model back to each local node, and each local node performs type recognition on test samples based on the updated training model sent by the central node.
In some examples, the above-mentioned central node, N local nodes, may also be deployed in a blockchain scenario. Or, the system related to the embodiment of the present application may also be a distributed system formed by connecting N local nodes and a central node in a network communication manner. Taking a distributed system as an example of a blockchain system, referring to fig. 3, fig. 3 shows an optional structural schematic diagram of the distributed system 100 provided in this embodiment of the present application applied to a blockchain system, which is formed by a plurality of local nodes (computing devices in any form in an access network, such as clients and user terminals) and a central node (e.g., a server, etc.), a peer-to-peer (P2P) network is formed between the nodes, and the P2P protocol is an application layer protocol running on top of a Transmission Control Protocol (TCP). In a distributed system, any machine, such as a server or a terminal, can join to become a node, which includes a hardware layer, an intermediate layer, an operating system layer, and an application layer.
Referring to the functions of each node in the blockchain system shown in fig. 3, the functions involved include:
1) routing, a basic function that a node has, is used to support communication between nodes.
Besides the routing function, the node may also have the following functions:
2) Application, which is deployed in the blockchain and implements specific services according to actual service requirements. It records data related to the implemented functions to form record data, carries a digital signature in the record data to indicate the source of the task data, and sends the record data to other nodes in the blockchain system, so that the other nodes add the record data to a temporary block once they have successfully verified the source and integrity of the record data.
For example, the services implemented by the application include:
2.1) Wallet, which provides electronic money transaction functions, including initiating a transaction (i.e., sending the transaction record of the current transaction to other nodes in the blockchain system; after the other nodes verify it successfully, they store the record data of the transaction in a temporary block of the blockchain as a response confirming that the transaction is valid). The wallet also supports querying the electronic money remaining at an electronic money address.
2.2) Shared ledger, which provides functions such as storing, querying and modifying account data. Record data of the operations on the account data is sent to other nodes in the blockchain system; after the other nodes verify its validity, they store the record data in a temporary block as a response acknowledging that the account data is valid, and may also send a confirmation to the node that initiated the operation.
2.3) Smart contract, a computerized agreement that can enforce the terms of a contract. It is implemented by code deployed on the shared ledger that executes when certain conditions are met, and is used to complete automated transactions according to actual business requirements, such as querying the logistics status of goods purchased by a buyer and transferring the buyer's electronic money to the merchant's address after the buyer signs for the goods. Smart contracts are not limited to executing contracts for trading; they may also execute contracts that process received information.
3) Blockchain, which comprises a series of blocks that are connected to one another in the chronological order in which they were generated. Once a new block has been added to the blockchain it cannot be removed, and the blocks record the record data submitted by nodes in the blockchain system.
Referring to FIG. 4, FIG. 4 is an alternative schematic diagram of a block structure provided in the embodiment of the present application. Each block includes the hash value of the transaction records stored in the block (the hash value of this block) and the hash value of the previous block, and the blocks are connected through the hash values to form a blockchain. A block may also include information such as a timestamp of when the block was generated. A blockchain is essentially a decentralized database: a chain of data blocks linked using cryptography, in which each data block contains information used to verify the validity of its information (anti-counterfeiting) and to generate the next block.
It should be noted that the above-described central node can be understood as a background, including but not limited to a server, a central management device, and the like. In addition, the described local nodes may include, but are not limited to, clients, user terminals, and the like. The described user terminal includes but is not limited to a mobile phone, a computer, an intelligent voice interaction device, an intelligent household appliance, a vehicle-mounted terminal, an aircraft and the like. The embodiment of the invention can be applied to various scenes including but not limited to cloud technology, artificial intelligence, intelligent traffic, driving assistance and the like.
Fig. 5 is a flowchart illustrating a method for model training according to an embodiment of the present disclosure. As shown in fig. 5, the method of model training may include the following steps:
501. The local node acquires training samples, wherein the training samples comprise original samples and adversarial samples, and the adversarial samples are obtained by performing adversarial processing on the original samples based on a preset adversarial training model.
In this example, the training samples may include original samples that have undergone data preprocessing and adversarial samples generated from those preprocessed original samples. For example, in a UnionPay face-scan scenario, the target objects of different banks may differ, and the target objects do not exchange information with one another. To protect the privacy of these target objects, a bank typically does not upload the personal data of its target objects to the provider's back end. Therefore, in the embodiments of the present application, each local node (e.g., a user terminal held by a target object) may first acquire a plurality of original samples, such as picture samples (including but not limited to facial images). Each local node may then perform data preprocessing on the original samples it has acquired, and process the preprocessed original samples with a preset adversarial training model to generate adversarial samples. The preset adversarial training model may also be referred to as an adversarial sample generation method, and may include, but is not limited to, the fast gradient sign method (FGSM), the Jacobian-based saliency map attack (JSMA) algorithm, the projected gradient descent (PGD) algorithm, and the like, which is not limited in this application. The data preprocessing includes data cleaning, data normalization and the like.
502. The local node re-weights the training samples based on the target weight, and trains on the re-weighted training samples to obtain the training model of the local node.
In this example, referring to FIG. 6, FIG. 6 illustrates the impact of sample type imbalance on federated learning training. As shown in FIG. 6, in a scenario where the data is not independent and identically distributed, imbalance between data classes can have a great influence on model training, and classes with a small amount of data show a larger performance gap than classes with a large amount of data. If adversarial training is directly combined with federated learning as in the prior art, this performance gap widens further, so that a "biased" classification boundary appears during model training. For example, the Plainly-trained $A_{cln}$, AT-trained $A_{cln}$ and AT-trained $A_{rob}$ curves in FIG. 6 show that class 2, which has less data, has a significantly more "biased" classification boundary than class 7, which has more data. Based on this, the local node may assign higher training weights to samples that are closer to the classification boundary.
Illustratively, the above-mentioned target weight is derived from the distance between a training sample and the classification boundary of that training sample. The distance between the training sample and its classification boundary is in turn obtained from the number of iterations at which an iterative attack with the PGD algorithm succeeds.
In this example, the local node may use the PGD algorithm to estimate the distance from each training sample to the corresponding classification boundary. Specifically, the local node may calculate the distance from a training sample to the classification boundary according to the formulas
Figure BDA0003546003790000101
Figure BDA0003546003790000102
That is, in round i of the PGD algorithm the local node feeds the corresponding training sample into the model for a forward pass to obtain the loss function, and calculates the gradient of the loss function with respect to the training sample. The local node then iteratively updates the attack sample with step size α in the reverse direction of the gradient to obtain
Figure BDA0003546003790000103
until the attack on the sample succeeds. The iteration round i at which the attack succeeds is the index used to evaluate the distance between the training sample and the classification boundary. Thus, given a batch of training samples $\{(x_j, y_j)\}$, $j \in [1, m]$, the target weight of each training sample in the batch may be calculated according to the formula
Figure BDA0003546003790000104
where $d_j$ represents the distance from training sample j to the classification boundary.
Therefore, after the local node determines the target weight, it can re-weight the training samples according to the target weight and train on the re-weighted training samples to obtain the training model of the local node.
In some examples, the local node may train on the re-weighted training samples as follows: the local node trains on the re-weighted training samples using a preset cross-entropy loss function to obtain the training model of the local node. It should be noted that the training model of the local node is constrained by the KL divergence (Kullback-Leibler divergence) value of the training model of the central node.
In this example, since the central node collects information from all local nodes, the training model of the central node can be considered to have better accuracy and robustness. Based on this, the local node can use the model output of the central node as a regularization constraint during model training. Specifically, the local node may carry out the re-weighted adversarial training according to the formula $\min\ l_{ce}(\rho \cdot f_{loc}(x_{adv}), y) + \beta \cdot l_{kl}(f_{loc}(x_{adv}), f_{glo}(x))$, where y is the label of the training sample and β is a preset coefficient.
That is, the local node may compute a KL divergence value through $\beta \cdot l_{kl}(f_{loc}(x_{adv}), f_{glo}(x))$ and use this KL divergence value as the constraint imposed by the model output of the central node, and may implement the re-weighted adversarial training of the training samples based on the cross-entropy loss function $\min\ l_{ce}(\rho \cdot f_{loc}(x_{adv}), y)$. It should be noted that, in practical applications, other knowledge distillation methods may also be used to implement the constraint on the input of the training model of the central node, and the present application is not limited in this respect.
503. The local nodes determine gradient information of the training model.
In this example, after a local node has trained its training model, it can calculate the gradient information of that training model. For example, after the local node trains on the re-weighted training samples to obtain its training model, it may determine the loss function of the training model. The local node then differentiates the loss function, which yields the gradient information of the training model.
504. The local node sends the gradient information to the central node.
In this example, rather than sending the training model it has trained to the central node, the local node may determine the gradient information of its training model and send that gradient information to the central node. For example, the local node may encrypt the gradient information based on the public key and then send the encrypted gradient information to the central node.
505. The central node updates the training model of the central node according to the gradient information sent by the N local nodes, where N ≥ 1 and N is an integer.
In this example, after receiving and decrypting the gradient information of the training models respectively sent by the N local nodes, the central node may update the parameters of the training models based on the gradient information of the training models of the N local nodes.
Illustratively, the central node may generate global information according to the gradient information of the training models of the N local nodes, and then update the training model of the central node according to the global information. The mentioned global information can be understood as information obtained by integrating the gradient information sent by the N local nodes.
506. The central node sends the updated training model of the central node to each of the N local nodes.
In this example, after the central node updates the training model of the central node based on the gradient information sent by the N local nodes, the updated training model of the central node may be distributed to the N local nodes. Illustratively, the central node may send the updated training model of the central node to the N local nodes through wired communication, wireless communication, or the like.
In addition, in other examples, after obtaining the updated training model, the central node may encrypt the training model of the central node using the public key, and then send the encrypted training model of the central node to the N local nodes, thereby reducing the risk of model leakage.
507. The local node identifies the test sample based on the updated training model of the central node sent by the central node.
In this example, after the central node completes updating its own training model, the central node may further send the updated training model to the N local nodes. In this way, the N local nodes can perform type recognition on the test sample based on the updated training model, so as to implement classification of the test sample such as an image.
In other optional examples, after receiving the encrypted updated training model of the central node, the local node may also decrypt the encrypted training model using the private key and then perform type recognition on the test sample according to the updated training model.
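One training round of steps 501 to 507, as an added Python example that is not code from the patent: each local node counts PGD rounds until the first misclassification as d_j, converts d_j into weights, computes the gradient of the weighted cross-entropy plus β·KL loss, and the central node averages the gradients it receives. Assumptions, because the page's formula images are not reproduced: a linear softmax classifier, the standard sign-gradient PGD step, the stand-in weight 1/(1+d_j) normalised to a batch mean of 1, ρ applied as a per-sample multiplier on the cross-entropy term, the KL term taken as KL(f_glo(x) ‖ f_loc(x_adv)), gradient averaging at the central node, all function names and the constructed sample data; gradient encryption is left out.

```python
import math

def softmax(z):
    m = max(z)
    e = [math.exp(v - m) for v in z]
    return [v / sum(e) for v in e]

def probs(model, x):
    """Class probabilities of a linear softmax classifier, model = (W, b)."""
    W, b = model
    return softmax([sum(w * xi for w, xi in zip(row, x)) + bk for row, bk in zip(W, b)])

def predict(model, x):
    p = probs(model, x)
    return p.index(max(p))

def pgd_distance(model, x, y, alpha=0.1, eps=1.0, max_iter=10):
    """Run PGD from x and return (i, x_adv), where i is the first round at which
    x_adv is misclassified (capped at max_iter). Small i = close to the boundary."""
    W, _ = model
    x_adv = list(x)
    for i in range(max_iter):
        if predict(model, x_adv) != y:
            return i, x_adv
        p = probs(model, x_adv)
        err = [pk - float(k == y) for k, pk in enumerate(p)]  # d l_ce / d logits
        g = [sum(err[k] * W[k][d] for k in range(len(W))) for d in range(len(x))]
        # ASSUMPTION: standard PGD step along sign(gradient), projected to the eps-box.
        x_adv = [min(max(xa + alpha * ((gd > 0) - (gd < 0)), xo - eps), xo + eps)
                 for xa, gd, xo in zip(x_adv, g, x)]
    return max_iter, x_adv

def target_weights(distances):
    # ASSUMPTION: stand-in for the page's weight formula, which is not reproduced.
    # Weight falls as 1/(1+d_j) and is normalised so that the batch mean is 1.
    raw = [1.0 / (1.0 + d) for d in distances]
    mean = sum(raw) / len(raw)
    return [r / mean for r in raw]

def local_gradient(global_model, batch, beta=1.0):
    """Local node, steps 502-503: f_loc starts as a copy of f_glo; returns the gradient of
    mean_j[ rho_j * l_ce(f_loc(x_adv_j), y_j) + beta * l_kl(f_loc(x_adv_j), f_glo(x_j)) ]."""
    W, _ = global_model
    K, D, m = len(W), len(W[0]), len(batch)
    attacks = [pgd_distance(global_model, x, y) for x, y in batch]
    dist = [i for i, _ in attacks]
    rho = target_weights(dist)
    gW, gb = [[0.0] * D for _ in range(K)], [0.0] * K
    for (x, y), (_, x_adv), r in zip(batch, attacks, rho):
        p, q = probs(global_model, x_adv), probs(global_model, x)
        for k in range(K):
            # d/dlogit_k: rho*(p_k - 1[k == y]) for the CE term, (p_k - q_k) for KL(q || p).
            dz = r * (p[k] - float(k == y)) + beta * (p[k] - q[k])
            gb[k] += dz / m
            for d in range(D):
                gW[k][d] += dz * x_adv[d] / m
    return {"gW": gW, "gb": gb, "dist": dist, "rho": rho}

def central_update(global_model, node_grads, lr=0.5):
    """Central node, step 505: average the N nodes' gradients (assumed) and step."""
    W, b = global_model
    n = len(node_grads)
    new_W = [[W[k][d] - lr * sum(g["gW"][k][d] for g in node_grads) / n
              for d in range(len(W[0]))] for k in range(len(W))]
    new_b = [b[k] - lr * sum(g["gb"][k] for g in node_grads) / n for k in range(len(b))]
    return new_W, new_b

# Constructed sample data: 2 classes, 2 features; class 0 iff x[0] > 0 under GLOBAL_MODEL.
GLOBAL_MODEL = ([[1.0, 0.0], [-1.0, 0.0]], [0.0, 0.0])
NODE_A = [([0.15, 0.3], 0), ([0.75, -0.2], 0), ([-0.45, 0.1], 1)]
NODE_B = [([0.35, 0.0], 0), ([-0.25, 0.4], 1), ([-0.85, -0.1], 1)]

if __name__ == "__main__":
    grads = [local_gradient(GLOBAL_MODEL, batch) for batch in (NODE_A, NODE_B)]
    for name, g in zip("AB", grads):
        print(name, "PGD rounds:", g["dist"], "weights:", [round(r, 3) for r in g["rho"]])
    print("updated global model:", central_update(GLOBAL_MODEL, grads))
```

Only gradients leave a node in this sketch; the raw samples and the per-sample PGD round counts stay local.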
In the embodiment of the application, the local node re-weights the training samples according to the target weight, and performs adversarial training on the re-weighted training samples to obtain the training model of the local node. The local node then determines the gradient information of the training model and sends that gradient information to the central node. In this way, after acquiring the gradient information of the training models sent by the N local nodes, the central node can update the training model of the central node based on that gradient information. In other words, the training model of each local node is obtained by re-weighting the training samples of that local node and then training on the re-weighted training samples. Federated learning is then carried out among the training models of the local nodes, so that data leakage from the local nodes can be effectively prevented during training, the ability of the local nodes to defend against adversarial attacks is improved, and the classification accuracy of the model on original samples that have not been attacked can be improved. FIG. 7 shows a comparison of the experimental results of various adversarial training methods. As shown in FIG. 7, the model training method provided in the present application and the model training methods commonly used in the industry (e.g., Plain, PGD_AT, ALP, TRADES, AVMixup) can be used to process independent and identically distributed (IID) data and non-independent and identically distributed (non-IID) data. It is evident from FIG. 7 that the model training method of the present application improves not only the defense rate against all attacks, but also the classification accuracy on original samples that have not been attacked.
Therefore, in multiple scenarios such as UnionPay face-scan authentication and Internet finance verification, the model training method provided by the embodiment of the application can provide a stable, secure and high-performance federated learning scheme, and helps companies expand their business and gain the trust of customers.
The scheme provided by the embodiment of the application has been introduced above mainly from the perspective of the method. It is to be understood that, to realize the above functions, corresponding hardware structures and/or software modules for performing the respective functions are included. Those of skill in the art will readily appreciate that the various illustrative modules and algorithm steps described in connection with the embodiments disclosed herein may be implemented as hardware or as a combination of hardware and computer software. Whether a function is performed by hardware or by computer software driving hardware depends upon the particular application and the design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
In the embodiment of the present application, functional modules of the apparatus may be divided according to the above method example, for example, each functional module may be divided corresponding to each function, or two or more functions may be integrated into one processing module. The integrated module can be realized in a hardware mode, and can also be realized in a software functional module mode. It should be noted that, in the embodiment of the present application, the division of the module is schematic, and is only one logic function division, and there may be another division manner in actual implementation.
Next, a local node in the embodiment of the present application is described in detail, and fig. 8 is a schematic diagram of an embodiment of the local node provided in the embodiment of the present application. As shown in fig. 8, the local node may include an acquisition unit 801, a processing unit 802, and a transmission unit 803.
The acquisition unit 801 is configured to obtain training samples, where the training samples include original samples and adversarial samples, and the adversarial samples are obtained by performing adversarial training processing on the original samples based on a preset adversarial training model. The processing unit 802 is configured to re-weight the training samples according to the target weight, and perform adversarial training on the re-weighted training samples to obtain a training model of the local node. The processing unit 802 is also configured to determine gradient information of the training model of the local node. The sending unit 803 is configured to send the gradient information to the central node, where the gradient information is used by the central node to update the training model of the central node.
In one possible implementation, the processing unit 802 is configured to perform adversarial training on the re-weighted training samples using a preset cross-entropy loss function to obtain a training model of the local node, where the training model of the local node is constrained by the KL divergence value of the training model of the central node.
In another possible implementation, the target weights are derived based on the distance between the training samples and the classification boundaries of the training samples.
In another possible implementation manner, the distance between the training sample and the classification boundary of the training sample is obtained based on the iteration number of the PGD algorithm when the iterative attack is successful.
In another possible embodiment, the obtaining unit 801 is further configured to receive an updated training model of the central node sent by the central node.
The local nodes are described above primarily from the perspective of the functional modules. Next, a detailed description is given of the central node in the embodiment of the present application, and fig. 9 is a schematic view of an embodiment of the central node provided in the embodiment of the present application. As shown in fig. 9, the central node may comprise an acquisition unit 901 and a processing unit 902. In some examples, the central node may further include a transmitting unit 903.
The acquisition unit 901 is configured to obtain gradient information of the training models of N local nodes, where the training model of each local node is obtained by the corresponding local node re-weighting its training samples based on a target weight and training on the re-weighted training samples, the training samples include original samples and adversarial samples, the adversarial samples are obtained by performing adversarial training processing on the original samples based on a preset adversarial training model, N ≥ 1, and N is an integer. The processing unit 902 is configured to update the training model of the central node according to the gradient information of the training models of the N local nodes.
In some possible embodiments, the sending unit 903 is configured to send the updated training model of the central node to the N local nodes, respectively.
The central node and the local node in the embodiment of the present application are described above from the perspective of the modular functional entity, and the central node and the local node in the embodiment of the present application are described below from the perspective of hardware processing. Fig. 10 is a schematic structural diagram of a central node and a local node according to an embodiment of the present application. The central node and the local nodes may differ significantly due to configuration or performance differences. The central node and local nodes may include at least one processor 1001, communication lines 1007, memory 1003 and at least one communication interface 1004.
The processor 1001 may be a general-purpose Central Processing Unit (CPU), a microprocessor, an application-specific integrated circuit (ASIC), or one or more integrated circuits for controlling the execution of programs in accordance with the present disclosure.
The communication line 1007 may include a path for transmitting information between the aforementioned components.
Communication interface 1004, which may be any device such as a transceiver, may be used to communicate with other devices or communication networks, such as an ethernet, a Radio Access Network (RAN), a Wireless Local Area Network (WLAN), etc.
The memory 1003 may be a read-only memory (ROM) or other type of static storage device that can store static information and instructions, or a Random Access Memory (RAM) or other type of dynamic storage device that can store information and instructions. The memory may be separate and coupled to the processor via the communication line 1007. The memory may also be integral to the processor.
The memory 1003 is used for storing computer-executable instructions for executing the present application, and is controlled by the processor 1001 to execute the instructions. The processor 1001 is configured to execute computer-executable instructions stored in the memory 1003, so as to implement the model training method provided by the above-described embodiment of the present application.
Optionally, the computer-executable instructions in the embodiments of the present application may also be referred to as application program codes, which are not specifically limited in the embodiments of the present application.
In particular implementations, the computer device may include multiple processors, such as processor 1001 and processor 1002 of fig. 10, for one embodiment. Each of these processors may be a single-core (single-CPU) processor or a multi-core (multi-CPU) processor. A processor herein may refer to one or more devices, circuits, and/or processing cores for processing data (e.g., computer program instructions).
In particular implementations, the computer device may also include an output device 1005 and an input device 1006, as one embodiment. The output device 1005 communicates with the processor 1001 and may display information in a variety of ways. The input device 1006 is in communication with the processor 1001 and may receive input from a target object in a variety of ways. For example, the input device 1006 may be a mouse, a touch screen device, or a sensing device, among others.
The computer apparatus described above may be a general-purpose device or a special-purpose device. In particular implementations, the computer device may be a server, a terminal, etc. or an apparatus having a similar structure as in fig. 10. The embodiment of the application does not limit the type of the computer equipment.
It should be noted that the processor 1001 in fig. 10 may call the computer-executable instructions stored in the memory 1003, so that the central node and the local nodes execute the method in the method embodiment corresponding to fig. 5.
Specifically, the functions/implementation procedures of the processing unit 802 in fig. 8 and the processing unit 902 in fig. 9 may be implemented by the processor 1001 in fig. 10 calling the computer-executable instructions stored in the memory 1003. The functions/implementation procedures of the acquisition unit 801 and the transmission unit 803 in fig. 8, and of the acquisition unit 901 and the transmission unit 903 in fig. 9, can be realized by the communication interface 1004 in fig. 10.
The above embodiments may be wholly or partially realized by software, hardware, firmware, or any combination thereof. When implemented in software, they may be implemented in whole or in part in the form of a computer program product.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other manners. For example, the above-described apparatus embodiments are merely illustrative, and for example, a division of a unit is merely a logical division, and an actual implementation may have another division, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
Units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on such understanding, the technical solution of the present application, in essence or in the part that contributes over the prior art, or all or part of the technical solution, may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method of the embodiments of the present application. The aforementioned storage medium includes various media capable of storing program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
The above-described embodiments may be implemented in whole or in part by software, hardware, firmware, or any combination thereof, and when implemented using software, may be implemented in whole or in part in the form of a computer program product.
The computer program product includes one or more computer instructions. The processes or functions according to the embodiments of the present application are generated in whole or in part when the computer-executable instructions are loaded and executed on a computer. The computer may be a general-purpose computer, a special-purpose computer, a network of computers, or another programmable device. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center via wired (e.g., coaxial cable, optical fiber, Digital Subscriber Line (DSL)) or wireless (e.g., infrared, wireless, microwave, etc.) means. A computer-readable storage medium can be any available medium that a computer can access, or a data storage device, such as a server or data center, that integrates one or more available media. The available medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., SSD), among others.
It is understood that, in the specific implementation of the present application, where related data such as user information and personal data of the user are involved and the above embodiments of the present application are applied to specific products or technologies, user permission or consent needs to be obtained, and the collection, use and processing of the related data need to comply with the relevant laws, regulations and standards of the relevant countries and regions.
The above embodiments are only used to illustrate the technical solutions of the present application, and not to limit the same; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions in the embodiments of the present application.

Claims (11)

1. A model training method, applied to a local node, comprising:
obtaining training samples, wherein the training samples comprise original samples and adversarial samples, and the adversarial samples are obtained by performing adversarial training processing on the original samples based on a preset adversarial training model;
re-weighting the training samples based on a target weight, and training on the re-weighted training samples to obtain a training model of the local node;
determining gradient information of the training model of the local node;
and sending the gradient information to a central node, wherein the gradient information is used by the central node to update a training model of the central node.
2. The model training method according to claim 1, wherein performing the adversarial training on the re-weighted training samples to obtain the training model of the local node comprises:
training on the re-weighted training samples using a preset cross-entropy loss function to obtain the training model of the local node, wherein the training model of the local node is constrained by the KL divergence value of the training model of the central node.
3. The model training method according to claim 1 or 2, wherein the target weight is obtained based on a distance between the training sample and a classification boundary of the training sample.
4. The model training method according to claim 3, wherein the distance between the training sample and the classification boundary of the training sample is obtained based on the number of iterations at which the iterative attack by the projected gradient descent (PGD) algorithm succeeds.
5. The model training method according to any one of claims 1-4, further comprising:
and receiving the updated training model of the central node sent by the central node.
6. A model training method, applied to a central node, comprising:
obtaining gradient information of training models of N local nodes, wherein the training model of each local node is obtained by the corresponding local node re-weighting a training sample based on a target weight and training on the re-weighted training sample, the training sample comprises an original sample and an adversarial sample, the adversarial sample is obtained by performing adversarial training processing on the original sample based on a preset adversarial training model, N ≥ 1, and N is an integer;
and updating the training model of the central node according to the gradient information of the training models of the N local nodes.
7. The model training method of claim 6, further comprising:
and respectively sending the updated training model of the central node to the N local nodes.
8. A local node, comprising:
an acquisition unit, configured to acquire training samples, wherein the training samples comprise original samples and adversarial samples, and the adversarial samples are obtained by performing adversarial training processing on the original samples based on a preset adversarial training model;
a processing unit, configured to re-weight the training samples according to the target weight and train on the re-weighted training samples to obtain a training model of the local node;
the processing unit being further configured to determine gradient information of the training model of the local node;
and a sending unit, configured to send the gradient information to a central node, wherein the gradient information is used by the central node to update the training model of the central node.
9. A model training apparatus, characterized in that the model training apparatus comprises: an input/output (I/O) interface, a processor, and a memory having program instructions stored therein;
the processor is configured to execute program instructions stored in the memory to perform the model training method of any of claims 1 to 5, or 6 to 7.
10. A computer-readable storage medium comprising instructions that, when executed on a computer device, cause the computer device to perform the model training method of any one of claims 1 to 5, or 6 to 7.
11. A computer program product, characterized in that it comprises instructions which, when run on a computer device, cause the computer device to carry out the model training method according to any one of claims 1 to 5, or 6 to 7.
CN202210248854.6A 2022-03-14 2022-03-14 Model training method and related device Pending CN114611607A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210248854.6A CN114611607A (en) 2022-03-14 2022-03-14 Model training method and related device

Publications (1)

Publication Number Publication Date
CN114611607A true CN114611607A (en) 2022-06-10

Family

ID=81863500

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210248854.6A Pending CN114611607A (en) 2022-03-14 2022-03-14 Model training method and related device

Country Status (1)

Country Link
CN (1) CN114611607A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination