CN115204374A - System, method and device for federated learning and prediction based on segmented neural networks - Google Patents

Publication number
CN115204374A
Authority
CN
China
Prior art keywords
network
sub
noise
noise reduction
neural network
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210996006.3A
Other languages
Chinese (zh)
Inventor
刘巍然
彭立
王嘉义
张磊
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Alibaba China Co Ltd
Original Assignee
Alibaba China Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/08 Learning methods
    • G06N3/084 Backpropagation, e.g. using gradient descent

Abstract

The application provides a system, method and device for federated learning and prediction based on a segmented neural network. Before the first end sends the intermediate parameters to the second end, the first end performs differential privacy processing on them to introduce noise, which enhances the security and privacy of the intermediate parameters. A noise reduction step is added at the first end or the second end to reduce the noise in the intermediate parameters that have undergone differential privacy processing, and subsequent federated learning is carried out on the basis of the noise-reduced intermediate parameters. In this way the training accuracy of joint learning can be greatly improved while data privacy is protected, which improves the accuracy of the model.

Description

System, method and device for federated learning and prediction based on segmented neural networks
Technical Field
The present application relates to federated learning technologies, and in particular, to a system, method, and apparatus for federated learning and prediction based on a segmented neural network.
Background
Federated learning is a distributed machine learning technology that aims to achieve multi-party joint modeling while ensuring data privacy, security and legal compliance.
Segmented neural networks (SplitNN) are a federated learning scheme for training deep neural network models. In a SplitNN-based federated learning scheme, the participant holding features acts as the client and the party holding label data acts as the server. The SplitNN is divided into two partial neural networks, deployed at the client and at the server respectively. During forward propagation, the client feeds its local data features into the locally deployed part of the neural network to generate intermediate parameters and sends them to the server. The server continues forward propagation through the other part of the neural network to obtain a prediction result, and then returns intermediate parameters to the client during backward propagation, completing the parameter iteration of one round of training. Neither side exchanges original data at any point, so data privacy is protected to a certain extent. However, more and more work has shown that the intermediate parameters also contain hidden information about the data, which may reveal data privacy. To enhance privacy, SplitNN schemes based on differential privacy have emerged, which further protect data privacy by adding differential privacy noise before the intermediate parameters are sent.
However, the main disadvantage of these schemes is that large differential privacy noise must be added to the data to ensure its security, which affects modeling accuracy and reduces the accuracy and usability of the model.
Disclosure of Invention
The application provides a system, method and device for federated learning and prediction based on a segmented neural network, which are used to solve the problem that introducing differential privacy noise into federated learning based on a segmented neural network reduces the accuracy and usability of the model.
In a first aspect, the present application provides a federated learning method based on a segmented neural network, where the participants in federated learning include a first end and a second end, one of the first end and the second end is a client and the other is a server, the segmented neural network is split into two parts, namely a first sub-network deployed at the first end and a second sub-network deployed at the second end, and the method includes:
in the federated learning process of the segmented neural network, before the first end sends the intermediate parameters generated through the first sub-network to the second end, the first end performs differential privacy processing on the intermediate parameters to obtain intermediate parameters containing noise;
and performing noise reduction processing on the intermediate parameters containing noise, and sending the noise-reduced intermediate parameters to the second end, so that the second end performs subsequent federated learning based on the second sub-network according to the noise-reduced intermediate parameters.
In a second aspect, the present application provides a federated learning method based on a segmented neural network, where the participants in federated learning include a first end and a second end, one of the first end and the second end is a client and the other is a server, the segmented neural network is split into two parts, namely a first sub-network deployed at the first end and a second sub-network deployed at the second end, and the method includes:
in the federated learning process based on the segmented neural network, the second end receives intermediate parameters that have undergone differential privacy processing and are sent by the first end, where these intermediate parameters are obtained by the first end performing differential privacy processing on the intermediate parameters generated by the first sub-network;
the second end performs noise reduction processing on the intermediate parameters that have undergone differential privacy processing;
and the second end performs subsequent federated learning based on the second sub-network using the noise-reduced intermediate parameters.
In a third aspect, the present application provides a federated learning system based on a segmented neural network, including: a first end and a second end participating in federated learning, wherein one of the first end and the second end is a client and the other is a server, the segmented neural network is split into a first sub-network and a second sub-network, the first sub-network is deployed at the first end, and the second sub-network is deployed at the second end,
in the federated learning process of the segmented neural network, the first end generates intermediate parameters through the first sub-network and performs differential privacy processing on the intermediate parameters to obtain intermediate parameters containing noise;
the first end performs noise reduction processing on the intermediate parameters containing noise and sends the noise-reduced intermediate parameters to the second end;
and the second end performs subsequent federated learning based on the second sub-network according to the noise-reduced intermediate parameters sent by the first end.
In a fourth aspect, the present application provides a federated learning system based on a segmented neural network, including: a client and a server participating in federated learning, wherein one of the first end and the second end is the client and the other is the server, the segmented neural network is split into two parts, namely a first sub-network and a second sub-network, the first sub-network is deployed at the first end, and the second sub-network is deployed at the second end,
in the federated learning process of the segmented neural network, the first end generates intermediate parameters through the first sub-network, performs differential privacy processing on the generated intermediate parameters, and sends the intermediate parameters that have undergone differential privacy processing to the second end;
and the second end performs noise reduction processing on the intermediate parameters that have undergone differential privacy processing, and performs subsequent federated learning based on the second sub-network using the noise-reduced intermediate parameters.
In a fifth aspect, the present application provides a prediction system based on a segmented neural network, comprising: a client and a server participating in federated learning, wherein the segmented neural network is split into a third sub-network stored at the client and a fourth sub-network stored at the server,
in response to a prediction task for a target object, the client inputs the data features of the target object into the local third sub-network for forward propagation calculation, performs differential privacy processing on the resulting intermediate parameters to obtain intermediate parameters containing noise, performs noise reduction processing on the intermediate parameters containing noise, and sends the noise-reduced intermediate parameters to the server;
and the server inputs the noise-reduced intermediate parameters sent by the client into the fourth sub-network for forward propagation calculation to obtain a prediction result.
In a sixth aspect, the present application provides a prediction system based on a segmented neural network, including: a client and a server participating in federated learning, wherein the segmented neural network is split into a third sub-network stored at the client and a fourth sub-network stored at the server,
in response to a prediction task for a target object, the client inputs the data features of the target object into the local third sub-network for forward propagation calculation, performs differential privacy processing on the resulting intermediate parameters to obtain intermediate parameters containing noise, and sends the intermediate parameters containing noise to the server;
and the server performs noise reduction processing on the intermediate parameters containing noise, and inputs the noise-reduced intermediate parameters into the fourth sub-network for forward propagation calculation to obtain a prediction result.
In a seventh aspect, the present application provides a federated learning apparatus based on a segmented neural network, where the participants in federated learning include a first end and a second end, one of the first end and the second end is a client and the other is a server, the segmented neural network is split into two parts, namely a first sub-network deployed at the first end and a second sub-network deployed at the second end, and the apparatus includes:
a differential privacy protection module, configured to perform, in the federated learning process of the segmented neural network and before the first end sends the intermediate parameters generated by the first sub-network to the second end, differential privacy processing on the intermediate parameters to obtain intermediate parameters containing noise;
and a noise reduction module, configured to perform noise reduction processing on the intermediate parameters containing noise and send the noise-reduced intermediate parameters to the second end, so that the second end performs subsequent federated learning based on the second sub-network according to the noise-reduced intermediate parameters.
In an eighth aspect, the present application provides a federated learning apparatus based on a segmented neural network, where the participants in federated learning include a first end and a second end, one of the first end and the second end is a client and the other is a server, the segmented neural network is split into two parts, namely a first sub-network deployed at the first end and a second sub-network deployed at the second end, and the apparatus includes:
a noise reduction module, configured so that, in the federated learning process based on the segmented neural network, the second end receives the intermediate parameters that have undergone differential privacy processing and are sent by the first end, and performs noise reduction processing on them, where these intermediate parameters are obtained by the first end performing differential privacy processing on the intermediate parameters generated by the first sub-network;
and a federated learning module, configured so that the second end performs subsequent federated learning based on the second sub-network using the noise-reduced intermediate parameters.
In a ninth aspect, the present application provides an electronic device comprising: a processor, and a memory communicatively coupled to the processor;
the memory stores computer-executable instructions;
the processor executes computer-executable instructions stored by the memory to implement the method of the first or second aspect.
In a tenth aspect, the present application provides a computer-readable storage medium having stored thereon computer-executable instructions for implementing the method of the first or second aspect when executed by a processor.
In an eleventh aspect, the present application provides a computer program product comprising a computer program that, when executed by a processor, implements the method of the first or second aspect.
With the system, method and device for federated learning and prediction based on a segmented neural network provided by the present application, before the first end sends the intermediate parameters to the second end, the first end performs differential privacy processing on the intermediate parameters to introduce noise, which enhances their security and privacy. A noise reduction step is added at the first end or the second end to reduce the noise in the intermediate parameters that have undergone differential privacy processing, and subsequent federated learning is carried out on the basis of the noise-reduced intermediate parameters. This protects data privacy while greatly improving the training accuracy of joint learning, thereby improving the accuracy of the model.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present application and together with the description, serve to explain the principles of the application.
FIG. 1 is an exemplary diagram of a typical deep neural network architecture provided herein;
FIG. 2 is an exemplary diagram of a typical differential privacy-based SplitNN network architecture;
FIG. 3 is a flowchart of a federated learning method based on a segmented neural network provided in an exemplary embodiment of the present application;
FIG. 4 is a block diagram of a federated learning system having a noise reduction module at a transmitting end according to an exemplary embodiment of the present application;
FIG. 5 is a block diagram of a forward propagation process with a noise reduction module at a transmitting end according to an exemplary embodiment of the present application;
FIG. 6 is a block diagram of a backward propagation process with a noise reduction module at a transmitting end according to an exemplary embodiment of the present application;
FIG. 7 is a flowchart of a method for a segmented neural network based prediction system according to an exemplary embodiment of the present application;
FIG. 8 is a flowchart of a federated learning method based on a segmented neural network provided in another exemplary embodiment of the present application;
FIG. 9 is a block diagram of a federated learning system with a noise reduction module at the receiving end according to an exemplary embodiment of the present application;
FIG. 10 is a block diagram of a forward propagation process with a noise reduction module at a receiving end according to an exemplary embodiment of the present application;
FIG. 11 is a block diagram of a backward propagation process with a noise reduction module at a receiving end according to an exemplary embodiment of the present application;
FIG. 12 is a flowchart of a method for a segmented neural network based prediction system according to another exemplary embodiment of the present application;
FIG. 13 is a schematic structural diagram of a federated learning apparatus based on a segmented neural network according to an exemplary embodiment of the present application;
FIG. 14 is a schematic structural diagram of a federated learning apparatus based on a segmented neural network according to another exemplary embodiment of the present application;
FIG. 15 is a schematic structural diagram of an electronic device according to an exemplary embodiment of the present application.
Specific embodiments of the present application have been shown by way of example in the drawings and will be described in more detail below. The drawings and written description are not intended to limit the scope of the inventive concepts in any manner, but rather to illustrate the concepts of the application to those skilled in the art with reference to specific embodiments.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present application, as detailed in the appended claims.
The terms referred to in this application are explained first:
A neural network is a computational model built from a large number of interconnected nodes that simulates the structure of animal neurons. Neural networks are generally composed of an input layer, a hidden layer and an output layer, each layer containing a plurality of nodes. A shallow neural network contains only one hidden layer and can perform only relatively simple calculation. A deep neural network (DNN) is one of the common forms of deep learning.
A deep neural network is similar to a shallow neural network; besides modeling complex nonlinear systems, it provides a higher level of abstraction for the model, which improves the capability of the model. A typical deep neural network architecture is shown in FIG. 1 and includes an input layer, a hidden layer (comprising more than two hidden layers) and an output layer.
The training process of a deep neural network model is divided into a forward propagation process and a backward propagation (i.e., back propagation) process. The forward propagation process starts from the input layer: data features are input into the deep neural network, and the final output is obtained through calculation and conduction among the nodes. The backward propagation process starts from the output layer: the error value of each node is calculated and conducted in reverse, the weight of each connection is updated, and the process ends at the input layer, completing one round of parameter iteration. The predictive inference process is a forward propagation process.
Compared with traditional machine learning algorithms (such as linear regression), deep neural networks have advantages such as strong representation capability and strong capability to fit nonlinear relations, and are applied in many practical business fields of e-commerce companies (such as risk control and anti-fraud, and recommendation systems). In the current big data setting, data middle platforms and various brand merchants have begun to ask for federated learning, that is, combining the data of both parties to achieve joint modeling and prediction while meeting data security and privacy protection requirements.
Federated learning is a distributed machine learning technology that aims to achieve multi-party joint modeling while ensuring data privacy, security and legal compliance. According to how data is distributed among the parties participating in joint modeling, federated learning is divided into three categories: horizontal federated learning, vertical federated learning, and federated transfer learning. Federated transfer learning is mainly suited to scenarios that use a deep neural network as the base model and is not considered within the scope of this patent.
The essence of horizontal federated learning is the combination of samples. It suits scenarios in which the participants are in the same line of business but reach different customers, i.e. the features overlap more and the users overlap less, such as banks in different regions, which have similar businesses (i.e. similar features) but different users (i.e. different samples).
The essence of vertical federated learning is the combination of features. It suits scenarios in which the users overlap more and the features overlap less, such as supermarkets and banks in the same region, whose users are all residents of the region (i.e. the samples are the same) but whose businesses differ (i.e. the features are different).
The deep neural network is one of the modeling algorithms commonly used by customers, and in a federated learning setting, how to complete joint modeling of a deep neural network without revealing original data is a need that urgently requires a solution.
A segmented neural network (SplitNN) is a federated learning scheme for training deep neural network models. In a SplitNN-based federated learning scheme, the participant holding features acts as the client and the party holding label data acts as the server. The SplitNN is divided into two partial neural networks, deployed at the client and at the server respectively. During forward propagation, the client feeds its local data features into the locally deployed part of the neural network to generate intermediate parameters and sends them to the server. The server continues forward propagation through the other part of the neural network to obtain a prediction result, and then returns intermediate parameters to the client during backward propagation, completing the parameter iteration of one round of training. Neither side exchanges original data at any point, so data privacy is protected to a certain extent. However, more and more work has shown that the intermediate parameters also contain hidden information about the data, which may reveal data privacy.
To enhance privacy, SplitNN schemes based on differential privacy have emerged, which further protect data privacy by adding differential privacy noise before the intermediate parameters are sent.
Differential privacy is a privacy protection mechanism that, by adding a certain amount of noise to aggregated data, reduces the influence of any individual's data on the aggregated result, protecting individual privacy while still allowing the data owner to publish relatively accurate aggregated data. Assume the data owner holds the true data of each individual, forming a dataset D. Let M be the (noisy) mechanism for publishing aggregated results on dataset D, and let Pr[M(D) ∈ S] denote the probability that the result published by M on dataset D lies in the set S.
If, for any two adjacent datasets D and D' (i.e., the two datasets differ in only one individual's data) and for any set S, Pr[M(D) ∈ S] ≤ e^ε · Pr[M(D') ∈ S], then the mechanism M is said to satisfy ε-differential privacy.
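The inequality above can be checked numerically for a concrete mechanism. The following is an added example, not part of the patent: it assumes a counting query with sensitivity 1 published through the Laplace mechanism (both chosen here for illustration, as are the constructed datasets), and compares a correctly calibrated noise scale 1/ε with an under-noised one.

```python
import math

def laplace_cdf(x, mu, b):
    """CDF of a Laplace(mu, b) distribution evaluated at x."""
    if x < mu:
        return 0.5 * math.exp((x - mu) / b)
    return 1.0 - 0.5 * math.exp(-(x - mu) / b)

def prob_in_interval(lo, hi, mu, b):
    """Pr[mu + Laplace(0, b) lies in [lo, hi)]."""
    return laplace_cdf(hi, mu, b) - laplace_cdf(lo, mu, b)

def count_query(dataset):
    """Aggregated result to publish: number of individuals whose flag is set."""
    return sum(1 for record in dataset if record["flag"])

def worst_case_ratio(d, d_prime, scale, lo=-6.0, hi=10.0, step=0.5):
    """Largest Pr[M(D) in S] / Pr[M(D') in S] over a grid of intervals S.

    M(D) = count_query(D) + Laplace(0, scale). Both directions are checked
    because adjacency is symmetric. A grid check is evidence, not a proof.
    """
    mu, mu_prime = count_query(d), count_query(d_prime)
    worst = 0.0
    for i in range(int((hi - lo) / step)):
        a = lo + i * step
        p = prob_in_interval(a, a + step, mu, scale)
        q = prob_in_interval(a, a + step, mu_prime, scale)
        worst = max(worst, p / q, q / p)
    return worst

def satisfies_eps_dp(ratio, eps, tol=1e-9):
    """True if the observed worst-case ratio respects the e^eps bound."""
    return ratio <= math.exp(eps) * (1.0 + tol)

# Constructed sample data: D and D_PRIME are adjacent because only
# individual 4's record differs.
D = [
    {"id": 1, "flag": True},
    {"id": 2, "flag": True},
    {"id": 3, "flag": False},
    {"id": 4, "flag": True},
]
D_PRIME = D[:3] + [{"id": 4, "flag": False}]

EPS = 0.5
# Noise scale calibrated to sensitivity / eps = 1 / eps.
CALIBRATED = worst_case_ratio(D, D_PRIME, scale=1.0 / EPS)
# Half the required noise: this mechanism only achieves 2 * eps.
UNDER_NOISED = worst_case_ratio(D, D_PRIME, scale=1.0 / (2.0 * EPS))

if __name__ == "__main__":
    print("bound e^eps      :", math.exp(EPS))
    print("calibrated ratio :", CALIBRATED, satisfies_eps_dp(CALIBRATED, EPS))
    print("under-noised     :", UNDER_NOISED, satisfies_eps_dp(UNDER_NOISED, EPS))
```

The calibrated mechanism meets the bound with equality in the tails, which is why reducing the noise scale at all breaks the ε guarantee.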
Illustratively, FIG. 2 provides an exemplary diagram of a typical differential privacy-based SplitNN network architecture. As shown in FIG. 2, the SplitNN is split into two parts, deployed at the client and at the server respectively. In the forward propagation process, for example, a noise-adding layer is added after a hidden layer of the partial sub-network deployed at the client, so as to perform differential privacy processing on the intermediate parameters output by the hidden layer and add differential privacy noise to them, thereby enhancing the privacy of the intermediate parameters. In addition, in the backward propagation or predictive inference process, the privacy and security of the intermediate parameters can likewise be enhanced by adding a differential privacy mechanism.
Although adding differential privacy noise to the intermediate parameters further enhances the security and privacy of the data, adding larger differential privacy noise to the data affects modeling accuracy and reduces the accuracy and usability of the model.
To solve the above technical problems, the application provides a federated learning method and system based on a segmented neural network. At the receiving end of the intermediate parameters (which may be the client or the server in SplitNN-based federated learning), noise reduction processing is performed on the received intermediate parameters, which contain noise after differential privacy processing, to reduce the scale of the noise in them, and subsequent federated learning continues on the basis of the noise-reduced intermediate parameters, so that the accuracy of the model can be greatly improved.
In addition, the methods and systems provided herein can be applied to the forward and/or backward propagation processes of training as well as to the predictive inference process.
For example, in practical applications, financial service platforms, internet service platforms, network operators and the like each hold feature data about different aspects of users. To better integrate the multi-party feature data, a target model is trained and used to predict label information about a user in some respect, which enables capabilities such as mining potential customer groups and accurate information recommendation.
Assume that a financial service platform needs to mine high-value customers. The financial service platform can act as the server to provide label data; the financial service platform also acts as a client of federated learning to provide data features, and other internet service platforms/network operators act as clients of federated learning to provide data features. Because datasets cannot be shared directly among different platforms, under the scheme provided by the application the target model is a segmented neural network split into a first sub-network and a second sub-network, with one part deployed at the client and the other part deployed at the server. The client device and the server device perform joint modeling without revealing metadata, thereby training the target model. During predictive inference, each participant performs forward propagation calculation in the same way to output the prediction result.
Compared with training by the financial service platform alone, federated learning brings the value of the data held by other internet service platforms and network operators into the financial service platform's model, greatly improving the accuracy of the model and the service effect of the financial service platform.
The following describes the technical solutions of the present application and how to solve the above technical problems with specific embodiments. The following several specific embodiments may be combined with each other, and details of the same or similar concepts or processes may not be repeated in some embodiments. Embodiments of the present application will be described below with reference to the accompanying drawings.
Fig. 3 is a flowchart of a federated learning method based on a segmented neural network according to an exemplary embodiment of the present application. The split neural network is divided into two parts, a first sub-network and a second sub-network; the first sub-network is deployed at the first end and the second sub-network at the second end. One of the first end and the second end is the client, and the other is the server. The method provided by this embodiment is executed by the first end.
As shown in Fig. 3, the method comprises the following specific steps:
Step S301, in the federated learning process of the segmented neural network, before the first end sends the intermediate parameters generated by the first sub-network to the second end, the first end performs differential privacy processing on the intermediate parameters to obtain intermediate parameters containing noise.
In this embodiment, the first end refers to a sending end of the intermediate parameter, and the first subnetwork refers to a part of the neural network deployed by the first end. The second end refers to the receiving end of the intermediate parameter and the second sub-network refers to the part of the neural network deployed by the second end.
Specifically, in federated learning of the segmented neural network, during forward propagation the first end is the client and the second end is the server. During back propagation, the first end is the server and the second end is the client. During prediction inference with the segmented neural network, the first end is the client and the second end is the server.
At a sending end of the intermediate parameter, after the first end generates the intermediate parameter through a local first sub-network, the differential privacy processing is performed on the intermediate parameter to obtain the intermediate parameter containing noise, so that the security and privacy of the intermediate parameter are enhanced.
Illustratively, differential privacy processing can be performed by adding a Gaussian noise perturbation to the intermediate parameter. The strength of the perturbation is determined by the strength of the Gaussian noise, which can be represented by its standard deviation σ and set by a technician according to the requirements of the actual application scenario; it is not specifically limited here.
Step S302, the first end performs noise reduction processing on the intermediate parameters containing noise and sends the noise-reduced intermediate parameters to the second end, so that the second end performs subsequent federated learning based on the second sub-network according to the noise-reduced intermediate parameters.
Adding large differential privacy noise to the intermediate parameter reduces the training accuracy of joint learning and therefore the accuracy of the model. In this embodiment, the first end therefore also performs noise reduction processing on the noise-containing intermediate parameter obtained from the differential privacy processing, to reduce the noise in the intermediate parameter. The first end then sends the noise-reduced intermediate parameters to the second end, and the second end performs subsequent federated learning based on the second sub-network according to them. This protects data privacy while greatly improving the training accuracy of joint learning, and thus the accuracy of the model.
Exemplarily, let A = (a_1, a_2, …, a_k) denote the original intermediate parameter, that is, the intermediate parameter generated by the first end through the first sub-network; let B = (B_1, B_2, …, B_k) denote the intermediate parameter after the differential privacy noise is added; and let C = (C_1, C_2, …, C_k) denote the intermediate parameter after the noise reduction processing, where k is the dimension of the intermediate parameter. In this embodiment, after generating the original intermediate parameter A, the first end performs differential privacy processing on A, adding differential privacy noise to obtain B and so enhancing the security and privacy of the data; it then performs noise reduction processing on B to obtain C, reducing the noise, and sends C to the second end. The second end performs subsequent joint training based on C.
Illustratively, for the forward propagation process, the first end is the client and the second end is the server. Before the client sends the intermediate parameter to the server, it applies differential privacy processing and noise reduction processing to the intermediate parameter, and sends the noise-reduced intermediate parameter to the server. The server performs subsequent federated learning based on the noise-reduced intermediate parameter.
Illustratively, for the backward propagation process, the first end is the server and the second end is the client. Before the server sends the intermediate parameter to the client, it applies differential privacy processing and noise reduction processing to the intermediate parameter, and sends the noise-reduced intermediate parameter to the client. The client performs subsequent federated learning based on the noise-reduced intermediate parameter.
Illustratively, for the prediction inference process, the first end is the client and the second end is the server. Before the client sends the intermediate parameter to the server, it applies differential privacy processing and noise reduction processing to the intermediate parameter to reduce the noise in it, and sends the noise-reduced intermediate parameter to the server. The server performs the subsequent forward propagation calculation on the noise-reduced intermediate parameter to obtain a prediction result.
The scheme is easy to understand and implement: the original SplitNN does not need to be restructured, and only a noise reduction step is added after the differential privacy processing is completed, so the modification effort is low.
In practical applications, after noise is added to the intermediate parameter by using the differential privacy, the training accuracy of the joint learning is reduced, and the degree of the reduction is mainly dependent on the variance of the added noise.
Assume that the intermediate parameter A is a k-dimensional vector whose values originally lie in the range (-1, 1). After the differential privacy noise is added to A to obtain B, the values in B fall outside (-1, 1); the distribution of B is more dispersed, its variance is larger, and the training accuracy is reduced.
In an optional embodiment, when performing noise reduction processing on the intermediate parameter containing noise obtained through the differential privacy processing, reduction processing may be specifically performed on the intermediate parameter containing noise to reduce the variance of noise in the intermediate parameter, so as to improve the accuracy of the model.
Specifically, the reduction processing is performed on the intermediate parameter B after the differential privacy noise is added, as follows:
Let the parameter λ take a value in the range (0, 1) and scale B down by the factor λ, that is, compute C = λB, so that B is pulled back to the range (-1, 1). The variance of C is smaller than that of B, and performing joint learning based on C can improve the accuracy of the model.
In an optional embodiment, when the noise reduction processing is performed on the intermediate parameter containing noise obtained through the differential privacy processing, a random masking method may be specifically adopted to perform the noise reduction processing on the intermediate parameter containing noise, so as to reduce the overall variance of the noise in the intermediate parameter, thereby improving the accuracy of the model.
Specifically, the intermediate parameter B after the differential privacy noise is added is subjected to random masking processing in the following manner:
Let R_p be a random vector containing only 0s and 1s, where the value at each position independently obeys a Bernoulli distribution with probability p. R_p has the same dimension as B. Define a new vector C such that: when R_p_i = 1, C_i = B_i; when R_p_i = 0, C_i = 0. That is, the randomness of R_p determines which values in B are retained, and each position whose value is not retained is set directly to 0. The positions set to 0 lose that part of the parameter information, but the negative effect of the noise on accuracy at those positions is eliminated, and the overall variance of the noise becomes smaller. By setting a suitable probability p (e.g. p = 0.6 when the standard deviation of the added Gaussian noise is σ = 0.5), the overall accuracy of the model can be improved. The value of the probability p may be set by a technician according to experimental data and experience in the actual application scenario, and is not specifically limited here.
In addition, experimental data show that in the federated learning process based on the segmented neural network, performing noise reduction processing on the noise-containing intermediate parameters with the random masking method gives the model the ability to resist feature-space hijacking attacks, which further enhances the security of the model.
In the scheme provided by this application, the amount of noise is controlled by setting the differential privacy parameters, which allows security and usability to be balanced, and the noise reduction process is controlled through the random masking parameter p or the scaling coefficient λ, which improves the model effect. The scheme is highly flexible and can adapt to a variety of data scenarios. It can be used in the forward propagation and backward propagation processes of neural network training as well as in the prediction inference process, protecting data throughout the whole process.
Fig. 4 is a system framework diagram of a noise reduction module at a sending end in a federated learning system based on a split neural network according to an exemplary embodiment of the present application, and as shown in fig. 4, the federated learning system includes a client and a server that participate in federated learning, and the split neural network is split into two parts of neural networks, that is, two sub-networks.
In this embodiment, one of the first end and the second end refers to a client and the other refers to a server. A first subnetwork is deployed at the first end and a second subnetwork is deployed at the second end.
In the federated learning process of the segmented neural network, when the first end sends the intermediate parameters to the second end, a noise adding module (such as the noise adding layer shown in Fig. 4) and a noise reduction module (such as the noise reduction layer shown in Fig. 4) are added at the first end. The first end generates the intermediate parameters through the first sub-network and performs differential privacy processing on them through the noise adding module to obtain intermediate parameters containing noise.
The first end performs noise reduction processing on the intermediate parameters containing noise through the noise reduction module, and sends the noise-reduced intermediate parameters to the second end.
The second end performs subsequent federated learning based on the second sub-network according to the noise-reduced intermediate parameters sent by the first end.
In this embodiment, noise reduction processing of the noise-containing intermediate parameter is implemented in the same way as in the foregoing method embodiment: either reduction processing is applied to the noise-containing intermediate parameter, or a random masking method is used. See the foregoing method embodiment for details, which are not repeated here.
Illustratively, for the forward propagation process, the first end is a client, the second end is a server, a noise adding layer is added to the client as a noise adding module, and a noise reducing layer is added to the client as a noise reducing module.
Illustratively, for the backward propagation process, the first end is a server, the second end is a client, a noise adding layer is added to the server to serve as a noise adding module, and a noise reducing layer is added to serve as a noise reducing module.
Illustratively, for the prediction inference process, the first end is a client, the second end is a server, a noise adding layer is added to the client to serve as a noise adding module, and a noise reducing layer is added to serve as a noise reducing module.
In this application, when the intermediate parameter is transmitted between the client and the server, the differential privacy protection and noise reduction processing of the intermediate parameter can be applied to any one of the forward propagation process, the backward propagation process and the prediction inference process on its own, or to several of these processes together.
In an example embodiment, Fig. 5 is a framework diagram of the forward propagation process in a federated learning system, based on a split neural network, that has the noise reduction module at the sending end, according to another example embodiment of the present application. The participants in the federated learning include a client and a server; the client holds the data features and the server holds the data labels. During federated learning based on the segmented neural network, that is, during neural network training, differential privacy protection and noise reduction processing of the intermediate parameters can be performed in the forward propagation process. Specifically, the client serves as the first end, which sends the intermediate parameters, and the server serves as the second end, which receives them. As shown in Fig. 5, the client inputs the local data features X1 = (X_1, X_2, …, X_n) at the input layer nodes of the locally deployed partial sub-network and performs the forward propagation calculation. When the last layer of nodes of the hidden layer of the locally deployed partial sub-network is reached, the hidden layer outputs the intermediate parameter A1 = (a_1, a_2, …, a_k). A noise adding layer is added at the client: the intermediate parameter A1 output by the hidden layer is input into the noise adding layer, which adds differential privacy noise so that the intermediate parameter is protected by differential privacy, giving the noise-containing intermediate parameter B1 = (B_1, B_2, …, B_k). A noise reduction layer is also added at the client: the noise-containing intermediate parameter B1 is input into the noise reduction layer for noise reduction processing, giving the noise-reduced intermediate parameter C1 = (C_1, C_2, …, C_k). The noise reduction process does not sacrifice the security of the scheme, and it improves the accuracy of model training by reducing the noise scale. The client sends the noise-reduced intermediate parameter C1 to the server. The server inputs C1 into the hidden layer of the other part of the sub-network, deployed locally at the server, continues the forward propagation calculation, and finally obtains the prediction result Y1 = (Y_1, Y_2, …, Y_m) output by the output layer. Here n is the dimension of the input data features and m is the dimension of the output prediction. The server can then perform the back propagation process according to the prediction result Y1 and the data labels it holds, completing one round of model training iteration.
In an example embodiment, Fig. 6 is a framework diagram of the backward propagation process in a federated learning system, based on a split neural network, that has the noise reduction module at the sending end, according to another example embodiment of the present application. When performing federated learning based on the split neural network, that is, training the neural network, differential privacy protection and noise reduction processing of the intermediate parameter can be performed in the backward propagation process, so as to protect label information from being leaked. Specifically, in the backward propagation process the server serves as the first end, which sends the intermediate parameters, and the client serves as the second end, which receives them. As shown in Fig. 6, the server calculates an error from the prediction result and the local label data and back-propagates it from the output layer; when the error has been back-propagated to the last layer of the hidden layer of the other part of the sub-network, local to the server, the backward propagation intermediate parameter A2 is obtained. A noise adding layer is added at the server, which adds differential privacy noise to the intermediate parameter A2 to obtain the noise-containing intermediate parameter B2. A noise reduction layer is added at the server, and B2 is input into it for noise reduction processing to obtain the noise-reduced intermediate parameter C2. The server sends C2 to the client. Based on C2, the client back-propagates from the last layer of the hidden layer of the locally deployed partial sub-network to the output layer to update the model parameters, completing one round of model training iteration.
Fig. 7 is a flowchart of a method of a prediction system based on a segmented neural network according to an exemplary embodiment of the present application. In the prediction system based on the segmented neural network, the split neural network is divided into a third sub-network stored at the client and a fourth sub-network stored at the server. As shown in Fig. 7, the prediction process of the prediction system based on the segmented neural network includes the following specific steps:
Step S701, in response to a prediction task for a target object, the client inputs the data features of the target object into the local third sub-network for forward propagation calculation to obtain an intermediate parameter.
Illustratively, the prediction task for the target object may be a label prediction task for a target population whose data features the client holds.
The intermediate parameter may be an output result obtained by performing forward propagation calculation on the data feature by using the third subnetwork.
Step S702, the client performs differential privacy processing on the obtained intermediate parameter to obtain an intermediate parameter containing noise.
Illustratively, differential privacy processing can be performed by adding a Gaussian noise perturbation to the intermediate parameter. The strength of the perturbation is determined by the strength of the Gaussian noise, which can be represented by its standard deviation σ and set by a technician according to the requirements of the actual application scenario; it is not specifically limited here.
Step S703, the client performs noise reduction processing on the intermediate parameters containing the noise.
Step S704, the client sends the intermediate parameters after the noise reduction processing to the server.
Step S705, the server side inputs the intermediate parameters after the noise reduction processing sent by the client side into a fourth sub-network for forward propagation calculation, and a prediction result is obtained.
Illustratively, the server side uses the fourth sub-network to continue forward propagation calculation, so as to obtain a prediction result.
In practical applications, after noise is added to the intermediate parameter by using differential privacy, the training accuracy of the joint learning is reduced, and the degree of the reduction is mainly determined by the variance of the added noise.
Assume that the intermediate parameter A is a k-dimensional vector whose values originally lie in the range (-1, 1). After the differential privacy noise is added to A to obtain B, the values in B fall outside (-1, 1); the distribution of B is more dispersed, its variance is larger, and the training accuracy is reduced.
In an optional embodiment, when performing noise reduction processing on the intermediate parameter containing noise obtained through the differential privacy processing, reduction processing may be specifically performed on the intermediate parameter containing noise to reduce a variance of noise in the intermediate parameter, so as to improve accuracy of the model.
Specifically, the reduction processing is performed on the intermediate parameter B after the differential privacy noise is added, as follows:
Let the parameter λ take a value in the range (0, 1) and scale B down by the factor λ, that is, compute C = λB, so that B is pulled back to the range (-1, 1). The variance of C is smaller than that of B, and performing joint learning based on C can improve the accuracy of the model.
In an optional embodiment, when the noise reduction processing is performed on the intermediate parameter containing noise obtained through the differential privacy processing, a random masking method may be specifically adopted to perform the noise reduction processing on the intermediate parameter containing noise, so as to reduce the overall variance of the noise in the intermediate parameter, thereby improving the accuracy of the model.
Specifically, the intermediate parameter B after the differential privacy noise is added is subjected to random masking processing in the following manner:
Let R_p be a random vector containing only 0s and 1s, where the value at each position independently obeys a Bernoulli distribution with probability p. R_p has the same dimension as B. Define a new vector C such that: when R_p_i = 1, C_i = B_i; when R_p_i = 0, C_i = 0. That is, the randomness of R_p determines which values in B are retained, and each position whose value is not retained is set directly to 0. The positions set to 0 lose that part of the parameter information, but the negative effect of the noise on accuracy at those positions is eliminated, and the overall variance of the noise becomes smaller. By setting a suitable probability p (e.g. p = 0.6 when the standard deviation of the added Gaussian noise is σ = 0.5), the overall accuracy of the model can be improved. The value of the probability p may be set by a technician according to experimental data and experience in the actual application scenario, and is not specifically limited here.
In addition, experimental data show that in the federated learning process based on the segmented neural network, performing noise reduction processing on the noise-containing intermediate parameters with the random masking method gives the model the ability to resist feature-space hijacking attacks, which further enhances the security of the model.
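The client-to-server flow of steps S701 to S705, with both noise reduction options described above (C = λB and random masking with R_p), as an added example that is not part of the patent text. The one-layer tanh and sigmoid sub-networks, the random weights, k, n, the seed and λ = 0.5 are assumptions made for illustration, p is taken as the probability that a position is kept, and σ = 0.5 with p = 0.6 are the values the text mentions.

```python
import math
import random
from statistics import pvariance


def client_forward(x, w3):
    """S701: third sub-network (assumed: one tanh layer, so each a_i is in (-1, 1))."""
    return [math.tanh(sum(w * xi for w, xi in zip(row, x))) for row in w3]


def add_gaussian_noise(a, sigma, rng):
    """S702: B = A + noise with noise_i ~ N(0, sigma^2); the noise is returned for measurement."""
    noise = [rng.gauss(0.0, sigma) for _ in a]
    return [ai + ni for ai, ni in zip(a, noise)], noise


def scale_down(b, lam):
    """S703, reduction option: C = lambda * B with lambda in (0, 1)."""
    if not 0.0 < lam < 1.0:
        raise ValueError("lambda must lie in (0, 1)")
    return [lam * bi for bi in b]


def random_mask(b, p, rng):
    """S703, masking option: R_p_i ~ Bernoulli(p); C_i = B_i if R_p_i == 1, else 0."""
    if not 0.0 < p < 1.0:
        raise ValueError("p must lie in (0, 1)")
    r_p = [1 if rng.random() < p else 0 for _ in b]
    return [bi if ri else 0.0 for bi, ri in zip(b, r_p)], r_p


def server_forward(c, w4):
    """S705: fourth sub-network (assumed: linear layer plus sigmoid, overflow-safe form)."""
    z = sum(w * ci for w, ci in zip(w4, c))
    return 0.5 * (1.0 + math.tanh(z / 2.0))


def outside_unit(v):
    """Fraction of coordinates that left the original value range (-1, 1)."""
    return sum(1 for vi in v if abs(vi) >= 1.0) / len(v)


def run_demo(k=20000, n=8, sigma=0.5, lam=0.5, p=0.6, seed=7):
    """Run S701-S705 once; k is large only so the empirical variances are stable."""
    rng = random.Random(seed)
    # Constructed sample data: one feature record and random sub-network weights.
    x = [rng.uniform(-1.0, 1.0) for _ in range(n)]
    w3 = [[rng.gauss(0.0, 1.0) for _ in range(n)] for _ in range(k)]
    w4 = [rng.gauss(0.0, 1.0) / math.sqrt(k) for _ in range(k)]

    a = client_forward(x, w3)                     # S701
    b, noise = add_gaussian_noise(a, sigma, rng)  # S702
    c_scale = scale_down(b, lam)                  # S703, option 1
    c_mask, r_p = random_mask(b, p, rng)          # S703, option 2

    return {
        "a": a, "b": b, "c_scale": c_scale, "c_mask": c_mask, "r_p": r_p,
        # Variance of the noise still carried by each vector that could be sent (S704).
        "noise_var_b": pvariance(noise),
        "noise_var_scale": pvariance([lam * ni for ni in noise]),
        "noise_var_mask": pvariance([ri * ni for ri, ni in zip(r_p, noise)]),
        "outside_b": outside_unit(b),
        "outside_scale": outside_unit(c_scale),
        # S705: server-side prediction from the clean, scaled and masked vectors.
        "pred_clean": server_forward(a, w4),
        "pred_scale": server_forward(c_scale, w4),
        "pred_mask": server_forward(c_mask, w4),
    }


if __name__ == "__main__":
    result = run_demo()
    for key in ("noise_var_b", "noise_var_scale", "noise_var_mask",
                "outside_b", "outside_scale",
                "pred_clean", "pred_scale", "pred_mask"):
        print(f"{key:16s} {result[key]:.4f}")
```

With σ = 0.5 the noise variance carried by B is about σ² = 0.25; scaling leaves λ²σ² and masking leaves pσ², and both also shrink or zero part of the signal, which is why p and λ have to be tuned against model accuracy.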
Fig. 8 is a flowchart of a federated learning method based on a segmented neural network according to another exemplary embodiment of the present application. The split neural network is divided into two parts, a first sub-network and a second sub-network; the first sub-network is deployed at the first end and the second sub-network at the second end. One of the first end and the second end is the client, and the other is the server. The method provided by this embodiment is executed by the second end.
As shown in Fig. 8, the method comprises the following specific steps:
Step S801, in the federated learning process based on the split neural network, the second end receives the intermediate parameter subjected to differential privacy processing that is sent by the first end, where this intermediate parameter is obtained by the first end performing differential privacy processing on the intermediate parameter generated by the first sub-network.
In this embodiment, the first end refers to a transmitting end of the intermediate parameter, and the first subnetwork refers to a part of the neural network deployed at the first end. The second end refers to the receiving end of the intermediate parameter, and the second subnetwork refers to the part of the neural network deployed by the second end.
Specifically, in federated learning of the segmented neural network, during forward propagation the first end is the client and the second end is the server. During back propagation, the first end is the server and the second end is the client. During prediction inference with the segmented neural network, the first end is the client and the second end is the server.
At a transmitting end of the intermediate parameter, after the first end generates the intermediate parameter through a local first sub-network, differential privacy processing is performed on the intermediate parameter to obtain the intermediate parameter containing noise, so that the security and privacy of the intermediate parameter are enhanced.
Illustratively, differential privacy processing can be performed by adding a Gaussian noise perturbation to the intermediate parameter. The strength of the perturbation is determined by the strength of the Gaussian noise, which can be represented by its standard deviation σ and set by a technician according to the requirements of the actual application scenario; it is not specifically limited here.
Step S802, the second end performs noise reduction processing on the intermediate parameter subjected to the differential privacy processing.
Step S803, the second end performs subsequent federated learning based on the second sub-network using the noise-reduced intermediate parameters.
In this embodiment, adding large differential privacy noise to the intermediate parameter reduces the training accuracy of joint learning and therefore the accuracy of the model, so the second end performs noise reduction processing on the received intermediate parameter (step S802). The second end then performs subsequent federated learning based on the second sub-network according to the noise-reduced intermediate parameters. This protects data privacy while greatly improving the training accuracy of joint learning, and thus the accuracy of the model.
Illustratively, A = (a_1, a_2, …, a_k) denotes the original intermediate parameter, that is, the intermediate parameter generated by the first end through the first sub-network; B = (B_1, B_2, …, B_k) denotes the intermediate parameter after the differential privacy noise is added; and C = (C_1, C_2, …, C_k) denotes the intermediate parameter after the noise reduction processing, where k is the dimension of the intermediate parameter. In this embodiment, after generating the original intermediate parameter A, the first end performs differential privacy processing on A, adding differential privacy noise to obtain B and so enhancing the security and privacy of the data, and sends B to the second end. The second end performs noise reduction processing on B to obtain C, reducing the noise, and performs subsequent joint training based on C to improve the accuracy of the jointly trained model.
Illustratively, for the forward propagation process, the first end is the client and the second end is the server. Before the client sends the intermediate parameter to the server, it applies differential privacy processing to the intermediate parameter and sends the resulting noise-containing intermediate parameter to the server. After the server receives the intermediate parameter that the client has subjected to differential privacy processing, the server performs noise reduction processing on it to reduce the noise, and performs subsequent federated learning based on the noise-reduced intermediate parameter.
Illustratively, for the backward propagation process, the first end is the server and the second end is the client. Before the server sends the intermediate parameter to the client, it applies differential privacy processing to the intermediate parameter and sends the resulting noise-containing intermediate parameter to the client. After the client receives the intermediate parameter that the server has subjected to differential privacy processing, the client performs noise reduction processing on it to reduce the noise, and performs subsequent federated learning based on the noise-reduced intermediate parameter.
Illustratively, for the prediction inference process, the first end is the client and the second end is the server. Before the client sends the intermediate parameter to the server, it applies differential privacy processing to the intermediate parameter and sends the resulting noise-containing intermediate parameter to the server. After the server receives the intermediate parameter that the client has subjected to differential privacy processing, the server performs noise reduction processing on it to reduce the noise, and performs the forward propagation calculation based on the noise-reduced intermediate parameter to obtain a prediction result.
In an optional embodiment, when the second end needs to send an intermediate parameter to the first end, the second end performs differential privacy processing on the intermediate parameter to be sent and sends the result to the first end. After receiving the intermediate parameter subjected to differential privacy processing, the first end performs noise reduction processing on it and performs subsequent federated learning based on the first sub-network using the noise-reduced intermediate parameter.
In practical applications, after noise is added to the intermediate parameter by using the differential privacy, the training accuracy of the joint learning is reduced, and the degree of the reduction is mainly dependent on the variance of the added noise.
Assuming that the intermediate parameter A is a k-dimensional vector, the original value range of the median value A is (-1,1), after the differential privacy noise is added to A, the value range of the median value B exceeds (-1,1) after B is obtained, the distribution of B is more discrete, the variance is increased, and the training accuracy is reduced.
In an optional embodiment, when performing noise reduction processing on the intermediate parameter containing noise obtained through the differential privacy processing, reduction processing may be specifically performed on the intermediate parameter containing noise to reduce the variance of noise in the intermediate parameter, so as to improve the accuracy of the model.
Specifically, the reduction processing is performed on the intermediate parameter B after the differential privacy noise is added, as follows:
Set the value range of the parameter λ to (0,1) and scale B down by the factor λ, that is, compute C = λB, so that B is pulled back to the range (-1,1). The variance of C is smaller than that of B, and performing federated learning based on C can improve the accuracy of the model.
In an optional embodiment, when the noise reduction processing is performed on the intermediate parameter containing noise obtained through the differential privacy processing, a random masking method may be specifically adopted to perform the noise reduction processing on the intermediate parameter containing noise, so as to reduce the overall variance of the noise in the intermediate parameter, thereby improving the accuracy of the model.
Specifically, the intermediate parameter B after the differential privacy noise is added is subjected to random masking processing in the following manner:
Let R_p be a random vector containing only the values 0 and 1, where the value at each position independently follows a Bernoulli distribution with probability p. R_p has the same dimension as B. Define a new vector C such that C_i = B_i when R_p_i = 1, and C_i = 0 when R_p_i = 0. That is, the randomness of R_p determines which values in B are retained; for values that are not retained, the position is set directly to 0. The positions set to 0 lose that part of the parameter information, but the negative effect of the noise on accuracy is eliminated there, and the overall variance of the noise becomes smaller. By setting a suitable probability p (e.g. p = 0.6 when the standard deviation of the added Gaussian noise is σ = 0.5), the overall accuracy of the model can be improved. The value of the probability p may be set by a technician according to experimental data and experience in the actual application scenario, and is not specifically limited herein.
In addition, experimental data show that, in the federated learning process based on the split neural network, performing noise reduction on the noise-containing intermediate parameters with the random masking method gives the model the ability to resist feature-space hijacking attacks, which further enhances the security of the model.
In the scheme provided by the application, the amount of noise is controlled by setting the differential privacy parameters, so that security and usability can be balanced. The noise reduction process is controlled through the random masking parameter p or the scaling coefficient λ, which improves the model effect; the scheme is highly flexible and can adapt to a variety of data scenarios. It can be used in the forward propagation and backward propagation processes of neural network training as well as in the prediction inference process, providing data protection throughout the whole process.
Fig. 9 is a system framework diagram of a federated learning system based on a split neural network in which the receiving end has a noise reduction module, according to another exemplary embodiment of the present application. As shown in Fig. 9, the federated learning system includes a client and a server that participate in federated learning, and the split neural network is split into two parts, that is, two sub-networks.
In this embodiment, one of the first end and the second end refers to a client and the other refers to a server. A first subnetwork is deployed at the first end and a second subnetwork is deployed at the second end.
In the federated learning process of the split neural network, the first end is provided with a noise adding module (such as the noise adding layer shown in Fig. 9). The first end generates intermediate parameters through the first sub-network and, before sending them to the second end, performs differential privacy processing on them through the noise adding module to obtain intermediate parameters containing noise. The first end then sends the intermediate parameters subjected to the differential privacy processing to the second end.
A noise reduction module (such as the noise reduction layer shown in Fig. 9) is added at the second end. The second end inputs the intermediate parameters subjected to the differential privacy processing into the noise reduction module for noise reduction, and performs subsequent federated learning based on the second sub-network using the intermediate parameters after noise reduction.
In this embodiment, an implementation manner of performing noise reduction processing on the intermediate parameter including noise is consistent with that in the above method embodiment, and specifically, reduction processing may be performed on the intermediate parameter including noise, or noise reduction processing may be performed on the intermediate parameter including noise by using a random masking method, which is specifically referred to the above method embodiment and is not described herein again.
Illustratively, for the forward propagation process, the first end is a client, the second end is a server, a noise adding layer is added to the client to serve as a noise adding module, and a noise reducing layer is added to the server to serve as a noise reducing module.
Illustratively, for the backward propagation process, the first end is a server, the second end is a client, a noise adding layer is added to the server to serve as a noise adding module, and a noise reducing layer is added to the client to serve as a noise reducing module.
Illustratively, for the prediction inference process, the first end is a client, the second end is a server, a noise adding layer is added to the client to serve as a noise adding module, and a noise reducing layer is added to the server to serve as a noise reducing module.
In the application, when the intermediate parameter is transmitted between the client and the server, the differential privacy protection and the noise reduction processing on the intermediate parameter can be independently applied to any one of the forward propagation process, the backward propagation process and the prediction inference process, and can also be applied to a plurality of processes of the forward propagation process, the backward propagation process and the prediction inference process.
In an example embodiment, Fig. 10 is a framework diagram of the forward propagation process in a federated learning system based on a split neural network in which the receiving end has a noise reduction module, according to another example embodiment of the present application. The participants of federated learning include a client and a server; the client possesses the data features and the server possesses the data labels. When federated learning based on the split neural network is performed, that is, when the neural network is trained, differential privacy protection and noise reduction of the intermediate parameters can be carried out in the forward propagation process.
Specifically, the client serves as the first end, which sends the intermediate parameters, and the server serves as the second end, which receives them. As shown in Fig. 10, the client inputs the local data features X2 = (X_1, X_2, …, X_n) from the input layer nodes into the locally deployed partial sub-network and performs forward propagation calculation. When the last layer of nodes of the hidden layer of the locally deployed partial sub-network is reached, the hidden layer outputs the intermediate parameter A3 = (A_1, A_2, …, A_k). A noise adding layer is added at the client; the intermediate parameter A3 output by the hidden layer is input into the noise adding layer, which adds differential privacy noise to it so that the intermediate parameter obtains differential privacy protection, yielding the noise-containing intermediate parameter B3 = (B_1, B_2, …, B_k). The client sends the noise-containing intermediate parameter B3 to the server.
Further, a noise reduction layer is added at the server, and the server inputs the noise-containing intermediate parameter B3 into the noise reduction layer for noise reduction, obtaining the noise-reduced intermediate parameter C3 = (C_1, C_2, …, C_k). The noise reduction process does not sacrifice the security of the scheme, but improves the accuracy of model training by reducing the noise scale. The server inputs the noise-reduced intermediate parameter C3 into the hidden layer of the other, locally deployed part of the sub-network, continues the subsequent forward propagation calculation, and finally obtains the prediction result Y2 = (Y_1, Y_2, …, Y_m) output by the output layer, where n represents the dimension of the input data features and m represents the dimension of the output prediction. Further, the server can perform the back propagation process according to the prediction result Y2 and the data labels it possesses to complete one round of model training iteration.
In an example embodiment, Fig. 11 is a diagram illustrating the backward propagation process in a federated learning system based on a split neural network in which the receiving end has a noise reduction module, according to another example embodiment of the present application. When federated learning based on the split neural network is performed, that is, when the neural network is trained, differential privacy protection and noise reduction of the intermediate parameter may be carried out in the backward propagation process, so as to protect the label information from being leaked.
Specifically, as shown in Fig. 11, the server calculates an error according to the prediction result and the local label data and performs backward propagation from the output layer; when the error has been propagated backward to the last layer of the hidden layer of the other part of the sub-network local to the server, a backward propagation intermediate parameter A4 is obtained. A noise adding layer is added at the server, and differential privacy noise is added to the intermediate parameter A4 through the noise adding layer to obtain the noise-containing intermediate parameter B4. The server sends the noise-containing intermediate parameter B4 to the client. A noise reduction layer is added at the client, and the client inputs the noise-containing intermediate parameter B4 into the noise reduction layer for noise reduction to obtain the noise-reduced intermediate parameter C4. Based on the noise-reduced intermediate parameter C4, the client propagates backward from the last layer of the hidden layer of the locally deployed partial sub-network to the output layer, so as to update the model parameters and complete one round of model training iteration.
Fig. 12 is a flowchart of a method of a prediction system based on a split neural network according to another exemplary embodiment of the present application. The prediction system based on the split neural network comprises a client and a server participating in federated learning, and the split neural network is split into a third sub-network stored in the client and a fourth sub-network stored in the server. As shown in Fig. 12, the prediction process of the prediction system based on the split neural network includes the following specific steps:
Step S1201, in response to a prediction task for a target object, the client inputs the data features of the target object into the local third sub-network for forward propagation calculation to obtain an intermediate parameter.
Illustratively, the prediction task of the target object may be a tag prediction task for a target group of people, the client possessing data characteristics of the target group of people.
The intermediate parameter may be an output vector obtained by performing forward propagation calculation on the data feature by using the third subnetwork.
Step S1202, the client performs differential privacy processing on the obtained intermediate parameter to obtain an intermediate parameter containing noise.
Illustratively, when the intermediate parameter is subjected to differential privacy processing, the intermediate parameter can be subjected to differential privacy protection by adding gaussian noise disturbance to the intermediate parameter. The intensity of the disturbance is determined by the intensity of the gaussian noise, specifically, the intensity of the gaussian noise can be represented by a standard deviation σ of the gaussian noise, and can be set by a technician according to the requirements of an actual application scenario, which is not specifically limited herein.
Step S1203, the client sends the intermediate parameter containing the noise to the server.
Step S1204, the server performs noise reduction processing on the intermediate parameter containing the noise.
Step S1205, the server inputs the noise-reduced intermediate parameters sent by the client into the fourth sub-network for forward propagation calculation to obtain a prediction result.
Illustratively, the server side continues to perform forward propagation calculation by using the fourth sub-network to obtain the prediction result.
In practical applications, adding noise to the intermediate parameter by means of differential privacy reduces the training accuracy of federated learning, and the degree of reduction is mainly determined by the variance of the added noise.
Assume that the intermediate parameter A is a k-dimensional vector whose values originally lie in the range (-1,1). After differential privacy noise is added to A to obtain B, the values of B fall outside (-1,1), the distribution of B is more dispersed, the variance increases, and the training accuracy decreases.
In an optional embodiment, when performing noise reduction processing on the intermediate parameter containing noise obtained through the differential privacy processing, reduction processing may be specifically performed on the intermediate parameter containing noise to reduce a variance of noise in the intermediate parameter, so as to improve accuracy of the model.
Specifically, the reduction processing is performed on the intermediate parameter B after the differential privacy noise is added, as follows:
Set the value range of the parameter λ to (0,1) and scale B down by the factor λ, that is, compute C = λB, so that B is pulled back to the range (-1,1). The variance of C is smaller than that of B, and performing federated learning based on C can improve the accuracy of the model.
In an optional embodiment, when the noise reduction processing is performed on the intermediate parameter containing noise obtained through the differential privacy processing, a random masking method may be specifically adopted to perform the noise reduction processing on the intermediate parameter containing noise, so as to reduce the overall variance of the noise in the intermediate parameter, thereby improving the accuracy of the model.
Specifically, the intermediate parameter B after the differential privacy noise is added is subjected to random masking processing in the following manner:
Let R_p be a random vector containing only the values 0 and 1, where the value at each position independently follows a Bernoulli distribution with probability p. R_p has the same dimension as B. Define a new vector C such that C_i = B_i when R_p_i = 1, and C_i = 0 when R_p_i = 0. That is, the randomness of R_p determines which values in B are retained; for values that are not retained, the position is set directly to 0. The positions set to 0 lose that part of the parameter information, but the negative effect of the noise on accuracy is eliminated there, and the overall variance of the noise becomes smaller. By setting a suitable probability p (e.g. p = 0.6 when the standard deviation of the added Gaussian noise is σ = 0.5), the overall accuracy of the model can be improved. The value of the probability p may be set by a technician according to experimental data and experience in the actual application scenario, and is not specifically limited herein.
In addition, experimental data show that, in the federated learning process based on the split neural network, performing noise reduction on the noise-containing intermediate parameters with the random masking method gives the model the ability to resist feature-space hijacking attacks, which further enhances the security of the model.
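The two noise reduction options described above and in the earlier training embodiment, reduction (C = λB) and random masking with R_p, are sketched below as an added example that is not part of the patent text. The vector A is constructed test data, the function names are hypothetical, and p is assumed to be the probability that a position is kept.

```python
import random


def add_gaussian_noise(a, sigma, rng):
    """Noise-adding layer: B = A + N with N_i ~ Normal(0, sigma^2).

    Returns B and the noise vector N (N is kept only so the demo can
    measure how much of it survives each noise reduction step).
    """
    noise = [rng.gauss(0.0, sigma) for _ in a]
    return [x + n for x, n in zip(a, noise)], noise


def shrink(b, lam):
    """Reduction: C = lambda * B, with lambda in the open interval (0, 1)."""
    if not 0.0 < lam < 1.0:
        raise ValueError("lambda must lie in (0, 1)")
    return [lam * x for x in b]


def random_mask(b, p, rng):
    """Random masking: draw R_p_i ~ Bernoulli(p) independently per position.

    C_i = B_i where R_p_i == 1 and C_i = 0 where R_p_i == 0.
    Assumption: p is the probability of keeping a position.
    """
    if not 0.0 <= p <= 1.0:
        raise ValueError("p must lie in [0, 1]")
    r = [1 if rng.random() < p else 0 for _ in b]
    return [x if keep else 0.0 for x, keep in zip(b, r)], r


def mean_square(v):
    """Empirical power (mean of squares) of a zero-mean component."""
    return sum(x * x for x in v) / len(v)


def fraction_outside_unit(v):
    """Share of entries that fall outside the original range (-1, 1)."""
    return sum(1 for x in v if abs(x) >= 1.0) / len(v)


def run_demo(k=20000, sigma=0.5, lam=0.5, p=0.6, seed=7):
    """Apply both noise reduction options to the same noisy vector B."""
    rng = random.Random(seed)
    # Constructed stand-in for a hidden-layer output A with values in (-1, 1).
    a = [rng.uniform(-1.0, 1.0) for _ in range(k)]
    b, noise = add_gaussian_noise(a, sigma, rng)

    c_scaled = shrink(b, lam)
    c_masked, r = random_mask(b, p, rng)

    # Noise that remains inside each output vector.
    # Scaling multiplies the signal A by the same factor lambda as the noise.
    noise_scaled = [lam * n for n in noise]
    noise_masked = [n * keep for n, keep in zip(noise, r)]

    return {
        "noise_power_b": mean_square(noise),               # about sigma^2
        "noise_power_scaled": mean_square(noise_scaled),   # lambda^2 * sigma^2
        "noise_power_masked": mean_square(noise_masked),   # about p * sigma^2
        "outside_b": fraction_outside_unit(b),
        "outside_scaled": fraction_outside_unit(c_scaled),
        "outside_masked": fraction_outside_unit(c_masked),
        "kept_fraction": sum(r) / k,
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name:20s} {value:.4f}")
```

Both functions operate only on the already-noised vector B, so they are post-processing of the differential privacy output.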
Fig. 13 is a schematic structural diagram of a federated learning apparatus based on a split neural network according to an exemplary embodiment of the present application. The participants of federated learning comprise a first end and a second end, one of which is a client and the other a server. The split neural network is split into a first sub-network and a second sub-network; the first sub-network is deployed at the first end, and the second sub-network is deployed at the second end. The apparatus provided by the present embodiment is applied to the above-mentioned first end. As shown in Fig. 13, the split neural network-based federated learning apparatus 130 includes: a differential privacy protection module 1301 and a noise reduction module 1302.
The differential privacy protection module 1301 is configured to, in the federated learning process of the split neural network, perform differential privacy processing on the intermediate parameter generated by the first sub-network before the first end sends it to the second end, so as to obtain an intermediate parameter containing noise.
The noise reduction module 1302 is configured to perform noise reduction processing on the intermediate parameter containing noise and send the noise-reduced intermediate parameter to the second end, so that the second end performs subsequent federated learning based on the second sub-network according to the noise-reduced intermediate parameter.
In an alternative embodiment, when implementing the denoising process for the intermediate parameter containing noise, the denoising module 1302 is further configured to:
perform noise reduction processing on the intermediate parameter containing noise by using a random masking method; or, perform reduction processing on the intermediate parameter containing noise.
The apparatus provided in this embodiment may be specifically configured to execute the federated learning scheme provided by any embodiment based on Fig. 3; the specific functions and the technical effects that can be achieved are not described herein again.
Fig. 14 is a schematic structural diagram of a federated learning apparatus based on a split neural network according to another exemplary embodiment of the present application. The participants of federated learning comprise a first end and a second end, one of which is a client and the other a server. The split neural network is split into a first sub-network and a second sub-network; the first sub-network is deployed at the first end, and the second sub-network is deployed at the second end. The apparatus provided by the present embodiment is applied to the above-mentioned second end. As shown in Fig. 14, the split neural network-based federated learning apparatus 140 includes: a noise reduction module 1401 and a federated learning module 1402.
The noise reduction module 1401 is configured so that, in the federated learning process based on the split neural network, the second end receives the intermediate parameter subjected to differential privacy processing that is sent by the first end and performs noise reduction processing on it, where the intermediate parameter subjected to differential privacy processing is obtained by the first end performing differential privacy processing on the intermediate parameter generated by the first sub-network.
The federated learning module 1402 is used by the second end to perform subsequent federated learning based on the second sub-network using the intermediate parameters after noise reduction.
In an alternative embodiment, the split neural network-based federated learning apparatus 140 may also include a differential privacy processing module. The differential privacy processing module is used for: when an intermediate parameter needs to be sent to the first end, the second end performs differential privacy processing on the intermediate parameter to be sent and sends the processed intermediate parameter to the first end.
In an optional embodiment, when implementing the noise reduction processing on the intermediate parameter subjected to the differential privacy processing, the noise reduction module 1401 is further configured to:
perform noise reduction processing on the intermediate parameter subjected to the differential privacy processing by using a random masking method; or, perform reduction processing on the intermediate parameter subjected to the differential privacy processing.
The apparatus provided in this embodiment may be specifically configured to execute the federated learning scheme provided by any embodiment based on Fig. 8; the specific functions and the technical effects that can be achieved are not described herein again.
Fig. 15 is a schematic structural diagram of an electronic device according to an example embodiment of the present application. As shown in fig. 15, the electronic device 150 includes: a processor 1501, and a memory 1502 communicatively coupled to the processor 1501, the memory 1502 storing computer-executable instructions.
The processor executes the computer execution instruction stored in the memory to implement the processing procedure executed by the client or the server in any of the above method embodiments, and the specific functions and the technical effects that can be achieved are not described herein again.
An embodiment of the present application further provides a computer-readable storage medium, where a computer-executable instruction is stored in the computer-readable storage medium, and the computer-executable instruction is used by a processor to implement a processing procedure executed by a client or a server in any one of the method embodiments, and specific functions and technical effects that can be achieved are not described herein again.
An embodiment of the present application further provides a computer program product, where the computer program product includes: the computer program is stored in the readable storage medium, at least one processor of the electronic device may read the computer program from the readable storage medium, and the at least one processor executes the computer program, so that the electronic device executes the processing procedure executed by the client or the server in any of the method embodiments, where specific functions and technical effects that can be achieved are not described herein again.
In addition, in some of the flows described in the above embodiments and the drawings, a plurality of operations are included in a certain order, but it should be clearly understood that the operations may be executed out of the order presented herein or in parallel, and only for distinguishing between different operations, and the sequence number itself does not represent any execution order. Additionally, the flows may include more or fewer operations, and the operations may be performed sequentially or in parallel. It should be noted that, the descriptions of "first", "second", etc. in this document are used for distinguishing different messages, devices, modules, etc., and do not represent a sequential order, nor limit the types of "first" and "second" to be different. The meaning of "a plurality" is two or more unless specifically limited otherwise.
Other embodiments of the present application will be apparent to those skilled in the art from consideration of the specification and practice of the invention disclosed herein. This application is intended to cover any variations, uses, or adaptations of the invention following, in general, the principles of the application and including such departures from the present disclosure as come within known or customary practice within the art to which the invention pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the application being indicated by the following claims.
It will be understood that the present application is not limited to the precise arrangements described above and shown in the drawings and that various modifications and changes may be made without departing from the scope thereof. The scope of the application is limited only by the appended claims.

Claims (14)

1. A federated learning method based on a split neural network, wherein the participants of federated learning include a first end and a second end, one of the first end and the second end is a client end, and the other end is a server end, the split neural network is split into two parts, namely a first sub-network deployed at the first end and a second sub-network deployed at the second end, and the method comprises:
in the federated learning process of the split neural network, before the first end sends intermediate parameters generated through the first sub-network to the second end, performing differential privacy processing on the intermediate parameters to obtain intermediate parameters containing noise;
and performing noise reduction processing on the intermediate parameters containing the noise, and sending the noise-reduced intermediate parameters to the second end, so that the second end performs subsequent federated learning based on the second sub-network according to the noise-reduced intermediate parameters.
2. The method according to claim 1, wherein the denoising the intermediate parameter containing noise comprises:
performing noise reduction processing on the intermediate parameter containing the noise by using a random masking method;
or,
performing reduction processing on the intermediate parameter containing the noise.
3. A federated learning method based on a split neural network, wherein the participants of federated learning include a first end and a second end, one of the first end and the second end is a client end, and the other end is a server end, the split neural network is split into two parts, namely a first sub-network deployed at the first end and a second sub-network deployed at the second end, and the method comprises:
in the federated learning process based on the split neural network, the second end receives intermediate parameters which are sent by the first end and have been subjected to differential privacy processing, wherein the intermediate parameters subjected to the differential privacy processing are obtained by the first end performing differential privacy processing on the intermediate parameters generated by the first sub-network;
the second end performs noise reduction processing on the intermediate parameters subjected to the differential privacy processing;
and the second end performs subsequent federated learning based on the second sub-network by using the intermediate parameters after the noise reduction processing.
4. The method of claim 3, further comprising:
when the intermediate parameter needs to be sent to the first end, the second end carries out differential privacy processing on the intermediate parameter to be sent, and the intermediate parameter subjected to the differential privacy processing is sent to the first end.
5. The method according to claim 3 or 4, wherein the performing noise reduction processing on the differential privacy processed intermediate parameters comprises:
performing noise reduction processing on the intermediate parameter subjected to the differential privacy processing by using a random masking method;
or,
performing reduction processing on the intermediate parameter subjected to the differential privacy processing.
6. A split neural network-based federated learning system, comprising: a first end and a second end participating in federated learning, wherein one of the first end and the second end is a client and the other is a server, the split neural network is split into a first sub-network and a second sub-network, the first sub-network is deployed at the first end, the second sub-network is deployed at the second end,
in the federated learning process of the split neural network, the first end generates intermediate parameters through the first sub-network, and performs differential privacy processing on the intermediate parameters to obtain intermediate parameters containing noise;
the first end carries out noise reduction processing on the intermediate parameter containing the noise and sends the intermediate parameter after the noise reduction processing to the second end;
and the second terminal performs subsequent federal learning based on the second sub-network according to the intermediate parameters which are sent by the first terminal and subjected to the noise reduction processing.
7. A split neural network-based federated learning system, comprising: a first end and a second end participating in federal learning, wherein one end of the first end and the second end is a client end, and the other end is a server end, the split neural network is split into a first sub-network and a second sub-network, the first sub-network is deployed at the first end, the second sub-network is deployed at the second end,
in the federal learning process of the segmented neural network, a first end generates intermediate parameters through a first sub-network, performs differential privacy processing on the generated intermediate parameters, and sends the intermediate parameters subjected to the differential privacy processing to a second end;
and the second end carries out noise reduction processing on the intermediate parameter subjected to the difference privacy processing, and carries out subsequent federal learning on the basis of a second sub-network by using the intermediate parameter subjected to the noise reduction processing.
8. A prediction system based on a split neural network, comprising: a client and a server participating in federated learning, wherein the split neural network is split into a third sub-network stored at the client and a fourth sub-network stored at the server,
in response to a prediction task for a target object, the client inputs the data features of the target object into the local third sub-network for forward propagation calculation, performs differential privacy processing on the obtained intermediate parameters to obtain intermediate parameters containing noise, performs noise reduction processing on the intermediate parameters containing the noise, and sends the intermediate parameters after the noise reduction processing to the server;
and the server inputs the intermediate parameters after the noise reduction processing, sent by the client, into the fourth sub-network for forward propagation calculation to obtain a prediction result.
9. A prediction system based on a split neural network, comprising: a client and a server participating in federated learning, wherein the split neural network is split into a third sub-network stored at the client and a fourth sub-network stored at the server,
in response to a prediction task for a target object, the client inputs the data features of the target object into the local third sub-network for forward propagation calculation, performs differential privacy processing on the obtained intermediate parameters to obtain intermediate parameters containing noise, and sends the intermediate parameters containing the noise to the server;
and the server performs noise reduction processing on the intermediate parameters containing the noise, and inputs the intermediate parameters after the noise reduction processing into the fourth sub-network for forward propagation calculation to obtain a prediction result.
10. A federated learning apparatus based on a split neural network, wherein the participants of the federated learning include a first end and a second end, one of the first end and the second end is a client and the other is a server, and the split neural network is split into two parts, namely a first sub-network deployed at the first end and a second sub-network deployed at the second end, the apparatus comprising:
a differential privacy protection module, configured to perform, in the federated learning process of the split neural network, differential privacy processing on the intermediate parameters generated by the first sub-network before the first end sends them to the second end, to obtain intermediate parameters containing noise;
and a noise reduction module, configured to perform noise reduction processing on the intermediate parameters containing the noise and send the intermediate parameters after the noise reduction processing to the second end, so that the second end performs subsequent federated learning based on the second sub-network according to the intermediate parameters after the noise reduction processing.
11. A federated learning apparatus based on a split neural network, wherein the participants of the federated learning include a first end and a second end, one of the first end and the second end is a client and the other is a server, and the split neural network is split into two parts, namely a first sub-network deployed at the first end and a second sub-network deployed at the second end, the apparatus comprising:
a noise reduction module, configured so that, in the federated learning process based on the split neural network, the second end receives the intermediate parameters subjected to differential privacy processing that are sent by the first end and performs noise reduction processing on them, wherein the intermediate parameters subjected to differential privacy processing are obtained by the first end performing differential privacy processing on the intermediate parameters generated by the first sub-network;
and a federated learning module, configured so that the second end performs subsequent federated learning based on the second sub-network using the intermediate parameters after the noise reduction processing.
12. An electronic device, comprising: a processor, and a memory communicatively coupled to the processor;
the memory stores computer-executable instructions;
the processor executes computer-executable instructions stored by the memory to implement the method of any of claims 1-5.
13. A computer-readable storage medium having computer-executable instructions stored therein, which when executed by a processor, are configured to implement the method of any one of claims 1-5.
14. A computer program product, characterized in that it comprises a computer program which, when being executed by a processor, carries out the method of any one of claims 1-5.
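Claims 8 and 9 differ only in which side runs the noise reduction. The sketch below is an added example, not code from the patent: the Gaussian noise, the clipping bound, the toy weights and the projection-based denoiser are all assumptions, because the claims name no specific noise or noise-reduction mechanism.

```python
import math
import random

CLIP = 1.0    # assumed L2 bound on the cut-layer vector (bounds the sensitivity)
SIGMA = 0.5   # assumed Gaussian noise scale; in practice set from the privacy budget
# Constructed toy weights, not taken from the patent.
W3 = [[0.6, -0.2, 0.1], [-0.4, 0.9, 0.3], [0.2, 0.1, -0.7], [0.5, 0.5, 0.5]]  # client side
W4 = [0.8, -0.5, 0.3, 0.4]                                                    # server side

def l2(v):
    return math.sqrt(sum(x * x for x in v))

def clip(v, bound=CLIP):
    n = l2(v)
    return list(v) if n <= bound else [x * bound / n for x in v]

def client_forward(features):
    """Third sub-network: linear layer + ReLU, then norm clipping."""
    hidden = [max(0.0, sum(w * x for w, x in zip(row, features))) for row in W3]
    return clip(hidden)

def add_dp_noise(v, rng):
    """Differential privacy step: independent Gaussian noise per coordinate."""
    return [x + rng.gauss(0.0, SIGMA) for x in v]

def denoise(v):
    """Noise reduction from public facts only: ReLU outputs are >= 0 and
    the clean vector has norm <= CLIP. It never reads the raw features."""
    return clip([max(0.0, x) for x in v])

def server_forward(v):
    """Fourth sub-network: linear layer + sigmoid score."""
    return 1.0 / (1.0 + math.exp(-sum(w * x for w, x in zip(W4, v))))

def predict(features, denoise_at, rng=None):
    rng = rng or random.SystemRandom()   # OS entropy unless a seeded rng is passed
    clean = client_forward(features)
    noisy = add_dp_noise(clean, rng)
    if denoise_at == "client":           # claim 8: denoise, then send
        wire = denoise(noisy)
        score = server_forward(wire)
    else:                                # claim 9: send noisy, server denoises
        wire = noisy
        score = server_forward(denoise(wire))
    return {"clean": clean, "noisy": noisy, "wire": wire, "score": score}

def dist(a, b):
    return l2([x - y for x, y in zip(a, b)])
```

Because this denoiser uses only public constraints on the noised vector, it is post-processing, so the differential privacy guarantee established by the noise step is the same in either placement; the two claims differ in what crosses the wire, not in the prediction.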
CN202210996006.3A 2022-08-18 2022-08-18 System, method and device for federated learning and prediction based on segmented neural networks Pending CN115204374A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210996006.3A CN115204374A (en) 2022-08-18 2022-08-18 System, method and device for federated learning and prediction based on segmented neural networks


Publications (1)

Publication Number Publication Date
CN115204374A (en) 2022-10-18

Family

ID=83572959


Country Status (1)

Country Link
CN (1) CN115204374A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination