CN117474118A - A federated learning privacy protection method based on improved diffusion model - Google Patents

Info

Publication number: CN117474118A
Application number: CN202311205515.0A
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Prior art keywords: model, central server, noise, client, data
Inventors: 任诚, 雷靖鹏, 王宇, 李亚鑫, 杨耀钧, 袁方智, 张江平, 高劲松, 苟豪锐
Current Assignee: Southwest Petroleum University
Original Assignee: Southwest Petroleum University
Application filed by Southwest Petroleum University
Priority to CN202311205515.0A
Publication of CN117474118A

Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS > G06N20/00 Machine learning
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/60 Protecting data > G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/60 Protecting data > G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules > G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database > G06F21/6245 Protecting personal data, e.g. for financial or medical purposes
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS > G06N3/00 Computing arrangements based on biological models > G06N3/02 Neural networks > G06N3/08 Learning methods
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS > G06N3/00 Computing arrangements based on biological models > G06N3/02 Neural networks > G06N3/08 Learning methods > G06N3/098 Distributed learning, e.g. federated learning

Abstract

The present invention relates to the protection of users' personal privacy information and discloses a federated learning privacy protection method based on an improved diffusion model, which protects the data of clients' local models. It includes the following steps. Step 1: each client receives the data distributed by the central server. Step 2: the data undergoes all T update iterations on the N clients to obtain the updated model. Step 3: the model obtained from the client update is encrypted and encoded with the deep neural network of the improved Diffusion Model to obtain the forward encrypted model. Step 4: the encrypted model is uploaded to the central server, where it is sampled and decoded; the models are aggregated and updated to obtain a new round of the global model, which is delivered to the clients for the next round of federated learning model update iterations. The invention is mainly applied to privacy protection of federated learning communication, and it also greatly improves federated learning communication efficiency.

Description

A federated learning privacy protection method based on an improved diffusion model

Technical field

The present invention relates to the protection of users' personal privacy information, and in particular to communication privacy protection in current federated learning. It adopts the latest deep neural network algorithm based on an improved diffusion model, which raises the degree of client privacy protection in federated learning and also greatly improves communication efficiency.

Background

With the growing number of IoT devices, more and more distributed data is appearing, and deep learning has been applied successfully in smart devices. Data transmission and reception on mobile devices are becoming increasingly frequent, and many operators have begun to pay attention to deep learning frameworks for users' mobile terminals. In recent years many mobile frameworks have appeared, such as TensorFlow Lite, PyTorch Mobile, Caffe2, NCNN and MNN.

In a distributed data system, data is usually split into multiple small blocks, each stored on a different node. The nodes communicate with each other over the network to coordinate reading, writing, backup, recovery and other operations. Distributed data systems also usually provide several data consistency and fault-tolerance mechanisms to ensure the correctness and reliability of the data. Distributed data can be applied in many fields, such as Internet search engines, large-scale data analysis, distributed storage systems and blockchain. It can help enterprises and organizations manage and process data better and improve the efficiency and quality of data processing, while also reducing data storage and maintenance costs and improving the scalability and reliability of the system.

At present, federated learning can significantly improve the speed and efficiency of machine learning, yet the storage and transmission of distributed data on mobile devices still face threats and challenges. At the same time, with the widespread application of mobile devices and IoT technology, the demand for distributed machine learning keeps growing. In this situation, how to guarantee data privacy and security on mobile devices has become an important problem, because data in transit may be attacked or stolen by hackers, leaking users' private information. The traditional federated learning framework therefore has major loopholes in privacy protection. The traditional framework is as follows:

Step 1: Select participants: select several participants from the data holders; they will take part in the training process.

Step 2: Model initialization: before training starts, a global model is initialized.

Step 3: Participant training: each participant trains the model on its local data. This can be based on traditional machine learning algorithms or on deep learning algorithms.

Step 4: Model aggregation: after a certain number of rounds of local training, participants upload their model parameters to the central server, which then aggregates the models. Common aggregation methods include weighted averaging and gradient averaging.

Step 5: Update the global model: the aggregated model parameters are used to update the global model.

Step 6: Repeat: the above steps are repeated until a predetermined convergence condition or number of iterations is reached.

A large body of research has therefore proposed improvements for the two problems of current federated learning, namely its privacy protection loopholes and its communication efficiency. WANG et al. used Generative Adversarial Networks (GAN): by deploying a multi-task generative adversarial network, mGAN-AI, on the server to discriminate the authenticity, category and owning user of the data, they used the update values to reconstruct typical data of the participants. ZHU et al. found that a malicious attacker can steal the original training data from partially updated gradient information. Schemes that protect gradient confidentiality with technologies such as Differential Privacy (DP), Secure Multi-Party Computation (SMC) and Homomorphic Encryption (HE) have therefore been proposed.

Summary of the invention

To address the privacy protection loopholes and communication efficiency problems of existing federated learning, the present invention adopts the latest improved diffusion model deep neural network algorithm and uses a Markov-like decision process in the model encryption stage. Specifically: the data distributed by the central server is received; the data undergoes all T update iterations on the local client to obtain the updated model; the model obtained from the client update is encrypted and encoded with the deep neural network of the improved diffusion model, using the log maximum likelihood method during encoding to obtain the forward encrypted model; the encrypted model is uploaded to the central server, where it is sampled and decoded, and the models are aggregated and updated to obtain a new round of the global model, which is delivered to the clients for the next round of federated learning model update iterations.

To achieve the efficient communication and privacy protection of federated learning described above, the present invention includes the following steps:

Step 1: Each client receives data from the central server. The central server first initializes the global model $w_0$ and broadcasts it to N clients. The number of local update iterations on each client is r, the total number of global training rounds is T, and the number of encryption layers of the improved diffusion model deep neural network (IDMN) is S.

Step 2: The clients update the model data. Each client performs r local update iterations on the model received from the central server. For N clients, the central server broadcasts m global models, and the local model updated by the N-th client after iteration is

Step 3: Encrypt the model with the improved diffusion model deep neural network (IDMN). Set the number of diffusion model layers of the IDMN to S. Given a data distribution $x_0 \sim q(x_0)$, define a forward noising process q that adds Gaussian noise with variance $\beta_s \in (0, 1)$ at time s to produce the latents $x_S \sim \mathcal{N}(0, 1)$ to $x_S$. The original diffusion model is then as follows:

Given a sufficiently large S and a well-behaved schedule of $\beta_s$, the latent $x_S$ is almost an isotropic Gaussian distribution. Therefore, if the exact reverse distribution $q(x_{s-1} \mid x_s)$ is known, one can sample $x_S \sim \mathcal{N}(0, 1)$ and run the process in reverse to obtain a sample from $q(x_0)$. Since $q(x_{s-1} \mid x_s)$ depends on the entire data distribution, it is approximated with a neural network as follows:

$p_\theta(x_{s-1} \mid x_s) := \mathcal{N}(x_{s-1}; \mu_\theta(x_s, s), \Sigma_\theta(x_s, s))$ (3)

The combination of q and p is a variational autoencoder, so the variational lower bound (VLB) can be written as follows:

$L_{vlb} := L_0 + L_1 + \dots + L_{S-1} + L_S$ (4)

$L_0 := -\log p_\theta(x_0 \mid x_1)$ (5)

$L_{s-1} := D_{KL}(q(x_{s-1} \mid x_s, x_0) \,\|\, p_\theta(x_{s-1} \mid x_s))$ (6)

$L_S := D_{KL}(q(x_S \mid x_0) \,\|\, p(x_S))$ (7)

Apart from $L_0$, each term of Equation 4 is a KL divergence between two Gaussian distributions and can therefore be evaluated in closed form. To evaluate $L_0$ of the model, the central server broadcasts to 300 clients and $p_\theta(x_0 \mid x_1)$ is computed.

The noising process defined in Equation 2 allows an arbitrary step of the noised latents to be sampled directly, conditioned on the input $x_0$. When $\alpha_s := 1 - \beta_s$ and , the marginal distribution can be written as:

Also using Bayes' theorem, $q(x_{s-1} \mid x_s, x_0)$ is examined after the calculation; it is expressed using and , which are defined as follows:

The improved algorithm by which the IDMN of the present invention uses maximum likelihood to improve the privacy protection performance and the communication efficiency of federated learning is set out here. The deep neural network can predict the noise ε added to $x_0$, as follows:

Combined with the reweighted loss function, a new loss function $L_{simple}$ is defined:

This loss function can be viewed as a reweighted form of $L_{vlb}$. Optimizing this reweighted objective gives much more accurate results than optimizing $L_{vlb}$ directly. In addition, the IDMN changes the number of diffusion steps relative to the original diffusion model, greatly reducing the time needed to encrypt the model.

Because the first few noising steps of the diffusion model are decisive for the variational lower bound, a learned quantity $\Sigma_\theta(x_s, s)$ is defined here to improve the log-likelihood, where v is the interpolation predicted by the model. It is calculated as follows:

Because the loss function $L_{hybrid}$ in Formula 13 above is not affected by $\Sigma_\theta(x_s, s)$, a loss function $L_{hybrid}$ is defined again here, with $\lambda = 0.001$ set to reduce the influence of $L_{vlb}$. It is calculated as follows:

$L_{hybrid} = L_{simple} + \lambda L_{vlb}$ (15)

In addition, a better-performing noise schedule is constructed on this basis. Using a cosine function, which makes optimizing the objective function more flexible, the relevant noise parameter and the function f(s) are calculated as follows:

Step 4: Upload the model encrypted by the IDMN to the central server, where it is first sampled and decoded, as follows:

In step 3 the variance $\beta_s$ is defined by Formula 16, and its value is kept no greater than 0.999 to avoid a singularity when diffusing near s = S. The variance $\beta_s$ is calculated as follows:

In the model encryption stage, the method of the present invention preserves the privacy protection of the federated learning model while improving the communication efficiency of federated learning by reducing the number of diffusion encryption layers S. In the reverse sampling and decoding stage, a model trained with S diffusion steps would normally be sampled with the same sequence of s values (1, 2, …, S) used in training. However, sampling can also use an arbitrary subsequence A of the s values. Given the training noise schedule , for a given sequence A the sampling noise schedule can be obtained, and the sampling noise schedule can then be used to obtain the corresponding sampling variance and . The specific calculation is as follows:

After the reverse sampling and decoding computed above, the central server aggregates and updates the models $w_i$ uploaded by all clients, producing a new round of the global model on the central server. That global model is then delivered again, broadcast to every client, for the next round of iterative updates of the federated learning model, that is, the calculation of the above steps is repeated.

Through the above calculation, the present invention therefore shortens the number of diffusion encryption layers from the original S steps to A steps. Both the forward model encryption process and the reverse sampling and decoding process use far fewer diffusion layers, which shows that the federated learning privacy protection method of the present invention ensures client privacy protection while also improving the communication efficiency of federated learning.
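
The cosine noise schedule, the 0.999 cap on $\beta_s$ and the shortened sampling subsequence A described in steps 3 and 4, worked through in Python as an added example that is not part of the patent. The schedule and sampling formulas are missing from this page, so the cosine form of f(s), the offset 0.008, the one-shot forward marginal and the respacing rule used here are assumptions taken from the standard improved-diffusion formulation; the weight vector and the subsequence are constructed.

```python
import math
import random

MAX_BETA = 0.999  # the page caps beta_s at 0.999 to avoid a singularity near s = S


def f(s, S, offset=0.008):
    """Assumed cosine form of the page's f(s); the offset is an assumed default."""
    return math.cos((s / S + offset) / (1 + offset) * math.pi / 2) ** 2


def cosine_schedule(S):
    """Return (betas, alpha_bars). alpha_bars[s] is the cumulative product of
    (1 - beta) over steps 1..s, with alpha_bars[0] = 1."""
    betas, alpha_bars = [], [1.0]
    for s in range(1, S + 1):
        beta = min(1.0 - f(s, S) / f(s - 1, S), MAX_BETA)
        betas.append(beta)
        alpha_bars.append(alpha_bars[-1] * (1.0 - beta))
    return betas, alpha_bars


def respace(alpha_bars, steps):
    """Sampling schedule for an increasing subsequence A of the training steps.

    Returns (betas_A, variances_A): the noise level and the posterior
    sampling variance for each retained step (assumed respacing rule)."""
    betas_a, variances_a, prev = [], [], 1.0
    for s in steps:
        cur = alpha_bars[s]
        beta = 1.0 - cur / prev
        betas_a.append(beta)
        variances_a.append((1.0 - prev) / (1.0 - cur) * beta)
        prev = cur
    return betas_a, variances_a


def forward_noise(x0, alpha_bar, rng):
    """Draw x_s from q(x_s | x_0) in one shot; returns (x_s, eps)."""
    eps = [rng.gauss(0.0, 1.0) for _ in x0]
    a, b = math.sqrt(alpha_bar), math.sqrt(1.0 - alpha_bar)
    return [a * x + b * e for x, e in zip(x0, eps)], eps


def decode(xs, eps_hat, alpha_bar):
    """Estimate x_0 from x_s and a noise estimate eps_hat (the network's output)."""
    a, b = math.sqrt(alpha_bar), math.sqrt(1.0 - alpha_bar)
    return [(x - b * e) / a for x, e in zip(xs, eps_hat)]


def snr(alpha_bar):
    """Signal-to-noise ratio of x_s; large values mean x_s is close to x_0."""
    return alpha_bar / (1.0 - alpha_bar)


if __name__ == "__main__":
    S = 100
    betas, alpha_bars = cosine_schedule(S)
    A = list(range(10, S + 1, 10))      # constructed subsequence: 10 of 100 steps
    betas_a, variances_a = respace(alpha_bars, A)
    w = [0.12, -0.53, 0.91, 0.04]       # constructed client weight vector
    for s in (1, 50, 99):
        xs, _ = forward_noise(w, alpha_bars[s], random.Random(0))
        print(s, round(snr(alpha_bars[s]), 4), [round(v, 3) for v in xs])
```

`snr(alpha_bars[s])` gives the share of the original weight vector that survives in the noised copy at step s, which is the quantity to inspect when deciding how few steps to keep.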

Most current federated learning privacy protection techniques consider only the one-sided protection of client data and neglect the improvement of communication efficiency, which is important for federated learning. The present invention therefore adopts IDMN, an improved deep neural network algorithm. By improving the traditional way of adding noise and variance and improving the log maximum likelihood on noisy data, it makes corresponding improvements to the loss function of the traditional diffusion model, controls the variational lower bound loss function and the learning method used in model training, and reduces the number of steps for model encryption and for reverse sampling decryption. This improves the communication efficiency of privacy protection in federated learning and establishes a privacy protection model for federated learning that prevents the information of models transmitted in the federated learning network from being obtained through gradient backpropagation derivation.

Description of the drawings

Figure 1 is a framework diagram of a federated learning privacy protection method based on an improved diffusion model.

Figure 2 is a model training flow chart of a federated learning privacy protection method based on an improved diffusion model.

Figure 3 compares the FedIDMN algorithm of the present invention with the traditional federated learning algorithm FedAvg: the accuracy after model training on the CIFAR-10 data set and the MNIST data set, with the data independent and identically distributed (IID) and non-independent and identically distributed (no-IID).

Detailed description

The present invention proposes a federated learning privacy protection method based on an improved diffusion model, using the IDMN algorithm in which a diffusion model encrypts the model. It has greater advantages than traditional federated learning privacy protection algorithms: it improves privacy protection performance over traditional federated learning algorithms and also speeds up communication, the most important efficiency factor in federated learning. Moreover, most traditional federated learning algorithms have too many limitations. They protect model data privacy against gradient backpropagation by adding noise interference, but during decoding they cannot restore the original model data with high accuracy, which in turn affects the accuracy of the data model in federated learning. They cannot both improve the communication efficiency of federated learning and better protect the privacy of the data model, so the two goals are hard to satisfy together. Taking the many factors in federated learning into account, the present invention combines them and proposes a federated learning privacy protection method based on an improved diffusion model with the IDMN algorithm at its core.

When training the model of the IDMN algorithm, the present invention uses the CIFAR-10 data set and the MNIST data set. 60,000 samples are divided into 200 data slices of size 300, and the data slices are then assigned to each client. To account for non-independent and identically distributed data in federated learning, the slices are assigned randomly, so that the invention applies to real privacy protection scenarios of federated learning.

Claims (2)

1. A federated learning privacy protection method based on an improved diffusion model, characterized in that, in order to achieve efficient communication and privacy protection in federated learning, the method comprises the following steps:
Step one: each client receives data from the central server: the central server initializes the global model $w_0$ and broadcasts it to N clients, where each client performs r local update iterations, the overall number of global training rounds is T, and the number of encryption layers of the improved diffusion model deep neural network (IDMN) is S;
Step two: the clients update the model data: each client performs r update iterations locally on the model received from the central server; for the N clients, the central server broadcasts m global models, and for the N clients, the updated local model is
Step three: the model is encrypted using the improved diffusion model deep neural network (IDMN): the number of diffusion-model layers of the IDMN is set to S; given a data distribution $x_0 \sim q(x_0)$, a forward noising process q is defined that adds Gaussian noise with variance $\beta_s \in (0, 1)$ at time s, generating the latents up to $x_S$, where $x_S \sim \mathcal{N}(0, 1)$; the original diffusion model is then as follows:
Given a sufficiently large S and a well-behaved schedule of $\beta_s$, the latent $x_S$ is nearly an isotropic Gaussian distribution. So if the exact reverse distribution $q(x_{s-1} \mid x_s)$ were known, one could sample $x_S \sim \mathcal{N}(0, 1)$ and run the process in reverse to obtain a sample from $q(x_0)$. Since $q(x_{s-1} \mid x_s)$ depends on the entire data distribution, it is approximated using a neural network, as follows:
$p_\theta(x_{s-1} \mid x_s) := \mathcal{N}(x_{s-1};\ \mu_\theta(x_s, s),\ \Sigma_\theta(x_s, s))$ (3)
The combination of q and p is a variational autoencoder, so the variational lower bound (VLB) can be written as follows:
$L_{\mathrm{vlb}} := L_0 + L_1 + \dots + L_{S-1} + L_S$ (4)
$L_0 := -\log p_\theta(x_0 \mid x_1)$ (5)
$L_{s-1} := D_{KL}(q(x_{s-1} \mid x_s, x_0) \,\|\, p_\theta(x_{s-1} \mid x_s))$ (6)
$L_S := D_{KL}(q(x_S \mid x_0) \,\|\, p(x_S))$ (7)
Apart from $L_0$, each term of equation 4 is a KL divergence between two Gaussian distributions and can therefore be evaluated in closed form. To evaluate $L_0$ for the model, the central server broadcasts to 300 clients and $p_\theta(x_0 \mid x_1)$ is calculated;
The noising process defined in equation 2 allows any step of the noised latents to be sampled directly, conditioned on the input $x_0$; when $\alpha_s := 1 - \beta_t$ and , the marginal distribution can be written as:
Using Bayes' theorem, $q(x_{s-1} \mid x_s, x_0)$ can be expressed in terms of and , which are defined as follows:
The improved algorithm of the invention, which uses the maximum likelihood of the IDMN to improve both the privacy protection performance and the communication efficiency of federated learning, is described specifically here. The deep neural network can predict the noise added to $x_0$, as shown below:
Combined with the re-weighted loss function, a new loss function $L_{\mathrm{simple}}$ is defined:
This loss function can be regarded as a re-weighted form of $L_{\mathrm{vlb}}$; optimizing this re-weighted objective gives much more accurate results than optimizing $L_{\mathrm{vlb}}$ directly. In addition, the IDMN changes the number of diffusion steps compared with the original diffusion model, which greatly reduces the time required to encrypt the model;
Since the first few noising steps in the diffusion model play a decisive role in the variational lower bound, $\Sigma_\theta(x_s, s)$ is defined here as a learned quantity to improve the log-likelihood, where v is an interpolation vector predicted by the model. It is calculated as follows:
Because the loss function $L_{\mathrm{hybrid}}$ in equation 13 above is not affected by $\Sigma_\theta(x_s, s)$, the loss function $L_{\mathrm{hybrid}}$ is defined again, with λ = 0.001 set to reduce the influence of $L_{\mathrm{vlb}}$. It is calculated as follows:
$L_{\mathrm{hybrid}} = L_{\mathrm{simple}} + \lambda L_{\mathrm{vlb}}$ (15)
In addition, a better-performing noise schedule is constructed on this basis: with the objective function optimized more flexibly, the relevant noise parameters and the function f(s) are set using a cosine function, calculated as follows:
Step four: the model encrypted by the IDMN is uploaded to the central server, which first performs sampling and decoding, as follows:
In step three, the variance $\beta_s$ is defined by equation 16, and its value is kept from exceeding 0.999 so that no singularity arises when diffusing near s = S. The variance $\beta_s$ is calculated as follows:
In the model encryption stage, the method adopted by the invention preserves the privacy of the federated learning model while improving the communication efficiency of federated learning by reducing the number of diffusion-model encryption layers S. In the reverse sampling and decoding stage, a model trained with S diffusion steps would normally be sampled with the same sequence of s values (1, 2, …, S) used in training; however, any subsequence A of the s values can also be used for sampling. Given the training noise schedule, a sampling noise schedule can be obtained for a given sequence A, and that sampling noise schedule can then be used to obtain the corresponding sampling variances, calculated as follows:
After the above calculation and reverse sampling and decoding, the central server aggregates and updates the models $w_i$ uploaded by all clients to generate a new round's global model at the central server, then broadcasts the global model to each client for the next round of iterative updating of the federated learning model, i.e. the calculations of the above steps are repeated.
2. The federated learning privacy protection method based on an improved diffusion model as claimed in claim 1, wherein, in the IDMN algorithm of the invention, step one: each client receives the data distributed by the central server;
Step two: the data undergoes all T update iterations in the N clients to obtain an updated model
Step three: the updated model obtained by the clients is encrypted and encoded using the deep neural network of the improved diffusion model, yielding the forward-encrypted model
Step four: the encrypted model is uploaded to the central server, which samples and decodes it, then aggregates and updates the models to obtain a new round's global model and sends that model to the clients for the update iterations of the next round of federated learning.
CN202311205515.0A 2023-09-18 2023-09-18 A federated learning privacy protection method based on improved diffusion model Pending CN117474118A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311205515.0A CN117474118A (en) 2023-09-18 2023-09-18 A federated learning privacy protection method based on improved diffusion model

Publications (1)

Publication Number Publication Date
CN117474118A true CN117474118A (en) 2024-01-30

Family

ID=89622863

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311205515.0A Pending CN117474118A (en) 2023-09-18 2023-09-18 A federated learning privacy protection method based on improved diffusion model

Country Status (1)

Country Link
CN (1) CN117474118A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117910601A (en) * 2024-03-20 2024-04-19 浙江大学滨江研究院 Personalized federal potential diffusion model learning method and system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination