CN118333145A

CN118333145A - Method and device for using tree model

Info

Publication number: CN118333145A
Application number: CN202410546319.8A
Authority: CN
Inventors: 王二梅; 吴行行; 魏长征; 闫莺; 王维
Original assignee: Ant Blockchain Technology Shanghai Co Ltd
Current assignee: Ant Blockchain Technology Shanghai Co Ltd
Priority date: 2024-04-30
Filing date: 2024-04-30
Publication date: 2024-07-12

Abstract

A method and apparatus for using a tree model, the method comprising: transmitting a plurality of secret tree models corresponding to the tree models to a data party, wherein the secret tree models comprise a first secret tree model and a second secret tree model, the first secret tree model comprises a first secret tree, the second secret tree model comprises a second secret tree, the first secret tree is generated by adding a disturbance value to the value of each leaf node of the decision tree, and the second secret tree is generated based on the first secret tree; receiving from a data party a plurality of dense state model scores output by a plurality of dense state tree models for feature data of a target object; acquiring a first dense state model score corresponding to the first dense state tree model from the plurality of dense state model scores based on the indication information; and processing the first dense state model score based on the disturbance information to obtain a prediction result of the tree model.

Description

Method and device for using tree model

Technical Field

The embodiment of the specification belongs to the technical field of computers, and particularly relates to a method and a device for using a tree model.

Background

In the field of machine learning techniques, a wide variety of tree models are included. Tree models, which generally refer to a class of algorithms that use tree structures for data segmentation and decision making, are often used to solve classification, regression, and other predictive problems. In a tree model usage scenario, a model holder (e.g., transaction platform, paymate, etc.) of a tree model owns data of the model, including model parameters, model architecture, etc., and a customer of the model holder owns feature data, which is the data holder. The model holder wishes to predict the customer's data using his own tree model to get a prediction tag, however, the customer does not wish to reveal his own data. In this case, the model holder is required to provide the model to the client for model prediction, and therefore, the model holder needs to protect the model when the model is provided to the client.

Disclosure of Invention

The invention aims to provide a method for using a tree model to protect a model of a model party.

A first aspect of the present specification provides a method performed by a model party using a tree model, the tree model comprising a decision tree therein, the method comprising:

Transmitting a plurality of secret tree models corresponding to a tree model to a data party, wherein the plurality of secret tree models comprise a first secret tree model and a second secret tree model, the first secret tree model comprises a first secret tree, the second secret tree model comprises a second secret tree, the first secret tree is generated by adding a disturbance value to the value of each leaf node of the decision tree, the second secret tree is generated based on the first secret tree, the model party records indication information and disturbance information corresponding to the disturbance value, and the indication information is used for indicating a secret model score corresponding to the first secret tree model in a plurality of secret model scores output by the plurality of secret tree models;

Receiving from the data party a plurality of dense state model scores output by the plurality of dense state tree models for feature data of a target object;

based on the indication information, acquiring a first secret model score corresponding to the first secret tree model from the plurality of secret model scores;

And processing the first dense state model score based on the disturbance information to obtain a prediction result of the tree model.

A second aspect of the present specification provides an apparatus for deployment on a model side using a tree model, the tree model including a decision tree therein, the apparatus comprising:

A transmitting unit configured to transmit, to a data party, a plurality of secret tree models corresponding to a tree model, the plurality of secret tree models including a first secret tree model including a first secret tree and a second secret tree model including a second secret tree, the first secret tree being generated by adding a disturbance value to a value of each leaf node of the decision tree, the second secret tree being generated based on the first secret tree, the model party having recorded therein instruction information indicating a secret model score corresponding to the first secret tree model among a plurality of secret model scores output by the plurality of secret tree models and disturbance information corresponding to the disturbance value;

a receiving unit configured to receive, from the data side, a plurality of secret model scores output by the plurality of secret tree models for feature data of a target object;

An obtaining unit, configured to obtain a first secret model score corresponding to the first secret tree model from the plurality of secret model scores based on the instruction information;

and the processing unit is used for processing the first dense state model score based on the disturbance information to obtain a prediction result of the tree model.

A third aspect of the present description provides a computer-readable storage medium having stored thereon a computer program which, when executed in a computer, causes the computer to perform the method of the first aspect.

A fourth aspect of the present specification provides a computing device comprising a memory having executable code stored therein and a processor which when executing the executable code implements the method of the first aspect.

A fifth aspect of the present description provides a computer program product comprising computer programs/instructions which when executed by a processor implement the steps of the method of the first aspect.

In the scheme provided by the embodiment of the specification, the value of the leaf node in the decision tree of the tree model is disturbed to obtain a first secret tree, the first secret tree model is generated based on the first secret tree to protect the leaf node of the tree model, and the second secret tree model comprising the second secret tree is newly added to protect the intermediate node in the tree model. The data party predicts based on the plurality of secret state tree models, any data of the tree models cannot be known, the data party sends the plurality of secret state scores output by the plurality of secret state tree models to the model party, and the model party can obtain real prediction results of the tree models based on the plurality of secret state scores.

Drawings

In order to more clearly illustrate the technical solutions of the embodiments of the present disclosure, the drawings that are needed in the description of the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments described in the present disclosure, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.

FIG. 1 is a schematic view of a scenario in an embodiment of the present description using a tree model;

FIG. 2 is a flow chart of a method of using a tree model in an embodiment of the present disclosure;

FIG. 3 is a schematic diagram of a tree model owned by a model party in an embodiment of the present disclosure;

FIG. 4 is a schematic diagram of a plurality of dense tree models according to an embodiment of the present disclosure;

Fig. 5 is a device architecture diagram using a tree model in an embodiment of the present disclosure.

Detailed Description

In order to make the technical solutions in the present specification better understood by those skilled in the art, the technical solutions in the embodiments of the present specification will be clearly and completely described below with reference to the drawings in the embodiments of the present specification, and it is obvious that the described embodiments are only some embodiments of the present specification, not all embodiments. All other embodiments, which can be made by one of ordinary skill in the art without undue burden from the present disclosure, are intended to be within the scope of the present disclosure.

The present embodiments relate to the use of tree models, and more particularly to the use of regression-type tree models. The tree model in the embodiment of the present disclosure may also be a tree model of a classification type, in which an activation layer is included in the tree model of the classification type, and the leaf node layer thereof still outputs a score of an object to be predicted, and the classification of the object to be predicted is obtained by processing the score based on the activation layer.

The tree model includes any of the following types of tree models: decision Trees (Decision Trees), commonly referred to as a single tree model; a random forest (Random Forests) comprising a plurality of decision trees, wherein each tree in the random forest is typically independently trained based on a different subset of data samples, and wherein the predictive results of all trees can be integrated in the random forest by means of wrapping (bagging), e.g., averaging the predictive scores of all trees to obtain a predictive result of the model; lifting Trees (lifting Trees), such as gradient lifting Trees (Gradient Boosting Trees), XGBoost, and the like, wherein the models comprise a plurality of Trees added sequentially, each tree corrects the prediction errors of the previously added Trees, and gradually improves the model performance, wherein the prediction results of the plurality of Trees are integrated in the lifting tree in a lifting (lifting) manner, for example, the prediction values of the plurality of Trees are added to obtain the prediction results of the model.

In the above tree model, intermediate nodes and leaf nodes may be included in one tree. The intermediate node represents a decision point, where a condition determination is made based on a certain splitting condition, for example, the splitting condition corresponding to a certain intermediate node is "registration time is less than 10? "wherein" registration time "may be referred to as a split characteristic of the intermediate node and" 10 "may be referred to as a split value of the intermediate node. Each intermediate node connects two or more sub-nodes, each sub-node corresponding to a sub-interval of the split characteristic of the intermediate node.

Leaf node: the leaf nodes are end nodes in the tree model, and in the regression tree, the values of the leaf nodes are one continuous number.

To train the tree model, a preset number of training samples may be first acquired, where the training samples include feature data and tag data. Intermediate nodes of the tree model are then stepped based on the training samples to segment the training samples. At the intermediate node, preset parameter values obtained by dividing the training sample by using each preset split feature may be obtained, where the parameters include information gain, base purity, information gain ratio, mean square error, and the like, and the split feature and split value corresponding to the intermediate node may be determined based on the parameter values corresponding to each split feature. In the training of the tree model, the above-mentioned segmentation process is continued until a specific stopping criterion is met, for example, the tree reaches a preset maximum depth, the number of samples in the node is smaller than a certain threshold, or further segmentation cannot significantly improve the prediction accuracy, etc.

After stopping the segmentation, the plurality of training samples fall into each leaf node, and then the value of each leaf node can be obtained based on the label value of the training sample in each leaf node.

When the tree model is used for model prediction, feature data of an object to be predicted can be obtained, the feature is input into the tree model, the object to be predicted is enabled to fall into one leaf node in the tree model based on the feature data, and a predicted value of the object to be predicted is obtained based on a value of the leaf node.

In the related art, a model holder (hereinafter referred to as a model side) may provide split features corresponding to respective intermediate nodes of a tree model to a data holder, and the data holder (hereinafter referred to as a data side) may perform model prediction based on the split features corresponding to respective intermediate nodes of the tree model.

In this related art, the split features of each intermediate node of the tree model cannot be hidden from the data side, and thus the model data cannot be comprehensively protected.

The embodiment of the specification provides a method for using a tree model, which is characterized in that a first secret tree is obtained by perturbing values of leaf nodes in a decision tree of the tree model, a first secret tree model is generated based on the first secret tree to protect the leaf nodes of the tree model, and a second secret tree model comprising a second secret tree is newly added to protect intermediate nodes in the tree model, wherein the second secret tree is generated based on the first secret tree. In the embodiment of the present specification, "secret" does not refer to ciphertext obtained by performing encryption processing, but refers to hiding effect on real data, for example, by perturbing values of leaf nodes in a tree model to obtain a first secret tree, and by additionally generating a decision tree for confusing the first secret tree as a second secret tree, where the first secret tree and the second secret tree are still decision trees of plaintext.

In the embodiment of the present disclosure, the first secret tree represents a secret tree obtained by perturbing leaf nodes of the real tree, and the second secret tree represents a secret tree newly added by a value based on the first secret tree, which may be referred to as a perturbation tree for perturbing intermediate nodes included in the tree model. The first dense state tree model represents a dense state tree model comprising one or more first dense state trees, i.e. the first dense state tree model corresponds to a real tree. The second dense state tree model represents a dense state tree model that includes one or more second dense state trees.

The data party predicts based on the first secret tree model and the second secret tree model, any data of the tree model cannot be known, the data party sends a plurality of secret scores of the secret tree models to the model party, the model party can determine the secret score of the first secret tree model based on the pre-recorded indication information, and the secret score is processed based on the pre-recorded disturbance information to obtain a real prediction result of the tree model. Thereby protecting the data of the tree model while obtaining the high-precision prediction result.

Fig. 1 is a schematic view of a scenario in an embodiment of the present specification using a tree model. As shown in fig. 1, a model party and a data party are included in the scene. Model side training results in a tree model, for example, encapsulated in the form of a PMML file, and including one or more decision trees (one decision tree is shown in fig. 1 as an example), for example. In the decision tree, intermediate nodes are represented by white circular nodes and leaf nodes are represented by white diamond nodes, wherein each intermediate node corresponds to a split condition and each leaf node comprises a node value. The model may generate a first dense state tree model based on the first dense state tree by perturbing values of leaf nodes in the tree model, as shown in a "first dense state tree model" in the right side of fig. 1, with intermediate nodes in the first dense state tree represented by white circular nodes for indicating that the intermediate nodes in the first dense state tree have the same attribute as those in the decision tree in the tree model, and with leaf nodes in the first dense state tree represented by gray diamond for indicating that the leaf nodes in the first dense state tree have different values from the decision tree in the tree model. The model party may also generate a second dense state tree based on the first dense state tree and generate a second dense state tree model based on the second dense state tree. The former may record relevant perturbation information, which may include perturbation values for perturbing leaf nodes, and the former may record indication information for indicating an output score of the first dense tree model, and transmit a plurality of dense tree models including the first dense tree model and the second dense tree model to the former.

The data party predicts the object to be predicted by using a plurality of secret state tree models, a plurality of secret state scores output by the plurality of secret state tree models can be obtained, the data party returns the plurality of secret state scores to the model party, and the model party can obtain a prediction result of the object to be predicted by the tree model based on the plurality of secret state scores based on the indication information and the disturbance information.

FIG. 2 is a flow chart of a method of using a tree model in an embodiment of the present disclosure.

As shown in fig. 2, first, in step S201, a model party adds a disturbance value to a value of each leaf node of a tree model to obtain a first secret tree, generates a second secret tree based on the first secret tree, generates a first secret tree model based on the first secret tree, generates a second secret tree model based on the second secret tree, and records disturbance information and instruction information for instructing an output score of the first secret tree model.

In one embodiment, n decision trees (n > 1) may be included in the tree model of the model side, e.g., 5 decision trees Tr 1-Tr 5 are included in the tree model as shown in FIG. 3.

Fig. 3 is a schematic structural diagram of a tree model owned by a model side in the embodiment of the present specification. The tree model shown in fig. 3 is a tree model for classification that may include three layers of code modules, a predictive layer, a computational layer, and an activation layer. The prediction layer may include n decision trees for prediction (tree Tr1 to tree Tr5 are shown in fig. 3 as an example), specifically, the prediction layer includes data such as a node structure of each decision tree, split features and split values corresponding to each intermediate node, and node values of each leaf node. The tree model may be a random forest or a gradient-lifted tree, etc., which is not limited.

Taking gradient lifting tree as an example, the tree model is used for predicting the credit level of a merchant of a transaction platform, the splitting characteristics of the intermediate nodes in the tree Tr1 comprise characteristics such as transaction amount, platform registration time, platform transaction times, user scores, number of users and the like, the scores of the leaf nodes of the tree Tr1 are used for indicating partial credit values, the splitting characteristics of the intermediate nodes in the tree Tr2 comprise characteristics such as delivery time, refund time and the like, and the scores of the leaf nodes of the tree Tr2 are used for indicating partial credit values. By analogy, the scores of the leaf nodes of trees Tr 3-Tr 5 are also used to indicate partial credit values.

When the tree model is used for model prediction of a specific merchant, feature data of the merchant is acquired, wherein the feature data can comprise values of the following features of the merchant: transaction amount, platform registration time, number of platform transactions, user score, number of users, shipping time, refund time, etc. The characteristic data of the merchant may be input into trees Tr1 to Tr5 in the prediction layer, respectively. Specifically, taking the tree Tr1 as an example, for each intermediate node in the tree Tr1, comparing feature data of a merchant corresponding to a split feature of the intermediate node with a split condition of the intermediate node, and determining child nodes into which the merchant should split, thereby determining a predicted path of the merchant in the tree Tr1 and a leaf node that falls into the path, and obtaining a score1 output by the tree Tr1 for the merchant based on a value of the leaf node that falls into the path. Similarly, by inputting feature data of a merchant into trees Tr2 to Tr5, score2 to score5 output by trees Tr2 to Tr5 for the merchant can be obtained. Typically, the tree model has the form of a PMML file, and the score of the tree model output has a 16-bit significance since the output of the model in the form of a PMML file is in the form of a floating point number.

The calculation layer in the tree model is used for summarizing scores of multiple trees output by the prediction layer, and it is understood that the calculation layer is not needed in the case that the prediction layer comprises a single tree. The calculation layer receives the scores output by the decision trees from the prediction layer, and performs corresponding calculation according to the structure type of the tree model. For example, when the tree model is a random forest model, the calculation layer calculates the average value of Score1 to Score5 as the output Score of the tree model. When the tree model is a gradient-up model, the calculation layer calculates the sum of Score1 to Score5 as the output Score of the calculation layer.

The activation layer in the tree model may then determine a credit rating of the merchant based on the output score of the calculation layer, including, for example, trustworthiness and unreliability, or a probability of a preset number of credit ratings of the merchant. The activation layer uses, for example, a Sigmoid function for calculating based on the score output by the calculation layer, thereby determining the credit rating of the merchant. It will be appreciated that where the tree model is a regression model, the activation layer may not be included and the tree model will calculate the output score of the layer as the output of the tree model.

For the above tree model comprising n decision trees, to convert the tree model into a dense state tree model, first, the model party may perturb the value of the leaf node of each tree in the prediction layer of the tree model to hide the leaf node of the tree model for the data party. For example, if the tree model includes n trees, n random numbers corresponding to the n trees may be generated, and the value of the leaf node of each tree is increased by the random number corresponding thereto, to obtain n first secret trees. Wherein the n random numbers are selected within a numerical range [ min (score), max (score) ] assuming that the tree model includes a leaf node having a maximum value range [ min (score), max (score) ] (i.e., a range between a minimum value and a maximum value of the leaf node included in the tree model), wherein score is a set of values of all the leaf nodes of the tree model.

For example, for the prediction layer shown in fig. 3, the model side may generate random numbers v1 to v5 with respect to the trees Tr1 to Tr5, respectively, process the trees Tr3 to Tr5 by adding a value v1 to each leaf node of the tree Tr1, adding a value v2 to each leaf node of the tree Tr2, and so on. Wherein v 1-v 5 are randomly selected between the minimum and maximum values of the leaf node values comprised by the numbers Tr 1-Tr 5. After the disturbance processing, the trees Tr1 to Tr5 are encrypted into first encrypted trees. It will be appreciated that the first, dense state tree is still a decision tree in plaintext, with the split feature and split value of its intermediate nodes both in plaintext and identical to the intermediate nodes in its corresponding decision tree, with the values of its leaf nodes being different than the values of its corresponding decision tree, but still being the values of plaintext.

In addition, the model side calculates the sum1 of n random numbers, for example, for the tree model shown in fig. 3, calculates sum 1=v1+v2+ … v5, and records the sum1 of random numbers for subsequent recovery processing of the secret fraction.

The model party can consider the n first secret trees obtained as a group of trees, and generate a first secret tree model based on the group of first secret trees. One or more sets of second dense state trees are then generated based on the n first dense state trees, and one or more second dense state models are generated based on the one or more sets of second dense state trees.

The split features of the intermediate nodes in the newly added second dense tree may be randomly selected based on the occurrence frequency of the split features included in the tree model. For example, the true split feature a1 appears 7 times, the true split feature a2 appears 2 times, the true split feature a3 appears 1 time, and when constructing the second dense tree, the probability of 0.7 for a split feature is a1, the probability of 0.2 is a2, and the probability of 0.1 is a3 for an intermediate node. It will be appreciated that split features not found in the tree model may also be included in the second dense tree. After determining the split feature of the intermediate node in the second dense tree, if the split feature is a split feature included in the tree model, the split value of the split feature of the intermediate node may be randomly selected within a range of the maximum value of the split feature in the tree model (i.e., a range before the minimum and maximum values of the split feature), and if the split feature does not appear in the tree model, the split value of the split feature may be randomly selected within the range (0, 1).

The depth of the second dense tree may be randomly selected based on the depth of the decision tree included in the tree model and its frequency of occurrence.

The values of the leaf nodes in the second secret tree may be randomly selected within the range of the maximum values of the leaf nodes of the n first secret trees [ min (score '), max (score ') ], where score ' is a set of values of the leaf nodes of the first secret tree. The split features, split values, and leaf node values of the intermediate nodes in each of the second dense state trees are also plaintext. That is, the first and second dense tree models are both tree models in plaintext.

Or the model may divide the n first dense trees into multiple groups (e.g., g groups). In one embodiment, if n can be divided by g, each group can include n/g of the first dense tree; if n cannot divide g completely, assuming that the quotient of n/g is k, then in the g group, there is a partial group including k first secret trees and a partial group including k+1 first secret trees. For example, for the tree model shown in FIG. 3, the model may divide the 5 first dense state trees corresponding to trees Tr 1-Tr 5 into two groups, one group including 2 first dense state trees and the other group including 3 first dense state trees.

The model party may then generate g first dense state tree models based on the g sets of first dense state trees. The model may then generate m sets of second secret trees based on the n first secret trees, and generate m second secret tree models based on the m sets of second secret trees, similar to that described above. Wherein the number of second secret trees in the m groups of second secret trees may be determined based on the number of first secret trees in the g groups, e.g. may comprise k or k+1 second secret trees.

Fig. 4 is a schematic structural diagram of a plurality of dense tree models in an embodiment of the present disclosure. As shown in fig. 4, for the tree model shown in fig. 3, the model party may generate a first dense tree model EM1, a second dense tree model EM2, a first dense tree model EM3, and a second dense tree model EM4. Each dense state tree model comprises a prediction layer and a calculation layer, the prediction layer comprises a plurality of dense state trees, the calculation layer is similar to the calculation layer shown in fig. 3 and is used for summarizing the dense state tree scores output by the plurality of dense state trees to obtain dense state model scores. Wherein the first dense state tree model EM1, the second dense state tree model EM2, the first dense state tree model EM3 and the second dense state tree model EM4 are randomly determined after generating the plurality of first dense state models and the plurality of second dense state models as described above.

Specifically, the first dense tree model EM1 includes a first dense tree Etr11 corresponding to the decision tree Tr1 and a first dense tree Etr12 corresponding to the decision tree Tr2, and the third dense tree model EM3 includes a first dense tree Etr33 corresponding to the decision tree Tr3, a first dense tree Etr34 corresponding to the decision tree Tr4, and a first dense tree Etr35 corresponding to the decision tree Tr 5.

The second secret tree model EM2 includes a newly added second secret tree Etr21, second secret tree Etr22, and second secret tree Etr23, and the fourth secret tree model EM4 includes a newly added second secret tree Etr41 and second secret tree Etr42.

It is to be understood that while the tree shapes (i.e., the depth of the tree, the number of intermediate nodes, the number of leaf nodes, the connection structure between nodes, etc.) of the respective first dense state trees are the same, the tree shapes of the respective second dense state trees are the same in fig. 4, it is to be understood that this is merely exemplary, and in practice, the respective first dense state trees may have different tree shapes, and the respective second dense state trees may have different tree shapes.

After generating the plurality of dense tree models as shown in fig. 4, the model party may record indication information for indicating an output score of a first dense tree model of the plurality of dense tree models. In one embodiment, the modeler may record an identification of a first dense tree model of the plurality of dense tree models, such as "EM1, EM3". In another embodiment, the model side may record a vector corresponding to a specific arrangement order of numbers in the dense tree model identifier, for example, (1, 0,1, 0), the vector corresponding to an order from small to large of numbers in the dense tree model identifier, 1 being used to represent that the corresponding dense tree model is the first dense tree model, and 0 being used to represent that the corresponding dense tree model is the second dense tree model.

In another embodiment, as shown in fig. 1, a decision tree may be included in the tree model of the model side, and the model side may add different disturbance values to each leaf node of the tree model, or add the same disturbance value, to obtain a first dense state tree, and record information of the disturbance value, for example, in a case that different leaf nodes add different disturbance values, a recorded disturbance value may correspond to an identifier of each leaf node. The modeler may then generate a first dense tree model based on the first dense tree, as shown on the right side of FIG. 1.

The model may then add one or more second dense trees similar to that described above. And generating a second dense state tree model based on the one or more second dense state trees. In this case, in contrast to the dense state tree model shown in fig. 4, there is no need to include a computation layer in the dense state tree model in this embodiment. The model party may record indication information for indicating an output score of a first of the plurality of dense tree models, accordingly.

It will be appreciated that the former may prepare a dense tree model corresponding to the tree model in advance for use by a plurality of data parties through the above-described process, and thus this step S201 is not an essential step in performing model prediction.

In step S203, the model transmits a plurality of dense tree models to the data side.

Referring to the description above, in one embodiment, any of the following may be included in the plurality of dense tree models sent by the model to the data party:

A first dense tree model and a second dense tree model;

A first dense tree model and a plurality of second dense tree models; and

A plurality of first dense tree models and a plurality of second dense tree models.

Wherein, the first dense state tree model can comprise one or more first dense state trees, and the second dense state tree model can comprise one or more second dense state trees.

The identifiers of the first dense state tree model and the second dense state tree model in the plurality of dense state tree models have the same format, such as EM1, EM2 and the like, and the identifiers of the first dense state tree model and the second dense state tree model are randomly determined.

In addition, when the model side transmits the plurality of the secret tree models to the data side, the transmission order or the arrangement order of the plurality of the secret tree models is randomly determined.

In step S205, the data party predicts based on a plurality of dense tree models to obtain a plurality of dense model scores.

In one embodiment, referring to fig. 4, after receiving the dense state tree models, the data party, for example, inputs the characteristic data of the merchant to each of the dense state trees in the prediction layers in the respective dense state tree models, respectively, to obtain the dense state tree score output by each of the dense state trees. Specifically, in the first dense tree model EM1, the first dense tree Etr11 outputs the dense tree score Escore with respect to the feature data, and the first dense tree Etr12 outputs the dense tree score Escore with respect to the feature data. The computation layer in the first dense tree model EM1 summarizes the dense tree scores Escore and Escore as described above, resulting in a dense model score Escore. Similarly, in the second dense tree model EM2, each second dense tree outputs the dense tree scores Escore to Escore, respectively. The computation layer in the second dense tree model EM1 summarizes the dense tree scores to obtain the dense model score Escore2. In the first dense tree model EM3, each first dense tree outputs dense tree scores Escore to Escore, respectively. The calculation layer in the first dense tree model EM3 summarizes the dense tree scores to obtain a dense model score Escore. In the second dense tree model EM4, each of the second dense trees outputs dense tree scores Escore to Escore, respectively. The computation layer in the second dense tree model EM4 summarizes the dense tree scores to obtain the dense model score Escore4.

In step S207, the data party transmits the plurality of dense state model scores to the model party.

In one embodiment, the data party may arrange the cryptographic model scores of each of the cryptographic models in the order of the numbers of the plurality of cryptographic models, and send the plurality of cryptographic model scores arranged in the order to the model party. For example, the data side transmits Escore1, escore2, escore3, and Escore4, which are arranged in the following order, to the model side.

In one embodiment, the parties may send the identity of the cryptographic model and its corresponding cryptographic model score to the model party. For example, the data party may send to the model party: EM1: escore1, EM2: escore2, EM3: escore3 and EM4: escore4

In step S209, the model side acquires a dense state model score output by the first dense state tree model from the plurality of dense state model scores based on the instruction information; and processing the dense state model score based on the disturbance information to obtain a prediction score of the tree model.

In one embodiment, the data party arranges the secret model scores (Escore 1, escore, escore3 and Escore 4) of the secret tree models in the order of the numbers of the plurality of secret tree models, the indication information recorded by the model party is a vector (1, 0,1, 0) corresponding to the order of the numbers of the plurality of secret tree models, and the model party can perform inner product on the vector formed by the secret model scores and the disturbance information vector, so as to obtain the score of the first secret tree model from the plurality of secret model scores and add the score to obtain Escore < 1> + Escore3. The model party pair Escore1+ Escore3 subtracts perturbation information, such as sum1 described above, so that the prediction Score of the tree model can be obtained.

In another embodiment, the plurality of secret model scores includes a secret model score output by the first secret tree model, and the model party obtains the secret model score output by the first secret tree model from the plurality of secret model scores according to the indication information, and enters a corresponding disturbance value for the secret model score, so as to obtain the prediction score of the tree model.

In the case where an activation layer is included in the tree model as shown in FIG. 2, the model may run the sigmoid functionThus, the two-class prediction result is obtained according to the value of y.

In the scheme using the tree model in the embodiment of the specification, the tree model is converted into a plurality of dense tree models, and the dense tree models are sent to a data party for model prediction, so that the intermediate nodes and the leaf nodes of the tree model are comprehensively protected, and the safety of the model is protected.

Further, in the case of converting the tree model into a plurality of first dense tree models and a plurality of second dense tree models, the model side cannot learn the score of each tree in the tree model, and user privacy is protected.

In addition, by keeping the dense state tree model in the standard PMML format in the embodiments of the present disclosure, the data party can directly use the dense state tree model for model prediction without further modification. In addition, in the embodiment of the present disclosure, only a plurality of dense tree models (i.e., a plurality of PMML files) are used for prediction, so that a sufficiently large accuracy of the prediction result is ensured.

FIG. 5 is an apparatus for using a tree model, deployed on a model side, including a decision tree, according to an embodiment of the present disclosure, the apparatus comprising:

A transmitting unit 51 configured to transmit, to a data party, a plurality of secret tree models corresponding to a tree model, the plurality of secret tree models including a first secret tree and a second secret tree model, the first secret tree model including a first secret tree, the second secret tree being generated by adding a disturbance value to a value of each leaf node of the decision tree, the second secret tree being generated based on the first secret tree, the model party having recorded therein instruction information indicating a secret model score corresponding to the first secret tree model among a plurality of secret model scores output by the plurality of secret tree models and disturbance information corresponding to the disturbance value;

a receiving unit 52 for receiving, from the data side, a plurality of secret model scores outputted by the plurality of secret tree models for feature data of a target object;

an acquisition unit 53 for acquiring a first dense state model score corresponding to the first dense state tree model from the plurality of dense state model scores based on the instruction information;

And the processing unit 54 is configured to process the first dense model score based on the disturbance information to obtain a prediction result of the tree model.

The present description also provides a computer-readable storage medium having stored thereon a computer program which, when executed in a computer, causes the computer to perform the method as shown in fig. 2.

Embodiments of the present disclosure also provide a computing device including a memory having executable code stored therein and a processor that, when executing the executable code, implements the method shown in fig. 2.

Embodiments of the present description provide a computer program product comprising a computer program/instructions which, when executed by a processor, implement the steps of the method as shown in fig. 2.

In the 90 s of the 20 th century, improvements to one technology could clearly be distinguished as improvements in hardware (e.g., improvements to circuit structures such as diodes, transistors, switches, etc.) or software (improvements to the process flow). However, with the development of technology, many improvements of the current method flows can be regarded as direct improvements of hardware circuit structures. Designers almost always obtain corresponding hardware circuit structures by programming improved method flows into hardware circuits. Therefore, an improvement of a method flow cannot be said to be realized by a hardware entity module. For example, a programmable logic device (Programmable Logic Device, PLD) (e.g., field programmable gate array (Field Programmable GATE ARRAY, FPGA)) is an integrated circuit whose logic functions are determined by user programming of the device. A designer programs to "integrate" a digital system onto a PLD without requiring the chip manufacturer to design and fabricate application-specific integrated circuit chips. Moreover, nowadays, instead of manually manufacturing integrated circuit chips, such programming is mostly implemented with "logic compiler (logic compiler)" software, which is similar to the software compiler used in program development and writing, and the original code before being compiled is also written in a specific programming language, which is called hardware description language (Hardware Description Language, HDL), but HDL is not just one, but a plurality of kinds, such as ABEL(Advanced Boolean Expression Language)、AHDL(Altera Hardware Description Language)、Confluence、CUPL(Cornell University Programming Language)、HDCal、JHDL(Java Hardware Description Language)、Lava、Lola、MyHDL、PALASM、RHDL(Ruby Hardware Description Language), and VHDL (Very-High-SPEED INTEGRATED Circuit Hardware Description Language) and Verilog are currently most commonly used. It will also be apparent to those skilled in the art that a hardware circuit implementing the logic method flow can be readily obtained by merely slightly programming the method flow into an integrated circuit using several of the hardware description languages described above.

The controller may be implemented in any suitable manner, for example, the controller may take the form of, for example, a microprocessor or processor and a computer readable medium storing computer readable program code (e.g., software or firmware) executable by the (micro) processor, logic gates, switches, application SPECIFIC INTEGRATED Circuits (ASICs), programmable logic controllers, and embedded microcontrollers, examples of controllers include, but are not limited to, the following microcontrollers: ARC 625D, atmel AT91SAM, microchip PIC18F26K20, and Silicone Labs C8051F320, the memory controller may also be implemented as part of the control logic of the memory. Those skilled in the art will also appreciate that, in addition to implementing the controller in a pure computer readable program code, it is well possible to implement the same functionality by logically programming the method steps such that the controller is in the form of logic gates, switches, application specific integrated circuits, programmable logic controllers, embedded microcontrollers, etc. Such a controller may thus be regarded as a kind of hardware component, and means for performing various functions included therein may also be regarded as structures within the hardware component. Or even means for achieving the various functions may be regarded as either software modules implementing the methods or structures within hardware components.

The system, apparatus, module or unit set forth in the above embodiments may be implemented in particular by a computer chip or entity, or by a product having a certain function. One typical implementation device is a server system. Of course, the application does not exclude that as future computer technology advances, the computer implementing the functions of the above-described embodiments may be, for example, a personal computer, a laptop computer, a car-mounted human-computer interaction device, a cellular telephone, a camera phone, a smart phone, a personal digital assistant, a media player, a navigation device, an email device, a game console, a tablet computer, a wearable device, or a combination of any of these devices.

Although one or more embodiments of the present description provide method operational steps as described in the embodiments or flowcharts, more or fewer operational steps may be included based on conventional or non-inventive means. The order of steps recited in the embodiments is merely one way of performing the order of steps and does not represent a unique order of execution. When implemented in an actual device or end product, the instructions may be executed sequentially or in parallel (e.g., in a parallel processor or multi-threaded processing environment, or even in a distributed data processing environment) as illustrated by the embodiments or by the figures. The terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, it is not excluded that additional identical or equivalent elements may be present in a process, method, article, or apparatus that comprises a described element. For example, if first, second, etc. words are used to indicate a name, but not any particular order.

For convenience of description, the above devices are described as being functionally divided into various modules, respectively. Of course, when one or more of the present description is implemented, the functions of each module may be implemented in the same piece or pieces of software and/or hardware, or a module that implements the same function may be implemented by a plurality of sub-modules or a combination of sub-units, or the like. The above-described apparatus embodiments are merely illustrative, for example, the division of the units is merely a logical function division, and there may be additional divisions when actually implemented, for example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or units, which may be in electrical, mechanical or other form.

The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.

These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.

These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.

In one typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.

The memory may include volatile memory in a computer-readable medium, random Access Memory (RAM) and/or nonvolatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of computer-readable media.

Computer readable media, including both non-transitory and non-transitory, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of storage media for a computer include, but are not limited to, phase change memory (PRAM), static Random Access Memory (SRAM), dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), read Only Memory (ROM), electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape disk storage, graphene storage or other magnetic storage devices, or any other non-transmission medium, which can be used to store information that can be accessed by a computing device. Computer-readable media, as defined herein, does not include transitory computer-readable media (transmission media), such as modulated data signals and carrier waves.

One skilled in the relevant art will recognize that one or more embodiments of the present description may be provided as a method, system, or computer program product. Accordingly, one or more embodiments of the present description may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Moreover, one or more embodiments of the present description can take the form of a computer program product on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) having computer-usable program code embodied therein.

One or more embodiments of the present specification may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. One or more embodiments of the present description may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices.

In this specification, each embodiment is described in a progressive manner, and identical and similar parts of each embodiment are all referred to each other, and each embodiment mainly describes differences from other embodiments. In particular, for system embodiments, since they are substantially similar to method embodiments, the description is relatively simple, as relevant to see a section of the description of method embodiments. In the description of the present specification, a description referring to terms "one embodiment," "some embodiments," "examples," "specific examples," or "some examples," etc., means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the present specification. In this specification, schematic representations of the above terms are not necessarily directed to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples. Furthermore, the different embodiments or examples described in this specification and the features of the different embodiments or examples may be combined and combined by those skilled in the art without contradiction.

The foregoing is merely an example of one or more embodiments of the present specification and is not intended to limit the one or more embodiments of the present specification. Various modifications and alterations to one or more embodiments of this description will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement, or the like, which is within the spirit and principles of the present specification, should be included in the scope of the claims.

Claims

1. A method for using a tree model, performed by a model party, the tree model including a decision tree therein, the method comprising:

2. The method of claim 1, the tree model comprising n decision trees, the perturbation information comprising a sum of n random numbers, the n random numbers corresponding to the n decision trees, respectively;

the plurality of secret tree models comprise g first secret tree models, the first secret tree models comprise one or more first secret trees, and the plurality of secret model scores comprise g first secret model scores;

the processing the dense state model score based on the disturbance information to obtain a prediction result of the tree model comprises the following steps: and calculating the sum of the g first secret model scores, and subtracting the sum of the n random numbers from the sum of the g first secret model scores to obtain the prediction score of the tree model.

3. The method according to claim 1 or 2, wherein the perturbation value has a value range that is greater than or equal to a first value, which is the smallest value among the values of all leaf nodes included in the tree model, and less than or equal to a second value, which is the largest value among the values of all leaf nodes included in the tree model.

4. The method of claim 2, wherein the range of values of the leaf nodes of the second dense tree is greater than or equal to a third value, which is the smallest of the perturbed values of all the leaf nodes included in the tree model, and less than or equal to a fourth value, which is the largest of the perturbed values of all the leaf nodes included in the tree model.

5. The method of claim 5, wherein the split features included in the second dense tree are determined based on the split features included in the n decision trees and the number of occurrences thereof, and the split value of each split feature in the second dense tree is selected based on the range of split values for that split feature in the n decision trees.

6. The method of claim 2, comprising k first secret trees or k+1 first secret trees in each first secret tree model, the k being determined based on n and g, and comprising k or k+1 second secret trees in each second secret tree model.

7. The method of claim 2, the plurality of dense state tree models including m second dense state tree models, the plurality of dense state tree models being arranged based on a randomly determined order, the indication information including a sequence of indication values corresponding to the order.

8. The method of claim 2, wherein the tree model includes an activation layer for classifying based on a score of the decision tree output,

The processing the secret fraction based on the disturbance information to obtain a prediction result of the tree model comprises the following steps: and inputting the prediction score into the activation layer to obtain a classification result of the target object.

9. The method of claim 1, further comprising: adding a disturbance value to the value of each leaf node of the decision tree to obtain a first secret state tree, generating a second secret state tree based on the first secret state tree, generating a first secret state tree model based on the first secret state tree, generating a second secret state tree model based on the second secret state tree, and recording disturbance information and the indication information corresponding to the disturbance value.

10. An apparatus for using a tree model deployed on a model side, the tree model including a decision tree therein, the apparatus comprising:

11. A computer program product comprising computer programs/instructions which, when executed by a processor, implement the steps of the method of any of claims 1-9.

12. A computing device comprising a memory having executable code stored therein and a processor, which when executing the executable code, implements the method of any of claims 1-9.