EP4229559A1 - Systèmes et procédés de fourniture fonction de perte modifiée dans un apprentissage fédéré/divisé - Google Patents
Systèmes et procédés de fourniture fonction de perte modifiée dans un apprentissage fédéré/diviséInfo
- Publication number
- EP4229559A1 EP4229559A1 EP21880886.3A EP21880886A EP4229559A1 EP 4229559 A1 EP4229559 A1 EP 4229559A1 EP 21880886 A EP21880886 A EP 21880886A EP 4229559 A1 EP4229559 A1 EP 4229559A1
- Authority
- EP
- European Patent Office
- Prior art keywords
- client
- client system
- server
- model
- server system
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 230000006870 function Effects 0.000 title claims abstract description 164
- 238000000034 method Methods 0.000 title claims abstract description 151
- 238000012549 training Methods 0.000 claims abstract description 56
- 238000013135 deep learning Methods 0.000 claims abstract description 36
- 230000001902 propagating effect Effects 0.000 claims abstract description 23
- 238000012935 Averaging Methods 0.000 claims description 64
- 230000004913 activation Effects 0.000 claims description 14
- 238000001994 activation Methods 0.000 claims description 14
- 238000009826 distribution Methods 0.000 claims description 10
- 230000000873 masking effect Effects 0.000 claims description 3
- 239000010410 layer Substances 0.000 description 195
- 230000008569 process Effects 0.000 description 55
- 238000013459 approach Methods 0.000 description 38
- 238000004422 calculation algorithm Methods 0.000 description 35
- 238000013528 artificial neural network Methods 0.000 description 24
- 238000012545 processing Methods 0.000 description 13
- 238000004891 communication Methods 0.000 description 11
- 230000008901 benefit Effects 0.000 description 9
- 230000015654 memory Effects 0.000 description 9
- 239000000203 mixture Substances 0.000 description 6
- 239000013598 vector Substances 0.000 description 6
- 238000004364 calculation method Methods 0.000 description 4
- 239000003086 colorant Substances 0.000 description 4
- 230000000977 initiatory effect Effects 0.000 description 3
- 230000007246 mechanism Effects 0.000 description 3
- 238000003062 neural network model Methods 0.000 description 3
- 235000009499 Vanilla fragrans Nutrition 0.000 description 2
- 244000263375 Vanilla tahitensis Species 0.000 description 2
- 235000012036 Vanilla tahitensis Nutrition 0.000 description 2
- 230000005540 biological transmission Effects 0.000 description 2
- 238000013527 convolutional neural network Methods 0.000 description 2
- 238000013136 deep learning model Methods 0.000 description 2
- 230000006872 improvement Effects 0.000 description 2
- 238000010801 machine learning Methods 0.000 description 2
- 239000011159 matrix material Substances 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 238000012986 modification Methods 0.000 description 2
- 238000003058 natural language processing Methods 0.000 description 2
- 230000002441 reversible effect Effects 0.000 description 2
- 239000000523 sample Substances 0.000 description 2
- 239000000243 solution Substances 0.000 description 2
- 238000010200 validation analysis Methods 0.000 description 2
- 244000035744 Hura crepitans Species 0.000 description 1
- 238000009825 accumulation Methods 0.000 description 1
- 238000013473 artificial intelligence Methods 0.000 description 1
- 230000002457 bidirectional effect Effects 0.000 description 1
- 238000012512 characterization method Methods 0.000 description 1
- 238000013145 classification model Methods 0.000 description 1
- 238000012790 confirmation Methods 0.000 description 1
- 230000001419 dependent effect Effects 0.000 description 1
- 230000004069 differentiation Effects 0.000 description 1
- 230000000694 effects Effects 0.000 description 1
- 238000011985 exploratory data analysis Methods 0.000 description 1
- 230000036541 health Effects 0.000 description 1
- 230000010365 information processing Effects 0.000 description 1
- 239000003999 initiator Substances 0.000 description 1
- 238000002347 injection Methods 0.000 description 1
- 239000007924 injection Substances 0.000 description 1
- 238000002955 isolation Methods 0.000 description 1
- 230000000670 limiting effect Effects 0.000 description 1
- 239000000463 material Substances 0.000 description 1
- 230000001537 neural effect Effects 0.000 description 1
- 230000008520 organization Effects 0.000 description 1
- 230000036961 partial effect Effects 0.000 description 1
- 230000000644 propagated effect Effects 0.000 description 1
- APTZNLHMIGJTEW-UHFFFAOYSA-N pyraflufen-ethyl Chemical compound C1=C(Cl)C(OCC(=O)OCC)=CC(C=2C(=C(OC(F)F)N(C)N=2)Cl)=C1F APTZNLHMIGJTEW-UHFFFAOYSA-N 0.000 description 1
- 230000000306 recurrent effect Effects 0.000 description 1
- 230000002829 reductive effect Effects 0.000 description 1
- 238000012552 review Methods 0.000 description 1
- 230000006403 short-term memory Effects 0.000 description 1
- 238000004088 simulation Methods 0.000 description 1
- 239000002356 single layer Substances 0.000 description 1
- 230000001360 synchronised effect Effects 0.000 description 1
- 230000009466 transformation Effects 0.000 description 1
- 238000000844 transformation Methods 0.000 description 1
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/08—Learning methods
- G06N3/084—Backpropagation, e.g. using gradient descent
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/04—Architecture, e.g. interconnection topology
- G06N3/045—Combinations of networks
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/08—Learning methods
- G06N3/098—Distributed learning, e.g. federated learning
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/46—Secure multiparty computation, e.g. millionaire problem
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0838—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
- H04L9/0841—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving Diffie-Hellman or related key agreement protocols
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/085—Secret sharing or secret splitting, e.g. threshold schemes
Definitions
- the present disclosure generally relates to training neural networks and introduces new techniques for training and deploying neural networks or other trained models in ways which protect the training data from various sources from being discoverable and which involve a modified loss function used for further privacy.
- Another aspect of this disclosure involves a blind-learning approach to generating, by a model-averaging component, an average client-side model from a group of encrypted client-side models in which the averaging component cannot view or access the data of any of the respective client-side models as it performs its averaging operation.
- split learning for different settings/topologies of collaboration such as that of vertical partitioned distributed learning, learning without sharing labels, multi-hop split learning like TOR (named after Tor Syverson), learning with client weight synchronization and so forth.
- TOR named after Tor Syverson
- the TOR multi-hop split learning involves multiple clients training partial networks in sequence where each client trains up to a cut layer and transmits its outputs to the next client. The final client then sends its activations from its cut layer to a server to complete the training.
- improvements to these training models however than can further improve privacy of data and further prevent leaking.
- FIG. 1A illustrates an example training approach and deep learning structure
- FIG. IB illustrates a split and distribute approach followed by the averaging of the loss function and distribution of the average loss function to various clients;
- FIG. 1C illustrates a secure multi-party computation technique for generating an average of a group of client-side models
- FIG. ID illustrates an approach to receiving and averaging various client-side models and distributing a weighted average client-side model back to the various clients for further batch processing;
- FIG. 2A illustrates an example method associated with calculating a weighted loss function
- FIG. 2B illustrates an example method from the standpoint of the server or the algorithm provider
- FIG. 2C illustrates a method of providing a secure multi-party computation technique in the context of a split-federated learning environment
- FIG. 3 illustrates a secure multi-party computation approach
- FIGs. 4A-4B illustrate example methods related to the use of a secure multi-party computation approach
- FIG. 5 illustrates an example system or device according to some aspects of this disclosure.
- split learning requires much less synchronization and is more resource efficient when training deep learning neural networks.
- This technique can be called federated-split learning or blind learning and is described in the patent applications incorporated herein by reference above. Described herein is a training process in the context of federated-split learning.
- the basic idea in any form of split learning is to split the total deep learning architecture that needs to be trained at one or more layers such that a respective client or node has only access to its share of layers before what are called split layer(s).
- the split layer to some degree defines the last layer of a respective client or node with the remaining layers of the architecture being configured on a different device, such as a server or generally on another node.
- the server only has access to the rest of the layers of the network after the split layer.
- the server’s split layers are generally of a single copy, while the clients can have replicated copies (or can be different architectures) of their own layers before the split layer. Therefore the server layers are a shared resource up to an extent.
- FIG. 1A illustrates this approach and will be described in more detail below.
- the approach disclosed below involves calculating an average loss value.
- the new approach differs from the prior systems which simply compute a loss gradient at a final layer of the server system and back propagates the loss function to refresh weights. In other words, there is no storing of loss functions in a queue and no averaging, at the server system, the plurality of respective weighted client loss functions to yield an average loss value.
- the disclosed solution addresses a problem rooted in how deep neural networks operate with respect to loss function propagation and proposes a solution that improves the functioning and operation of a neural network in a federated split-learning context.
- An example method can include training, at a client system of a plurality of client systems, a part of a deep learning network up to a split layer of the client system. Based on an output of the split layer of the client system, the method can include completing, at a server system, training of the deep learning network by asynchronously forward propagating the output received at a split layer of the server system to a last layer of the server system.
- the server can calculate a weighted loss function for the client system at the last layer of the server system to yield a calculated loss function for the client system and store the calculated loss function for the client system in a queue.
- the method can further include, after each respective client system of the plurality of client systems has a respective loss function stored in the queue to yield a plurality of respective weighted client loss functions, averaging, at the server system, the plurality of respective weighted client loss functions to yield an average loss value.
- the server back propagates gradients based on the average loss value from the last layer of the server system to the split layer of the server system to yield server system split layer gradients.
- the server then can transmit just the server system split layer gradients to the client system(s).
- no weights are shared across different client systems of the plurality of client systems. This is possible because of the averaging that is done at the server side across the plurality of respective weighted client loss functions.
- a new system a platform, compute environment, cloud environment, marketplace, or any other characterization of the system that will enable an improved approach to training neural networks.
- the approach is called a federated-split leaning approach that combines features from known approaches but that provides a training process that maintains privacy for data used to train the model from various client devices.
- FIG. 1A illustrates an example system 100 that trains a deep learning system using a modified loss function.
- a deep neural network is an artificial neural network (ANN) with multiple layers between the input and output layers.
- the DNN finds the correct mathematical manipulation to turn the input into the output, whether it be a linear relationship or a non-linear relationship.
- the network moves through the layers calculating the probability of each output. For example, a DNN that is trained to recognize certain trees will go over the given image and calculate the probability that the tree in the image is a certain type. The user can review the results and select which probabilities the network should display (above a certain threshold, etc.) and return the proposed label.
- FIG. 1A illustrates various layers of a neural network 100 that are separated between clients 102 and a server 104 and the approach disclosed herein improves privacy of data between claim 1 and claim 2 as party of a group of clients 102 and the server 104 by modifying a loss function used in the context of federate-split learning amongst the layers as shown in FIG. 1 A.
- each of client 1 and client 2 can be referred to as a client system and the group of client systems can be called a plurality of client systems 102. There can be more than two client systems in the plurality of client systems 102.
- DNNs can model complex non-linear relationships.
- DNN architectures generate compositional models where the object is expressed as a layered composition of primitives.
- the extra layers enable composition of features from lower layers, potentially modeling complex data with fewer units than a similarly performing shallow network.
- DNNs are typically feedforward networks in which data flows from the input layer to the output layer without looping back.
- the DNN creates a map of virtual neurons and assigns random numerical values, or "weights", to connections between them. The weights and inputs are multiplied and return an output between 0 and 1. If the network did not accurately recognize a particular pattern, an algorithm would adjust the weights. That way the algorithm can make certain parameters more influential, until it determines the correct mathematical manipulation to fully process the data.
- RNNs Recurrent neural networks
- CNNs in which data can flow in any direction, are used for applications such as language modeling. Long short-term memory is particularly effective for this use.
- Convolutional deep neural networks (CNNs) are used in computer vision.
- CNNs also have been applied to acoustic modeling for automatic speech recognition (ASR).
- ASR automatic speech recognition
- the principles disclosed herein with respect to a modification of the loss function in the context of federated-split learning does not have to apply to a specific type of neural network or type of classification task such as image recognition.
- a deep learning model is split across at least two processors, which can be physically separate or can be two virtual machines in the cloud.
- One processor can be, for example, client 1 and/or client 2 as shown in FIG. 1A, or a "data provider” in general, and the other processor can be a server 104 or the "algorithm server". While client 1 and client 2 are disclosed in FIG. 1 A as part of a group of clients 102, this disclosure can cover any “n” number of client devices or data providers.
- the group of clients 102 can also be described generally as a “data provider” 102 that runs the bottom half of a deep net architecture training run, and the algorithm server 104 can run the top half.
- Each of clients 1 and 2 can also individually be a data provider 102 as well. Generally, this approach keeps the data private (since it stays on the data provider 102) and the algorithm (the deep net architecture on the server 104) private since it is "split" across the two virtual machines or two nodes.
- An example will make the point of how the DNNs operate.
- the client 1 will initialize weights for its input data 106 and use forward propagation of the data across multiple layers 108 to a split layer 110 on the client.
- Client 1 then sends the split layer 110 output to the split layer 120 of the server 104.
- the server 104 propagates its data from the split layer 120 through its layers 122, 124 to the last layer 126 and compute a loss gradient or loss function that is backpropagated through its layers 124, 122 to the split layer 120 and then transmitted to the split layer 110 of the client 1.
- This disclosure focuses on new approaches with respect to the use of the loss function as well as new concepts regarding how to provide further privacy for the models by generating a weighted average of various client-side models and distributing the new weighted average of the client-side model to each of a plurality of clients.
- the first concept disclosed herein related to how to improve the use of the loss function is described first.
- a "loss function” that is used to communicate from "n" data providers 102 to the algorithm server 104.
- the loss function provides a mechanism that can inject "noise” into the loss function - which adds another layer of "data privacy” for the underlying data.
- the noise added to the loss function can yield or generate a new loss function.
- the injection of noise can occur through the averaging step disclosed herein or other approaches to adding noise to the loss values which can be considered an approach to encryption.
- An example training process 100 in federated-split learning is disclosed herein.
- split learning The basic idea in any form of split learning is to split the total deep learning architecture that needs to be trained at one or more layers such that any client 102 (such as Client 1 and Client 2 in FIG. 1 A) has only access to its share of layers before the split layer(s) 110, 116.
- client 1 only has access to an input data layer 106, another layer 108 and its split layer 110.
- Client 2 only has access to its input layer 112, additional layer 114 by way of example, and its split layer 116.
- the server 104 has access to the rest of the layers of the network after the split layer 110, 116.
- the server’s split layer 120 is generally of a single copy while the group of clients 102 can have replicated layers (or can be different architectures) of their own layers before the split layer 120.
- the server 104 is shown with its split layer 120, additional layers 122, 124, and its last layer 126.
- the server’s layers 120, 122, 124, 126 are a shared resource up to an extent.
- An example training process in federated-split learning is as follows.
- each of client 1 and client 2 performs a forward propagation step up to its respective split layer 110, 116.
- the outputs of the split layer 110, 116 are then used to asynchronously forward propagate the layers of the server 120, 122, 124, 126 after the split layer 110, 116.
- the loss function (classification objective function) achieved at the last layer 126 of the server 104 by each of client 1 and client 2 is populated in a queue 128.
- the server 104 then averages the loss function to obtain a single real -value for the loss.
- the process can be described is providing a modified loss function.
- the server 104 then back- propagates its layers 122, 124 up to the server’s split layer 120 and then transmits the gradients just from this layer 120 to client 1 and client 2 based on this averaged loss.
- Each of client 1 and client 2 now performs backpropagation on its own respective layers 110, 108, 106, 116, 114, 112 based on the gradients received from the server 104.
- the advantage of this approach is that it is relatively more asynchronous than vanilla split learning (see the paper incorporated by reference above). It is also way more communication efficient as there is no peer-to-peer weight sharing across the clients 118.
- backpropagation refers to an algorithm in training feedforward neural networks for supervised learning.
- Generalizations of backpropagation exist for other artificial neural networks (ANNs), and for functions generally - a class of algorithms referred to generically as "backpropagation".
- backpropagation computes the gradient of the loss function with respect to the weights of the network for a single input-output example, and does so efficiently, unlike a naive direct computation of the gradient with respect to each weight individually. This efficiency makes it feasible to use gradient methods for training multilayer networks, updating weights to minimize loss.
- Gradient descent, or variants such as stochastic gradient descent can be used as well.
- the backpropagation algorithm works by computing the gradient of the loss function with respect to each weight by the chain rule, computing the gradient one layer at a time, iterating backward from the last layer to avoid redundant calculations of intermediate terms in the chain rule.
- the term backpropagation in one aspect refers only to the algorithm for computing the gradient, not how the gradient is used.
- Backpropagation generalizes the gradient computation in the delta rule, which is the single-layer version of backpropagation, and is in turn generalized by automatic differentiation, where backpropagation is a special case of reverse accumulation (or "reverse mode").
- the modified loss function benefits are described next.
- the proposed modification to the loss function used for federated-split learning can be implemented to achieve a better level of privacy.
- the loss function that is computed at the server 104 can be modified as the average of losses induced by each of client 1 and client 2, where each of client 1 and client 2 has a loss that is a weighted combination of minimizing a statistical distance between i) the distributions of the activations communicated by any client 102 to the server 104 from just the split layer 110, 116 and ii) the classification loss such as categorical cross-entropy or crossentropy.
- the loss function is an average of weighted loss functions. This can remove the requirements for weight sharing 118 or synchronization while increasing privacy.
- FIG. IB illustrates another variation on the structure shown in FIG. 1A with the addition of the algorithm provider 104 in step 1 as splitting the model or algorithm into a serverside model 142 and a client-side model 144 A.
- the algorithm provider or server 104 will distribute the client-side model 144 A to one or more clients 102 and the distributed client-side model 144B has its respective split layers 110, 116, 117.
- the serer side model has its last layer or output layer 126 and the client side model 144A is shown with the input layer 106, 112.
- Step 2 is shown for training, averaging the loss function, redistributing the gradients and repeating the process.
- the batch data at each client 102 is processed through the client-side models 144B to generate the smashed data 158 which is transmitted to the split layer 120 of the server-side model 142 on the server.
- the “smashed data” 158 represents the data, models or vectors transmitted to the split layer 120 of the server 104 from the various clients 102.
- the calculation of the average loss 152 is shown as well as the forward propagation process 154 is shown on the server 104 based on the received smashed data 158 and the backward propagation 156 is shown as well.
- the averaged loss 152 can be generated from these two different loss data values and can be used to generate the gradients of the smashed data 160 or can be the gradients that are transmitted back through back propagation.
- the gradients of the smashed data 160 represent the data that is transmitted back from the server 104 to the split layers 110, 116, 117 of the various clients 102.
- the various clients can then update their client-side models as they propagate the gradients through their various layers.
- the processing of smashed data from the various clients at the deep neural network server-side model 142 is typically done in parallel.
- FIG. 1C illustrates yet another example framework 170 which includes a third step of the process and which related to generating or processing a group of client-side models to obtain an average or a weighted average and then distributing the new weighted average client- side model to each of the clients 102.
- This approach can be called a blind training approach in that in one aspect, the various client-side models are transmitted to an averaging component 174 in an encrypted manner with rubbish data included. In some manner, which can vary, the client-side models are modified, encrypted, or changed such that the averaging component 174 has not mechanisms of viewing the data of any respective client-side model.
- the process described above relative to FIGs. 1A and IB is maintained in that batches of data are processed through the client-side models 144B, to the server-side model 142, where individual losses are identified for each set of smashed data and then averaged to generate a set of gradients that are then back propagated through the server side network 142 to the individual clients 102 for updating the client-side deep neural network models 144B.
- An addition process is introduced next with respect to how to further maintain the privacy of the client-side models.
- a new process is introduced to receive each client-side model, process it to generate a weighted average, and return to each client the weighted averaged model for the next epoch to proceed.
- the process of averaging the models can occur after each epoch, after a group of epochs, or based on some dynamic trigger such as a threshold value that indicates most much a respective model or models have changed over each epoch.
- each model is a matrix which can be received and averaged. Each matrix may have 1 or more numbers contained therein.
- the entity that performs the averaging of the models might be the server 104 if it can be trusted, but in another scenario, a separate entity can provide a secure multi-party computation (SMPC) to generate the average model to be distributed back to the clients 102.
- SMPC secure multi-party computation
- the process includes processing of the client-side models via either averaging or secure multi-party computation (SMPC) 174 of client-side models such that anew model is generated and transmitted back to the clients 102 prior to transmitting new smashed data to the split layer 120 of the server 104.
- the server-side model 172 will receive smashed data processed by an average new client-side model generated from a secure multiparty computation (SMPC) component 174 operating on a set of client-side models to generate and distribute a new client-side model to each client 102 which can be a single model which is the average, for example, of two or more client models received from respective split layers (e.g., 110, 116, 117) from respective clients 102.
- SMPC secure multiparty computation
- the server-side model 172 can in one case be essentially the same server-side model 142 shown in FIG. IB.
- the serverside model can be modified to accommodate or take into account the fact that in FIG. 1C, the client-side models are received and averaged by the averaging component 174 and thus will provide their respective smashed data in new epochs using such updated models.
- the secure multi-party computation component 174 is part of all computational parties (server and clients) that do not trust each other. They jointly compute the average client- side model without 'seeing' each others' data by exchanging several encrypted messages about their models, which on their own represent rubbish data that cannot be decrypted into anything useful. When the entire protocol (process) completes, it can then reveal the final averaged client-side model.
- the forward propagation 154 and backward propagation 156 can proceed in the standard way with or without the need to average the loss functions 152 in that the various models are already averaged 174 prior to being received at the split layer 120 of the server 104.
- the averaging type can be a weighted average or any type of averaging approach.
- This averaging method can be done either in plain text or an encrypted space (SMPC) as shown in FIG. 1C.
- the new weighted average client-side model of the various client-side models can be generated after each epoch or round of processing all of the batches of all of the clients 102 through the transmission of smashed data to the server 104 and the receipt of gradients from the server 104 at each client to update the respective client models.
- each model is encrypted and sent to the server 104 (or other entity) as an encrypted model and the processing or averaging of the encrypted models is done in an encrypted way to maintain privacy.
- the entire model in one aspect is not sent to each server.
- Some “rubbish data” is included and the server 104 has only a part of the model. The server cannot decrypt, they cannot steal or see what is inside of the data in this approach. It is impossible in this sense for the server 104 to see into any of the data of the “model” transmitted to the averaging component 174. This process is more secure in that it prevents the averaging component 174 from being able to see the data of the models.
- a first client has a model with value 3
- a second client has a model with a value 4
- a third client has a model with value 5.
- These models can be averaged as shown in FIG. 1C to produce anew client-side model with a value of (3+4+5)/3 or the value of 4.
- This new averaged model then is distributed back to each of the three clients.
- This approach improves both accuracy and privacy.
- the data of the various clients 102 can be synchronized in a way of integrating the various models such that someone seeking to identify the data of any particular model cannot determine what that respective data is.
- the weighted averaging method performed at component 174 can use the following formula:
- W is the final aggregated client-side model
- n is the number of clients
- Xi is the respective client
- model is the number of data samples at the respective client
- the denominator can represent the total number of training samples from all the clients combined or some other value as well.
- the data (vector, model, etc.) from each client may have the same number of parameters but in some cases the number of parameters might differ across different clients.
- all clients 102 start the training process by submitting the total number of training samples they have locally, which will be used to train the final model. This version of the protocol is explained in the following algorithm.
- the client-side computations on lines 1-9 operate over an epoch which involves the processing of each batch of data.
- a batch of data might be two images or two pieces of data.
- One client might have 3 batches to process and another client might have 4 or 5 batches to process.
- An epoch involves completing the processing of all the data through an iteration of the client models and through the server 104 such that forward propagation and backward propagation on each batch of data is complete.
- the data providers can be clients 1 and 2 (the group of clients 102) and can receive a respective client model (line 3 of the pseudo code above).
- Each client can have data the run through the models in batches 182, 184, 186, 188.
- each batch can have two images to be processed.
- client 1 has two batches 182, 184 and client 2 has two batches 186, 188.
- Client 1 processes its batches through its layers of its neural network model 192
- the server 104 receives each batch (lines 13-14 of the pseudocode) or smashed data associated with that batch and processes the smashed data through its layers using the server model.
- Client 2 processes its batches through the layers of its neural network model 194 (M2) and generates smashed data 158 that is transmitted to the split layer 120 of the server 104 or algorithm provider.
- the clients 102 can also generate a privacy loss value associated with the smashed data and send the smashed data and privacy _loss data to the server 104.
- the privacy Joss can be used in averaging the loss functions as described herein.
- the server 104 processes the smashed data through its layers as well.
- the data from the various clients 180 is provided to the loss averaging component 152 that averages the loss as described herein (lines 15-16 of the pseudocode) and returns the gradients 182 (lines 17-18 of the pseudo code) through the server’s layers for backward propagation 156 as shown in FIG. IB.
- the gradients of the smashed data 160 are returned to client 1 and client 2 (line 18 of the pseudocode) such that continued back propagation through the respective layers can be finalized and respective update client-side models can be generated. Line 8 of the pseudo code described updating the client models based on the received gradients.
- model Ml 192 of client 1 and the model M2 194 of client 2 are the updated client model described in line 8 of the pseudo code.
- the clients each send their (updated) client model Ml, M2 and/or the total number of samples to the processing component 174 that can average the models or generated a weighted average model and/or perform SMPC on the various models and return the updated model such as updated model M3 196 to client 1 and updated model M4 198 to client 2.
- M3 and M4 will be the same updated average model but in some cases they could have some differences based on one or more parameters.
- Line 19 of the pseudocode indicates the operation of sending the weighted average of the client models to the various clients. This averaging method can be done either in plain text or an encrypted space (secure MPC).
- FIG. 2C illustrates an example method for the use of the secure multiparty computation technique shown in FIG. 1C.
- FIG. 2A illustrates a method example.
- a method 200 can include one or more of the following steps in any order. The method in this case includes steps performs by both client 1, client 2 (the plurality of client systems 102) and the server 104.
- the method can include training, at a client system of a plurality of client systems 102, a part of a deep learning network up to a split layer 110, 116 of the client system (202), based on an output of the split layer 110, 116 of the client system, completing, at a server system 104, training of the deep learning network by asynchronously forward propagating the output received at a split layer of the server system 120 to a last layer 126 of the server system 104 (204).
- the output received at the split layer 120 of the server system 104 is the output of the split lay er 110, 116 of the client system 102.
- the method can include calculating a weighted loss function for the client system 102 (for each of client 1 and client 2) at the last layer of the server system 126 to yield a calculated loss function for the client system 102 (206) and storing the calculated loss function for the client system in a queue 128 (208). This process can occur for multiple clients such that the queue receives a plurality of respective calculated loss function values.
- the method can further include, after each respective client system of the plurality of client systems 102 has a respective loss function stored in the queue 128 to yield a plurality of respective weighted client loss functions, averaging, at the server system 104, the plurality of respective weighted client loss functions to yield an average loss value (210), back propagating gradients based on the average loss value from the last layer 126 of the server system 104 to the split layer 120 of the server system 104 to yield server system split layer gradients (212) and transmitting just the server system split layer gradients to the plurality of client systems 102 (to client 1 and client 2), wherein no weights are shared 118 across different client systems of the plurality of client systems 102 (214).
- the weighted loss function can further involve a minimizing of a statistical distance between (1) a distribution of activations communicated by the client system 102 to the server system 104 from just the split layer 110, 116 of the client system 102 and (2) a classification loss.
- the classification loss can include a categorical cross-entropy or a crossentropy.
- Cross-entropy loss, or log loss measures the performance of a classification model whose output is a probability value between 0 and 1.
- Cross-entropy loss increases as the predicted probability diverges from the actual label.
- a sigmoid function forces a vector into a range from 0 to 1 and is applied independently to each element of (s), s i .
- a Softmax function forces a vector into the range of 0 and 1 and all the resulting elements add up to 1. It is applied to the output scores (s) and cannot be applied independently to each Si, since it depends on all the elements of (s). For a given class si, the Softmax function can be computed as:
- storing the calculated loss function for the client system (client 1 and client 2) in the queue 128 further can include storing a respective calculated loss function for each respective client system of the plurality of client systems 102.
- storing a respective calculated loss function for each respective client system of the plurality of client systems 102 can be performed asynchronously on a first-come-first-stored manner.
- transmitting just the server system split layer gradients to the client system 102 further can include transmitting just the server system split layer gradients to each client system (client 1 and client 2) of the plurality of client systems 102.
- Another step of the method disclosed above can include back propagating, at the client system 102 and from the split layer 110, 116 of the client system 102 to an input layer 106, 112 of the client system 102, the server system split layer gradients to complete a training epoch of the deep learning network.
- An epoch is where an entire dataset is passed forward and backward through a neural network once.
- Another aspect of this disclosure relates to a scheduler.
- the choice of every client's individual weights can be data and task dependent.
- a scheduler is proposed to prevent leakage of privacy.
- the scheduler can be a software module operating on one or both of a client 102 and/or a server 104 or may be configured as a separate device.
- the scheduler ensures the weight for the privacy during the early epochs is very high and it reduces gradually up to a specified point, as the epochs go by, and then stagnates and makes sure it doesn't fall below a specific value, to ensure the privacy weight is not too low to induce leakage.
- a simulated reconstruction attack can be performed on the client system 102 before releasing any activations to the server 104 at the split layer 110, 116 of the client system 102.
- the accuracy weight can gradually be increased and tuned by the server 104, followed by the simulation of the reconstruction attack, prior to transmitting the activations from the split layer 110, 116 to the server 104.
- the following is some example code which can be deployed by a scheduler:
- def decayScheduler(epoch, Ir, maxLR, totalEpochs): decay Ir / totalEpochs if epoch ⁇ 3: return Ir else: return max(lr * 1/(1 + decay * epoch), maxLR).
- a variation of FIG. 2A can include the steps performed either just by the server 104 or by one or more of the client 102.
- the method can include receiving, at a server system and from a client system of a plurality of client systems, smashed data associated with the client system, completing, at the server system, training of a deep learning network by asynchronously forward propagating the smashed data received at a split layer of the server system to a last layer of the server system, calculating a weighted loss function for the client system at the last layer of the server system to yield a calculated loss function for the client system and storing the calculated loss function for the client system in a queue.
- the server 104 can perform the operations of averaging, at the server system, the plurality of respective weighted client loss functions to yield an average loss value, back propagating gradients based on the average loss value from the last layer of the server system to the split layer of the server system to yield server system split layer gradients and transmitting, from the server system, the server system split layer gradients to the plurality of client systems, wherein no weights are shared across different client systems of the plurality of client systems.
- the method can be performed from the standpoint of a client 102 in which the smashed data 158 is transmitted to the split layer 120 of the server 104.
- the server 104 performs the operations described herein to generate the gradients that include the averaged loss function 152.
- Each respective client receives the gradients 160 and updates its respective model 144B based on the received gradients 160.
- the processing can occur such that each batch of data input to the respective client-side model 144B is processed for all the clients 102 both for both forward and backward propagation through the neural network to achieve an “epoch”, at which point the other processing can occur which is described below to perform a blind learning process of receiving the various updated client-side models 144B at a secure multi-party calculation (SMPC) component 174 to generate in a secure manner an average of the client-side models.
- the SMPC component 174 can then redistribute the weighted average of the client-side models 196, 198 to each respective client 102.
- FIG. 2B illustrates an example method performs by just the server 102. The method
- 220 in this example includes one or more steps in any order of receiving, at a split layer 120 of a server system 104, a first output of a first split layer 110 of a first client system and a second output of a second split layer 116 of a second client system (220), completing, at a server system 104, training of the deep learning network by asynchronously forward propagating the first output and the second output to a last layer 126 of the server system 104 (224), calculating a first weighted loss function for the first client to yield a first calculated loss function and a second weighted loss function for the second client to yield a second calculated loss function (226) and storing the first calculated loss function and the second calculated loss function in a queue 128 (228).
- the method can further include averaging the first calculated loss function and the second calculated loss function to yield an average loss function (230), back propagating gradients through the server system 104 based on the average loss function to the split layer 120 of the server system 104 (232) and transmitting split layer gradients based on the average loss function to each of the first client and the second client (234).
- a similar method could be provided with steps just performed by client 1 and/or client 2.
- FIG. 2C illustrates the secure multi-party computation (SPMC) technique shown in FIG. 1C.
- the method 240 can include one or more steps of receiving a first model from a first client and a second model from a second client (242), generating an average of the first model and the second model to yield an average model (244) and providing the average model to each of the first client and the second client as an updated model (246). Then, the clients can proceed to another epoch with new batches of data using the new model which they have each received.
- the benefit of this approach is that it can improve the security and privacy of the model.
- Secure MPC is not performed by the server 104 alone. In one aspect, by definition, it can't be performed by a trusted party as there are no trusted parties.
- Secure MPC is performed jointly between the server 104 and the clients 102 by exchanging parts of their models encrypted using SMPC.
- the parts of the models alone cannot yield or reveal any information about the individual client-side models 144B, but after the entire process is completed, an averaged client-side model will be revealed.
- the server 104 (or some other node) coordinates this process. Note that the coordination can be different from the actual process of averaging though. If the averaging was happening in plain text, then this process would need to be performed by a trusted party.
- More than two client models can be received and averaged and there can be various algorithms for generating the average.
- the use of weighted average approach can help to maintain the privacy and security of the data from the various clients 102 or data providers.
- the method can include transmitting a modified version of each client-side model such that the modified model to be processed or averaged includes some rubbish data, a portion of the full data of the client-side model, and can be encrypted.
- the portion of the data of each client-side model for example, can represent less than all of the available data of each client-side model.
- Which portion is transmitted to the averaging component 174 and which portion is not can be determined based on a percentage, which part of the model data should be kept back, or based on some other parameter(s) to determine how to select the portion of the client-side data in the client-side model to use for the averaging process.
- the process above involves how to train a new model on decentralized data in a privacy -learning way in a blind-learning approach.
- the averaging component 174 does not see or cannot view the various client-side models 144B that it receives because they are sent to the averaging component 174 in such a way so as to preserver privacy.
- the client-side models can be processed such that they are one or more of encrypted, inclusive of some rubbish data, a portion of each respective client-side model or a combination of these and other ways in which the respective client-side models can be modified such that as they are processed by the averaging component 174, the respective data of each model is kept private and unsearchable. This is because typically the averaging component 174 is part of the server 104 and not trusted or generally is not trusted and needs to perform its processing without being able to probe into the data associated with the respective client-side model.
- Receiving a first model from a first client and a second model from a second client can occur after an epoch in which all batches of data for the first client and the second client are processed by respectively by each of the first client, the second client, and a server-side model 142 to generate gradients received at the first client and the second client to update their respective models to yield the first model and the second model, which are then averaged by the averaging component 174.
- the process can also in one example be performed from the clients 102.
- the clients 102 transmit their respective smashed data to the server 104 and receive gradients back from the server 104.
- the clients 102 then update their respective models based on the gradients received from the server 104. This can conclude one epoch.
- the gradients may or may not include the averaged loss function described above.
- the clients 102 then each send their updated client-side models to an averaging component 174 which may or may not be part of the server 104.
- the client-side models might be encrypted or modified such that not all of the model data is transmitted.
- the client-side models can include some rubbish data as well.
- the averaging component 174 generates in a secure way a weighted average client-side model and each client of the clients 102 receives the weighted average client-side model from the averaging component 174.
- FIG. 3 illustrates an architecture 300 for orchestrating a secure multi-party communication.
- Federated learning (FL) and blind Learning (BL) are two deep learning paradigms to learn from decentralized datasets without transferring the data to a centralized location.
- a centralized server 104 manages the training process.
- the server 104 receives and averages the local models 192, 194 trained at each client to generate a global model.
- FL and BL can preserve some data privacy by not transferring it to the server 104
- a malicious server can exploit the clients’ models during the averaging process to extract some sensitive information from the models’ weights.
- the secure averaging function is introduced that prevents the server 104 from “seeing” the clients’ models 192, 194 in plain text.
- the secure averaging 174 encrypts the model of each client before sending it to the server 104/174, which then (the server) averages the encrypted models to generate the global model 196, 198.
- the global model 196, 198 is then distributed to the clients 102. In this way, the server 104 cannot exploit sensitive data from any specific client’s model 192, 194.
- the architecture 300 makes it possible and convenient for two or more parties (318, 314) To participate in a variety of collaborative activities involving data at an algorithm and processes. Part of the novelty of the system is the orchestration technique which allows this to occur between the different parties (318, 314).
- the components shown in FIG. 3 includes an access point 302 associated with the data owner or client or other entity 318.
- the access point 302 can include the software component such as a docker instance which runs on the infrastructure for that party.
- Another access point 304 can be associated with a service provider or server 314.
- This access point can also include a software component such as a docker instance that runs on the infrastructure for that party.
- Router 312 can provide a centralized system that allows browsing of shared assets, coordination, orchestration and validation of joint operations. It also allows for the auditing of operations. See notes 1, 2 and 3 in FIG. 3. Note that the router 312 can be represented by any node and could also have its operations performed by the server 104 or a third party compute node.
- the parties 318, 314 can represent any individual or organization or the computer or server associated with that party.
- the data asset can be an asset representing data records, such as database rows, image files, or other digital representations of information.
- An algorithmic asset is an asset that represents an operation which can be performed on a data asset. An algorithm could be trained to machine learning model, a procedural program or other types of operation. “Permission” as used herein can represent the affirmative approval of one party to another allowing the use of an asset owned by one of the parties. Note that in one example, the assets that are processed can be the same type of asset (both models 316 or both data 320) or in another example they can be of different types (data 320 and model/ algorithm 316).
- An “agreement” is a codification of rules which can be used to determine whether a usage of assets should be granted permission.
- the router 312, per item 2 in FIG. 3, enforces permissions as part of the process.
- a secure multi-party computation application programming interface (API) 310 can be used to communicate between the various parties 318, 314 through a respective firewall 303, 308.
- a software development kit (SDK) 322 can provide instructions and libraries to the respective access points 302, 304, to interface with the API 310.
- Each party 318, 314 can independently register the existence of assets which are stored behind their access point 302, 304.
- the registration creates an entry in the router 312 and creates a unique asset identifier (ID) from which the owner and location of the asset can be determined.
- ID asset identifier
- Any node can be used for storing or registering the assets.
- the router or other node 312 can provide both graphical and programmatic mechanisms for finding and obtaining information about the registered assets. The unique identifier for each asset is thus available. However, the exact content of the asset remains hidden behind respective access point 302, 304.
- the asset owners 318, 314 can provide or expose metadata information about the respective assets such as a name, a textual description, various types of summaries such as an exploratory data analysis and/or a pseudo sample of the asset.
- the system initiates the operation of secure multi-party computation.
- One party will identify the assets involved in the operation. Typically, this will be a data asset 320 from the data owner 318 and an algorithm asset 316 from the service provider 314. However, this could also be two models 316 that are to be averaged or processed in some way together.
- the specifics of the proposed operation are bundled and submitted to the router 312.
- the assets can each be different models from different systems such as different clients 102.
- a validation of operation occurs next.
- the router 312 can verify the existence of the assets, and then will confirm that permission exists to use them per step 2 of FIG. 3. Any existing agreements will be first checked to see if the proposed use matches the agreement parameters. For example, an agreement might be stored that party A will allow party B to perform the specific algorithm on the specific data asset at any time. If a match is found, then permission is granted. If no matching agreement is found for any of the assets, the owner of the asset is notified of a request to utilize their assets in the operation. The owning party can accept or reject the usage request.
- the operation will not begin execution.
- the router 312 contacts the initiating party’s access point 302, 304 to notify it that the operation can begin. That access point 302, 304 will reach out to the other party’s access point 302, 304 to create a temporary connection for the operation.
- the other access point 302, 304 will verify the identity of the initiator of the operation and the specific operation with the router 312 before accepting the connection.
- the operation is executed. The computation can now begin between the access points 302, 304 of the parties 314, 318.
- portions of the one-way encrypted version of both the data and the algorithm are exchanged.
- both of the assets might be an algorithm or a model 316.
- the SMPC process might involve receiving a first model from a first entity 318 and receiving a second model from a second entity 314 and utilizing the approach described above, performing a secure multi-party computation which can involve exchanging portions (i. e. , less than the full amount of) a respective one-way encrypted version of respective models from the model providers (see clients 102 in FIG.
- the computational resources can be provided by one or more of the clients 102, the access points 302, 304, the entities 314, 318, the server 104 and/or athird party.
- FIG. 4A illustrates an example method 400 for performing a secure multi-party communication.
- the method 400 can include one or more of the following steps: registering, at a node, a first asset from a first entity and a second asset from a second entity (402), creating a first unique asset identification for the first asset and a second unique asset identification for the second asset (404), maintaining hidden first content of the first asset behind a first access point of the first entity and maintaining hidden second content of the second asset behind a second access point of the second entity (406), receiving first metadata associated with the first asset and receiving second metadata associated with the second asset (408).
- the assets might be of the same type (data or models) or might be of different types as well.
- the method can further include confirming, at the node, that permission exists for using the first asset and the second asset to yield a confirmation (410), contacting at least one of the first entity or the second entity to notify that the operation is beginning (412), establishing a temporary connection for the operation between the first entity and the second entity (414), receiving a portion of the first asset at the node from the first entity and receiving a portion of the second asset at the node from the second entity (416), exchanging intermediate one-way encrypted state data based on an operation on the portion of the first asset and the portion of the second asset (418), completing the operation by generating anew asset based on the first asset and the second asset (420) and transmitting the new asset to one or both of the first entity and the second entity (422).
- the new asset emerges un-encrypted and this stored as a new asset behind the initiating party’s access point 302, 304.
- the new asset represents an average of the models 316 provided to the node or to the operation from different entities such as different clients 102.
- the new asset or new version of the model is distributed to each respective client that provided an initial model for the model averaging operation. Note that the example above involves the use of two different assets or models in this case but the model averaging could also occur with more than two entities providing assets (models, algorithms or data).
- the SMPC process can be applicable to the scenario of not just having algorithms operate on data, but on two models being processed or averaged.
- the SMPC process can also be used to enable n parties (clients 102) to securely average their models 192, 194 with the server 104 without peer-to-peer socket communication.
- the system or clients 102 can encrypt each model using a Diffie-Hellman key.
- the server 104 or averaging component 174 acts as the communication channel for the key exchange using Diffie Hellman. It is proven that the Diffie Hellman is secure in case of the corrupted communication channel; so clearly, the server 104 does not learn the actual key.
- the process begins by having the two parties, Alice and Bob, publicly agree on an arbitrary starting color that does not need to be kept secret.
- the color is yellow.
- Each person also selects a secret color that they keep to themselves - in this case, red and blue-green.
- An important part of the process is that Alice and Bob each mix their own secret color together with their mutually shared color, resulting in orange-tan and light-blue mixtures respectively, and then publicly exchange the two mixed colors. Finally, each of them mixes the color they received from the partner with their own private color. The result is a final color mixture (yellow-brown in this case) that is identical to the partner's final color mixture.
- the method 430 includes the server 104 selecting a generator and a prime number g, p for the Diffie Hellman (or other) protocol and sending them to each client 102 (432).
- g is a public base prime number
- p is a public prime modulus and both can be selected by the server 104.
- the server 104 sends all the received keys ki to each client 102 (436).
- the server sends the shares to each corresponding client (446).
- the steps of the SMPC process can be performed as part of the overall larger process of averaging the loss function, the process can also be separately claimed assuming primarily that there are two assets (data, models, algorithms, etc.) that need to be kept private but that might need to be averaged or combined in some way.
- the SMPC process can be a stand-alone process independent of other processes disclosed herein.
- FIG. 5 illustrates an example computer system 500 for implementing a part of the instant disclosure.
- the example computer system 500 may execute a client application for performing the instant disclosure.
- the example computer system 500 includes a processor 505, a memory 510, a graphical device 515, a network device 520, interface 525, and a storage device 530 that are connected to operate via a bus 535.
- the processor 505 reads causes machine instructions (e.g., reduced instruction set (RISC), complex instruction set (CISC), etc.) that are loaded into the memory 510 via a bootstrapping process and executes an operating system (OS) for executing application within frameworks provided by the OS.
- OS operating system
- the processor 505 may execute an application that executes an application provided by a graphical framework such as Winforms, Windows Presentation Foundation (WPF), Windows User Interface (WinUI), or a cross platform user interface such as Xamarin or QT.
- the processor 505 may execute an application that is written for a sandbox environment such as a web browser.
- the processor 505 controls the memory 510 to store instructions, user data, operating system content, and other content that cannot be stored within the processor 505 internally (e.g., within the various caches).
- the processor 505 may also control a graphical device 515 (e.g., a graphical processor) that outputs graphical content to a display 540.
- the graphical device 515 may be integral within the processor 505.
- the display 540 may be integral with the computer system 500 (e.g., a laptop, a tablet, a phone, etc.).
- the memory can be a non-transitory memory in that it is not the air interface that can “store” electromagnetic signals but would be a man-made storage device such as random access memory (RAM), read-only memory (ROM), a hard drive, or some other hardware, physical memory component.
- RAM random access memory
- ROM read-only memory
- hard drive or some other hardware, physical memory component.
- Such a memory or combination of different memory components can store computer instructions which cause the processor to perform various operations as described herein.
- the graphical device 515 may be optimized to perform floating point operations such as graphical computations, and may be configured to execute other operations in place of the processor 505. For example, controlled by instructions to perform mathematical operations optimized for floating point math. For example, the processor 505 may allocate instructions to the graphical device 515 for operations that are optimized for the graphical device 515.
- the graphical device 515 may execute operations related to artificial intelligence (Al), natural language processing (NLP), vector math. The results may be returned to the processor 505.
- the application executing in the processor 505 may provide instructions to cause the processor 505 to request the graphical device 515 to perform the operations.
- the graphical device 515 may return the processing results to another computer system (i.e, distributed computing).
- the processor 505 may also control a network device 520 for transmits and receives data using a plurality of wireless channels 545 and at least one communication standard (e.g., Wi-Fi (i.e., 802.1 lax, 802. lie, etc.), Bluetooth®, various standards provided by the 3rd Generation Partnership Project (e.g., 3G, 4G, 5G), or a satellite communication network (e.g., Starlink).
- the network device 520 may wirelessly connect to a network 550 to connect to servers 555 or other service providers.
- the network device 520 may also be connected to the network 550 via a physical (i. e. , circuit) connection.
- the network device 520 may also directly connect to local electronic device 560 using a point-to-point (P2P) or a short range radio connection.
- P2P point-to-point
- the processor 505 may also control an interface 525 that connects with an external device 570 for bidirectional or unidirectional communication.
- the interface 525 is any suitable interface that forms a circuit connection and can be implemented by any suitable interface (e.g., universal serial bus (USB), Thunderbolt, and so forth).
- USB universal serial bus
- Thunderbolt Thunderbolt
- the external device 565 is able to receive data from the interface 525 to process the data or perform functions for different applications executing in the processor 505.
- the external device 565 may be another display device, a musical instrument, a computer interface device (e.g., a keyboard, a mouse, etc.), an audio device (e.g., an analog-to-digital converter (ADC), a digital-to-analog converter (DAC)), a storage device for storing content, an authentication device, an external network interface (e.g., a 5G hotspot), a printer, and so forth.
- ADC analog-to-digital converter
- DAC digital-to-analog converter
- the steps disclosed herein can be practiced by a “system.”
- the system can include the server and one or more clients together, or might just be functionality performed by the server.
- the system could also be a client or a group of clients, such as clients in a particular geographic area or clients groups in some manner that are performing the client-based functions disclosed herein.
- Claims can be included which outline the steps that occur from the standpoint of any device disclosed herein. For example, the steps of transmission, calculation, and receiving of data can be claimed from the standpoint of a server device, a client device, or group of client devices depending on which embodiment is being covered. All such communication from the standpoint of an individual component or device can be included as within the scope of a particular embodiment focusing on that device.
- the system can include a platform as disclosed in the patent applications incorporated by reference also performing steps in coordination with the concept disclosed above. Therefore, the platform as used to provide the federated-split learning process described herein is also an embodiment of this disclosure and steps can be recited in connection with the use of that platform for training models in a manner that maintains privacy of the data as described herein.
- Claim language reciting "at least one of' a set indicates that one member of the set or multiple members of the set satisfy the claim.
- claim language reciting “at least one of A and B” means A, B, or A and B.
- a method comprising: training, at a client system of a plurality of client systems, a part of a deep learning network up to a split layer of the client system; based on an output of the split layer of the client system, completing, at a server system, training of the deep learning network by asynchronously forward propagating the output received at a split layer of the server system to a last layer of the server system; calculating a weighted loss function for the client system at the last layer of the server system to yield a calculated loss function for the client system; storing the calculated loss function for the client system in a queue; after each respective client system of the plurality of client systems has a respective loss function stored in the queue to yield a plurality of respective weighted client loss functions, averaging, at the server system, the plurality of respective weighted client loss functions to yield an average loss value; back propagating gradients based on the average loss value from the last layer of the server system to the split layer of the server system to yield server system split layer gradients;
- Statement 2 The method of Statement 1, wherein the weighted loss function comprises a minimizing of a statistical distance between (1) a distribution of activations communicated by the client system to the server system from just the split layer of the client system and (2) a classification loss.
- Statement 3 The method of any preceding Statement, wherein the classification loss comprises a categorical cross-entropy or a cross-entropy.
- Statement 4 The method of any preceding Statement, wherein storing the calculated loss function for the client system in the queue further comprises storing respective calculated loss function for each respective client system of the plurality of client systems.
- Statement 7 The method of any preceding Statement, further comprising: back propagating, at the client system and from the split layer of the client system to an input layer of the client system, the server system split layer gradients to complete a training epoch of the deep learning network.
- a system comprising: a storage configured to store instructions; one or more processors configured to execute the instructions and cause the one or more processors to: train, at a client system of a plurality of client systems, a part of a deep learning network up to a split layer of the client system; based on an output of the split layer of the client system, complete, at a server system, training of the deep learning network by asynchronously forward propagate the output received at a split layer of the server system to a last layer of the server system; calculate a weighted loss function for the client system at the last layer of the server system to yield a calculated loss function for the client system; store the calculated loss function for the client system in a queue; after each respective client system of the plurality of client systems has a respective loss function stored in the queue to yield a plurality of respective weighted client loss functions, average, at the server system, the plurality of respective weighted client loss functions to yield an average loss value; back propagate gradients based on the average loss value from the
- Statement 10 The system of any preceding Statement, wherein the classification loss comprises a categorical cross-entropy or a cross-entropy.
- Statement 14 The system of any preceding Statement, further comprising:
- a non-transitory computer readable medium comprising instructions, the instructions, when executed by a computing system, cause the computing system to: train, at a client system of a plurality of client systems, a part of a deep learning network up to a split layer of the client system; based on an output of the split layer of the client system, complete, at a server system, training of the deep learning network by asynchronously forward propagate the output received at a split layer of the server system to a last layer of the server system; calculate a weighted loss function for the client system at the last layer of the server system to yield a calculated loss function for the client system; store the calculated loss function for the client system in a queue; after each respective client system of the plurality of client systems has a respective loss function stored in the queue to yield a plurality of respective weighted client loss functions, average, at the server system, the plurality of respective weighted client loss functions to yield an average loss value; back propagate gradients based on the average loss value from the last layer
- Statement 16 The computer readable medium of Statement 15, wherein the weighted loss function comprises a minimizing of a statistical distance between (1) a distribution of activations communicated by the client system to the server system from just the split layer of the client system and (2) a classification loss.
- Statement 17 The computer readable medium of any preceding Statement, wherein the classification loss comprises a categorical cross-entropy or a cross-entropy.
- Statement 18 The computer readable medium of any preceding Statement, wherein storing the calculated loss function for the client system in the queue further comprises storing respective calculated loss function for each respective client system of the plurality of client systems.
- Statement 19 The computer readable medium of any preceding Statement, wherein storing respective calculated loss function for each respective client system of the plurality of client systems is performed asynchronously on a first-come-first-stored manner.
- Statement 21 A method comprising: receiving a first model from a first client and a second model from a second client; generating an average of the first model and the second model to yield an average model; and providing the average model to each of the first client and the second client as an updated model.
- Statement 22 The method of any preceding Statement, further comprising: receiving the first model and the second model in an encrypted state.
- Statement 23 The method of any preceding Statement, wherein the first model from the first client and the second model from the second client each are encrypted and have at least a portion of its data being rubbish data.
- Statement 23 The method of any preceding Statement, wherein the first model from the first client and the second model from the second client each represent a respective portion of all the available data associated with the first model from the first client and the second model.
- a system comprising: a processor; and a computer-readable storage device storing instructions which, when executed by the processor, cause the processor to perform operations comprising: receiving a first model from a first client and a second model from a second client; generating an average of the first model and the second model to yield an average model; and providing the average model to each of the first client and the second client as an updated model.
- Statement 22 The system of any preceding Statement, further comprising: receiving the first model and the second model in an encrypted state.
- Statement 23 The system of any preceding Statement, wherein the first model from the first client and the second model from the second client each are encrypted and have at least a portion of its data being rubbish data.
- Statement 23 The system of any preceding Statement, wherein the first model from the first client and the second model from the second client each represent a respective portion of all the available data associated with the first model from the first client and the second model.
- Statement 24 The system of any preceding Statement, wherein receiving a first model from a first client and a second model from a second client occurs after an epoch in which all batches of data for the first client and the second client are processed by respectively by each of the first client, the second client, and a server-side model to generate gradients received at the first client and the second client to update their respective models to yield the first model and the second model.
- Statement 25 A method comprising: transmitting smashed data, generated from a client-side model, to a server for training a server-side model and to generate gradients based on the smashed data; receiving the gradients back from the server; updating the client-side model based on the gradients received from the server to yield an updated client-side model; sending the updated client-side model to an averaging component which generates in a weighted average client-side model; and receiving the weighted average client-side model from the averaging component.
- Statement 26 The method of Statement 25, wherein the updated client-side model is encrypted or modified such that not all of the updated client-side model data is sent to the averaging component.
- a system comprising: a processor; and a computer-readable storage device storing instructions which, when executed by the processor, cause the processor to perform operations comprising: transmitting smashed data, generated from a client-side model, to a server for training a server-side model and to generate gradients based on the smashed data; receiving the gradients back from the server; updating the client-side model based on the gradients received from the server to yield an updated client-side model; sending the updated client-side model to an averaging component which generates in a weighted average client-side model; and receiving the weighted average client-side model from the averaging component.
- Statement 29 The sytem of Statement 28, wherein the updated client-side model is encrypted or modified such that not all of the updated client-side model data is sent to the averaging component.
- Statement 30 The method of any preceding Statement, wherein the updated client- side model includes some rubbish data and/or does not include all of the available data of the updated client-side model.
- a method comprising: receiving, at a server system and from a client system of a plurality of client systems, smashed data associated with the client system; completing, at the server system, training of a deep learning network by asynchronously forward propagating the smashed data received at a split layer of the server system to a last layer of the server system; calculating a weighted loss function for the client system at the last layer of the server system to yield a calculated loss function for the client system; storing the calculated loss function for the client system in a queue; after each respective client system of the plurality of client systems has a respective loss function stored in the queue to yield a plurality of respective weighted client loss functions, averaging, at the server system, the plurality of respective weighted client loss functions to yield an average loss value; back propagating gradients, based on the average loss value, from the last layer of the server system to the split layer of the server system to yield server system split layer gradients; and transmitting, from the server system, split layer gradient
- Statement 35 The method of Statement 35, wherein the weighted loss function comprises a minimizing of a statistical distance between (1) a distribution of activations communicated by the client system to the server system from just the split layer of the client system and (2) a classification loss.
- Statement 36 The method of any preceding Statement, wherein the classification loss comprises a categorical cross-entropy or a cross-entropy.
- Statement 37 The method of any preceding Statement, wherein storing the calculated loss function for the client system in the queue further comprises storing respective calculated loss function for each respective client system of the plurality of client systems.
- Statement 38 The method of any preceding Statement, wherein storing respective calculated loss function for each respective client system of the plurality of client systems is performed asynchronously on a first-come-first-stored manner.
- Statement 39 The method of any preceding Statement, wherein transmitting just the server system split layer gradients to the plurality of client systems further comprises transmitting just the server system split layer gradients to each client system of the plurality of client systems.
- Statement 40 The method of any preceding Statement, further comprising: back propagating, at the client system and from the split layer of the client system to an input layer of the client system, the server system split layer gradients to complete a training epoch of the deep learning network.
- a method comprising: transmitting, to a server system and from a client system of a plurality of client systems, smashed data associated with the client system, wherein the server system completes training of a deep learning network by asynchronously forward propagating the smashed data received at a split layer of the server system to a last layer of the server system, calculates a weighted loss function for the client system at the last layer of the server system to yield a calculated loss function for the client system, stores the calculated loss function for the client system in a queue, after each respective client system of the plurality of client systems has a respective loss function stored in the queue to yield a plurality of respective weighted client loss functions, averages, at the server system, the plurality of respective weighted client loss functions to yield an average loss value and back propagating gradients based on the average loss value from the last layer of the server system to the split layer of the server system to yield server system split layer gradients; and receiving, from the server system and at the plurality of client systems,
- Statement 42 The method of Statement 41, wherein the weighted loss function comprises a minimizing of a statistical distance between (1) a distribution of activations communicated by the client system to the server system from just the split layer of the client system and (2) a classification loss.
- Statement 43 The method of any preceding Statement, wherein the classification loss comprises a categorical cross-entropy or a cross-entropy.
- Statement 44 The method of any preceding Statement, wherein storing the calculated loss function for the client system in the queue further comprises storing respective calculated loss function for each respective client system of the plurality of client systems.
- Statement 45 The method of any preceding Statement, wherein storing respective calculated loss function for each respective client system of the plurality of client systems is performed asynchronously on a first-come-first-stored manner.
- Statement 46 The method of any preceding Statement, wherein transmitting just the server system split layer gradients to the plurality of client systems further comprises transmitting just the server system split layer gradients to each client system of the plurality of client systems.
- Statement 47 The method of any preceding Statement, further comprising: back propagating, at the client system and from the split layer of the client system to an input layer of the client system, the server system split layer gradients to complete a training epoch of the deep learning network.
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- Data Mining & Analysis (AREA)
- General Health & Medical Sciences (AREA)
- Biomedical Technology (AREA)
- Biophysics (AREA)
- Computational Linguistics (AREA)
- Life Sciences & Earth Sciences (AREA)
- Evolutionary Computation (AREA)
- Artificial Intelligence (AREA)
- Molecular Biology (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Mathematical Physics (AREA)
- Software Systems (AREA)
- Health & Medical Sciences (AREA)
- Computer And Data Communications (AREA)
Abstract
Applications Claiming Priority (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US202063090904P | 2020-10-13 | 2020-10-13 | |
US202163226135P | 2021-07-27 | 2021-07-27 | |
PCT/US2021/054518 WO2022081539A1 (fr) | 2020-10-13 | 2021-10-12 | Systèmes et procédés de fourniture fonction de perte modifiée dans un apprentissage fédéré/divisé |
Publications (2)
Publication Number | Publication Date |
---|---|
EP4229559A1 true EP4229559A1 (fr) | 2023-08-23 |
EP4229559A4 EP4229559A4 (fr) | 2024-04-17 |
Family
ID=87264196
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP21880886.3A Pending EP4229559A4 (fr) | 2020-10-13 | 2021-10-12 | Systèmes et procédés de fourniture fonction de perte modifiée dans un apprentissage fédéré/divisé |
Country Status (1)
Country | Link |
---|---|
EP (1) | EP4229559A4 (fr) |
-
2021
- 2021-10-12 EP EP21880886.3A patent/EP4229559A4/fr active Pending
Also Published As
Publication number | Publication date |
---|---|
EP4229559A4 (fr) | 2024-04-17 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11431688B2 (en) | Systems and methods for providing a modified loss function in federated-split learning | |
US20220021662A1 (en) | Operating system for blockchain iot devices | |
US12073387B2 (en) | System and method of multi-round token distribution using a blockchain network | |
TWI770022B (zh) | 電腦實施之控制方法、系統及控制系統 | |
US11991156B2 (en) | Systems and methods for secure averaging of models for federated learning and blind learning using secure multi-party computation | |
Cao et al. | A federated deep learning framework for privacy preservation and communication efficiency | |
Liang et al. | Co-maintained database based on blockchain for idss: A lifetime learning framework | |
Zhang et al. | SABlockFL: a blockchain-based smart agent system architecture and its application in federated learning | |
CN116167868A (zh) | 基于隐私计算的风险识别方法、装置、设备以及存储介质 | |
WO2022081539A1 (fr) | Systèmes et procédés de fourniture fonction de perte modifiée dans un apprentissage fédéré/divisé | |
Khodaiemehr et al. | Navigating the quantum computing threat landscape for blockchains: A comprehensive survey | |
US10795658B2 (en) | Updatable random functions | |
EP4229559A1 (fr) | Systèmes et procédés de fourniture fonction de perte modifiée dans un apprentissage fédéré/divisé | |
CN115361196A (zh) | 一种基于区块链网络的业务交互方法 | |
CN115759248A (zh) | 基于去中心混合联邦学习的金融系统分析方法及存储介质 | |
CN115130568A (zh) | 支持多参与方的纵向联邦Softmax回归方法及系统 | |
Sekhar et al. | An integrated secure scalable blockchain framework for iot communications | |
Sengupta et al. | Blockchain-Enabled Verifiable Collaborative Learning for Industrial IoT | |
Xu | Functional encryption based approaches for practical privacy-preserving machine learning | |
Hwang et al. | Quantum entanglement establishment between two strangers | |
Hong et al. | A designated private set based trapdoor authentication scheme for privacy preserving trust management in decentralized systems | |
Zheng et al. | Security issues of federated learning in real-life applications | |
Pancholi | A Robust PPML Framework for Three Servers |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: THE INTERNATIONAL PUBLICATION HAS BEEN MADE |
|
PUAI | Public reference made under article 153(3) epc to a published international application that has entered the european phase |
Free format text: ORIGINAL CODE: 0009012 |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE |
|
17P | Request for examination filed |
Effective date: 20230508 |
|
AK | Designated contracting states |
Kind code of ref document: A1 Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR |
|
DAV | Request for validation of the european patent (deleted) | ||
DAX | Request for extension of the european patent (deleted) | ||
REG | Reference to a national code |
Ref country code: DE Ref legal event code: R079 Free format text: PREVIOUS MAIN CLASS: G06N0003080000 Ipc: G06N0003098000 |
|
A4 | Supplementary search report drawn up and despatched |
Effective date: 20240319 |
|
RIC1 | Information provided on ipc code assigned before grant |
Ipc: H04L 9/08 20060101ALN20240313BHEP Ipc: G06N 3/084 20230101ALI20240313BHEP Ipc: G06N 3/045 20230101ALI20240313BHEP Ipc: G06N 3/08 20060101ALI20240313BHEP Ipc: G06N 3/098 20230101AFI20240313BHEP |
|
RAP1 | Party data changed (applicant data changed or rights of an application transferred) |
Owner name: TRIPLEBLIND HOLDINGS, INC. |