JP2018097467A - Privacy protection data providing system and privacy protection data providing method - Google Patents

Abstract

PROBLEM TO BE SOLVED: To acquire an accurate, suitable and anonymous deep layer learning model, regardless of types of data, when acquiring the anonymous deep layer learning model.SOLUTION: An error based on a Laplace distribution is given to a parameter value in a deep layer learning model in which a deep layer learning has been performed and when each parameter to which the error has been given on the basis of the Laplace distribution exceeds a range of thresholds indicated as a maximum value and a minimum value, each parameter is caused to be limited within the range of the thresholds for anonymization. Or an error based on the Laplace distribution is given to a parameter value used in a calculation at the time of the calculation to obtain the deep layer learning model, and when each parameter to which the error has been given on the basis of the Laplace distribution exceeds the range of the thresholds indicated as the maximum value and the minimum value, it is caused to be limited within the range of the thresholds for anonymization.SELECTED DRAWING: Figure 3

Description

  The present invention relates to a privacy protection data providing system and a privacy protection data providing method.

  In recent years, when publishing data that requires privacy protection, such as personal data, a process called differential privacy has been applied to ensure the privacy of individual data and to enable appropriate data analysis. Things have been proposed.

  When differential privacy processing is performed on data, the privacy protection level is indicated by a privacy index indicated by “ε”. The closer the value of the privacy index “ε” is to 0, the higher the data protection level is. The larger the value of the privacy index “ε” is, the lower the data protection level is.

  Specifically, when there is an anonymous learning algorithm A that anonymizes a certain database D and performs differential privacy processing, the anonymous learning algorithm A is an algorithm including a stochastic element. That is, when the database D is anonymized by the anonymous learning algorithm A including the probabilistic element, the anonymized data s1, s2,. It is done. Here, a database D and a database D ′ that is different from the database D by one record are prepared, and specific data si of the set S of the databases D and D ′ (the data si is the data s1 to sn). The anonymous learning algorithm A is an algorithm that satisfies the difference privacy when the ratio of the probability of becoming any one is equal to or less than exp (ε) using the privacy index “ε”.

  The points satisfying this differential privacy will be described in a more easy-to-understand manner. For example, a database D ′ is obtained by adding (or deleting) data of an arbitrary person to a specific database D composed of a large number of personal information. Here, the result of anonymizing the database D with the anonymous learning algorithm A and the anonymization of the database D is almost the same as the result of anonymizing the database D ′ with the anonymous learning algorithm A and the difference privacy processing. Sometimes (that is, when the above-described threshold exp (ε) is not exceeded), it can be said that the database D has been released in a state where privacy is protected.

This can be regarded as a state in which privacy is protected because the results are almost the same regardless of the presence or absence of each person's data when viewed from the individual specified by each data constituting the database D. In other words, it means that the result is the same for either database D or database D ′.
Patent Document 1 describes an example of a method for totaling data while satisfying differential privacy.

Japanese Patent Laid-Open No. 2006-12074

  As described above, it is possible to anonymize data by creating an anonymous learning algorithm that performs differential privacy processing. Actually, however, the ratio of probabilities is exp ( There is a problem that it is difficult to create an anonymous learning algorithm that performs machine learning that satisfies the condition of [epsilon]) and that increases the accuracy of the neural model.

  The present invention provides a privacy protection data providing system and privacy protection data that can provide a highly accurate and suitable anonymized deep learning model for any data when forming an anonymized deep learning model An object is to provide a providing method.

A privacy protection data providing system according to an aspect of the present invention includes a deep learning processing unit that obtains a deep learning model by applying a deep learning algorithm to raw data in a database, and deep learning obtained by the deep learning processing unit. A privacy protection data providing system including an anonymization processing unit that obtains an anonymous model by performing anonymization processing based on differential privacy for a model.
Here, the anonymization processing unit gives an error based on the Laplace distribution to each parameter value for the weight parameter and the bias parameter included in the deep learning model, and each parameter that gives an error based on the Laplace distribution. However, when the threshold value range indicated by the maximum value and the minimum value is exceeded, the threshold value range is limited.

In addition, the privacy protection data providing system according to another aspect of the present invention applies a deep learning algorithm to a deeply learned anonymous model while performing anonymization processing based on differential privacy for raw data in a database. A privacy protection data providing system including a deep learning processing unit.
Here, the deep learning processing unit gives an error based on the Laplace distribution to each parameter value and gives an error based on the Laplace distribution to the weight parameter and the bias parameter used in the calculation for obtaining the deep learning model. When each parameter exceeds the threshold range indicated by the maximum value and the minimum value, the parameter is limited to the threshold range.

The privacy protection data providing method according to one aspect of the present invention includes a deep learning processing procedure for obtaining a deep learning model by applying a deep learning algorithm to raw data in a database, and a deep layer obtained by the deep learning processing procedure. An anonymization processing procedure for performing an anonymization processing based on differential privacy for the learning model.
Here, the anonymization processing procedure gives each parameter value an error based on the Laplace distribution for each of the weight parameter and the bias parameter included in the deep learning model, and each parameter that gives the error based on the Laplace distribution. However, when the threshold value range indicated by the maximum value and the minimum value is exceeded, the threshold value range is limited.

The privacy protection data providing method according to another aspect of the present invention provides a deep learning anonymous model by applying a deep learning algorithm to a raw data in a database while applying anonymization processing based on differential privacy. Includes a learning procedure.
Here, in the deep learning processing procedure, an error based on the Laplace distribution is given to each parameter value and an error is given based on the Laplace distribution to the weight parameter and the bias parameter used at the time of obtaining the deep learning model. When each parameter exceeds the threshold range indicated by the maximum value and the minimum value, the parameter is limited to the threshold range.

  According to the present invention, when each parameter that gives an error based on the Laplace distribution exceeds the threshold range indicated by the maximum value and the minimum value, the error is given by limiting to the threshold range. Even if data anonymization is performed, the data fluctuation range can be limited to an appropriate range, and appropriate anonymization can be performed. As a result, the accuracy degradation of the deep learning model due to anonymization can be reduced.

It is a block diagram which shows the structural example of the processing system by the 1st Example of this invention. It is a block diagram which shows the structural example which gives the error based on the Laplace distribution within the anonymization process part by the 1st Example of this invention. It is a flowchart which shows the example of the flow of the process by the 1st Example of this invention. It is explanatory drawing which shows the outline | summary of the deep learning by the 1st Example of this invention. It is explanatory drawing which shows the experiment example by the 1st Example of this invention. It is a block diagram which shows the structural example of the processing system by the 2nd Example of this invention. It is a flowchart which shows the example of the flow of the process by the 2nd Example of this invention. It is explanatory drawing which shows the experiment example by the 2nd Embodiment of this invention. It is explanatory drawing which shows the outline of the example (Example 1) of the provision of the error by each Example of this invention, and the restriction | limiting to a threshold value. It is explanatory drawing which shows the outline of the restriction | limiting example (Example 2) of the provision of the error by each embodiment of this invention, and a threshold value.

<1. First Embodiment>
Hereinafter, a first embodiment of the present invention will be described with reference to FIGS.

[Entire system configuration]
FIG. 1 shows a configuration of a privacy protection data providing system according to the first embodiment.
A large amount of raw data including personal information is stored in the database 1, and the raw data stored in the database 1 is supplied to the deep learning processing unit 2. The deep learning processing unit 2 performs a calculation using a deep learning algorithm prepared in advance, and obtains a deep learning model 3 obtained by deep learning of raw data.

  Then, the deep learning model 3 obtained by the deep learning processing unit 2 is supplied to the anonymization processing unit 10. The anonymization processing unit 10 performs anonymization processing based on differential privacy on the supplied deep learning model 3 and anonymized deep learning model 4 (hereinafter referred to as “anonymization model 4”). obtain.

When the anonymization processing unit 10 obtains the anonymization model 4 based on differential privacy, an error based on the Laplace distribution is added to each parameter value for the weight parameter and the bias parameter included in the deep learning model 3. Given, the processing of differential privacy is performed. However, when an error based on the Laplace distribution is given to each parameter value, the error is limited by a threshold value indicating the maximum value and the minimum value.
Giving an error based on the Laplace distribution means that the parameter value giving the error becomes a value including a stochastic element, and as a result, the anonymization model 4 in which anonymization is performed is obtained.

[Ε-differential privacy processing configuration]
FIG. 2 is a block diagram illustrating functions of the anonymization processing unit 10.
As shown in FIG. 2, the anonymization processing unit 10 includes a data input unit 11, an ε input unit 12, a parameter structure determination unit 13, a parameter initial value determination unit 14, a threshold value determination unit 15, a threshold value excess determination unit 16, and a threshold value calculation. The unit 17 is provided. Furthermore, the anonymization processing unit 10 includes an anonymization calculation unit 18 and a data output unit 19.

  Data of the deep learning model is input to the data input unit 11, and this data is supplied to the anonymization calculation unit 18. The index “ε” used when the differential privacy processing is performed is input to the ε input unit 12, and the index “ε” is supplied to the anonymization calculation unit 18.

  The parameter structure determination unit 13 has a function of determining the parameter structure of the deep learning model 3, and the parameter structure of the deep learning model 3 determined by the parameter structure determination unit 13 is supplied to the anonymization calculation unit 18. The parameter structure determined by the parameter structure determination unit 13 includes at least a weight parameter and a bias parameter. Then, the anonymization calculation unit 18 performs a process of giving an error to these weight parameters and bias parameters.

  The parameter initial value determination unit 14 determines parameter initial values of the above-described weight parameter and bias parameter. The parameter initial value is supplied to the anonymization calculation unit 18, and the anonymization calculation unit 18 determines the initial value of the parameter structure determined by the parameter structure determination unit 13 using the parameter initial value.

The threshold value determination unit 15 determines a threshold value for limiting the maximum value and the minimum value when setting the error obtained based on the Laplace distribution. When the threshold value is determined by the threshold value determination unit 15, the calculation result of the threshold value calculation unit 17 described later is used.
Whether the error value determined by the parameter structure determination unit 13 exceeds the threshold (maximum value or minimum value) determined by the threshold determination unit 15 when the anonymization calculation unit 18 performs the calculation. Determine whether.

The threshold calculation unit 17 performs calculation for setting the threshold and supplies the calculation result to the anonymization calculation unit 18.
The anonymization calculation unit 18 performs processing using the threshold value as an error value when the determination result in the threshold value excess determination unit 16 exceeds the threshold value. The result calculated by the anonymization calculation unit 18 is output from the data output unit 19.

[Overall process flow]
FIG. 3 is a flowchart showing a flow of processing in the privacy protection data providing system of the first exemplary embodiment.
First, the deep learning processing unit 2 acquires raw data from the database 1 (step S11). Then, the deep learning processing unit 2 performs deep learning on the acquired raw data by applying a deep learning algorithm prepared in advance (step S12), and acquires a deep learned model as a result of the deep learning processing. (Step S13).

Next, the anonymization processing unit 10 performs anonymization processing on the deeply learned model acquired in step S13 (step S14). When this anonymization process is performed, an error is given based on the Laplace distribution after setting a limit based on a threshold.
In step S14, the threshold value used for the restriction of the anonymization process is the threshold value indicating the maximum value and the minimum value of the variation amount of the weight parameter in the anonymization processing unit 10, the maximum value of the variation amount of the bias parameter, and This is a threshold value indicating the minimum value. Details of the threshold generation processing (step S20) will be described later using mathematical expressions.
And anonymization model is acquired by execution of the anonymization process by step S14 by the anonymization process part 10 (step S15), and the obtained anonymization model is output from the data output part 19. FIG.

[Details of deep learning]
Next, details of each processing of steps S12 to S15 described so far will be described.
First, an example in which deep learning is performed will be described with reference to FIG.
In FIG. 4, H ^(l) indicates the first layer of deep learning. FIG. 4 shows an example of L = 3, and has L + 1 layers as a whole. The input layer is H ⁽⁰⁾ and the output layer is H ^(L) . Each layer has a plurality (or one) of nodes. Node _N ^{i (l)} represents the i-th node in layer ^{H (l), n (l} ) is the number of nodes in layer ^{H (l).} In the layer H ^(l), there are nodes N ₁ ^(l) , N ₂ ^(l) ,..., N _{n (l)} ^(l) .

In FIG. 4, w _ij ^(l) represents a weight parameter between the node N _i ^(l−1) and the node N _j ^(l) . b _j ^(l) represents a bias parameter to the node N _j ^(l) . F ^(l) represents the activation function of the layer H ^(l) . x _i ^(l) represents the input to node N _i ^(l) and y _i ^(l) represents the output from node N _i ^(l) .
These input / output values are calculated by the following equations.

Here, t _i represents a target output value of the node N _i ^(L) , and M represents an error function. The error function M takes y _i ^(L) and t _i as inputs and returns the error value.
The learning data is divided into batches called batches. The following process is performed for each batch.

For each record in the batch, y _i ^(L) is calculated by a deep learning algorithm (i = 1,..., N ^(L) ).
Next, an error signal (denoted as δ _i ^{(l) ) at} each node N _i ^(l ) is calculated by a deep learning algorithm. When l = L, δ _i ^(L) is calculated as in the following [Equation 2].

For l = 1,..., L−1, δ _i ^(l) is calculated as in the following [Equation 3].

Then, δ _i ^(l) is calculated for each record in the batch by the deep learning algorithm, and the sum is newly set as δ _i ^(l) .
Next, the fluctuation amount Δw _ij ^(l) is defined as follows.

Finally, each weight parameter w _ij ^(l) for l = 1,..., L, i = 1,..., N ^(l−1) , and j = 1,. , N ^(l) is updated as in the following [Equation 5].

Here, the learning rate α and the regular term λ are determined in advance.
The bias parameter is updated as follows.

Here, Δb _j ^(l) = δ _j ^(l) .
The processes of [Expression 1] to [Expression 6] are performed for all batches.
This process is repeated several times. This number of repetitions is called the epoch number. The number of epochs is determined prior to deep learning, with prior citations or while learning is in progress.

[Details of ε-differential privacy]
Next, ε-differential privacy will be described.
For example, it is assumed that the database D and the database D ′ differ by a maximum of one record. The random mechanism A realizes ε-difference privacy for all sets Y of outputs when the condition of the following [Equation 7] is satisfied.

  The database D and the database D ′ are considered to be different databases by one record. Let Q be the set of all theoretically possible databases as the input database. At this time, let f be a function of f: Q → R. Here, when the following [Equation 8] is established for all the databases D and D ′, Δf is defined as the global sensitivity of f, that is, the range that the value of f can take.

Next, an anonymization mechanism that satisfies the ε-differential privacy, called a Laplace mechanism, will be described.
Let Lap (v) be a function that outputs a random error based on a Laplace distribution with an average of 0 and a scale of v. At this time, when the random mechanism A outputs f (D) + Lap (Δf / ε) for a certain function f, the random mechanism A satisfies ε−differential privacy.

  Here, the maximum value of the range of values that can vary depending on the presence or absence of one piece of data for the error b is set as d. The maximum value d here is not an actual value, but is calculated from a range of values that can be assumed as a database before anonymization. Then, an error b = d / ε is set. That is, the larger the maximum value d and the smaller ε, the larger the error b and the larger the given error.

There are a plurality of deep learning weight parameters and bias parameters. Although the ε-differential privacy can be satisfied for the set of parameters, in the present embodiment, the ε-differential privacy is individually satisfied for each parameter.
In this way, when satisfying ε-difference privacy individually for each parameter, the random mechanism A has the following formula for all sets Y of outputs in each parameter, and On the other hand, ε-differential privacy is satisfied individually. Note that the database D and the database D ′ differ by a maximum of one record.

[Threshold setting example for each parameter]
Next, processing for setting a threshold value for the weight parameter w _ij ^(l) and the bias parameter b _j ^(l) will be described. This process corresponds to the process of step S20 in FIG.
This processing is performed in order to reduce the error given to the parameter by reducing the theoretical maximum value (global sensitivity) of the value that can change when only one record differs. As a result, it is possible to reduce a decrease in accuracy of the deep learning model, that is, to improve accuracy.

Here, the maximum value of the weight parameter w _ij ^(l) is set to w _max and the minimum value is set to w _min . In addition, the maximum value of the bias parameter b _j ^(l) is b _max , and the minimum value is b _min .
In this embodiment, a threshold is also set for an input value (learning data) for deep learning. Here, the threshold value of the input value is [0, 1]. Here, the threshold value [0, 1] means that the minimum value is “0” and the maximum value is “1”, so that the threshold value is limited to “0” or more and “1” or less.

In the present embodiment, the anonymization processing unit 10 gives an error to the learned weight parameter w _ij ^(l) after performing deep learning. That is, w _ij ^(l) + Lap (w _max −w _min / ε) is calculated for all i, j, and l (see FIG. 3) during deep learning. Let this calculation result be r _ij ^(l) . If the value of the calculation result r _ij ^(l) exceeds the maximum value w _max , the value of the weight parameter w _ij ^(l) is corrected to the maximum value (threshold value) w _max .
Similarly, if the value of the calculation result r _ij ^(l) falls below the minimum value w _min , the value of the weight parameter w _ij ^(l) is corrected to the minimum value (threshold value) w _min .

Further, the process of limiting the maximum value and the minimum value is also performed on the bias parameter b _j ^(l) . That is, the calculation result of the bias parameter b _j ^(l) is set to min (b _max , max (b _min , b _j ^(l) + Lap ((b _max −b _min ) / ε))).

[Explanation of satisfying ε-differential privacy when a threshold is set]
Next, it will be described that the parameter when the error is limited by the threshold (maximum value, minimum value) satisfies ε-difference privacy.
As described above, in the present embodiment, the theoretical maximum width of the weight parameter w _ij ^(l) is used as the weight parameter w _ij ^(l) and the bias parameter b _j ^(l) (see FIG. 4 ⁾ during deep learning. (Global sensitivity) is (w _max −w _min ), and the theoretical maximum width (global sensitivity ⁾ of the bias parameter b _j ^(l ) is (b _max −b _min ). As will be described next, the calculation result of the learned weight parameter w _j ^{(l) is} expressed as min (w _max , max (w _min , b _j ^(l) + Lap ((w _max −w _min ) / ε))). And the calculation result of the learned bias parameter b _j ^(l) is set to min (b _max , max (b _min , b _j ^(l) + Lap ((b _max −b _min ) / ε))). Thus, ε-differential privacy can be satisfied.

When the random mechanism A outputs min (f _min , max (f _max , f (D) + Lap (Δf / ε))), the random mechanism A realizes ε-differential privacy. Here, f _max and f _min are the theoretical maximum and minimum values that f (D) can take.
Here, a database D and a database D ′ different from the database D by one record are set.
Further, F (D) = f (D) + Lap (Δf / ε) is set. When the value of F (D) falls within the range of [f _min , f _max ], [Formula 7] is established.

Next, consider a case where the value of F (D) is _less than f _min . At this time, the output value of A (D) is f _min . The probability that the output of A (D) will be f _min is expressed by the following [Equation 9].

In the formula [9], Lap (v, u) represents the value of the probability density function of the Laplace distribution in which the scale parameter is v and the difference from the average is u.
Similarly, the probability that the output value of A (D ′) is f _min is expressed by the following [Equation 10].

  The ratio of the value of [Formula 9] and the value of [Formula 10] is represented by [Formula 11] at the maximum.

  Here, since | f (D) −f (D ′) | ≦ Δf, the value of the equation [11] is not more than exp (ε). Therefore, ε-differential privacy is satisfied.

Next, consider a case where the value of F (D) is greater than or equal to f _max . At this time, the output value of A (D) is limited to f _max . The probability that the output of A (D) will be f _max is expressed by the following [Equation 12].

Similarly, the probability that the output value of A (D ′) is f _max is expressed by the following [Equation 13].

The ratio of the value of [Expression 12] and the value of [Expression 13] is expressed by [Expression 14] at the maximum.

Here, since | f (D) −f (D ′) | ≦ Δf, the value of the equation (14) is not more than exp (ε). Therefore, ε-differential privacy is satisfied.
In this way, limiting the error to the threshold value of the maximum value and the minimum value satisfies the ε-difference privacy for all parameters. Therefore, ε-difference privacy is established by limiting the error of each parameter with a threshold as in the present embodiment.

FIG. 9 shows an outline of the processing for limiting the error to the threshold value of the maximum value and the minimum value, which has been described so far by using mathematical expressions. As shown in FIG. 9, for example, it is assumed that the range of values that a certain parameter can take is “0” or more and “1” or less, and the parameter value at a certain time point is 0.8 (the global sensitivity is the maximum value). Difference between “1” and minimum value “0”). When an error is given to the parameter value “0.8” and the parameter value with the error given becomes “1.1”, the parameter value is limited to “1” which is the upper limit value of the threshold range. Processing is performed.
Note that the example shown in FIG. 9 shows a very simplified outline of limiting parameters with thresholds, and the process of limiting to actual thresholds is based on the various conditions described above with reference to mathematical expressions. It is done with consideration.

[Examples evaluated with actual data]
FIG. 5 shows an example when the processing of the present embodiment is performed on a data set for evaluation. Here, as an evaluation data set, [Adult data set], which is widely used in the field of privacy protection data mining, is used. [Adult data set] is composed of 15 types of attributes (age, gender, race, annual income, etc.), and is composed of 45,222 records excluding records containing missing values. The attribute of annual income takes a binary value indicating whether the annual income of the person in each record exceeds 50,000 dollars.
Then, a deep learning system that predicts whether the annual income exceeds $ 50,000 is constructed from the 14 attributes excluding the annual income.

  First, a preliminary experiment was performed on the raw data without anonymization satisfying the differential privacy, and the structure of the deep learning algorithm was determined so that the accuracy of the deep learning model was increased. The learning rate is 0.01, the batch size is 50, the epoch number is 500, the regular term is 0.001, and the number of intermediate layers is 4 (5 layers in total including the input and output layers). did.

  Here, an anonymization model in the case of performing an anonymization satisfying the difference privacy by performing a 10-fold cross-validation and performing a process of limiting the maximum value and the minimum value of the error to a threshold value when performing the anonymization. The accuracy of was measured. In this example, the method [accuracy] and the method [f-measure] are used as methods for evaluating accuracy. In the 10-fold cross-validation, the data set is divided into two at a ratio of 9: 1, the data of the ratio 9 is used as training data, and the data of ratio 1 is used as test data. That is, learning is performed using the training data of the ratio 9, and 14 types of attributes excluding the salary are input to the learned deep learning model from the test data of the ratio 1, and the salary is predicted. Then, the evaluation result is compared with the actual value for evaluation. This evaluation is performed 10 times so that each record is included in the test data once.

The two evaluation index values (the vertical axis in FIG. 5) of the method [accuracy] and the method [f-measure] are values from 0 to 1, and the closer to 1, the higher the accuracy. The horizontal axis of FIG. 5 shows the number of data sets (batch size), and FIGS. 5A, 5B, and 5C show cases where ε = 1, ε = 10, and ε = 100, respectively.
For example, in the example illustrated in FIG. 5C, the evaluation index value in the method [accuracy] is 0.85, and the evaluation index value in the method [f-measure] is 0.79, both of which ensure good accuracy. I understand.

<2. Second Embodiment>
Next, a second embodiment of the present invention will be described with reference to FIGS. 6 to 8 for explaining the second embodiment, the same components and processes as those in FIGS. 1 to 5 explained in the first embodiment are denoted by the same reference numerals, and detailed description will be given. Is omitted.

[Entire system configuration]
FIG. 6 shows the configuration of a privacy protection data providing system according to the second embodiment.
A large amount of raw data including personal information is stored in the database 1, and the raw data stored in the database 1 is supplied to the deep learning processing unit 20. The deep learning processing unit 20 is a deep learning model that has been anonymized by performing an operation applying a deep learning algorithm prepared in advance and performing anonymization processing based on differential privacy at the time of deep learning operation. Anonymization model 4 is obtained.

When the deep learning processing unit 20 obtains the anonymization model 4 based on differential privacy, the variation amount of each parameter value is based on the Laplace distribution for the weight parameter and bias parameter used in the deep learning algorithm. An error is given and differential privacy processing is performed. However, when an error based on the Laplace distribution is given to the fluctuation amount of each parameter value, the error is limited by a threshold value indicating the maximum value and the minimum value.
Giving an error based on the Laplace distribution means that the parameter value giving the error becomes a value including a stochastic element, and as a result, the anonymization model 4 in which anonymization is performed is obtained.
The generation of an error for the deep learning processing unit 20 to obtain the anonymization model 4 based on differential privacy during deep learning is realized with the same configuration as the processing in the anonymization processing unit 10 shown in FIG.

[Overall process flow]
FIG. 7 is a flowchart showing a flow of processing in the privacy protection data providing system of the second exemplary embodiment.
First, the deep learning processing unit 20 acquires raw data from the database 1 (step S31). Then, the deep learning processing unit 20 applies a deep learning algorithm prepared in advance while assigning an error based on a Laplace distribution in which a restriction by global sensitivity is set to the fluctuation amount of the parameter of the acquired raw data. Then, deep learning is performed (step S32). At this time, the global sensitivity of the parameter variation is calculated sequentially while performing deep learning. By calculating the global sensitivity of the parameter variation, the Laplace distribution is determined from the global sensitivity and the privacy index “ε”, and anonymization is performed by giving an error in the Laplace distribution. Then, an anonymization model is acquired as a result of the deep learning process (step S33), and the obtained anonymization model is output from the data output unit 19.

  In step S32, the threshold values used for the restriction of the anonymization process are the threshold value indicating the maximum value and the minimum value of the variation amount of the weight parameter in the deep learning processing unit 20, and the maximum value and minimum value of the variation amount of the bias parameter It is a threshold which shows.

[Details of deep learning]
Next, details of each processing of steps S31 to S33 described so far will be described.
In the present embodiment, an activation function and an error function are determined in advance, and anonymized deep learning is performed.
For example, ReLU defined by f (x) = max (0; x) is widely used as an activation function excluding the final layer of deep learning.
For the purpose of using deep learning, in the case of category classification, the activation function (F (L)) of the final layer
A softmax function is widely used, and a cross-entropy error function is widely used as an error function.
The softmax function is defined as in the following [Equation 15].

  The cross entropy error function is defined as the following [Equation 16].

Here, when anonymized deep learning is performed, each layer except the final layer that performs deep learning has an activation function ReLU, a softmax function as an activation function of the final layer, and a cross-entropy error function as an error function. Use.
When the activation function of the final layer is a softmax function and the error function is a cross-entropy error function, the value of the error signal δ _j (L) for j = 1,..., N ^(L) is This is calculated as shown in [Equation 17].

In Equation 17, y _j ^(L) represents the output value of the node N _j ^(L) , and t _j ^(L) represents the target output value of the node N _j ^(L) .
When the activation function ReLU is used in a layer other than the final layer, error signals δ _j ^(l) = 1,..., L−1 of each node other than the final layer are calculated by the following [Equation 18]. The

The possible range for the value of x _j ⁽¹⁾ is [b _j ⁽¹⁾ + Σ _i min (wi _{, j} ⁽¹⁾ , 0), b _j ⁽¹⁾ + Σ _i max (wi _{, j} ⁽¹⁾ , 0)]. Further, the range that can be taken as the value of x _j ⁽²⁾ is [b _j ⁽²⁾ + Σ _i (b _i ⁽¹⁾ + Σ _k max (w _{k, i} ⁽¹⁾ , 0)) min (w _{i, j} ⁽²⁾ , 0), b _j ⁽²⁾ + Σ _i (b _i ⁽¹⁾ + Σ _k max (w _{k, i} ⁽¹⁾ , 0)) max (w _{i, j} ⁽²⁾ , 0)] . In deep learning, x _j ^(l) for l = 1,..., L is calculated by the following [Equation 19].

Here, min (y _i ⁽⁰⁾ ) = 0 and max (y _i ⁽⁰⁾ ) = 1. This is because the input value to the first layer of deep learning is normalized to a range of 0 or more and 1 or less. In addition, since the activation function ReLU is used in the layers other than the final layer, y _j ^(l) is calculated by the following [Equation 20] at l = 1,..., L−1. .

This shows that the value of max (y _j ^(l) ) is always 0 or more.
Next, a range of possible values of the error signal δ _j ^(l) is calculated. Since the range of the output value of the deep learning model is from −1 to 1, it is defined as the following [Expression 21].

Further, l = 1,..., L−1 is expressed by the following [Equation 22]. Here, for all j and l, min (δ _j ^(l) ) and max (δ _j ^(l) ) ≧ 0.

  Ultimately, the following [Equation 23] is obtained.

b _j ^(l) is expressed by the following [Equation 24].

  Further, l = 1,..., L−1 is expressed by the following [Equation 25].

As already described, the weighting parameter and the biasing parameter are expressed by the following [Equation 5] and [Equation 6] based on the weighting parameter variation Δw _ij ^(l) and the bias parameter variation Δb _j ^(l) . Update with That is, the weight parameter and the bias parameter are updated every time data is input.
Here, in the present embodiment, an error based on the Laplace distribution is given to the fluctuation amount at this time. A threshold value is also set for the fluctuation amount Δw _ij ^(l) of the weight parameter and the fluctuation amount Δb _j ^(l) of the bias parameter.

Here, Δw _max and Δw _min are the maximum value and the minimum value of the variation amount Δw _ij ^(l) of the weight parameter. Also, Δb _max and Δb _min are the maximum and minimum values of the bias parameter Δb _j ^(l) .

Also, let E be the epoch number for deep learning. When learning is performed for each batch, the weight parameter fluctuation amount Δw _ij ^(l) is set to min (Δw _max , min (Δw _max , ⁾ for each w _ij ^(l) and b _j ^(l) . w _ij ^(l) + Lap ((Δw _max −Δw _min ) · E / ε))). The bias parameter variation Δb _j ^{(l) is set} to min (Δb _max , max (Δb _min , b _j ^(l) + Lap ((Δb _max −Δb _min ) · E / ε))).

[Explanation of satisfying ε-differential privacy when a threshold is set]
Next, it will be described that the anonymous model in which the error is limited by the threshold value (maximum value, minimum value) when the deep learning is performed satisfies the ε-difference privacy.
Each weight parameter and bias parameter are updated based on [Formula 5] and [Formula 6]. In [Expression 5] and [Expression 6], the weight parameter variation Δw _ij ^(l) and the bias parameter variation Δb _j ^(l) vary depending on the learning input value, but other values are used. Does not depend on the input value. Accordingly, in the first embodiment, Δw _ij ^{(l) is changed} to min (Δw _max , max (Δw _min , w _ij ^{( )} , as in the case where it is proved that ε-differential privacy is satisfied when the threshold is set. ^l) + Lap ((Δw _max −Δw _min ) · E / ε))), and Δb _j ^{(l) is set} to min (Δb _max , max (Δb _min , b _j ^(l) + Lap ((Δb _max) −Δb _min ) · E / ε))), each epoch iteration satisfies the parameter base (ε / E) −differential privacy.
Since there are E epochs as a whole, the ε-differential privacy is finally satisfied from the proof described below.

The random mechanism A is composed of d random mechanisms A ₁ ,..., A _d , and this is performed continuously once. Here, when i ≧ 2, A _i takes an output value of A _i−1 as an input. The output value of _Ad becomes the output value of A.
Each A _i shall satisfy the parameter base ε _i -differential privacy. At this time, A realizes a parameter-based (Σ _{i = 1} ^d ε _i ) differential privacy.

The random mechanism A is composed of d random mechanisms A ₁ ,..., A _d , and this is performed continuously once. For i ≧ 2, A _i takes the output value of A _i−1 as an input. The output value of _Ad becomes the output value of A. Here, it is assumed that each A _i satisfies ε _i -difference privacy. At this time, the random mechanism A realizes (Σ _{i = 1} ^d ε _i ) −differential privacy.
Since this process is executed for each parameter, the random mechanism A here realizes a parameter base (Σ _{i = 1} ^d ε _i ) -differential privacy.

FIG. 10 shows an outline of the process for limiting the error to the threshold values of the maximum value and the minimum value in the second embodiment. As shown in FIG. 10, for example, it is assumed that the maximum range that can be taken as a variation amount of a certain parameter is “0” or more and “1” or less, and the variation amount at a certain time is 0.6. Then, it is assumed that the range of threshold values sequentially calculated while learning is “0.3” or more and “0.7” or less (the global sensitivity in this case is 0.7−0.3 = 0). .4). The Laplace distribution is determined from this threshold range (global sensitivity) and the privacy index “ε”. A process of giving an error with a Laplace distribution is performed. Note that the global sensitivity (Δf) is calculated by the equation [8] already described.
Here, as shown in FIG. 10, when an error is given to the parameter variation “0.5” and the parameter variation with the error added becomes “0.1”, the threshold value at that time The process of limiting to “0.3” which is the lower limit value of the range is performed. Since the Laplace distribution is calculated from the global sensitivity and the privacy index “ε”, the error of the Laplace distribution can be reduced by reducing the global sensitivity value (that is, the threshold width), and deep learning Leads to improved accuracy.
As in the example of FIG. 9, the example shown in FIG. 10 also shows a very simplified outline of limiting the amount of parameter fluctuation with a threshold value. This is performed in consideration of various conditions described with reference to FIG.
Even in the case of the second embodiment, when the global sensitivity (Δf) matches the maximum range that can be taken as the amount of parameter fluctuation, the threshold is limited in the state shown in FIG. It will be.

[Examples evaluated with actual data]
FIG. 8 shows an example when the processing of the present embodiment is performed on a data set for evaluation. The example of FIG. 8 is performed under the same conditions as the evaluation in FIG. 5 described in the first embodiment.
The horizontal axis of FIG. 8 shows the number of data sets (batch size), and FIGS. 8A, 8B, and 8C show cases where ε = 1, ε = 10, and ε = 100, respectively.
As shown in FIGS. 8A, 8B, and 8C, it can be seen that good accuracy is ensured in any case. Here, as can be seen by comparing FIG. 5 (first embodiment) and FIG. 8 (second embodiment), when the value of ε is small, the first embodiment. The higher accuracy is obtained. On the other hand, when the value of ε is large, the second embodiment can obtain higher accuracy. However, this result varies depending on the data set to be used, and which embodiment is preferably applied differs depending on the data set to be used.

In the evaluation examples shown in FIGS. 5 and 8, the number of times when the predicted annual income is less than $ 50,000 and the actual annual income is less than $ 50,000 is TN, and the predicted annual income is less than $ 50,000 and is actually FN is the number of times that the annual income exceeds $ 50,000. Also, if the predicted annual income is over 50,000 dollars and the actual annual income is over 50,000 dollars, TP, the predicted annual income is over 50,000 dollars, and the actual annual income is under 50,000 dollars The number of times in some cases was defined as FP.
At this time, in the method [accuracy], evaluation is performed using the formula [26]. In the method [f-measure], the evaluation is performed using the equation [27].

  As described above, according to each embodiment of the present invention, when anonymization is performed by giving an error based on the Laplace distribution, the maximum value and the minimum value of the error are limited by a threshold value. The error given when anonymizing can be limited to a certain range, and appropriate anonymization with little error can be performed. As a result, it is possible to reduce a decrease in accuracy of the deep learning model.

  The mathematical formulas described so far show a suitable example in the case of applying each embodiment of the present invention, and the present invention is not limited to the processing described with these mathematical formulas.

  DESCRIPTION OF SYMBOLS 1 ... Database (raw data), 2 ... Deep learning processing part, 3 ... Deep learning model, 4 ... Anonymization model (anonymized deep learning model), 10 ... Anonymization processing part (difference privacy application with threshold limitation) , 11 ... Data input section, 12 ... ε input section, 13 ... Parameter structure determination section, 14 ... Parameter initial value determination section, 15 ... Threshold determination section, 16 ... Threshold exceedance determination section, 17 ... Threshold calculation section, 18 ... Anonymous Calculation unit, 19 ... data output unit, 20 ... machine learning processing unit (difference privacy applied)

Claims (6)

A deep learning processing unit that applies a deep learning algorithm to the raw data in the database to obtain a deep learning model;
An anonymization processing unit that obtains an anonymous model by performing anonymization processing based on differential privacy for the deep learning model obtained by the deep learning processing unit, and a privacy protection data providing system comprising:
The anonymization processing unit gives an error based on the Laplace distribution to each parameter value for the weight parameter and the bias parameter included in the deep learning model, and each parameter giving an error based on the Laplace distribution A privacy protection data providing system characterized in that when the threshold value range indicated by the maximum value and the minimum value is exceeded, the threshold value range is limited. It is a privacy protection data providing system including a deep learning processing unit that obtains an anonymous model that has been deeply learned by applying a deep learning algorithm while performing anonymization processing based on differential privacy for raw data in a database,
The deep learning processing unit gives each parameter value an error based on the Laplace distribution and gives an error based on the Laplace distribution to the weight parameter and the bias parameter used at the time of calculating the deep learning model. A privacy protection data providing system characterized in that when a parameter exceeds a threshold range indicated by a maximum value and a minimum value, the parameter is limited to the threshold range. When the deep learning processing unit obtains a deep learning model, it sequentially calculates global sensitivity, performs processing to acquire the Laplace distribution based on the calculated global sensitivity,
The privacy protection data providing system according to claim 2, wherein an error based on the sequentially acquired Laplace distribution is given. Deep learning processing procedure to obtain deep learning model by applying deep learning algorithm to raw data in database,
Anonymization processing procedure for performing anonymization processing based on differential privacy for the deep learning model obtained in the deep learning processing procedure,
The anonymization processing procedure gives an error based on the Laplace distribution to each parameter value for the weight parameter and the bias parameter included in the deep learning model, and each parameter that gives an error based on the Laplace distribution A privacy protection data providing method, characterized in that, when the range of the threshold value indicated by the maximum value and the minimum value is exceeded, the range is limited to the threshold value range. Including deep learning processing procedure to obtain deep learning learned anonymous model by applying deep learning algorithm while performing anonymization processing based on differential privacy for raw data in database,
The deep learning processing procedure gives each parameter value an error based on the Laplace distribution and an error based on the Laplace distribution for each of the weight parameter and the bias parameter used in the calculation for obtaining the deep learning model. A privacy protection data providing method, characterized in that, when a parameter exceeds a threshold range indicated by a maximum value and a minimum value, the parameter is limited to the threshold range. When obtaining a deep learning model in the deep learning processing procedure, sequentially calculate global sensitivity, obtain the Laplace distribution based on the calculated global sensitivity,
The privacy protection data providing method according to claim 5, wherein an error based on the sequentially acquired Laplace distribution is given.

Images