JP2019053542A - Information processing apparatus, information processing method and program - Google Patents

Abstract

To provide a learning model that can identify a source.SOLUTION: In an information processing apparatus 1, a weight update unit 22 updates weight of each layer of a neural network comprising a plurality of layers on the basis of training data for learning an objective task. A weight vector generation unit 23 generates a weight vector which is a vector having at least a portion of weight of weight of a layer selected from among layers constituting the neural network as a component. An embedded data generation unit 24 generates embedded data that is data for embedding in a weight vector and that is obtained by adding addition information to a watermark label. A vector conversion unit 25 linearly converts the weight vector to generate an embedding vector. Here, the weight update unit 22 updates the weight on the basis of a loss function which is obtained by adding a second loss function defined using the embedding vector and the embedded data to a first loss function set for learning the objective task.SELECTED DRAWING: Figure 6

Description

  The present invention relates to an information processing apparatus, an information processing method, and a program.

  In recent years, the speed of CPU (Central Processing Unit) and GPU (Graphics Processing Unit), the capacity of memory, and machine learning technology have been rapidly advanced. For this reason, machine learning using learning data in the order of hundreds of thousands to millions is possible, and highly accurate identification techniques and classification techniques are being established (see Non-Patent Document 1).

Yangqing Jia, Evan Shelhamer, Jeff Donahue, Sergey Karayev, Jonathan Long, Ross Girshick, Sergio Guadarrama, and Trevor Darrell.Caffe: Convolutional architecture for fast feature embedding.In Proceedings of the 22nd ACM international conference on Multimedia (pp. 675-678 ACM.

  In order to execute machine learning based on a large amount of learning data, a large amount of calculation cost is required. In addition, enormous effort is required for preparing a large amount of learning data and preprocessing for processing the prepared learning data for use in machine learning. On the other hand, the learning model generated by machine learning is digital data, and its replication is easy. Furthermore, it is generally difficult to infer learning data used for generating a learning model from the learning model itself.

  For this reason, it is difficult for the person who generated the learning model to prove fraud even if the learning model is illegally used by a third party. The collected learning data and the learning model generated based on the learning data are valuable values acquired with effort, and it is desired to protect the learning model from unauthorized use.

  The present invention has been made in view of these points, and an object thereof is to provide a learning model that can specify the source.

  A first aspect of the present invention is an information processing apparatus. The apparatus includes a weight updating unit that updates weights of each layer of a neural network including a plurality of layers based on training data for learning target tasks, and weights of layers selected from the layers constituting the neural network. A weight vector generation unit that generates a weight vector that is a vector having at least a part of the weights as components, and data for embedding in the weight vector, and generating embedded data in which additional information is added to the watermark label An embedded data generation unit; and a vector conversion unit that linearly converts the weight vector to generate an embedding vector. Here, the weight updating unit adds a second loss function determined by using the embedding vector and the embedding data to a first loss function set for the target task learning to a loss function. Based on this, the weight is updated.

  The embedded data generation unit may add an error correction code for correcting an error in the watermark label as the additional information to the watermark label.

  When the layer selected by the weight vector generation unit is a layer close to the input layer of the neural network, the embedded data generation unit is configured to add additional information to be added to the watermark label as compared with a case where the layer is a distant layer. The size may be reduced.

  The information processing apparatus may further include a variation recording unit that records the variation of the weight of each layer by updating the weight of each layer of the neural network in advance based on the training data for learning the target task, The weight vector generation unit may select a weight having a small variation as a component of the weight vector in preference to a weight having a large variation.

  The embedded data generation unit may add the additional information to a watermark label that is binary data obtained by encoding a predetermined character string.

  The vector conversion unit may generate an embedding vector by multiplying the weight vector by a Hadamard matrix.

  The second aspect of the present invention is an information processing method. In this method, the processor generates a weight vector that is a vector having at least some of the weights of the layers selected from the layers constituting the neural network having a plurality of layers as a component, and Data for embedding in a vector, the step of generating embedded data in which additional information is added to a watermark label, the step of linearly converting the weight vector to generate an embedding vector, and a task task learning Based on the training data and a loss function obtained by adding a second loss function determined using the embedding vector and the embedding data to the first loss function set for target task learning, Updating the weight of each layer of the neural network.

  The third aspect of the present invention is a program. This program has a function of generating a weight vector, which is a vector having at least a part of the weights of layers selected from layers constituting a neural network having a plurality of layers as a component, and the weight Data for embedding in a vector, a function for generating embedded data with additional information added to a watermark label, a function for linearly converting the weight vector to generate an embedding vector, and a target task learning Based on the training data and a loss function obtained by adding a second loss function determined using the embedding vector and the embedding data to the first loss function set for target task learning, And a function of updating the weight of each layer of the neural network.

  ADVANTAGE OF THE INVENTION According to this invention, the learning model which can specify an origin can be provided.

It is a figure which shows typically the general functional structure of a convolution neural network. It is a figure for demonstrating the relationship of the convolution of input data and a feature map. It is a figure for demonstrating the production | generation of the feature map using a weight filter. It is a figure for demonstrating the relationship between N weight filters and the feature map of N steps. It is a schematic diagram for demonstrating the outline | summary of the learning process which the information processing apparatus which concerns on embodiment performs. It is a figure which shows typically the function structure of the information processing apparatus which concerns on embodiment. It is a figure which shows typically an example of the fluctuation | variation of the weight in a learning process. It is a flowchart for demonstrating the flow of the information processing which the information processing apparatus which concerns on embodiment performs.

<Convolution neural network>
The information processing apparatus according to the embodiment is an apparatus for embedding watermark information in a model parameter of a convolutional neural network (CNN) among neural networks. Therefore, first, a convolutional neural network will be briefly described as a prerequisite technology of the information processing apparatus according to the embodiment.

FIG. 1 is a diagram schematically showing a general functional configuration of a convolutional neural network.
Currently, various types of neural networks have been proposed, but these basic configurations are common. The basic configuration of the neural network is expressed by superposition (or graph structure) of a plurality of types of layers. The neural network learns model parameters so that the output result for the input data becomes an appropriate value. In other words, the neural network learns the model parameters so as to minimize the loss function defined so that the output result for the input data becomes an appropriate value.

  In FIG. 1, a forward-propagating neural network is composed of three layers, an input layer, a hidden layer, and an output layer, from the input layer to the output layer. Propagate in one direction. The hidden layer can be composed of a plurality of layers in a graph. Each layer has a plurality of units (neurons). In each layer, the parameter of the function connected from the unit in the front layer to the unit in the rear layer is referred to as “weight”. Learning in this specification means calculating an appropriate “weight” as a parameter of this function.

  FIG. 1 illustrates a convolutional neural network. The convolutional neural network includes an input layer, a convolutional layer, a pooling layer, a full-connected layer, and an output layer. In a convolutional neural network, only certain units in the front layer are coupled to units in the back layer. That is, in a convolutional neural network, not all units in the front layer are connected to units in the rear layer. In FIG. 1, the first layer L1 is an input layer, and the second layer L2 is a convolution layer. Similarly, the mth layer Lm is an output layer.

  Learning in the neural network according to the present embodiment means that the weight of each layer is optimally updated using an error between the output value from the output layer for the training data and the label of the training data. In order to calculate the error, a “loss function” is defined. The error propagates one after another from the output layer side to the input layer side by the “error back propagation method”, and the weight of each layer is updated little by little. Finally, a convergence calculation is performed to adjust the weight of each layer to an appropriate value so as to reduce the error. Specifically, the model parameter is updated by the gradient in which the error is propagated back in the learning in the neural network (that is, the generation stage of the new model parameter).

FIG. 2 is a diagram for explaining a convolution relationship between input data and a feature map. The process in FIG. 2 is performed by a convolution layer and a fully connected layer. In the example shown in FIG. 2, the feature map is generated by applying one weight filter to the input data. In FIG. 2, the sizes of the input data, weight filter, and feature map are as follows.
Input data: 32 x 32 x 3 elements Weight filter: 5 x 5 x 3 elements (model parameters)
Feature map: 28 x 28 elements

  N weight filters are prepared (N is an integer of 1 or more), and this is a model parameter. That is, “weight” means N weight filters. However, the bias term is not considered here.

FIG. 3 is a diagram for explaining generation of a feature map using a weight filter.
In the example shown in FIG. 3, one weight filter composed of 5 × 5 × 3 elements is applied to the input data, and the sum of the products of the elements is used as the value of one element of the feature map. Then, by moving the same weight filter with respect to the input data, one feature map is generated. Here, the number of elements (movement amount) for moving the weight filter is referred to as “stride”. A zero-padding region in which element 0 is filled is provided at the peripheral edge (edge) of the input data. As a result, the same number of weight filters can be applied to the edge elements of the input data.

  FIG. 4 is a diagram for explaining the relationship between N weight filters and N-stage feature maps. In the example shown in FIG. 4, the number of weight filters is N. 2 and 3 show an example in which one feature map generated by one weight filter is generated. On the other hand, the example shown in FIG. 4 shows an example in which an N-stage feature map is generated by N weighting filters. In neural network learning, a feature map in one layer becomes input data in the next layer. By executing the learning of the neural network, errors based on the loss function propagate one after another from the output layer side to the input layer side, and the weight of each layer is updated by a known error back propagation method.

<Outline of the embodiment>
Based on the above, an outline of the embodiment will be described.
An information processing apparatus according to an embodiment is an apparatus for generating a learning model for achieving a target task using a neural network and simultaneously embedding an electronic watermark in the learning model.

  The information processing apparatus according to the embodiment includes a processor such as a CPU or GPU, a working memory such as a DRAM (Dynamic Random Access Memory), and a mass storage device such as an HDD (Hard Disk Drive) or an SSD (Solid State Drive). Composed. The information processing apparatus according to the embodiment may be a single apparatus such as a PC (Personal Computer), a workstation, or a server, or may be configured from a plurality of apparatuses such as a cloud server.

  FIG. 5 is a schematic diagram for explaining an outline of a learning process executed by the information processing apparatus according to the embodiment. As in the conventional neural network, the information processing apparatus according to the embodiment includes a first neural network N1 having a plurality of layers L based on training data including target task learning data D and target task label T1. The weight of each layer L is updated. For example, when there are a plurality of target tasks such as “cat detection”, “mountain detection”, and “car detection”, each of the target task learning data D for each target task and each target task learning data D A data set to which a different target task label T1 is assigned becomes training data.

  The information processing apparatus according to the embodiment also includes a second neural network N2 configured from one or more layers L selected from the layers L configuring the first neural network N1. The information processing apparatus according to the embodiment updates the weight of the layer L in the second neural network N2 based on the watermark label T2 for watermark detection.

  FIG. 5 shows an example in which the second layer L2 in the first neural network N1 is selected as a weight update target in the second neural network N2. Hereinafter, in the present specification, when the first neural network N1 and the second neural network N2 are not distinguished, they are simply referred to as a neural network N.

  Although details will be described later, the information processing apparatus according to the embodiment generates the weight vector W based on the layer L selected from the first neural network N1. The information processing apparatus according to the embodiment sets a vector obtained by linearly transforming the generated weight vector W as a second output O2 that is an output of the second neural network N2. That is, in the information processing apparatus according to the embodiment, the watermark vector obtained by multiplying the weight vector W by the matrix is the second output O2 that is the output of the second neural network N2. In the information processing apparatus according to the embodiment, the second output O2 is binarized by binarization processing using a sigmoid function or the like. That is, the second output O2 is binary data.

  In this sense, in this specification, a watermark vector obtained by multiplying the weight vector W by a matrix may be referred to as a watermark vector O2. The information processing apparatus according to the embodiment updates the weight vector W based on the second error E2 between the watermark vector O2 and the watermark label T2.

  The information processing apparatus according to the embodiment generates embedded data by adding additional information to the watermark label T2. The information processing apparatus according to the embodiment updates the weight vector W so that the watermark vector O2 obtained by multiplying the weight vector W by the matrix becomes the embedded data.

  Here, the additional information added to the watermark label T2 by the information processing apparatus according to the embodiment is information for making the watermark label T2 redundant. As a specific example, the additional information added to the watermark label T2 by the information processing apparatus according to the embodiment is an error correction code that is information for correcting an error in the watermark label T2.

  Thus, even if the attacker attempts to scramble the watermark label T2 by fine tuning the learning model generated by the information processing apparatus according to the embodiment, the information processing apparatus uses the additional information to perform the watermark label T2 It is possible to increase the probability that can be reproduced. As a result, the administrator of the learning model can verify whether or not the learning model whose source is unknown is the same learning model as the learning model managed by the administrator.

  The information processing apparatus according to the embodiment is similar to the conventional neural network in that the first output O1 that is the output of the mth layer Lm, which is the final layer of the first neural network N1, and the target task label T1. Basically, the weight of each layer L is updated on the basis of the first error E1 that is the error of. However, the information processing apparatus according to the embodiment updates the weight based on the first error E1 and the second error E2 for the second layer L2 selected as the weight configuring the second neural network N2. Thereby, the information processing apparatus according to the embodiment can simultaneously realize learning for the target task and learning for watermark embedding.

<Functional Configuration of Information Processing Device According to Embodiment>
Hereinafter, the information processing apparatus according to the embodiment will be described in more detail.
FIG. 6 is a diagram schematically illustrating a functional configuration of the information processing apparatus 1 according to the embodiment. The information processing apparatus 1 includes a storage unit 10 and a control unit 20. The control unit 20 includes a training data acquisition unit 21, a weight update unit 22, a weight vector generation unit 23, an embedded data generation unit 24, an embedded data generation unit 24, and a variation recording unit 26.

  The storage unit 10 includes a ROM (Read Only Memory) that stores a BIOS (Basic Input Output System) of a computer that implements the information processing apparatus 1, a RAM (Random Access Memory) that is a work area of the information processing apparatus 1, an OS ( Operating system), application programs, and mass storage devices such as HDDs and SSDs that store various types of information that are referred to when the application programs are executed.

  The control unit 20 is a processor such as a CPU or a GPU of the information processing apparatus 1 and executes a training data acquisition unit 21, a weight update unit 22, a weight vector generation unit 23, an embedded unit by executing a program stored in the storage unit 10. It functions as an embedded data generation unit 24, an embedded data generation unit 24, and a fluctuation recording unit 26.

  The training data acquisition unit 21 acquires training data for target task learning and a watermark label T2. The training data acquired by the training data acquisition unit 21 includes target task learning data D and target task label T1. The weight update unit 22 updates the weight of each layer of the neural network N having a plurality of layers based on the training data acquired by the training data acquisition unit 21. As described above, the neural network N includes the first neural network N1 that is the news for learning the target task, and the second neural network N2 that is the neural network for embedding the watermark label.

  The weight vector generation unit 23 generates a weight vector W that is a vector having at least a part of the weights of the layers selected from the layers constituting the first neural network N1 as components. The vector conversion unit 25 multiplies the weight vector W generated by the weight vector generation unit 23 by a matrix and converts it into a watermark vector. The matrix used by the weight vector generation unit 23 may be a regular matrix whose row and column lengths are equal to the length of the weight vector W, for example, a Hadamard matrix.

  Each row of the Hadamard matrix is orthogonal to each other. For this reason, if the weight vector generation unit 23 uses a Hadamard matrix to generate a watermark vector, even if different watermark labels are embedded in the same watermark label T2, for example, the watermark labels are prevented from affecting each other when embedded. it can.

  The embedded data generation unit 24 generates data to be embedded in the weight vector W, and includes embedded data in which additional information is added to the watermark label T2. Based on a loss function obtained by adding a second loss function determined by using the watermark vector O2 and the watermark label T2 to the first loss function set for target task learning, the weight update unit 22 Update the weight of N. The weight vector generation unit 23 may configure the second loss function using, for example, a known cross entropy.

  Here, the matrix by which the embedded data generation unit 24 multiplies the weight vector W is a matrix that serves as a secret key used to specify the origin of the learning model generated by the information processing apparatus 1. For this reason, the matrix used when the information processing apparatus 1 learns is managed only by some persons such as the administrator of the learning model and is kept secret from a third party. Moreover, it is also kept secret which weight vector generation part 23 used to comprise the weight vector W among the weights which comprise the information processing apparatus 1. FIG.

  Therefore, an attacker who attempts to modify or remove the watermark label T2 needs to first determine which weight among the weights constituting the information processing apparatus 1 is used to configure the weight vector W. Also, even if the attacker finds the watermark vector O2, it is difficult to calculate the watermark label T2 from the watermark vector O2 if the attacker does not know the matrix used for learning or the opposite both columns.

  Thus, the learning model generated by the information processing apparatus 1 can specify the source. Moreover, since additional information for increasing the redundancy of the watermark label T2 is added to the watermark label T2, the robustness of the information indicating the origin can be ensured.

  As described above, the additional information added by the embedded data generation unit 24 to the watermark label T2 is information for making the watermark label T2 redundant. Specifically, the embedded data generation unit 24 adds an error correction code for correcting an error in the watermark label T2 to the watermark label T2 as additional information. The embedded data generation unit 24 may add an error detection code as additional information to the watermark label T2 instead of or in addition to the error correction code for correcting the error of the watermark label T2.

  The embedded data generation unit 24 can use a Hamming code or a Reed-Solomon code as an error correction code. Further, the embedded data generation unit 24 can use a checksum such as CRC (Cyclic Redundancy Check) or other known hash functions as the error detection code.

  As described above, the embedded data generation unit 24 adds the additional information to the watermark label T2, so that the attack resistance from the attacker against the watermark label T2 can be increased. As a result, the learning model generated by the information processing apparatus 1 The robustness of the information indicating the origin of the information can be improved.

  As described above, the information processing apparatus 1 embeds the watermark label T2 in the weight vector W created by using a part of the weight of the layer L that constitutes the first neural network N1, so that the information that can identify the source in the learning model is obtained. Explained about embedding. Next, with regard to the watermark label T2 embedded in the learning model, selection of weights for enhancing resistance to a modification or removal attack from a third party will be described.

  The number of layers of the convolutional neural network used by the information processing apparatus 1 according to the embodiment is on the order of several tens to 100 layers. In general, in such a multilayer neural network, a layer close to the input layer is considered to have a lower risk of modification by an attacker than a layer close to the output layer. Fine tuning performed for the purpose of improving or modifying an existing learning model is generally performed for a layer close to the output layer. This is because the closer to the input layer the layer that starts re-learning is, the closer it is to start learning again.

  Therefore, the embedded data generation unit 24 adds the weight vector W selected by the weight vector generation unit 23 to the watermark label T2 when the layer is close to the input layer of the neural network N as compared with the case where it is a far layer. Reduce the size of additional information. This may reduce the robustness of the watermark label T2 against attack, but the robustness is enhanced by the fact that the weight vector W is composed of layer weights close to the input layer of the neural network N. In general, the smaller the size of the additional information added to the watermark label T2, the faster the learning converges. Thereby, it is possible to balance the learning time and the robustness of the watermark label T2.

  The number of layers of the convolutional neural network used by the information processing apparatus 1 according to the embodiment is on the order of several tens to 100 layers. In general, the weights constituting such a multilayer neural network are redundant, and not all weights contribute to learning equally. A weight having a large contribution in learning is considered to have a larger variation in the learning process than a weight having a small contribution. In other words, a weight having a large contribution in learning is considered to be activated more than a weight having a small contribution.

  Moreover, even if the degree of contribution related to learning is the same weight, it is considered that the manner of variation in the learning process changes depending on the quality of information carried by the weight. For example, when the target task is cat image detection, the information processing apparatus 1 causes the neural network N to learn a large number of cat images as training data. At this time, it is considered that the weight that bears a component common to many cat images (generally, the low-frequency component of the image) is less likely to change once learning is stabilized. On the other hand, since the weight for absorbing variations of many cats reacts sensitively to differences between cats, it is considered that the weight varies greatly by fine tuning.

  Here, by setting the weight constituting the weight vector W for embedding the watermark label T2 to a weight with little fluctuation in the learning process, it is possible to increase the resistance to attacks from the attacker of the watermark label T2. This is because even if the attacker tries to scramble the watermark label T2 by re-learning the learning model, the weight constituting the weight vector W in which the watermark label T2 is embedded has little variation in the learning process, so the degree of scrambling is also low. This is because it becomes smaller.

  Therefore, the information processing apparatus 1 includes a variation recording unit 26 that records the variation of the weight of each layer L by updating the weight of each layer of the neural network N in advance based on the training data for target task learning.

  FIG. 7 is a diagram schematically illustrating an example of weight variation in the learning process, and illustrates an example of weight variation recorded by the variation recording unit 26. In FIG. 7, fluctuations of four weights of weight W1, weight W2, weight W3, and weight W4 are illustrated. In FIG. 7, the horizontal axis indicates the number of learning iterations, and the vertical axis indicates the weight value.

  In FIG. 7, the weight W1 and the weight W4 have a larger variation in the learning process than the weight W2 and the weight W3. Further, the weight W3 has a smaller variation in the learning process than the weight W2. In the example illustrated in FIG. 7, W1≈W4> W2> W3 when arranged in the order of the magnitude of the weight variation in the learning process. Therefore, when the weight vector W is employed as the weight constituting the weight vector W, the order of high attack resistance is W3> W2> W1≈W4.

  The weight vector generation unit 23 selects a weight having a small variation in the learning process as a component of the weight vector W in preference to a weight having a large variation. As a result, even if an attacker tries to scramble the watermark label T2 by fine tuning, the weight vector W employs a weight with a small variation due to learning, so that the influence of the scramble can be suppressed.

  In the foregoing, the description has been given of increasing the attack resistance of the watermark label T2 by adding additional information to the watermark label T2. Instead of this, or in addition to this, the watermark label T2 itself may have redundancy.

  As described above, the watermark label T2 is binary data. Here, the information processing apparatus 1 employs, as the watermark label T2, binary data obtained by encoding a character string (for example, a manager's name or identification number) for identifying the manager of the learning model. In general, the string itself has redundancy. For example, when the watermark label T2 taken out from unknown learning data is returned to a character string, it is assumed that it is a character string “pinepuppm”. In this case, if it is assumed that the watermark label T2 is a meaningful character string, there is a high probability that it was “pineapple”. Thus, by providing redundancy to the watermark label T2 itself, the attack resistance of the watermark label T2 can be further enhanced.

<Processing flow of information processing executed by information processing apparatus 1>
FIG. 8 is a flowchart for explaining the flow of information processing executed by the information processing apparatus 1 according to the embodiment. The process in this flowchart starts when the information processing apparatus 1 is activated, for example.

  The training data acquisition unit 21 acquires training data for target task learning including the target task learning data D and the target task label T1 and the watermark label T2 (S2). The weight vector generation unit 23 generates a weight vector W that is a vector having at least a part of the weights of the layer L selected from the layers L constituting the neural network N including the plurality of layers L as a component. (S4).

  The embedded data generation unit 24 adds the additional information to the watermark label T2 to generate embedded data (S6). The embedded data generating unit 24 generates an embedding vector by multiplying the weight vector W by a matrix (S8). The weight update unit 22 includes training data and a loss function obtained by adding a second loss function determined using the watermark vector O2 and the watermark label T2 to the first loss function set for target task learning. Based on this, the weight of each layer L of the neural network N is updated (S10).

<Effects of information processing apparatus 1 according to the embodiment>
As described above, according to the information processing apparatus 1 according to the embodiment, a learning model that can specify the source can be provided. In particular, since the information processing apparatus 1 according to the embodiment embeds additional information for making the watermark label T2 redundant in the watermark label T2, it is possible to increase resistance to a scramble attack of the watermark label T2 by an attacker.

  As mentioned above, although this invention was demonstrated using embodiment, the technical scope of this invention is not limited to the range as described in the said embodiment. It will be apparent to those skilled in the art that various modifications or improvements can be added to the above embodiment. In particular, the specific embodiments of the distribution / integration of the devices are not limited to those illustrated above, and all or a part thereof may be in arbitrary units according to various additions or according to functional loads. Can be configured to be functionally or physically distributed and integrated.

  For example, the embedded data generation unit 24 derives a correlation between each bit constituting the watermark vector O2 and the weight of the layer L constituting the first neural network N1, and among the watermark vector O2, the embedded data of the layer L is derived. Additional information may be embedded in bits having a low correlation with the weight. For example, the information processing apparatus 1 first learns appropriately generated learning data to generate a learning model. The information processing apparatus 1 may record the embedded bits in the watermark label T2 that has been changed by learning, and obtain the correlation by repeating the number of times sufficiently within a range where this can be realized. By embedding additional information in bits having a low correlation with the weight of the layer L in the watermark vector O2, the attack resistance of the watermark label T2 can be further increased.

DESCRIPTION OF SYMBOLS 1 ... Information processing apparatus 10 ... Memory | storage part 20 ... Control part 21 ... Training data acquisition part 22 ... Weight update part 23 ... Weight vector generation part 24 ... Embedded data generation Unit 25... Vector conversion unit 26.

Claims (8)

A weight updating unit that updates the weight of each layer of the neural network including a plurality of layers based on the training data for learning the target task;
A weight vector generating unit that generates a weight vector that is a vector having at least some of the weights of the layers selected from the layers constituting the neural network as components, and
Embedded data generation unit for generating embedded data that is embedded in the weight vector and has additional information added to a watermark label;
A vector conversion unit that linearly converts the weight vector to generate an embedding vector, and
The weight update unit is based on a loss function obtained by adding a second loss function determined using the embedding vector and the embedding data to the first loss function set for the target task learning. Update the weight,
Information processing device. The embedded data generation unit adds an error correction code for correcting an error of the watermark label as the additional information to the watermark label.
The information processing apparatus according to claim 1. When the layer selected by the weight vector generation unit is a layer close to the input layer of the neural network, the embedded data generation unit is configured to add additional information to be added to the watermark label as compared with a case where the layer is a distant layer. Reduce the size,
The information processing apparatus according to claim 1 or 2. Based on the training data for the target task learning, further comprising a fluctuation recording unit that records the fluctuation of the weight of each layer by updating the weight of each layer of the neural network in advance,
The weight vector generation unit selects a weight with a small variation as a component of the weight vector in preference to a weight with a large variation.
The information processing apparatus according to any one of claims 1 to 3. The embedded data generation unit adds the additional information to a watermark label that is binary data obtained by encoding a predetermined character string.
The information processing apparatus according to any one of claims 1 to 4. The vector conversion unit multiplies the weight vector by a Hadamard matrix to generate an embedding vector.
The information processing apparatus according to any one of claims 1 to 5. Processor
Generating a weight vector that is a vector having at least some of the weights of the layers selected from the layers constituting the neural network having a plurality of layers as components;
Generating embedded data in which additional information is added to a watermark label, which is data to be embedded in the weight vector;
Linearly transforming the weight vector to generate an embedding vector;
Training data for target task learning; a loss function obtained by adding a second loss function determined using the embedding vector and the embedding data to a first loss function set for target task learning; Updating the weight of each layer of the neural network based on
Run the
Information processing method. On the computer,
A function of generating a weight vector that is a vector having at least some of the weights of the layers selected from the layers constituting the neural network having a plurality of layers as components,
Data for embedding in the weight vector, and a function for generating embedded data in which additional information is added to a watermark label;
A function of linearly converting the weight vector to generate an embedding vector;
Training data for target task learning; a loss function obtained by adding a second loss function determined using the embedding vector and the embedding data to a first loss function set for target task learning; Based on the function of updating the weight of each layer of the neural network;
To realize,
program.