JP6778670B2 - Information processing device, information processing method, and program - Google Patents

Description

The present invention relates to an information processing device, an information processing method, and a program.

In recent years, the speed of CPU (Central Processing Unit) and GPU (Graphics Processing Unit) has been increased, the capacity of memory has been increased, and machine learning technology has been rapidly advanced. For this reason, machine learning using learning data on the order of hundreds of thousands to millions has become possible, and highly accurate identification technology and classification technology are being established (see Non-Patent Document 1).

Yangqing Jia, Evan Shelhamer, Jeff Donahue, Sergey Karayev, Jonathan Long, Ross Girshick, Sergio Guadarrama, and Trevor Darrell. Caffe: Convolutional architecture for fast feature embedding. In Proceedings of the 22nd ACM international conference on Multimedia (pp. 675-678) ). ACM.

A large amount of computational cost is required to perform machine learning based on a large amount of learning data. In addition, a huge amount of labor is required for preparing a large amount of learning data and preprocessing for processing the prepared learning data for use in machine learning. On the other hand, the learning model generated by machine learning is digital data, and its duplication is easy. Furthermore, it is difficult to infer the learning data generally used for learning model generation from the learning model itself.

Therefore, it is difficult for the person who generated the learning model to prove the fraud even if the learning model is fraudulently used by a third party. The collected learning data and the learning model generated based on the learning data are valuable ones acquired by effort, and it is desired to protect the learning model from unauthorized use.

The present invention has been made in view of these points, and an object of the present invention is to provide a learning model capable of identifying the source.

The first aspect of the present invention is an information processing device. This device includes a training data acquisition unit that acquires training data and a watermark label for learning a target task, a weight update unit that updates the weight of each layer of a neural network having a plurality of layers based on the training data, and a weight update unit. A weight vector generator that generates a weight vector, which is a vector whose components are at least a part of the weights of the layers selected from the layers constituting the neural network, and a Hadamard matrix are multiplied by the weight vector to open a watermark. It is provided with a vector conversion unit for converting to a vector for use. Here, the weight update unit is based on a loss function obtained by adding a second loss function determined by using the watermark vector and the watermark label to the first loss function set for the target task learning. Then, the weight is updated.

The information processing apparatus has a matrix selection unit for selecting a Hadamard matrix having a row length equal to or longer than the length of the watermark label, and the length of the watermark label having the same length as the row length of the selected Hadamard matrix. A size adjusting unit for padding the watermark label may be further provided so as to be.

The weight vector generation unit may generate the weight vector by selecting the same number of weights as the row length in the Hadamard matrix from the weights of the layers selected from the layers constituting the neural network. ..

The information processing apparatus may further include a watermark label generation unit that connects a plurality of different labels to generate the watermark label.

The information processing device may further include a fluctuation recording unit that records fluctuations in the weights of each layer by updating the weights of each layer of the neural network in advance based on the training data for learning the target task. The weight vector generation unit may select the weight having a small fluctuation as a component of the weight vector in preference to the weight having a large fluctuation.

A second aspect of the present invention is an information processing method. In this method, the processor obtains training data and a watermark label for learning the target task, and at least a part of the weights of the layers selected from the layers constituting the neural network having a plurality of layers. A step of generating a weight vector which is a vector having the above as a component, a step of converting an Adamard matrix into a watermark vector obtained by multiplying the weight vector, the training data, and a first set for learning the target task. 1 A loss function obtained by adding a second loss function determined by using the watermark vector and the watermark label to the loss function, and a step of updating the weight of each layer of the neural network based on the loss function are executed. ..

A third aspect of the present invention is a program. This program has a function to acquire training data and watermark labels for learning the target task on a computer, and weights of at least a part of the layers selected from the layers constituting the neural network having multiple layers. A function of generating a weight vector which is a vector having the above as a component, a function of converting an Adamard matrix into a watermark vector obtained by multiplying the weight vector, the training data, and a third set for the objective task learning. A loss function obtained by adding a second loss function determined by using the watermark vector and the watermark label to one loss function, and a function of updating the weight of each layer of the neural network based on the loss function are realized. ..

According to the present invention, it is possible to provide a learning model capable of identifying the source.

It is a figure which shows typically the general functional structure of a convolutional neural network. It is a figure for demonstrating the relationship of the convolution of the input data and a feature map. It is a figure for demonstrating the generation of a feature map using a weighting filter. It is a figure for demonstrating the relationship between N weight filters and N-stage feature map. It is a schematic diagram for demonstrating the outline of the learning process executed by the information processing apparatus which concerns on embodiment. It is a figure which shows typically the functional structure of the information processing apparatus which concerns on embodiment. It is a figure for demonstrating the relationship between the size of the Hadamard matrix, the weight vector, the watermark label, and the watermark vector. It is a figure for demonstrating the structure of the watermark label created by the watermark label generation part which concerns on embodiment. It is a figure which shows an example of the fluctuation of weight in a learning process schematically. It is a flowchart for demonstrating the flow of the information processing executed by the information processing apparatus which concerns on embodiment.

<Convolutional neural network>
The information processing device according to the embodiment is a device for embedding watermark information in a model parameter of a convolutional neural network (CNN) among neural networks. Therefore, as a prerequisite technique of the information processing apparatus according to the embodiment, first, a convolutional neural network will be briefly described.

FIG. 1 is a diagram schematically showing a general functional configuration of a convolutional neural network.
Currently, neural networks with various configurations have been proposed, but these basic configurations are common. The basic configuration of a neural network is represented by a superposition (or graph structure) of a plurality of types of layers. The neural network learns the model parameters so that the output result for the input data is an appropriate value. In other words, the neural network learns the model parameters to minimize the loss function defined so that the output result for the input data is an appropriate value.

In FIG. 1, as a feedforward neural network, it is composed of three layers, an input layer, a hidden layer, and an output layer, from the input layer to the output layer. Propagate in one direction. The hidden layer can be composed of a plurality of layers in a graph shape. Each layer has multiple units (neurons). In each layer, the parameter of the function that connects the unit in the front layer to the unit in the rear layer is called "weight". Learning in the present specification is to calculate an appropriate "weight" as a parameter of this function.

FIG. 1 illustrates a convolutional neural network. A convolutional neural network is composed of an input layer, a convolutional layer, a pooling layer, a full-connected layer, and an output layer. In a convolutional neural network, only specific units in the anterior layer are connected to units in the posterior layer. That is, in the convolutional neural network, not all the units in the front layer are connected to the units in the rear layer. In FIG. 1, the first layer L1 is an input layer, and the second layer L2 is a convolutional layer. Similarly, the m-th layer Lm is the output layer.

The learning in the neural network according to the present embodiment means that the weight of each layer is optimally updated by using the error between the output value from the output layer and the label of the training data with respect to the training data. A "loss function" is defined to calculate the error. The error is propagated one after another from the output layer side to the input layer side by the "error back propagation method", and the weight of each layer is updated little by little. Finally, a convergence calculation is performed that adjusts the weights of each layer to the appropriate values so that the error is small. Specifically, in learning in a neural network (that is, in the generation stage of a new model parameter), the model parameter is updated by the gradient in which the error is back-propagated.

FIG. 2 is a diagram for explaining the convolutional relationship between the input data and the feature map. The process in FIG. 2 is performed by the convolutional layer and the fully connected layer. In the example shown in FIG. 2, a feature map is generated by applying one weight filter to the input data. In FIG. 2, the sizes of the input data, the weight filter, and the feature map are as follows.
Input data: 32 x 32 x 3 elements Weight filter: 5 x 5 x 3 elements (model parameters)
Feature map: 28 x 28 elements

N weight filters (N is an integer of 1 or more) are prepared, and these are model parameters. That is, "weight" means N weight filters. However, the bias term is not considered here.

FIG. 3 is a diagram for explaining the generation of the feature map using the weight filter.
In the example shown in FIG. 3, one weight filter composed of 5 × 5 × 3 elements is applied to the input data, and the sum of the products of the elements is used as the value of one element of the feature map. Then, by moving the same weight filter with respect to the input data, one feature map is generated. Here, the number of elements (movement amount) for moving the weight filter is referred to as "stride". A zero-padding area in which element 0 is filled is provided at the peripheral edge of the input data. As a result, the same number of weight filters can be applied to the edge elements of the input data.

FIG. 4 is a diagram for explaining the relationship between the N weight filters and the N-stage feature map. In the example shown in FIG. 4, the number of weight filters is N. 2 and 3 show an example in which one feature map generated by one weight filter is generated. On the other hand, the example shown in FIG. 4 shows an example in which an N-stage feature map is generated by N weight filters. In neural network learning, the feature map in one layer becomes the input data in the next layer. By executing the training of the neural network, the error based on the loss function is propagated one after another from the output layer side to the input layer side, and the weight of each layer is updated by the known error back propagation method.

<Outline of the embodiment>
On the premise of the above, the outline of the embodiment will be described.
The information processing device according to the embodiment is a device for generating a learning model for achieving a target task by using a neural network and at the same time embedding an electronic watermark in the learning model.

The information processing device according to the embodiment uses a processor such as a CPU or GPU, a work memory such as a DRAM (Dynamic Random Access Memory), and a large-capacity storage device such as an HDD (Hard Disk Drive) or SSD (Solid State Drive). It is composed. The information processing device according to the embodiment may be a single device such as a PC (Personal Computer), a workstation, or a server, or may be composed of a plurality of devices such as a cloud server.

FIG. 5 is a schematic diagram for explaining an outline of the learning process executed by the information processing apparatus according to the embodiment. The information processing apparatus according to the embodiment is the first neural network N1 having a plurality of layers L based on the training data including the target task learning data D and the target task label T1, similarly to the conventional neural network. The weight of each layer L is updated. For example, when there are a plurality of target tasks such as "cat detection", "mountain detection", and "automobile detection", the target task learning data D for each target task and the target task learning data D for each purpose task are assigned to each. The data set to which the label T1 for a different purpose task is assigned becomes the training data.

The information processing apparatus according to the embodiment also includes a second neural network N2 composed of one or more layers L selected from the layers L constituting the first neural network N1. The information processing apparatus according to the embodiment updates the weight of the layer L in the second neural network N2 based on the watermark label T2 for watermark detection.

Note that FIG. 5 shows an example in which the second layer L2 in the first neural network N1 is selected as the weight update target in the second neural network N2. Hereinafter, in the present specification, when the first neural network N1 and the second neural network N2 are not distinguished, they are simply described as the neural network N.

Although the details will be described later, the information processing apparatus according to the embodiment generates the weight vector W based on the layer L selected from the first neural network N1. The information processing apparatus according to the embodiment uses the vector obtained by multiplying the generated weight vector W by the Hadamard matrix as the second output O2, which is the output of the second neural network N2. That is, in the information processing apparatus according to the embodiment, the watermark vector obtained by multiplying the weight vector W by the Hadamard matrix becomes the second output O2 which is the output of the second neural network N2.

In this sense, in the present specification, the watermark vector obtained by multiplying the weight vector W by the Hadamard matrix may be described as the watermark vector O2. The information processing apparatus according to the embodiment updates the weight vector W based on the second error E2 between the watermark vector O2 and the watermark label T2.

The Adamar matrix is a square matrix in which each row is composed of orthogonal codes called Walsh codes, and the length of the rows and columns is 2 ^m (m is a natural number of 0 or more). Since the component of the Walsh code is +1 or -1, the component of the Hadamard matrix is also either +1 or -1. Correspondingly, the components of the watermark label T2 and the watermark vector O2 are also set to either +1 or -1. Therefore, after the weight vector W is Hadamard transformed, binarization processing by a sigmoid function or the like is also performed.

Here, the Hadamard matrix is both a real symmetric matrix and an orthogonal matrix. Therefore, among the learning models generated by the information processing apparatus according to the embodiment, when the weight vector W generated from the weights used for embedding the watermark label T2 is multiplied by the Hadamard matrix used in the learning, the watermark label T2 or similar to it. The label to be processed is reproduced.

When the training model administrator obtains a training model of unknown source, the obtained vector obtained by multiplying the weight vector W generated from the weight used for embedding the watermark label T2 by the Hadamard matrix matches the watermark label T2. Check if it is. As a result, when the obtained vector matches or resembles the watermark label T2, the manager of the learning model asks whether the learning model of unknown source is a learning model of the same source as the learning model managed by the manager himself. It can be verified whether or not.

The information processing apparatus according to the embodiment includes a first output O1 which is an output of the mth layer Lm which is the final layer of the first neural network N1 and a label T1 for a target task, similarly to the conventional neural network. Basically, the weight of each layer L is updated based on the first error E1 which is the error of. However, the information processing apparatus according to the embodiment updates the weights of the second layer L2 selected as the weights constituting the second neural network N2 based on the first error E1 and the second error E2. As a result, the information processing apparatus according to the embodiment can simultaneously realize learning for the target task and learning for watermark embedding.

<Functional configuration of information processing device according to the embodiment>
Hereinafter, the information processing apparatus according to the embodiment will be described in more detail.
FIG. 6 is a diagram schematically showing a functional configuration of the information processing device 1 according to the embodiment. The information processing device 1 includes a storage unit 10 and a control unit 20. The control unit 20 includes a training data acquisition unit 21, a weight update unit 22, a weight vector generation unit 23, a vector conversion unit 24, a matrix selection unit 25, a size adjustment unit 26, a watermark label generation unit 27, and a fluctuation recording unit 28. ..

The storage unit 10 includes a ROM (Read Only Memory) for storing the BIOS (Basic Input Output System) of the computer that realizes the information processing device 1, a RAM (Random Access Memory) that serves as a work area for the information processing device 1, and an OS (OS). An operating system), an application program, and a large-capacity storage device such as an HDD or SSD that stores various information referred to when the application program is executed.

The control unit 20 is a processor such as a CPU or GPU of the information processing device 1, and by executing a program stored in the storage unit 10, the training data acquisition unit 21, the weight update unit 22, the weight vector generation unit 23, and the vector It functions as a conversion unit 24, a matrix selection unit 25, a size adjustment unit 26, a watermark label generation unit 27, and a fluctuation recording unit 28.

The training data acquisition unit 21 acquires the training data for learning the target task and the watermark label T2 from the storage unit 10. The training data acquired by the training data acquisition unit 21 includes the target task learning data D and the target task label T1. The weight updating unit 22 updates the weight of each layer of the neural network N including a plurality of layers based on the training data acquired by the training data acquisition unit 21. As described above, the neural network N includes a first neural network N1 which is news for learning a target task and a second neural network N2 which is a neural network for embedding a watermark label.

The weight vector generation unit 23 generates a weight vector W, which is a vector having at least a part of the weights of the layers selected from the layers constituting the first neural network N1 as components. The vector conversion unit 24 multiplies the weight vector W generated by the weight vector generation unit 23 by the Hadamard matrix and converts it into a watermark vector.

The weight update unit 22 is a neural network based on a loss function obtained by adding a second loss function determined by using the watermark vector O2 and the watermark label T2 to the first loss function set for learning the target task. Update the weight of N. The weight vector generation unit 23 may construct the second loss function using, for example, known cross entropy.

Here, the Hadamard matrix is a matrix that serves as a secret key used to identify the source of the learning model generated by the information processing apparatus 1. Therefore, the Hadamard matrix used when the information processing apparatus 1 learns is managed only by some persons such as the administrator of the learning model and is kept secret from a third party. Further, among the weights constituting the information processing apparatus 1, which weight is used by the weight vector generation unit 23 to form the weight vector W is also concealed.

The Hadamard transform can also be regarded as a special Fourier transform. That is, it is considered that the vector conversion unit 24 converts the watermark label T2 using the Hadamard matrix, so that the information of the watermark label T2 is dispersed and embedded in the frequency space.

Therefore, an attacker who attempts to modify or remove the watermark label T2 must first determine which of the weights constituting the information processing apparatus 1 is used to form the weight vector W. Further, even if the attacker finds the watermark vector O2, it is difficult to calculate the watermark label T2 from the watermark vector O2 without knowing the Hadamard matrix used for learning.

In this way, the learning model generated by the information processing device 1 can specify the source, and can ensure the robustness of the information indicating the source.

As described above, the Hadamard matrix used for learning by the information processing apparatus 1 is not defined with an arbitrary size, and the size is discrete. Specifically, the Hadamard matrix is a square matrix with row and column lengths of 2 ^m (m is a positive integer).

FIG. 7 is a diagram for explaining the size relationship between the Hadamard matrix, the weight vector W, the watermark label T2, and the watermark vector O2. Since the watermark label T2 is information to be used for determining the source of the learning model, its length can be arbitrarily determined by the manager of the learning model who created the learning model using the information processing device 1. For this reason, it is generally not guaranteed that the length of the watermark label T2 matches the power of 2.

Therefore, the matrix selection unit 25 selects a Hadamard matrix having a row length equal to or greater than the length L of the watermark label T2. In FIG. 7, the length of the watermark label T2 is L, and it is assumed that 2 ^m-1 <L ≦ 2 ^m . In this case, the matrix selection unit 25 selects the Hadamard matrix having a row length of 2 ^m . Since the Hadamard matrix is a square matrix, the size of the column of the Hadamard matrix selected by the matrix selection unit 25 is also 2 ^m .

Since the vector generated by the vector conversion unit 24 by multiplying the weight vector W by the Hadamard matrix is the watermark vector O2, when L <2 ^m , the lengths of the watermark label T2 and the watermark vector O2 are different. Become. Therefore, the size adjusting unit 26 padding the watermark label T2 so that the length of the watermark label T2 is the same as the length of the row of the Hadamard matrix selected by the matrix selection unit 25.

Here, "padding" refers to a process of adding appropriate data before or after the data to adjust the length. As described above, since the component of the watermark vector O2 is either +1 or -1, the size adjusting unit 26 adds either +1 or -1 to the watermark label T2 to add the watermark label T2 to the Hadamard matrix. The length is the same as the length of the line. In the example shown in FIG. 7, the area indicated by the diagonal line at the end of the watermark label T2 is the area padded by the size adjusting unit 26. As a result, the information processing apparatus 1 can embed the watermark label T2 having an arbitrary length in the learning model.

The weight vector generation unit 23 selects the same number of weights as the row length in the Hadamard matrix selected by the matrix selection unit 25 among the weights of the layer L selected from the layers L constituting the first neural network N1. To generate the weight vector W. In this way, even when the Hadamard matrix whose row length is restricted to the power of 2 is used by generating the weight vector W by the weight vector generation unit 23 according to the size of the Hadamard matrix, information processing is performed. The device 1 can embed the watermark label T2 in the learning model.

As described above, the information processing apparatus 1 can embed the watermark label T2 having an arbitrary length in the learning model, but the watermark label T2 embedded in the learning model by the information processing apparatus 1 does not have to be one type. Specifically, the watermark label T2 may be data generated by concatenating a plurality of different labels.

For example, it is assumed that a plurality of creators are involved in the generation of the learning model generated by the information processing device 1. When assigning different labels to each of the plurality of creators and managing them, it is convenient if the information processing apparatus 1 can embed a plurality of different labels in the learning model. Therefore, the watermark label generation unit 27 generates the watermark label T2 by concatenating a plurality of different labels.

8 (a)-(b) are diagrams for explaining the structure of the watermark label T2 created by the watermark label generation unit 27 according to the embodiment. Specifically, FIG. 8A illustrates a watermark label T2 composed of three different labels: a first watermark label T2a, a second watermark label T2b, and a third watermark label T2c. In FIG. 8A, the black-painted square indicates “-1” and the white square indicates “+1”. As shown in FIG. 8A, the first watermark label T2a, the second watermark label T2b, and the third watermark label T2c have different patterns, and the watermark label T2 is the data in which the labels are connected in series. It has become.

FIG. 8B is a diagram schematically showing an operation for extracting each watermark label from the watermark label T2. As shown in FIG. 8B, the information processing apparatus 1 can take out each watermark label by multiplying the watermark label T2 by the Hadamard matrix. As shown in FIG. 8B, the information of the first watermark label T2a, the second watermark label T2b, and the third watermark label T2c is embedded in the common watermark label T2, respectively. Each watermark label can then be retrieved by multiplying the watermark label T2 by the corresponding row of the Hadamard matrix.

Here, the rows of the Hadamard matrix are orthogonal to each other. Therefore, according to the information processing apparatus 1 according to the embodiment, even if different watermark labels are embedded in the same watermark label T2, it is possible to reduce the influence of the watermark labels on each other at the time of embedding.

As described above, the information processing apparatus 1 embeds the watermark label T2 in the weight vector W created by using a part of the weights of the layer L constituting the first neural network N1 to provide information whose source can be specified in the learning model. I explained about embedding. Next, the selection of weights for the watermark label T2 embedded in the learning model to increase the resistance to the attack of modification or removal from a third party will be described.

The number of layers of the convolutional neural network used by the information processing apparatus 1 according to the embodiment is on the order of several tens to 100 layers. Therefore, the number of weights constituting the layers of the convolutional neural network becomes enormous. In general, the weights that make up such a multi-layer neural network are redundant, and not all weights contribute equally to learning. Weights with a large degree of contribution in learning are considered to have a large variation in the learning process as compared with weights with a small degree of contribution. In other words, weights with a high degree of contribution in learning are considered to be more active than weights with a low degree of contribution.

Moreover, even if the degree of contribution to learning has the same weight, it is considered that the way of fluctuation in the learning process changes depending on the quality of the information carried by the weight. For example, when the target task is cat image detection, the information processing device 1 causes the neural network N to learn a large number of cat images as training data. At this time, it is considered that the weight, which bears a component (generally a low frequency component) common to many cat images, is less likely to fluctuate once learning is stable. On the other hand, the weight for absorbing many cat variations is considered to fluctuate greatly depending on fine tuning because it reacts sensitively to differences between cats.

Here, by setting the weights constituting the weight vector W for embedding the watermark label T2 to be weights with little fluctuation in the learning process, the resistance of the attack from the attacker of the watermark label T2 can be increased. This is because even if the attacker attempts to scramble the watermark label T2 by re-learning the learning model, the weights constituting the weight vector W in which the watermark label T2 is embedded have a small variation in the learning process, so that the degree of scramble is also high. Because it becomes smaller.

Therefore, the information processing device 1 includes a variation recording unit 28 that records the variation of the weight of each layer L by updating the weight of each layer of the neural network N in advance based on the training data for learning the target task.

FIG. 9 is a diagram schematically showing an example of weight fluctuation in the learning process, and is a diagram showing an example of weight fluctuation recorded by the fluctuation recording unit 28. FIG. 9 illustrates the variation of four weights, the weight W1, the weight W2, the weight W3, and the weight W4. In FIG. 9, the horizontal axis represents the number of learning iterations, and the vertical axis represents the weight value.

In FIG. 9, the weights W1 and W4 have a large variation in the learning process as compared with the weights W2 and W3. Further, the weight W3 has a smaller variation in the learning process than the weight W2. In the example shown in FIG. 9, W1 ≈ W4> W2> W3 when arranged in the order of the magnitude of the change in weight in the learning process. Therefore, when adopted as the weights constituting the weight vector W, the order of high attack resistance is W3> W2> W1 ≈ W4.

The weight vector generation unit 23 selects a weight having a small fluctuation in the learning process as a component of the weight vector W in preference to a weight having a large fluctuation. As a result, even if an attacker attempts to scramble the watermark label T2 by fine tuning, the weight vector W adopts a weight with a small fluctuation due to learning, so that the influence of scrambling can be suppressed.

<Processing flow of information processing executed by information processing device 1>
FIG. 10 is a flowchart for explaining the flow of information processing executed by the information processing apparatus 1 according to the embodiment. The process in this flowchart starts, for example, when the information processing device 1 is activated.

The training data acquisition unit 21 acquires the training data for target task learning including the target task learning data D and the target task label T1 and the watermark label T2 (S2). The weight vector generation unit 23 generates a weight vector W which is a vector having at least a part of the weights of the layer L selected from the layers L constituting the neural network N including the plurality of layers L as components. (S4).

The vector conversion unit 24 converts the Hadamard matrix into the watermark vector O2 obtained by multiplying the weight vector W (S6). The weight update unit 22 adds the training data and the second loss function determined by using the watermark vector O2 and the watermark label T2 to the first loss function set for learning the target task. Based on this, the weight of each layer L of the neural network N is updated (S8).

<Effects of the information processing device 1 according to the embodiment>
As described above, according to the information processing apparatus 1 according to the embodiment, it is possible to provide a learning model capable of specifying the source. In particular, since the information processing device 1 according to the embodiment embeds the watermark label T2 by multiplying the weight vector W by the Hadamard matrix, it is possible to increase the resistance to the scramble attack of the watermark label T2 by the attacker.

Although the present invention has been described above using the embodiments, the technical scope of the present invention is not limited to the scope described in the above embodiments. It will be apparent to those skilled in the art that various changes or improvements can be made to the above embodiments. In particular, the specific embodiment of the distribution / integration of the device is not limited to the one shown above, and any unit thereof may be used in whole or in part according to various additions or functional loads. It can be functionally or physically distributed and integrated.

1 ... Information processing device 10 ... Storage unit 20 ... Control unit 21 ... Training data acquisition unit 22 ... Weight update unit 23 ... Weight vector generation unit 24 ... Vector conversion unit 25 ... Matrix selection unit 26 ... Size adjustment unit 27 ... Watermark label generation unit 28 ... Fluctuation recording unit

Claims (6)

A training data acquisition unit that acquires training data and watermark labels for objective task learning,
Based on the training data for learning the target task, a fluctuation recording unit that records the fluctuation of the weight of each layer by updating the weight of each layer of the neural network having a plurality of layers in advance.
A weight update unit that updates the weight of each layer of the neural network based on the training data,
A weight vector generation unit that generates a weight vector that is a vector having at least a part of the weights of the layers selected from the layers constituting the neural network.
It is provided with a vector conversion unit that multiplies the Hadamard matrix by the weight vector and converts it into a watermark vector.
The weight update unit is based on a loss function obtained by adding a second loss function determined by using the watermark vector and the watermark label to the first loss function set for learning the target task. Update the weights
The weight vector generation unit selects the weight having a small variation as a component of the weight vector in preference to the weight having a large variation.
Information processing device. A matrix selection unit that selects a Hadamard matrix having a row length greater than or equal to the length of the watermark label, and
A size adjuster for padding the watermark label so that the length of the watermark label is the same as the row length of the selected Hadamard matrix.
The information processing apparatus according to claim 1, further comprising. The weight vector generation unit generates the weight vector by selecting the same number of weights as the row length in the Hadamard matrix from the weights of the layers selected from the layers constituting the neural network.
The information processing device according to claim 1 or 2. A watermark label generation unit that concatenates a plurality of different labels to generate the watermark label is further provided.
The information processing device according to any one of claims 1 to 3. The processor
Steps to acquire training data and watermark label for purpose task learning,
A step of recording the fluctuation of the weight of each layer by updating the weight of each layer of the neural network having a plurality of layers in advance based on the training data for learning the target task.
A step of generating a weight vector which is a vector having at least a part of the weights of the layers selected from the layers constituting the neural network as components.
A step of converting the Hadamard matrix into a watermark vector obtained by multiplying the weight vector,
Based on the training data and a loss function obtained by adding a second loss function determined by using the watermark vector and the watermark label to the first loss function set for learning the target task. Steps to update the weights of each layer of the neural network,
And run
In the step of generating the weight vector, the weight having a small variation is selected as a component of the weight vector in preference to the weight having a large variation.
Information processing method. On the computer
Ability to acquire training data and watermark labels for objective task learning,
A function of recording the fluctuation of the weight of each layer by updating the weight of each layer of the neural network having a plurality of layers in advance based on the training data for learning the target task.
A function to generate a weight vector which is a vector having at least a part of the weights of the layers selected from the layers constituting the neural network as components, and
A function to convert the Hadamard matrix into a watermark vector obtained by multiplying the weight vector,
Based on the training data and a loss function obtained by adding a second loss function determined by using the watermark vector and the watermark label to the first loss function set for learning the target task. The ability to update the weights of each layer of the neural network,
Realized,
The function of generating the weight vector causes the weight having a small variation to be selected as a component of the weight vector in preference to the weight having a large variation.
program.