JP6835559B2 - Privacy protection data provision system - Google Patents

Description

The present invention relates to the privacy protection data providing system.

In recent years, when publishing data that requires privacy protection, such as personal data, a process called differential privacy has been performed to ensure the privacy of individual data, and then appropriate data analysis can be performed. Things have been proposed.

When processing differential privacy on data, the privacy protection level is indicated by the privacy index indicated by "ε". The closer the value of the privacy index "ε" is to 0, the higher the data protection level, and the larger the value of the privacy index "ε", the lower the data protection level.

Specifically, when there is an anonymous learning algorithm A that anonymizes a certain database D and performs differential privacy processing, the anonymous learning algorithm A becomes an algorithm including a probabilistic element. That is, when the database D is anonymized by the anonymous learning algorithm A including the stochastic element, different anonymized data s1, s2, ..., Sn are obtained each time the processing is performed because the database D contains the stochastic element. Be done. Here, a database D and a database D'with data different from the database D by one record are prepared, and specific data si of the set S of the respective databases D and D'(data si is the data s1 to sn. When the ratio of the probability of becoming (any) is less than or equal to exp (ε) using the privacy index “ε”, this anonymous learning algorithm A becomes an algorithm that satisfies the differential privacy.

To describe the point of satisfying this differential privacy more clearly, for example, a database D'in which the data of an arbitrary person is added (or deleted) to a specific database D composed of a large amount of personal information is referred to as a database D'. Here, there is almost no difference between the result of anonymizing the database D by performing differential privacy processing by the anonymous learning algorithm A and the result of anonymizing the database D'by applying the differential privacy processing by the anonymous learning algorithm A. When (that is, when the above-mentioned threshold exp (ε) is not exceeded), it can be said that the database D is open to the public while the privacy is maintained.

This can be regarded as a state in which privacy is protected because the results are almost the same regardless of the presence or absence of each person's data when viewed from the individual specified by each data constituting the database D. In other words, it means that the result will be the same regardless of whether it is database D or database D'.
Patent Document 1 describes an example of a method of aggregating data by satisfying differential privacy.

Japanese Unexamined Patent Publication No. 2016-12704

As described above, data can be anonymized by creating an anonymous learning algorithm that performs differential privacy processing, but in reality, the probability ratio is exp (regardless of the database configuration). ε) There is a problem that it is difficult to create an anonymous learning algorithm that performs machine learning that satisfies the following conditions and increases the accuracy of the neural model.

The present invention, in forming the anonymized deep learning model, whatever the data and provides privacy protection data providing system that precise preferred anonymized deep learning model is obtained The purpose is.

The privacy protection data providing system of one aspect of the present invention is a deep learning processing unit that applies a deep learning algorithm to raw data in a database to obtain a deep learning model, and a deep learning processing unit obtained by the deep learning processing unit. It is a privacy protection data providing system provided with an anonymization processing unit that obtains an anonymization model by performing anonymization processing based on differential privacy on the model.
Here, the anonymization processing unit gives an error based on the Laplace distribution to each parameter value for the weight parameter and the bias parameter included in the deep learning model, and each parameter to which an error is given based on the Laplace distribution. However, when the range of the threshold value indicated by the maximum value and the minimum value is exceeded, the limit is limited to the range of the threshold value.

Further, the privacy-protected data providing system of another aspect of the present invention applies a deep learning algorithm to anonymize the raw data in the database based on differential privacy to obtain a deep-learned anonymous model. It is a privacy protection data providing system equipped with a deep learning processing unit to obtain.
Here, the deep learning processing unit gives an error based on the Laplace distribution to each parameter value for the weight parameter and the bias parameter used in the calculation for obtaining the deep learning model, and also gives an error based on the Laplace distribution. When each parameter exceeds the threshold range indicated by the maximum value and the minimum value, the parameter is limited to the threshold range.

According to the present invention, when each parameter to which an error is given based on the Laplace distribution exceeds the threshold range indicated by the maximum value and the minimum value, the error is given by limiting to the threshold range. Even if the data is anonymized, the fluctuation range of the data can be limited to an appropriate range, and the appropriate anonymization can be performed. As a result, it becomes possible to reduce the decrease in accuracy of the deep learning model due to anonymization.

It is a block diagram which shows the structural example of the processing system according to 1st Embodiment of this invention. It is a block diagram which shows the structural example which gives an error based on a Laplace distribution in the anonymization processing part by the 1st Embodiment of this invention. It is a flowchart which shows the example of the processing flow by the example of 1st Embodiment of this invention. It is explanatory drawing which shows the outline of the deep learning by the example of 1st Embodiment of this invention. It is explanatory drawing which shows the experimental example by the 1st Embodiment of this invention. It is a block diagram which shows the structural example of the processing system according to the 2nd Embodiment of this invention. It is a flowchart which shows the example of the processing flow by the 2nd Embodiment example of this invention. It is explanatory drawing which shows the experimental example by the 2nd Embodiment of this invention. It is explanatory drawing which shows the outline of the example of giving an error and limiting to a threshold value (Example 1) by each embodiment of this invention. It is explanatory drawing which shows the outline of the example (Example 2) of giving an error and limiting to a threshold value by each embodiment of this invention.

<1. Example of the first embodiment>
Hereinafter, examples of the first embodiment of the present invention will be described with reference to FIGS. 1 to 5.

[System-wide configuration]
FIG. 1 shows the configuration of the privacy protection data providing system of the first embodiment.
A large amount of raw data including personal information is accumulated in the database 1, and the raw data accumulated in the database 1 is supplied to the deep learning processing unit 2. The deep learning processing unit 2 performs an operation applying a deep learning algorithm prepared in advance to obtain a deep learning model 3 in which raw data is deep learned.

Then, the deep learning model 3 obtained by the deep learning processing unit 2 is supplied to the anonymization processing unit 10. The anonymization processing unit 10 performs anonymization processing based on differential privacy on the supplied deep learning model 3 to obtain an anonymized deep learning model 4 (hereinafter referred to as “anonymization model 4”). obtain.

When the anonymization processing unit 10 obtains the anonymization model 4 based on the differential privacy, an error is added to each parameter value based on the Laplace distribution with respect to the weight parameter and the bias parameter included in the deep learning model 3. Give and perform differential privacy processing. However, when giving an error based on the Laplace distribution to each parameter value, the error is limited by the threshold value indicating the maximum value and the minimum value.
Giving an error based on the Laplace distribution means that the parameter value to which the error is given becomes a value including a stochastic element, and as a result, an anonymization model 4 in which anonymization is performed is obtained.

[Ε-Differential privacy processing configuration]
FIG. 2 is a block diagram showing the function of the anonymization processing unit 10.
As shown in FIG. 2, the anonymization processing unit 10 includes a data input unit 11, an ε input unit 12, a parameter structure determination unit 13, a parameter initial value determination unit 14, a threshold value determination unit 15, a threshold value exceeding determination unit 16, and a threshold value calculation. A unit 17 is provided. Further, the anonymization processing unit 10 includes an anonymization calculation unit 18 and a data output unit 19.

The data of the deep learning model is input to the data input unit 11, and this data is supplied to the anonymization calculation unit 18. An index "ε" for performing differential privacy processing is input to the ε input unit 12, and the index "ε" is supplied to the anonymization calculation unit 18.

The parameter structure determination unit 13 has a function of determining the parameter structure of the deep learning model 3, and the parameter structure of the deep learning model 3 determined by the parameter structure determination unit 13 is supplied to the anonymization calculation unit 18. The parameter structure determined by the parameter structure determination unit 13 includes at least a weight parameter and a bias parameter. Then, the anonymization calculation unit 18 performs a process of giving an error to these weight parameters and bias parameters.

The parameter initial value determination unit 14 determines the parameter initial values of the weight parameter and the bias parameter described above. This parameter initial value is supplied to the anonymization calculation unit 18, and the anonymization calculation unit 18 determines the initial value of the parameter structure determined by the parameter structure determination unit 13 using this parameter initial value.

The threshold value determination unit 15 determines a threshold value for limiting the maximum value and the minimum value when setting the error obtained based on the Laplace distribution. When determining the threshold value in the threshold value determination unit 15, the calculation result in the threshold value calculation unit 17 described later is used.
In the threshold value exceeding determination unit 16, whether or not the error value determined by the parameter structure determination unit 13 exceeds the threshold value (maximum value or minimum value) determined by the threshold value determination unit 15 when the anonymization calculation unit 18 performs the calculation. Is determined.

The threshold value calculation unit 17 performs a calculation for setting the threshold value, and supplies the calculation result to the anonymization calculation unit 18.
The anonymization calculation unit 18 performs a process of setting the threshold value as an error value when the determination result in the threshold value exceeding determination unit 16 exceeds the threshold value. The result of calculation by the anonymization calculation unit 18 is output from the data output unit 19.

[Overall processing flow]
FIG. 3 is a flowchart showing a processing flow in the privacy protection data providing system of the first embodiment.
First, the deep learning processing unit 2 acquires raw data from the database 1 (step S11). Then, the deep learning processing unit 2 applies a deep learning algorithm prepared in advance to the acquired raw data to perform deep learning (step S12), and as a result of the deep learning processing, acquires a deep learning model. (Step S13).

Next, the anonymization processing unit 10 performs anonymization processing on the deep learning model acquired in step S13 (step S14). When performing this anonymization process, an error is added based on the Laplace distribution after setting a limit by a threshold value.
In step S14, the threshold values used to limit the anonymization process are the threshold value indicating the maximum and minimum values of the fluctuation amount of the weight parameter in the anonymization processing unit 10, the maximum value of the fluctuation amount of the bias parameter, and It is a threshold value indicating the minimum value. Details of these threshold generation processes (step S20) will be described later using mathematical formulas.
Then, by executing the anonymization process in step S14 by the anonymization processing unit 10, an anonymization model is acquired (step S15), and the obtained anonymization model is output from the data output unit 19.

[Details of deep learning]
Next, the details of each process of steps S12 to S15 described so far will be described.
First, an example in which deep learning is performed will be described with reference to FIG.
In FIG. 4, H ^(l) represents the first layer of deep learning. FIG. 4 is an example of L = 3, and has L + 1 layers as a whole. The input layer is H ⁽⁰⁾ and the output layer is H ^(L) . Each layer has a plurality of (or one) nodes. Node _N ^{i (l)} represents the i-th node in layer ^{H (l), n (l} ) is the number of nodes in layer ^{H (l).} The layer H ^(l) has nodes N ₁ ^(l) , N ₂ ^(l) , ..., N _{n (l)} ^(l) .

Further, in FIG. 4, _wij ^(l) represents a weight parameter between the node N _i ^(l-1) and the node N _j ^(l). b _j ^(l) represents a bias parameter to node N _j ^(l). F ^(l) represents the activation function of layer H ^(l). x _i ^(l) represents the input to the node _Ni ^(l) _{, and y i} ^(l) represents the output from the node _Ni ^(l).
These input / output values are calculated by the following formula.

Here, _{t i} represents the target output value of the node _N ^{i (L),} M represents an error function. Error function M takes _y ^{i (L)} and _{t i} as input, returns the value of the error.
The training data is divided into groups called batches. The following process is performed for each batch.

For each record in the batch, y _i ^(L) is calculated by the deep learning algorithm (i = 1, ..., n ^(L) ).
Next, the deep learning algorithm to calculate each node _N ⁱ (put and δ _i ^(l)) an error signal in ^(l). When l = L, δ _i ^(L) is calculated by the following equation [Equation 2].

For l = 1, ..., L-1, δ _i ^(l) is calculated by the following equation [Equation 3].

_{Then, δ i} ^(l) is calculated for each record in the batch by the deep learning algorithm, and the sum is newly set as δ _i ^(l) .
Next, the variation amount [Delta] w _ij a ^(l), defined as follows.

Finally, according to the deep learning algorithm, each weight parameter _wij ^(l) for l = 1, ..., L, i = 1, ..., n ^(l-1) , and j = 1, ... , N ^(l) is updated as shown in the following equation [Equation 5].

Here, the learning rate α and the regular term λ are determined in advance.
The bias parameters are updated as follows.

Here, Δb _j ^(l) = δ _j ^(l) .
The process of the formulas [Equation 1] to [Equation 6] is performed for all batches.
Also, this process is repeated multiple times. This number of repetitions is called the epoch number. The number of epochs is determined by pre-cited references or while proceeding with learning before deep learning.

[Ε-Details of differential privacy]
Next, ε-difference privacy will be described.
For example, database D and database D'are different by a maximum of one record. The random mechanism A realizes ε-difference privacy when the following condition of Eq. [Equation 7] is satisfied for all sets Y of outputs.

Consider database D and database D'as databases that differ by one record. Let Q be the set of all databases that are theoretically possible as input databases. At this time, let f be a function such that f: Q → R. Here, when the following [Equation 8] equation holds for all databases D and database D', Δf is defined as the global sensitivity of f, that is, the range in which the value of f can be taken.

Next, an anonymization mechanism that satisfies ε-differential privacy, called the Laplace mechanism, will be described.
Let Lap (v) be a function that outputs a random error based on a Laplace distribution with a mean of 0 and a scale of v. At this time, when the random mechanism A outputs f (D) + Lap (Δf / ε) for a certain function f, the random mechanism A satisfies ε-difference privacy.

Here, let d be the maximum value of the range of values in which the variable to be given the error b can fluctuate depending on the presence or absence of one data. The maximum value d here is calculated from the range of values that can be assumed as a database before anonymization, not the actual value. Then, the error b = d / ε is set. That is, the larger the value of the maximum value d and the smaller the ε, the larger the value of the error b and the larger the given error.

There are a plurality of weight parameters and bias parameters for deep learning. Although it is possible to satisfy the ε-differential privacy for the set of these parameters, in the present embodiment, the ε-differential privacy is individually satisfied for each parameter.
In this way, when the ε-difference privacy is individually satisfied for each parameter, the random mechanism A holds the following equation for all sets Y of outputs in each parameter, and the following equation holds for each parameter. On the other hand, the ε-differential privacy is satisfied individually. Note that database D and database D'are different by a maximum of one record.

[Example of threshold setting for each parameter]
Next, a description will be given of a process for setting a threshold value for the weight parameter _w ^{ij (l)} and the bias parameter _b ^{j (l).} This process corresponds to the process of step S20 in FIG.
This process is performed to reduce the error given to the parameter by reducing the theoretical maximum value (global sensitivity) of the value that can change when only one record is different. As a result, it is possible to reduce the decrease in accuracy of the deep learning model, that is, to improve the accuracy.

Here, the maximum value of the weight parameter _wij ^(l) _{is w max} , and the minimum value is w _min . Further, the maximum value of the bias parameter b _j ^(l) _{is b max} , and the minimum value is b _min .
Further, in the present embodiment, a threshold value is also set for the input value (learning data) for deep learning. The threshold value of this input value is set to [0,1] here. The threshold value [0,1] here means that the minimum value is "0" and the maximum value is "1", and the threshold value is limited to "0" or more and "1" or less.

In the present embodiment, the anonymization processing unit 10 gives an error to _{the learned weight parameter wij} ^{(l) after performing deep learning.} _{That is, wij} ^(l) + Lap (w _max −w _min / ε) is calculated for all i, j, l (see FIG. 3) during deep learning. This calculation result is referred to as _rij ^(l) . If the value of the calculation result _rij ^(l) _{exceeds the maximum value w max} , the value of the weight parameter _wij ^(l) is corrected to the maximum value (threshold value) w _max.
Similarly, if the value of the _{calculation result rij} ^(l) is less than the _{minimum value w min , the value of the weight parameter wij} ^(l) is corrected to the minimum value (threshold value) w _min.

Further, the process of limiting this maximum value and the minimum value is also performed with respect to the bias parameters b _{j ^(l).} That is, the calculation result of the bias parameter b _j ^(l) is set to min (b _max , max (b _min , b _j ^(l) + Lap ((b _max −b _min ) / ε)))).

[Explanation of satisfying ε-differential privacy when threshold is set]
Next, it will be described that the parameters when the error is limited by the threshold value (maximum value, minimum value) satisfy the ε-difference privacy.
As described above, in this embodiment, as the weight parameters _w ^ij during deep learning ^(l) and the bias parameter _b ^{j (l)} (see FIG. 4), the maximum width of the theoretical weight parameter _w ^{ij (l)} (Global sensitivity) is (w _max −w _min ), and the theoretical maximum width (global sensitivity _{) of the bias parameter b j} ^(l _{) is (b max} −b _min ). As will be described next, _{the calculation result of the learned weight parameter w j} ^(l) is calculated as min (w _max , max (w _min , b _j ^(l) + Lap ((w _max −w _min ) / ε))). And set the calculation result of the learned bias parameter b _j ^(l) _{to min (b max} , max (b _min , b _j ^(l) + Lap ((b _max −b _min ) / ε)))). Therefore, the ε-differential privacy can be satisfied.

When the random mechanism A _{outputs min (f min} , max (f _max , f (D) + Lap (Δf / ε))), the random mechanism A realizes ε-differential privacy. Here, f _max and f _min are the theoretical maximum and minimum values that f (D) can take.
Here, a database D and a database D'that differs from the database D by one record are placed.
Further, it is set as F (D) = f (D) + Lap (Δf / ε). When the value of F (D) _{falls within the range of [f min} , f _max ], the equation [Equation 7] is established.

Next, consider the case where the value of F (D) is _{less than f min.} At this time, the output value of A (D) becomes _{f min.} The probability that the output of A (D) _{will be f min} is expressed by the following equation [Equation 9].

In the equation [Equation 9], Lap (v, u) represents the value of the probability density function of the Laplace distribution in which the scale parameter is v and the difference from the average is u.
Similarly, the probability that the output value of A (D') is f _min is expressed by the following equation [Equation 10].

The ratio of the value of the formula [Equation 9] to the value of the formula [Equation 10] is expressed by the formula [Equation 11] at the maximum.

Here, since | f (D) −f (D ′) | ≦ Δf, the value of the equation [Equation 11] is exp (ε) or less. Therefore, it satisfies ε-difference privacy.

Next, consider the case where the value of F (D) is f _{max or more.} At this time, the output value of A (D) is limited to _{f max.} The probability that the output of A (D) _{becomes f max} is expressed by the following equation [Equation 12].

Similarly, the probability that the output value of A (D') _{becomes f max} is expressed by the following equation [Equation 13].

The ratio of the value of the formula [Equation 12] to the value of the formula [Equation 13] is expressed by the formula [Equation 14] at the maximum.

Here, since | f (D) −f (D ′) | ≦ Δf, the value of the equation [Equation 14] is exp (ε) or less. Therefore, it satisfies ε-difference privacy.
Limiting the error to the maximum and minimum thresholds in this way satisfies the ε-differential privacy holds for all parameters. Therefore, by limiting the error of each parameter with a threshold value as in the present embodiment, ε-differential privacy is established.

FIG. 9 shows an outline of the process of limiting the error to the threshold value of the maximum value and the minimum value, which has been described by using the mathematical formula so far. As shown in FIG. 9, for example, it is assumed that the range of values that a certain parameter can take is "0" or more and "1" or less, and the parameter value at a certain point in time is 0.8 (global sensitivity is the maximum value). Difference between "1" and minimum value "0"). Then, an error is added to this parameter value "0.8", and when the parameter value to which the error has been added becomes "1.1", the parameter value is limited to "1" which is the upper limit value of the threshold range. Processing is performed.
In addition, the example shown in FIG. 9 shows the outline of limiting the parameter by the threshold value in a very simplified manner, and the process of limiting the parameter to the actual threshold value includes various conditions described with reference to the mathematical formulas so far. It is done in consideration.

[Example of evaluation using actual data]
FIG. 5 shows an example when the processing of the present embodiment is executed on the data set for evaluation. Here, [Adult data set], which is widely used in the field of privacy protection data mining, is used as a data set for evaluation. The [Adult Data Set] is composed of 15 types of attributes (age, gender, race, annual income, etc.), and is composed of 45,222 records excluding records including missing values. The annual income attribute takes two values as to whether or not the annual income of a person on each record exceeds $ 50,000.
Then, from 14 attributes excluding the annual income, a deep learning system that predicts whether or not the annual income exceeds 50,000 dollars will be constructed.

First, we conducted a preliminary experiment on raw data without anonymization to satisfy the differential privacy, and determined the structure of the deep learning algorithm so that the accuracy of the deep learning model would be high. Good results are obtained when the learning rate is 0.01, the batch size is 50, the number of epochs is 500, the regular term is 0.001, and the number of intermediate layers is 4 (5 layers in total including the input layer and output layer). did.

Here, a 10-fold cross-validation test is performed to perform anonymization that satisfies the differential privacy, and when the anonymization is performed, an anonymization model is performed when the maximum and minimum values of the error are limited to the threshold value. The accuracy of was measured. In this example, the method [accuracy] and the method [f-meter] were used as methods for evaluating the accuracy. In the 10-fold cross-validation test, the data set is divided into two at a ratio of 9: 1, the data of the ratio 9 is used as training data, and the data of ratio 1 is used as test data. That is, learning is performed using the training data of the ratio 9, and 14 types of attributes excluding the salary are input into the trained deep learning model from the test data of the ratio 1 to perform a process of predicting the salary. Then, the prediction result is compared with the actual value for evaluation. This evaluation is performed 10 times so that each record is included in the test data once.

The values of the two evaluation indexes (vertical axis in FIG. 5) of the method [accuracy] and the method [f-mere] are both values from 0 to 1, and the closer to 1 the higher the accuracy. The horizontal axis of FIG. 5 indicates the number of data sets (batch size), and FIGS. 5A, 5B, and 5C show the cases of ε = 1, ε = 10, and ε = 100, respectively.
For example, in the example shown in FIG. 5C, the evaluation index value of the method [accuracy] is 0.85, and the evaluation index value of the method [f-mease] is 0.79, and good accuracy is ensured in both cases. I understand.

<2. Example of the second embodiment>
Next, an example of the second embodiment of the present invention will be described with reference to FIGS. 6 to 8. In FIGS. 6 to 8 for explaining the second embodiment, the same components and processes as those in FIGS. 1 to 5 described in the first embodiment are designated by the same reference numerals and will be described in detail. Is omitted.

[System-wide configuration]
FIG. 6 shows the configuration of the privacy protection data providing system of the second embodiment.
A large amount of raw data including personal information is accumulated in the database 1, and the raw data accumulated in the database 1 is supplied to the deep learning processing unit 20. The deep learning processing unit 20 is an anonymized deep learning model by performing an operation applying a deep learning algorithm prepared in advance and at the same time performing an anonymization process based on differential privacy at the time of the deep learning operation. Obtain anonymization model 4.

When the deep learning processing unit 20 obtains the anonymization model 4 based on the differential privacy, the weight parameter and the bias parameter used in the deep learning algorithm are based on the Laplace distribution based on the fluctuation amount of each parameter value. Give an error and perform differential privacy processing. However, when giving an error based on the Laplace distribution to the fluctuation amount of each parameter value, the error is limited by the threshold value indicating the maximum value and the minimum value.
Giving an error based on the Laplace distribution means that the parameter value to which the error is given becomes a value including a stochastic element, and as a result, an anonymization model 4 in which anonymization is performed is obtained.
The generation of an error for the deep learning processing unit 20 to obtain the anonymization model 4 based on the differential privacy during deep learning is realized by the same configuration as the processing in the anonymization processing unit 10 shown in FIG.

[Overall processing flow]
FIG. 7 is a flowchart showing a processing flow in the privacy protection data providing system of the second embodiment.
First, the deep learning processing unit 20 acquires raw data from the database 1 (step S31). Then, the deep learning processing unit 20 applies a deep learning algorithm prepared in advance while adding an error based on the Laplace distribution in which the limit by the global sensitivity is set to the fluctuation amount of the parameters of the acquired raw data. Then, deep learning is performed (step S32). At this time, the global sensitivity of the fluctuation amount of the parameter is calculated sequentially while performing deep learning. By calculating the global sensitivity of the fluctuation amount of the parameter, the Laplace distribution is determined from the global sensitivity and the privacy index "ε", and anonymization is performed by giving an error in the Laplace distribution. Then, as a result of the deep learning process, an anonymization model is acquired (step S33), and the obtained anonymization model is output from the data output unit 19.

In step S32, the threshold values used for limiting the anonymization process are the threshold value indicating the maximum and minimum values of the fluctuation amount of the weight parameter in the deep learning processing unit 20, and the maximum and minimum values of the fluctuation amount of the bias parameter. It is a threshold value indicating.

[Details of deep learning]
Next, the details of each process of steps S31 to S33 described so far will be described.
In the embodiment of the present embodiment, the activation function and the error function are determined in advance, and anonymized deep learning is performed.
For example, ReLU defined by f (x) = max (0; x) is widely used as an activation function excluding the final layer of deep learning.
For the purpose of using deep learning, in the case of categorization, the activation function of the final layer (F (L))
The softmax function is widely used as an error function, and the cross entropy error function is widely used as an error function.
The softmax function is defined as the following equation [Equation 15].

Further, the cross entropy error function is defined as the following equation [Equation 16].

Here, when performing anonymized deep learning, each layer except the final layer for deep learning uses the activation function ReLU, the softmax function as the activation function of the final layer, and the cross entropy error function as the error function. Use.
When the activation function of the final layer is the softmax function and the error function is the cross entropy error function, the values of the error signals δ _j (L) for j = 1, ···, n ^(L) are as follows. It is calculated as shown in the formula [Equation 17] of.

In the equation [Equation 17], y _j ^(L) represents the output value of the node N _j ^(L) _{, and t j} ^(L) represents the target output value of the node N _j ^(L).
When the activation function ReLU is used in a layer other than the final layer, the error signals δ _j ^(l) = 1, ···, L-1 of each node other than the final layer are calculated by the following equation [Equation 18]. To.

The range that can be taken as the value of _{x j} ⁽¹⁾ _{is [b j} ⁽¹⁾ + Σ _i min (wi _{, j} ⁽¹⁾ , 0), b _j ⁽¹⁾ + Σ _i max (wi _{, j} ^(1)). , 0)]. _Also, the possible range as the value of ^{x j (2) _{is, [b j (2) +}} Σ i (b i (1) + Σ k max (w k, i (1), 0)) min (w i, j ^{_{(2), 0), b}} j (2) + Σ i (b i (1) + Σ k max (w k, i (1), 0)) max (w i, j (2), a 0)] .. In deep learning, x _j ^(l) for l = 1, ..., L is calculated by the following equation [Equation 19].

Here, min (y _i ⁽⁰⁾ ) = 0 and max (y _i ⁽⁰⁾ ) = 1. This is because the input value to the first layer of deep learning is normalized to the range of 0 or more and 1 or less. Further, since the activation function ReLU is used in the layers other than the final layer, y _j ^(l) is calculated by the following equation [Equation 20] at l = 1, ..., L-1. ..

From this, it can be seen that the value of _{max (y j} ^{(l)) is always 0 or more.}
Next, the range of possible values of the error signal δ _j ^{(l) is calculated.} Since the range of the output value of the deep learning model is from -1 to 1, it is defined as the following equation [Equation 21].

Further, l = 1, ..., L-1 is expressed by the following equation [Equation 22]. Here, for all j and l, min (δ _j ^(l) ) and max (δ _j ^(l) ) ≧ 0.

Finally, the following equation [Equation 23] is obtained.

b _j ^(l) is expressed by the following equation [Equation 24].

Further, l = 1, ..., L-1 is expressed by the following equation [Equation 25].

As already mentioned, the variation amount [Delta] w _ij of the weighting parameters ^_(l), based on the bias parameters of the variation amount [Delta] b j ^_(l), the weighting parameters and the bias parameter, [Expression 5] equation [6] where Update by. That is, the weight and bias parameters are updated each time data is entered.
Here, in the example of the present embodiment, an error based on the Laplace distribution is given to the fluctuation amount at this time. A variation amount [Delta] w _ij of the weighting parameters ^(l), for a bias parameter variation amount Δb _j ^(l), sets the threshold value.

Here, Δw _max and Δw _min are the maximum and minimum values of the fluctuation amount Δw _ij ^{(l) of the weight parameter.} Further, Δb _max and Δb _min are set as the maximum and minimum values of the bias parameters Δb _j ^(l).

Also, let E be the number of epochs for deep learning. When performing learning for each batch, for each _w ^{ij (l)} and _b ^{j (l),} the variation amount [Delta] w _ij of the weighting parameters _{^{(l), min (Δw max}} , min (Δw max, w _ij ^(l) + Lap ((Δw _max −Δw _min ) ・ E / ε)))). Further, the fluctuation amount Δb _j ^(l) of the bias parameter is set to min (Δb _max , max (Δb _min , b _j ^(l) + Lap ((Δb _{max − Δb min} ) · E / ε))).

[Explanation of satisfying ε-differential privacy when threshold is set]
Next, it will be described that the anonymous model in which the error is limited by the threshold value (maximum value, minimum value) of the parameters when performing deep learning satisfies the ε-differential privacy.
Each weight parameter and bias parameter is updated based on the [Equation 5] and [Equation 6] equations. In Equation 5 equation [6] where it variation [Delta] w _ij of the weighting parameters ^_(l) and the bias parameter variation amount [Delta] b j ^_(l) will vary depending on the input value of the learning, other values Does not depend on the input value. Thus, in the first embodiment, as in the case of proving that satisfying ε- difference privacy when setting the threshold value, [Delta] w _ij ^(l) a _{min (Δw max, max (Δw} min, w ij ( ^l) + Lap ((Δw _max −Δw _min ) · E / ε))), and set Δb _j ^(l) to min (Δb _max , max (Δb _min , b _j ^(l)) + Lap ((Δb _max)) By setting −Δb _min ) · E / ε)))), the iteration of each epoch satisfies the parameter base (ε / E) − differential privacy.
Since there is an E epoch as a whole, the ε-differential privacy is finally satisfied from the proof described below.

Random mechanism A is, d number of random mechanism A _{1, ···,} which consists of A _d, shall be carried out continues to this once. Here, when i ≧ 2, A _i takes the output value _{of A i-1} as an input. _{The output value of Ad} becomes the output value of A.
Each A _i shall satisfy the parameter base ε _i − differential privacy. At this time, A _{realizes a parameter-based (Σ i = 1} ^d ε _i ) differential privacy.

Random mechanism A is, d number of random mechanism A _{1, ···,} which consists of A _d, shall be carried out continues to this once. When i ≧ 2, A _i takes the output value _{of A i-1} as an input. _{The output value of Ad} becomes the output value of A. Here, it is assumed that each A _i satisfies ε _i − differential privacy. At this time, the random mechanism A _{realizes (Σ i = 1} ^d ε _i ) -differential privacy.
Since this process is executed for each parameter, the random mechanism A here _{realizes parameter base (Σ i = 1} ^d ε _i ) -differential privacy.

FIG. 10 shows an outline of the process of limiting the error to the threshold values of the maximum value and the minimum value in the second embodiment. As shown in FIG. 10, for example, it is assumed that the maximum range that can be taken as the fluctuation amount of a certain parameter is “0” or more and “1” or less, and the fluctuation amount at a certain point in time is 0.6. Then, it is assumed that the range of the threshold values calculated sequentially while learning is "0.3" or more and "0.7" or less (the global sensitivity in this case is 0.7-0.3 = 0). .4). The Laplace distribution is determined from this threshold range (global sensitivity) and the privacy index "ε". Processing that gives an error in the Laplace distribution is performed. The global sensitivity (Δf) is calculated by the equation [Equation 8] already described.
Here, as shown in FIG. 10, when an error is added to the parameter fluctuation amount “0.5” and the error-added parameter fluctuation amount becomes “0.1”, the threshold value at that time is reached. The process of limiting to "0.3", which is the lower limit of the range of, is performed. Since the Laplace distribution is calculated from the global sensitivity and privacy index "ε", the error of the Laplace distribution can be reduced by reducing the value of global sensitivity (that is, reducing the threshold width), and deep learning. It leads to the improvement of the accuracy of.
Similar to the example of FIG. 9, the example shown in FIG. 10 also shows the outline of limiting the fluctuation amount of the parameter by the threshold value in a very simplified manner. It is carried out in consideration of various conditions explained with reference to.
Further, even in the case of the second embodiment, if the global sensitivity (Δf) matches the maximum range that can be taken as the fluctuation amount of the parameter, the threshold value is limited in the state shown in FIG. It will be.

[Example of evaluation using actual data]
FIG. 8 shows an example in which the processing of the present embodiment is executed on the data set for evaluation. The example of FIG. 8 is performed under the same conditions as the evaluation of FIG. 5 described in the first embodiment.
The horizontal axis of FIG. 8 indicates the number of data sets (batch size), and FIGS. 8A, 8B, and 8C show the cases of ε = 1, ε = 10, and ε = 100, respectively.
As shown in FIGS. 8A, 8B, and 8C, it can be seen that good accuracy is ensured in all cases. Here, as can be seen by comparing FIG. 5 (example of the first embodiment) and FIG. 8 (example of the second embodiment), when the value of ε is small, the example of the first embodiment Higher accuracy can be obtained. On the other hand, when the value of ε is large, higher accuracy can be obtained in the second embodiment. However, this result varies depending on the data set used, and which embodiment is preferably applied depends on the data set used.

In the evaluation examples shown in FIGS. 5 and 8, the number of times when the predicted annual income is 50,000 dollars or less and the actual annual income is 50,000 dollars or less is TN, and the predicted annual income is 50,000 dollars or less. The number of times when the annual income exceeds 50,000 dollars is defined as FN. In addition, the number of times when the predicted annual income exceeds 50,000 dollars and actually exceeds 50,000 dollars is TP, the predicted annual income exceeds 50,000 dollars, and the actual annual income is 50,000 dollars or less. The number of times in a certain case was defined as FP.
At this time, in the method [accuracy], the evaluation is performed by the equation [Equation 26]. Further, in the method [f-meter], the evaluation is performed by the equation [Equation 27].

As described above, according to each embodiment of the present invention, when anonymization is performed by giving an error based on the Laplace distribution, the maximum value and the minimum value of the error are limited by a threshold value. , The error given when performing anonymization can be limited to a certain range, and appropriate anonymization with less error can be performed. As a result, it becomes possible to reduce the decrease in accuracy of the deep learning model.

The mathematical formulas described so far show suitable examples when applying each embodiment of the present invention, and the present invention is not limited to the processes described in these mathematical formulas.

1 ... database (raw data), 2 ... deep learning processing unit, 3 ... deep learning model, 4 ... anonymized model (anonymized deep learning model), 10 ... anonymized processing unit (differential privacy application with threshold limitation) , 11 ... data input unit, 12 ... ε input unit, 13 ... parameter structure determination unit, 14 ... parameter initial value determination unit, 15 ... threshold determination unit, 16 ... threshold exceeding determination unit, 17 ... threshold calculation unit, 18 ... anonymous Chemical calculation unit, 19 ... Data output unit, 20 ... Machine learning processing unit (differential privacy applied)

Claims (3)

A deep learning processing unit that applies a deep learning algorithm to the raw data in the database to obtain a deep learning model,
A privacy protection data providing system including an anonymization processing unit that obtains an anonymization model by performing anonymization processing based on differential privacy on the deep learning model obtained by the deep learning processing unit.
The anonymization processing unit gives an error based on the Laplace distribution to each parameter value for the weight parameter and the bias parameter included in the deep learning model, and each parameter to which the error is given based on the Laplace distribution , A privacy protection data providing system, characterized in that when the range of the thresholds indicated by the maximum value and the minimum value is exceeded, the range of the thresholds is limited. It is a privacy protection data providing system equipped with a deep learning processing unit that applies a deep learning algorithm to obtain an anonymous model that has been deep learned while performing anonymization processing based on differential privacy on the raw data in the database.
The deep learning processing unit gives an error based on the Laplace distribution to each parameter value for the weight parameter and the bias parameter used in the calculation for obtaining the deep learning model, and gives an error based on the Laplace distribution. A privacy protection data providing system characterized in that when a parameter exceeds a range of thresholds indicated by a maximum value and a minimum value, the parameter is limited to the range of the threshold value. When the deep learning processing unit obtains a deep learning model, it sequentially calculates global sensitivities and performs a process of acquiring the Laplace distribution based on the calculated global sensitivities.
The privacy protection data providing system according to claim 2, wherein an error is given based on the sequentially acquired Laplace distribution.

Images