WO2021098255A1 - Training method and device for neural network model for protecting privacy and security - Google Patents

Training method and device for neural network model for protecting privacy and security

Info

Publication number
WO2021098255A1
Authority
WO
WIPO (PCT)
Application number
PCT/CN2020/103605
Other languages
French (fr)
Chinese (zh)
Inventor
翁海琴
Original Assignee
支付宝(杭州)信息技术有限公司
Application filed by 支付宝(杭州)信息技术有限公司
Publication of WO2021098255A1

Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems > G06F21/55 Detecting local intrusion or implementing counter-measures
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/60 Protecting data > G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules > G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database > G06F21/6245 Protecting personal data, e.g. for financial or medical purposes
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS > G06N3/00 Computing arrangements based on biological models > G06N3/02 Neural networks > G06N3/04 Architecture, e.g. interconnection topology > G06N3/045 Combinations of networks
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS > G06N3/00 Computing arrangements based on biological models > G06N3/02 Neural networks > G06N3/06 Physical realisation, i.e. hardware implementation of neural networks, neurons or parts of neurons > G06N3/063 Physical realisation, i.e. hardware implementation of neural networks, neurons or parts of neurons, using electronic means
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS > G06N3/00 Computing arrangements based on biological models > G06N3/02 Neural networks > G06N3/08 Learning methods

Definitions

  • One or more embodiments of this specification relate to the field of artificial intelligence, and in particular to a method and device for training a neural network model that protects privacy and security.
  • In the field of artificial intelligence, neural network models are widely deployed in various practical scenarios, such as face detection and product recommendation. While achieving high effectiveness and accuracy, a neural network model also over-memorizes the data in its training set, and this information can be detected by an attacker through specific techniques (such as membership inference attacks and model stealing attacks), leading to leakage of the training data. The training data may involve user privacy information.
  • One or more embodiments of this specification describe a method and device for training a neural network model that protects privacy and security, which can prevent an attacker from detecting the training data of the neural network model.
  • In a first aspect, a method for training a neural network model that protects privacy and security includes: obtaining a preliminarily trained target neural network model and a training data set, the target neural network model including a plurality of intermediate layers and the training data set including a first number of member samples; determining the important decision-making layers and decision-independent layers among the plurality of intermediate layers, where the degree of influence of an important decision-making layer on the decision result is greater than that of a decision-independent layer; and retraining the target neural network model on each member sample in the training data set, where the retraining fixes the parameters of the decision-independent layers and makes some neurons of the important decision-making layers stop working with a certain probability, so as to adjust the parameters of the important decision-making layers.
  • the preliminary training adjusts the parameters of each intermediate layer in the target neural network model.
  • In a possible implementation, determining the important decision-making layers and decision-independent layers among the plurality of intermediate layers includes: using member samples and non-member samples as evaluation samples to form an evaluation data set; inputting any evaluation sample into the target neural network model to obtain the intermediate layer features of that evaluation sample output by each intermediate layer; and determining the important decision-making layers and decision-independent layers among the intermediate layers according to the intermediate layer features of the evaluation sample and whether the evaluation sample is a member sample.
  • Further, forming an evaluation data set from member samples and non-member samples includes: extracting a second number of member samples from the first number of member samples, the second number being smaller than the first number; obtaining a third number of non-member samples whose distribution is the same as that of the member samples; and using the second number of member samples and the third number of non-member samples as evaluation samples to form the evaluation data set.
  • Further, determining the important decision-making layers and decision-independent layers according to the intermediate layer features of the evaluation sample and whether it is a member sample includes: performing dimensionality reduction on each intermediate layer feature of the evaluation sample and using the result as the sample features of an interpretable classifier, using whether the evaluation sample is a member sample as the sample label, and training the interpretable classifier; and determining the important decision-making layers and decision-independent layers among the intermediate layers according to the trained interpretable classifier.
  • Further, performing dimensionality reduction on each intermediate layer feature of the evaluation sample includes: training one autoencoder for each intermediate layer; and using the autoencoder corresponding to each intermediate layer to reduce the dimensionality of the evaluation sample's feature from that intermediate layer.
  • the interpretable classifier is a tree model or a logistic regression model.
  • the method further includes: repeating the re-training after replacing the part of the neurons.
  • the certain probability is 50%.
  • a training device for a neural network model that protects privacy and security.
  • The device includes: an acquisition unit for acquiring a preliminarily trained target neural network model and a training data set, the target neural network model including a plurality of intermediate layers and the training data set including a first number of member samples; and a determining unit for determining the important decision-making layers and decision-independent layers among the plurality of intermediate layers acquired by the acquisition unit, where the degree of influence of an important decision-making layer on the decision result is greater than that of a decision-independent layer;
  • a computer-readable storage medium on which a computer program is stored, and when the computer program is executed in a computer, the computer is caused to execute the method of the first aspect.
  • a computing device including a memory and a processor, the memory stores executable code, and the processor implements the method of the first aspect when the executable code is executed by the processor.
  • The target neural network model includes a plurality of intermediate layers, and the training data set includes a first number of member samples; the important decision-making layers and decision-independent layers among the plurality of intermediate layers are then determined, where an important decision-making layer has a greater influence on the decision result than a decision-independent layer; finally, the target neural network model is retrained on each member sample in the training data set, with the retraining fixing the parameters of the decision-independent layers and making some neurons of the important decision-making layers stop working with a certain probability, so as to adjust the parameters of the important decision-making layers.
  • After the preliminary training, the important decision-making layers and decision-independent layers are identified, and different parameter-adjustment strategies are applied to the two kinds of layers when the target neural network model is retrained: some neurons in the important decision-making layers stop working with a certain probability while the parameters of those layers are adjusted, so as to prevent an attacker from detecting the training data of the neural network model.
  • Figure 1 is a schematic diagram of an implementation scenario of an embodiment disclosed in this specification.
  • Fig. 2 shows a flowchart of a training method of a neural network model for protecting privacy and security according to an embodiment
  • Fig. 3 shows a schematic block diagram of a training device for a neural network model for protecting privacy and security according to an embodiment.
  • Fig. 1 is a schematic diagram of an implementation scenario of an embodiment disclosed in this specification.
  • This implementation scenario involves the training of a neural network model to protect privacy.
  • the model structure and parameters of the neural network model can be known in the white box scenario.
  • the embodiment of this specification uses conventional methods to conduct preliminary training on the target neural network model based on each member sample in the training data set, and then conducts a security review on the target neural network model based on the evaluation sample.
  • The evaluation sample is a member sample or a non-member sample.
  • Each intermediate layer feature of the target neural network model corresponding to the evaluation sample is extracted; an interpretable classifier is trained on these intermediate layer features, with the label being whether the evaluation sample is a member sample; the interpretable classifier is then analyzed to determine the important decision-making layers and decision-independent layers; and finally the target neural network model is fine-tuned in a targeted way based on the analysis results, so as to prevent the model from leaking private information.
  • FIG. 2 shows a flowchart of a training method of a neural network model for protecting privacy and security according to an embodiment, and the method may be based on the implementation scenario shown in FIG. 1.
  • The method for training a privacy-protecting neural network model in this embodiment includes the following steps. Step 21: obtain a preliminarily trained target neural network model and a training data set, the target neural network model including a plurality of intermediate layers and the training data set including a first number of member samples. Step 22: determine the important decision-making layers and decision-independent layers among the plurality of intermediate layers, where an important decision-making layer has a greater influence on the decision result than a decision-independent layer. Step 23: retrain the target neural network model on each member sample in the training data set, with the retraining fixing the parameters of the decision-independent layers and making some neurons of the important decision-making layers stop working with a certain probability, so as to adjust the parameters of the important decision-making layers.
  • In step 21, a preliminarily trained target neural network model and a training data set are obtained.
  • the target neural network model includes a plurality of intermediate layers, and the training data set includes a first number of member samples. It is understandable that the above-mentioned preliminary training can adopt a conventional training method, and the above-mentioned training data set can be used to train the target neural network model.
  • the preliminary training adjusts the parameters of each intermediate layer in the target neural network model.
  • In step 22, the important decision-making layers and decision-independent layers among the plurality of intermediate layers are determined; the degree of influence of an important decision-making layer on the decision result is greater than that of a decision-independent layer.
  • the important decision-making layer can be one or more layers
  • the decision-independent layer can also be one or more layers.
  • the member samples and non-member samples are used as evaluation samples to form an evaluation data set; any evaluation sample is input into the target neural network model to obtain the output of each intermediate layer of the target neural network model.
  • each evaluation sample corresponds to n intermediate layer features, that is, n feature maps, denoted as M_1, M_2,..., M_n.
  • member samples refer to the samples in the training data set.
  • Non-member samples refer to samples outside the training data set.
  • The evaluation data set can be constructed in the following manner: extract a second number of member samples from the first number of member samples, the second number being less than the first number; obtain a third number of non-member samples, whose distribution is the same as that of the member samples; and use the second number of member samples and the third number of non-member samples as evaluation samples to form the evaluation data set.
  • each middle layer feature of the evaluation sample is used as the sample feature of the interpretable classifier, and whether the evaluation sample is a member sample is used as the sample label, and the interpretable classifier is trained;
  • the interpretable classifier determines the important decision-making layers and decision-independent layers in each intermediate layer.
  • For each intermediate layer, one autoencoder is trained; the autoencoder corresponding to each intermediate layer is used to reduce the dimensionality of the evaluation sample's feature from that intermediate layer.
  • After dimensionality reduction, each intermediate layer feature has dimension 1.
  • the intermediate output result of the autoencoder is used as the feature after dimensionality reduction.
  • the autoencoder is a type of artificial neural network used in unsupervised learning, and its function is to perform characterization learning on the input information by taking the input information as the learning target.
  • PCA (principal component analysis) is another dimensionality reduction technique.
  • the interpretable classifier is an interpretable model
  • the interpretable model refers to the decision-making method of the model that can be understood by human experts.
  • the interpretable classifier is a tree model or a logistic regression model.
  • the above-mentioned tree model is for example the Xgboost classifier.
  • the Xgboost classifier is a boosted tree model that integrates multiple tree models to form a powerful classifier.
  • The Xgboost classifier can identify the features that play an important role in its decision process; these features correspond to intermediate layer features of the target neural network model, so one can know which intermediate layer features the Xgboost classifier uses to decide whether an evaluation sample is a member sample, and these intermediate layer features are the ones that leak the model's private data.
  • the intermediate layer that the Xgboost classifier mainly relies on for decision-making can be defined as an important decision-making layer, and the remaining intermediate layers can be defined as decision-independent layers.
  • In step 23, the target neural network model is retrained on each member sample in the training data set; the retraining fixes the parameters of the decision-independent layers of the target neural network model and makes some neurons of the important decision-making layers stop working with a certain probability, so as to adjust the parameters of the important decision-making layers. It is understandable that this retraining process is equivalent to fine-tuning the model.
  • Dropout is a neural network regularization technique that prevents the model from overfitting by preventing complex co-adaptations of neurons on the training data.
  • the retraining is repeated.
  • the certain probability is 50 percent.
  • The target neural network model includes a plurality of intermediate layers, and the training data set includes a first number of member samples; the important decision-making layers and decision-independent layers among the plurality of intermediate layers are then determined, where the degree of influence of an important decision-making layer on the decision result is greater than that of a decision-independent layer; finally, the target neural network model is retrained on each member sample in the training data set, with the retraining fixing the parameters of the decision-independent layers and making some neurons of the important decision-making layers stop working with a certain probability, so as to adjust the parameters of the important decision-making layers.
  • After the preliminary training, the important decision-making layers and decision-independent layers are identified, and different parameter-adjustment strategies are applied to the two kinds of layers when the target neural network model is retrained: some neurons in the important decision-making layers stop working with a certain probability while the parameters of those layers are adjusted, so as to prevent an attacker from detecting the training data of the neural network model.
  • a training device for a neural network model that protects privacy and security is used to execute the method for training a neural network model that protects privacy and security provided in the embodiments of this specification.
  • Fig. 3 shows a schematic block diagram of a training device for a neural network model for protecting privacy and security according to an embodiment. As shown in FIG. 3, the device 300 includes: an obtaining unit 31, configured to obtain a preliminarily trained target neural network model and a training data set, the target neural network model including a plurality of intermediate layers and the training data set including a first number of member samples; a determining unit 32, configured to determine the important decision-making layers and decision-independent layers among the plurality of intermediate layers obtained by the obtaining unit 31, where the degree of influence of an important decision-making layer on the decision result is greater than that of a decision-independent layer; and a training unit 33, configured to retrain the target neural network model on each member sample in the training data set obtained by the obtaining unit 31, where the retraining fixes the parameters of the decision-independent layers of the target neural network model and makes some neurons of the important decision-making layers stop working with a certain probability, so as to adjust the parameters of the important decision-making layers.
  • the preliminary training adjusts the parameters of each intermediate layer in the target neural network model.
  • The determining unit 32 includes: a construction subunit for forming an evaluation data set using member samples and non-member samples as evaluation samples; a feature extraction subunit for inputting any evaluation sample obtained by the construction subunit into the target neural network model, so that each intermediate layer of the target neural network model outputs the intermediate layer features of that evaluation sample; and a determining subunit for determining the important decision-making layers and decision-independent layers among the intermediate layers according to the intermediate layer features obtained by the feature extraction subunit and whether the evaluation sample is a member sample.
  • The construction subunit is specifically configured to: extract a second number of member samples from the first number of member samples, the second number being less than the first number; obtain a third number of non-member samples whose distribution is the same as that of the member samples; and use the second number of member samples and the third number of non-member samples as evaluation samples to form the evaluation data set.
  • The determining subunit is specifically configured to: perform dimensionality reduction on each intermediate layer feature of the evaluation sample and use the result as the sample features of the interpretable classifier, use whether the evaluation sample is a member sample as the sample label, and train the interpretable classifier; and determine the important decision-making layers and decision-independent layers among the intermediate layers according to the trained interpretable classifier.
  • Performing dimensionality reduction on each intermediate layer feature of the evaluation sample includes: training one autoencoder for each intermediate layer; and using the autoencoder corresponding to each intermediate layer to reduce the dimensionality of the evaluation sample's feature from that intermediate layer.
  • the interpretable classifier is a tree model or a logistic regression model.
  • the device further includes: an update unit, configured to make the training unit 33 repeat the re-training after replacing the part of the neurons.
  • the certain probability is 50%.
  • The obtaining unit 31 obtains a preliminarily trained target neural network model and a training data set, the target neural network model including a plurality of intermediate layers and the training data set including a first number of member samples; the determining unit 32 then determines the important decision-making layers and decision-independent layers among the plurality of intermediate layers, where the degree of influence of an important decision-making layer on the decision result is greater than that of a decision-independent layer; finally, the training unit 33 retrains the target neural network model on each member sample in the training data set, with the retraining fixing the parameters of the decision-independent layers of the target neural network model and making some neurons of the important decision-making layers stop working with a certain probability, so as to adjust the parameters of the important decision-making layers.
  • It can be seen from the above that, in the embodiment of this specification, after the initial training of the target neural network model, the important decision-making layers and decision-independent layers are determined based on the performance of each intermediate layer, and different parameter-adjustment strategies are applied to the two kinds of layers when the target neural network model is retrained: some neurons in the important decision-making layers stop working with a certain probability while the parameters of those layers are adjusted, so as to prevent an attacker from detecting the training data of the neural network model.
  • a computer-readable storage medium having a computer program stored thereon, and when the computer program is executed in a computer, the computer is caused to execute the method described in conjunction with FIG. 2.
  • A computing device including a memory and a processor, the memory storing executable code, and the processor implementing the method described in conjunction with FIG. 2 when executing the executable code.

Abstract

Provided in the embodiments of the present description are a training method and device for a neural network model for protecting privacy and security. The method comprises: acquiring a preliminarily trained target neural network model and a training dataset, the target neural network model comprising multiple intermediary layers, the training dataset comprising a first number of member samples; determining a decision-making critical layer and a decision-making irrelevant layer, the degree of influence of the decision-making critical layer on a decision result being greater than the degree of influence of the decision-making irrelevant layer on the decision result; retraining the target neural network model on the basis of the member samples in the training dataset, the retraining fixing a parameter of the decision-making irrelevant layer of the target neural network model, thus allowing some neurons of the decision-making critical layer to stop working at a certain probability so as to adjust a parameter of the decision-making critical layer. This prevents an attacker from detecting training data of the neural network model.

Description

Training method and device of neural network model for protecting privacy and security

Technical field
One or more embodiments of this specification relate to the field of artificial intelligence, and in particular to a method and device for training a neural network model that protects privacy and security.

Background art
In the field of artificial intelligence, neural network models are widely deployed in various practical scenarios, such as face detection and product recommendation. While achieving high effectiveness and accuracy, a neural network model also over-memorizes the data in its training set, and this information can be detected by an attacker through specific techniques (such as membership inference attacks and model stealing attacks), leading to leakage of the training data. The training data may involve user privacy information.
Therefore, an improved scheme is desired that provides a method of training a neural network model that protects privacy and security, so as to prevent an attacker from detecting the training data of the neural network model.

Summary of the invention
One or more embodiments of this specification describe a method and device for training a neural network model that protects privacy and security, which can prevent an attacker from detecting the training data of the neural network model.
In a first aspect, a method for training a neural network model that protects privacy and security is provided. The method includes: obtaining a preliminarily trained target neural network model and a training data set, the target neural network model including a plurality of intermediate layers and the training data set including a first number of member samples; determining the important decision-making layers and decision-independent layers among the plurality of intermediate layers, where the degree of influence of an important decision-making layer on the decision result is greater than that of a decision-independent layer; and retraining the target neural network model on each member sample in the training data set, where the retraining fixes the parameters of the decision-independent layers of the target neural network model and makes some neurons of the important decision-making layers stop working with a certain probability, so as to adjust the parameters of the important decision-making layers.
In a possible implementation, the preliminary training adjusts the parameters of each intermediate layer in the target neural network model.
In a possible implementation, determining the important decision-making layers and decision-independent layers among the plurality of intermediate layers includes: using the member samples and non-member samples as evaluation samples to form an evaluation data set; inputting any evaluation sample into the target neural network model to obtain the intermediate layer features of that evaluation sample output by each intermediate layer of the target neural network model; and determining the important decision-making layers and decision-independent layers among the intermediate layers according to the intermediate layer features of the evaluation sample and whether the evaluation sample is a member sample.
Further, forming an evaluation data set using the member samples and non-member samples as evaluation samples includes: extracting a second number of member samples from the first number of member samples, the second number being smaller than the first number; obtaining a third number of non-member samples whose distribution is the same as that of the member samples; and using the second number of member samples and the third number of non-member samples as evaluation samples to form the evaluation data set.
Further, determining the important decision-making layers and decision-independent layers among the intermediate layers according to the intermediate layer features of the evaluation sample and whether the evaluation sample is a member sample includes: performing dimensionality reduction on each intermediate layer feature of the evaluation sample and using the result as the sample features of an interpretable classifier, using whether the evaluation sample is a member sample as the sample label, and training the interpretable classifier; and determining the important decision-making layers and decision-independent layers among the intermediate layers according to the trained interpretable classifier.
Further, performing dimensionality reduction on each intermediate layer feature of the evaluation sample includes: training one autoencoder for each intermediate layer; and using the autoencoder corresponding to each intermediate layer to reduce the dimensionality of the evaluation sample's feature from that intermediate layer.
进一步地,所述可解释分类器为树模型或逻辑回归模型。Further, the interpretable classifier is a tree model or a logistic regression model.
在一种可能的实施方式中,所述方法还包括:更换所述部分神经元后,再重复所述再次训练。In a possible implementation manner, the method further includes: repeating the re-training after replacing the part of the neurons.
在一种可能的实施方式中,所述一定概率为百分之50。In a possible implementation, the certain probability is 50%.
In a second aspect, a training device for a privacy-preserving neural network model is provided. The device includes: an acquisition unit, configured to obtain a preliminarily trained target neural network model and a training data set, the target neural network model including a plurality of intermediate layers and the training data set including a first number of member samples; a determining unit, configured to determine, among the plurality of intermediate layers obtained by the acquisition unit, decision-important layers and decision-independent layers, where the degree to which a decision-important layer influences the decision result is greater than the degree to which a decision-independent layer influences the decision result; and a training unit, configured to retrain the target neural network model on the member samples of the training data set obtained by the acquisition unit, the retraining keeping the parameters of the decision-independent layers fixed and adjusting the parameters of the decision-important layers while some of the neurons of the decision-important layers stop working with a certain probability.
In a third aspect, a computer-readable storage medium is provided, on which a computer program is stored; when the computer program is executed in a computer, it causes the computer to perform the method of the first aspect.
In a fourth aspect, a computing device is provided, including a memory and a processor, the memory storing executable code which, when executed by the processor, implements the method of the first aspect.
With the method and device provided by the embodiments of this specification, a preliminarily trained target neural network model and a training data set are first obtained, the target neural network model including a plurality of intermediate layers and the training data set including a first number of member samples; decision-important layers and decision-independent layers are then determined among the plurality of intermediate layers, the decision-important layers influencing the decision result to a greater degree than the decision-independent layers; finally, the target neural network model is retrained on the member samples of the training data set, the retraining keeping the parameters of the decision-independent layers fixed and adjusting the parameters of the decision-important layers while some of their neurons stop working with a certain probability. Thus, in the embodiments of this specification, after the preliminary training of the target neural network model, the decision-important and decision-independent layers are identified from the behaviour of each intermediate layer, and the target neural network model is retrained with a different parameter-tuning strategy for each kind of layer, so that some neurons of the decision-important layers stop working with a certain probability while those layers' parameters are adjusted. This prevents an attacker from probing the training data of the neural network model.
Description of the drawings
To explain the technical solutions of the embodiments of the present invention more clearly, the drawings needed in the description of the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention, and those of ordinary skill in the art can derive other drawings from them without creative effort.
Figure 1 is a schematic diagram of an implementation scenario of an embodiment disclosed in this specification;
Figure 2 shows a flowchart of a training method for a privacy-preserving neural network model according to an embodiment;
Figure 3 shows a schematic block diagram of a training device for a privacy-preserving neural network model according to an embodiment.
Detailed description
The solutions provided in this specification are described below with reference to the drawings.
Figure 1 is a schematic diagram of an implementation scenario of an embodiment disclosed in this specification. The scenario concerns the training of a privacy-preserving neural network model. Specifically, it is based on a white-box setting; it will be understood that in a white-box setting the structure and parameters of the neural network model are known. Referring to Figure 1, in the embodiments of this specification the target neural network model is first preliminarily trained in the conventional way on the member samples of the training data set, and the model is then subjected to a security review based on evaluation samples, each evaluation sample being either a member sample or a non-member sample. In the review, the intermediate-layer features that the target neural network model produces for an evaluation sample are extracted, an interpretable classifier is trained on those features and on whether the evaluation sample is a member sample, the interpretable classifier is analysed to determine the decision-important and decision-independent layers, and the target neural network model is then fine-tuned in a targeted way on the basis of that analysis, so as to prevent the model from leaking private information.
Figure 2 shows a flowchart of a training method for a privacy-preserving neural network model according to an embodiment; the method may be based on the implementation scenario shown in Figure 1. As shown in Figure 2, the training method of this embodiment includes the following steps: step 21, obtaining a preliminarily trained target neural network model and a training data set, the target neural network model including a plurality of intermediate layers and the training data set including a first number of member samples; step 22, determining, among the plurality of intermediate layers, decision-important layers and decision-independent layers, the decision-important layers influencing the decision result to a greater degree than the decision-independent layers; step 23, retraining the target neural network model on the member samples of the training data set, the retraining keeping the parameters of the decision-independent layers fixed and adjusting the parameters of the decision-important layers while some of their neurons stop working with a certain probability. The specific execution of each of these steps is described below.
First, in step 21, a preliminarily trained target neural network model and a training data set are obtained, the target neural network model including a plurality of intermediate layers and the training data set including a first number of member samples. It will be understood that the preliminary training may use a conventional training method, and that the training data set may be used to train the target neural network model.
In one example, the preliminary training adjusts the parameters of each intermediate layer of the target neural network model.
Then, in step 22, decision-important layers and decision-independent layers are determined among the plurality of intermediate layers, the decision-important layers influencing the decision result to a greater degree than the decision-independent layers. It will be understood that there may be one or more decision-important layers, and likewise one or more decision-independent layers.
In one example, the member samples and non-member samples are used as evaluation samples to form an evaluation data set; any evaluation sample is input into the target neural network model to obtain the intermediate-layer features of that evaluation sample output by each intermediate layer of the model; and the decision-important layers and decision-independent layers are determined according to the intermediate-layer features of the evaluation sample and whether the evaluation sample is a member sample.
It will be understood that if the target neural network model contains n intermediate layers, each evaluation sample corresponds to n intermediate-layer features, that is, n feature maps, denoted M_1, M_2, ..., M_n.
It will be understood that member samples are the samples in the training data set, and non-member samples are samples outside the training data set.
Further, the evaluation data set can be constructed as follows: a second number of member samples is drawn from the first number of member samples, the second number being smaller than the first number; a third number of non-member samples is obtained, the non-member samples having the same distribution as the member samples; and the second number of member samples and the third number of non-member samples are used as evaluation samples to form the evaluation data set.
Further, the intermediate-layer features of the evaluation sample are reduced in dimensionality and used as the sample features of an interpretable classifier, whether the evaluation sample is a member sample is used as the sample label, and the interpretable classifier is trained; the decision-important layers and decision-independent layers are then determined according to the trained interpretable classifier.
Further, one autoencoder is trained for each intermediate layer, and the autoencoder corresponding to each intermediate layer is used to reduce the dimensionality of that layer's intermediate-layer feature of the evaluation sample. Optionally, after the dimensionality reduction the intermediate-layer feature has dimension 1. The intermediate output of the autoencoder is used as the reduced feature.
An autoencoder is a type of artificial neural network used in unsupervised learning; it learns a representation of its input by using the input itself as the learning target.
In the embodiments of this specification, methods other than an autoencoder may also be used to reduce the dimensionality of the intermediate-layer features, for example principal component analysis (PCA).
An interpretable classifier is a kind of interpretable model, that is, a model whose way of making decisions can be understood by human experts.
In one example, the interpretable classifier is a tree model or a logistic regression model. An example of a tree model is the Xgboost classifier, a boosted tree model that integrates many trees into a powerful classifier. The Xgboost classifier can identify the features that play an important role in its decision process; each such feature corresponds to an intermediate-layer feature of the target neural network model, so it is possible to tell which intermediate-layer features the Xgboost classifier relies on to judge whether an evaluation sample is a member sample, and it is these intermediate-layer features that leak the model's private data. The intermediate layers on which the Xgboost classifier's decision mainly depends can be defined as decision-important layers, and the remaining intermediate layers as decision-independent layers.
Finally, in step 23, the target neural network model is retrained on the member samples of the training data set, the retraining keeping the parameters of the decision-independent layers fixed and adjusting the parameters of the decision-important layers while some of their neurons stop working with a certain probability. It will be understood that this retraining amounts to fine-tuning the model.
The embodiments of this specification are based on the Dropout principle. Dropout is a neural network regularization technique that prevents overfitting by preventing complex co-adaptations on the training data.
In one example, after replacing the part of the neurons, the retraining is repeated.
In one example, the certain probability is 50 percent.
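The procedure of steps 21 to 23, as an added example that is not code from the patent: a constructed stub stands in for the target network, PCA (which the specification names as an alternative to the per-layer autoencoder) reduces each layer's feature map to one value, a logistic regression plays the interpretable classifier, and the retraining policy freezes the decision-independent layers and stops neurons of the decision-important layers with probability 0.5. The importance threshold, the layer widths, the sample counts and all data are assumptions.

```python
"""Added example (not code from the patent): audit which intermediate layers of a
trained network leak training-set membership (steps 21-22) and derive the step-23
retraining policy. PCA, named in the specification as an alternative to the per-layer
autoencoder, does the reduction. The network, layer widths and samples are constructed."""
import math
import random

N_LAYERS = 3   # intermediate layers of the target network (constructed)
WIDTH = 16     # neurons per intermediate layer (constructed)
P_DROP = 0.5   # the specification's "certain probability"


def target_network(sample):
    """Constructed stand-in for the preliminarily trained target network: one feature
    map per intermediate layer for sample {"x": seed, "member": bool}. Layer 1 is
    modelled as overfit (shifted activations for members); layers 0 and 2 leak nothing."""
    rng = random.Random(sample["x"])
    maps = []
    for layer in range(N_LAYERS):
        shift = 0.75 if (layer == 1 and sample["member"]) else 0.0
        maps.append([rng.gauss(shift, 1.0) for _ in range(WIDTH)])
    return maps


def fit_pca1(vectors, iters=50):
    """Mean and first principal direction of one layer's feature maps (power iteration)."""
    d = len(vectors[0])
    mean = [sum(v[j] for v in vectors) / len(vectors) for j in range(d)]
    centred = [[v[j] - mean[j] for j in range(d)] for v in vectors]
    w = [1.0] * d
    for _ in range(iters):
        proj = [sum(a * b for a, b in zip(c, w)) for c in centred]
        w = [sum(p * c[j] for p, c in zip(proj, centred)) for j in range(d)]
        norm = math.sqrt(sum(a * a for a in w)) or 1.0
        w = [a / norm for a in w]
    return mean, w


def layer_features(eval_set, network):
    """Per evaluation sample: one reduced, standardized feature per intermediate layer
    (the interpretable classifier's inputs) plus the membership label."""
    maps = [network(s) for s, _ in eval_set]
    rows = [[0.0] * N_LAYERS for _ in maps]
    for layer in range(N_LAYERS):
        mean, w = fit_pca1([m[layer] for m in maps])
        col = [sum((a - mu) * b for a, mu, b in zip(m[layer], mean, w)) for m in maps]
        std = math.sqrt(sum(v * v for v in col) / len(col)) or 1.0  # col has mean 0
        for row, v in zip(rows, col):
            row[layer] = v / std
    return rows, [label for _, label in eval_set]


def train_logistic(x, y, epochs=300, lr=0.5):
    """Interpretable classifier: logistic regression fitted by batch gradient descent
    on the per-layer features; the label is whether the sample is a member."""
    w, b = [0.0] * len(x[0]), 0.0
    for _ in range(epochs):
        gw, gb = [0.0] * len(w), 0.0
        for xi, yi in zip(x, y):
            p = 1.0 / (1.0 + math.exp(-(b + sum(a * c for a, c in zip(w, xi)))))
            gw = [g + (p - yi) * c for g, c in zip(gw, xi)]
            gb += p - yi
        w = [a - lr * g / len(x) for a, g in zip(w, gw)]
        b -= lr * gb / len(x)
    return w, b


def split_layers(weights, share=0.5):
    """Layers whose |weight| reaches `share` of the largest |weight| are decision-
    important; the rest are decision-independent (the threshold is an assumption)."""
    top = max(abs(w) for w in weights)
    important = [i for i, w in enumerate(weights) if abs(w) >= share * top]
    return important, [i for i in range(len(weights)) if i not in important]


def retraining_plan(important, seed, p=P_DROP):
    """Step 23 policy for one retraining pass: decision-independent layers are frozen;
    in decision-important layers each neuron stops working with probability p. A new
    seed redraws the masks, i.e. replaces the stopped neurons before repeating."""
    rng = random.Random(seed)
    plan = []
    for layer in range(N_LAYERS):
        if layer in important:
            mask = [0 if rng.random() < p else 1 for _ in range(WIDTH)]
            plan.append({"trainable": True, "mask": mask})
        else:
            plan.append({"trainable": False, "mask": [1] * WIDTH})
    return plan


def audit(seed=7):
    """Steps 21-22 on constructed data; returns (weights, important, independent)."""
    rng = random.Random(seed)
    members = [{"x": i, "member": True} for i in range(400)]  # first number
    non_members = [{"x": 10000 + i, "member": False} for i in range(100)]  # third number
    eval_set = [(s, 1) for s in rng.sample(members, 100)] + [(s, 0) for s in non_members]
    x, y = layer_features(eval_set, target_network)  # 100 = second number < first
    weights, _ = train_logistic(x, y)
    important, independent = split_layers(weights)
    return weights, important, independent
```

Calling `audit()` returns the classifier's per-layer weights and the layer split; with this constructed network only layer 1 comes out as decision-important, and `retraining_plan(important, seed)` then yields a mask of all ones with `trainable` false for layers 0 and 2.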
With the method provided by the embodiments of this specification, a preliminarily trained target neural network model and a training data set are first obtained, the target neural network model including a plurality of intermediate layers and the training data set including a first number of member samples; decision-important layers and decision-independent layers are then determined among the plurality of intermediate layers, the decision-important layers influencing the decision result to a greater degree than the decision-independent layers; finally, the target neural network model is retrained on the member samples of the training data set, the retraining keeping the parameters of the decision-independent layers fixed and adjusting the parameters of the decision-important layers while some of their neurons stop working with a certain probability. Thus, in the embodiments of this specification, after the preliminary training of the target neural network model, the decision-important and decision-independent layers are identified from the behaviour of each intermediate layer, and the target neural network model is retrained with a different parameter-tuning strategy for each kind of layer, so that some neurons of the decision-important layers stop working with a certain probability while those layers' parameters are adjusted. This prevents an attacker from probing the training data of the neural network model.
According to an embodiment of another aspect, a training device for a privacy-preserving neural network model is also provided; the device is used to perform the training method for a privacy-preserving neural network model provided by the embodiments of this specification. Figure 3 shows a schematic block diagram of a training device for a privacy-preserving neural network model according to an embodiment. As shown in Figure 3, the device 300 includes: an acquisition unit 31, configured to obtain a preliminarily trained target neural network model and a training data set, the target neural network model including a plurality of intermediate layers and the training data set including a first number of member samples; a determining unit 32, configured to determine, among the plurality of intermediate layers obtained by the acquisition unit 31, decision-important layers and decision-independent layers, the decision-important layers influencing the decision result to a greater degree than the decision-independent layers; and a training unit 33, configured to retrain the target neural network model on the member samples of the training data set obtained by the acquisition unit 31, the retraining keeping the parameters of the decision-independent layers fixed and adjusting the parameters of the decision-important layers while some of their neurons stop working with a certain probability.
Optionally, as an embodiment, the preliminary training adjusts the parameters of each intermediate layer of the target neural network model.
Optionally, as an embodiment, the determining unit 32 includes: a construction subunit, configured to form an evaluation data set from the member samples and non-member samples as evaluation samples; a feature extraction subunit, configured to input any evaluation sample obtained by the construction subunit into the target neural network model and obtain the intermediate-layer features of that evaluation sample output by each intermediate layer of the model; and a determining subunit, configured to determine the decision-important layers and decision-independent layers according to the intermediate-layer features of the evaluation sample obtained by the feature extraction subunit and whether the evaluation sample is a member sample.
Further, the construction subunit is specifically configured to: draw a second number of member samples from the first number of member samples, the second number being smaller than the first number; obtain a third number of non-member samples, the non-member samples having the same distribution as the member samples; and form the evaluation data set from the second number of member samples and the third number of non-member samples as evaluation samples.
Further, the determining subunit is specifically configured to: reduce the dimensionality of the intermediate-layer features of the evaluation sample and use the result as the sample features of an interpretable classifier, use whether the evaluation sample is a member sample as the sample label, and train the interpretable classifier; and determine the decision-important layers and decision-independent layers according to the trained interpretable classifier.
Further, reducing the dimensionality of each intermediate-layer feature of the evaluation sample includes: training one autoencoder for each intermediate layer; and using the autoencoder corresponding to each intermediate layer to reduce the dimensionality of that layer's intermediate-layer feature of the evaluation sample.
Further, the interpretable classifier is a tree model or a logistic regression model.
Optionally, as an embodiment, the device further includes: an update unit, configured to replace the part of the neurons and then cause the training unit 33 to repeat the retraining.
Optionally, as an embodiment, the certain probability is 50 percent.
With the device provided by the embodiments of this specification, the acquisition unit 31 first obtains a preliminarily trained target neural network model and a training data set, the target neural network model including a plurality of intermediate layers and the training data set including a first number of member samples; the determining unit 32 then determines decision-important layers and decision-independent layers among the plurality of intermediate layers, the decision-important layers influencing the decision result to a greater degree than the decision-independent layers; finally, the training unit 33 retrains the target neural network model on the member samples of the training data set, the retraining keeping the parameters of the decision-independent layers fixed and adjusting the parameters of the decision-important layers while some of their neurons stop working with a certain probability. Thus, in the embodiments of this specification, after the preliminary training of the target neural network model, the decision-important and decision-independent layers are identified from the behaviour of each intermediate layer, and the target neural network model is retrained with a different parameter-tuning strategy for each kind of layer, so that some neurons of the decision-important layers stop working with a certain probability while those layers' parameters are adjusted. This prevents an attacker from probing the training data of the neural network model.
According to an embodiment of another aspect, a computer-readable storage medium is also provided, on which a computer program is stored; when the computer program is executed in a computer, it causes the computer to perform the method described with reference to Figure 2.
According to an embodiment of yet another aspect, a computing device is also provided, including a memory and a processor, the memory storing executable code which, when executed by the processor, implements the method described with reference to Figure 2.
Those skilled in the art will appreciate that, in one or more of the examples above, the functions described in the present invention may be implemented in hardware, software, firmware or any combination of them. When implemented in software, these functions may be stored in a computer-readable medium or transmitted as one or more instructions or code on a computer-readable medium.
The specific embodiments described above further explain the purpose, technical solutions and beneficial effects of the present invention in detail. It should be understood that the above are only specific embodiments of the present invention and are not intended to limit its scope of protection; any modification, equivalent replacement, improvement and the like made on the basis of the technical solution of the present invention shall fall within the scope of protection of the present invention.

Claims (20)

  1. A method for training a privacy-preserving neural network model, the method comprising:
    obtaining a preliminarily trained target neural network model and a training data set, the target neural network model including a plurality of intermediate layers and the training data set including a first number of member samples;
    determining, among the plurality of intermediate layers, decision-important layers and decision-independent layers, wherein the degree to which a decision-important layer influences the decision result is greater than the degree to which a decision-independent layer influences the decision result;
    retraining the target neural network model on the member samples of the training data set, wherein the retraining keeps the parameters of the decision-independent layers fixed and adjusts the parameters of the decision-important layers while some of the neurons of the decision-important layers stop working with a certain probability.
  2. The method of claim 1, wherein the preliminary training adjusts the parameters of each intermediate layer of the target neural network model.
  3. The method of claim 1, wherein determining the decision-important layers and decision-independent layers among the plurality of intermediate layers comprises:
    forming an evaluation data set from the member samples and non-member samples as evaluation samples;
    inputting any evaluation sample into the target neural network model to obtain the intermediate-layer features of that evaluation sample output by each intermediate layer of the target neural network model;
    determining the decision-important layers and decision-independent layers according to the intermediate-layer features of the evaluation sample and whether the evaluation sample is a member sample.
  4. The method of claim 3, wherein forming the evaluation data set from the member samples and non-member samples as evaluation samples comprises:
    drawing a second number of member samples from the first number of member samples, the second number being smaller than the first number;
    obtaining a third number of non-member samples, the non-member samples having the same distribution as the member samples;
    forming the evaluation data set from the second number of member samples and the third number of non-member samples as evaluation samples.
  5. The method of claim 3, wherein determining the decision-important layers and decision-independent layers according to the intermediate-layer features of the evaluation sample and whether the evaluation sample is a member sample comprises:
    reducing the dimensionality of the intermediate-layer features of the evaluation sample and using the result as the sample features of an interpretable classifier, using whether the evaluation sample is a member sample as the sample label, and training the interpretable classifier;
    determining the decision-important layers and decision-independent layers according to the trained interpretable classifier.
  6. The method of claim 5, wherein reducing the dimensionality of the intermediate-layer features of the evaluation sample comprises:
    针对每一个中间层,训练一个自编码器;For each intermediate layer, train an autoencoder;
    利用各中间层对应的自编码器对评测样本的该中间层的中间层特征进行降维处理。The self-encoder corresponding to each intermediate layer is used to perform dimensionality reduction processing on the intermediate layer features of the intermediate layer of the evaluation sample.
  7. 如权利要求5所述的方法,其中,所述可解释分类器为树模型或逻辑回归模型。The method of claim 5, wherein the interpretable classifier is a tree model or a logistic regression model.
  8. 如权利要求1所述的方法,其中,所述方法还包括:The method of claim 1, wherein the method further comprises:
    更换所述部分神经元后,再重复所述再次训练。After replacing some of the neurons, repeat the training again.
  9. 如权利要求1所述的方法,其中,所述一定概率为百分之50。The method of claim 1, wherein the certain probability is 50 percent.
  10. 一种保护隐私安全的神经网络模型的训练装置,所述装置包括:A training device for a neural network model that protects privacy and safety, the device includes:
    获取单元,用于获取初步训练的目标神经网络模型和训练数据集,所述目标神经网络模型包括多个中间层,所述训练数据集包括第一数量个成员样本;An obtaining unit, configured to obtain a preliminary training target neural network model and a training data set, the target neural network model includes a plurality of intermediate layers, and the training data set includes a first number of member samples;
    确定单元,用于确定所述获取单元获取的所述多个中间层中的决策重要层和决策无关层,所述决策重要层对决策结果的影响程度大于所述决策无关层对决策结果的影响程度;The determining unit is configured to determine the important decision-making layer and the decision-independent layer among the plurality of intermediate layers acquired by the acquiring unit, and the degree of influence of the important decision-making layer on the decision result is greater than that of the decision-independent layer degree;
    训练单元,用于根据所述获取单元获取的所述训练数据集中的各成员样本,对所述目标神经网络模型进行再次训练,所述再次训练固定所述目标神经网络模型的决策无关层的参数,使决策重要层的部分神经元以一定概率停止工作调整决策重要层的参数。The training unit is configured to retrain the target neural network model according to the member samples in the training data set acquired by the acquisition unit, and the retraining fixes the parameters of the decision-independent layer of the target neural network model , To make some neurons of the important decision-making layer stop working with a certain probability to adjust the parameters of the important decision-making layer.
  11. 如权利要求10所述的装置,其中,所述初步训练调整所述目标神经网络模型中各中间层的参数。The device of claim 10, wherein the preliminary training adjusts the parameters of each intermediate layer in the target neural network model.
  12. 如权利要求10所述的装置,其中,所述确定单元,包括:The apparatus according to claim 10, wherein the determining unit comprises:
    构建子单元,用于将所述成员样本和非成员样本作为评测样本组成评测数据集;Constructing a sub-unit for forming an evaluation data set using the member samples and non-member samples as evaluation samples;
    特征提取子单元,用于将所述构建子单元得到的任一评测样本输入所述目标神经网络模型,得到所述目标神经网络模型的各中间层分别输出的该评测样本的各中间层特征;The feature extraction subunit is configured to input any evaluation sample obtained by the constructing subunit into the target neural network model to obtain each intermediate layer feature of the evaluation sample respectively output by each intermediate layer of the target neural network model;
    确定子单元,用于根据所述特征提取子单元得到的评测样本的各中间层特征,以及该评测样本是否为成员样本,确定各中间层中的决策重要层和决策无关层。The determining subunit is used to determine the important decision-making layer and the decision-independent layer in each intermediate layer according to the features of each intermediate layer of the evaluation sample obtained by the feature extraction subunit, and whether the evaluation sample is a member sample.
  13. 如权利要求12所述的装置,其中,所述构建子单元,具体用于:The device according to claim 12, wherein the construction subunit is specifically used for:
    从所述第一数量个成员样本中抽取第二数量个成员样本;所述第二数量小于所述第一数量;Extract a second number of member samples from the first number of member samples; the second number is less than the first number;
    获取第三数量个非成员样本,所述非成员样本的分布与所述成员样本的分布相同;Obtaining a third number of non-member samples, where the distribution of the non-member samples is the same as the distribution of the member samples;
    所述第二数量个成员样本和所述第三数量个非成员样本作为评测样本组成评测数 据集。The second number of member samples and the third number of non-member samples are used as evaluation samples to form an evaluation data set.
  14. 如权利要求12所述的装置,其中,所述确定子单元,具体用于:The device according to claim 12, wherein the determining subunit is specifically configured to:
    将评测样本的各中间层特征进行降维处理后作为可解释分类器的样本特征,将该评测样本是否为成员样本作为样本标签,对所述可解释分类器进行训练;Performing dimensionality reduction processing on each middle layer feature of the evaluation sample as the sample feature of the interpretable classifier, and training the interpretable classifier whether the evaluation sample is a member sample as a sample label;
    根据训练后的可解释分类器,确定各中间层中的决策重要层和决策无关层。According to the interpretable classifier after training, determine the important decision-making layer and decision-independent layer in each intermediate layer.
  15. 如权利要求14所述的装置,其中,所述将评测样本的各中间层特征进行降维处理,包括:The device according to claim 14, wherein said performing dimensionality reduction processing on each intermediate layer feature of the evaluation sample comprises:
    针对每一个中间层,训练一个自编码器;For each intermediate layer, train an autoencoder;
    利用各中间层对应的自编码器对评测样本的该中间层的中间层特征进行降维处理。The self-encoder corresponding to each intermediate layer is used to perform dimensionality reduction processing on the intermediate layer features of the intermediate layer of the evaluation sample.
  16. 如权利要求14所述的装置,其中,所述可解释分类器为树模型或逻辑回归模型。The device of claim 14, wherein the interpretable classifier is a tree model or a logistic regression model.
  17. 如权利要求10所述的装置,其中,所述装置还包括:The device of claim 10, wherein the device further comprises:
    更新单元,用于更换所述部分神经元后,再使所述训练单元重复所述再次训练。The update unit is used to make the training unit repeat the re-training after replacing the part of the neurons.
  18. 如权利要求10所述的装置,其中,所述一定概率为百分之50。The apparatus of claim 10, wherein the certain probability is 50 percent.
  19. 一种计算机可读存储介质,其上存储有计算机程序,当所述计算机程序在计算机中执行时,令计算机执行权利要求1-9中任一项所述的方法。A computer-readable storage medium having a computer program stored thereon, and when the computer program is executed in a computer, the computer is caused to execute the method according to any one of claims 1-9.
  20. 一种计算设备,包括存储器和处理器,所述存储器中存储有可执行代码,所述处理器执行所述可执行代码时,实现权利要求1-9中任一项所述的方法。A computing device includes a memory and a processor, the memory stores executable code, and when the processor executes the executable code, the method according to any one of claims 1-9 is implemented.
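As an added illustration (not the patent's own code), the layer-selection and retraining steps of claims 3 to 9 in plain Python: a constructed evaluation set stands in for the autoencoder-reduced intermediate-layer features, a logistic regression plays the interpretable classifier, the mean absolute classifier weight per layer ranks the layers, and the retraining plan freezes the decision-irrelevant layers while stopping neurons of the decision-important layers with 50% probability. The three-feature layer width, the cutoff at half the top layer score and the seeded sample generator are assumptions, not values from the claims.

```python
import math
import random
# Constructed example: 3 intermediate layers, each already reduced to 3 features by its autoencoder (assumed done).
LAYER_DIMS = [3, 3, 3]

def make_eval_set(n_members=60, n_non_members=60, leaky_layer=1, seed=7):
    """Constructed evaluation set; only `leaky_layer` shifts member features (i.e. leaks membership)."""
    rng = random.Random(seed)
    feats, labels = [], []
    for label, n in ((1, n_members), (0, n_non_members)):
        for _ in range(n):
            row = []
            for layer, dim in enumerate(LAYER_DIMS):
                shift = 2.0 if (layer == leaky_layer and label == 1) else 0.0
                row += [rng.gauss(shift, 1.0) for _ in range(dim)]
            feats.append(row)
            labels.append(label)
    return feats, labels

def train_logreg(feats, labels, lr=0.1, epochs=200):
    """Interpretable membership classifier: logistic regression fitted by batch gradient descent."""
    n = len(feats[0])
    w, b = [0.0] * n, 0.0
    for _ in range(epochs):
        gw, gb = [0.0] * n, 0.0
        for x, y in zip(feats, labels):
            p = 1.0 / (1.0 + math.exp(-(sum(wj * xj for wj, xj in zip(w, x)) + b)))
            gw = [g + (p - y) * xj for g, xj in zip(gw, x)]
            gb += p - y
        w = [wj - lr * g / len(feats) for wj, g in zip(w, gw)]
        b -= lr * gb / len(feats)
    return w, b

def layer_scores(w):
    """Mean |weight| per layer: how strongly that layer's features drive the member/non-member decision."""
    scores, start = [], 0
    for dim in LAYER_DIMS:
        scores.append(sum(abs(wj) for wj in w[start:start + dim]) / dim)
        start += dim
    return scores

def split_layers(scores, ratio=0.5):
    """Layers scoring >= ratio * top score are decision-important (cutoff assumed); the rest are decision-irrelevant."""
    cutoff = ratio * max(scores)
    important = [i for i, s in enumerate(scores) if s >= cutoff]
    return important, [i for i in range(len(scores)) if i not in important]

def retrain_plan(important, neurons_per_layer, p_drop=0.5, seed=7):
    """One retraining pass: decision-irrelevant layers frozen and fully active; important layers trainable, neurons stopped at p_drop."""
    rng, plan = random.Random(seed), {}
    for layer, n in enumerate(neurons_per_layer):
        trainable = layer in important
        mask = [0 if trainable and rng.random() < p_drop else 1 for _ in range(n)]
        plan[layer] = {"trainable": trainable, "active_neurons": mask}
    return plan
```

Claim 8's repetition is a fresh call to `retrain_plan` with a different seed, so a different subset of neurons in the decision-important layers is stopped on each pass.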
PCT/CN2020/103605 2019-11-19 2020-07-22 Training method and device for neural network model for protecting privacy and security WO2021098255A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201911137260.2A CN110874471B (en) 2019-11-19 2019-11-19 Privacy and safety protection neural network model training method and device
CN201911137260.2 2019-11-19

Publications (1)

Publication Number Publication Date
WO2021098255A1 true WO2021098255A1 (en) 2021-05-27

Family

ID=69717119

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/103605 WO2021098255A1 (en) 2019-11-19 2020-07-22 Training method and device for neural network model for protecting privacy and security

Country Status (3)

Country Link
CN (1) CN110874471B (en)
TW (1) TWI745958B (en)
WO (1) WO2021098255A1 (en)


Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110874471B (en) * 2019-11-19 2021-02-23 支付宝(杭州)信息技术有限公司 Privacy and safety protection neural network model training method and device
CN112416753A (en) * 2020-11-02 2021-02-26 中关村科学城城市大脑股份有限公司 Method, system and equipment for standardized management of urban brain application scene data
CN112100628B (en) * 2020-11-16 2021-02-05 支付宝(杭州)信息技术有限公司 Method and device for protecting safety of neural network model

Citations (5)

Publication number Priority date Publication date Assignee Title
CN104504441A (en) * 2014-12-09 2015-04-08 河海大学 Method and device for constructing MADALINE neural network based on sensitivity
US20170024642A1 (en) * 2015-03-13 2017-01-26 Deep Genomics Incorporated System and method for training neural networks
CN107368752A (en) * 2017-07-25 2017-11-21 北京工商大学 A kind of depth difference method for secret protection based on production confrontation network
CN108776836A (en) * 2018-06-08 2018-11-09 电子科技大学 A kind of training of the secret protection neural network based on VHE and prediction technique
CN110874471A (en) * 2019-11-19 2020-03-10 支付宝(杭州)信息技术有限公司 Privacy and safety protection neural network model training method and device

Family Cites Families (6)

Publication number Priority date Publication date Assignee Title
CN109309652B (en) * 2017-07-28 2020-06-09 创新先进技术有限公司 Method and device for training model
US10999247B2 (en) * 2017-10-24 2021-05-04 Nec Corporation Density estimation network for unsupervised anomaly detection
CN108520303A (en) * 2018-03-02 2018-09-11 阿里巴巴集团控股有限公司 A kind of recommendation system building method and device
WO2020062165A1 (en) * 2018-09-29 2020-04-02 区链通网络有限公司 Method, node and system for training reinforcement learning model, and storage medium
CN110008696A (en) * 2019-03-29 2019-07-12 武汉大学 A kind of user data Rebuilding Attack method towards the study of depth federation
CN110262855B (en) * 2019-05-28 2022-03-29 东华大学 Member presumption attack prototype system based on background information in Internet of vehicles

Cited By (3)

Publication number Priority date Publication date Assignee Title
CN113283537A (en) * 2021-06-11 2021-08-20 浙江工业大学 Method and device for protecting privacy of depth model based on parameter sharing and oriented to member reasoning attack
CN113283537B (en) * 2021-06-11 2024-03-26 浙江工业大学 Method and device for protecting privacy of depth model based on parameter sharing and oriented to membership inference attack
WO2023174099A1 (en) * 2022-03-18 2023-09-21 北京有竹居网络技术有限公司 Recommendation model training method, item recommendation method and system, and related device

Also Published As

Publication number Publication date
CN110874471B (en) 2021-02-23
TW202121263A (en) 2021-06-01
TWI745958B (en) 2021-11-11
CN110874471A (en) 2020-03-10

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20890045

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 20890045

Country of ref document: EP

Kind code of ref document: A1