WO2021114911A1 - User risk assessment method and apparatus, electronic device, and storage medium - Google Patents


Publication number
WO2021114911A1
Authority
WO
WIPO (PCT)
Prior art keywords
sample data
target sample
target
data
teacher
Prior art date
Application number
PCT/CN2020/124013
Other languages
French (fr)
Chinese (zh)
Inventor
陈岑
Original Assignee
支付宝(杭州)信息技术有限公司
Priority date
Filing date
Publication date
Application filed by 支付宝(杭州)信息技术有限公司
Publication of WO2021114911A1 publication Critical patent/WO2021114911A1/en

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q10/00Administration; Management
    • G06Q10/06Resources, workflows, human or project management; Enterprise or organisation planning; Enterprise or organisation modelling
    • G06Q10/063Operations research, analysis or management
    • G06Q10/0635Risk analysis of enterprise or organisation activities
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q10/00Administration; Management
    • G06Q10/06Resources, workflows, human or project management; Enterprise or organisation planning; Enterprise or organisation modelling
    • G06Q10/063Operations research, analysis or management
    • G06Q10/0639Performance analysis of employees; Performance analysis of enterprise or organisation operations
    • G06Q10/06393Score-carding, benchmarking or key performance indicator [KPI] analysis
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q50/00Information and communication technology [ICT] specially adapted for implementation of business processes of specific business sectors, e.g. utilities or tourism
    • G06Q50/10Services
    • G06Q50/20Education
    • G06Q50/205Education administration or guidance

Definitions

  • One or more embodiments of this specification relate to the field of artificial intelligence technology, and in particular to a user risk assessment method and device, electronic equipment, and storage medium.
  • Risk control means that risk managers take various measures and methods to eliminate or reduce the possibility of risk events occurring, or to reduce the losses caused when risk events do occur. By accurately identifying potential user risks, companies can improve the security protection capabilities of themselves and their partners and contribute to business growth.
  • One or more embodiments of this specification provide a user risk assessment method and device, electronic equipment, and storage medium.
  • In a first aspect, a user risk assessment method is provided, which includes: inputting the behavior information of a user of a target partner into a student risk control model corresponding to the target partner;
  • the student risk control model is obtained by performing knowledge distillation on target sample data of the target partner, based on the soft label value of the target sample data and the risk label value originally marked on the target sample data, which serves as the hard label value;
  • the soft label value is obtained by integrating, in a trusted execution environment, the prediction results of multiple teacher risk control models for the target sample data;
  • each teacher risk control model is decrypted in the trusted execution environment and is obtained by training on the corresponding sample data of another partner, where any piece of sample data contains behavior information marked with a risk label value; and the risk score of the user is determined according to the output result of the student risk control model.
  • In a second aspect, a knowledge transfer method based on a machine learning model is provided, which includes: obtaining teacher networks of multiple source fields and target sample data of the target field, and reading the obtained teacher networks into a trusted execution environment for decryption, each teacher network having been obtained by training on the sample data of its respective source field; in the trusted execution environment, inputting the target sample data into each teacher network to obtain each teacher network's prediction result for the target sample data, and integrating the obtained prediction results to obtain the soft label value corresponding to the target sample data; and performing knowledge distillation on the target sample data based on the soft label value and the hard label value originally marked on the target sample data, to obtain a student network of the target field.
  • In a third aspect, a knowledge transfer method based on a machine learning model is provided, which includes: obtaining teacher networks of multiple source fields and target sample data of the target field, and reading the obtained teacher networks into a trusted execution environment for decryption, each teacher network having been obtained by training on the sample data of its respective source field; in the trusted execution environment, inputting the target sample data into each teacher network to obtain each teacher network's prediction result for the target sample data, integrating the obtained prediction results to obtain the soft label value corresponding to the target sample data, and encrypting the soft label value; and returning the encrypted soft label value to the provider of the target sample data, so that the provider decrypts the received soft label value and, based on the decrypted soft label value and the hard label value originally marked on the target sample data, performs knowledge distillation on the target sample data to obtain a student network of the target field.
  • In a fourth aspect, a knowledge transfer method based on a machine learning model is provided, which includes: sending target sample data to a maintainer of a trusted execution environment, so that in the trusted execution environment the maintainer inputs the target sample data into teacher networks of multiple source fields to obtain each teacher network's prediction result for the target sample data, and integrates the obtained prediction results to obtain the soft label value corresponding to the target sample data;
  • each teacher network is obtained by training on the sample data of its respective source field and is decrypted in the trusted execution environment; and receiving the encrypted soft label value returned by the maintainer, decrypting the received soft label value, and performing knowledge distillation on the target sample data based on the decrypted soft label value and the hard label value originally marked on the target sample data, to obtain a student network of the target field.
  • A user risk assessment device is also provided, which includes: an information input unit, which inputs the behavior information of a user of a target partner into a student risk control model corresponding to the target partner; the student risk control model is obtained by performing knowledge distillation on target sample data of the target partner, based on the soft label value of the target sample data and the risk label value originally marked on the target sample data, which serves as the hard label value.
  • The soft label value is obtained by integrating, in a trusted execution environment, the prediction results of multiple teacher risk control models for the target sample data, and each teacher risk control model is decrypted in the trusted execution environment.
  • Each teacher risk control model is obtained by training on the corresponding sample data of another partner, where any piece of sample data contains behavior information marked with a risk label value; and a risk assessment unit, which determines the risk score of the user according to the output result of the student risk control model.
  • A knowledge transfer device based on a machine learning model is also provided, which includes: an acquiring unit, which obtains teacher networks of multiple source fields and target sample data of the target field, and reads the obtained teacher networks into a trusted execution environment for decryption, each teacher network having been obtained by training on the sample data of its respective source field;
  • an integration unit, which, in the trusted execution environment, inputs the target sample data into each teacher network to obtain each teacher network's prediction result for the target sample data, and integrates the obtained prediction results to obtain the soft label value corresponding to the target sample data;
  • a training unit, which performs knowledge distillation on the target sample data based on the soft label value and the hard label value originally marked on the target sample data, to obtain a student network of the target field.
  • Another knowledge transfer device based on a machine learning model is also provided, which includes: an acquiring unit, which obtains teacher networks of multiple source fields and target sample data of the target field, and reads the obtained teacher networks into a trusted execution environment for decryption, each teacher network having been obtained by training on the sample data of its respective source field;
  • an integration unit, which, in the trusted execution environment, inputs the target sample data into each teacher network to obtain each teacher network's prediction result for the target sample data, integrates the obtained prediction results to obtain the soft label value corresponding to the target sample data, and encrypts the soft label value;
  • a returning unit, which returns the encrypted soft label value to the provider of the target sample data, so that the provider decrypts the received soft label value and, based on the decrypted soft label value and the hard label value originally marked on the target sample data, performs knowledge distillation on the target sample data to obtain a student network of the target field.
  • Another knowledge transfer device based on a machine learning model is also provided, including: a sending unit, which sends target sample data to a maintainer of a trusted execution environment, so that in the trusted execution environment the maintainer inputs the target sample data into teacher networks of multiple source fields to obtain each teacher network's prediction result for the target sample data, and integrates the obtained prediction results to obtain the soft label value corresponding to the target sample data, where each teacher network is obtained by training on the sample data of its respective source field and is decrypted in the trusted execution environment; and a training unit, which receives the encrypted soft label value returned by the maintainer, decrypts the received soft label value, and performs knowledge distillation on the target sample data based on the decrypted soft label value and the hard label value originally marked on the target sample data, to obtain a student network of the target field.
  • An electronic device is also provided, including: a processor; and a memory for storing instructions executable by the processor; wherein the processor runs the executable instructions to implement the user risk assessment method described in the first aspect above.
  • An electronic device is also provided, including: a processor; and a memory for storing instructions executable by the processor; wherein the processor runs the executable instructions to implement the knowledge transfer method based on the machine learning model described in the second aspect above.
  • An electronic device is also provided, including: a processor; and a memory for storing instructions executable by the processor; wherein the processor runs the executable instructions to implement the knowledge transfer method based on the machine learning model described in the third aspect above.
  • An electronic device is also provided, including: a processor; and a memory for storing instructions executable by the processor; wherein the processor runs the executable instructions to implement the knowledge transfer method based on the machine learning model described in the fourth aspect above.
  • A computer-readable storage medium is also provided, having computer instructions stored thereon which, when executed by a processor, implement the steps of the user risk assessment method described in the first aspect above.
  • According to a fourteenth aspect of the embodiments of the present disclosure, a computer-readable storage medium is provided, having computer instructions stored thereon which, when executed by a processor, implement the steps of the knowledge transfer method based on the machine learning model described in the second aspect above.
  • A computer-readable storage medium is also provided, having computer instructions stored thereon which, when executed by a processor, implement the steps of the knowledge transfer method based on the machine learning model described in the third aspect above.
  • A computer-readable storage medium is also provided, having computer instructions stored thereon which, when executed by a processor, implement the steps of the knowledge transfer method based on the machine learning model described in the fourth aspect above.
  • Fig. 1 is a schematic structural diagram of a knowledge transfer system based on a machine learning model provided by an exemplary embodiment.
  • Fig. 2 is a flowchart of a method for knowledge transfer based on a machine learning model provided by an exemplary embodiment.
  • Fig. 3 is a flowchart of another method for knowledge transfer based on a machine learning model provided by an exemplary embodiment.
  • Fig. 4 is a flowchart of another method for knowledge transfer based on a machine learning model provided by an exemplary embodiment.
  • Fig. 5 is a flowchart of a user risk assessment method provided by an exemplary embodiment.
  • Fig. 6 is a flowchart of issuing public and private keys of a digital envelope according to an exemplary embodiment.
  • Fig. 7 is an interaction diagram of a method for knowledge transfer based on a machine learning model provided by an exemplary embodiment.
  • Fig. 8 is a schematic structural diagram of a device provided by an exemplary embodiment.
  • Fig. 9 is a block diagram of a user risk assessment device provided by an exemplary embodiment.
  • Fig. 10 is a schematic structural diagram of another device provided by an exemplary embodiment.
  • Fig. 11 is a block diagram of a device for knowledge transfer based on a machine learning model provided by an exemplary embodiment.
  • Fig. 12 is a schematic structural diagram of another device provided by an exemplary embodiment.
  • Fig. 13 is a block diagram of another apparatus for knowledge transfer based on a machine learning model provided by an exemplary embodiment.
  • Fig. 14 is a schematic structural diagram of another device provided by an exemplary embodiment.
  • Fig. 15 is a block diagram of another apparatus for knowledge transfer based on a machine learning model provided by an exemplary embodiment.
  • In other embodiments, the steps of the corresponding method are not necessarily executed in the order shown and described in this specification.
  • In some other embodiments, the method may include more or fewer steps than described in this specification.
  • In addition, a single step described in this specification may be decomposed into multiple steps in other embodiments, and multiple steps described in this specification may also be combined into a single step in other embodiments.
  • Fig. 1 is a schematic structural diagram of a knowledge transfer system based on a machine learning model provided by an exemplary embodiment.
  • The system may include a server 11, a network 12, and several electronic devices, such as a mobile phone 13, a mobile phone 14, and PCs 15 and 16.
  • The server 11 may be a physical server including an independent host, or a virtual server carried by a host cluster. During operation, the server 11 interfaces with each partner, that is, it provides a cooperation platform for the partners, and is used for migrating the performance of the teacher networks trained by the partners to the student network.
  • Mobile phones 13-14 and PCs 15-16 are just some of the types of electronic equipment that users can use.
  • The partners that interface with the server 11 can obviously also use electronic devices of other types, such as tablet devices, notebook computers, PDAs (Personal Digital Assistants), and wearable devices (such as smart glasses, smart watches, etc.); one or more embodiments of this specification do not limit this.
  • Each partner uses its own sample data to train a teacher network, which can guide the training of the related student network: the model parameters learned by the teacher network (which can also be understood as the knowledge learned by the teacher network) are shared with the student network to improve the performance of the student network.
  • As for the network 12 used for interaction between the mobile phones 13-14, the PCs 15-16, and the server 11, it may include multiple types of wired or wireless networks.
  • In one embodiment, the network 12 may include the Public Switched Telephone Network (PSTN) and the Internet.
  • Fig. 2 is a flowchart of a method for knowledge transfer based on a machine learning model provided by an exemplary embodiment. As shown in Figure 2, the method is applied to the server and may include steps 202-206.
  • Step 202: Obtain teacher networks of multiple source fields and target sample data of the target field, and read the obtained teacher networks into a trusted execution environment for decryption; each teacher network is obtained by training on the sample data of its respective source field.
  • When training a supervised machine learning model, it may be difficult to collect sample data labeled with label values. For example, little sample data may have accumulated due to time constraints, and collecting a large amount of sample data is time-consuming and costly. Furthermore, even when the sample data is sufficient, building a model from scratch is costly and inefficient.
  • Therefore, transfer learning technology can be used to transfer the knowledge acquired by trained models in related fields (for example, fields of the same type or with high similarity) to the machine learning model of the target field, thereby improving the efficiency of training the model.
  • In transfer learning, the domain of the existing knowledge is called the source domain, and the domain of the new knowledge to be learned is called the target domain.
  • The source domain usually has a large amount of labeled data, while the target domain often has only a small number of labeled samples; the source domain and the target domain are different but related to a certain extent. Knowledge transfer can be carried out by reducing the distribution difference between the source domain and the target domain.
  • In the teacher-student network paradigm, the knowledge of the teacher network is distilled to guide the training of the student network.
  • The teacher network is often a more complex network with very good performance and generalization ability.
  • The teacher network can provide soft targets that guide another, simpler student network to learn, so that a simpler student model with lower computational cost can also achieve performance similar to that of the teacher network.
  • The teacher network corresponds to the source domain: the supervised learning model that has already been trained in the source domain is used as the teacher network to guide the learning of the student network and to transfer the knowledge it has learned to the student network.
  • The student network corresponds to the target field: the model to be trained in the target field is used as the student network.
  • When a partner docking with the server has a model to be trained, the server can perform transfer learning from the supervised machine learning models that have already been trained by other partners in fields related to that partner's field, to guide the learning of the model to be trained. Then, in the process of training the student network of the target field, there is no need to re-collect a large amount of sample data of the target field for training, so the efficiency of training the student network can be improved. At the same time, the student network can also inherit the better generalization ability and performance of the teacher network.
  • one or more teacher networks can be selected to guide the training of student networks.
  • a field with higher similarity to the target field can be selected as the source field.
  • The knowledge transfer scheme based on the machine learning model of this specification can be understood as the data providers of the various source fields working together to complete the training of the student network: multiple data providers each have their own sample data and can use each other's data to train machine learning models in a unified manner. It should be noted that the sample data of each data provider belongs to its own private data, so the above-mentioned multi-party joint modeling process should be carried out while ensuring the security of all parties' data. Therefore, each data provider, as the executing body that trains a teacher network, uses its own labeled sample data to train the teacher network of its respective source field.
  • Each teacher network is trained by the data provider of its respective source field, using that provider's own private data as sample data. It can be seen that, on the one hand, the data providers cooperate to train their own teacher networks, which can improve the efficiency of subsequently training the student network; on the other hand, the training process of the teacher network of each source field does not require the data to leave its domain, which ensures the privacy of the sample data in each field.
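  • As an illustrative sketch (not part of the patent text), each data provider might train its teacher on its own labeled samples, with raw data never leaving the provider. The toy logistic-regression trainer and the two hypothetical provider datasets below are assumptions for illustration only:

```python
import math

def train_teacher(samples, labels, epochs=300, lr=0.5):
    """Toy logistic-regression 'teacher', trained only on one provider's
    local (private) labeled sample data; the raw data never leaves the
    provider -- only the trained model is later shared (encrypted)."""
    n = len(samples[0])
    w, b = [0.0] * n, 0.0
    for _ in range(epochs):
        for x, y in zip(samples, labels):
            z = sum(wi * xi for wi, xi in zip(w, x)) + b
            g = 1.0 / (1.0 + math.exp(-z)) - y  # gradient of the log-loss
            w = [wi - lr * g * xi for wi, xi in zip(w, x)]
            b -= lr * g
    return w, b

def predict(model, x):
    """Class-1 probability predicted by a trained teacher."""
    w, b = model
    return 1.0 / (1.0 + math.exp(-(sum(wi * xi for wi, xi in zip(w, x)) + b)))

# Hypothetical private datasets of two partners (two source fields):
provider_a = ([[0.1, 0.2], [0.9, 0.8], [0.2, 0.1], [0.8, 0.9]], [0, 1, 0, 1])
provider_b = ([[0.0, 0.3], [0.7, 0.9], [0.3, 0.0], [0.9, 0.7]], [0, 1, 0, 1])
teachers = [train_teacher(*provider_a), train_teacher(*provider_b)]
```

Only the resulting `teachers` models cross the trust boundary; each provider's `samples` stay in its own domain.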
  • Each teacher network belongs to the private data of its source field, the target sample data belongs to the private data of the target field, and the prediction result of each teacher network for the target sample data belongs to decision privacy (that is, the privacy of the output result of each teacher network). Therefore, for privacy and security, a TEE (Trusted Execution Environment) can be introduced: the teacher networks are used in the TEE to make predictions on the target sample data, and ensemble learning can be performed on the obtained prediction results.
  • The TEE can play the role of a black box in the hardware: neither the code executed in the TEE nor the data can be peeped at by the operating system layer, and only the interfaces pre-defined in the code can operate on it.
  • Before sending its trained teacher network to the server, the provider of the teacher network can encrypt the teacher network; the server then decrypts the teacher network in the TEE and uses the decrypted teacher network to make predictions on the target sample data.
  • Similarly, the provider of the target sample data can encrypt the target sample data before sending it to the server; the server then first decrypts the target sample data in the TEE and inputs the decrypted target sample data into the teacher networks.
  • Step 204: In the trusted execution environment, input the target sample data into each teacher network to obtain each teacher network's prediction result for the target sample data, and integrate the obtained prediction results to obtain the soft label value corresponding to the target sample data.
  • In order for the trained student network to be a diverse (comprehensive) strongly supervised model, so that the student network is stable and performs well in all respects rather than showing a preference (as a weakly supervised model that performs better only in some respects), ensemble learning can be performed in the TEE on the prediction results obtained from the multiple teacher networks.
  • By performing ensemble learning on the multiple obtained prediction results, when a certain teacher network makes an erroneous prediction for the target sample data, the erroneous prediction can be corrected by the other teacher networks, thereby reducing variance (as in bagging) and bias (as in boosting) and improving the prediction effect (as in stacking).
  • the specific implementation manner of the integrated learning can be flexibly selected according to the actual situation, and one or more embodiments of this specification do not limit this. For example, voting, weighted average, etc. can be adopted.
  • Algorithms such as bagging (bootstrap aggregating; for example, random forest), boosting, and stacking can be used.
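  • The integration step above can be sketched as a simple (weighted) average of the teachers' predicted class-probability vectors. This is a minimal illustration of one of the schemes mentioned (voting or stacking could be substituted), and the numbers are hypothetical:

```python
def integrate_soft_labels(teacher_probs, weights=None):
    """Combine per-teacher class-probability vectors for one target sample
    into a single soft label value by (weighted) averaging."""
    k = len(teacher_probs)
    weights = weights or [1.0 / k] * k
    n_classes = len(teacher_probs[0])
    return [sum(w * p[c] for w, p in zip(weights, teacher_probs))
            for c in range(n_classes)]

# One teacher is overconfident on this sample; averaging with the other
# teachers dampens the error, as described above.
soft_label = integrate_soft_labels([[0.9, 0.1], [0.6, 0.4], [0.6, 0.4]])
# soft_label -> [0.7, 0.3]
```

In the scheme of this specification, this averaging would run inside the TEE, so no individual teacher's prediction leaves the trusted environment.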
  • Step 206 Perform knowledge distillation on the target sample data based on the soft label value and the original hard label value of the target sample data to obtain a student network in the target field.
  • the hard label value is the label value originally marked in the target sample data.
  • the hard label value is obtained by annotating the target sample data by the provider (belonging to the target field) of the target sample data.
  • After the soft label value (soft target) corresponding to the target sample data is obtained through ensemble learning, knowledge distillation is performed on the target sample data to obtain the student network of the target field.
  • The hard target originally labeled on the target sample data contains a lower amount of information (information entropy), while the soft target comes from the prediction output of the large model (the teacher network), has higher entropy, and can provide more information than the hard target.
  • Therefore, the soft target is used to assist the hard target in joint training; that is, less data and a larger learning rate can be used, so that a simpler student model with fewer parameters and less computation can also achieve performance similar to that of the teacher network (this can therefore also be understood as a form of model compression).
  • The training of the student network involves two objective functions: one corresponds to the hard target, that is, the original objective function, which is the cross-entropy between the class probability output of the student network and the true label value; the other corresponds to the soft target, which is the cross-entropy between the class probability output of the student network and the class probability output of the teacher network.
  • For the soft target, a temperature parameter T is added to the softmax function: q_i = exp(z_i / T) / Σ_j exp(z_j / T), where q_i is the probability value of the i-th class and the input z_i is the prediction value (logit) of the i-th class.
  • Logits are the raw (non-normalized) prediction vector generated by the classification model, and are usually passed to a normalization function: they serve as the input of the softmax function, which generates a (normalized) probability vector with one entry for each possible category.
  • The softmax function converts the logit z_i of each category into a probability q_i by comparing z_i with the other logits.
  • The objective function corresponding to the hard target and the objective function corresponding to the soft target can be combined through a weighted average into the final objective function of the student network. For example, a larger weight can be set for the soft target.
  • In one example, T takes an intermediate value, the weight assigned to the soft target is T², and the weight of the hard target is 1.
  • Other arbitrary weights can also be set; one or more embodiments of this specification do not limit this.
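  • The temperature-scaled softmax and the two weighted objective functions described above can be sketched as follows. This is a minimal illustration only; in practice the teacher's soft label would itself be produced at the same temperature T, and the T² vs. 1 weighting follows the example above:

```python
import math

def softmax_T(logits, T=1.0):
    """Temperature-scaled softmax: q_i = exp(z_i / T) / sum_j exp(z_j / T).
    A higher T produces a softer (higher-entropy) distribution."""
    m = max(z / T for z in logits)             # subtract max for stability
    exps = [math.exp(z / T - m) for z in logits]
    s = sum(exps)
    return [e / s for e in exps]

def cross_entropy(target, pred, eps=1e-12):
    return -sum(t * math.log(p + eps) for t, p in zip(target, pred))

def distillation_loss(student_logits, teacher_soft, hard_onehot, T=2.0):
    """Weighted sum of the two objectives: the soft-target cross-entropy
    (weight T^2) plus the hard-target cross-entropy (weight 1)."""
    soft_loss = cross_entropy(teacher_soft, softmax_T(student_logits, T))
    hard_loss = cross_entropy(hard_onehot, softmax_T(student_logits, 1.0))
    return (T ** 2) * soft_loss + 1.0 * hard_loss
```

A higher T flattens both distributions, exposing the relative probabilities of the non-target classes to the student, which is where the soft target's extra information entropy comes from.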
  • a student network with strong interpretability can be obtained.
  • a classifier with strong interpretability can be used for training.
  • FIG. 3 is a flowchart of another method for knowledge transfer based on a machine learning model provided by an exemplary embodiment. As shown in Figure 3, the method is applied to the server and may include steps 302-306.
  • Step 302: Obtain teacher networks of multiple source fields and target sample data of the target field, and read the obtained teacher networks into a trusted execution environment for decryption; each teacher network is obtained by training on the sample data of its respective source field.
  • Step 304: In the trusted execution environment, input the target sample data into each teacher network to obtain each teacher network's prediction result for the target sample data, integrate the obtained prediction results to obtain the soft label value corresponding to the target sample data, and encrypt the soft label value.
  • the encryption can be performed in the form of a digital envelope, which combines a symmetric encryption algorithm and an asymmetric encryption algorithm.
  • The provider of the teacher network can use a symmetric encryption algorithm to encrypt the teacher network (that is, encrypt the teacher network with a symmetric key used by itself), and then use an asymmetric encryption algorithm to encrypt that symmetric key with the server's public key (that is, the digital envelope public key).
  • In other words, the provider uses the server public key to encrypt the symmetric key that was used to encrypt the teacher network.
  • the process for the provider to obtain the server public key will be described in detail below.
  • Accordingly, the server can first use the server private key (that is, the digital envelope private key) to obtain the symmetric key corresponding to the provider, and then use the obtained symmetric key to decrypt the data to be decrypted in the TEE.
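  • The digital-envelope flow just described can be sketched as follows. This is a toy illustration only: the keystream "cipher" is a stand-in for a real symmetric algorithm such as AES, and the asymmetric step (sealing the symmetric key with the server's digital-envelope public key and recovering it with the private key inside the TEE) is mocked with placeholder functions rather than real RSA:

```python
import os
import hashlib

def _keystream(key: bytes, n: int) -> bytes:
    # Toy keystream (SHA-256 in counter mode) standing in for a real
    # symmetric cipher such as AES -- for illustration only.
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return out[:n]

def sym_encrypt(key: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))

sym_decrypt = sym_encrypt  # an XOR stream cipher is its own inverse

# Mocked asymmetric step: a real digital envelope would use e.g. RSA with
# the server's digital-envelope public/private key pair.
def pubkey_encrypt(server_public_key, data): return data
def privkey_decrypt(server_private_key, sealed): return sealed

# --- Provider side ---
teacher_network = b"serialized teacher network parameters"
sym_key = os.urandom(32)                          # fresh symmetric key
ciphertext = sym_encrypt(sym_key, teacher_network)
envelope = pubkey_encrypt("server-pub", sym_key)  # seal the symmetric key

# --- Server side, inside the TEE ---
recovered_key = privkey_decrypt("server-priv", envelope)
recovered_model = sym_decrypt(recovered_key, ciphertext)
```

The provider ships only `ciphertext` and `envelope`; plaintext model parameters exist only inside the TEE after decryption.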
  • TEE is a secure extension based on CPU hardware and a trusted execution environment that is completely isolated from the outside.
  • The TEE was first proposed by GlobalPlatform to solve the secure isolation of resources on mobile devices, providing a trusted and secure execution environment for applications in parallel with the operating system.
  • ARM's TrustZone technology was the first to realize truly commercial TEE technology.
  • With security requirements getting higher and higher, not only mobile devices but also cloud devices and data centers have put forward more demands on the TEE.
  • The concept of the TEE has also been rapidly developed and expanded. Compared with the original concept, the TEE referred to now is a broader TEE: for example, server chip manufacturers such as Intel and AMD have successively introduced hardware-assisted TEEs, which have enriched the concept and characteristics of the TEE and have been widely recognized in the industry.
  • The TEE mentioned now usually refers more to this kind of hardware-assisted TEE technology.
  • Cloud access requires remote access, and the hardware platform is invisible to the end user, so the first step in using a TEE is to confirm its authenticity. Therefore, a remote attestation mechanism can be introduced for TEE technology, endorsed by hardware vendors (mainly CPU vendors) and digital signature technology, to ensure that users can verify the state of the TEE.
  • TEEs including Intel SGX and AMD SEV also provide memory encryption technology, confining the trusted hardware to the CPU, with the data on the bus and in memory kept as ciphertext to prevent snooping by malicious users.
  • TEE technologies such as Intel's Software Guard Extensions (SGX) provide isolated code execution, remote attestation, secure configuration, secure storage of data, and trusted paths for code execution.
  • Applications running in a TEE are security-protected and almost impossible for third parties to access.
  • SGX provides an enclave, that is, an encrypted trusted execution area in memory, in which the CPU protects data from being stolen.
  • Taking a server-side CPU that supports SGX as an example, using the newly added processor instructions, a region called the EPC (Enclave Page Cache) can be allocated in memory, and the data in it is encrypted by the MEE (Memory Encryption Engine) in the CPU.
  • The encrypted content in the EPC is only decrypted into plaintext after entering the CPU. Therefore, with SGX, users can distrust the operating system, the VMM (Virtual Machine Monitor), and even the BIOS (Basic Input Output System); they only need to trust the CPU to ensure that private data will not be leaked.
  • the TEE on the server side can be established through the SGX architecture.
  • the digital envelope public key is sent by the key management server to the provider of the data to be decrypted, and the digital envelope private key is sent by the key management server to the TEE enclave.
  • Step 306: Return the encrypted soft label value to the provider of the target sample data, so that the provider decrypts the received soft label value and, based on the decrypted soft label value and the hard label value originally marked on the target sample data, performs knowledge distillation on the target sample data to obtain a student network in the target field.
  • FIG. 4 is a flowchart of another method for knowledge transfer based on a machine learning model provided by an exemplary embodiment. As shown in FIG. 4, the method is applied to the provider of target sample data, and may include steps 402-406.
  • Step 402 Send the encrypted target sample data to the maintainer of the trusted execution environment, so that the maintainer can input the target sample data into teacher networks in multiple source fields in the trusted execution environment.
  • each teacher network is obtained by training on the sample data of its respective source field, and is decrypted in the trusted execution environment.
  • Step 404: Receive the encrypted soft label value returned by the maintainer, decrypt the received soft label value, and, based on the decrypted soft label value and the hard label value originally marked on the target sample data, perform knowledge distillation on the target sample data to obtain the student network in the target field.
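The knowledge distillation step combines the decrypted soft label value with the original hard label value. A minimal sketch of such a combined loss is shown below; the temperature and weighting values are illustrative assumptions, not parameters specified by this document.

```python
import math

def softmax(logits, temperature=1.0):
    # Convert logits to a probability distribution, optionally softened.
    exps = [math.exp(z / temperature) for z in logits]
    total = sum(exps)
    return [e / total for e in exps]

def cross_entropy(target, predicted, eps=1e-12):
    return -sum(t * math.log(p + eps) for t, p in zip(target, predicted))

def distillation_loss(student_logits, soft_labels, hard_label,
                      temperature=2.0, alpha=0.5):
    # Soft term: match the teachers' integrated (soft label) distribution,
    # using a softened student prediction.
    soft_pred = softmax(student_logits, temperature)
    soft_term = cross_entropy(soft_labels, soft_pred)
    # Hard term: ordinary cross-entropy against the originally marked label.
    hard_pred = softmax(student_logits)
    one_hot = [1.0 if i == hard_label else 0.0
               for i in range(len(student_logits))]
    hard_term = cross_entropy(one_hot, hard_pred)
    # alpha balances teacher guidance against the ground-truth hard label.
    return alpha * soft_term + (1 - alpha) * hard_term
```

During training, the student network's parameters would be updated to minimize this loss over the target sample data.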
  • the specific content of the sample data can be flexibly set according to actual application scenarios.
  • the data type of the sample data can include image, text, voice, and so on.
  • the labeling of sample data can also be flexibly set according to actual application scenarios, as described below with examples.
  • the potential risks of users or merchants can be predicted, such as the risks of predicting loans and real-time transactions.
  • the cooperation platform has connected and cooperated with many merchants, and each merchant has accumulated a large amount of sample data in the course of business.
  • the sample data (in text form, or other data types) includes the user's basic information, behavior information, transaction information, and so on.
  • merchants can label sample data in the transaction risk dimension.
  • the newly accessed merchant a can cooperate with other merchants of the same type on the cooperation platform to perform joint modeling.
  • the newly connected merchant a belongs to the target field: the small amount of sample data it owns is the target sample data, and the risk control model to be trained is the student network. The other merchants on the cooperation platform in the same industry as merchant a (for example, merchants 1-n that likewise belong to funds, insurance companies, etc.) belong to the source fields, and merchants 1-n can use the large amount of sample data they have accumulated to train teacher networks to guide the training of the student network.
  • merchant a can input the acquired user's basic information, behavior information, transaction information and other data into the student network, thereby predicting the risk score of the current transaction with that user.
  • the potential needs of users can be predicted, such as predicting the products the user wants to buy, news of interest, books that they like to read, and so on.
  • the cooperation platform has docked and cooperated with multiple sellers, and each seller has accumulated a large number of user purchase records in the course of business.
  • the sample data (in text form, or other data types) is user information such as occupation, income, age, gender, etc.
  • the merchant can mark the sample data according to the products purchased by the user in the user purchase record.
  • the newly connected seller a can cooperate with other sellers of the same type on the cooperation platform to perform joint modeling.
  • the newly connected seller a belongs to the target field: the small number of user purchase records it holds serve as the target sample data, and the product recommendation model to be trained is the student network. The other sellers 1-n on the cooperation platform in the same industry as seller a (for example, catering, clothing, etc.) belong to the source fields, and sellers 1-n can use their accumulated user purchase records to train teacher networks to guide the training of the student network.
  • seller a can enter the acquired user information into the student network, thereby predicting the products the user may want to purchase, and then recommend the corresponding products to the user based on the prediction results.
  • the cooperation platform cooperates with many companies, and each company has accumulated a large amount of dialogue data in the process of providing customer service to users.
  • the sample data can be text, image, user's voice, etc. input by the user, and the annotation for the sample data is the content of the customer service's reply to the user in the conversation data.
  • when another company a newly joins the cooperation platform and hopes to provide users with intelligent customer service, if its conversation data between users and customer service is limited, it can conduct joint modeling with other companies on the cooperation platform.
  • companies 1-n that provide customer service services such as voice assistants, chat tools, and answering questions can conduct joint modeling through their own accumulated conversation data.
  • the newly connected company a belongs to the target field: the small amount of dialogue data it owns is the target sample data, and the customer service model to be trained is the student network. Companies 1-n belong to the source fields, and each can use its accumulated large amount of dialogue data to train a teacher network to guide the training of the student network.
  • company a (or any of companies 1-n) can then use the student network to provide users with intelligent customer service, that is, take the conversation content (text, image, voice, etc.) initiated by the user as the input of the student network, and use the output result as the reply to that conversation.
  • FIG. 5 is a flowchart of a user risk assessment method provided by an exemplary embodiment.
  • the evaluation method may include the following steps:
  • Step 502: Input the behavior information of a user of the target partner into the student risk control model corresponding to the target partner. The student risk control model is obtained by performing knowledge distillation on the target sample data of the target partner, based on the soft label value of the target sample data and the risk label value originally marked on it as the hard label value. The soft label value is obtained by integrating, in a trusted execution environment, the prediction results of multiple teacher risk control models for the target sample data; each teacher risk control model and the target sample data are decrypted in the trusted execution environment, and each teacher risk control model is obtained by training on the corresponding sample data of other partners, where any sample data contains behavior information marked with a risk label value.
  • Step 504 Determine the risk score of the user according to the output result of the student risk control model.
  • the student risk control model corresponds to the student network in the embodiments of Figures 2-4 above, and the teacher risk control model corresponds to the teacher network in those embodiments.
  • the specific content of the sample data for training each model is the user's behavior information, and the marked content is the user's risk score; in other words, the input of each model is the user's behavior information, and the output is the user's risk score (including probability distribution).
  • Multiple parties cooperate on the same platform.
  • the target partner belongs to the target field and is the provider of the target sample data.
  • the model to be trained is the student risk control model.
  • the teacher risk control model of other partners can be used to guide the training of the student risk control model.
  • For the specific process of training refer to the embodiments shown in FIGS. 2-4, which will not be repeated here.
  • the student risk control model can be configured on the client side of the target partner. After the target partner obtains the user's behavior information, the client can input the behavior information into the student risk control model to determine the user's risk score from the output result, and then determine the subsequent processing method for the user. For example, when the risk score is low (indicating that the user is relatively safe), consumer rights can be issued to the user; when the risk score is high (indicating that the user has potential risks), the user's registration request can be intercepted.
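The client-side decision logic described above can be sketched as follows; the threshold values and the middle-band action are illustrative assumptions (the text only names the low-score and high-score actions), and the function name is hypothetical.

```python
def handle_user(risk_score: float, low: float = 0.3, high: float = 0.7) -> str:
    # Thresholds are illustrative; a real deployment would calibrate them
    # against the student risk control model's score distribution.
    if risk_score < low:
        return "issue_consumer_rights"   # low score: user is relatively safe
    if risk_score > high:
        return "intercept_registration"  # high score: user has potential risk
    return "manual_review"               # middle band: assumed escalation policy
```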
  • Alternatively, the student risk control model can be configured on the server side docked with the target partner. After obtaining the user's behavior information, the target partner can send the behavior information to the server through the client; the server uses the student risk control model to determine the user's risk score and returns it to the client for display.
  • In order to improve the generalization ability and performance of the student risk control model (that is, so that the generalization ability and performance of the teacher risk control models can be better transferred to the student risk control model), the target partner can select the teacher risk control models of other partners with a higher degree of similarity to the target partner to guide the training of the student risk control model.
  • For example, it can be required that the target partner and the other partners belong to the same type of partner, for example, all belong to the catering category, or all belong to the financial category.
  • each teacher risk control model is obtained through training on its own sample data by the corresponding other partner.
  • other partners use their own labeled sample data to train the teacher's risk control model.
  • FIG. 6 is a flowchart of issuing public and private keys of digital envelopes according to an exemplary embodiment. As shown in FIG. 6, the process may include steps 602 to 616B.
  • step 602 the key management server 61 sends a verification request for SGX to the server 62.
  • the public key (that is, the server public key) and the private key (that is, the server private key) of the digital envelope can be generated by the key management server; after the SGX on the server has passed remote attestation, the key management server sends the private key to the SGX enclave on the server, and sends the public key to the clients docking with the server.
  • the key management server 61, which issued the EVM code of the SGX, initiates a challenge to the server 62, requiring the server 62 to present a verification report to prove that the EVM code running in the SGX of the server 62 was issued by the key management server 61, or is consistent with the EVM code stored in the key management server 61.
  • step 604 the server 62 generates a verification report and signs it with the private key of the SGX CPU.
  • step 606 the server 62 returns a verification report to the key management server 61.
  • step 608 the key management server 61 forwards the verification report to the IAS 63.
  • the server 62 exports the EVM code of the SGX to generate a verification report based on the EVM code.
  • the EVM code can be hashed to obtain the corresponding hash value, and the hash value can be stored in the quote (quote structure), and the private key of the SGX CPU can be used to sign the quote (as a verification report).
  • Intel configures a private key for the CPU when it leaves the factory, but does not disclose the corresponding public key; instead, the public key is configured in Intel's IAS (Intel Attestation Service). Therefore, after the CPU's private key is used to sign the verification report, since the key management server 61 has no corresponding public key, it needs to forward the quote returned by the server 62 to the IAS for the IAS to verify the signature.
  • step 610: the IAS 63 uses the public key of the SGX CPU to verify the signature, so that the verification result can be returned to the key management server 61. Specifically, an AVR report can be generated, in which "YES" indicates that the signature verification passed and "NO" indicates that it did not.
  • In order to prevent the AVR report from being intercepted or modified during transmission, in addition to using SSL (Secure Sockets Layer) encryption for the transmission link, the IAS can also sign the AVR report with its own certificate.
  • step 612 the IAS 63 returns the verification result to the key management server 61.
  • step 614 the key management server 61 verifies the SGX.
  • After receiving the verification result, the key management server 61 first verifies the signature of the IAS, and then, after that verification passes, obtains the verification result recorded in the AVR report. If it is YES, it compares the hash value in the quote with the local hash value (obtained by hashing the locally maintained SGX EVM code). When the comparison results are consistent, it is determined that the remote attestation has passed.
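The check performed by the key management server (verify the signature over the quote, then compare the quoted hash with the locally computed hash) can be sketched as follows. The HMAC here is a simplified stand-in for the CPU's signature and the IAS signature check; real SGX attestation uses asymmetric signatures and Intel's attestation service, and all names below are illustrative.

```python
import hashlib
import hmac

CPU_KEY = b"simulated-sgx-cpu-key"   # stand-in for the CPU's attestation key

def build_quote(enclave_code: bytes) -> dict:
    # Server side: hash the enclave code into the quote and sign it
    # (here with an HMAC standing in for the CPU private-key signature).
    measurement = hashlib.sha256(enclave_code).hexdigest()
    signature = hmac.new(CPU_KEY, measurement.encode(),
                         hashlib.sha256).hexdigest()
    return {"measurement": measurement, "signature": signature}

def ias_verify_signature(quote: dict) -> bool:
    # IAS side: check the signature over the quoted measurement.
    expected = hmac.new(CPU_KEY, quote["measurement"].encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, quote["signature"])

def key_manager_verify(quote: dict, local_enclave_code: bytes) -> bool:
    # Key management server side: signature must verify AND the quoted hash
    # must match the hash of the locally maintained enclave code.
    if not ias_verify_signature(quote):
        return False
    local_hash = hashlib.sha256(local_enclave_code).hexdigest()
    return quote["measurement"] == local_hash
```

Only when both checks pass would the key management server release the digital envelope private key to the enclave.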
  • step 616A the key management server 61 sends the public key of the digital envelope to the client 64 docking with the server.
  • the key management server 61 can sign the public key of the digital envelope, so that the client 64 can verify the authenticity of the public key.
  • The client 64 is a client used by a provider of a teacher network, or the client used by the provider of the target sample data. In other words, both the provider of the target sample data and the providers of the teacher networks can obtain the public key of the digital envelope in the above-mentioned manner.
  • step 616B the key management server 61 encrypts and transmits the private key of the digital envelope to the server 62.
  • the key management server 61 and the server 62 may negotiate a key for encrypting the private key of the digital envelope in the interaction process of step 602 and step 606. Then, the key management server 61 may encrypt the private key of the digital envelope through the key obtained through negotiation, so as to encrypt and transmit the private key of the digital envelope to the server 62.
  • the private key of the digital envelope can be passed into an enclave of the server.
  • the server can contain multiple enclaves, and the above private key can be passed into a security enclave among them; for example, the security enclave can be a QE (Quoting Enclave) rather than an AE (Application Enclave).
  • FIG. 7 is an interaction diagram of a knowledge transfer solution based on a machine learning model provided by an exemplary embodiment. As shown in Figure 7, the interaction process may include the following steps:
  • step 702A the partner 1 obtains the teacher network 1 through the training of the private data marked by itself.
  • step 702B the partner 2 obtains the teacher network 2 through the training of the private data marked by itself.
  • step 702C the partner n obtains the teacher network n through the training of the private data marked by itself.
  • steps 702A-702C are mutually parallel steps, and there is no requirement on the time sequence.
  • “Merchant health score” is a risk assessment indicator that the server, as a merchant cooperation platform, provides to ISV (Independent Software Vendor) channel providers for the merchants under each channel. Evaluating the “merchant health score” of the merchants under a channel can help partners (ISV channel providers) improve their risk control capabilities.
  • When an ISV channel provider models the model used to evaluate merchants' health scores, its merchant behavior data (ie, its sample data) may be limited, so the merchant cooperation platform can be used to conduct joint modeling with the merchant behavior data accumulated by other partners (other ISV channel providers).
  • the other partners of the joint modeling should have a certain relationship with the ISV channel provider, for example, belong to the same industry.
  • the following takes the ISV channel provider and partner 1-n joint modeling as an example for illustration.
  • Partners 1-n label the behavior information of merchants from their historical business processes in the risk dimension, thereby obtaining the sample data (private data belonging to themselves) used to train the teacher networks; that is, the input of a trained teacher network is the behavior information of a merchant, and the output is the corresponding risk score.
  • the supervised machine learning algorithm used for training can be flexibly selected according to actual conditions, and one or more embodiments of this specification do not limit this.
  • the following takes the classifier as an example for description.
  • step 704A the partner 1 encrypts the teacher network 1.
  • step 704B the partner 2 encrypts the teacher network 2.
  • step 704C the partner n encrypts the teacher network n.
  • each of the partners 1-n can generate its own symmetric key, encrypt its teacher network with that symmetric key, and then encrypt the symmetric key with the public key of the digital envelope.
  • the ISV channel provider may send the target sample data (ie, the merchant behavior information it owns) to the cooperation platform, so that the cooperation platform can perform joint modeling with the partner 1-n based on the target sample data.
  • step 706A the partner 1 sends the encrypted teacher network 1 to the cooperation platform.
  • step 706B the partner 2 sends the encrypted teacher network 2 to the cooperation platform.
  • step 706C the partner n sends the encrypted teacher network n to the cooperation platform.
  • this specification does not impose requirements on the time sequence between steps 704A-704C and steps 706A-706C.
  • the manner in which partners 1-n send the teacher networks to the cooperation platform can be flexibly set according to the actual situation; the above steps 706A-706C are only an illustrative example, and one or more embodiments of this specification do not limit this.
  • the partner 1 can also receive the teacher network sent by the partner 2-n, and then the partner 1 can send the encrypted teacher network 1-n to the cooperation platform.
  • Step 708 the cooperation platform reads the teacher network 1-n into the TEE for decryption.
  • Step 710 When the target sample data is received, the cooperation platform reads the target sample data into the TEE for decryption.
  • the private key of the digital envelope is first used to decrypt the symmetric key of the partner 1, and then the decrypted symmetric key is used to decrypt the teacher network 1.
  • the decryption methods of other teacher networks and target sample data are similar to this, so I won’t repeat them here.
  • step 712 the cooperation platform inputs the target sample data into the teacher network 1-n to obtain prediction results 1-n.
  • for a sample xi of the target sample data, each classifier fk (teacher network) can predict a probability distribution fk(xi); each fk(xi) can then be integrated through ensemble learning techniques to obtain the final score.
  • Step 714 The cooperation platform integrates the prediction results 1-n to obtain the soft label value corresponding to the target sample data.
  • ensemble learning can be performed on the obtained prediction results 1-n, and the result of the ensemble learning is used as the soft label value corresponding to the target sample data.
  • the specific implementation of the ensemble learning can be flexibly selected according to the actual situation, and one or more embodiments of this specification do not limit this. For example, voting, averaging, etc. can be adopted; for another example, algorithms such as Bagging (bootstrap aggregating; e.g., random forest), Boosting, and Stacking can be used.
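As a simple sketch of step 714, averaging and voting over the teachers' probability outputs can look like the following; the function names are illustrative, and any of the ensemble algorithms mentioned above could be substituted.

```python
def average_soft_label(teacher_predictions):
    # Each teacher outputs a probability distribution over the classes;
    # element-wise averaging yields the soft label for the sample.
    n = len(teacher_predictions)
    k = len(teacher_predictions[0])
    return [sum(p[i] for p in teacher_predictions) / n for i in range(k)]

def majority_vote(teacher_predictions):
    # Voting alternative: each teacher votes for its most likely class,
    # and the class with the most votes wins.
    votes = [max(range(len(p)), key=p.__getitem__)
             for p in teacher_predictions]
    return max(set(votes), key=votes.count)
```

Averaging preserves the full probability distribution (useful as a soft label for distillation), while voting only yields a hard class decision.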
  • step 716 the cooperation platform performs knowledge distillation on the target sample data to obtain a student network based on the soft label value and the original hard label value of the target sample data.
  • the probability distribution outputs of all classifiers, after differential privacy processing, are averaged, and the final probability output obtained by averaging is used as a soft target to guide the student network's learning.
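A minimal sketch of this averaging with differential privacy processing is shown below. The Laplace noise scale, clipping, and renormalization choices are illustrative assumptions rather than a calibrated privacy mechanism, and the function names are hypothetical.

```python
import math
import random

def _laplace(rng: random.Random, scale: float) -> float:
    # Inverse-CDF sampling from Laplace(0, scale).
    u = rng.random() - 0.5
    return -scale * math.copysign(1.0, u) * math.log(
        max(1e-12, 1.0 - 2.0 * abs(u)))

def dp_soft_target(teacher_predictions, epsilon=1.0, seed=0):
    """Average the teachers' probability outputs, add Laplace noise for
    differential privacy, then clip and renormalize to a distribution."""
    rng = random.Random(seed)
    n = len(teacher_predictions)
    k = len(teacher_predictions[0])
    avg = [sum(p[i] for p in teacher_predictions) / n for i in range(k)]
    # Noise scale 1/(epsilon*n) is an illustrative choice, not a proven bound.
    noisy = [max(0.0, a + _laplace(rng, 1.0 / (epsilon * n))) for a in avg]
    total = sum(noisy)
    if total == 0.0:
        return [1.0 / k] * k  # degenerate case: fall back to uniform
    return [v / total for v in noisy]
```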
  • the student network can be configured on the client side of the ISV channel provider.
  • After obtaining the behavior information of a merchant, the ISV channel provider can input the behavior information into the student network through the client, determine the merchant's risk score according to the output result, and then determine the subsequent processing method for the merchant. For example, when the risk score is low (indicating that the merchant is relatively safe), consumer rights can be issued to the merchant; when the risk score is high (indicating that the merchant has potential risks), the merchant's registration request can be intercepted.
  • Alternatively, the student network can be configured on the cooperation platform; the ISV channel provider can then send the behavior information to the cooperation platform through the client after obtaining a merchant's behavior information, so that the cooperation platform can use the student network to determine the merchant's risk score and return it to the client for display.
  • this specification also provides device embodiments.
  • the embodiments of the user risk assessment device in this specification can be applied to electronic equipment.
  • the device embodiments can be implemented by software, or can be implemented by hardware or a combination of software and hardware.
  • Taking a software implementation as an example, as a logical device it is formed by the processor of the electronic device where it is located reading the corresponding computer program instructions from the non-volatile memory into the memory and running them.
  • FIG. 8 is a schematic structural diagram of a device provided by an exemplary embodiment. Please refer to FIG. 8.
  • the device includes a processor 802, an internal bus 804, a network interface 806, a memory 808, and a non-volatile memory 810.
  • the processor 802 reads the corresponding computer program from the non-volatile memory 810 to the memory 808 and then runs it to form a user risk assessment device on a logical level.
  • one or more embodiments of this specification do not exclude other implementations, such as logic devices or a combination of software and hardware; that is to say, the execution subject of the following processing flow is not limited to logic units, and can also be hardware or a logic device.
  • the user risk assessment device may include: an information input unit 91, which inputs the behavior information of a user of the target partner into the student risk control model corresponding to the target partner, where the student risk control model is obtained by performing knowledge distillation on the target sample data of the target partner based on the soft label value of the target sample data and the risk label value originally marked on it as the hard label value; the soft label value is obtained by integrating, in a trusted execution environment, the prediction results of multiple teacher risk control models for the target sample data; each teacher risk control model and the target sample data are decrypted in the trusted execution environment, and each teacher risk control model is obtained by training on the corresponding sample data of other partners, wherein any sample data contains behavior information marked with a risk label value; and a risk assessment unit 92, which determines the user's risk score according to the output result of the student risk control model.
  • the target partner and the other partners belong to the same type of partner.
  • each teacher's risk control model is obtained by training on its own sample data by corresponding other partners.
  • the embodiment of the knowledge transfer device based on the machine learning model of this specification can be applied to electronic equipment.
  • the device embodiments can be implemented by software, or can be implemented by hardware or a combination of software and hardware.
  • Taking a software implementation as an example, as a logical device it is formed by the processor of the electronic device where it is located reading the corresponding computer program instructions from the non-volatile memory into the memory and running them.
  • FIG. 10 is a schematic structural diagram of a device provided by an exemplary embodiment. Please refer to FIG. 10.
  • the device includes a processor 1002, an internal bus 1004, a network interface 1006, a memory 1008, and a non-volatile memory 1010.
  • the processor 1002 reads the corresponding computer program from the non-volatile memory 1010 into the memory 1008 and then runs it, forming a knowledge transfer device based on the machine learning model at the logical level.
  • one or more embodiments of this specification do not exclude other implementations, such as logic devices or a combination of software and hardware; that is to say, the execution subject of the following processing flow is not limited to logic units, and can also be hardware or a logic device.
  • the knowledge transfer device based on the machine learning model may include: an acquiring unit 1101, which acquires teacher networks in multiple source fields and target sample data in a target field, and reads the acquired teacher networks into the trusted execution environment for decryption, each teacher network being obtained by training on the sample data of its respective source field; an integration unit, which, in the trusted execution environment, respectively inputs the target sample data into each teacher network to obtain each teacher network's prediction results for the target sample data, and integrates the obtained prediction results to obtain the soft label value corresponding to the target sample data; and a training unit 1103, which, based on the soft label value and the hard label value originally marked on the target sample data, performs knowledge distillation on the target sample data to obtain a student network in the target field.
  • each source domain and the target domain are of the same type.
  • each teacher network is obtained by training the data providers in their respective source fields with their own private data as sample data.
  • the data types of the target sample data and the sample data of each source field include at least one of the following: image, text, and voice.
  • the embodiments of the user risk assessment device in this specification can be applied to electronic equipment.
  • the device embodiments can be implemented by software, or can be implemented by hardware or a combination of software and hardware.
  • Taking a software implementation as an example, as a logical device it is formed by the processor of the electronic device where it is located reading the corresponding computer program instructions from the non-volatile memory into the memory and running them.
  • FIG. 12 is a schematic structural diagram of a device provided by an exemplary embodiment.
  • the device includes a processor 1202, an internal bus 1204, a network interface 1206, a memory 1208, and a non-volatile memory 1210.
  • the processor 1202 reads the corresponding computer program from the non-volatile memory 1210 to the memory 1208 and then runs it to form a knowledge transfer device based on a machine learning model on a logical level.
  • one or more embodiments of this specification do not exclude other implementations, such as logic devices or a combination of software and hardware; that is to say, the execution subject of the following processing flow is not limited to logic units, and can also be hardware or a logic device.
  • the knowledge transfer device based on the machine learning model may include: an acquisition unit 1301, which acquires teacher networks in multiple source fields and target sample data in the target field, and reads the acquired teacher networks into the trusted execution environment for decryption, each teacher network being obtained by training on the sample data of its respective source field; an integration unit 1302, which, in the trusted execution environment, respectively inputs the target sample data into each teacher network to obtain each teacher network's prediction results for the target sample data, integrates the obtained prediction results to obtain the soft label value corresponding to the target sample data, and encrypts the soft label value; and a returning unit 1303, which returns the encrypted soft label value to the provider of the target sample data, so that the provider decrypts the received soft label value and, based on the decrypted soft label value and the hard label value originally marked on the target sample data, performs knowledge distillation on the target sample data to obtain a student network in the target field.
  • the data to be decrypted in the trusted execution environment is encrypted by the corresponding provider using its own symmetric key, and the data to be decrypted includes any teacher network and/or the target sample data;
  • the obtaining unit 1301 is specifically configured to: obtain the symmetric key of the provider of the data to be decrypted; and decrypt the data to be decrypted by using the obtained symmetric key in the trusted execution environment.
  • the symmetric key used to encrypt the data to be decrypted is itself encrypted with a digital envelope public key; the obtaining unit 1301 is further configured to: decrypt, in the trusted execution environment, the symmetric key used to encrypt the data to be decrypted by using the digital envelope private key, so as to obtain the decrypted symmetric key.
  • the trusted execution environment is established through the SGX architecture; after the trusted execution environment passes remote attestation by a key management server, the digital envelope public key is sent by the key management server to the provider of the data to be decrypted, and the digital envelope private key is sent by the key management server into the enclave of the trusted execution environment.
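The digital-envelope scheme described above — each provider encrypts its payload (a teacher network or target sample data) with its own symmetric key, and that symmetric key is in turn sealed with the envelope public key so that only the enclave holding the private key can recover it — can be sketched with the third-party Python `cryptography` package. This is an assumed illustration of hybrid encryption, not the SGX implementation itself; the RSA key size, OAEP padding, and the Fernet symmetric scheme are example choices.

```python
from cryptography.hazmat.primitives.asymmetric import rsa, padding
from cryptography.hazmat.primitives import hashes
from cryptography.fernet import Fernet

oaep = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)

# Enclave side: the digital-envelope keypair; the public key is distributed
# to providers after remote attestation, the private key stays in the enclave.
priv = rsa.generate_private_key(public_exponent=65537, key_size=2048)
pub = priv.public_key()

# Provider side: encrypt the payload with its own symmetric key,
# then seal the symmetric key with the envelope public key.
sym_key = Fernet.generate_key()
ciphertext = Fernet(sym_key).encrypt(b"teacher network weights")
sealed_key = pub.encrypt(sym_key, oaep)

# Enclave side: open the envelope with the private key, then decrypt the payload.
recovered_key = priv.decrypt(sealed_key, oaep)
plaintext = Fernet(recovered_key).decrypt(ciphertext)
assert plaintext == b"teacher network weights"
```

The design point is that the bulk payload never needs asymmetric encryption: only the short symmetric key is sealed, which keeps the envelope cheap regardless of model size.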
  • the data types of the target sample data and the sample data of each source field include at least one of the following: image, text, and voice.
  • the embodiments of the user risk assessment device in this specification can be applied to electronic equipment.
  • the device embodiments can be implemented by software, or can be implemented by hardware or a combination of software and hardware.
  • Taking a software implementation as an example, a logical apparatus is formed by the processor of the electronic device on which it resides reading the corresponding computer program instructions from non-volatile memory into memory and running them.
  • FIG. 14 is a schematic structural diagram of a device provided by an exemplary embodiment.
  • the device includes a processor 1402, an internal bus 1404, a network interface 1406, a memory 1408, and a non-volatile memory 1410.
  • the processor 1402 reads the corresponding computer program from the non-volatile memory 1410 to the memory 1408 and then runs it to form a knowledge transfer device based on a machine learning model at the logical level.
  • In addition to a software implementation, one or more embodiments of this specification do not exclude other implementations, such as a logic device or a combination of software and hardware. That is to say, the execution subject of the following processing flow is not limited to logical units; it may also be hardware or a logic device.
  • the knowledge transfer apparatus based on the machine learning model may include: a sending unit 1501, which sends target sample data to the maintainer of a trusted execution environment, so that the maintainer, in the trusted execution environment, inputs the target sample data into teacher networks of multiple source fields to obtain each teacher network's prediction result for the target sample data, and integrates the obtained prediction results to obtain a soft label value corresponding to the target sample data, each teacher network being obtained by training sample data of its respective source field and decrypted in the trusted execution environment; and a training unit 1502, which receives the encrypted soft label value returned by the maintainer, decrypts the received soft label value, and, based on the decrypted soft label value and the hard label value originally marked on the target sample data, performs knowledge distillation on the target sample data to obtain a student network of the target field.
  • the data types of the target sample data and the sample data of each source field include at least one of the following: image, text, and voice.
  • a typical implementation device is a computer.
  • the specific form of the computer may be a personal computer, a laptop computer, a cellular phone, a camera phone, a smart phone, a personal digital assistant, a media player, a navigation device, an email sending and receiving device, a game console, a tablet computer, a wearable device, or a combination of any of these devices.
  • the computer includes one or more processors (CPU), input/output interfaces, network interfaces, and memory.
  • the memory may include non-persistent memory, random access memory (RAM), and/or non-volatile memory in computer-readable media, such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
  • Computer-readable media include permanent and non-permanent, removable and non-removable media, and information storage can be realized by any method or technology.
  • the information can be computer-readable instructions, data structures, program modules, or other data.
  • Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technologies, CD-ROM, digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic disk storage, quantum memory, graphene-based storage media or other magnetic storage devices, or any other non-transmission media that can be used to store information accessible by computing devices.
  • As defined herein, computer-readable media do not include transitory media, such as modulated data signals and carrier waves.
  • Although the terms first, second, third, etc. may be used in one or more embodiments of this specification to describe various information, the information should not be limited by these terms. These terms are only used to distinguish information of the same type from each other.
  • For example, the first information may also be referred to as second information, and similarly, the second information may also be referred to as first information.
  • The word "if" as used herein may be interpreted as "when", "upon", or "in response to determining".

Landscapes

  • Business, Economics & Management (AREA)
  • Human Resources & Organizations (AREA)
  • Engineering & Computer Science (AREA)
  • Strategic Management (AREA)
  • Economics (AREA)
  • Educational Administration (AREA)
  • Entrepreneurship & Innovation (AREA)
  • Tourism & Hospitality (AREA)
  • General Physics & Mathematics (AREA)
  • General Business, Economics & Management (AREA)
  • Theoretical Computer Science (AREA)
  • Development Economics (AREA)
  • Marketing (AREA)
  • Physics & Mathematics (AREA)
  • Game Theory and Decision Science (AREA)
  • Quality & Reliability (AREA)
  • Operations Research (AREA)
  • Educational Technology (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Primary Health Care (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

A user risk assessment method, comprising: inputting behavior information of a user of a target partner into a student risk control model corresponding to the target partner, the student risk control model being obtained by performing knowledge distillation on target sample data of the target partner on the basis of a soft label value of the target sample data and a risk label value originally marked on the target sample data as a hard label value; the soft label value being obtained by integrating, in a trusted execution environment, the prediction results of a plurality of teacher risk control models for the target sample data; the teacher risk control models being decrypted in the trusted execution environment and obtained by training corresponding sample data of other partners; any piece of sample data comprising behavior information marked with a risk label value; and determining a risk score according to the output result of the student risk control model. According to the method, the partners can cooperatively train the student risk control model used for risk assessment while the privacy of each partner is protected.

Description

User risk assessment method and apparatus, electronic device, and storage medium

Technical Field

One or more embodiments of this specification relate to the field of artificial intelligence, and in particular to a user risk assessment method and apparatus, an electronic device, and a storage medium.

Background

Risk control refers to risk managers taking various measures and methods to eliminate or reduce the possibility of risk events occurring, or to reduce the losses caused when risk events do occur. By accurately identifying the potential risks of users, an enterprise can improve the security protection capabilities of itself and its partners, which helps business growth.

Summary of the Invention

In view of this, one or more embodiments of this specification provide a user risk assessment method and apparatus, an electronic device, and a storage medium.

To achieve the foregoing objectives, one or more embodiments of this specification provide the following technical solutions.
According to a first aspect of one or more embodiments of this specification, a user risk assessment method is provided, including: inputting behavior information of a user of a target partner into a student risk control model corresponding to the target partner, the student risk control model being obtained by performing knowledge distillation on target sample data of the target partner based on a soft label value of the target sample data and a risk label value originally marked on the target sample data and used as a hard label value; the soft label value being obtained by integrating, in a trusted execution environment, the prediction results of multiple teacher risk control models for the target sample data; each teacher risk control model being decrypted in the trusted execution environment and obtained by training sample data of a corresponding other partner, where any piece of sample data contains behavior information marked with a risk label value; and determining a risk score of the user according to the output result of the student risk control model.
According to a second aspect of one or more embodiments of this specification, a knowledge transfer method based on a machine learning model is provided, including: obtaining teacher networks of multiple source domains and target sample data of a target domain, and reading the obtained teacher networks into a trusted execution environment for decryption, each teacher network being obtained by training sample data of its respective source domain; in the trusted execution environment, inputting the target sample data into each teacher network to obtain each teacher network's prediction result for the target sample data, and integrating the obtained prediction results to obtain a soft label value corresponding to the target sample data; and performing knowledge distillation on the target sample data based on the soft label value and the hard label value originally marked on the target sample data, to obtain a student network of the target domain.
According to a third aspect of one or more embodiments of this specification, a knowledge transfer method based on a machine learning model is provided, including: obtaining teacher networks of multiple source domains and target sample data of a target domain, and reading the obtained teacher networks into a trusted execution environment for decryption, each teacher network being obtained by training sample data of its respective source domain; in the trusted execution environment, inputting the target sample data into each teacher network to obtain each teacher network's prediction result for the target sample data, integrating the obtained prediction results to obtain a soft label value corresponding to the target sample data, and encrypting the soft label value; and returning the encrypted soft label value to the provider of the target sample data, so that the provider decrypts the received soft label value and performs knowledge distillation on the target sample data based on the decrypted soft label value and the hard label value originally marked on the target sample data, to obtain a student network of the target domain.
According to a fourth aspect of one or more embodiments of this specification, a knowledge transfer method based on a machine learning model is provided, including: sending target sample data to a maintainer of a trusted execution environment, so that the maintainer, in the trusted execution environment, inputs the target sample data into teacher networks of multiple source domains to obtain each teacher network's prediction result for the target sample data, and integrates the obtained prediction results to obtain a soft label value corresponding to the target sample data, each teacher network being obtained by training sample data of its respective source domain and decrypted in the trusted execution environment; and receiving the encrypted soft label value returned by the maintainer, decrypting the received soft label value, and performing knowledge distillation on the target sample data based on the decrypted soft label value and the hard label value originally marked on the target sample data, to obtain a student network of the target domain.
According to a fifth aspect of one or more embodiments of this specification, a user risk assessment apparatus is provided, including: an information input unit, which inputs behavior information of a user of a target partner into a student risk control model corresponding to the target partner, the student risk control model being obtained by performing knowledge distillation on target sample data of the target partner based on a soft label value of the target sample data and a risk label value originally marked on the target sample data and used as a hard label value, the soft label value being obtained by integrating, in a trusted execution environment, the prediction results of multiple teacher risk control models for the target sample data, each teacher risk control model being decrypted in the trusted execution environment and obtained by training sample data of a corresponding other partner, where any piece of sample data contains behavior information marked with a risk label value; and a risk assessment unit, which determines a risk score of the user according to the output result of the student risk control model.
According to a sixth aspect of one or more embodiments of this specification, a knowledge transfer apparatus based on a machine learning model is provided, including: an acquisition unit, which obtains teacher networks of multiple source domains and target sample data of a target domain, and reads the obtained teacher networks into a trusted execution environment for decryption, each teacher network being obtained by training sample data of its respective source domain; an integration unit, which, in the trusted execution environment, inputs the target sample data into each teacher network to obtain each teacher network's prediction result for the target sample data, and integrates the obtained prediction results to obtain a soft label value corresponding to the target sample data; and a training unit, which performs knowledge distillation on the target sample data based on the soft label value and the hard label value originally marked on the target sample data, to obtain a student network of the target domain.
According to a seventh aspect of one or more embodiments of this specification, a knowledge transfer apparatus based on a machine learning model is provided, including: an acquisition unit, which obtains teacher networks of multiple source domains and target sample data of a target domain, and reads the obtained teacher networks into a trusted execution environment for decryption, each teacher network being obtained by training sample data of its respective source domain; an integration unit, which, in the trusted execution environment, inputs the target sample data into each teacher network to obtain each teacher network's prediction result for the target sample data, integrates the obtained prediction results to obtain a soft label value corresponding to the target sample data, and encrypts the soft label value; and a returning unit, which returns the encrypted soft label value to the provider of the target sample data, so that the provider decrypts the received soft label value and performs knowledge distillation on the target sample data based on the decrypted soft label value and the hard label value originally marked on the target sample data, to obtain a student network of the target domain.
According to an eighth aspect of one or more embodiments of this specification, a knowledge transfer apparatus based on a machine learning model is provided, including: a sending unit, which sends target sample data to a maintainer of a trusted execution environment, so that the maintainer, in the trusted execution environment, inputs the target sample data into teacher networks of multiple source domains to obtain each teacher network's prediction result for the target sample data, and integrates the obtained prediction results to obtain a soft label value corresponding to the target sample data, each teacher network being obtained by training sample data of its respective source domain and decrypted in the trusted execution environment; and a training unit, which receives the encrypted soft label value returned by the maintainer, decrypts the received soft label value, and performs knowledge distillation on the target sample data based on the decrypted soft label value and the hard label value originally marked on the target sample data, to obtain a student network of the target domain.
According to a ninth aspect of one or more embodiments of this specification, an electronic device is provided, including: a processor; and a memory for storing instructions executable by the processor; where the processor implements the user risk assessment method described in the first aspect by running the executable instructions.

According to a tenth aspect of one or more embodiments of this specification, an electronic device is provided, including: a processor; and a memory for storing instructions executable by the processor; where the processor implements the knowledge transfer method based on a machine learning model described in the second aspect by running the executable instructions.

According to an eleventh aspect of one or more embodiments of this specification, an electronic device is provided, including: a processor; and a memory for storing instructions executable by the processor; where the processor implements the knowledge transfer method based on a machine learning model described in the third aspect by running the executable instructions.

According to a twelfth aspect of one or more embodiments of this specification, an electronic device is provided, including: a processor; and a memory for storing instructions executable by the processor; where the processor implements the knowledge transfer method based on a machine learning model described in the fourth aspect by running the executable instructions.
According to a thirteenth aspect of the embodiments of the present disclosure, a computer-readable storage medium is provided, on which computer instructions are stored, where the instructions, when executed by a processor, implement the steps of the user risk assessment method described in the first aspect.

According to a fourteenth aspect of the embodiments of the present disclosure, a computer-readable storage medium is provided, on which computer instructions are stored, where the instructions, when executed by a processor, implement the steps of the knowledge transfer method based on a machine learning model described in the second aspect.

According to a fifteenth aspect of the embodiments of the present disclosure, a computer-readable storage medium is provided, on which computer instructions are stored, where the instructions, when executed by a processor, implement the steps of the knowledge transfer method based on a machine learning model described in the third aspect.

According to a sixteenth aspect of the embodiments of the present disclosure, a computer-readable storage medium is provided, on which computer instructions are stored, where the instructions, when executed by a processor, implement the steps of the knowledge transfer method based on a machine learning model described in the fourth aspect.
Brief Description of the Drawings

Fig. 1 is a schematic architectural diagram of a knowledge transfer system based on a machine learning model provided by an exemplary embodiment.

Fig. 2 is a flowchart of a knowledge transfer method based on a machine learning model provided by an exemplary embodiment.

Fig. 3 is a flowchart of another knowledge transfer method based on a machine learning model provided by an exemplary embodiment.

Fig. 4 is a flowchart of another knowledge transfer method based on a machine learning model provided by an exemplary embodiment.

Fig. 5 is a flowchart of a user risk assessment method provided by an exemplary embodiment.

Fig. 6 is a flowchart of issuing the public and private keys of a digital envelope provided by an exemplary embodiment.

Fig. 7 is an interaction diagram of a knowledge transfer method based on a machine learning model provided by an exemplary embodiment.

Fig. 8 is a schematic structural diagram of a device provided by an exemplary embodiment.

Fig. 9 is a block diagram of a user risk assessment apparatus provided by an exemplary embodiment.

Fig. 10 is a schematic structural diagram of another device provided by an exemplary embodiment.

Fig. 11 is a block diagram of a knowledge transfer apparatus based on a machine learning model provided by an exemplary embodiment.

Fig. 12 is a schematic structural diagram of another device provided by an exemplary embodiment.

Fig. 13 is a block diagram of another knowledge transfer apparatus based on a machine learning model provided by an exemplary embodiment.

Fig. 14 is a schematic structural diagram of another device provided by an exemplary embodiment.

Fig. 15 is a block diagram of another knowledge transfer apparatus based on a machine learning model provided by an exemplary embodiment.
Detailed Description

Exemplary embodiments will be described in detail here, examples of which are shown in the accompanying drawings. Where the following description refers to the drawings, unless otherwise indicated, the same numbers in different drawings represent the same or similar elements. The implementations described in the following exemplary embodiments do not represent all implementations consistent with one or more embodiments of this specification; rather, they are merely examples of apparatuses and methods consistent with some aspects of one or more embodiments of this specification, as detailed in the appended claims.

It should be noted that in other embodiments, the steps of the corresponding method are not necessarily executed in the order shown and described in this specification. In some other embodiments, the method may include more or fewer steps than those described in this specification. In addition, a single step described in this specification may be decomposed into multiple steps in other embodiments, and multiple steps described in this specification may be combined into a single step in other embodiments.
Fig. 1 is a schematic architectural diagram of a knowledge transfer system based on a machine learning model provided by an exemplary embodiment. As shown in Fig. 1, the system may include a server 11, a network 12, and several electronic devices, such as mobile phones 13 and 14 and PCs 15 and 16.

The server 11 may be a physical server containing an independent host, or may be a virtual server carried by a host cluster. During operation, the server 11 serves as the server side that interfaces with each partner, that is, it provides the partners with a platform for cooperation, used to transfer the performance of the teacher networks trained by the partners to a student network.

The mobile phones 13-14 and PCs 15-16 are just some of the types of electronic devices that users may use. In fact, the partners interfacing with the server 11 may obviously also use electronic devices of other types, such as tablet devices, notebook computers, personal digital assistants (PDAs), and wearable devices (such as smart glasses and smart watches), which is not limited by one or more embodiments of this specification. In the technical solutions of one or more embodiments of this specification, each partner trains a teacher network using its own sample data, which can then guide the training of a related student network; the model parameters learned by the teacher network (which can also be understood as the knowledge learned by the teacher network) are shared with the student network to improve the student network's performance.

The network 12 through which the mobile phones 13-14 and PCs 15-16 interact with the server 11 may include multiple types of wired or wireless networks. In an embodiment, the network 12 may include the Public Switched Telephone Network (PSTN) and the Internet.
Fig. 2 is a flowchart of a knowledge transfer method based on a machine learning model provided by an exemplary embodiment. As shown in Fig. 2, the method is applied to the server side and may include steps 202 to 206.

Step 202: obtain teacher networks of multiple source domains and target sample data of a target domain, and read the obtained teacher networks into a trusted execution environment for decryption, where each teacher network is obtained by training sample data of its respective source domain.
In this embodiment, when training a supervised machine learning model, collecting sample data annotated with label values may be difficult: for example, little sample data may have accumulated over time, or the volume of sample data to collect may be large, making collection time-consuming and costly. Furthermore, even when sample data is sufficient, building a model from scratch is expensive and inefficient. Therefore, when there is a need to train a supervised machine learning model for a certain domain, transfer learning can be used to migrate the knowledge learned by already-trained models related to that domain (for example, of the same type, or with high similarity) into the machine learning model of that domain, thereby improving training efficiency. In other words, existing knowledge is used to learn new knowledge, there being similarity between the existing knowledge and the new knowledge. In transfer learning, the domain of the existing knowledge is called the source domain, and the domain of the new knowledge to be learned is called the target domain. The source domain usually has a large amount of labeled data, whereas the target domain often has only a small number of labeled samples; the source and target domains are different but related to some extent, and knowledge transfer can be carried out by reducing the distribution difference between them.
Further, knowledge distillation is introduced into the transfer process to improve the generalization ability and performance of the model to be trained. Specifically, a teacher-student network is adopted: knowledge is distilled from the teacher network to guide the training of the student network. The teacher network is often a more complex network with very good performance and generalization ability; it can serve as a soft target to guide a simpler student network's learning, so that a simpler student model with fewer parameters and less computation can achieve performance close to that of the teacher network.
In the technical solutions of one or more embodiments of this specification, the teacher network corresponds to a source domain, i.e., a supervised learning model already trained in the source domain serves as the teacher network, guiding the learning of the student network and transferring its learned knowledge to the student network; the student network corresponds to the target domain, i.e., the model to be trained in the target domain serves as the student network.
In this embodiment, when a partner interfacing with the server has a model to be trained, the server can perform transfer learning from supervised machine learning models already trained by other partners whose domains are related to that partner's, so as to guide the learning of the model to be trained. Then, in the process of training the student network of the target domain, there is no need to collect a large amount of target-domain sample data anew for training, so the efficiency of training the student network can be improved. At the same time, the student network can inherit the good generalization ability and performance of the teacher networks.
In this embodiment, one or more teacher networks can be selected to guide the training of the student network, with a one-to-one correspondence between source domains and teacher networks. To improve the generalization ability and performance of the student network (i.e., to better transfer the teacher networks' generalization ability and performance to the student network), domains with high similarity to the target domain can be selected as source domains. As an exemplary embodiment, each source domain can be required to belong to the same type as the target domain: for example, in image recognition, all used for recognizing vehicles, all used for recognizing felines, or all used for face recognition.
In this embodiment, when multiple teacher networks are selected, the machine-learning-model-based knowledge transfer scheme of this specification can be understood as the data providers of the various source domains cooperating to complete the training of the student network; that is, multiple data providers, each owning its own sample data, jointly use one another's data to train a machine learning model. Note that each data provider's sample data is its own private data, so the above multi-party joint modelling process should be carried out while ensuring the data security of all parties. Therefore, each data provider, as the executing party for training a teacher network, trains its teacher network in its own source domain using the sample data it has labeled itself. In other words, each teacher network is obtained by the data provider of its source domain training on its own private data as sample data. Thus, on the one hand, the data providers cooperatively training their respective teacher networks can improve the efficiency of subsequently training the student network; on the other hand, the training of each source domain's teacher network never leaves its own domain, which preserves the privacy of each source domain's sample data.
In this embodiment, each teacher network is private data of its source domain, the target sample data is private data of the target domain, and each teacher network's prediction results for the target sample data constitute decision privacy (i.e., the privacy of each teacher network's output). Therefore, for privacy and security, a TEE (Trusted Execution Environment) can be introduced: within the TEE, the teacher networks are used to predict on the target sample data, and ensemble learning is performed on the resulting predictions. A TEE acts as a black box in hardware: neither the code executed in the TEE nor its data can be peeked at by the operating system layer, and only the interfaces predefined in the code can operate on it.
Correspondingly, before sending its trained teacher network to the server, a teacher network's provider can encrypt the teacher network; the server then first decrypts the teacher network inside the TEE and uses the decrypted teacher network to predict on the target sample data. Similarly, the provider of the target sample data can encrypt the target sample data before sending it to the server; the server then first decrypts the target sample data inside the TEE and feeds the decrypted target sample data into the teacher networks. On the one hand, decrypting the teacher networks and target sample data inside the TEE effectively protects user privacy; on the other hand, prediction inside the TEE is performed on the plaintext teacher networks and target sample data rather than on ciphertext, so the prediction process loses no efficiency. Therefore, combining the TEE with the training of the student network improves security and privacy at little cost in performance. The encryption of the teacher networks and target sample data is described in detail below. Meanwhile, the only operations performed inside the TEE are encryption/decryption and prediction, which do not occupy a large amount of the TEE's memory space.
Step 204: within the trusted execution environment, input the target sample data into each teacher network to obtain each teacher network's prediction result for the target sample data, and integrate the obtained prediction results to obtain a soft label value corresponding to the target sample data.
In this embodiment, in order that the trained student network be a diverse (comprehensive) strongly supervised model, one that is stable and performs well in all respects rather than a biased (weakly supervised) model that performs well only in some respects, ensemble learning can be performed inside the TEE on the prediction results obtained from the multiple teacher networks. Through ensemble learning over the multiple prediction results, when a certain teacher network mispredicts the target sample data, the misprediction can be corrected by the other teacher networks, achieving the effects of reducing variance (bagging), reducing bias (boosting), and improving prediction (stacking). The specific implementation of the ensemble learning can be chosen flexibly according to the actual situation, and one or more embodiments of this specification place no limitation on this. For example, voting or weighted averaging can be adopted; as another example, algorithms such as Bagging (bootstrap aggregating, e.g., random forest), Boosting, and Stacking can be used.
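As a minimal illustrative sketch (not part of the patent text; the function name and the uniform-weight default are assumptions), the weighted-average option mentioned above could look like the following, where a misprediction by one teacher is outvoted by the others:

```python
def ensemble_soft_labels(teacher_probs, weights=None):
    """Combine per-teacher class-probability vectors into one soft label vector.

    teacher_probs: list of equal-length probability vectors, one per teacher.
    weights: optional per-teacher weights; defaults to a uniform average.
    """
    n_teachers = len(teacher_probs)
    n_classes = len(teacher_probs[0])
    if weights is None:
        weights = [1.0 / n_teachers] * n_teachers
    total = sum(weights)
    soft = [0.0] * n_classes
    for w, probs in zip(weights, teacher_probs):
        for i, p in enumerate(probs):
            soft[i] += (w / total) * p
    return soft

# Three teachers score the same target sample; the second teacher's
# misprediction (favoring class 0) is outvoted by the other two.
teachers = [[0.1, 0.9], [0.7, 0.3], [0.2, 0.8]]
soft_label = ensemble_soft_labels(teachers)  # still favors class 1
```

The same structure admits voting (argmax of each vector, then majority) by swapping out the averaging step.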
Step 206: based on the soft label value and the hard label value with which the target sample data was originally annotated, perform knowledge distillation on the target sample data to obtain the student network of the target domain.
In this embodiment, the hard label value is the label value with which the target sample data was originally annotated; for example, it is obtained by the provider of the target sample data (belonging to the target domain) annotating that data. After the soft label value (soft target) corresponding to the target sample data is obtained through ensemble learning, knowledge distillation is performed on the target sample data based on the soft label value and the originally annotated hard label value (hard target), to obtain the student network of the target domain. The hard target, derived from the (relatively small) target sample data, carries a low amount of information (information entropy), whereas the soft target comes from the prediction output of the large models (the teacher networks), has higher entropy, and can provide more information than the hard target. Therefore, using the soft target to assist training together with the hard target, i.e., using less data and a larger learning rate, enables a simpler student model with fewer parameters and less computation to achieve performance close to that of the teacher networks (this can therefore also be understood as a form of model compression). In other words, the training of the student network involves two objective functions: one corresponds to the hard target, i.e., the original objective function, the cross-entropy between the student network's class probability output and the true label values; the other corresponds to the soft target, the cross-entropy between the student network's class probability output and the teacher networks' class probability output. For the soft target, a temperature parameter T is added to the softmax function:
$$q_i = \frac{\exp(z_i / T)}{\sum_j \exp(z_j / T)}$$
where q_i is the probability value of the i-th class, and the input z_i is the prediction value (logit) of the i-th class. Logits are the raw (unnormalized) predictions generated by a classification model and are usually passed to a normalization function. When the model solves a multi-class classification problem, the logits are usually taken as the input of the softmax function, which generates a (normalized) probability vector with one entry per possible class. The softmax function computes each class's logit z_i into a probability q_i by comparing z_i with the other logits.
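A small sketch of the temperature softmax defined above (illustrative only; the function name and example logits are assumptions) shows how a larger T flattens the output distribution:

```python
import math

def softmax_with_temperature(logits, T=1.0):
    """q_i = exp(z_i / T) / sum_j exp(z_j / T); a higher T softens the output."""
    # Subtract the max for numerical stability (does not change the result).
    m = max(z / T for z in logits)
    exps = [math.exp(z / T - m) for z in logits]
    s = sum(exps)
    return [e / s for e in exps]

logits = [3.0, 1.0, 0.2]
hard_probs = softmax_with_temperature(logits, T=1.0)   # peaked distribution
soft_probs = softmax_with_temperature(logits, T=20.0)  # much flatter, higher entropy
```

At T=1 this is the ordinary softmax; as T grows, the probabilities approach uniform, which is why the softened output carries more information about inter-class similarity.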
Further, the loss value is L = αL^(soft) + (1-α)L^(hard), where the soft loss (loss1) is computed between the student model's softened softmax output (e.g., T=20) and the teacher model's softmax output at the same temperature (T=20), and the hard loss (loss2) is computed between the softmax output at T=1 and the original label.
For example, the objective function corresponding to the hard target and the objective function corresponding to the soft target can be combined by weighted averaging to form the student network's final objective function; for instance, the soft target can be given the larger weight. As another example, T can take an intermediate value, with the soft target assigned a weight of T^2 and the hard target a weight of 1. Of course, any other weights can also be set; one or more embodiments of this specification place no limitation on this.
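The combined loss L = αL^(soft) + (1-α)L^(hard) with the T^2-to-1 weighting suggested above can be sketched as follows (illustrative only; the function names, the example temperature, and folding the T^2/1 weights into a normalized α are assumptions, not the patent's prescription):

```python
import math

def softmax(logits, T=1.0):
    m = max(z / T for z in logits)
    exps = [math.exp(z / T - m) for z in logits]
    s = sum(exps)
    return [e / s for e in exps]

def cross_entropy(target_probs, pred_probs, eps=1e-12):
    return -sum(t * math.log(p + eps) for t, p in zip(target_probs, pred_probs))

def distillation_loss(student_logits, teacher_soft_probs, hard_label, T=2.0, alpha=None):
    """L = alpha * L_soft + (1 - alpha) * L_hard.

    L_soft: cross-entropy of the student's T-softened output vs. the ensembled
            teacher soft label (assumed already computed at temperature T).
    L_hard: cross-entropy of the student's T=1 output vs. the one-hot hard label.
    """
    if alpha is None:
        # Soft weight T^2, hard weight 1, normalized into a single alpha.
        alpha = T * T / (T * T + 1.0)
    one_hot = [1.0 if i == hard_label else 0.0 for i in range(len(student_logits))]
    l_soft = cross_entropy(teacher_soft_probs, softmax(student_logits, T))
    l_hard = cross_entropy(one_hot, softmax(student_logits, 1.0))
    return alpha * l_soft + (1.0 - alpha) * l_hard

loss = distillation_loss([2.0, 0.5], teacher_soft_probs=[0.7, 0.3], hard_label=0)
```

A student whose output agrees with both the teacher soft label and the hard label yields a lower loss than one that contradicts them, which is what drives the distillation.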
Meanwhile, since there is no restriction on the training process of the student network for the target domain, a highly interpretable student network can be obtained. Taking a classifier as an example: since there is no restriction on the classifier, a highly interpretable classifier can be used for training.
In the machine-learning-model-based knowledge transfer scheme of this specification, besides the server training the student network through knowledge distillation as above, this operation can also be performed by the provider of the target sample data. Refer to Fig. 3, which is a flowchart of another machine-learning-model-based knowledge transfer method provided by an exemplary embodiment. As shown in Fig. 3, the method is applied to the server and may include steps 302-306.
Step 302: obtain teacher networks of multiple source domains and target sample data of the target domain, and read the obtained teacher networks into the trusted execution environment for decryption; each teacher network is obtained by training on the sample data of its respective source domain.
Step 304: within the trusted execution environment, input the target sample data into each teacher network to obtain each teacher network's prediction result for the target sample data, integrate the obtained prediction results to obtain the soft label value corresponding to the target sample data, and encrypt the soft label value.
In this embodiment, the teacher networks and/or the target sample data can be encrypted using a digital envelope, which combines a symmetric encryption algorithm with an asymmetric encryption algorithm. Taking a teacher network as an example (the target sample data is handled similarly), the teacher network's provider can encrypt the teacher network with a symmetric encryption algorithm (i.e., encrypt it with the symmetric key the provider itself uses), and then encrypt that symmetric key with the public key of an asymmetric encryption algorithm (i.e., the digital envelope public key). For example, the provider can use the server's public key (the digital envelope public key) to encrypt the symmetric key used to encrypt the teacher network. The process by which the provider obtains the server's public key is described in detail below.
From the above manner of encrypting the teacher networks and/or target sample data, the data to be decrypted is encrypted by the corresponding provider with its own symmetric key. Therefore, the server can first obtain the symmetric key corresponding to the provider, and then decrypt the data to be decrypted inside the TEE with the obtained symmetric key. As for obtaining the symmetric key corresponding to the provider: since the symmetric key used to encrypt the data to be decrypted was itself encrypted with the server's public key, it can be decrypted inside the TEE with the server's private key (i.e., the digital envelope private key) to obtain the decrypted symmetric key.
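The digital-envelope flow described above (symmetric-encrypt the payload, then encrypt the symmetric key with the server's public key, with the server unwrapping both inside the TEE) can be sketched with toy primitives. This is illustrative only and NOT secure cryptography: textbook RSA with tiny primes stands in for the asymmetric algorithm, and a SHA-256-derived XOR keystream stands in for the symmetric algorithm.

```python
import hashlib

# Toy textbook-RSA keypair standing in for the server's digital envelope keys.
N, E, D = 3233, 17, 2753  # n = 61 * 53; e * d = 1 (mod phi(n))

def xor_stream(data: bytes, key: int) -> bytes:
    """Toy symmetric cipher: XOR with a SHA-256-derived keystream (not secure)."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        block = key.to_bytes(4, "big") + counter.to_bytes(4, "big")
        stream += hashlib.sha256(block).digest()
        counter += 1
    return bytes(b ^ s for b, s in zip(data, stream))

def seal(payload: bytes, sym_key: int):
    """Provider side: symmetric-encrypt the payload, RSA-wrap the symmetric key."""
    return xor_stream(payload, sym_key), pow(sym_key, E, N)

def open_envelope(ciphertext: bytes, wrapped_key: int) -> bytes:
    """Server (TEE) side: recover the symmetric key with the private key, then the payload."""
    sym_key = pow(wrapped_key, D, N)
    return xor_stream(ciphertext, sym_key)

model_bytes = b"serialized teacher network"
ct, wrapped = seal(model_bytes, sym_key=1234)
recovered = open_envelope(ct, wrapped)
```

A real deployment would use an authenticated symmetric cipher (e.g., AES-GCM) and a padded RSA or ECC scheme; the point here is only the two-layer wrap/unwrap structure.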
A TEE is a secure extension based on CPU hardware, a trusted execution environment completely isolated from the outside. TEE was originally a concept proposed by Global Platform to solve the secure isolation of resources on mobile devices, providing a trusted and secure execution environment for applications in parallel with the operating system. ARM's TrustZone technology was the first to realize truly commercial TEE technology. With the rapid development of the Internet, security requirements have grown ever higher: not only mobile devices but also cloud devices and data centers have placed more demands on TEE, and the concept of TEE has developed and expanded rapidly. The TEE referred to now is broader than the concept originally proposed. For example, server chip manufacturers such as Intel and AMD have successively introduced hardware-assisted TEEs and enriched the concept and features of TEE, which have been widely recognized in industry; the TEE mentioned now usually refers to this kind of hardware-assisted TEE technology. Unlike the mobile side, cloud access requires remote access and the hardware platform is invisible to the end user, so the first step in using a TEE is to confirm that the TEE is authentic and trustworthy. Therefore, a remote attestation mechanism can be introduced for TEE technology, endorsed by hardware vendors (mainly CPU vendors) and using digital signature technology to ensure that users can verify the TEE's state. At the same time, secure resource isolation alone cannot satisfy all security needs, and further data privacy protection has also been proposed. Commercial TEEs including Intel SGX and AMD SEV provide memory encryption technology that confines the trusted hardware to the CPU; data on the bus and in memory is ciphertext, preventing malicious users from snooping. For example, TEE technologies such as Intel's Software Guard Extensions (SGX) isolate code execution, remote attestation, secure configuration, secure storage of data, and trusted paths for executing code. Applications running in a TEE are protected and virtually impossible for third parties to access.
Taking Intel SGX technology as an example, SGX provides an enclave, an encrypted trusted execution area in memory in which the CPU protects data from theft. Taking a server using an SGX-capable CPU as an example, with the newly added processor instructions a region of memory called the EPC (Enclave Page Cache) can be allocated, and the data in it is encrypted by the MEE (Memory Encryption Engine) inside the CPU. Encrypted content in the EPC is decrypted into plaintext only after entering the CPU. Therefore, with SGX, users need not trust the operating system, the VMM (Virtual Machine Monitor), or even the BIOS (Basic Input Output System); they need only trust the CPU to ensure that private data will not leak.
Therefore, the server's TEE can be established through the SGX architecture. After the TEE passes remote attestation initiated through a key management server, the digital envelope public key is sent by the key management server to the provider of the data to be decrypted, and the digital envelope private key is sent by the key management server to the TEE's enclave.
Step 306: return the encrypted soft label value to the provider of the target sample data, so that the provider decrypts the received soft label value and, based on the decrypted soft label value and the hard label value with which the target sample data was originally annotated, performs knowledge distillation on the target sample data to obtain the student network of the target domain.
Correspondingly, Fig. 4 is a flowchart of another machine-learning-model-based knowledge transfer method provided by an exemplary embodiment. As shown in Fig. 4, the method is applied to the provider of the target sample data and may include steps 402-404.
Step 402: send the encrypted target sample data to the maintainer of the trusted execution environment, so that within the trusted execution environment the maintainer inputs the target sample data into the teacher networks of multiple source domains to obtain each teacher network's prediction result for the target sample data, and integrates the obtained prediction results to obtain the soft label value corresponding to the target sample data; each teacher network is obtained by training on the sample data of its respective source domain, and is decrypted within the trusted execution environment.
Step 404: receive the encrypted soft label value returned by the maintainer, decrypt the received soft label value, and, based on the decrypted soft label value and the hard label value with which the target sample data was originally annotated, perform knowledge distillation on the target sample data to obtain the student network of the target domain.
It should be noted that for the specific process of training the student network in Figs. 3-4, reference may be made to the corresponding content of the embodiment shown in Fig. 2, which will not be repeated here.
In the technical solutions of one or more embodiments of this specification, the specific content of the sample data can be set flexibly according to the actual application scenario. For example, the data types of the sample data can include images, text, speech, and so on. Likewise, the annotation of the sample data can be set flexibly according to the actual application scenario, as illustrated by the following examples.
In scenarios of risk control over entities, the potential risks of users or merchants can be predicted, such as the risks of loans or real-time transactions. Taking real-time transactions as an example, a cooperation platform interfaces and cooperates with merchants, and each merchant has accumulated a large amount of sample data in the course of business. The sample data (in text form, or of other data types) includes users' basic information, behavior information, transaction information, and so on, and merchants can annotate the sample data along the transaction-risk dimension. When the cooperation platform newly onboards a newly opened merchant a, the limited sample data at merchant a's disposal makes it impossible to train an accurate and comprehensive risk control model. The newly onboarded merchant a can then carry out joint modeling with other merchants of the same type on the cooperation platform. In this case, the newly onboarded merchant a belongs to the target domain, the small amount of sample data it holds is the target sample data, and the risk control model to be trained is the student network; merchants 1-n on the cooperation platform that are in the same industry as the newly onboarded merchant (for example, all funds or all insurance companies) belong to the source domains, and merchants 1-n can train teacher networks on the large amounts of sample data they have each accumulated to guide the training of the student network. After the joint modeling of the student network is completed, merchant a can input an acquired user's basic information, behavior information, transaction information, and other data into the student network, thereby predicting a risk score for the current transaction with that user.
In smart recommendation scenarios, users' potential needs can be predicted, such as the goods a user wants to buy, the news a user is interested in, or the books a user likes to read. Taking sellers recommending goods to users as an example, a cooperation platform interfaces and cooperates with multiple sellers, and each seller has accumulated a large number of user purchase records in the course of business. The sample data (in text form, or of other data types) is user information such as occupation, income, age, and gender, and a seller can annotate the sample data according to the goods the users purchased in the purchase records. When the cooperation platform newly onboards a seller a, its limited history of users makes it impossible to recommend goods to users. The newly onboarded seller a can then carry out joint modeling with other sellers of the same type on the cooperation platform. In this case, the newly onboarded seller a belongs to the target domain, the small number of user purchase records it holds serves as the target sample data, and the goods recommendation model to be trained is the student network; sellers 1-n on the cooperation platform that are in the same industry as the newly onboarded seller (for example, all in catering or all in clothing) belong to the source domains, and sellers 1-n can train teacher networks on the large numbers of user purchase records they have each accumulated to guide the training of the student network. After the joint modeling of the student network is completed, seller a can input an acquired user's information into the student network to predict the goods the user may want to purchase, and then recommend corresponding goods to the user according to the prediction results.
In the intelligent customer service scenario, real-time voice conversations can be conducted with users to answer their questions or chat with them. For example, the cooperation platform cooperates with many companies, and each company has accumulated a large amount of dialogue data in the course of providing customer service to users. Here, the sample data can be text, images, or speech input by users, and the annotation of the sample data is the content of the customer service replies to users in the dialogue data. When another company a newly joins the cooperation platform and wants to provide users with intelligent customer service, if the dialogue data between users and customer service that it holds is limited, it can perform joint modeling with other companies on the cooperation platform. For example, companies 1-n that provide customer service such as voice assistants, chat tools, and question answering can perform joint modeling with their respective accumulated dialogue data, where the customer-service dialogue scenarios of companies 1-n have a certain degree of similarity. In this case, the newly joined company a belongs to the target domain, the small amount of dialogue data it holds is the target sample data, and the customer service model to be trained is the student network; companies 1-n belong to the source domain, and companies 1-n can use their respective accumulated large amounts of dialogue data to train teacher networks that guide the training of the student network. After the joint modeling of the student network is completed, company a (or companies 1-n) can use the student network to provide users with intelligent customer service, that is, take the dialogue content (text, image, speech, etc.) initiated by a user as the input of the student network and use the output result as the reply in the conversation.
The following takes the risk control application scenario as an example to describe the application process of the student network trained in the foregoing embodiments. Please refer to FIG. 5, which is a flowchart of a user risk assessment method provided by an exemplary embodiment. As shown in FIG. 5, the assessment method may include the following steps:
Step 502: Input the behavior information of a user of the target partner into the student risk control model corresponding to the target partner. The student risk control model is obtained by performing knowledge distillation on the target sample data of the target partner, based on a soft label value of the target sample data and the risk label value with which the target sample data was originally annotated, which serves as the hard label value. The soft label value is obtained by integrating, within a trusted execution environment, the prediction results of multiple teacher risk control models for the target sample data; each teacher risk control model and the target sample data are decrypted within the trusted execution environment, and each teacher risk control model is obtained by training on the sample data of a corresponding other partner. Any piece of sample data contains behavior information annotated with a risk label value.
Step 504: Determine the risk score of the user according to the output result of the student risk control model.
In this embodiment, in the risk control application scenario, the student risk control model corresponds to the student network in the embodiments of FIGS. 2-4, and the teacher risk control models correspond to the teacher networks in those embodiments. The specific content of the sample data used to train each model is users' behavior information, and the annotated content is the users' risk scores; in other words, the input of each model is a user's behavior information, and the output is the user's risk score (including a probability distribution). Multiple parties cooperate on the same platform; the target partner belongs to the target domain and is the provider of the target sample data, and the model to be trained is the student risk control model, so the teacher risk control models of other partners can be used to guide the training of the student risk control model. For the specific training process, refer to the embodiments shown in FIGS. 2-4, which will not be repeated here.
After the student risk control model corresponding to the target partner is trained, in one case, the student risk control model can be deployed on the client side of the target partner. After obtaining a user's behavior information, the target partner can input the behavior information into the student risk control model through the client to determine the user's risk score from the output result, and then decide how to handle the user subsequently. For example, when the risk score is low (indicating that the user is relatively safe), consumption benefits can be issued to the user; when the risk score is high (indicating that the user poses a potential risk), the user's registration request can be intercepted. In another case, the student risk control model can be deployed on the server side that interfaces with the target partner; after obtaining a user's behavior information, the target partner can send the behavior information to the server through the client, so that the server uses the student risk control model to determine the user's risk score and returns it to the client for display.
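The client-side decision flow above can be sketched as follows. The feature names, thresholds, and the `student_model` stand-in are illustrative assumptions, not part of the patent; a real deployment would call the trained student risk control model instead:

```python
# Toy sketch of client-side risk scoring with a trained student model.
# The model interface and the threshold below are illustrative assumptions.

def student_model(behavior_features):
    # Stand-in for the trained student risk control model: returns a
    # probability distribution over {low risk, high risk}.
    suspicious = behavior_features.get("failed_logins", 0) > 3
    return [0.2, 0.8] if suspicious else [0.9, 0.1]

def assess_user(behavior_features, high_risk_threshold=0.7):
    low, high = student_model(behavior_features)
    risk_score = high  # probability of the high-risk class
    if risk_score >= high_risk_threshold:
        return risk_score, "intercept registration request"
    return risk_score, "issue consumption benefits"

score, action = assess_user({"failed_logins": 5})
```

In the server-side deployment described above, only the call site changes: the client sends `behavior_features` to the server, which runs the same scoring and returns the score for display.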
In this embodiment, to improve the generalization ability and performance of the student risk control model (that is, to better transfer the generalization ability and performance of the teacher risk control models to the student risk control model), teacher risk control models of other partners with high similarity to the target partner can be selected to guide the training of the student risk control model. As an exemplary embodiment, it can be required that the target partner and these other partners belong to the same type of partner, for example, all in the catering industry or all in the financial industry.
In this embodiment, to protect the privacy of each of the other partners, each teacher risk control model is obtained by the corresponding other partner training on its own sample data. In other words, the other partners, as the executors of teacher risk control model training, each use their own annotated sample data to train their teacher risk control models. On the one hand, the partners training their respective teacher risk control models collaboratively can improve the efficiency of the subsequent training of the student risk control model; on the other hand, the training process of each teacher risk control model never leaves its own domain, which guarantees the privacy of the sample data in each source domain.
For ease of understanding, the technical solutions of this specification are described in detail below in conjunction with application scenarios and the accompanying drawings.
Please refer to FIG. 6, which is a flowchart of issuing the public and private keys of a digital envelope according to an exemplary embodiment. As shown in FIG. 6, the process may include steps 602 to 616B.
In step 602, the key management server 61 sends a verification request for SGX to the server 62.
In this embodiment, the public key (that is, the server public key) and the private key (that is, the server private key) of the digital envelope can be generated by the key management server; after the server's SGX passes remote attestation, the key management server sends the private key to the SGX enclave on the server and sends the public key to the clients that interface with the server.
In the remote attestation process, the key management server 61, which issued the EVM code of the SGX, acts as the challenger and initiates a challenge to the server 62, requiring the server 62 to present a verification report to prove that the EVM code running in the SGX of the server 62 was issued by the key management server 61, or is consistent with the EVM code stored in the key management server 61.
In step 604, the server 62 generates a verification report and signs it with the private key of the SGX CPU.
In step 606, the server 62 returns the verification report to the key management server 61.
In step 608, the key management server 61 forwards the verification report to the IAS 63.
Taking Intel SGX technology as an example, after receiving the verification request, the server 62 exports the EVM code of the SGX to generate a verification report based on that code. For example, the EVM code can be hashed to obtain the corresponding hash value, the hash value can be stored in a quote (a quoting structure), and the quote (serving as the verification report) can be signed with the private key of the SGX CPU.
Intel configures a private key in the CPU when the CPU leaves the factory, but does not disclose the public key corresponding to that private key; instead, the public key is held in Intel's IAS (Intel Attestation Server). Therefore, after the verification report is signed with the CPU's private key, the key management server 61, which lacks the corresponding public key, needs to forward the quote returned by the server 62 to the IAS so that the IAS can verify the signature.
In step 610, the IAS 63 verifies the signature with the public key of the SGX CPU.
In this embodiment, if the verification passes, a verification result is returned to the key management server 61. For example, an AVR report can be generated, in which "YES" indicates that the signature verification passed and "NO" indicates that it did not. To prevent the AVR report from being intercepted or modified during transmission, in addition to encrypting the transmission link with SSL (Secure Sockets Layer), the IAS can also sign the AVR report with its own certificate.
In step 612, the IAS 63 returns the verification result to the key management server 61.
In step 614, the key management server 61 verifies the SGX.
In this embodiment, after receiving the verification result, the key management server 61 first verifies the signature of the IAS and, once that verification passes, obtains the verification result recorded in the AVR report. If it is YES, the hash value in the quote is compared with the local hash value (obtained by hashing the locally maintained EVM code of the SGX). When the two are consistent, the remote attestation is determined to have passed.
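The attestation checks of steps 604-614 can be sketched as follows. This is a simplified stand-in, not the actual SGX mechanism: an HMAC replaces the CPU's asymmetric signing key (which in real SGX is verifiable only through Intel's IAS), and byte strings stand in for the enclave's EVM code:

```python
import hashlib
import hmac

# Sketch: the server hashes its running EVM code into a quote and signs it
# (steps 604/606); the signature is checked (step 610, the IAS role); the
# verifier compares the quote's hash with a locally computed hash of the code
# it issued (step 614).

CPU_KEY = b"toy-cpu-signing-key"  # illustrative stand-in for the CPU key
issued_evm_code = b"EVM code issued by the key management server"

def make_quote(running_code: bytes) -> dict:
    digest = hashlib.sha256(running_code).hexdigest()
    signature = hmac.new(CPU_KEY, digest.encode(), hashlib.sha256).hexdigest()
    return {"hash": digest, "signature": signature}

def verify_signature(quote: dict) -> bool:
    # Role of the IAS in step 610: check the quote was signed by the CPU key.
    expected = hmac.new(CPU_KEY, quote["hash"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, quote["signature"])

def remote_attest(quote: dict, local_code: bytes) -> bool:
    # Step 614: signature must verify, and the quote's hash must match the
    # hash of the locally maintained EVM code.
    if not verify_signature(quote):
        return False
    return quote["hash"] == hashlib.sha256(local_code).hexdigest()

attested = remote_attest(make_quote(issued_evm_code), issued_evm_code)
tampered = remote_attest(make_quote(b"modified code"), issued_evm_code)
```

A quote built from unmodified code attests successfully, while one built from modified code fails the hash comparison even though its signature is valid.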
In step 616A, the key management server 61 sends the public key of the digital envelope to the client 64 that interfaces with the server.
In this embodiment, the key management server 61 can sign the public key of the digital envelope so that the client 64 can verify the authenticity of the public key. The client 64 is a client used by a provider of a teacher network, or a client used by the provider of the target sample data. In other words, both the provider of the target sample data and the providers of the teacher networks can obtain the public key of the digital envelope in the above manner.
In step 616B, the key management server 61 encrypts the private key of the digital envelope and transmits it to the server 62.
In this embodiment, the key management server 61 and the server 62 can negotiate, during the interactions of steps 602 and 606, a key for encrypting the private key of the digital envelope. The key management server 61 can then encrypt the private key of the digital envelope with the negotiated key, so as to transmit the private key of the digital envelope to the server 62 in encrypted form.
In this embodiment, the private key of the digital envelope can be passed into an enclave of the server. The server can contain multiple enclaves, and the private key can be passed into a secure enclave among them; for example, the secure enclave can be a QE (Quoting Enclave) rather than an AE (Application Enclave).
Following the embodiment shown in FIG. 6, please refer to FIG. 7, which is an interaction diagram of a machine learning model-based knowledge transfer solution provided by an exemplary embodiment. As shown in FIG. 7, the interaction process may include the following steps:
In step 702A, partner 1 trains teacher network 1 on the private data it has annotated itself.
In step 702B, partner 2 trains teacher network 2 on the private data it has annotated itself.
In step 702C, partner n trains teacher network n on the private data it has annotated itself.
It should be noted that steps 702A-702C are parallel to one another, and no particular temporal order among them is required.
In this embodiment, taking the risk control scenario as an example, the "merchant health score" is an indicator with which the server, acting as a merchant cooperation platform, assesses for ISV (Independent Software Vendors) channel providers the risk of the merchants under each channel provider. By assessing the "merchant health score" of the merchants under a channel provider, the platform can help partners (ISV channel providers) improve their risk control capabilities. When an ISV channel provider builds a model for assessing merchant health scores, the merchant behavior data it holds (that is, its sample data) is limited, so it can perform joint modeling through the merchant cooperation platform with the merchant behavior data accumulated by other partners (other ISV channel providers). The other partners in the joint modeling should have a certain association with the ISV channel provider, for example, belonging to the same industry. The following takes joint modeling between an ISV channel provider and partners 1-n as an example.
Here, partners 1-n annotate, in the risk dimension, the behavior information of merchants in their historical business, thereby obtaining the sample data (their own private data) used to train the teacher networks; that is, the input of a trained teacher network is a merchant's behavior information, and the output is the corresponding risk score. The supervised machine learning algorithm used for training can be selected flexibly according to the actual situation, and one or more embodiments of this specification do not limit it. The following takes a classifier as an example.
In step 704A, partner 1 encrypts teacher network 1.
In step 704B, partner 2 encrypts teacher network 2.
In step 704C, partner n encrypts teacher network n.
In this embodiment, each of partners 1-n can generate a symmetric key for its own use. After training its teacher network, a partner can first encrypt the teacher network with its own symmetric key, and then encrypt that symmetric key with the public key of the digital envelope.
In this embodiment, the ISV channel provider can send the target sample data (that is, the merchant behavior information it holds) to the cooperation platform, so that the cooperation platform performs joint modeling with partners 1-n based on the target sample data.
In step 706A, partner 1 sends the encrypted teacher network 1 to the cooperation platform.
In step 706B, partner 2 sends the encrypted teacher network 2 to the cooperation platform.
In step 706C, partner n sends the encrypted teacher network n to the cooperation platform.
Similarly, this specification imposes no temporal order among the parallel steps 704A-704C and 706A-706C. Moreover, there are many possible ways for partners 1-n to send the teacher networks to the cooperation platform, which can be set flexibly according to the actual situation; steps 706A-706C above are merely an illustrative example, and one or more embodiments of this specification do not limit this. For example, partner 1 could receive the teacher networks sent by partners 2-n and then send the encrypted teacher networks 1-n to the cooperation platform.
In step 708, the cooperation platform reads teacher networks 1-n into the TEE for decryption.
In step 710, upon receiving the target sample data, the cooperation platform reads the target sample data into the TEE for decryption.
In this embodiment, taking teacher network 1 as an example, the private key of the digital envelope is first used to decrypt the symmetric key of partner 1, and the decrypted symmetric key is then used to decrypt teacher network 1. The other teacher networks and the target sample data are decrypted similarly, which will not be repeated here.
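Steps 704 and 708/710 together form a digital-envelope roundtrip, which can be sketched as follows. The XOR "cipher" and the single shared byte string standing in for the envelope key pair are toys that only illustrate the structure; a real system would use a cipher such as AES for the symmetric layer and genuine asymmetric encryption (e.g. RSA) for wrapping the key:

```python
import hashlib
import os

def xor_cipher(data: bytes, key: bytes) -> bytes:
    # Toy symmetric cipher (NOT secure): XOR against a SHA-256-derived
    # keystream; applying it twice with the same key recovers the input.
    stream = hashlib.sha256(key).digest()
    while len(stream) < len(data):
        stream += hashlib.sha256(stream).digest()
    return bytes(d ^ s for d, s in zip(data, stream))

# In this toy the envelope "key pair" is one shared byte string, so the same
# operation both wraps and unwraps the symmetric key; real asymmetric
# cryptography would of course use distinct public and private keys.
envelope_public = envelope_private = b"toy envelope key pair"

# Partner side (step 704): encrypt the model, then wrap the symmetric key.
teacher_network = b"serialized parameters of teacher network 1"
sym_key = os.urandom(16)
encrypted_model = xor_cipher(teacher_network, sym_key)
wrapped_key = xor_cipher(sym_key, envelope_public)

# TEE side (steps 708/710): unwrap the symmetric key with the envelope
# private key, then decrypt the model inside the trusted execution environment.
recovered_key = xor_cipher(wrapped_key, envelope_private)
decrypted_model = xor_cipher(encrypted_model, recovered_key)
```

The point of the structure is that only the party holding the envelope private key (here, the TEE) can recover the symmetric key, and hence the model, from the transmitted pair `(encrypted_model, wrapped_key)`.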
In step 712, the cooperation platform inputs the target sample data into teacher networks 1-n, respectively, to obtain prediction results 1-n.
Taking classifiers as an example, suppose that the teacher networks and the student network solve a multi-classification problem with M classes. Given a piece of target sample data xi, each classifier fk (a teacher network) can predict a probability distribution fk(xi), and each fk(xi) can then be integrated through ensemble learning to obtain the final score.
In step 714, the cooperation platform integrates prediction results 1-n to obtain the soft label value corresponding to the target sample data.
In this embodiment, to make the trained student network a diverse (comprehensive) strongly supervised model that is stable and performs well in all aspects, rather than a biased one (a weakly supervised model that performs well only in certain aspects), ensemble learning can be performed on the obtained prediction results 1-n to obtain the soft label value corresponding to the target sample data. For example, the result of the ensemble learning is used as the soft label value corresponding to the target sample data. By performing ensemble learning on the multiple obtained prediction results, an erroneous prediction by one teacher network on the target sample data can be corrected by the other teacher networks, thereby achieving the effects of reducing variance (bagging), reducing bias (boosting), and improving predictions (stacking). The specific implementation of the ensemble learning can be selected flexibly according to the actual situation, and one or more embodiments of this specification do not limit it. For example, voting or averaging can be adopted, or algorithms such as Bagging (bootstrap aggregating, e.g., random forest), Boosting, and Stacking can be used.
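The averaging variant of step 714 can be sketched as follows. The three hand-written distributions are illustrative; in practice each row would be fk(xi), the probability distribution a teacher network predicts for the target sample xi over the M classes:

```python
# Average the teacher predictions into a soft label for one target sample.

def soft_label(teacher_predictions):
    m = len(teacher_predictions[0])  # number of classes M
    n = len(teacher_predictions)     # number of teacher networks
    return [sum(pred[c] for pred in teacher_predictions) / n for c in range(m)]

predictions = [
    [0.7, 0.2, 0.1],  # f1(xi)
    [0.6, 0.3, 0.1],  # f2(xi)
    [0.2, 0.6, 0.2],  # f3(xi) — an outlying prediction the average dampens
]
soft = soft_label(predictions)  # ≈ [0.5, 0.3667, 0.1333]
```

Because each teacher's output sums to 1, the averaged soft label is itself a valid probability distribution, and the outlying vote of f3 is outweighed by the agreeing teachers, illustrating the error-correction effect described above.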
In step 716, the cooperation platform performs knowledge distillation on the target sample data based on the soft label value and the hard label value with which the target sample data was originally annotated, to obtain the student network.
Taking ensemble learning by averaging as an example, the probability distribution outputs of all classifiers after differential privacy processing are averaged, and the final probability output obtained by averaging is used as a soft target to guide the learning of the student network. The label value with which the target sample data was originally annotated (for example, by the ISV channel provider of the target domain annotating the merchant behavior information it has accumulated) is defined as the hard target (hard label value); the final label value is then Target = a*hard target + b*soft target (a+b=1), and Target serves as the final label value for training the student network. The parameters a and b control the label fusion weights, for example, a=0.1 and b=0.9.
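The label fusion Target = a*hard target + b*soft target can be sketched directly, using the example weights a=0.1 and b=0.9 from the text; the one-hot hard label and the soft label values are illustrative:

```python
# Fuse the original annotation (hard target) with the averaged teacher
# output (soft target) into the final training label, with a + b = 1.

def fuse_labels(hard, soft, a=0.1, b=0.9):
    assert abs(a + b - 1.0) < 1e-9  # the weights must sum to 1
    return [a * h + b * s for h, s in zip(hard, soft)]

hard_target = [1.0, 0.0, 0.0]  # original one-hot annotation
soft_target = [0.5, 0.4, 0.1]  # averaged teacher output
target = fuse_labels(hard_target, soft_target)  # ≈ [0.55, 0.36, 0.09]
```

Since both inputs are probability distributions and a+b=1, the fused Target is again a distribution; with b=0.9 it mostly follows the teachers' soft target while the hard annotation nudges the true class upward.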
Through the above training process, a student network whose input is a merchant's behavior information and whose output is the corresponding risk score can be obtained. In one case, the student network can be deployed on the client side of the ISV channel provider; after obtaining a merchant's behavior information, the ISV channel provider can input the behavior information into the student network through the client to determine the merchant's risk score from the output result, and then decide how to handle the merchant subsequently. For example, when the risk score is low (indicating that the merchant is relatively safe), consumption benefits can be issued to the merchant; when the risk score is high (indicating that the merchant poses a potential risk), the merchant's registration request can be intercepted. In another case, the student network can be deployed on the cooperation platform; after obtaining a merchant's behavior information, the ISV channel provider can send the behavior information to the cooperation platform through the client, so that the cooperation platform uses the student network to determine the merchant's risk score and returns it to the client for display.
Corresponding to the above method embodiments, this specification also provides apparatus embodiments.
The embodiments of the user risk assessment apparatus of this specification can be applied to electronic devices. The apparatus embodiments can be implemented by software, or by hardware or a combination of software and hardware. Taking software implementation as an example, the apparatus in the logical sense is formed by the processor of the electronic device in which it is located reading the corresponding computer program instructions from the non-volatile memory into the memory and running them.
In terms of hardware, FIG. 8 is a schematic structural diagram of a device provided by an exemplary embodiment. Please refer to FIG. 8: at the hardware level, the device includes a processor 802, an internal bus 804, a network interface 806, a memory 808, and a non-volatile memory 810, and may of course also include hardware required by other services. The processor 802 reads the corresponding computer program from the non-volatile memory 810 into the memory 808 and runs it, forming the user risk assessment apparatus at the logical level. Of course, besides the software implementation, one or more embodiments of this specification do not exclude other implementations, such as logic devices or a combination of software and hardware; that is to say, the executors of the following processing flow are not limited to logical units, but can also be hardware or logic devices.
Please refer to FIG. 9. In a software implementation, the user risk assessment apparatus may include: an information input unit 91 that inputs the behavior information of a user of the target partner into the student risk control model corresponding to the target partner, where the student risk control model is obtained by performing knowledge distillation on the target sample data of the target partner based on a soft label value of the target sample data and the risk label value with which the target sample data was originally annotated, serving as the hard label value; the soft label value is obtained by integrating, within a trusted execution environment, the prediction results of multiple teacher risk control models for the target sample data; each teacher risk control model is decrypted within the trusted execution environment and is obtained by training on the sample data of a corresponding other partner; any piece of sample data contains behavior information annotated with a risk label value; and a risk assessment unit 92 that determines the risk score of the user according to the output result of the student risk control model.
Optionally, the target partner and the other partners belong to the same type of partner.
Optionally, each teacher risk control model is obtained by the corresponding other partner training on its own sample data.
The embodiments of the machine learning model-based knowledge transfer apparatus of this specification can be applied to electronic devices. The apparatus embodiments can be implemented by software, or by hardware or a combination of software and hardware. Taking software implementation as an example, the apparatus in the logical sense is formed by the processor of the electronic device in which it is located reading the corresponding computer program instructions from the non-volatile memory into the memory and running them.
In terms of hardware, FIG. 10 is a schematic structural diagram of a device provided by an exemplary embodiment. Please refer to FIG. 10: at the hardware level, the device includes a processor 1002, an internal bus 1004, a network interface 1006, a memory 1008, and a non-volatile memory 1010, and may of course also include hardware required by other services. The processor 1002 reads the corresponding computer program from the non-volatile memory 1010 into the memory 1008 and runs it, forming the machine learning model-based knowledge transfer apparatus at the logical level. Of course, besides the software implementation, one or more embodiments of this specification do not exclude other implementations, such as logic devices or a combination of software and hardware; that is to say, the executors of the following processing flow are not limited to logical units, but can also be hardware or logic devices.
请参考图11，在软件实施方式中，该基于机器学习模型的知识迁移装置可以包括：获取单元1101，获取多个源领域的教师网络以及获取目标领域的目标样本数据，并将获取到的教师网络读入可信执行环境进行解密，各个教师网络通过对各自源领域的样本数据进行训练得到；集成单元1102，在所述可信执行环境内分别将所述目标样本数据输入各个教师网络以得到各个教师网络针对所述目标样本数据的预测结果，并对得到的预测结果进行集成得到对应于所述目标样本数据的软标签值；训练单元1103，基于所述软标签值和所述目标样本数据原本被标注的硬标签值，对所述目标样本数据进行知识蒸馏以得到所述目标领域的学生网络。Referring to FIG. 11, in a software implementation, the machine-learning-model-based knowledge transfer apparatus may include: an acquiring unit 1101, which acquires teacher networks of multiple source domains and target sample data of a target domain, and reads the acquired teacher networks into a trusted execution environment for decryption, where each teacher network is obtained by training on the sample data of its respective source domain; an integration unit 1102, which, within the trusted execution environment, inputs the target sample data into each teacher network to obtain each teacher network's prediction result for the target sample data, and integrates the obtained prediction results to obtain a soft label value corresponding to the target sample data; and a training unit 1103, which, based on the soft label value and the hard label value with which the target sample data was originally annotated, performs knowledge distillation on the target sample data to obtain a student network of the target domain.
可选的,各个源领域与所述目标领域属于同一类型。Optionally, each source domain and the target domain are of the same type.
可选的，各个教师网络由各自源领域的数据提供方将自身的隐私数据作为样本数据进行训练得到。Optionally, each teacher network is obtained by the data provider of its respective source domain training on its own private data as sample data.
可选的,所述目标样本数据和各个源领域的样本数据的数据类型包含以下至少之一:图像、文本、语音。Optionally, the data types of the target sample data and the sample data of each source field include at least one of the following: image, text, and voice.
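The distillation flow described by the acquiring, integration, and training units above — ensemble the teacher networks' predictions into a soft label, then train the student against both the soft label and the original hard label — can be sketched as follows. This is a minimal illustration in plain Python, not the patent's implementation; the temperature, the loss weight `alpha`, and the toy logits are all assumed values chosen for the example.

```python
import math

def softmax(logits, temperature=1.0):
    # Temperature-scaled softmax: a higher temperature yields a softer distribution.
    exps = [math.exp(z / temperature) for z in logits]
    total = sum(exps)
    return [e / total for e in exps]

def ensemble_soft_labels(teacher_logits, temperature=2.0):
    # Integrate the teachers' predictions for one target sample by averaging
    # their temperature-softened probability distributions (one common choice
    # of "integration"; the patent does not fix the exact scheme).
    probs = [softmax(logits, temperature) for logits in teacher_logits]
    n = len(probs)
    return [sum(p[k] for p in probs) / n for k in range(len(probs[0]))]

def distillation_loss(student_logits, soft_label, hard_label, alpha=0.5, temperature=2.0):
    # Weighted sum of (a) cross-entropy against the originally annotated hard
    # label and (b) cross-entropy against the teachers' ensembled soft label.
    p_hard = softmax(student_logits)                 # temperature 1 for the hard term
    p_soft = softmax(student_logits, temperature)    # softened for the soft term
    ce_hard = -math.log(p_hard[hard_label] + 1e-12)
    ce_soft = -sum(t * math.log(s + 1e-12) for t, s in zip(soft_label, p_soft))
    return alpha * ce_hard + (1.0 - alpha) * ce_soft

# Two hypothetical teacher networks score one sample over three risk classes.
teacher_logits = [[2.0, 0.5, -1.0], [1.5, 1.0, -0.5]]
soft = ensemble_soft_labels(teacher_logits)
loss = distillation_loss([1.8, 0.2, -0.9], soft, hard_label=0)
```

In a real system the loss would be minimized over the whole target sample set with a gradient-based optimizer; here only the per-sample loss computation is shown.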
本说明书的用户风险评估装置的实施例可以应用在电子设备上。装置实施例可以通过软件实现，也可以通过硬件或者软硬件结合的方式实现。以软件实现为例，作为一个逻辑意义上的装置，是通过其所在电子设备的处理器将非易失性存储器中对应的计算机程序指令读取到内存中运行形成的。The embodiments of the user risk assessment apparatus of this specification can be applied to an electronic device. The apparatus embodiments may be implemented by software, or by hardware or a combination of software and hardware. Taking software implementation as an example, the apparatus, in a logical sense, is formed by the processor of the electronic device where it is located reading the corresponding computer program instructions from the non-volatile memory into the memory and running them.
从硬件层面而言，图12是一示例性实施例提供的一种设备的示意结构图。请参考图12，在硬件层面，该设备包括处理器1202、内部总线1204、网络接口1206、内存1208以及非易失性存储器1210，当然还可能包括其他业务所需要的硬件。处理器1202从非易失性存储器1210中读取对应的计算机程序到内存1208中然后运行，在逻辑层面上形成基于机器学习模型的知识迁移装置。当然，除了软件实现方式之外，本说明书一个或多个实施例并不排除其他实现方式，比如逻辑器件抑或软硬件结合的方式等等，也就是说以下处理流程的执行主体并不限定于各个逻辑单元，也可以是硬件或逻辑器件。At the hardware level, FIG. 12 is a schematic structural diagram of a device provided by an exemplary embodiment. Referring to FIG. 12, at the hardware level, the device includes a processor 1202, an internal bus 1204, a network interface 1206, a memory 1208, and a non-volatile memory 1210, and of course may further include hardware required by other services. The processor 1202 reads the corresponding computer program from the non-volatile memory 1210 into the memory 1208 and runs it, forming the machine-learning-model-based knowledge transfer apparatus at the logical level. Of course, in addition to software implementations, one or more embodiments of this specification do not exclude other implementations, such as logic devices or a combination of software and hardware; that is to say, the execution subject of the following processing flow is not limited to the logical units, and may also be hardware or a logic device.
请参考图13，在软件实施方式中，该基于机器学习模型的知识迁移装置可以包括：获取单元1301，获取多个源领域的教师网络以及获取目标领域的目标样本数据，并将获取到的教师网络读入可信执行环境进行解密，各个教师网络通过对各自源领域的样本数据进行训练得到；集成单元1302，在所述可信执行环境内分别将所述目标样本数据输入各个教师网络以得到各个教师网络针对所述目标样本数据的预测结果，对得到的预测结果进行集成得到对应于所述目标样本数据的软标签值，并对所述软标签值进行加密；返回单元1303，向所述目标样本数据的提供方返回加密后的所述软标签值，以使得所述提供方对接收到的软标签值进行解密，并基于解密后的所述软标签值和所述目标样本数据原本被标注的硬标签值，对所述目标样本数据进行知识蒸馏以得到所述目标领域的学生网络。Referring to FIG. 13, in a software implementation, the machine-learning-model-based knowledge transfer apparatus may include: an acquiring unit 1301, which acquires teacher networks of multiple source domains and target sample data of a target domain, and reads the acquired teacher networks into a trusted execution environment for decryption, where each teacher network is obtained by training on the sample data of its respective source domain; an integration unit 1302, which, within the trusted execution environment, inputs the target sample data into each teacher network to obtain each teacher network's prediction result for the target sample data, integrates the obtained prediction results to obtain a soft label value corresponding to the target sample data, and encrypts the soft label value; and a returning unit 1303, which returns the encrypted soft label value to the provider of the target sample data, so that the provider decrypts the received soft label value and, based on the decrypted soft label value and the hard label value with which the target sample data was originally annotated, performs knowledge distillation on the target sample data to obtain a student network of the target domain.
可选的，所述可信执行环境中的待解密数据被相应的提供方通过自身的对称密钥进行加密，所述待解密数据包括任一教师网络和/或所述目标样本数据；所述获取单元1301具体用于：获取所述待解密数据的提供方的对称密钥；在所述可信执行环境内通过获取到的对称密钥对所述待解密数据进行解密。Optionally, the data to be decrypted in the trusted execution environment is encrypted by its corresponding provider using the provider's own symmetric key, and the data to be decrypted includes any teacher network and/or the target sample data; the acquiring unit 1301 is specifically configured to: acquire the symmetric key of the provider of the data to be decrypted; and decrypt the data to be decrypted within the trusted execution environment using the acquired symmetric key.
可选的，用于加密所述待解密数据的对称密钥被采用数字信封公钥加密；所述获取单元1301进一步用于：在所述可信执行环境内通过数字信封私钥，对用于加密所述待解密数据的对称密钥进行解密以得到解密后的对称密钥。Optionally, the symmetric key used to encrypt the data to be decrypted is itself encrypted with a digital envelope public key; the acquiring unit 1301 is further configured to: within the trusted execution environment, decrypt, using the digital envelope private key, the symmetric key used to encrypt the data to be decrypted, so as to obtain the decrypted symmetric key.
可选的，所述可信执行环境通过SGX架构建立，在所述可信执行环境通过密钥管理服务器发起的远程证明后，所述数字信封公钥由所述密钥管理服务器发送至所述待解密数据的提供方，所述数字信封私钥由所述密钥管理服务器发送至所述可信执行环境的围圈。Optionally, the trusted execution environment is established through the SGX architecture; after the trusted execution environment passes remote attestation initiated by a key management server, the digital envelope public key is sent by the key management server to the provider of the data to be decrypted, and the digital envelope private key is sent by the key management server to the enclave of the trusted execution environment.
可选的,所述目标样本数据和各个源领域的样本数据的数据类型包含以下至少之一:图像、文本、语音。Optionally, the data types of the target sample data and the sample data of each source field include at least one of the following: image, text, and voice.
本说明书的用户风险评估装置的实施例可以应用在电子设备上。装置实施例可以通过软件实现，也可以通过硬件或者软硬件结合的方式实现。以软件实现为例，作为一个逻辑意义上的装置，是通过其所在电子设备的处理器将非易失性存储器中对应的计算机程序指令读取到内存中运行形成的。The embodiments of the user risk assessment apparatus of this specification can be applied to an electronic device. The apparatus embodiments may be implemented by software, or by hardware or a combination of software and hardware. Taking software implementation as an example, the apparatus, in a logical sense, is formed by the processor of the electronic device where it is located reading the corresponding computer program instructions from the non-volatile memory into the memory and running them.
从硬件层面而言，图14是一示例性实施例提供的一种设备的示意结构图。请参考图14，在硬件层面，该设备包括处理器1402、内部总线1404、网络接口1406、内存1408以及非易失性存储器1410，当然还可能包括其他业务所需要的硬件。处理器1402从非易失性存储器1410中读取对应的计算机程序到内存1408中然后运行，在逻辑层面上形成基于机器学习模型的知识迁移装置。当然，除了软件实现方式之外，本说明书一个或多个实施例并不排除其他实现方式，比如逻辑器件抑或软硬件结合的方式等等，也就是说以下处理流程的执行主体并不限定于各个逻辑单元，也可以是硬件或逻辑器件。At the hardware level, FIG. 14 is a schematic structural diagram of a device provided by an exemplary embodiment. Referring to FIG. 14, at the hardware level, the device includes a processor 1402, an internal bus 1404, a network interface 1406, a memory 1408, and a non-volatile memory 1410, and of course may further include hardware required by other services. The processor 1402 reads the corresponding computer program from the non-volatile memory 1410 into the memory 1408 and runs it, forming the machine-learning-model-based knowledge transfer apparatus at the logical level. Of course, in addition to software implementations, one or more embodiments of this specification do not exclude other implementations, such as logic devices or a combination of software and hardware; that is to say, the execution subject of the following processing flow is not limited to the logical units, and may also be hardware or a logic device.
请参考图15，在软件实施方式中，该基于机器学习模型的知识迁移装置可以包括：发送单元1501，向可信执行环境的维护方发送目标样本数据，以使得所述维护方在所述可信执行环境内分别将所述目标样本数据输入多个源领域的教师网络以得到各个教师网络针对所述目标样本数据的预测结果，以及对得到的预测结果进行集成得到对应于所述目标样本数据的软标签值；各个教师网络通过对各自源领域的样本数据进行训练得到，且在所述可信执行环境内被解密；训练单元1502，接收所述维护方返回的加密后的所述软标签值，对接收到的所述软标签值进行解密，并基于解密后的所述软标签值和所述目标样本数据原本被标注的硬标签值，对所述目标样本数据进行知识蒸馏以得到所述目标领域的学生网络。Referring to FIG. 15, in a software implementation, the machine-learning-model-based knowledge transfer apparatus may include: a sending unit 1501, which sends target sample data to a maintainer of a trusted execution environment, so that the maintainer, within the trusted execution environment, inputs the target sample data into teacher networks of multiple source domains to obtain each teacher network's prediction result for the target sample data, and integrates the obtained prediction results to obtain a soft label value corresponding to the target sample data, where each teacher network is obtained by training on the sample data of its respective source domain and is decrypted within the trusted execution environment; and a training unit 1502, which receives the encrypted soft label value returned by the maintainer, decrypts the received soft label value, and, based on the decrypted soft label value and the hard label value with which the target sample data was originally annotated, performs knowledge distillation on the target sample data to obtain a student network of the target domain.
可选的,所述目标样本数据和各个源领域的样本数据的数据类型包含以下至少之一:图像、文本、语音。Optionally, the data types of the target sample data and the sample data of each source field include at least one of the following: image, text, and voice.
上述实施例阐明的系统、装置、模块或单元，具体可以由计算机芯片或实体实现，或者由具有某种功能的产品来实现。一种典型的实现设备为计算机，计算机的具体形式可以是个人计算机、膝上型计算机、蜂窝电话、相机电话、智能电话、个人数字助理、媒体播放器、导航设备、电子邮件收发设备、游戏控制台、平板计算机、可穿戴设备或者这些设备中的任意几种设备的组合。The systems, apparatuses, modules, or units illustrated in the above embodiments may be specifically implemented by computer chips or entities, or by products with certain functions. A typical implementation device is a computer, the specific form of which may be a personal computer, a laptop computer, a cellular phone, a camera phone, a smart phone, a personal digital assistant, a media player, a navigation device, an email transceiver device, a game console, a tablet computer, a wearable device, or a combination of any of these devices.
在一个典型的配置中,计算机包括一个或多个处理器(CPU)、输入/输出接口、网络接口和内存。In a typical configuration, the computer includes one or more processors (CPU), input/output interfaces, network interfaces, and memory.
内存可能包括计算机可读介质中的非永久性存储器,随机存取存储器(RAM)和/或非易失性内存等形式,如只读存储器(ROM)或闪存(flash RAM)。内存是计算机可读介质的示例。The memory may include non-permanent memory in computer readable media, random access memory (RAM) and/or non-volatile memory, such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of computer readable media.
计算机可读介质包括永久性和非永久性、可移动和非可移动媒体可以由任何方法或技术来实现信息存储。信息可以是计算机可读指令、数据结构、程序的模块或其他数据。计算机的存储介质的例子包括，但不限于相变内存（PRAM）、静态随机存取存储器（SRAM）、动态随机存取存储器（DRAM）、其他类型的随机存取存储器（RAM）、只读存储器（ROM）、电可擦除可编程只读存储器（EEPROM）、快闪记忆体或其他内存技术、只读光盘只读存储器（CD-ROM）、数字多功能光盘（DVD）或其他光学存储、磁盒式磁带、磁盘存储、量子存储器、基于石墨烯的存储介质或其他磁性存储设备或任何其他非传输介质，可用于存储可以被计算设备访问的信息。按照本文中的界定，计算机可读介质不包括暂存电脑可读媒体（transitory media），如调制的数据信号和载波。Computer-readable media include permanent and non-permanent, removable and non-removable media, which can implement information storage by any method or technology. The information may be computer-readable instructions, data structures, program modules, or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technologies, compact disc read-only memory (CD-ROM), digital versatile disc (DVD) or other optical storage, magnetic cassettes, magnetic disk storage, quantum memory, graphene-based storage media, or other magnetic storage devices or any other non-transmission media, which can be used to store information accessible by computing devices. As defined herein, computer-readable media do not include transitory media, such as modulated data signals and carrier waves.
还需要说明的是，术语“包括”、“包含”或者其任何其他变体意在涵盖非排他性的包含，从而使得包括一系列要素的过程、方法、商品或者设备不仅包括那些要素，而且还包括没有明确列出的其他要素，或者是还包括为这种过程、方法、商品或者设备所固有的要素。在没有更多限制的情况下，由语句“包括一个……”限定的要素，并不排除在包括所述要素的过程、方法、商品或者设备中还存在另外的相同要素。It should also be noted that the terms "include", "comprise", or any other variants thereof are intended to cover non-exclusive inclusion, so that a process, method, commodity, or device including a series of elements includes not only those elements but also other elements not explicitly listed, or further includes elements inherent to such a process, method, commodity, or device. Without further limitation, an element defined by the phrase "including a..." does not exclude the existence of other identical elements in the process, method, commodity, or device that includes the element.
上述对本说明书特定实施例进行了描述。其它实施例在所附权利要求书的范围内。在一些情况下,在权利要求书中记载的动作或步骤可以按照不同于实施例中的顺序来执行并且仍然可以实现期望的结果。另外,在附图中描绘的过程不一定要求示出的特定顺序或者连续顺序才能实现期望的结果。在某些实施方式中,多任务处理和并行处理也是可以的或者可能是有利的。The foregoing describes specific embodiments of this specification. Other embodiments are within the scope of the appended claims. In some cases, the actions or steps described in the claims can be performed in a different order than in the embodiments and still achieve desired results. In addition, the processes depicted in the drawings do not necessarily require the specific order or sequential order shown in order to achieve the desired results. In some embodiments, multitasking and parallel processing are also possible or may be advantageous.
在本说明书一个或多个实施例使用的术语是仅仅出于描述特定实施例的目的,而非旨在限制本说明书一个或多个实施例。在本说明书一个或多个实施例和所附权利要求书中所使用的单数形式的“一种”、“所述”和“该”也旨在包括多数形式,除非上下文清楚地表示其他含义。还应当理解,本文中使用的术语“和/或”是指并包含一个或多个相关联的列出项目的任何或所有可能组合。The terms used in one or more embodiments of this specification are only for the purpose of describing specific embodiments, and are not intended to limit one or more embodiments of this specification. The singular forms of "a", "said" and "the" used in one or more embodiments of this specification and the appended claims are also intended to include plural forms, unless the context clearly indicates other meanings. It should also be understood that the term "and/or" as used herein refers to and includes any or all possible combinations of one or more associated listed items.
应当理解，尽管在本说明书一个或多个实施例可能采用术语第一、第二、第三等来描述各种信息，但这些信息不应限于这些术语。这些术语仅用来将同一类型的信息彼此区分开。例如，在不脱离本说明书一个或多个实施例范围的情况下，第一信息也可以被称为第二信息，类似地，第二信息也可以被称为第一信息。取决于语境，如在此所使用的词语“如果”可以被解释成为“在……时”或“当……时”或“响应于确定”。It should be understood that although the terms first, second, third, etc. may be used in one or more embodiments of this specification to describe various information, the information should not be limited by these terms. These terms are only used to distinguish information of the same type from one another. For example, without departing from the scope of one or more embodiments of this specification, first information may also be referred to as second information, and similarly, second information may also be referred to as first information. Depending on the context, the word "if" as used herein may be interpreted as "upon" or "when" or "in response to determining".
以上所述仅为本说明书一个或多个实施例的较佳实施例而已，并不用以限制本说明书一个或多个实施例，凡在本说明书一个或多个实施例的精神和原则之内，所做的任何修改、等同替换、改进等，均应包含在本说明书一个或多个实施例保护的范围之内。The above descriptions are only preferred embodiments of one or more embodiments of this specification and are not intended to limit one or more embodiments of this specification. Any modification, equivalent replacement, improvement, and the like made within the spirit and principles of one or more embodiments of this specification shall be included in the protection scope of one or more embodiments of this specification.

Claims (32)

  1. 一种用户风险评估方法,包括:A user risk assessment method, including:
将目标合作方的用户的行为信息输入对应于所述目标合作方的学生风控模型；所述学生风控模型通过基于所述目标合作方的目标样本数据的软标签值和所述目标样本数据原本被标注的被作为硬标签值的风险标签值，对所述目标样本数据进行知识蒸馏得到，所述软标签值通过在可信执行环境内对多个教师风控模型针对所述目标样本数据的预测结果进行集成得到，各个教师风控模型在所述可信执行环境内被解密，各个教师风控模型通过对相应的其他合作方的样本数据进行训练得到；其中，任一样本数据包含被标注有风险标签值的行为信息；inputting behavior information of a user of a target partner into a student risk control model corresponding to the target partner; wherein the student risk control model is obtained by performing knowledge distillation on target sample data of the target partner based on a soft label value of the target sample data and a risk label value, serving as a hard label value, with which the target sample data was originally annotated; the soft label value is obtained by integrating, within a trusted execution environment, prediction results of multiple teacher risk control models for the target sample data; each teacher risk control model is decrypted within the trusted execution environment and is obtained by training on sample data of a corresponding other partner; and any sample data contains behavior information annotated with a risk label value;
根据所述学生风控模型的输出结果确定所述用户的风险评分。determining a risk score of the user according to an output result of the student risk control model.
2. 根据权利要求1所述的方法，各个教师风控模型由相应的其他合作方对自身的样本数据进行训练得到。According to the method of claim 1, each teacher risk control model is obtained by the corresponding other partner training on its own sample data.
  3. 一种基于机器学习模型的知识迁移方法,包括:A method of knowledge transfer based on machine learning model, including:
获取多个源领域的教师网络以及获取目标领域的目标样本数据，并将获取到的教师网络读入可信执行环境进行解密，各个教师网络通过对各自源领域的样本数据进行训练得到；acquiring teacher networks of multiple source domains and target sample data of a target domain, and reading the acquired teacher networks into a trusted execution environment for decryption, where each teacher network is obtained by training on the sample data of its respective source domain;
在所述可信执行环境内分别将所述目标样本数据输入各个教师网络以得到各个教师网络针对所述目标样本数据的预测结果，并对得到的预测结果进行集成得到对应于所述目标样本数据的软标签值；inputting, within the trusted execution environment, the target sample data into each teacher network to obtain each teacher network's prediction result for the target sample data, and integrating the obtained prediction results to obtain a soft label value corresponding to the target sample data;
基于所述软标签值和所述目标样本数据原本被标注的硬标签值，对所述目标样本数据进行知识蒸馏以得到所述目标领域的学生网络。performing knowledge distillation on the target sample data based on the soft label value and the hard label value with which the target sample data was originally annotated, to obtain a student network of the target domain.
4. 根据权利要求3所述的方法，各个教师网络由各自源领域的数据提供方将自身的隐私数据作为样本数据进行训练得到。According to the method of claim 3, each teacher network is obtained by the data provider of its respective source domain training on its own private data as sample data.
  5. 根据权利要求3所述的方法,所述目标样本数据和各个源领域的样本数据的数据类型包含以下至少之一:图像、文本、语音。The method according to claim 3, wherein the data types of the target sample data and the sample data of each source field include at least one of the following: image, text, and voice.
  6. 一种基于机器学习模型的知识迁移方法,包括:A method of knowledge transfer based on machine learning model, including:
获取多个源领域的教师网络以及获取目标领域的目标样本数据，并将获取到的教师网络读入可信执行环境进行解密，各个教师网络通过对各自源领域的样本数据进行训练得到；acquiring teacher networks of multiple source domains and target sample data of a target domain, and reading the acquired teacher networks into a trusted execution environment for decryption, where each teacher network is obtained by training on the sample data of its respective source domain;
在所述可信执行环境内分别将所述目标样本数据输入各个教师网络以得到各个教师网络针对所述目标样本数据的预测结果，对得到的预测结果进行集成得到对应于所述目标样本数据的软标签值，并对所述软标签值进行加密；inputting, within the trusted execution environment, the target sample data into each teacher network to obtain each teacher network's prediction result for the target sample data, integrating the obtained prediction results to obtain a soft label value corresponding to the target sample data, and encrypting the soft label value;
向所述目标样本数据的提供方返回加密后的所述软标签值，以使得所述提供方对接收到的软标签值进行解密，并基于解密后的所述软标签值和所述目标样本数据原本被标注的硬标签值，对所述目标样本数据进行知识蒸馏以得到所述目标领域的学生网络。returning the encrypted soft label value to the provider of the target sample data, so that the provider decrypts the received soft label value and, based on the decrypted soft label value and the hard label value with which the target sample data was originally annotated, performs knowledge distillation on the target sample data to obtain a student network of the target domain.
7. 根据权利要求6所述的方法，所述可信执行环境中的待解密数据被相应的提供方通过自身的对称密钥进行加密，所述待解密数据包括任一教师网络和/或所述目标样本数据；在所述可信执行环境内解密所述待解密数据的操作包括：According to the method of claim 6, the data to be decrypted in the trusted execution environment is encrypted by its corresponding provider using the provider's own symmetric key, and the data to be decrypted includes any teacher network and/or the target sample data; the operation of decrypting the data to be decrypted within the trusted execution environment includes:
    获取所述待解密数据的提供方的对称密钥;Obtaining the symmetric key of the provider of the data to be decrypted;
    在所述可信执行环境内通过获取到的对称密钥对所述待解密数据进行解密。The data to be decrypted is decrypted in the trusted execution environment using the acquired symmetric key.
  8. 根据权利要求7所述的方法,用于加密所述待解密数据的对称密钥被采用数字信封公钥加密;所述获取所述待解密数据的提供方的对称密钥,包括:The method according to claim 7, wherein the symmetric key used to encrypt the data to be decrypted is encrypted with a digital envelope public key; said obtaining the symmetric key of the provider of the data to be decrypted includes:
    在所述可信执行环境内通过数字信封私钥,对用于加密所述待解密数据的对称密钥进行解密以得到解密后的对称密钥。In the trusted execution environment, the symmetric key used to encrypt the data to be decrypted is decrypted through the digital envelope private key to obtain the decrypted symmetric key.
9. 根据权利要求8所述的方法，所述可信执行环境通过SGX架构建立，在所述可信执行环境通过密钥管理服务器发起的远程证明后，所述数字信封公钥由所述密钥管理服务器发送至所述待解密数据的提供方，所述数字信封私钥由所述密钥管理服务器发送至所述可信执行环境的围圈。According to the method of claim 8, the trusted execution environment is established through the SGX architecture; after the trusted execution environment passes remote attestation initiated by a key management server, the digital envelope public key is sent by the key management server to the provider of the data to be decrypted, and the digital envelope private key is sent by the key management server to the enclave of the trusted execution environment.
  10. 根据权利要求6所述的方法,所述目标样本数据和各个源领域的样本数据的数据类型包含以下至少之一:图像、文本、语音。The method according to claim 6, wherein the data types of the target sample data and the sample data of each source field include at least one of the following: image, text, and voice.
  11. 一种基于机器学习模型的知识迁移方法,包括:A method of knowledge transfer based on machine learning model, including:
向可信执行环境的维护方发送目标样本数据，以使得所述维护方在所述可信执行环境内分别将所述目标样本数据输入多个源领域的教师网络以得到各个教师网络针对所述目标样本数据的预测结果，以及对得到的预测结果进行集成得到对应于所述目标样本数据的软标签值；各个教师网络通过对各自源领域的样本数据进行训练得到，且在所述可信执行环境内被解密；sending target sample data to a maintainer of a trusted execution environment, so that the maintainer, within the trusted execution environment, inputs the target sample data into teacher networks of multiple source domains to obtain each teacher network's prediction result for the target sample data, and integrates the obtained prediction results to obtain a soft label value corresponding to the target sample data; wherein each teacher network is obtained by training on the sample data of its respective source domain and is decrypted within the trusted execution environment;
接收所述维护方返回的加密后的所述软标签值，对接收到的所述软标签值进行解密，并基于解密后的所述软标签值和所述目标样本数据原本被标注的硬标签值，对所述目标样本数据进行知识蒸馏以得到所述目标领域的学生网络。receiving the encrypted soft label value returned by the maintainer, decrypting the received soft label value, and, based on the decrypted soft label value and the hard label value with which the target sample data was originally annotated, performing knowledge distillation on the target sample data to obtain a student network of the target domain.
  12. 根据权利要求11所述的方法,所述目标样本数据和各个源领域的样本数据的数据类型包含以下至少之一:图像、文本、语音。The method according to claim 11, wherein the data types of the target sample data and the sample data of each source field include at least one of the following: image, text, and voice.
  13. 一种用户风险评估装置,包括:A user risk assessment device, including:
信息输入单元，将目标合作方的用户的行为信息输入对应于所述目标合作方的学生风控模型；所述学生风控模型通过基于所述目标合作方的目标样本数据的软标签值和所述目标样本数据原本被标注的被作为硬标签值的风险标签值，对所述目标样本数据进行知识蒸馏得到，所述软标签值通过在可信执行环境内对多个教师风控模型针对所述目标样本数据的预测结果进行集成得到，各个教师风控模型在所述可信执行环境内被解密，各个教师风控模型通过对相应的其他合作方的样本数据进行训练得到；其中，任一样本数据包含被标注有风险标签值的行为信息；an information input unit, which inputs behavior information of a user of a target partner into a student risk control model corresponding to the target partner; wherein the student risk control model is obtained by performing knowledge distillation on target sample data of the target partner based on a soft label value of the target sample data and a risk label value, serving as a hard label value, with which the target sample data was originally annotated; the soft label value is obtained by integrating, within a trusted execution environment, prediction results of multiple teacher risk control models for the target sample data; each teacher risk control model is decrypted within the trusted execution environment and is obtained by training on sample data of a corresponding other partner; and any sample data contains behavior information annotated with a risk label value;
风险评估单元，根据所述学生风控模型的输出结果确定所述用户的风险评分。a risk assessment unit, which determines a risk score of the user according to an output result of the student risk control model.
14. 根据权利要求13所述的装置，各个教师风控模型由相应的其他合作方对自身的样本数据进行训练得到。According to the apparatus of claim 13, each teacher risk control model is obtained by the corresponding other partner training on its own sample data.
  15. 一种基于机器学习模型的知识迁移装置,包括:A knowledge transfer device based on a machine learning model, including:
获取单元，获取多个源领域的教师网络以及获取目标领域的目标样本数据，并将获取到的教师网络读入可信执行环境进行解密，各个教师网络通过对各自源领域的样本数据进行训练得到；an acquiring unit, which acquires teacher networks of multiple source domains and target sample data of a target domain, and reads the acquired teacher networks into a trusted execution environment for decryption, where each teacher network is obtained by training on the sample data of its respective source domain;
集成单元，在所述可信执行环境内分别将所述目标样本数据输入各个教师网络以得到各个教师网络针对所述目标样本数据的预测结果，并对得到的预测结果进行集成得到对应于所述目标样本数据的软标签值；an integration unit, which, within the trusted execution environment, inputs the target sample data into each teacher network to obtain each teacher network's prediction result for the target sample data, and integrates the obtained prediction results to obtain a soft label value corresponding to the target sample data;
训练单元，基于所述软标签值和所述目标样本数据原本被标注的硬标签值，对所述目标样本数据进行知识蒸馏以得到所述目标领域的学生网络。a training unit, which performs knowledge distillation on the target sample data based on the soft label value and the hard label value with which the target sample data was originally annotated, to obtain a student network of the target domain.
16. 根据权利要求15所述的装置，各个教师网络由各自源领域的数据提供方将自身的隐私数据作为样本数据进行训练得到。According to the apparatus of claim 15, each teacher network is obtained by the data provider of its respective source domain training on its own private data as sample data.
  17. 根据权利要求15所述的装置,所述目标样本数据和各个源领域的样本数据的数据类型包含以下至少之一:图像、文本、语音。The device according to claim 15, wherein the data types of the target sample data and the sample data of each source field include at least one of the following: image, text, and voice.
  18. 一种基于机器学习模型的知识迁移装置,包括:A knowledge transfer device based on a machine learning model, including:
获取单元，获取多个源领域的教师网络以及获取目标领域的目标样本数据，并将获取到的教师网络读入可信执行环境进行解密，各个教师网络通过对各自源领域的样本数据进行训练得到；an acquiring unit, which acquires teacher networks of multiple source domains and target sample data of a target domain, and reads the acquired teacher networks into a trusted execution environment for decryption, where each teacher network is obtained by training on the sample data of its respective source domain;
集成单元，在所述可信执行环境内分别将所述目标样本数据输入各个教师网络以得到各个教师网络针对所述目标样本数据的预测结果，对得到的预测结果进行集成得到对应于所述目标样本数据的软标签值，并对所述软标签值进行加密；an integration unit, which, within the trusted execution environment, inputs the target sample data into each teacher network to obtain each teacher network's prediction result for the target sample data, integrates the obtained prediction results to obtain a soft label value corresponding to the target sample data, and encrypts the soft label value;
返回单元，向所述目标样本数据的提供方返回加密后的所述软标签值，以使得所述提供方对接收到的软标签值进行解密，并基于解密后的所述软标签值和所述目标样本数据原本被标注的硬标签值，对所述目标样本数据进行知识蒸馏以得到所述目标领域的学生网络。a returning unit, which returns the encrypted soft label value to the provider of the target sample data, so that the provider decrypts the received soft label value and, based on the decrypted soft label value and the hard label value with which the target sample data was originally annotated, performs knowledge distillation on the target sample data to obtain a student network of the target domain.
19. 根据权利要求18所述的装置，所述可信执行环境中的待解密数据被相应的提供方通过自身的对称密钥进行加密，所述待解密数据包括任一教师网络和/或所述目标样本数据；所述获取单元具体用于：According to the apparatus of claim 18, the data to be decrypted in the trusted execution environment is encrypted by its corresponding provider using the provider's own symmetric key, and the data to be decrypted includes any teacher network and/or the target sample data; the acquiring unit is specifically configured to:
    获取所述待解密数据的提供方的对称密钥;Obtaining the symmetric key of the provider of the data to be decrypted;
    在所述可信执行环境内通过获取到的对称密钥对所述待解密数据进行解密。The data to be decrypted is decrypted in the trusted execution environment using the acquired symmetric key.
  20. 根据权利要求19所述的装置,用于加密所述待解密数据的对称密钥被采用数字信封公钥加密;所述获取单元进一步用于:The device according to claim 19, wherein the symmetric key used to encrypt the data to be decrypted is encrypted with a digital envelope public key; the obtaining unit is further configured to:
    在所述可信执行环境内通过数字信封私钥,对用于加密所述待解密数据的对称密钥进行解密以得到解密后的对称密钥。In the trusted execution environment, the symmetric key used to encrypt the data to be decrypted is decrypted through the digital envelope private key to obtain the decrypted symmetric key.
21. 根据权利要求20所述的装置，所述可信执行环境通过SGX架构建立，在所述可信执行环境通过密钥管理服务器发起的远程证明后，所述数字信封公钥由所述密钥管理服务器发送至所述待解密数据的提供方，所述数字信封私钥由所述密钥管理服务器发送至所述可信执行环境的围圈。According to the apparatus of claim 20, the trusted execution environment is established through the SGX architecture; after the trusted execution environment passes remote attestation initiated by a key management server, the digital envelope public key is sent by the key management server to the provider of the data to be decrypted, and the digital envelope private key is sent by the key management server to the enclave of the trusted execution environment.
  22. 根据权利要求18所述的装置,所述目标样本数据和各个源领域的样本数据的数据类型包含以下至少之一:图像、文本、语音。The device according to claim 18, wherein the data types of the target sample data and the sample data of each source field include at least one of the following: image, text, and voice.
  23. A machine learning model-based knowledge transfer apparatus, comprising:
    a sending unit, configured to send target sample data to the maintainer of a trusted execution environment, so that the maintainer, within the trusted execution environment, inputs the target sample data into teacher networks of multiple source domains to obtain each teacher network's prediction result for the target sample data, and integrates the obtained prediction results into a soft label value corresponding to the target sample data; wherein each teacher network is obtained by training on the sample data of its respective source domain and is decrypted within the trusted execution environment; and
    a training unit, configured to receive the encrypted soft label value returned by the maintainer, decrypt the received soft label value, and, based on the decrypted soft label value and the hard label value with which the target sample data was originally annotated, perform knowledge distillation on the target sample data to obtain a student network for the target domain.
  24. The apparatus according to claim 23, wherein the data types of the target sample data and of the sample data of each source domain comprise at least one of the following: image, text, and speech.
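The training unit of claim 23 distills knowledge using two supervision signals: the decrypted soft label from the teacher ensemble and the hard label with which the target sample was originally annotated. A minimal sketch of such a distillation objective in the style of Hinton et al., mixing hard-label cross-entropy with a soft-label KL term (the weight `alpha` and temperature `T` are illustrative hyperparameters, not specified by the claims):

```python
import math

def softmax(logits, T=1.0):
    """Softmax with temperature T (T=1 is the standard softmax)."""
    m = max(logits)
    exps = [math.exp((z - m) / T) for z in logits]
    s = sum(exps)
    return [e / s for e in exps]

def distillation_loss(student_logits, soft_label, hard_label, T=3.0, alpha=0.5):
    """alpha * CE(hard label) + (1 - alpha) * T^2 * KL(soft label || student).
    The T**2 factor rescales the soft-label gradient to match the hard term."""
    p_hard = softmax(student_logits)
    ce = -math.log(p_hard[hard_label] + 1e-12)
    p_soft = softmax(student_logits, T)
    kl = sum(q * math.log((q + 1e-12) / (p + 1e-12))
             for q, p in zip(soft_label, p_soft))
    return alpha * ce + (1 - alpha) * (T ** 2) * kl

# One target sample: ensemble soft label [0.7, 0.3], annotated hard label 0.
loss = distillation_loss([1.2, -0.3], soft_label=[0.7, 0.3], hard_label=0)
```

Minimizing this loss over the target sample data yields the student network of the target domain; note that only the soft labels cross the trust boundary, never the teacher networks themselves.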
  25. An electronic device, comprising:
    a processor; and
    a memory for storing instructions executable by the processor;
    wherein the processor implements the method according to claim 1 or 2 by executing the executable instructions.
  26. An electronic device, comprising:
    a processor; and
    a memory for storing instructions executable by the processor;
    wherein the processor implements the method according to any one of claims 3-5 by executing the executable instructions.
  27. An electronic device, comprising:
    a processor; and
    a memory for storing instructions executable by the processor;
    wherein the processor implements the method according to any one of claims 6-10 by executing the executable instructions.
  28. An electronic device, comprising:
    a processor; and
    a memory for storing instructions executable by the processor;
    wherein the processor implements the method according to claim 11 or 12 by executing the executable instructions.
  29. A computer-readable storage medium having computer instructions stored thereon, wherein the instructions, when executed by a processor, implement the steps of the method according to claim 1 or 2.
  30. A computer-readable storage medium having computer instructions stored thereon, wherein the instructions, when executed by a processor, implement the steps of the method according to any one of claims 3-5.
  31. A computer-readable storage medium having computer instructions stored thereon, wherein the instructions, when executed by a processor, implement the steps of the method according to any one of claims 6-10.
  32. A computer-readable storage medium having computer instructions stored thereon, wherein the instructions, when executed by a processor, implement the steps of the method according to claim 11 or 12.
PCT/CN2020/124013 2019-12-14 2020-10-27 User risk assessment method and apparatus, electronic device, and storage medium WO2021114911A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201911287610.3 2019-12-14
CN201911287610.3A CN111027870A (en) 2019-12-14 2019-12-14 User risk assessment method and device, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
WO2021114911A1

Family

ID=70210835

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/124013 WO2021114911A1 (en) 2019-12-14 2020-10-27 User risk assessment method and apparatus, electronic device, and storage medium

Country Status (2)

Country Link
CN (1) CN111027870A (en)
WO (1) WO2021114911A1 (en)


Families Citing this family (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111027870A (en) * 2019-12-14 2020-04-17 支付宝(杭州)信息技术有限公司 User risk assessment method and device, electronic equipment and storage medium
CN111832291B (en) * 2020-06-02 2024-01-09 北京百度网讯科技有限公司 Entity recognition model generation method and device, electronic equipment and storage medium
CN112200402B (en) * 2020-08-19 2022-10-18 支付宝(杭州)信息技术有限公司 Risk quantification method, device and equipment based on risk portrait
CN112149541A (en) * 2020-09-14 2020-12-29 清华大学 Model training method and device for sleep staging
CN112149404A (en) * 2020-09-18 2020-12-29 支付宝(杭州)信息技术有限公司 Method, device and system for identifying risk content of user privacy data
CN112149179B (en) * 2020-09-18 2022-09-02 支付宝(杭州)信息技术有限公司 Risk identification method and device based on privacy protection
CN112308236A (en) * 2020-10-30 2021-02-02 北京百度网讯科技有限公司 Method, device, electronic equipment and storage medium for processing user request
CN112738061B (en) * 2020-12-24 2022-06-21 四川虹微技术有限公司 Information processing method, device, management platform, electronic equipment and storage medium
CN112734046A (en) * 2021-01-07 2021-04-30 支付宝(杭州)信息技术有限公司 Model training and data detection method, device, equipment and medium
CN112801718B (en) * 2021-02-22 2021-10-01 平安科技(深圳)有限公司 User behavior prediction method, device, equipment and medium
CN113538127B (en) * 2021-07-16 2023-06-23 四川新网银行股份有限公司 Method, system, equipment and medium for supporting simultaneous combined wind control test of multiple partners
CN113569263A (en) * 2021-07-30 2021-10-29 拉扎斯网络科技(上海)有限公司 Secure processing method and device for cross-private-domain data and electronic equipment
CN114049054B (en) * 2022-01-13 2022-04-19 江苏通付盾科技有限公司 Decision method and system applied to risk management and control
CN115099988A (en) * 2022-06-28 2022-09-23 腾讯科技(深圳)有限公司 Model training method, data processing method, device and computer medium
CN116340852B (en) * 2023-05-30 2023-09-15 支付宝(杭州)信息技术有限公司 Model training and business wind control method and device

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109308418A (en) * 2017-07-28 2019-02-05 阿里巴巴集团控股有限公司 A kind of model training method and device based on shared data
CN109344871A (en) * 2018-08-30 2019-02-15 西北工业大学 A kind of target classification identification method based on multi-source field fusion transfer learning
CN109685644A (en) * 2018-12-17 2019-04-26 深圳市数丰科技有限公司 A kind of customers' credit methods of marking and device based on transfer learning
CN110097178A (en) * 2019-05-15 2019-08-06 电科瑞达(成都)科技有限公司 It is a kind of paid attention to based on entropy neural network model compression and accelerated method
CA3056098A1 (en) * 2019-06-07 2019-11-22 Tata Consultancy Services Limited Sparsity constraints and knowledge distillation based learning of sparser and compressed neural networks
CN110555148A (en) * 2018-05-14 2019-12-10 腾讯科技(深圳)有限公司 user behavior evaluation method, computing device and storage medium
CN111027870A (en) * 2019-12-14 2020-04-17 支付宝(杭州)信息技术有限公司 User risk assessment method and device, electronic equipment and storage medium


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
TAIYANG 625: "Deep learning - knowledge distillation network compression training method (repost)", XP055820562, Retrieved from the Internet <URL:https://blog.csdn.net/Taiyang625/article/details/81672717> [retrieved on 20210702] *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113988483A (en) * 2021-12-23 2022-01-28 支付宝(杭州)信息技术有限公司 Risk operation behavior control method, risk operation behavior model training method and electronic equipment
CN113988483B (en) * 2021-12-23 2022-04-29 支付宝(杭州)信息技术有限公司 Risk operation behavior control method, risk operation behavior model training method and electronic equipment

Also Published As

Publication number Publication date
CN111027870A (en) 2020-04-17

Similar Documents

Publication Publication Date Title
WO2021114911A1 (en) User risk assessment method and apparatus, electronic device, and storage medium
WO2021114974A1 (en) User risk assessment method and apparatus, electronic device, and storage medium
US11556846B2 (en) Collaborative multi-parties/multi-sources machine learning for affinity assessment, performance scoring, and recommendation making
US11468448B2 (en) Systems and methods of providing security in an electronic network
CN112085159B (en) User tag data prediction system, method and device and electronic equipment
US11893493B2 (en) Clustering techniques for machine learning models
CN111428887B (en) Model training control method, device and system based on multiple computing nodes
US20190163790A1 (en) System and method for generating aggregated statistics over sets of user data while enforcing data governance policy
US11907403B2 (en) Dynamic differential privacy to federated learning systems
US10726501B1 (en) Method to use transaction, account, and company similarity clusters derived from the historic transaction data to match new transactions to accounts
WO2020035075A1 (en) Method and system for carrying out maching learning under data privacy protection
WO2023216494A1 (en) Federated learning-based user service strategy determination method and apparatus
WO2021189926A1 (en) Service model training method, apparatus and system, and electronic device
US20230093540A1 (en) System and Method for Detecting Anomalous Activity Based on a Data Distribution
CN110858253A (en) Method and system for executing machine learning under data privacy protection
WO2022237175A1 (en) Graph data processing method and apparatus, device, storage medium, and program product
US20230104176A1 (en) Using a Machine Learning System to Process a Corpus of Documents Associated With a User to Determine a User-Specific and/or Process-Specific Consequence Index
Zheng et al. A matrix factorization recommendation system-based local differential privacy for protecting users’ sensitive data
Upreti et al. Enhanced algorithmic modelling and architecture in deep reinforcement learning based on wireless communication Fintech technology
US11164245B1 (en) Method and system for identifying characteristics of transaction strings with an attention based recurrent neural network
Kou et al. Trust‐Based Missing Link Prediction in Signed Social Networks with Privacy Preservation
WO2023060150A1 (en) Data compression techniques for machine learning models
CA3131616A1 (en) System and method for detecting anomalous activity based on a data distribution
Sumathi et al. Scale-based secured sensitive data storage for banking services in cloud
US20230419344A1 (en) Attribute selection for matchmaking

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20900569

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 20900569

Country of ref document: EP

Kind code of ref document: A1