CN112560059B - Vertical federal model stealing defense method based on neural pathway feature extraction - Google Patents

Abstract

_The invention discloses _a model stealing defense method under vertical federation based on neural pathway feature extraction. DB contains sample labels; (2 ₎ the edge model _MA of the edge terminal _PB is trained according to DA, the edge model _MB of the edge terminal _PB is trained according to _DB , and the feature data generated by the training process is trained by _{P A} Send to P _B , P _B uses the received feature data and activated neuron pathway data to calculate the loss function, P _A and P _B encrypt their respective loss function masks and upload them to the server; (3) The server pairs the uploaded After the loss function mask is decrypted and aggregated, the aggregated loss function is solved to obtain the gradient information of M _A and M _B , and the gradient information is returned to P _A and P _B to update the network parameters of the edge model. To improve the information security of edge models in vertical federation scenarios.

Description

A model stealing defense method under vertical federation based on neural pathway feature extraction

technical field

The invention belongs to the field of security defense, and in particular relates to a model stealing defense method under a vertical federation based on neural pathway feature extraction.

Background technique

In recent years, deep learning models have been widely used in various real-world tasks and achieved good results. At the same time, data silos and privacy leakage during model training and application have become the main problems currently hindering the development of artificial intelligence technology. To solve this problem, federated learning emerges as an efficient privacy protection method. Federated learning is a distributed machine learning method, that is, the participants upload the updated parameters to the server after training local data, and then the server aggregates the learning method to obtain the overall parameters, through the local training and parameter transmission of the participants. , to train a lossless learning model.

According to different data distribution, federated learning can be roughly divided into three categories: horizontal federated learning, vertical federated learning, and federated transfer learning. Horizontal federated learning refers to dividing the data set according to the user dimension when the data features overlap more and the users overlap less between different data sets, and extract the part with the same data features but not the same users. data for training. Longitudinal federated learning refers to dividing the dataset according to the dimension of data features when there is more overlap of users and less overlap of data features between different datasets, and extracts the data that both sides target the same user but have different data features. That part of the data for training. Federated transfer learning refers to the use of transfer learning to overcome the lack of data or labels without segmenting the data when there is less overlap between users and data features in multiple datasets.

Compared with traditional machine learning technologies, federated learning can not only improve learning efficiency, but also solve the problem of data silos and protect local data privacy. However, there are also many security risks in federated learning. There are three main attack threats in federated learning: poisoning attacks, adversarial attacks, and privacy leaks. Among them, the problem of privacy leakage is the most important problem in the federated learning scenario, because federated learning involves the interaction of model information of multiple participants. In this process, it is easy to be maliciously attacked, which poses a huge threat to the privacy and security of the federated learning model.

In the vertical federation scenario, in order to protect the privacy security of the deep model, the main privacy protection technologies proposed include secure multi-party computation, homomorphic encryption and differential privacy protection. Secure multi-party computation and homomorphic encryption technology will greatly increase the computational complexity and time. The cost and computing cost will increase, and the computing power of the device is also high. The differential privacy protection technology needs to achieve privacy security protection by adding noise, which will affect the accuracy of the model on the original task.

SUMMARY OF THE INVENTION

In order to improve the information security of the edge model in the vertical federation scenario and prevent the edge model from being stolen by malicious attackers in the process of information transmission, the present invention proposes a vertical federation model stealing defense method based on neural pathway feature extraction .

The technical scheme of the present invention is:

A model stealing defense method under vertical federation based on neural pathway feature extraction, comprising the following steps:

(1) Divide each sample in the data set into two parts on average to form a sample set _{D A} and a sample set DB , and only the sample set DB contains sample labels, and the sample sets _{D A} and DB are allocated to the edge terminals _{P A and} edge terminal P _B ;

(2) The edge model M _A of the edge terminal _PB is trained according to the sample set D _A , the edge model MB of the edge terminal _PB is trained according to the sample set D _B , and the edge terminal P _A uses the feature data generated during the training process _. Send to P _B , P _B uses the received feature data and activated neuron pathway data to calculate the loss function, and the edge terminals P _A and P _B encrypt their respective loss function masks and upload them to the server;

(3) After the server decrypts the loss function mask uploaded by the edge terminals P _A and P _B , aggregates the loss function and solves the aggregated loss function to obtain the gradient information of M _A and M _B , and returns the gradient information to the edge terminal P _A and P _B to update the edge model network parameters.

Compared with the prior art, the beneficial effects of the present invention at least include:

The defense method for model stealing under vertical federation based on neural pathway feature extraction provided by the present invention, by fixing neural pathway features during training, and encrypting and uploading the loss function to prevent theft by malicious attackers, the edge model under vertical federation scenario information security.

Description of drawings

In order to illustrate the embodiments of the present invention or the technical solutions in the prior art more clearly, the following briefly introduces the accompanying drawings used in the description of the embodiments or the prior art. Obviously, the drawings in the following description are only These are some embodiments of the present invention. For those of ordinary skill in the art, other drawings can also be obtained according to these drawings without creative efforts.

1 is a flowchart of a model stealing defense method under vertical federation based on neural pathway feature extraction provided by an embodiment of the present invention;

FIG. 2 is a schematic diagram of training a vertical federation model provided by an embodiment of the present invention.

Detailed ways

In order to make the objectives, technical solutions and advantages of the present invention clearer, the present invention will be further described in detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are only used to explain the present invention, and do not limit the protection scope of the present invention.

In the vertical federation scenario, the edge model is vulnerable to the threat of malicious attackers in the process of model information interaction. After stealing the model information at the edge, the attacker steals the model at the edge by calculating the gradient and loss value. In order to prevent such stealing of edge models, the embodiment of the present invention provides a vertical federation model stealing defense scheme based on neural pathway feature extraction. By adding a neural pathway feature extraction step in the training phase of edge model, the neural pathway is activated by fixed activation. The meta-method encrypts the model parameter transfer process in the training phase, so that in the process of model parameter exchange between different edge terminals in the vertical federation scenario, it can effectively prevent malicious participants from stealing the privacy information of the deep model. Under the premise of fixing the neural pathway, even if the transmission information of the edge model is stolen, the training process of the model cannot be restored, which achieves the defense purpose of protecting model information and resisting model stealing attacks.

FIG. 1 is a flowchart of a model stealing defense method under vertical federation based on neural pathway feature extraction provided by an embodiment of the present invention. As shown in FIG. 1 , the model stealing defense method under vertical federation based on neural pathway feature extraction provided by the embodiment includes the following steps:

Step 1, the division and alignment of the dataset.

In the embodiment, the MNIST dataset, the CIFAR-10 dataset and the ImageNet dataset are used. Among them, the training set of the MNIST dataset consists of ten categories, with 6000 samples in each category, and the test set of ten categories with 1000 samples in each category; the training set of the CIFAR-10 dataset consists of ten categories, with 5000 samples in each category, and the test set consists of ten categories. Class, 1000 samples per class; ImageNet dataset has 1000 classes, each class contains 1000 samples, 30% of the images are randomly selected from each class as the test set, and the rest of the images are used as the training set.

In the present invention, two edge terminals PA and _PB are used in the vertical federation _. In the vertical federation scenario, the data of the two edge terminals _PA and _PB have different data characteristics, so it is necessary to analyze the preprocessed data. Set and then perform feature segmentation. Each sample image in the MNIST dataset, the CIFAR-10 dataset and the _ImageNet dataset is equally divided into two parts, which are respectively a sample set DA and _a sample set DB, where the sample set _DB contains the sample class labels of the sample images.

In the embodiment, after dividing the samples and obtaining the sample set D _A and the sample set D _B , it is also necessary to align some samples in the sample set D _A and the sample set D _B that belong to the same sample, that is, the edge model M is guaranteed. Some samples of the same input of _A and edge model _MB come from the same sample.

Since the user groups of edge terminals P _A and P _B are different in the vertical federation scenario, and in order to ensure that the sample sets _{D A} and DB of different edge terminals do not expose their respective original data, an encryption-based user group is adopted. ID alignment technology aligns two partial images belonging to the same sample image to ensure that during the training process of the two terminals, the partial image data used each time comes from the same sample image. In the process of data entity alignment, any edge End users are not exposed.

In step 2, the edge terminal uses the respective sample sets to train the respective edge models, masks and encrypts the respective loss functions, and uploads them to the server.

In the embodiment, the edge model M _A of the edge terminal _PB is trained according to the sample set D _A , and the edge model MB of the edge terminal _PB is trained according to the sample set D _B , and the edge terminal P _A uses the features generated by the training process _. The data is sent to P _B , P _B uses the received feature data and activated neuron pathway data to calculate the loss function, and the edge terminals P _A and P _B encrypt their respective loss function masks and upload them to the server.

其中i表示某一个样本数据，y_i表示对应的样本的原始标签，

和

分别表示数据的特征空间，与特征空间相关的模型参数表示为Θ_A和Θ_B，模型训练目标表示为：For different datasets, both edge ends use the same model structure for training. For the ImagNet dataset, the ImageNet pre-trained model is used, and the training sets uniform hyperparameters: stochastic gradient descent (SGD), adam optimizer, The learning rate is η, the regularization parameter is λ, the dataset

where i represents a certain sample data, y _i represents the original label of the corresponding sample,

and

respectively represent the feature space of the data, the model parameters related to the feature space are represented as Θ _A and Θ _B , and the model training target is represented as:

Specifically, when the edge model M _A is trained according to the sample set D _A , the loss function Loss _A of the edge model M _A is:

表示属于样本集A的第i个样本，||·||²表示L1范数的平方。where Θ _A represents the model parameters of the edge model M _A ,

represents the ith sample belonging to the sample set A, and ||·|| ² represents the square of the L1 norm.

When training the edge model _MB according to the sample set D _B , the total loss function Loss _sum of the edge model _MB is:

loss _sum = loss _B +λ*loss _topk +loss _AB

表示属于样本集B的第i个样本，y_i表示

对应的标签，||·||²表示L1范数的平方，i表示样本索引，N为样本数量，NUPath_l(T,N)表示边缘模型第l层的多个最大激活神经元的激活值，L表示边缘模型的总层数，T每次输入样本个数，N表示每层的神经元个数。Among them, loss _B represents the basic loss of the edge model _{MB, loss topk represents} the neural pathway loss, loss _AB represents the common loss, λ represents the adaptive adjustment coefficient, as a partial factor of neural pathway encryption, Θ _B represents the model of the edge model _MB parameter,

Indicates the ith sample belonging to the sample set B, and y _i represents

The corresponding label, ||·|| ² represents the square of the L1 norm, i represents the sample index, N is the number of samples, NUPath _l (T, N) represents the activation value of the multiple maximum activation neurons in the lth layer of the edge model , L represents the total number of layers of the edge model, T represents the number of input samples each time, and N represents the number of neurons in each layer.

In the embodiment, with any neuron in the input layer in the neural network as the starting point, any neuron in the output layer as the end point, and the information flow of the data as the direction, through the connection paths of several neurons in the hidden layer, define for neural pathways. A neural pathway represents the connection relationship between neurons. When a sample input model activates a specific neuron, the pathway formed by these activated neurons is called an activated neural pathway.

为功能函数，

表示给定输入样本

时，第l层中与输入样本

对应的神经元n_i的激活值，max_k(·)表示提取每层中激活值前k大的k个神经元的激活值。最大激活神经通路定义如下：When the neural pathway is fixed, during the training process of the edge-end model, after each round of training, randomly select samples from the test set of the data set selected in step 1 as samples and input them into the training model to obtain the maximum activated neural network of the model at this time. Path: Let N={n ₁ ,n ₂ ,...n _n } be a group of neurons of the deep learning model; let T={x ₁ ,x ₂ ,...x _n } be a set of test set enter;

is a functional function,

represents a given input sample

When , the input sample in the lth layer is the same as the input sample

The activation value of the corresponding neuron _ni , max _k (·) represents the activation value of the k neurons with the largest activation value in each layer. The maximum activation neural pathway is defined as follows:

During training, the maximum activation neural channel composed of the activation values of multiple maximum activation neurons is fixed, that is, the activation value of this part of the neurons remains unchanged, and the activation values of k neurons in each neural layer are accumulated to form the path loss function. .

Step 3: After the server decrypts the loss function masks uploaded by the edge terminals P _A and P _B , the aggregated loss function obtains the gradient information and returns to the edge terminals P _A and P _B to update the network parameters of the edge model.

In this embodiment, after the server decrypts the loss function masks uploaded by the edge terminals P _A and P _B , aggregates the loss function and solves the aggregated loss function to obtain the gradient information of M _A and M _B , and returns the gradient information to the edge terminal P _A and P _B . Specifically, the server uses stochastic gradient descent to solve the gradient information of the aggregated loss function. Among them, the loss function Loss of server-side aggregation is:

Loss=loss _B +λ*loss _topk +loss _AB +loss _A

和

The gradient information of M _A and M _B are respectively

and

After receiving the gradient information returned by the server, the edge terminals P _A and P _B update the network parameters of _MA and _MB of the respective edge models according to the gradient information, and continue training based on the updated new network parameters.

Aiming at the model stealing attack in the vertical federation scenario, the embodiment provides a model stealing defense method under the vertical federation based on neural pathway feature extraction. By fixing the neural pathway features and encrypting them during the training process of the edge model, the gradient and the edge model are avoided. The loss information is stolen by malicious attackers during the transmission process, resulting in the model being stolen. The information of the model is encrypted and protected from the perspective of feature extraction, which not only improves the efficiency of model training, but also protects the privacy and security of the model.

The above-mentioned specific embodiments describe in detail the technical solutions and beneficial effects of the present invention. It should be understood that the above-mentioned embodiments are only the most preferred embodiments of the present invention, and are not intended to limit the present invention. Any modifications, additions and equivalent replacements made within the scope shall be included within the protection scope of the present invention.

Claims (8)

1. A vertical federal model stealing defense method based on neural pathway feature extraction is characterized by comprising the following steps:

(1) dividing each sample in the data set into two parts to form a sample set D_AAnd sample set D_BAnd only the sample set D_BContaining a sample label, sample set D_A、D_BDistribution to edge terminalsP_AAnd an edge terminal P_B；

(2) According to sample set D_AFor edge terminal P_BEdge model M of_ATraining is carried out according to a sample set D_BFor edge terminal P_BEdge model M of_BTraining is performed, edge terminal P_ASending the characteristic data generated in the training process to P_B，P_BComputing a loss function using the received feature data and the activated neuron path data, the edge terminal P_AAnd P_BEncrypting the respective loss function masks and uploading the encrypted loss function masks to a server;

(3) service end to edge terminal P_AAnd P_BAfter the uploaded loss function mask is decrypted, the loss function is aggregated, and then the aggregated loss function is solved to obtain M_AAnd M_BAnd returning the gradient information to the edge terminal P_AAnd P_BTo update the edge model network parameters.

2. The vertical federal model theft defense method based on neural pathway feature extraction as claimed in claim 1, wherein the method is based on a sample set D_AFor edge model M_AIn training, the edge model M_ALoss function Loss of_AComprises the following steps:

wherein, theta_ARepresenting an edge model M_AThe model parameters of (a) are determined,

represents the ith sample belonging to the sample set A, | · | | non-calculation²Representing the square of the norm of L1.

3. The vertical federal model theft defense method based on neural pathway feature extraction as claimed in claim 1, wherein the method is based on a sample set D_BFor edge model M_BCarry out trainingTime, edge model M_BTotal Loss function Loss of_sumComprises the following steps:

loss_sum＝loss_B+λ*loss_topk+loss_AB

therein, loss_BRepresenting an edge model M_BLoss of_topkIndicating neural pathway loss, loss_ABDenotes the common loss, and λ denotes the adaptive adjustment coefficient as a partial factor of the neural pathway encryption, Θ_BRepresenting an edge model M_BThe model parameters of (a) are determined,

denotes the i-th sample, y, belonging to the sample set B_iTo represent

Corresponding label, | · | | non-conducting phosphor²Denotes the square of the L1 norm, i denotes the sample index, N is the number of samples, NUPath_l(T, N) represents the activation values of a plurality of maximum activation neurons of the L-th layer of the edge model, L represents the total number of layers of the edge model, T is the number of samples input each time, and N represents the number of neurons of each layer.

4. The method for vertical federal model theft defense based on neural pathway feature extraction as claimed in claim 3, wherein NUPath_lThe formula for calculating (T, N) is:

wherein,

in order to be a function of the function,

representing given input samples

In the first layer and the input sample

Corresponding neuron n_iActivation value of, max_k(. cndot.) represents the extraction of activation values for k neurons k large before the activation value in each layer.

5. The vertical federal model theft defense method based on neural pathway feature extraction as claimed in claim 1, wherein in the step (3), the Loss function Loss of the service-side aggregation is:

Loss＝loss_B+λ*loss_topk+loss_AB+loss_A

M_Aand M_BRespectively is

And

6. the vertical federal model theft defense method based on neural pathway feature extraction as claimed in claim 1, wherein the edge terminal P is_AAnd P_BLadder receiving return of serverAfter the degree information, updating M of each edge model according to the gradient information_AAnd M_BBased on the updated new network parameters, the training is resumed.

7. The vertical federal model theft defense method based on neural pathway feature extraction as claimed in claim 1, wherein samples are divided to obtain a sample set D_AAnd sample set D_BThen, the sample set D is also needed_AAnd sample set D_BIn which the partial samples derived from the same sample are aligned, i.e. the edge model M is guaranteed_AAnd edge model M_BThe partial samples of the same input are derived from the same sample.

8. The vertical federal model theft defense method based on neural pathway feature extraction as claimed in claim 1, wherein the server side adopts random gradient descent to solve gradient information of aggregated loss functions.

Images