[go: up one dir, main page]

CN115495776A - Method and device for adjusting model, storage medium and electronic equipment - Google Patents

Method and device for adjusting model, storage medium and electronic equipment Download PDF

Info

Publication number
CN115495776A
CN115495776A CN202211090778.7A CN202211090778A CN115495776A CN 115495776 A CN115495776 A CN 115495776A CN 202211090778 A CN202211090778 A CN 202211090778A CN 115495776 A CN115495776 A CN 115495776A
Authority
CN
China
Prior art keywords
model
target
target model
determining
prediction
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211090778.7A
Other languages
Chinese (zh)
Inventor
罗赛男
刘焱
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Alipay Hangzhou Information Technology Co Ltd
Original Assignee
Alipay Hangzhou Information Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Alipay Hangzhou Information Technology Co Ltd filed Critical Alipay Hangzhou Information Technology Co Ltd
Priority to CN202211090778.7A priority Critical patent/CN115495776A/en
Publication of CN115495776A publication Critical patent/CN115495776A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245Protecting personal data, e.g. for financial or medical purposes
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06NCOMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N20/00Machine learning

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Medical Informatics (AREA)
  • Health & Medical Sciences (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Databases & Information Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Artificial Intelligence (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Data Mining & Analysis (AREA)
  • Evolutionary Computation (AREA)
  • Computing Systems (AREA)
  • Mathematical Physics (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The specification discloses a method, a device, a storage medium and an electronic device for adjusting a model, wherein a first model evaluation mode is adopted in the embodiment of the specification, input data are input into a target model to obtain output results, and safety parameters of the target model under the first model evaluation mode are determined according to the output results containing privacy data. And extracting characteristic data of the input data through the target model by adopting a second model evaluation mode, and inputting the characteristic data into the prediction model to obtain a prediction result. And determining the safety parameters of the target model under the second model evaluation mode according to the prediction result. And adjusting the target model according to the safety parameters of the target model in at least one model evaluation mode. In the method, if the target model is determined to have the security risk according to the security parameters, the target model is adjusted, so that the risk that the output of the target model contains privacy data can be reduced, and the security of the model is improved.

Description

Method and device for adjusting model, storage medium and electronic equipment
Technical Field
The present disclosure relates to the field of information security, and in particular, to a method and an apparatus for adjusting a model, a storage medium, and an electronic device.
Background
In the field of natural language processing, a model for processing natural language may be applied to various business scenarios in the field of natural language processing.
Because the model is in the training process, the training sample can relate to the privacy data of some users, such as: a cell phone number, etc. Therefore, an attacker can attack the trained model and acquire the privacy data of the user from the output result of the model.
Therefore, the specification provides a method for evaluating the security of the model, and the model is adjusted under the condition that the security of the model is evaluated to be lower, so that the risk that the result output by the model contains private data is reduced.
Disclosure of Invention
Embodiments of the present disclosure provide a method, an apparatus, a storage medium, and an electronic device for adjusting a model, so as to partially solve the problems in the prior art.
The embodiment of the specification adopts the following technical scheme:
the present specification provides a method for adjusting a model, the method comprising:
obtaining a target model;
determining a safety parameter of the target model by adopting a preset first model evaluation mode, and adjusting the target model according to the safety parameter; wherein
The first model evaluation mode is executed by the following steps:
inputting each input data into the target model to obtain each output result;
and determining the security parameters according to the output result containing the privacy data.
Optionally, determining the security parameter according to an output result including the private data specifically includes:
determining the proportion of output results containing the private data in all the output results;
and determining the safety parameters according to the ratio.
The present specification provides a method for adjusting a model, the method comprising:
acquiring a target model;
determining safety parameters of the target model by adopting a preset second model evaluation mode, and adjusting the target model according to the safety parameters; wherein
The second model evaluation mode is performed by the following steps:
inputting input data into the target model to obtain characteristic data extracted from the input data by the target model;
inputting the characteristic data into a pre-trained prediction model to predict the model structure of the target model through the prediction model to obtain a prediction result;
and determining the safety parameters according to the prediction result.
Optionally, determining the safety parameter according to the prediction result specifically includes:
determining the probability deviation between the probabilities that the target model belongs to different model structures according to the prediction probability that the target model belongs to each model structure contained in the prediction result;
and determining the safety parameters of the target model according to the probability deviation.
Optionally, the pre-training of the prediction model specifically includes:
obtaining characteristics of each sample in advance; each sample characteristic refers to characteristic data extracted by models with different model structures;
inputting the sample characteristics into a prediction model to be trained aiming at each sample characteristic, so as to predict and extract a model structure corresponding to the model of the sample characteristics through the prediction model to be trained, and taking the model structure as a model structure to be verified corresponding to the sample characteristics;
and training the prediction model by using the minimization of the difference between the predicted model structure to be verified corresponding to the sample characteristics and the real model structure corresponding to the model from which the sample characteristics are extracted as an optimization target.
Optionally, the method further comprises:
obtaining each verification characteristic; each verification feature is feature data extracted through models with different model structures;
inputting the verification features into the trained prediction model aiming at each verification feature, and predicting and extracting a model structure corresponding to the model of the verification features through the trained prediction model to serve as the model structure corresponding to the verification features;
and determining the prediction accuracy of the prediction model according to the model structure corresponding to each verification feature, and verifying the prediction model according to the prediction accuracy.
The present specification provides a method for adjusting a model, the method comprising:
obtaining a target model;
aiming at each preset model evaluation mode, determining the safety parameters of the target model in the model evaluation mode;
adjusting the target model according to the safety parameters of the target model under each model evaluation mode, wherein the model evaluation mode comprises the following steps: a first model evaluation mode and a second model evaluation mode.
Optionally, adjusting the target model according to the safety parameters of the target model in each model evaluation mode specifically includes:
and if the target model is determined to have safety risk according to the safety parameters of the target model in any model evaluation mode, adjusting the target model.
The present specification provides an apparatus for adjusting a model, including:
the acquisition module is used for acquiring a target model;
the determining module is used for determining the safety parameters of the target model by adopting a preset first model evaluation mode and adjusting the target model according to the safety parameters; wherein
The determining module is used for inputting all input data into the target model to obtain all output results; and determining the security parameters according to the output result containing the privacy data.
The present specification provides an apparatus for adjusting a model, comprising:
an acquisition module for acquiring a target model;
the determining module is used for determining the safety parameters of the target model by adopting a preset second model evaluation mode and adjusting the target model according to the safety parameters; wherein
The determining module is used for inputting input data into the target model to obtain characteristic data extracted from the input data by the target model; inputting the characteristic data into a pre-trained prediction model to predict the model structure of the target model through the prediction model to obtain a prediction result; and determining the safety parameters according to the prediction result.
The present specification provides an apparatus for adjusting a model, including:
an acquisition module for acquiring a target model;
the determining module is used for determining the safety parameters of the target model in each preset model evaluation mode;
an adjusting module, configured to adjust the target model according to the security parameters of the target model in each model evaluation manner, where the model evaluation manner includes: a first model evaluation mode and a second model evaluation mode.
The present specification provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the method of adjusting a model described above.
The present specification provides an electronic device, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor, and when the processor executes the computer program, the processor implements the method for adjusting the model.
The embodiment of the specification adopts at least one technical scheme which can achieve the following beneficial effects:
in this embodiment of the present description, a first model evaluation manner may be adopted, and each input data is input into the target model to obtain each output result of the target model in the first model evaluation manner, and the security parameter of the target model in the first model evaluation manner is determined according to the output result including the privacy data. The characteristic data of the input data can be extracted through the target model by adopting a second model evaluation mode, the characteristic data is input into the prediction model to obtain a prediction result, and the safety parameters of the target model under the second model evaluation mode are determined according to the prediction result. And adjusting the target model according to the safety parameters of the target model in at least one model evaluation mode. In the method, the safety of the target model is evaluated based on different model evaluation modes, and if the target model has safety risks, the target model is adjusted, so that the risks that the output of the target model contains privacy data can be reduced, and the safety of the model is improved.
Drawings
The accompanying drawings, which are included to provide a further understanding of the specification and are incorporated in and constitute a part of this specification, illustrate embodiments of the specification and together with the description serve to explain the specification and not to limit the specification in a non-limiting sense. In the drawings:
fig. 1 is a schematic flow chart of a method for adjusting a model according to an embodiment of the present disclosure;
FIG. 2 is a schematic flow chart diagram illustrating a method for adjusting a model according to an embodiment of the present disclosure;
FIG. 3 is a schematic flow chart illustrating a method for adjusting a model according to an embodiment of the present disclosure;
fig. 4 is a schematic structural diagram of an apparatus for adjusting a model according to an embodiment of the present disclosure;
fig. 5 is a schematic structural diagram of an apparatus for adjusting a model according to an embodiment of the present disclosure;
fig. 6 is a schematic structural diagram of an apparatus for adjusting a model according to an embodiment of the present disclosure;
fig. 7 is a schematic structural diagram of an electronic device provided in an embodiment of this specification.
Detailed Description
In the field of natural language processing, text is taken as an example, and when a model for processing natural language is trained, a training sample may contain some private data. After the model is trained, the model may not learn the semantic information of the training sample, but learn the text content of the training sample. In this way, when some specific prefixes of the text are input to the model, the learned text content may be caused to be output by the model, and the learned text content may contain privacy data, which causes the model to risk revealing the privacy data and provides an opportunity for an attacker to obtain the privacy data.
Therefore, after the model is trained, the model may be attacked by an attacker, which may cause the model to reveal some private data of the user. The attack mode comprises at least two types, wherein one type is used for excavating a model structure of the model for an attacker, so that the specific attack is carried out according to the characteristics of the model structure, and the output result of the model contains the privacy data of the user. The other is private data recovery attack, namely, an attacker directly enables the output result of the model to contain private data, so that the model reveals the private data of the user.
In this specification, different model evaluation modes for a target model are constructed based on different attack modes of an attacker, for example: and evaluating whether the target model outputs an output result containing the private data or not, evaluating whether a model structure of the target model can be excavated or not, and then evaluating the safety of the model according to different model evaluation modes. The model evaluation mode may include: a first model evaluation mode and a second model evaluation mode.
The first model evaluation method is a method of evaluating whether or not the target model outputs an output result including private data, and the second model evaluation method is a method of evaluating whether or not the model structure of the target model can be excavated.
Due to different model evaluation modes, the evaluation content and the evaluation standard required by different model evaluation modes are different.
In order to make the objects, technical solutions and advantages of the present disclosure more clear, the technical solutions of the present disclosure will be clearly and completely described below with reference to the specific embodiments of the present disclosure and the accompanying drawings. It is to be understood that the embodiments described are only a few embodiments of the present disclosure, and not all embodiments. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments in the present specification without making any creative effort belong to the protection scope of the present specification.
The technical solutions provided by the embodiments of the present description are described in detail below with reference to the accompanying drawings.
Fig. 1 is a schematic flowchart of a method for adjusting a model provided in this specification, where fig. 1 is a method for adjusting a model determined by a first model evaluation method, and includes:
s100: and acquiring a target model.
S102: determining safety parameters of the target model by adopting a preset first model evaluation mode, and adjusting the target model according to the safety parameters; wherein the safety parameters of the target model in the first model evaluation mode are determined by the following steps: inputting each input data into the target model to obtain each output result; and determining the security parameters according to the output result containing the privacy data.
In the embodiment of the present specification, in the field of natural language processing, a model for which the safety of the model needs to be evaluated is acquired as a target model. Wherein, the target model may refer to a trained model. The object model may include: a Bidirectional Encoder Representation from transforms (BERT) model based on a transformer, a General Pre-Training (GPT) model, a refinement model, and so on.
After the target model is obtained, each data input to the target model may be obtained as each input data according to a type of a service executed by the target model. The input data may be various data such as text data and voice data.
For the first model evaluation manner, since the service scenario in which the target model may directly output the privacy data is mainly a question and answer service, the input data may refer to the question data related to privacy.
Taking text data as an example, the problem data related to privacy at least comprises: what is your shipping address? What is your mobile phone number?
After the input data are acquired, the input data may be input into a target model, and the input data may be processed for each input data by the target model to obtain an output result corresponding to the input data. Finally, an output result corresponding to each input data, i.e., each output result, is obtained. And then, according to the output result containing the private data, determining the safety parameters of the target model in the first model evaluation mode. Wherein the output result may refer to reply data to the input data. The output result may or may not contain private data.
When the security parameters in the first model evaluation mode are determined, the proportion of the output results containing the privacy data in all the output results can be determined, and the security parameters of the target model in the first model evaluation mode are determined according to the proportion. The safety parameters can refer to safety factors of the target model in a first model evaluation mode, the larger the safety parameters are, the higher the safety of the target model is, and the smaller the safety parameters are, the lower the safety of the target model is.
When the proportion of the output results containing the privacy data in all the output results is determined, whether the output results contain the privacy data or not can be detected according to a preset privacy detection rule aiming at each output result, and a detection result corresponding to the output result is obtained.
Wherein the privacy detection rule may include: a regular expression. The regular expression may include: detecting whether the output result contains a rule of a privacy word and/or detecting whether the output result contains a rule of a number sequence with a specified length, wherein the privacy word at least comprises the following steps: a mobile phone number, a receiving address and the like, and the number sequence with the specified length can refer to a mobile phone number with 11 digits and the like.
And if the output result contains the privacy characters and/or the number sequence with the appointed length according to the privacy detection rule, determining that the output result contains the privacy data.
Such as: taking the example of whether the privacy detection rule includes a number sequence with a specified length, one output result is: cell phone number 12345678912. The processing result of the text can be detected to contain the number sequence with the specified length through the privacy detection rule, and then the detection result of the text is as follows: this output contains private data.
After determining the detection result corresponding to each output result, the proportion of the output results including the private data in all the output results may be determined according to the number of the output results including the private data and the total number of the output results. Wherein the proportion may represent a probability that the target model outputs an output result including the private data.
When the security parameters of the target model in the first model evaluation mode are determined, if the proportion of the output results containing the private data in all the output results is larger, the security parameters of the target model in the first model evaluation mode are smaller. And if the safety parameter of the target model in the first model evaluation mode is smaller than a first preset risk threshold, determining that the target model has a safety risk in the first model evaluation mode.
After the target model is determined to have the security risk of outputting the private data, the target model can be adjusted to obtain an adjusted target model, and the adjusted target model is trained. Wherein, the adjusting the target model may be: adjusting a model structure of the target model, adjusting model parameters within the target model, adjusting algorithms for processing data within the target model, and the like.
Next, a method of evaluating the security of the target model by the second model evaluation method will be described.
Fig. 2 is a schematic flowchart of a method for adjusting a model provided in this specification, and fig. 2 is a method for adjusting a model determined by a second model evaluation method, including:
s200: and acquiring a target model.
S202: determining safety parameters of the target model by adopting a preset second model evaluation mode, and adjusting the target model according to the safety parameters; wherein the safety parameters of the target model in the second model evaluation mode are determined by the following steps: inputting input data into the target model to obtain characteristic data extracted from the input data by the target model; inputting the characteristic data into a pre-trained prediction model to predict the model structure of the target model through the prediction model to obtain a prediction result; and determining the safety parameters according to the prediction result.
In the embodiment of the present specification, in the field of natural language processing, a model for which the safety of the model needs to be evaluated is acquired as a target model. Wherein, the target model may refer to a trained model. The object model may include: transformer-based bi-directional Encoder Representation from transforms (BERT) models, general Pre-Training models (GPT), refinement models, and the like.
After the target model is obtained, each data input to the target model may be obtained as each input data according to the type of service executed by the target model. The input data may be various data such as text data and voice data.
Taking text data as an example, if the target model is used for a question and answer service, the acquired input data can be a question text; if the target model is used for emotion analysis service, the acquired input data may be evaluation text for an analysis object, or the like.
In the second model evaluation method, since the model structure is related to the feature vector of the input data of the input model, the model structure of the target model can be determined from the feature data (i.e., the feature vector) of the input data extracted by the target model.
After the input data are acquired, the input data may be input into a target model, and feature data may be extracted from the input data for each input data by the target model as feature data corresponding to the input data. Wherein the feature data may refer to a feature vector of the input data.
And then, inputting each feature data into a pre-trained prediction model, predicting the model structure of the target model based on each feature data through the prediction model to obtain a prediction result, and determining the safety parameters of the target model in a second model evaluation mode according to the prediction result. The prediction model may include: the XGboost model.
When determining the safety parameters in the second model evaluation mode, the probability deviation between the probabilities that the target model belongs to different model structures may be determined according to the prediction probability that the target model belongs to each model structure included in the prediction result. And determining the safety parameters of the target model according to the probability deviation. Wherein, the probability deviation may refer to mean square error, variance, range, etc. The safety parameter may refer to a safety factor of the target model in a second model evaluation mode, and the larger the safety parameter is, the higher the safety of the target model is, whereas the smaller the safety parameter is, the lower the safety of the target model is.
The smaller the probability deviation is, the closer the probability that the predicted target model belongs to different model structures is, that is, the true model structure of the target model cannot be predicted accurately by the prediction model. Conversely, the larger the probability deviation is, the more obvious the difference between the probabilities that the predicted target model belongs to different model structures is, that is, the prediction model can accurately predict the real model structure of the target model. In addition, the prediction model cannot accurately predict the real model structure of the target model, which indicates that the safety of the target model is high, and the prediction model can accurately predict the real model structure of the target model, which indicates that the safety of the target model is low.
Such as: taking the range as an example, if three texts are input into the target model to obtain three feature vectors, inputting the three feature vectors into the prediction model, predicting that the model structure corresponding to the first feature vector is a and the probability is 70% through the prediction model, the model structure corresponding to the second feature vector is b and the probability is 10%, the model structure corresponding to the third feature vector is c and the probability is 20%. Obviously, the range between the probabilities of the model structures corresponding to each feature vector is 60%, the range is large, and the prediction model can accurately predict the model structure of the target model, namely, the model structure a.
When the safety parameters of the target model in the second model evaluation mode are determined, if the probability deviation is larger, the safety parameters of the target model in the second model evaluation mode are smaller. And if the safety parameter in the second model evaluation mode is smaller than a second preset risk threshold value, determining that the target model has a safety risk.
After the target model is determined to have the security risk of outputting the private data, the target model can be adjusted to obtain an adjusted target model, and the adjusted target model is trained. Wherein, the adjusting the target model may be: adjusting a model structure of the target model, adjusting model parameters in the target model, adjusting an algorithm for processing data in the target model, and the like.
In addition, before predicting the model structure of the target model by using the prediction model, the prediction model needs to be trained, and the accuracy of predicting the model structure of each model by the prediction model is ensured.
Before training the prediction model, sample data may be obtained, where the sample data may include text data, audio data, and the like, and the text data may include: the system comprises a language material in the social field, a postback language material in a post forum, a Chinese medical data set and a Chinese medical data set CMDD in the medical field, a dialogue challenge match dialogue data set in the internet field, manual customer service dialogue data and the like.
Then, for each trained model, inputting each sample data into the model, so as to respectively extract the feature data of each sample data through the model, thereby obtaining each feature data. Wherein, the model structure of each model is different, and the trained model may include: BERT model, GPT, fine-ranking model, etc.
Finally, the feature data extracted by each model is randomly divided into two data sets, wherein one data set is used as each sample feature of the input prediction model to be trained, and the other data set is used as each verification feature of the verification prediction model.
When the prediction model to be trained is trained, the characteristics of each sample are obtained first. Each sample feature may refer to feature data extracted by a model of a different model structure.
And inputting the sample characteristics into a prediction model to be trained aiming at each sample characteristic, so as to predict and extract a model structure corresponding to the model of the sample characteristics through the prediction model to be trained, and taking the model structure as a model structure to be verified corresponding to the sample characteristics.
And training the prediction model by using the minimization of the difference between the predicted model structure to be verified corresponding to the sample characteristics and the real model structure corresponding to the model from which the sample characteristics are extracted as an optimization target.
After training of the prediction model is completed, the prediction effect of the prediction model needs to be verified.
Each verification feature is obtained first. Wherein each verification feature is feature data extracted by models of different model structures. Then, for each verification feature, inputting the verification feature into the trained prediction model, so as to predict and extract a model structure corresponding to the model of the verification feature through the trained prediction model, and taking the model structure as the model structure corresponding to the verification feature. And finally, determining the prediction accuracy of the prediction model according to the model structure corresponding to each verification feature, and verifying the prediction model according to the prediction accuracy. And if the prediction accuracy is greater than the threshold value, determining that the prediction model passes verification.
The formula of the prediction accuracy is as follows: the model structure predicts the number of correct verification features/the number of all verification features.
In the embodiment, the reliability of the model structure of the prediction model prediction target model is judged by determining the prediction accuracy of the trained prediction model. The higher the prediction accuracy is, the higher the reliability of the model structure of the predicted target model is.
Based on the above description of the method for adjusting the model determined by the first model evaluation manner and the second model evaluation manner, the security of the target model may be evaluated in combination with the first model evaluation manner and the second model evaluation manner.
Fig. 3 is a schematic flowchart of a method for adjusting a model provided in this specification, and fig. 3 is a method for adjusting a model determined by a first model evaluation method and/or a second model evaluation method, including:
s300: and acquiring a target model.
S302: and aiming at each preset model evaluation mode, determining the safety parameters of the target model in the model evaluation mode.
S304: adjusting the target model according to the safety parameters of the target model under each model evaluation mode, wherein the model evaluation mode comprises the following steps: a first model evaluation mode and a second model evaluation mode.
In this illustrative embodiment, after the target model and the input data of the input target model are acquired, the input data may be input into the target model for each model evaluation mode, and the input data may be processed by the target model to obtain the processing results required by the model evaluation. And determining the safety parameters of the target model under the model evaluation mode according to each processing result required under the model evaluation.
And aiming at the first model evaluation mode, each processing result required in the first model evaluation mode is an output result output by the target model. And aiming at the second model evaluation mode, each processing result required in the second model evaluation mode is the feature data of each input data extracted by the target model. In this illustrative embodiment, the security of the target model may be evaluated in a first model evaluation manner and/or a second model evaluation manner.
It should be noted that the method for determining the security parameter of the target model in the first model evaluation mode is the same as the method for determining the security parameter of the target model in the first model evaluation mode in fig. 1, and details are not repeated here. Similarly, the method for determining the security parameter of the target model in the second model evaluation mode is the same as the method for determining the security parameter of the target model in the second model evaluation mode in fig. 2, and is not repeated here.
And finally, adjusting the target model according to the safety parameters of the target model under each model evaluation mode.
And if the target model is determined to have safety risk according to the safety parameters of the target model in any model evaluation mode, adjusting the target model. That is, any one of the first model evaluation mode and the second model evaluation mode is adopted to determine that the target model has a safety risk and needs to be adjusted.
As can be seen from the methods shown in fig. 1, 2, and 3, the present specification may adopt a first model evaluation manner, input each input data into the target model, obtain each output result of the target model in the first model evaluation manner, and determine the security parameter of the target model in the first model evaluation manner according to the output result including the private data. The characteristic data of the input data can be extracted through the target model by adopting a second model evaluation mode, the characteristic data is input into the prediction model to obtain a prediction result, and the safety parameters of the target model under the second model evaluation mode are determined according to the prediction result. And adjusting the target model according to the safety parameters of the target model in at least one model evaluation mode. In the method, the safety of the target model is evaluated based on different model evaluation modes, if the safety risk of the target model is determined according to the safety parameters of the target model in any one model evaluation mode, the target model is adjusted, and therefore the risk that the output of the target model contains privacy data can be reduced, and the safety of the model is improved.
Based on the same idea, the present specification further provides a corresponding apparatus, a storage medium, and an electronic device.
Fig. 4 is a schematic structural diagram of an apparatus for adjusting a model according to an embodiment of the present disclosure, where the apparatus includes:
an obtaining module 401, configured to obtain a target model;
a determining module 402, configured to determine a safety parameter of the target model by using a preset first model evaluation manner, and adjust the target model according to the safety parameter;
the determining module 402 is specifically configured to input each input data into the target model to obtain each output result; and determining the security parameters according to the output result containing the privacy data.
Optionally, the determining module 402 is specifically configured to determine a ratio of output results including the private data to all output results; and determining the safety parameters according to the ratio.
Fig. 5 is a schematic structural diagram of an apparatus for adjusting a model according to an embodiment of the present disclosure, where the apparatus includes:
an obtaining module 501, configured to obtain a target model;
a determining module 502, configured to determine a safety parameter of the target model by using a preset second model evaluation manner, and adjust the target model according to the safety parameter;
the determining module 502 is specifically configured to input data into the target model to obtain feature data extracted from the input data by the target model; inputting the characteristic data into a pre-trained prediction model, so as to predict the model structure of the target model through the prediction model and obtain a prediction result; and determining the safety parameters according to the prediction result.
Optionally, the determining module 502 is specifically configured to determine, according to the prediction probability that the target model belongs to each model structure included in the prediction result, a probability deviation between probabilities that the target model belongs to different model structures; and determining the safety parameters of the target model according to the probability deviation.
Optionally, the apparatus further comprises: a training module 503;
the training module 503 is configured to obtain each sample feature in advance; each sample characteristic refers to characteristic data extracted by models with different model structures; inputting the sample characteristics into a prediction model to be trained aiming at each sample characteristic, so as to predict and extract a model structure corresponding to the model of the sample characteristics through the prediction model to be trained, and taking the model structure as a model structure to be verified corresponding to the sample characteristics; and training the prediction model by using the minimization of the difference between the predicted model structure to be verified corresponding to the sample characteristics and the real model structure corresponding to the model from which the sample characteristics are extracted as an optimization target.
The training module 503 is further configured to obtain each verification feature; each verification feature is feature data extracted through models with different model structures; inputting the verification characteristics into the trained prediction model aiming at each verification characteristic, so as to predict and extract a model structure corresponding to the model of the verification characteristics through the trained prediction model as the model structure corresponding to the verification characteristics; and determining the prediction accuracy of the prediction model according to the model structure corresponding to each verification feature, and verifying the prediction model according to the prediction accuracy.
Fig. 6 is a schematic structural diagram of an apparatus for adjusting a model according to an embodiment of the present disclosure, where the apparatus includes:
an obtaining module 601, configured to obtain a target model;
a determining module 602, configured to determine, for each preset model evaluation manner, a safety parameter of the target model in the model evaluation manner;
an adjusting module 603, configured to adjust the target model according to the safety parameters of the target model in each model evaluation manner, where the model evaluation manner includes: a first model evaluation mode and a second model evaluation mode.
Optionally, the adjusting module 603 is specifically configured to adjust the target model if it is determined that the target model has a security risk according to the security parameters of the target model in any model evaluation manner.
The present specification also provides a computer readable storage medium storing a computer program which, when executed by a processor, is operable to perform the method of adapting a model provided in fig. 1, 2, 3.
Based on the method for adjusting the model shown in fig. 1, 2, and 3, the embodiment of the present specification further provides a schematic structural diagram of the unmanned device shown in fig. 7. As shown in fig. 7, at the hardware level, the drone includes a processor, an internal bus, a network interface, a memory, and a non-volatile memory, although it may also include hardware required for other services. The processor reads the corresponding computer program from the non-volatile memory into the memory and then runs the computer program to implement the method for adjusting the model shown in fig. 1, 2 and 3.
Of course, besides the software implementation, the present specification does not exclude other implementations, such as logic devices or a combination of software and hardware, and the like, that is, the execution subject of the following processing flow is not limited to each logic unit, and may be hardware or logic devices.
In the 90 s of the 20 th century, improvements in a technology could clearly distinguish between improvements in hardware (e.g., improvements in circuit structures such as diodes, transistors, switches, etc.) and improvements in software (improvements in process flow). However, as technology advances, many of today's process flow improvements have been seen as direct improvements in hardware circuit architecture. Designers almost always obtain the corresponding hardware circuit structure by programming an improved method flow into the hardware circuit. Thus, it cannot be said that an improvement in the process flow cannot be realized by hardware physical modules. For example, a Programmable Logic Device (PLD), such as a Field Programmable Gate Array (FPGA), is an integrated circuit whose Logic functions are determined by programming the Device by a user. A digital system is "integrated" on a PLD by the designer's own programming without requiring the chip manufacturer to design and fabricate application-specific integrated circuit chips. Furthermore, nowadays, instead of manually manufacturing an Integrated Circuit chip, such Programming is often implemented by "logic compiler" software, which is similar to a software compiler used in program development and writing, but the original code before compiling is also written by a specific Programming Language, which is called Hardware Description Language (HDL), and HDL is not only one but many, such as ABEL (Advanced Boolean Expression Language), AHDL (alternate Hardware Description Language), traffic, CUPL (core universal Programming Language), HDCal, jhddl (Java Hardware Description Language), lava, lola, HDL, PALASM, rhyd (Hardware Description Language), and vhigh-Language (Hardware Description Language), which is currently used in most popular applications. It will also be apparent to those skilled in the art that hardware circuitry that implements the logical method flows can be readily obtained by merely slightly programming the method flows into an integrated circuit using the hardware description languages described above.
The controller may be implemented in any suitable manner, for example, the controller may take the form of, for example, a microprocessor or processor and a computer-readable medium storing computer-readable program code (e.g., software or firmware) executable by the (micro) processor, logic gates, switches, an Application Specific Integrated Circuit (ASIC), a programmable logic controller, and an embedded microcontroller, examples of which include, but are not limited to, the following microcontrollers: ARC625D, atmel AT91SAM, microchip PIC18F26K20, and Silicone Labs C8051F320, the memory controller may also be implemented as part of the control logic for the memory. Those skilled in the art will also appreciate that, in addition to implementing the controller in purely computer readable program code means, the same functionality can be implemented by logically programming method steps such that the controller is in the form of logic gates, switches, application specific integrated circuits, programmable logic controllers, embedded microcontrollers and the like. Such a controller may thus be considered a hardware component, and the means included therein for performing the various functions may also be considered as a structure within the hardware component. Or even means for performing the functions may be conceived to be both a software module implementing the method and a structure within a hardware component.
The systems, devices, modules or units illustrated in the above embodiments may be implemented by a computer chip or an entity, or by a product with certain functions. One typical implementation device is a computer. In particular, the computer may be, for example, a personal computer, a laptop computer, a cellular telephone, a camera phone, a smartphone, a personal digital assistant, a media player, a navigation device, an email device, a game console, a tablet computer, a wearable device, or a combination of any of these devices.
For convenience of description, the above devices are described as being divided into various units by function, respectively. Of course, the functions of the various elements may be implemented in the same one or more software and/or hardware implementations of the present description.
As will be appreciated by one skilled in the art, embodiments of the present description may be provided as a method, system, or computer program product. Accordingly, the description may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the description may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The description has been described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the description. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include forms of volatile memory in a computer readable medium, random Access Memory (RAM) and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement the information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), static Random Access Memory (SRAM), dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), read Only Memory (ROM), electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), digital Versatile Disks (DVD) or other optical storage, magnetic cassettes, magnetic tape magnetic disk storage or other magnetic storage devices, or any other non-transmission medium, which can be used to store information that can be accessed by a computing device. As defined herein, a computer readable medium does not include a transitory computer readable medium such as a modulated data signal and a carrier wave.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a … …" does not exclude the presence of another identical element in a process, method, article, or apparatus that comprises the element.
As will be appreciated by one skilled in the art, embodiments of the present description may be provided as a method, system, or computer program product. Accordingly, the description may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the description may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
This description may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. The specification may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices.
The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, as for the system embodiment, since it is substantially similar to the method embodiment, the description is relatively simple, and reference may be made to the partial description of the method embodiment for relevant points.
The above description is only an example of the present specification, and is not intended to limit the present specification. Various modifications and alterations to this description will become apparent to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present specification should be included in the scope of the claims of the present specification.

Claims (13)

1. A method of tuning a model, the method comprising:
acquiring a target model;
determining safety parameters of the target model by adopting a preset first model evaluation mode, and adjusting the target model according to the safety parameters; wherein
The first model evaluation mode is executed by the following steps:
inputting each input data into the target model to obtain each output result;
and determining the security parameters according to the output result containing the privacy data.
2. The method according to claim 1, wherein determining the security parameter according to the output result including the private data specifically comprises:
determining the proportion of the output results containing the privacy data in all the output results;
and determining the safety parameters according to the ratio.
3. A method of tuning a model, the method comprising:
obtaining a target model;
determining safety parameters of the target model by adopting a preset second model evaluation mode, and adjusting the target model according to the safety parameters; wherein
The second model evaluation mode is performed by the following steps:
inputting input data into the target model to obtain characteristic data extracted from the input data by the target model;
inputting the characteristic data into a pre-trained prediction model to predict the model structure of the target model through the prediction model to obtain a prediction result;
and determining the safety parameters according to the prediction result.
4. The method according to claim 3, wherein determining the safety parameter according to the prediction result specifically comprises:
determining the probability deviation between the probabilities that the target model belongs to different model structures according to the prediction probability that the target model belongs to each model structure contained in the prediction result;
and determining the safety parameters of the target model according to the probability deviation.
5. The method of claim 3, wherein pre-training the predictive model specifically comprises:
obtaining characteristics of each sample in advance; each sample characteristic refers to characteristic data extracted by models with different model structures;
inputting the sample characteristics into a prediction model to be trained aiming at each sample characteristic, so as to predict and extract a model structure corresponding to the model of the sample characteristics through the prediction model to be trained, and taking the model structure as a model structure to be verified corresponding to the sample characteristics;
and training the prediction model by using the minimization of the difference between the predicted model structure to be verified corresponding to the sample characteristics and the real model structure corresponding to the model from which the sample characteristics are extracted as an optimization target.
6. The method of claim 5, further comprising:
obtaining each verification characteristic; each verification feature is feature data extracted through models with different model structures;
inputting the verification features into the trained prediction model aiming at each verification feature, and predicting and extracting a model structure corresponding to the model of the verification features through the trained prediction model to serve as the model structure corresponding to the verification features;
and determining the prediction accuracy of the prediction model according to the model structure corresponding to each verification feature, and verifying the prediction model according to the prediction accuracy.
7. A method of tuning a model, the method comprising:
obtaining a target model;
aiming at each preset model evaluation mode, determining the safety parameters of the target model in the model evaluation mode;
adjusting the target model according to the safety parameters of the target model under each model evaluation mode, wherein the model evaluation mode comprises the following steps: the first model evaluation method according to any one of claims 1 to 2 and the second model evaluation method according to any one of claims 3 to 6.
8. The method according to claim 7, wherein the adjusting the target model according to the safety parameters of the target model in each model evaluation mode comprises:
and if the target model is determined to have safety risk according to the safety parameters of the target model in any model evaluation mode, adjusting the target model.
9. An apparatus for adjusting a model, comprising:
the acquisition module is used for acquiring a target model;
the determining module is used for determining the safety parameters of the target model by adopting a preset first model evaluation mode and adjusting the target model according to the safety parameters; wherein
The determining module is used for inputting all input data into the target model to obtain all output results; and determining the security parameters according to the output result containing the privacy data.
10. An apparatus for adjusting a model, comprising:
an acquisition module for acquiring a target model;
the determining module is used for determining the safety parameters of the target model by adopting a preset second model evaluation mode and adjusting the target model according to the safety parameters; wherein
The determining module is used for inputting input data into the target model to obtain characteristic data extracted from the input data by the target model; inputting the characteristic data into a pre-trained prediction model, so as to predict the model structure of the target model through the prediction model and obtain a prediction result; and determining the safety parameters according to the prediction result.
11. An apparatus for adjusting a model, comprising:
an acquisition module for acquiring a target model;
the determining module is used for determining the safety parameters of the target model in each preset model evaluation mode;
an adjusting module, configured to adjust the target model according to the security parameters of the target model in each model evaluation manner, where the model evaluation manner includes: the first model evaluation method according to any one of claims 1 to 2 and the second model evaluation method according to any one of claims 3 to 6.
12. A computer-readable storage medium, in which a computer program is stored which, when being executed by a processor, carries out the method of any one of the preceding claims 1 to 8.
13. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the method of any of the preceding claims 1-8 when executing the program.
CN202211090778.7A 2022-09-07 2022-09-07 Method and device for adjusting model, storage medium and electronic equipment Pending CN115495776A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211090778.7A CN115495776A (en) 2022-09-07 2022-09-07 Method and device for adjusting model, storage medium and electronic equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211090778.7A CN115495776A (en) 2022-09-07 2022-09-07 Method and device for adjusting model, storage medium and electronic equipment

Publications (1)

Publication Number Publication Date
CN115495776A true CN115495776A (en) 2022-12-20

Family

ID=84468069

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211090778.7A Pending CN115495776A (en) 2022-09-07 2022-09-07 Method and device for adjusting model, storage medium and electronic equipment

Country Status (1)

Country Link
CN (1) CN115495776A (en)

Similar Documents

Publication Publication Date Title
CN107808098B (en) Model safety detection method and device and electronic equipment
CN112200132B (en) Data processing method, device and equipment based on privacy protection
CN111159697B (en) Key detection method and device and electronic equipment
CN109214193B (en) Data encryption and machine learning model training method and device and electronic equipment
CN115545002B (en) Model training and business processing method, device, storage medium and equipment
CN109299276B (en) Method and device for converting text into word embedding and text classification
CN115600090A (en) Ownership verification method and device for model, storage medium and electronic equipment
CN117540825A (en) Method and device for constructing pre-training model based on reinforcement learning and electronic equipment
CN117828360A (en) Model training method, model training device, model code generating device, storage medium and storage medium
CN114861665B (en) Method and device for training reinforcement learning model and determining data relation
CN110532755B (en) Computer-implemented risk identification method and device
CN116049761A (en) Data processing method, device and equipment
CN115712866A (en) Data processing method, device and equipment
CN113220801B (en) Structured data classification method, device, equipment and medium
CN118982075A (en) A method, device and equipment for enhancing large model reasoning based on knowledge graph
CN117787443A (en) Wind control method, device, equipment and readable storage medium
CN115221523B (en) Data processing method, device and equipment
CN115495776A (en) Method and device for adjusting model, storage medium and electronic equipment
CN115204395A (en) Data processing method, device and equipment
CN115688130B (en) Data processing method, device and equipment
CN111711618A (en) Risk address identification method, device, equipment and storage medium
CN117972436B (en) Training method and training device for large language model, storage medium and electronic equipment
CN110929871A (en) Game decision method and system
CN115423485B (en) Data processing method, device and equipment
CN109242478B (en) Password red packet creating method and device

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination