CN111737743A - Deep learning differential privacy protection method - Google Patents
Deep learning differential privacy protection method
- Publication number
- CN111737743A (application CN202010572297.4A)
- Authority
- CN
- China
- Prior art keywords
- privacy
- differential privacy
- privacy protection
- acc
- gradient
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000000034 method Methods 0.000 title claims abstract description 49
- 238000013135 deep learning Methods 0.000 title claims abstract description 34
- 238000012545 processing Methods 0.000 claims abstract description 13
- 238000012549 training Methods 0.000 claims description 19
- 238000004364 calculation method Methods 0.000 claims description 7
- 238000009826 distribution Methods 0.000 claims description 7
- 238000013527 convolutional neural network Methods 0.000 claims description 6
- 238000005457 optimization Methods 0.000 claims description 6
- 230000006870 function Effects 0.000 claims description 5
- 238000005520 cutting process Methods 0.000 claims description 4
- 238000011156 evaluation Methods 0.000 claims description 4
- 230000035945 sensitivity Effects 0.000 claims description 4
- 238000011478 gradient descent method Methods 0.000 claims description 3
- 230000000007 visual effect Effects 0.000 claims description 3
- 230000001737 promoting effect Effects 0.000 abstract description 2
- 230000000694 effects Effects 0.000 description 11
- 238000005516 engineering process Methods 0.000 description 8
- 238000012360 testing method Methods 0.000 description 3
- 238000004458 analytical method Methods 0.000 description 2
- 238000013136 deep learning model Methods 0.000 description 2
- 238000010586 diagram Methods 0.000 description 2
- 238000002474 experimental method Methods 0.000 description 2
- 238000011160 research Methods 0.000 description 2
- 230000003044 adaptive effect Effects 0.000 description 1
- 230000009286 beneficial effect Effects 0.000 description 1
- 230000015556 catabolic process Effects 0.000 description 1
- 230000007547 defect Effects 0.000 description 1
- 230000007812 deficiency Effects 0.000 description 1
- 238000006731 degradation reaction Methods 0.000 description 1
- 238000013461 design Methods 0.000 description 1
- 230000008034 disappearance Effects 0.000 description 1
- 238000004519 manufacturing process Methods 0.000 description 1
- 238000010606 normalization Methods 0.000 description 1
- 238000004451 qualitative analysis Methods 0.000 description 1
- 238000011158 quantitative evaluation Methods 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
- G06F21/6245—Protecting personal data, e.g. for financial or medical purposes
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F18/00—Pattern recognition
- G06F18/20—Analysing
- G06F18/24—Classification techniques
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/04—Architecture, e.g. interconnection topology
- G06N3/044—Recurrent networks, e.g. Hopfield networks
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/04—Architecture, e.g. interconnection topology
- G06N3/045—Combinations of networks
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/08—Learning methods
- G06N3/084—Backpropagation, e.g. using gradient descent
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- Data Mining & Analysis (AREA)
- General Health & Medical Sciences (AREA)
- Health & Medical Sciences (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Life Sciences & Earth Sciences (AREA)
- Artificial Intelligence (AREA)
- Software Systems (AREA)
- Evolutionary Computation (AREA)
- Biomedical Technology (AREA)
- Computing Systems (AREA)
- Mathematical Physics (AREA)
- Biophysics (AREA)
- Computational Linguistics (AREA)
- Molecular Biology (AREA)
- Bioethics (AREA)
- Bioinformatics & Computational Biology (AREA)
- Evolutionary Biology (AREA)
- Computer Vision & Pattern Recognition (AREA)
- Bioinformatics & Cheminformatics (AREA)
- Medical Informatics (AREA)
- Databases & Information Systems (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Image Analysis (AREA)
Abstract
The invention discloses a deep learning differential privacy protection method, belonging to the technical field of information system security. The invention provides a novel deep learning differential privacy protection model: WGAN is adopted to generate image results from data that has undergone the model's privacy protection processing; the result closest to a real image is selected from the generated images; the similarity between the generated result and the original image is compared and a difference value is calculated for threshold comparison; and the privacy parameters in the model's gradient are adjusted through feedback under the constraint of the similarity threshold, thereby promoting, to a certain extent, the application of differential privacy in fields such as deep learning.
Description
Technical Field
The invention belongs to the technical field of information system security, and particularly relates to a deep learning differential privacy protection method.
Background
Existing privacy protection methods for common data sets, such as anonymizing data with k-anonymity, struggle to provide strict privacy guarantees. Differential privacy (DP), a novel and highly advantageous privacy protection technology, is a data-distortion-based privacy protection method designed against attackers with strong background knowledge: by adding noise, it ensures that inserting or deleting any single record in a data set does not influence the query output, thereby protecting data privacy. The technique is built on a rigorous mathematical foundation and provides a quantitative evaluation method, making it one of the most effective and widely applicable approaches in current privacy protection technology. Many researchers have extended differential privacy, various algorithmic models continue to emerge, and the technology plays an important role in daily life, industry, production, medical treatment, and other fields.
As one class of deep learning models, Generative Adversarial Networks (GAN) can generate image results very close to the original images, to the point of being indistinguishable from real ones. However, the conventional GAN suffers from unstable training, mode collapse, vanishing gradients, and similar problems, so the actual training process often struggles to produce the desired images. The proposal of the Wasserstein GAN (WGAN) solved these problems well: WGAN replaces the asymmetric JS divergence used by the traditional GAN with the smooth and symmetric Wasserstein distance, and its training shows strong stability and high image generation quality. Therefore, from the viewpoint of training stability and image generation quality, generating deep learning image data sets with WGAN is becoming an important subject in fields such as image processing and computer vision.
The architecture of a deep learning differential privacy protection algorithm adjusted by a WGAN-based feedback method usually involves many parameters, and the setting of these parameters is generally considered the key factor in balancing the privacy protection degree against data availability. However, common privacy-parameter grouping methods are often driven solely by the user's own requirements and do not quantitatively analyze the privacy protection degree of the model, which hinders the balance between the privacy protection degree and data availability.
Through searching, an application with application number 201811540698.0, filed on December 17, 2018, and entitled "A combined deep learning training method based on privacy protection technology" was found. In that application, a Homomorphic Encryption (HE) method is used to send encrypted data to a cloud server, and the user obtains the data by decrypting the ciphertext. However, homomorphic encryption only supports addition and multiplication and is difficult to adapt to the complex computation requirements of deep learning; moreover, its operation consumes a large amount of computing resources, which may degrade the performance of the deep learning network.
As another example, an application with application number 201710611972.8, filed on July 25, 2017, and entitled "A deep differential privacy protection method based on a generative adversarial network" applies the concept of the Deep Convolutional Generative Adversarial Network (DCGAN) to privacy protection of deep learning image data sets. However, the DCGAN used in that method still lacks training stability: as the number of training iterations increases, some parameters (such as the filters) oscillate because of mode collapse, and the DCGAN generative model is limited by batch normalization. In addition, that method's grouping of the privacy parameters mainly depends on the user's individual requirements, and no analysis of privacy-loss minimization is performed on the feedback-adjusted privacy parameter settings.
Based on the above analysis, there is a need in the art for a deep learning data set privacy protection method that can better balance the privacy protection degree and the data availability.
Disclosure of Invention
1. Technical problem to be solved by the invention
The invention aims to overcome the difficulty of balancing the privacy protection degree and data availability when privacy protection is applied to deep learning data sets, and provides a deep learning differential privacy protection method. The invention provides a novel deep learning differential privacy protection model: WGAN is adopted to generate image results from data processed by the model's privacy protection; the result closest to a real image is selected from the generated images; the similarity between the generated result and the original image is compared and a difference value is calculated for threshold comparison; and the privacy parameters in the model's gradient are adjusted through feedback under the constraint of the similarity threshold, thereby promoting, to a certain extent, the application of differential privacy in fields such as deep learning.
2. Technical scheme
In order to achieve the purpose, the technical scheme provided by the invention is as follows:
the invention discloses a deep learning differential privacy protection method, which comprises the following steps:
step 1, constructing a deep learning network that introduces a differential privacy mechanism;
step 2, adding Gaussian noise to the gradient in the parameter optimization stage of the deep learning network, in accordance with differential privacy theory;
step 3, calculating the privacy loss of step 2 using the composability property of differential privacy;
step 4, generating, with the WGAN generative model, images from the data processed by the differential privacy parameters, and likewise generating images from the raw, unprocessed data;
step 5, selecting an optimal image result from the images generated after differential-privacy-parameter processing, comparing it against the image generated from the original data, and calculating the similarity difference;
and step 6, under the limit of the similarity threshold, adjusting the related privacy parameters of the model through feedback so that the privacy loss of step 3 reaches its minimum value, realizing the balance between privacy protection and data availability.
Furthermore, a convolutional neural network with two convolutional layers and three fully-connected layers is established in step 1, and the introduced differential privacy is (ε, δ)-differential privacy, as shown in formula (1):
Pr[M(D) ∈ S_M] ≤ e^ε × Pr[M(D′) ∈ S_M] + δ (1)
wherein M is a given random algorithm; D and D′ are neighbor datasets that differ by at most one record; S_M is the set of all possible outputs of the random algorithm M on the data sets D and D′; ε and δ represent the privacy budget and the privacy error value, respectively.
Furthermore, the process of adding Gaussian noise in the deep network parameter optimization stage of step 2 is as follows:
from the training data set X = {x_1, x_2, ..., x_n}, a small batch of training data of size m is randomly selected as input, and the gradient value corresponding to each training example is calculated; the L_2 norm of each gradient is clipped within the threshold C and the average is taken, obtaining a new gradient value; Gaussian noise V ~ N(0, σ²) is then added to the new gradient value to output the perturbed gradient, σ being the noise-addition scale; finally, following the gradient descent method, one step is taken in the direction opposite to the new gradient and the gradient parameter θ_t is updated.
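The noisy-gradient step above can be sketched in a few lines of numpy. This is an illustrative sketch under stated assumptions (the function name and interface are our own, not the patent's implementation):

```python
import numpy as np

def dp_sgd_step(per_sample_grads, clip_norm, sigma, lr, theta):
    """One differentially private gradient step: clip each per-sample
    gradient to L2 norm clip_norm, sum, add Gaussian noise
    N(0, (sigma*clip_norm)^2), average over the batch, then descend."""
    # Scale each gradient down only if its L2 norm exceeds the threshold.
    clipped = [g / max(1.0, np.linalg.norm(g) / clip_norm)
               for g in per_sample_grads]
    m = len(per_sample_grads)
    noisy_mean = (np.sum(clipped, axis=0)
                  + np.random.normal(0.0, sigma * clip_norm,
                                     size=theta.shape)) / m
    # Move one step in the opposite direction of the perturbed gradient.
    return theta - lr * noisy_mean
```

With `sigma=0` the step reduces to ordinary clipped mini-batch SGD, which makes the clipping behavior easy to check in isolation.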
Further, the calculation of the privacy loss in step 3 is represented by formula (2):
c(s; M, aux, D, D′) = ln( Pr[M(aux, D) = s] / Pr[M(aux, D′) = s] ) (2)
wherein M is a given random algorithm; D and D′ are two adjacent data sets; aux is the input auxiliary parameter; s represents the output and s ∈ R;
the added Gaussian noise has the Markov property, and combining it with the definition of differential privacy gives formula (3):
c(s) = ln( Pr[V] / Pr[V′] ) (3)
wherein the Gaussian noise values V and V′ added to the neighboring data sets D and D′ satisfy formula (4):
V′ = V + Dd (4)
wherein Dd is the differential privacy sensitivity;
finally, combining the characteristics of the Gaussian mechanism, V ~ N(0, σ²), the privacy loss in the process of adding Gaussian noise is obtained by simplifying formulas (2), (3) and (4) as formula (5):
c(s) = (2V·Dd + Dd²) / (2σ²) (5)
further, the loss function of WGAN in step 4 is shown in equation (6):
wherein, PdRepresenting the true data distribution, PgRepresenting a generated data distribution; when updating the weights, it is necessary to maintain the network parameters within a range that satisfies the Lipschitz condition.
Furthermore, the optimal selection among the generated images after privacy-parameter processing in step 5 mainly depends on classification accuracy and visual evaluation, and the similarity difference is calculated by subtracting the classification accuracy of the optimal selection from that of the image generated without any processing, as shown in formula (7):
C_acc = acc_r − acc_p (7)
wherein acc_r represents the classification accuracy of the image generated without any processing and acc_p represents the classification accuracy of the optimally selected generated image.
Furthermore, the similarity threshold C in step 6 is generally set to 10%; the C_acc obtained in step 5 is compared with the set threshold C. If C_acc is greater than C, a suitable generated image is selected again and step 5 is repeated until C_acc is less than C; when C_acc is less than C, the magnitude of the privacy loss is evaluated through step 3, and appropriate values of ε and δ are selected so that the privacy loss is minimized while the Gaussian-noise condition is satisfied, finally realizing the balance between the privacy protection degree and data availability.
3. Advantageous effects
Compared with the prior art, the technical scheme provided by the invention has the following remarkable effects:
(1) According to the deep learning differential privacy protection method, a deep learning model introducing the (ε, δ)-differential privacy mechanism is constructed, in which the degree of privacy protection is influenced by the privacy parameters ε, δ and σ. By setting multiple pairs of privacy-parameter groups and carrying out classification-accuracy experiments with single-parameter and multi-parameter variation, the most suitable privacy-parameter combination is selected, which effectively improves control over the model's privacy protection effect.
(2) According to the deep learning differential privacy protection method, the WGAN is used to generate both the privacy-parameter-processed images and the unprocessed images; the privacy parameters are adjusted through feedback in combination with the evaluation criteria of privacy loss and classification accuracy, finally yielding a suitable group of privacy parameters, so that a good privacy protection effect and high data availability can both be guaranteed. The WGAN resolves the problems of the traditional GAN well and shows better training stability and generated-image quality than other GAN derivative variants (such as DCGAN), which helps improve the usability of the generated results and the practical significance of the research.
(3) According to the deep learning differential privacy protection method, a method for quantitatively calculating the privacy loss is designed, by which one can verify whether the feedback-adjusted privacy-parameter setting drives the privacy loss to a smaller value through privacy-loss minimization, thereby obtaining a better privacy protection effect.
Drawings
FIG. 1 is a diagram of the overall architecture of the model of the present invention;
FIG. 2 is a flow chart of the WGAN-based privacy feedback portion of the invention;
FIG. 3 is a schematic diagram of a convolutional neural network model of the present invention.
Detailed Description
For a further understanding of the invention, reference should be made to the following detailed description taken in conjunction with the accompanying drawings and examples.
Example 1
With reference to fig. 1, a deep learning differential privacy protection method according to this embodiment includes the steps of:
Step 1, constructing a convolutional neural network with two convolutional layers and three fully-connected layers, introducing differential privacy theory in the parameter optimization of the network, and adding Gaussian noise satisfying the Gaussian mechanism; the specific process is as follows:
Initialization: a convolutional neural network with two convolutional layers and three fully-connected layers is established and its model parameters are initialized, as shown in fig. 3. The introduced (ε, δ)-differential privacy is shown in formula (1):
Pr[M(D) ∈ S_M] ≤ e^ε × Pr[M(D′) ∈ S_M] + δ (1)
wherein M is a given random algorithm; D and D′ are neighbor datasets that differ by at most one record; S_M is the set of all possible outputs of the random algorithm M on the data sets D and D′. The degree of privacy protection is governed by the privacy parameters: the privacy budget ε, the privacy disclosure error value δ, and the noise-addition scale σ of the Gaussian noise V ~ N(0, σ²) satisfying the Gaussian mechanism. Excessive noise reduces the usability of the data, while too little noise reduces the degree of privacy protection.
Step 2, Gaussian noise is added to the gradient in the parameter optimization stage of the deep learning network in accordance with differential privacy theory, and a privacy-parameter grouping method is set; the specific process is as follows:
From the training data set X = {x_1, x_2, ..., x_n}, a small batch (batch size m) of training data is randomly selected as input, and the gradient value corresponding to each training example (x_i ∈ m_t) is calculated; the L_2 norm of each gradient is clipped within the gradient-clipping threshold C and the average is taken, obtaining a new gradient value; Gaussian noise V ~ N(0, σ²) is then added to the new gradient value to output the perturbed gradient; finally, following the gradient descent method, one step is taken in the direction opposite to the new gradient and the gradient parameter θ_t is updated.
For the privacy parameters that influence the differential privacy protection effect, classification-accuracy experiments are carried out by varying a single parameter while fixing the other two. The ideal value range of ε obtained by analyzing the variation trend is [0.5, 1, 2, 4], that of σ is [2, 4, 6, 8], and that of δ is [1e-5, 1e-4, 1e-3, 1e-2]. Combining these values with each other then yields 64 privacy-parameter groups.
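For instance, the 64 parameter groups can be enumerated directly from the three candidate ranges above (the variable names here are illustrative, not from the patent):

```python
from itertools import product

eps_grid = [0.5, 1, 2, 4]              # privacy budget epsilon candidates
sigma_grid = [2, 4, 6, 8]              # Gaussian noise scale sigma candidates
delta_grid = [1e-5, 1e-4, 1e-3, 1e-2]  # privacy error delta candidates

# Cartesian product of the three ranges: 4 * 4 * 4 = 64 groups.
param_groups = list(product(eps_grid, sigma_grid, delta_grid))
print(len(param_groups))  # 64
```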
Step 3, calculating the privacy loss of step 2, exploiting the property that differential privacy admits quantitative evaluation of privacy protection; the specific process is as follows:
The privacy loss is treated as a random variable whose value directly reflects the privacy protection effect and depends mainly on the added Gaussian noise. Because the Gaussian noise V ~ N(0, σ²) has the Markov property, the privacy loss of the process can be tracked with the Moments Accountant (MA) calculation method; the privacy loss is calculated as in formula (2):
c(s; M, aux, D, D′) = ln( Pr[M(aux, D) = s] / Pr[M(aux, D′) = s] ) (2)
wherein M is a random algorithm; D and D′ are two adjacent data sets; aux is an input auxiliary parameter; s represents the output and s ∈ R.
To better quantify the privacy loss and analyze the influence of the privacy-parameter settings on it, combining the characteristics of Gaussian noise with the definition of differential privacy yields formula (3):
c(s) = ln( Pr[V] / Pr[V′] ) (3)
By the global sensitivity property of differential privacy, the Gaussian noise values V and V′ added to the adjacent data sets D and D′ satisfy formula (4):
V′ = V + Dd (4)
where Dd is the differential privacy sensitivity.
In the Gaussian mechanism, the Gaussian noise V ~ N(0, σ²) satisfies σ ≥ cΔf/ε with c² > 2 ln(1.25/δ); simplifying formulas (2), (3) and (4), the privacy loss in the process of adding Gaussian noise is obtained as formula (5):
c(s) = (2V·Dd + Dd²) / (2σ²) (5)
step 6 setting of privacy parameters for feedback adjustment requires minimizing the value of equation (5) as much as possible and needs to be satisfiedTo obtain a better privacy protection effect.
Step 4, using the WGAN generative model to generate images from the data processed by the differential privacy parameters of step 2, and likewise generating images from the raw, unprocessed data, then calculating the classification accuracy; the specific process is as follows:
First, the WGAN class is built and its basic information is defined: the size of the input picture (28, 28, 1); the input latent-code dimension (100); the generator and discriminator functions; and the loss function of the WGAN. Then the generator and discriminator are set up and the weight-clipping value (0.01) is set. Finally, the parameters of the generator are optimized (with the RMSProp method). During training, the WGAN is used to train generative models under different privacy-parameter settings and produce image results; the resulting images train a classifier, whose classification accuracy is measured on the test set. A classifier is likewise trained on the images generated by the WGAN without any privacy protection, and its classification accuracy on the test set is measured. The loss function of WGAN is shown in formula (6):
min_G max_{f: ||f||_L ≤ 1} E_{x~P_d}[f(x)] − E_{x~P_g}[f(x)] (6)
wherein P_d represents the true data distribution and P_g represents the generated data distribution; when updating the weights, the network parameters must be kept within a range that satisfies the Lipschitz condition.
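A minimal numpy sketch of the two WGAN-specific ingredients used here, the Wasserstein critic objective and the weight clipping that crudely enforces the Lipschitz condition (the 0.01 clipping value matches the one stated above; function names are illustrative):

```python
import numpy as np

def clip_weights(weights, c=0.01):
    """WGAN weight clipping: keep every critic parameter in [-c, c]
    after each update, as a crude Lipschitz constraint."""
    return [np.clip(w, -c, c) for w in weights]

def critic_wasserstein_loss(scores_real, scores_fake):
    """The critic maximizes E[f(x_real)] - E[f(x_fake)]; written as a
    loss to minimize, that objective is negated."""
    return -(np.mean(scores_real) - np.mean(scores_fake))
```

In a full training loop, `clip_weights` would be applied to the critic's parameter list after every optimizer step (RMSProp, per the setup above), while the generator minimizes `-E[f(x_fake)]`.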
The invention uses WGAN, an excellent derivative variant of GAN, to generate both the privacy-parameter-processed images and the unprocessed images, which well avoids the traditional GAN's problems of unstable training, mode collapse, and so on. The WGAN generative model is continuously trained toward the real data distribution; the closer the accuracy of the generated result is to the real result, the better the data availability. Combined with the privacy-loss calculation and analysis of step 3, the objective of the invention is to ensure a good privacy protection effect while retaining high data availability.
Step 5, selecting an optimal image result from the images generated after differential-privacy-parameter processing, comparing it against the image generated from the original data, and calculating the similarity difference; the specific process is as follows:
The most suitable generated image result is selected according to test accuracy and visual evaluation, and the difference between its accuracy and that of the image generated without privacy protection is calculated and regarded as the similarity difference, as shown in formula (7):
C_acc = acc_r − acc_p (7)
wherein acc_r represents the classification accuracy of the image generated without any processing and acc_p represents the classification accuracy of the optimally selected generated image.
Step 6, under the limit of the similarity threshold, the related privacy parameters of the model are adjusted through feedback, as shown in fig. 2, so that the privacy loss of step 3 reaches its minimum value and the balance between the privacy protection degree and data availability is realized; the specific process is as follows:
The C_acc obtained in step 5 is compared with the set similarity threshold C (10%). If C_acc is greater than C, a suitable generated image is selected again and step 5 is repeated until C_acc is less than C; when C_acc is less than C, the magnitude of the privacy loss is evaluated through step 3, finally realizing the balance between the privacy protection degree and data availability.
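The feedback selection described in this step can be sketched as a small search routine; the dictionary layout and the function name are our own assumptions, not the patent's code:

```python
def feedback_adjust(candidates, acc_r, threshold=0.10):
    """Keep the candidate parameter settings whose similarity gap
    C_acc = acc_r - acc_p stays below the threshold, then return the
    feasible one with the smallest estimated privacy loss."""
    feasible = [c for c in candidates if acc_r - c["acc_p"] < threshold]
    if not feasible:
        return None  # no candidate passes: regenerate images (back to step 5)
    return min(feasible, key=lambda c: c["loss"])
```

Each candidate would carry the accuracy `acc_p` of its generated images and the privacy loss estimated in step 3; returning `None` models the loop back to step 5.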
The present invention and its embodiments have been described above schematically and without limitation; what is shown in the drawings is only one embodiment of the invention, and the actual structure is not limited thereto. Therefore, structural modes and embodiments similar to this technical solution, designed by a person skilled in the art in light of this teaching without departing from the spirit of the invention, shall fall within the scope of protection of the invention.
Claims (7)
1. A deep learning differential privacy protection method, characterized by comprising the following steps:
step 1, constructing a deep learning network that introduces a differential privacy mechanism;
step 2, adding Gaussian noise to the gradient in the parameter optimization stage of the deep learning network, in accordance with differential privacy theory;
step 3, calculating the privacy loss of step 2 using the composability property of differential privacy;
step 4, generating, with the WGAN generative model, images from the data processed by the differential privacy parameters, and likewise generating images from the raw, unprocessed data;
step 5, selecting an optimal image result from the images generated after differential-privacy-parameter processing, comparing it against the image generated from the original data, and calculating the similarity difference;
and step 6, under the limit of the similarity threshold, adjusting the related privacy parameters of the model through feedback so that the privacy loss of step 3 reaches its minimum value, realizing the balance between privacy protection and data availability.
2. The deep-learning differential privacy protection method according to claim 1, wherein: in step 1, a convolutional neural network with two convolutional layers and three fully-connected layers is established, and the introduced differential privacy is (ε, δ)-differential privacy, as shown in formula (1):
Pr[M(D) ∈ S_M] ≤ e^ε × Pr[M(D′) ∈ S_M] + δ (1)
wherein M is a given random algorithm; D and D′ are neighbor datasets that differ by at most one record; S_M is the set of all possible outputs of the random algorithm M on the data sets D and D′; ε and δ represent the privacy budget and the privacy error value, respectively.
3. The deep-learning differential privacy protection method according to claim 2, wherein: the process of adding Gaussian noise in the deep network parameter optimization stage of step 2 is as follows:
from the training data set X = {x_1, x_2, ..., x_n}, a small batch of training data of size m is randomly selected as input, and the gradient value corresponding to each training example is calculated; the L_2 norm of each gradient is clipped within the threshold C and the average is taken, obtaining a new gradient value; Gaussian noise V ~ N(0, σ²) is then added to the new gradient value to output the perturbed gradient, σ being the noise-addition scale; finally, following the gradient descent method, one step is taken in the direction opposite to the new gradient and the gradient parameter θ_t is updated.
4. The deep-learning differential privacy protection method of claim 3, wherein: the privacy loss calculation in step 3 is represented by formula (2):
c(s; M, aux, D, D′) = ln( Pr[M(aux, D) = s] / Pr[M(aux, D′) = s] ) (2)
wherein M is a given random algorithm; D and D′ are two adjacent data sets; aux is the input auxiliary parameter; s represents the output and s ∈ R;
the added Gaussian noise has the Markov property, and combining it with the definition of differential privacy gives formula (3):
c(s) = ln( Pr[V] / Pr[V′] ) (3)
wherein the Gaussian noise values V and V′ added to the neighboring data sets D and D′ satisfy formula (4):
V′ = V + Dd (4)
wherein Dd is the differential privacy sensitivity;
finally, combining the characteristics of the Gaussian mechanism, V ~ N(0, σ²), the privacy loss in the process of adding Gaussian noise is obtained by simplifying formulas (2), (3) and (4) as formula (5):
c(s) = (2V·Dd + Dd²) / (2σ²) (5)
5. The deep-learning differential privacy protection method according to claim 4, wherein: the loss function of WGAN in step 4 is shown in formula (6):
min_G max_{f: ‖f‖_L ≤ 1} E_{x~Pd}[f(x)] − E_{x~Pg}[f(x)] (6)
wherein Pd represents the true data distribution and Pg represents the generated data distribution; when updating the weights, the network parameters must be kept within a range that satisfies the Lipschitz condition.
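A minimal sketch of the WGAN critic objective with weight clipping (the linear critic f_w, the 0.01 clipping constant, and the toy Gaussian distributions are illustrative assumptions, not taken from the patent):

```python
import numpy as np

def critic(x, w):
    """Toy linear critic f_w(x) = w . x, a stand-in for the WGAN critic."""
    return x @ w

def wgan_critic_loss(w, real, fake):
    # Critic maximises E_{Pd}[f_w(x)] - E_{Pg}[f_w(x)]; loss is the negative.
    return -(critic(real, w).mean() - critic(fake, w).mean())

def clip_weights(w, c=0.01):
    # Weight clipping keeps f_w (crudely) within a Lipschitz ball,
    # as in the original WGAN weight-constraint scheme.
    return np.clip(w, -c, c)

rng = np.random.default_rng(1)
real = rng.normal(2.0, 1.0, size=(64, 2))   # samples standing in for Pd
fake = rng.normal(0.0, 1.0, size=(64, 2))   # samples standing in for Pg
w = clip_weights(rng.normal(size=2))
print(wgan_critic_loss(w, real, fake))
```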
6. The deep-learning differential privacy protection method of claim 5, wherein: in step 5, the optimal selection of the generated image after privacy parameter processing depends mainly on the classification accuracy and on visual evaluation; the similarity difference is calculated by subtracting the classification accuracy of the optimally selected generated image from the classification accuracy of the generated image without any processing, as shown in formula (7):
C_acc = acc_r − acc_p (7)
wherein acc_r represents the classification accuracy of the generated image without any processing, and acc_p represents the classification accuracy of the optimally selected generated image.
7. The deep-learning differential privacy protection method of claim 6, wherein: the similarity threshold C in step 6 is generally set to 10%; the C_acc obtained in step 5 is compared with the set similarity threshold C; if the value of C_acc is greater than C, an appropriate generated image is selected again and step 5 is repeated until the value of C_acc is less than C; when the value of C_acc is less than C, the magnitude of the privacy loss is evaluated through step 3, and appropriate values of ε and δ are selected so that the privacy loss is minimized while the Gaussian noise condition is satisfied, finally achieving a balance between the degree of privacy protection and data availability.
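The feedback loop of claims 6 and 7 can be sketched as follows; the candidate list of (setting, acc_p) pairs and the setting labels are hypothetical:

```python
def select_generated_images(candidates, acc_r, C=0.10):
    """Sketch of the selection loop in claims 6-7: try candidate privacy
    settings until the accuracy gap C_acc = acc_r - acc_p falls below the
    similarity threshold C (10% by default).

    candidates: iterable of (label, acc_p) pairs -- hypothetical inputs.
    acc_r:      accuracy of the generated image without any processing.
    """
    for label, acc_p in candidates:
        c_acc = acc_r - acc_p          # formula (7)
        if c_acc < C:
            return label, c_acc        # acceptable utility; privacy loss is
                                       # evaluated next (step 3 of the method)
    return None, None                  # no candidate met the threshold

label, gap = select_generated_images(
    [("sigma=8", 0.62), ("sigma=4", 0.78), ("sigma=2", 0.87)], acc_r=0.91)
print(label, gap)
```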
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010572297.4A CN111737743A (en) | 2020-06-22 | 2020-06-22 | Deep learning differential privacy protection method |
Publications (1)
Publication Number | Publication Date |
---|---|
CN111737743A true CN111737743A (en) | 2020-10-02 |
Family
ID=72650251
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111737743A (en) |
Patent Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107368752A (en) * | 2017-07-25 | 2017-11-21 | 北京工商大学 | A kind of depth difference method for secret protection based on production confrontation network |
US20200082259A1 (en) * | 2018-09-10 | 2020-03-12 | International Business Machines Corporation | System for Measuring Information Leakage of Deep Learning Models |
Non-Patent Citations (1)
Title |
---|
Tao Tao et al.: "Deep learning differential privacy protection method based on WGAN feedback" (基于WGAN反馈的深度学习差分隐私保护方法), Electronic Technology & Software Engineering, vol. 2020, no. 02, pp. 244-245 * |
Cited By (18)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112307514A (en) * | 2020-11-26 | 2021-02-02 | 哈尔滨工程大学 | Difference privacy greedy grouping method adopting Wasserstein distance |
CN112307514B (en) * | 2020-11-26 | 2023-08-01 | 哈尔滨工程大学 | Differential privacy greedy grouping method adopting Wasserstein distance |
CN112487479A (en) * | 2020-12-10 | 2021-03-12 | 支付宝(杭州)信息技术有限公司 | Method for training privacy protection model, privacy protection method and device |
CN112487479B (en) * | 2020-12-10 | 2023-10-13 | 支付宝(杭州)信息技术有限公司 | Method for training privacy protection model, privacy protection method and device |
CN113254927B (en) * | 2021-05-28 | 2022-05-17 | 浙江工业大学 | Model processing method and device based on network defense and storage medium |
CN113254927A (en) * | 2021-05-28 | 2021-08-13 | 浙江工业大学 | Model processing method and device based on network defense and storage medium |
CN113434873A (en) * | 2021-06-01 | 2021-09-24 | 内蒙古大学 | Federal learning privacy protection method based on homomorphic encryption |
CN113282961A (en) * | 2021-07-22 | 2021-08-20 | 武汉中原电子信息有限公司 | Data desensitization method and system based on power grid data acquisition |
CN113642715A (en) * | 2021-08-31 | 2021-11-12 | 西安理工大学 | Differential privacy protection deep learning algorithm for self-adaptive distribution of dynamic privacy budget |
CN113869384A (en) * | 2021-09-17 | 2021-12-31 | 大连理工大学 | Privacy protection image classification method based on domain self-adaption |
CN113869384B (en) * | 2021-09-17 | 2024-05-10 | 大连理工大学 | Privacy protection image classification method based on field self-adaption |
WO2023109246A1 (en) * | 2021-12-17 | 2023-06-22 | 新智我来网络科技有限公司 | Method and apparatus for breakpoint privacy protection, and device and medium |
CN114638013A (en) * | 2022-02-15 | 2022-06-17 | 西安电子科技大学 | Method, system, medium and terminal for measuring and protecting image privacy information |
CN114882216A (en) * | 2022-04-18 | 2022-08-09 | 华南理工大学 | Garment button quality detection method, system and medium based on deep learning |
CN114882216B (en) * | 2022-04-18 | 2024-04-30 | 华南理工大学 | Garment button attaching quality detection method, system and medium based on deep learning |
CN117808694A (en) * | 2023-12-28 | 2024-04-02 | 中国人民解放军总医院第六医学中心 | Painless gastroscope image enhancement method and painless gastroscope image enhancement system under deep neural network |
CN117808694B (en) * | 2023-12-28 | 2024-05-24 | 中国人民解放军总医院第六医学中心 | Painless gastroscope image enhancement method and painless gastroscope image enhancement system under deep neural network |
CN117936011A (en) * | 2024-03-19 | 2024-04-26 | 泰山学院 | Intelligent medical service management system based on big data |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN111737743A (en) | Deep learning differential privacy protection method | |
Wu et al. | An adaptive federated learning scheme with differential privacy preserving | |
Lei et al. | GCN-GAN: A non-linear temporal link prediction model for weighted dynamic networks | |
CN110334742B (en) | Graph confrontation sample generation method based on reinforcement learning and used for document classification and adding false nodes | |
Prakash et al. | IoT device friendly and communication-efficient federated learning via joint model pruning and quantization | |
CN109165735B (en) | Method for generating sample picture based on generation of confrontation network and adaptive proportion | |
CN114841364B (en) | Federal learning method for meeting personalized local differential privacy requirements | |
Kang et al. | Privacy-preserving federated adversarial domain adaptation over feature groups for interpretability | |
Lam | High‐dimensional covariance matrix estimation | |
CN113642715B (en) | Differential privacy protection deep learning algorithm capable of adaptively distributing dynamic privacy budget | |
CN109949200B (en) | Filter subset selection and CNN-based steganalysis framework construction method | |
Ma et al. | RDP-GAN: A rényi-differential privacy based generative adversarial network | |
Unceta et al. | Copying machine learning classifiers | |
He et al. | Uniform-pac bounds for reinforcement learning with linear function approximation | |
CN117290721A (en) | Digital twin modeling method, device, equipment and medium | |
Knežević et al. | Neurosca: Evolving activation functions for side-channel analysis | |
US20210326757A1 (en) | Federated Learning with Only Positive Labels | |
Zhang et al. | Sequential outlier criterion for sparsification of online adaptive filtering | |
Wang et al. | Logit calibration for non-iid and long-tailed data in federated learning | |
CN114282650A (en) | Federal learning acceleration system and synchronous hidden and sparse convolution layer construction and learning method | |
Xin et al. | A compound decision approach to covariance matrix estimation | |
CN113744175A (en) | Image generation method and system for generating countermeasure network based on bidirectional constraint | |
Khorramshahi et al. | Gans with variational entropy regularizers: Applications in mitigating the mode-collapse issue | |
Yang et al. | Multi-distribution mixture generative adversarial networks for fitting diverse data sets | |
CN112488238A (en) | Hybrid anomaly detection method based on countermeasure self-encoder |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||