高级搜索

留言板

尊敬的读者、作者、审稿人, 关于本刊的投稿、审稿、编辑和出版的任何问题, 您可以本页添加留言。我们将尽快给您答复。谢谢您的支持!

姓名
邮箱
手机号码
标题
留言内容
验证码

一种面向深度神经网络的差分隐私保护算法

周治平 钱新宇

downloadPDF
文章导航 > 电子与信息学报  > 2022 >  44(5): 1773-1781
周治平, 钱新宇. 一种面向深度神经网络的差分隐私保护算法[J]. 电子与信息学报, 2022, 44(5): 1773-1781. doi: 10.11999/JEIT210276
引用本文: 周治平, 钱新宇. 一种面向深度神经网络的差分隐私保护算法[J]. 电子与信息学报, 2022, 44(5): 1773-1781. doi: 10.11999/JEIT210276
shu
ZHOU Zhiping, QIAN Xinyu. Differential Privacy Algorithm under Deep Neural Networks[J]. Journal of Electronics & Information Technology, 2022, 44(5): 1773-1781. doi: 10.11999/JEIT210276
Citation: ZHOU Zhiping, QIAN Xinyu. Differential Privacy Algorithm under Deep Neural Networks[J]. Journal of Electronics & Information Technology, 2022, 44(5): 1773-1781. doi: 10.11999/JEIT210276
shu

一种面向深度神经网络的差分隐私保护算法

doi: 10.11999/JEIT210276
  • 1.

    江南大学物联网工程学院 无锡 214122

  • 2.

    江南大学物联网技术应用教育部工程研究中心 无锡 214122

详细信息
    作者简介:

    周治平:男,1962年生,博士,教授,研究方向为检测技术与自动化装置、信息安全等

    钱新宇:男,1995年生,硕士生,研究方向为信息安全

    通讯作者:

    周治平 zzp@jiangnan.edu.cn

  • 中图分类号: TN918; TP309

Differential Privacy Algorithm under Deep Neural Networks

  • 1.

    School of Internet of Things Engineering, Jiangnan University, Wuxi 214122, China

  • 2.

    Engineering Research Center of Internet of Things Technology Applications of Ministry of Education, Jiangnan University, Wuxi 214122, China

    摘要
  • 摘要: 深度神经网络梯度下降过程中存在较大的梯度冗余,应用差分隐私机制抵御成员推理攻击时,会引入过量噪声。针对上述问题,该文利用Funk-SVD矩阵分解算法将梯度矩阵分解,分别在低维特征子空间矩阵和残差矩阵中添加噪声,利用梯度重构过程消除冗余梯度噪声。重新计算分解矩阵范数并结合平滑敏感度降低噪声规模。同时根据输入特征与输出相关性,将更多隐私预算分配给相关系数大的特征以提高训练精度。最后,根据分解矩阵范数均值提出一种自适应梯度剪裁算法以解决收敛缓慢的问题。算法利用时刻统计计算了在多种优化策略下的累计隐私损失。在标准数据集MNIST和CIFAR-10上验证了该文算法更有效地弥补了与非隐私模型之间的差距。
    Abstract: Gradient redundancy exists in the process of deep neural network gradient descent. When differential privacy mechanism is applied to resist member inference attack, excessive noise will be introduced. So, the gradient matrix is decomposed by Funk-SVD algorithm and noise is added to the low-dimensional eigen subspace matrix and residual matrix respectively. The redundant gradient noise is eliminated in the gradient reconstruction process. The decomposition matrix norm is recalculated and the smoothing sensitivity is combined to reduce the noise scale. At the same time, according to the correlation between input features and output features, more privacy budget is allocated to features with large correlation coefficients to improve the training accuracy. The noise scale is reduced by recalculating the decomposition matrix norm and the smoothing sensitivity. Moment accountant is used to calculate the cumulative privacy loss under multiple optimization strategies. The results show that Deep neural networks under differential privacy based on Funk-SVD (FSDP) can bridge the gap with the non-privacy model more effectively on MNIST and CIFAR-10.
    • HTML全文

  • 图  1  基于Funk-SVD分解的差分隐私算法

    下载: 全尺寸图片 幻灯片

    图  2  不同差分隐私条件下算法训练精度对比

    下载: 全尺寸图片 幻灯片

    表  1  自适应梯度剪裁算法

     输入: 当前批次样本的梯度$ {\boldsymbol{S}} = {\rm{\{ }}{\boldsymbol{g}}({{\boldsymbol{x}}_1}),{\boldsymbol{g}}({{\boldsymbol{x}}_2}),\cdots,{\boldsymbol{g}}({{\boldsymbol{x}}_L}){\rm{\} }} $, 噪声规模$ {\sigma _{\boldsymbol{V}}} $, $ {\sigma _{\boldsymbol{\varPhi }}} $.
     输出: 自适应剪裁阈值$ {C_{\boldsymbol{g}}} $, $ {C_{\boldsymbol{V}}} $, $ {C_{\boldsymbol{\varPhi }}} $.
     (1) $ {\boldsymbol{g}''}({{\boldsymbol{x}}_i}) \to \{ {\boldsymbol{g}}({{\boldsymbol{x}}_i}) \in {\boldsymbol{S}}|{\mu _{\boldsymbol{g}}} - 3{\sigma _{\boldsymbol{g}}} \le ||{\boldsymbol{g}}({{\boldsymbol{x}}_i})|{|_2} \le {\mu _{\boldsymbol{g}}} + 3{\sigma _{\boldsymbol{g}}}\} $//异常值剔除
     (2) $ {\boldsymbol{g}''}({{\boldsymbol{x}}_i}) \to {\boldsymbol{V}''}({{\boldsymbol{x}}_i}){\boldsymbol{H}''}({{\boldsymbol{x}}_i}) $, $ {\boldsymbol{\varPhi }''}({{\boldsymbol{x}}_i}) \to {\boldsymbol{g}''}({{\boldsymbol{x}}_i}) - {\boldsymbol{V}''}({{\boldsymbol{x}}_i}){\boldsymbol{H}''}({{\boldsymbol{x}}_i}) $//分解梯度矩阵,计算残差矩阵
     (3) ${C_{\boldsymbol{V} } } \to \dfrac{1}{ {|L'|} }\sum\limits_i^{} {(||{\boldsymbol{V}''}({ {\boldsymbol{x} }_i}) + N(0,\sigma _{\boldsymbol{V} }^2{\boldsymbol{I} })|{|_2} } )$, $ \overline {{\boldsymbol{V}''}} ({{\boldsymbol{x}}_i}) \to {\boldsymbol{V}''}({{\boldsymbol{x}}_i}) + N(0,\sigma _{\boldsymbol{V}}^2{\boldsymbol{I}}) $;
       ${C_{\boldsymbol{\varPhi } } } \to \dfrac{1}{ {|L'|} }\sum\limits_i^{} {(||{\boldsymbol{\varPhi }''}({ {\boldsymbol{x} }_i}) + N(0,\sigma _{\boldsymbol{\varPhi } }^2{\boldsymbol{I} }))|{|_2} }$, $ \overline {{\boldsymbol{\varPhi ''}}} ({{\boldsymbol{x}}_i}){\rm{ = }}{\boldsymbol{\varPhi }''}({{\boldsymbol{x}}_i}) + N(0,\sigma _{\boldsymbol{\varPhi }}^2{\boldsymbol{I}})) $//特征矩阵${\boldsymbol{V}}$和残差矩阵$ {\boldsymbol{\varPhi }} $对应剪裁阈值
     (4) $\overline {{\boldsymbol{g}''}} ({{\boldsymbol{x}}_i}) \to \overline {{\boldsymbol{V}''}} ({{\boldsymbol{x}}_i}){\boldsymbol{H}''}({{\boldsymbol{x}}_i}) + \overline {{\boldsymbol{\varPhi }''}} ({{\boldsymbol{x}}_i})$, $ {C_{\boldsymbol{g}}} \to \frac{1}{{|L'|}}\sum\limits_i^{} {||\overline {{\boldsymbol{g}''}} ({{\boldsymbol{x}}_i})|{|_2}} $//噪声梯度重建并计算梯度剪裁阈值
     (5) 返回梯度剪裁阈值$ {C_{\boldsymbol{g}}} $, $ {C_{\boldsymbol{V}}} $, $ {C_{\boldsymbol{\varPhi }}} $
    下载: 导出CSV

    表  2  基于Funk-SVD的深度神经网络差分隐私保护算法 (FSDP)

     输入: 训练数据集$D = \{ { {\boldsymbol{x} }_1},{ {\boldsymbol{x} }_2},\cdots,{ {\boldsymbol{x} }_n}\}$, 学习率$\eta $, batch样本数量$ L $, 损失函数$ \ell ({{\boldsymbol{\omega }}_t},{{\boldsymbol{x}}_i}) $, batch数量$T$, 给定隐私预算${\varepsilon _0}$.
     输出: 参数${{\boldsymbol{\omega }}_t}$.
     (1) 计算特征j隐私预算: ${\varepsilon _j}$
     (2) for $t \in [T]$:
     (3) 由抽样概率$L/N$随机选取样本集${L_t}$
     (4) 根据表1算法计算当前批次剪裁阈值$ {C_{\boldsymbol{g}}} $, $ {C_{\boldsymbol{V}}} $, $ {C_{\boldsymbol{\varPhi }}} $
     (5) for $i \in {L_t}$:
     (6) $ {{\boldsymbol{g}}_t}({{\boldsymbol{x}}_i}) \to {\nabla _\omega }\ell ({\omega _t},{{\boldsymbol{x}}_i}) \to {\boldsymbol{VH}}{\rm{ + }}{\boldsymbol{\varPhi }} $//做Funk-SVD矩阵分解
     (7)  $ \sigma _j^{\boldsymbol{V}} \ge \sqrt {2\ln (1.25/\delta )} \frac{{S_{\boldsymbol{V}}^*(f,D)}}{{{\varepsilon _j}}} $, $\sigma _j^{\boldsymbol{\varPhi } } \ge \sqrt {2\ln (1.25/\delta )} \dfrac{ {S_{\boldsymbol{\varPhi } }^*(f,D)} }{ { {\varepsilon _j} } }$//计算噪声规模
     (8)  $ {{\boldsymbol{z}}^{\boldsymbol{V}}} \sim N(0,{(\sigma _j^{\boldsymbol{V}}{C_{\boldsymbol{V}}})^2}{{\boldsymbol{I}}_{k \times k}}) $: $ \overline {\boldsymbol{V}} \to {\boldsymbol{V}} + {{\boldsymbol{z}}^{\boldsymbol{V}}} $//扰动特征矩阵
     (9)  $ {{\boldsymbol{z}}^{\boldsymbol{\varPhi }}} \sim N(0,{(\sigma _j^{\boldsymbol{\varPhi }}{C_{\boldsymbol{\varPhi }}})^2}{{\boldsymbol{I}}_{p \times p}}) $: $ \overline {\boldsymbol{\varPhi }} \to {\boldsymbol{\varPhi }} + {{\boldsymbol{z}}^{\boldsymbol{\varPhi }}} $//扰动残差矩阵
     (10) $ \overline {{{\boldsymbol{g}}_t}} ({{\boldsymbol{x}}_i}) \to \overline {\boldsymbol{V}} ({{\boldsymbol{x}}_i}){\boldsymbol{H}}({{\boldsymbol{x}}_i}) + \overline {\boldsymbol{\varPhi }} ({{\boldsymbol{x}}_i}) $//梯度重建
     (11) end for
     (12) $\widetilde { { {\boldsymbol{g} }_t} }({ {\boldsymbol{x} }_i}) \to \dfrac{1}{ { {\rm{|} }L{\rm{|} } } }\displaystyle\sum\limits_{ { {\boldsymbol{x} }_i} \in {L_t} } {(\overline { { {\boldsymbol{g} }_t} } ({ {\boldsymbol{x} }_i})/\max (1,||\overline { { {\boldsymbol{g} }_t} } ({ {\boldsymbol{x} }_i})|{|_2}/{C_{\boldsymbol{g} } }))}$//梯度剪裁
     (13) 参数更新: ${{\boldsymbol{\omega }}_{t{\rm{ + }}1}} \to {{\boldsymbol{\omega }}_t}{\rm{ - }}\eta \widetilde {{{\boldsymbol{g}}_t}}({{\boldsymbol{x}}_i})$
     (14) 计算隐私损失: $\varepsilon > {\varepsilon _0}$, 则结束循环
     (15) end for
    下载: 导出CSV

    表  3  不同特征向量数量k的训练精度(%)

    数据集隐私预算k
    10502005001000
    MNIST$ (2,{10^{ - 5}}) $96.1296.3796.4196.3996.07
    $ (4,{10^{ - 5}}) $97.3397.6897.7297.6997.35
    $ (8,{10^{ - 5}}) $98.1698.3398.3598.3897.89
    CIFAR-10$ (2,{10^{ - 5}}) $71.5972.1572.1672.3271.26
    $ (4,{10^{ - 5}}) $73.9574.8374.8774.9374.05
    $ (8,{10^{ - 5}}) $75.7776.8876.8976.9676.14
    下载: 导出CSV

    表  4  隐私损失对比

    数据集$\varepsilon $EpochsDP-SGDPDP-SGDP3SGD本文
    MNIST4.4251.932.111.881.96
    502.712.872.652.82
    1.3250.760.790.710.79
    501.091.111.041.11
    CIFAR-104.4250.720.890.630.79
    500.810.930.760.88
    1.3250.250.280.210.28
    500.310.390.300.35
    下载: 导出CSV

    表  5  算法中各结构对训练精度(%)的影响

    模型MNISTCIFAR-10
    (2, 10–5)(4, 10–5)(8, 10–5)(2, 10–5)(4, 10–5)(8, 10–5)
    DP-SGD94.5295.9497.1363.6368.9873.55
    FSDP-M95.3796.6497.5167.2471.3274.68
    FSDP-S95.6396.9897.8568.7472.4975.54
    FSDP-R96.1897.5198.2171.2974.2576.54
    FSDP-C95.4596.8197.7367.8971.9175.21
    FSDP96.3797.6898.3372.1574.8376.88
    下载: 导出CSV
    • 参考文献(16)
  • [1] 刘睿瑄, 陈红, 郭若杨, 等. 机器学习中的隐私攻击与防御[J]. 软件学报, 2020, 31(3): 866–892. doi: 10.13328/j.cnki.jos.005904

    LIU Ruixuan, CHEN Hong, GUO Ruoyang, et al. Survey on privacy attacks and defenses in machine learning[J]. Journal of Software, 2020, 31(3): 866–892. doi: 10.13328/j.cnki.jos.005904
    [2] NASR M, SHOKRI R, and HOUMANSADR A. Comprehensive privacy analysis of deep learning: Passive and active white-box inference attacks against centralized and federated learning[C]. 2019 IEEE Symposium on Security and Privacy, San Francisco, USA, 2019: 739–753. doi: 10.1109/SP.2019.00065.
    [3] HITAJ B, ATENIESE G, and PEREZ-CRUZ F. Deep models under the GAN: Information leakage from collaborative deep learning[C]. The 2017 ACM SIGSAC Conference on Computer and Communications Security, New York, USA, 2017: 603–618.
    [4] JUUTI M, SZYLLER S, MARCHAL S, et al. PRADA: Protecting against DNN model stealing attacks[C]. 2019 IEEE European Symposium on Security and Privacy (EuroS&P), Stockholm, Sweden, 2019: 512–527.
    [5] 冯登国, 张敏, 叶宇桐. 基于差分隐私模型的位置轨迹发布技术研究[J]. 电子与信息学报, 2020, 42(1): 74–88. doi: 10.11999/JEIT190632

    FENG Dengguo, ZHANG Min, and YE Yutong. Research on differentially private trajectory data publishing[J]. Journal of Electronics &Information Technology, 2020, 42(1): 74–88. doi: 10.11999/JEIT190632
    [6] ABADI M, CHU A, GOODFELLOW I, et al. Deep learning with differential privacy[C]. The 2016 ACM SIGSAC Conference on Computer and Communications Security, Vienna, The Republic of Austria, 2016: 308–318.
    [7] XU Chugui, REN Ju, ZHANG Deyu, et al. GANobfuscator: Mitigating information leakage under GAN via differential privacy[J]. IEEE Transactions on Information Forensics and Security, 2019, 14(9): 2358–2371. doi: 10.1109/TIFS.2019.2897874
    [8] PHAN N, VU M N, LIU Yang, et al. Heterogeneous Gaussian mechanism: Preserving differential privacy in deep learning with provable robustness[C]. The Twenty-Eighth International Joint Conference on Artificial Intelligence, Macao, China, 2019: 4753–4759.
    [9] PHAN N, WU Xintao, HU Han, et al. Adaptive Laplace mechanism: Differential privacy preservation in deep learning[C]. 2017 IEEE International Conference on Data Mining (ICDM), New Orleans, USA, 2017: 385–394.
    [10] GONG Maoguo, PAN Ke, and XIE Yu. Differential privacy preservation in regression analysis based on relevance[J]. Knowledge-Based Systems, 2019, 173: 140–149. doi: 10.1016/j.knosys.2019.02.028
    [11] ADESUYI T A and KIM B M. Preserving privacy in convolutional neural network: An ∈-tuple differential privacy approach[C]. 2019 IEEE 2nd International Conference on Knowledge Innovation and Invention (ICKII), Seoul, South Korea, 2019: 570–573.
    [12] WU Bingzhe, ZHAO Shiwan, SUN Guangyu, et al. P3SGD: Patient privacy preserving SGD for regularizing deep CNNs in pathological image classification[C]. 2019 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR), Long Beach, USA, 2019: 2094–2103.
    [13] ZHOU Yingxue, WU Zhiwei, and BANERJEE A. Bypassing the ambient dimension: Private SGD with gradient subspace identification[EB/OL]. https://arxiv.org/abs/2007.03813,2020.
    [14] SUN Lichao, ZHOU Yingbo, YU P S, et al. Differentially private deep learning with smooth sensitivity[EB/OL]. https://arxiv.org/abs/2003.00505, 2020.
    [15] THAKURTA A. Beyond worst case sensitivity in private data analysis[M]. KAO M Y. Encyclopedia of Algorithms. Boston: Springer, 2016: 192–199.
    [16] XU Jincheng and DU Qingfeng. Adversarial attacks on text classification models using layer-wise relevance propagation[J]. International Journal of Intelligent Systems, 2020, 35(9): 1397–1415. doi: 10.1002/int.22260
    • 相关文章
    • 施引文献
  • 资源附件(0)
  • 加载中
图(2) / 表(5)
计量
  • 文章访问数:  1310
  • HTML全文浏览量:  1209
  • PDF下载量:  159
  • 被引次数: 0
出版历程
  • 收稿日期:  2021-04-06
  • 修回日期:  2021-08-16
  • 网络出版日期:  2021-09-24
  • 刊出日期:  2022-05-25

目录

    /

    返回文章
    返回

    Copyright © 2018《电子与信息学报》编辑部 京ICP备20021838号-8

    中国科学院电子学研究所,北京市2702信箱,邮编:100190

    电话:010-58887066传真:021-64253812Email:jeit@mail.ie.ac.cn

    本系统由 北京仁和汇智信息技术有限公司 开发    百度统计