CN-120494087-B - Large model security reasoning method and system integrating trusted execution environment and differential privacy

Abstract

The invention discloses a large model security reasoning method and system integrating a trusted execution environment and differential privacy, belonging to the technical field of artificial intelligence. The method comprises the steps of dividing a large model into an embedded layer and a core processing layer, wherein the embedded layer is deployed in a local client SGX2 trusted environment and the core processing layer is deployed on a remote server provided with multi-GPU acceleration cards; based on local differential privacy, the user's original input text is obfuscated using a noisy-maximum output algorithm, the obfuscated text is mapped to an embedded vector by the embedding function, the embedded vector is encrypted and transmitted to the server GPU, and the embedded vector is processed by a self-attention mechanism and a feedforward neural network to generate a prediction result that is returned to the client. The method and system resolve the conflict between data privacy protection and computational efficiency in existing large model inference.

Inventors

  • GU XIAOYAN
  • YU HONGLAN
  • LIU DONG
  • DAI FEIFEI
  • ZHOU JIANG
  • WANG WEIPING

Assignees

  • 中国科学院信息工程研究所

Dates

Publication Date
20260508
Application Date
20250417

Claims (9)

  1. A large model security reasoning method integrating a trusted execution environment and differential privacy, applied to a local client, the method comprising: dividing a large model into an embedded layer and a core processing layer, deploying the embedded layer in a trusted execution environment of the local client and the core processing layer in a remote server provided with multi-GPU acceleration cards, wherein the embedded layer maps an input text into an embedded vector and the core processing layer obtains a prediction result for the input text based on the embedded vector; after the original text has been obfuscated based on differential privacy, sending the obfuscated original text to the embedded layer deployed in the local trusted environment, and sending the embedded vector generated by the embedded layer to the remote server, so that the remote server obtains and returns a prediction result for the embedded vector using the core processing layer; performing local vocabulary mapping based on the prediction result for the embedded vector to obtain an inference result for the original text; wherein obfuscating the original text based on differential privacy includes: dividing the words in the original text into sensitive words and non-sensitive words; for each word in the original text, retrieving the nearest neighbouring words in the word embedding space using a cosine similarity measure, and normalizing the cosine similarity between the word and each neighbouring word by a linear transformation to obtain the similarity ; adding Laplacian noise of the stated strength to the similarity to generate a disturbance score for the neighbouring word; selecting a neighbouring word according to the disturbance score as the candidate word for the word; where the word is a sensitive word, replacing the word with the candidate word; where the word is a non-sensitive word, replacing the word with the candidate word with probability , and keeping the word unchanged with probability .
  2. The method of claim 1, wherein the similarity , where represents the cosine similarity between the word and the adjacent word , , .
  3. The method of claim 1, wherein obtaining and returning the prediction result for the embedded vector using the core processing layer comprises: processing the embedded vector through a multi-layer decoder network to obtain the output of the multi-layer decoder network , wherein each decoder in the multi-layer decoder network adopts a self-attention mechanism and a feedforward neural network structure; mapping the output to the vocabulary space through a linear layer and a SoftMax function to calculate a probability distribution over the candidate words; and selecting the word with the highest probability as the prediction result for the embedded vector.
  4. The method of claim 1, wherein the large model is trained with the loss function , where the task loss function is , denotes the number of words in the real corpus, denotes the embedded vector of each word, denotes the probability that the model predicts a word given the preceding input words, denotes the number of preceding input words, is a hyper-parameter balancing the weights of the different loss functions, and the EMO loss function is , where denotes the probability distribution over the next word predicted by the model, denotes the word embedding vector corresponding to the next word predicted by the large model, and denotes the word embedding vector corresponding to the next word in the real corpus.
  5. The method of any of claims 1 to 4, wherein the communication between the embedded layer and the core processing layer transfers data using the AES-GCM encryption protocol.
  6. A large model security reasoning system integrating a trusted execution environment with differential privacy, the system comprising: a model deployment module for dividing a large model into an embedded layer and a core processing layer, deploying the embedded layer in a trusted execution environment of a local client, and deploying the core processing layer in a remote server provided with multi-GPU acceleration cards; an embedded vector generation module for obfuscating the original text based on differential privacy, transmitting the obfuscated original text to the embedded layer deployed in the local trusted environment, and sending the embedded vector generated by the embedded layer to the remote server so that the remote server can obtain and return a prediction result for the embedded vector using the core processing layer; and a reasoning result acquisition module for performing local vocabulary mapping based on the prediction result for the embedded vector to obtain the reasoning result for the original text; wherein obfuscating the original text based on differential privacy includes: dividing the words in the original text into sensitive words and non-sensitive words; for each word in the original text, retrieving the nearest neighbouring words in the word embedding space using a cosine similarity measure, and normalizing the cosine similarity between the word and each neighbouring word by a linear transformation to obtain the similarity ; adding Laplacian noise of the stated strength to the similarity to generate a disturbance score for the neighbouring word; selecting a neighbouring word according to the disturbance score as the candidate word for the word; where the word is a sensitive word, replacing the word with the candidate word; where the word is a non-sensitive word, replacing the word with the candidate word with probability , and keeping the word unchanged with probability .
  7. An electronic device comprising a processor and a memory storing computer program instructions which, when executed by the processor, implement the large model security reasoning method integrating a trusted execution environment with differential privacy of any of claims 1-5.
  8. A computer readable storage medium having stored thereon computer program instructions which, when executed by a processor, implement the large model security reasoning method integrating a trusted execution environment with differential privacy of any of claims 1-5.
  9. A computer program product which, when run on a computer device, causes the computer device to perform the large model security reasoning method integrating a trusted execution environment with differential privacy as claimed in any one of claims 1-5.
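The word-level obfuscation step of claim 1 (nearest neighbours by cosine similarity, linear normalization, Laplacian noise, noisy-maximum candidate selection, and the sensitive/non-sensitive replacement rule) is shown below as an added, runnable illustration; it is not code from the patent or its assignee. The embedding table is constructed for the example, and two details the page does not reproduce are assumptions: the linear normalization is taken to be min-max scaling onto [0, 1], and the Laplace noise scale is taken to be 2/ε, the usual report-noisy-max calibration for a utility score with sensitivity 1. Out-of-vocabulary tokens are passed through unchanged, also an assumption.

```python
import math
import random

# Constructed toy embedding table (3-dimensional, made up for this example);
# a deployment would use the large model's own embedding matrix.
EMBEDDINGS = {
    "doctor":   (0.90, 0.40, 0.10),
    "nurse":    (0.85, 0.45, 0.15),
    "surgeon":  (0.88, 0.35, 0.20),
    "patient":  (0.60, 0.70, 0.10),
    "hospital": (0.55, 0.65, 0.30),
    "visited":  (0.10, 0.20, 0.95),
    "went":     (0.15, 0.25, 0.90),
    "saw":      (0.20, 0.15, 0.92),
    "the":      (0.05, 0.05, 0.50),
    "a":        (0.06, 0.04, 0.48),
}


def cosine(u, v):
    """Cosine similarity between two equal-length vectors."""
    dot = sum(a * b for a, b in zip(u, v))
    norm_u = math.sqrt(sum(a * a for a in u))
    norm_v = math.sqrt(sum(b * b for b in v))
    return dot / (norm_u * norm_v)


def nearest_neighbours(word, k):
    """The k vocabulary words closest to `word` by cosine similarity, as
    (similarity, word) pairs from most to least similar. The word itself is
    excluded so that a chosen candidate is always a different token."""
    target = EMBEDDINGS[word]
    scored = [(cosine(target, vec), other)
              for other, vec in EMBEDDINGS.items() if other != word]
    scored.sort(reverse=True)
    return scored[:k]


def normalise(sims):
    """Linear rescaling of the neighbour similarities onto [0, 1].
    Assumption: min-max scaling (the patent's exact linear transform is not
    on the page). A fixed range gives the score a known sensitivity of 1."""
    lo, hi = min(sims), max(sims)
    if hi == lo:
        return [1.0] * len(sims)
    return [(s - lo) / (hi - lo) for s in sims]


def laplace(rng, scale):
    """Sample Laplace(0, scale) by inverse CDF from one uniform draw."""
    u = rng.random() - 0.5          # uniform on [-0.5, 0.5)
    if u == -0.5:                   # avoid log(0) at the boundary
        u = 0.0
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


def candidate_word(word, k, epsilon, rng):
    """Report-noisy-max selection of one neighbour: every normalised
    similarity receives independent Laplace noise and the highest perturbed
    score wins. Assumption: scale 2/epsilon, the standard calibration for a
    sensitivity-1 utility; the patent's noise strength is not on the page."""
    neigh = nearest_neighbours(word, k)
    scores = normalise([s for s, _ in neigh])
    noisy = [s + laplace(rng, 2.0 / epsilon) for s in scores]
    best = max(range(len(neigh)), key=lambda i: noisy[i])
    return neigh[best][1]


def obfuscate(text, sensitive, k=3, epsilon=2.0, p=0.3, seed=0):
    """Claim 1 replacement rule: a sensitive word is always replaced by its
    noisy-max candidate; a non-sensitive word is replaced with probability p
    and otherwise kept. Out-of-vocabulary tokens pass through (assumption)."""
    rng = random.Random(seed)
    out = []
    for w in text.split():
        if w not in EMBEDDINGS:
            out.append(w)
            continue
        cand = candidate_word(w, k, epsilon, rng)
        if w in sensitive or rng.random() < p:
            out.append(cand)
        else:
            out.append(w)
    return " ".join(out)


if __name__ == "__main__":
    print(obfuscate("the patient visited a doctor", {"patient", "doctor"}))
```

The perturbation is applied on the client before the text reaches the embedded layer, so the embedded vector sent to the GPU server already satisfies local differential privacy and the server never sees the original sensitive tokens; the remote side's trustworthiness is therefore not a precondition for the privacy guarantee. A smaller ε raises the noise and makes the selected neighbour less predictable at the cost of fidelity, which is the utility trade-off an operator tunes per deployment.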

Description

Large model security reasoning method and system integrating trusted execution environment and differential privacy

Technical Field

The invention belongs to the technical field of artificial intelligence, and particularly relates to a large model security reasoning method and system integrating a trusted execution environment and differential privacy.

Background

Artificial intelligence is currently developing at an unprecedented pace, and the rise of large language models has opened a new era of intelligent interaction. ChatGPT, introduced by OpenAI at the end of 2022, attracted global attention, and its number of users passed 1 million in only two months. Thereafter, large language models of many kinds appeared in quick succession. Large language models (Large Language Models, LLMs) are language models with billions or more parameters, trained on vast amounts of text, hereinafter referred to as large models. By virtue of strong human-machine interaction and task reasoning capabilities, the large model is widely applied in fields including medicine, education, law and finance. These applications bring great economic benefits and also show the large model's value potential. However, as application scenarios diversify and grow more complex, large models face serious security and privacy challenges. Because large models place high demands on hardware resources, they are usually deployed on cloud servers, and users access them through various interfaces. During interaction, the large model must process massive amounts of user data, which contains a great deal of personal sensitive information and trade secrets. If such data is handled improperly, data security incidents are very likely to arise. Recent attacks on large models have further heightened users' concern about privacy protection.
To protect user data security, researchers have proposed a variety of privacy protection techniques, including secure multiparty computation, differential privacy, and confidential computing. Among these, confidential computing protects data privacy through hardware-based trusted execution environments (Trusted Execution Environments, TEEs) and offers better computing performance and practicality. A trusted execution environment uses security extensions at the processor level, such as ARM TrustZone and Intel SGX, to create an isolated execution area outside the main operating system, so that confidentiality and integrity are maintained even if the host system or virtual machine is compromised; the protected runtime state of the execution area includes CPU registers, memory, sensitive I/O and the like. In addition, a TEE has remote attestation capability and can prove its trustworthiness to a third party. A TEE is typically integrated on the CPU and has resource limitations that make it unsuitable for running some large deep learning models. Researchers have therefore designed delegation protocols that securely outsource part of the linear computation in the inference process to heterogeneous processors, such as GPUs, for acceleration: the TEE converts the linear layer data into an encrypted form, transmits it to the GPU for computation, and decrypts the result into the input of the following nonlinear layer. To preserve the performance benefit of outsourcing the computation, the encryption algorithm used cannot be overly complex. Differential privacy (Differential Privacy, DP) is another technical means for strengthening large model data privacy during fine-tuning and inference. It is a privacy criterion defined in mathematical terms that characterizes a property of the algorithm, not a property of the data.
The original differential privacy algorithm injects noise into the result of a statistical query, so that an attacker cannot accurately infer information about a specific individual in the data set even with full knowledge of the query result. Differential privacy can be classified into Central Differential Privacy (CDP) and Local Differential Privacy (LDP) according to where the data is processed. CDP requires unified noise processing of the data on a central server and suits centralized data collection and processing scenarios. LDP allows data owners to apply random perturbations to their data locally before transmitting it to an untrusted data manager. In the local differential privacy model, the trustworthiness of the data manager is no longer a requirement, because the data it receives already satisfies the differential privacy criterion. Local differential privacy has the significant advantage over central differential privacy that the data owner does not need to trust anyone other than itself. This advantage has led to the widespread use of LDP in practical systems. Although the local differential priva