
CN-121997371-A - Machine learning privacy auditing method and system under trusted execution environment

CN121997371A

Abstract

The invention discloses a machine learning privacy auditing method and system under a trusted execution environment, belonging to the technical field of machine learning. The method comprises: uploading a private data set to a remote machine learning service deployed in a trusted execution environment to train a target model, and obtaining, for the private data, metric information in each training round of the target model; synthesizing the metric information of each training round to generate a metric sequence over a plurality of training rounds; extracting dynamic features of the metric sequence; classifying on the basis of the dynamic features to obtain membership prediction results for the private data over a plurality of training rounds; and determining whether to continue, pause or exit training according to the membership prediction results over those training rounds. The invention realises a privacy-risk measurement and audit mechanism that is fine-grained, low-cost and dynamically evaluated.

Inventors

  • WANG ZICUN
  • DONG YIFAN
  • HU CHENGRUI
  • LI HAO
  • ZHANG MIN
  • FENG DENGGUO

Assignees

  • Institute of Software, Chinese Academy of Sciences (中国科学院软件研究所)

Dates

Publication Date
2026-05-08
Application Date
2026-01-08

Claims (10)

  1. A machine learning privacy auditing method in a trusted execution environment, applied to a client, the method comprising: uploading a private data set to a remote machine learning service deployed in a trusted execution environment to train a target model, and obtaining, for the private data, metric information in each training round of the target model, the metric information including one or more of a loss value, the confidence in the correct class, the prediction entropy, and the raw logit value; synthesizing the metric information of each training round to generate a metric sequence over a plurality of training rounds; extracting dynamic features of the metric sequence; classifying on the basis of the dynamic features to obtain membership prediction results for the private data over a plurality of training rounds; and determining whether to continue training, pause training or exit training according to the membership prediction results over the plurality of training rounds.
  2. The method of claim 1, wherein the dynamic features include a rate of change of the metric sequence and/or a fluctuation accumulation of the metric sequence.
  3. The method of claim 2, wherein extracting the rate of change of the metric sequence comprises fitting the metric sequence to a first-order linear model by least squares, the model being expressed in terms of the training round index, an intercept term, a rate-of-change term, the mean of the round indices over the time span, the mean of the metric sequence, the total number of training rounds in the metric sequence and the metric value at each training round; the fitted rate of change is taken as the rate-of-change feature of the sequence.
  4. The method of claim 2, wherein the fluctuation accumulation of the metric sequence is computed in terms of the training round index, the total number of training rounds in the metric sequence and the metric value at each training round.
  5. The method of claim 1, wherein classifying on the basis of the dynamic features to obtain membership prediction results for the private data over a plurality of training rounds comprises: constructing a labelled training set from the real member samples and non-member samples known to the client; training a two-class audit model on the training set with a machine learning algorithm, the machine learning algorithm comprising a support vector machine; and generating an audit feature vector from the dynamic features and feeding it into the two-class audit model to obtain the membership prediction results for the private data over the plurality of training rounds.
  6. The method of claim 1, wherein determining whether to continue, pause or exit training according to the membership prediction results over a plurality of training rounds comprises: generating an audit index from the membership prediction results over the plurality of training rounds, the audit index comprising an AUC value and the true positive rate at a false positive rate of 0.1%; continuing training if the AUC value is below a first set threshold or the true positive rate at a false positive rate of 0.1% is below a third set threshold; pausing training if the AUC value is above the first set threshold and below a second set threshold, or the true positive rate at a false positive rate of 0.1% is above the third set threshold and below a fourth set threshold; and exiting training if the AUC value is above the second set threshold or the true positive rate at a false positive rate of 0.1% is above the fourth set threshold.
  7. A machine learning privacy audit system in a trusted execution environment, the system comprising: an information acquisition module for uploading the private data set to a remote machine learning service deployed in a trusted execution environment to train the target model and for acquiring, for the private data, metric information in each training round of the target model, the metric information including one or more of a loss value, the confidence in the correct class, the prediction entropy, and the raw logit value; a sequence generation module for synthesizing the metric information of each training round and generating a metric sequence over a plurality of training rounds; a feature extraction module for extracting dynamic features of the metric sequence; a relationship prediction module for classifying on the basis of the dynamic features to obtain membership prediction results for the private data over a plurality of training rounds; and a privacy audit module for determining whether to continue training, pause training or exit training according to the membership prediction results over the plurality of training rounds.
  8. An electronic device comprising a processor and a memory storing computer program instructions which, when executed by the processor, implement the machine learning privacy auditing method in a trusted execution environment of any one of claims 1 to 6.
  9. A computer-readable storage medium having stored thereon computer program instructions which, when executed by a processor, implement the machine learning privacy auditing method in a trusted execution environment of any one of claims 1 to 6.
  10. A computer program product which, when run on a computer device, causes the computer device to perform the machine learning privacy auditing method in a trusted execution environment of any one of claims 1 to 6.
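Claims 2 to 6 describe the client-side audit pipeline in prose only, and the formulas of claims 3 and 4 are not reproduced on this page. What follows is an added example, written for this edit and not code from the patent or its inventors, that runs the whole pipeline end to end on constructed per-round loss sequences: the least-squares rate of change of claim 3, a fluctuation accumulation (assumed here to be the sum of absolute round-to-round changes), a two-class audit model (a nearest-centroid scorer on z-scored features standing in for the support vector machine of claim 5), the AUC and true-positive-rate-at-0.1%-FPR audit index, and the continue/pause/exit rule of claim 6. The threshold values, the synthetic sequences, the scorer, and the tie-break that lets the more severe action win when the two tests of claim 6 disagree (the claim does not say which test wins) are all assumptions of this example.

```python
"""Client-side privacy audit over per-round metric sequences (added example,
not the patent's code).  Assumptions, also marked inline: fluctuation
accumulation = sum of |m_t - m_(t-1)| (the claim's formula is not on this page);
a nearest-centroid scorer on z-scored features stands in for the SVM; the four
thresholds are illustrative, and the more severe action wins when the AUC and
TPR@FPR tests disagree."""
import math
import random

def rate_of_change(seq):
    """Least-squares slope of the first-order fit m_t = a + b*t over rounds t=1..T."""
    n = len(seq)
    if n < 2:
        return 0.0
    t_mean, m_mean = (n + 1) / 2.0, sum(seq) / n
    num = sum((t - t_mean) * (m - m_mean) for t, m in enumerate(seq, start=1))
    return num / sum((t - t_mean) ** 2 for t in range(1, n + 1))

def fluctuation(seq):
    """Accumulated fluctuation; ASSUMED form: sum of absolute round-to-round changes."""
    return sum(abs(b - a) for a, b in zip(seq, seq[1:]))

def dynamic_features(seq):
    """Audit feature vector of claims 2-5: (rate of change, fluctuation accumulation)."""
    return (rate_of_change(seq), fluctuation(seq))

def _mean(rows):
    return [sum(r[d] for r in rows) / len(rows) for d in range(len(rows[0]))]

def _dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

class CentroidAuditor:
    """Two-class audit model standing in for the SVM of claim 5: features are
    z-scored on the known samples, and score > 0 leans 'member'."""

    def fit(self, feats, labels):
        n, dims = len(feats), len(feats[0])
        self.mu = [sum(f[d] for f in feats) / n for d in range(dims)]
        self.sd = [max(1e-9, math.sqrt(sum((f[d] - self.mu[d]) ** 2 for f in feats) / n))
                   for d in range(dims)]
        z = [self._z(f) for f in feats]
        self.c_mem = _mean([v for v, y in zip(z, labels) if y])
        self.c_non = _mean([v for v, y in zip(z, labels) if not y])
        return self

    def score(self, feat):
        z = self._z(feat)
        return _dist(z, self.c_non) - _dist(z, self.c_mem)

    def _z(self, f):
        return [(f[d] - self.mu[d]) / self.sd[d] for d in range(len(f))]

def auc(scores, labels):
    """Rank-based AUC: P(member score > non-member score); ties count one half."""
    pos = [s for s, y in zip(scores, labels) if y]
    neg = [s for s, y in zip(scores, labels) if not y]
    wins = sum(1.0 if p > q else 0.5 if p == q else 0.0 for p in pos for q in neg)
    return wins / (len(pos) * len(neg))

def tpr_at_fpr(scores, labels, fpr=0.001):
    """TPR at a fixed FPR budget (claim 6 uses 0.1%); below 1000 non-members the
    budget rounds down to zero, so the threshold is the highest non-member score."""
    pos = [s for s, y in zip(scores, labels) if y]
    neg = sorted((s for s, y in zip(scores, labels) if not y), reverse=True)
    allowed = int(fpr * len(neg))
    thr = neg[allowed] if allowed < len(neg) else -math.inf
    return sum(1 for s in pos if s > thr) / len(pos)

def audit_decision(auc_v, tpr_v, t1=0.60, t2=0.80, t3=0.10, t4=0.50):
    """Claim 6 decision rule; thresholds t1..t4 are illustrative values."""
    if auc_v > t2 or tpr_v > t4:
        return "exit"
    if auc_v > t1 or tpr_v > t3:
        return "pause"
    return "continue"

def synth_loss_sequence(rng, member, rounds=20):
    """CONSTRUCTED per-round loss: members are fitted faster, lower and more smoothly."""
    floor, amp, decay, noise = (0.05, 1.95, 0.35, 0.02) if member else (1.0, 1.0, 0.05, 0.10)
    return [floor + amp * math.exp(-decay * t) + rng.gauss(0.0, noise)
            for t in range(1, rounds + 1)]

def run_audit(seed=7, n_known=40, n_audit=60):
    """Whole client-side pipeline: sequences of known members/non-members train the
    auditor, then private samples whose membership the client knows are scored."""
    rng = random.Random(seed)

    def batch(n):
        labels = [i % 2 for i in range(n)]
        return [dynamic_features(synth_loss_sequence(rng, bool(y))) for y in labels], labels

    model = CentroidAuditor().fit(*batch(n_known))
    feats, labels = batch(n_audit)
    scores = [model.score(f) for f in feats]
    a, t = auc(scores, labels), tpr_at_fpr(scores, labels)
    return {"auc": a, "tpr_at_fpr": t, "decision": audit_decision(a, t)}

if __name__ == "__main__":
    print(run_audit())
```

`run_audit()` returns the audit index and the resulting action. One practical caveat the claim glosses over: with fewer than 1000 known non-member samples the 0.1% false-positive budget rounds down to zero, so the "TPR at 0.1% FPR" figure degenerates into "fraction of members scored above every known non-member" and is very noisy on small audit sets; a client should size its held-out non-member set accordingly before acting on the fourth threshold.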

Description

Machine learning privacy auditing method and system under trusted execution environment

Technical Field

The invention belongs to the technical field of machine learning, and in particular relates to a machine learning privacy auditing method and system under a trusted execution environment.

Background

With the spread of cloud computing and the "Machine Learning as a Service" (MLaaS) model, enterprises and institutions increasingly outsource model training to the cloud for lower hardware investment and greater flexibility and scalability. This mode, however, introduces significant data security and privacy risks: during the training phase, users must upload data sets containing sensitive information to cloud servers, where they may be stolen or abused by malicious cloud service providers or external attackers. To reduce this risk, the closest prior-art route is to deploy the remote machine learning task inside a trusted execution environment (TEE), which protects the confidentiality and integrity of data and code during training and inference through hardware-enforced isolation. The TEE creates an isolated trusted execution space inside the processor that prevents the external environment from directly accessing or tampering with the programs and runtime data inside it, thereby providing basic privacy and integrity guarantees for remote machine learning and static protection for the model parameters, the model architecture, and the data uploaded by clients. A TEE does not, however, block the indirect privacy leakage that arises from the model's own behaviour.

Related research shows that even when sensitive data remains in an encrypted or isolated execution environment throughout, as long as it takes part in model training an attacker can still mount a membership inference attack on the model's response signals for a sample and thereby judge whether that sample belongs to the training set; a successful judgement often leads to more serious privacy leakage, such as inferring a patient's medical history or health status in a medical scenario. Further identification and quantification of this privacy risk on top of a TEE is therefore an urgent problem for remote machine learning. Existing work on membership inference mostly takes the attacker's perspective and pursues higher recognition accuracy; typical public tools include ML-Doctor and ML Privacy Meter. These methods generally rely on shadow-model construction, model distillation and the training of complex attack models, which carry high computational and engineering cost; they tend to evaluate a static model once after training and so cannot reflect how the risk evolves during training; and, being limited to the information available from the attacker's viewpoint, they fall short of the richer signals available to the client during the real training process. Together these factors make such approaches ill-suited to the practical demands of remote training for low latency, high throughput and real-time risk awareness. Against this background, industry and academia have gradually raised the requirement for client-facing privacy auditing: without violating the TEE trust assumption, make full use of the information the client can observe during training to realise a privacy-risk measurement and audit mechanism that is fine-grained, low-cost and dynamically evaluated.
Disclosure of Invention

The invention provides a remote machine learning privacy auditing method and system for a trusted execution environment (TEE). Its core idea is that, without changing the existing TEE trust model or training flow, the perception and measurement of privacy risk is carried out on the client side: the client actively audits with the information it can itself observe, which makes a fine-grained, low-cost and dynamically evaluable privacy-risk measurement and audit mechanism achievable. To that end the technical scheme of the invention comprises the following.

A machine learning privacy auditing method under a trusted execution environment, applied to a client, the method comprising: uploading the private data set to a remote machine learning service deployed in a trusted execution environment to train a target model, and obtaining, for the private data, metric information in each training round of the target model, the metric information including one or more of a loss value, the confidence in the correct class, the prediction entropy, and the raw logit value; synthesizing the metric information of each training round to generate a metric sequence over a plurality of training rounds; extracting dy