CN-122020701-A - Differential privacy method for preventing large model training data from being revealed
Abstract
The invention discloses a differential privacy method for preventing leakage of large model training data, and relates to the technical field of artificial intelligence large model security. The method comprises the following steps. Step a: the N nodes participating in training complete key negotiation through the SM4 symmetric encryption algorithm and generate unique identifiers; only authenticated nodes are admitted to training; a central server generates global noise seeds and distributes them to the authenticated nodes over a TLS 1.3 encrypted channel. The federated layer solves the problem of cross-node leakage in distributed training through node authentication and noise coordination, ensuring that one node's data cannot be reverse-inferred by another; sample semantics are maintained while privacy is protected, reducing damage to data value; model-layer gradient clustering noise reduction and dynamic clipping reduce the interference of noise with model training; the result is comprehensive protection across the full pipeline and multiple scenarios, adapted to the requirements of sensitive fields such as healthcare and finance.
Inventors
- LIU YINGYING
- FANG ANKANG
- SUN XIANG
- WANG FAPENG
Assignees
- 南京先进计算产业发展有限公司
Dates
- Publication Date
- 20260512
- Application Date
- 20251212
Claims (10)
- 1. A differential privacy method for preventing leakage of large model training data, characterized by comprising the following steps: Step a, the N nodes participating in training complete key negotiation through the SM4 symmetric encryption algorithm and generate unique identifiers, only authenticated nodes are admitted to training, a central server generates global noise seeds and distributes them to the authenticated nodes over a TLS 1.3 encrypted channel, and each node generates local cooperative noise from the seed, wherein the local noise magnitude is calculated according to the following formula: = × ; Step b, performing feature binning on the data, partitioning continuous features into semantic intervals, retaining the original categories of discrete features, and calculating the dynamic sensitivity of each sample: ; adding sign-consistent Laplacian noise to the sample features to generate a privacy-preserving dataset; Step c, training the large model on the privacy-preserving dataset, performing K-means clustering on the gradient set in each training round and replacing all gradients in a cluster with the cluster-center gradient to achieve noise reduction, performing L2-norm clipping on the denoised gradients according to a dynamic threshold, and adding Gaussian noise to the clipped gradients, wherein the noise variance is positively correlated with the clipping threshold and the gradient magnitude and negatively correlated with the privacy budget; Step d, allocating the total privacy budget among the data layer, model layer, federated layer and risk verification layer, and adjusting the allocation according to the real-time data sensitivity factor and the model training state factor; and Step e, every 50 training rounds and at the end of training, calculating membership inference risk, model extraction risk and model conversion risk, comprehensively evaluating privacy risk, and if the privacy risk exceeds a threshold, adjusting parameters and retraining.
- 2. The differential privacy method according to claim 1, further comprising a global feature sensitivity, wherein the global feature sensitivity is the maximum of the local feature sensitivities of the nodes.
- 3. The differential privacy method for preventing leakage of large model training data according to claim 1, wherein the semantic interval division of continuous features applies to age, income and image gray values, and the sensitive fields comprise medical record numbers, diagnosis results, credit records and bank card numbers.
- 4. The differential privacy method for preventing leakage of large model training data according to claim 1, wherein the initial cluster centers of the K-means clustering are determined by the elbow rule, and the adaptive optimizer is AdamW.
- 5. The differential privacy method for preventing leakage of large model training data according to claim 1, wherein the data-layer and model-layer budget allocation is dynamically adjusted with the sensitivity factor, and the risk verification layer budget is not less than 5% of the total budget.
- 6. The differential privacy method for preventing leakage of large model training data according to claim 1, wherein the model conversion risk is calculated according to a multi-modal adaptation rule, and the risk threshold is set according to the scenario classification.
- 7. The differential privacy method for preventing leakage of large model training data according to claim 1, wherein the large model trained on the privacy-preserving dataset comprises Transformer, GPT-3/GPT-4, BERT, ResNet-50/ResNet-101 and ViT, and the initial clipping threshold is set according to the model parameter scale: 1.2 when the parameter scale is less than or equal to 100M, 1.0 when 100M < parameter scale ≤ 1B, 0.9 when 1B < parameter scale ≤ 10B, and 0.8 when the parameter scale exceeds 10B.
- 8. The differential privacy method for preventing leakage of large model training data according to claim 1, wherein the federated-layer privacy coordination further comprises a node anomaly detection mechanism that rejects nodes whose noise distribution or parameter updates are abnormal.
- 9. The differential privacy method for preventing leakage of large model training data according to claim 1, wherein the dynamic sensitivity calculation further incorporates a time decay factor: when the interval between the sample acquisition time and the current training time exceeds 1 year, the sensitivity is multiplied by the decay factor, and when the historical data is not more than 1 year old it is multiplied by 1.0, avoiding over-protection of historical data.
- 10. The differential privacy method for preventing leakage of large model training data according to claim 1, wherein the Gaussian noise failure probability is refined according to the scenario: for the medical image model it is , for the financial risk control model it is , for the government affairs data model it is , and for the common text model it is ; the total privacy budget takes a value of 1.2-1.5 for sensitive scenarios and 0.8-1.0 for common scenarios.
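Step c of claim 1 (gradient-cluster noise reduction, L2 clipping to a threshold, Gaussian noise whose scale grows with the threshold and gradient magnitude and shrinks with the budget) as an added Python example; it is not code from the patent. The concrete variance rule `threshold * mean_norm / epsilon`, the farthest-point K-means initialisation and the sample gradients are assumptions.

```python
import numpy as np

# Constructed sample: six per-sample gradients forming two tight clusters
# (stands in for one training round's gradient set; not data from the patent).
SAMPLE_GRADS = np.array([[1.0, 0.0], [1.1, 0.1], [0.9, -0.1],
                         [-3.0, 4.0], [-3.1, 4.1], [-2.9, 3.9]])

def kmeans(grads, k, iters=20):
    """Lloyd's K-means with deterministic farthest-point initialisation.
    k is chosen by the caller (the patent names the elbow rule in claim 4)."""
    centers = [grads[0]]
    for _ in range(1, k):
        d = np.min([np.linalg.norm(grads - c, axis=1) for c in centers], axis=0)
        centers.append(grads[d.argmax()])
    centers = np.array(centers, dtype=float)
    labels = np.zeros(len(grads), dtype=int)
    for _ in range(iters):
        dist = np.linalg.norm(grads[:, None, :] - centers[None, :, :], axis=2)
        labels = dist.argmin(axis=1)
        for j in range(k):
            if np.any(labels == j):
                centers[j] = grads[labels == j].mean(axis=0)
    return labels, centers

def cluster_denoise(grads, k):
    """Step c, part 1: every gradient is replaced by its cluster-center gradient."""
    labels, centers = kmeans(np.asarray(grads, dtype=float), k)
    return centers[labels]

def clip_l2(grads, threshold):
    """Step c, part 2: rescale any gradient whose L2 norm exceeds the threshold."""
    norms = np.linalg.norm(grads, axis=1, keepdims=True)
    return grads * np.minimum(1.0, threshold / np.maximum(norms, 1e-12))

def noise_sigma(threshold, grads, epsilon):
    """Assumed concrete form of the claim-1 variance rule: sigma grows with the
    clipping threshold and the mean gradient amplitude, shrinks with budget epsilon."""
    amplitude = float(np.linalg.norm(grads, axis=1).mean())
    return threshold * amplitude / epsilon

def private_gradient_step(grads, k, threshold, epsilon, seed=0):
    """Full model-layer round: denoise -> clip -> Gaussian noise -> average.
    Returns the noisy aggregate gradient and the sigma that was used."""
    clipped = clip_l2(cluster_denoise(grads, k), threshold)
    sigma = noise_sigma(threshold, clipped, epsilon)
    rng = np.random.default_rng(seed)
    noisy = clipped + rng.normal(0.0, sigma, size=clipped.shape)
    return noisy.mean(axis=0), sigma
```

Because the clipping threshold bounds each gradient's contribution, it is the quantity a practitioner would check against the per-round noise scale when auditing whether the budget in step d is actually honoured.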
Description
Differential privacy method for preventing large model training data from being revealed
Technical Field
The invention relates to the technical field of artificial intelligence large model security, in particular to a differential privacy method for preventing large model training data from being revealed.
Background
With the development of artificial intelligence technology, large models represented by the Transformer and GPT series rely on massive training data to achieve high performance, and that data often contains sensitive content such as user privacy information (e.g., medical history and financial credit records) and enterprise core data. However, the large model training process carries a significant risk of data leakage: an attacker can judge whether a given sample belongs to the training set through a membership inference attack, reverse-infer training data characteristics from the parameters through a model extraction attack, and even restore original inputs (such as medical images and face data) through a model conversion attack, so such leakage easily causes privacy security incidents.
The existing mainstream protection schemes are based mainly on traditional Differential Privacy (DP) and have obvious limitations. First, the protection layer is single: most schemes apply DP only at the data layer (e.g., noise on the original data) or the model layer (e.g., gradient noise) and cannot resist multiple types of attack at once; data-layer protection alone, for example, does little to prevent leakage through reverse inference from model parameters. Second, the contradiction between privacy and performance is pronounced: meeting a high privacy requirement demands a large amount of noise, which slows model convergence by 15%-30% and visibly reduces prediction accuracy, making it hard to meet the high performance requirements of large models. Third, parameter settings are rigid: the definition of sensitive fields and the noise intensity are fixed values that cannot be adjusted dynamically according to data characteristics, so over-protection or under-protection occurs easily. Distributed training scenarios (such as federated learning) further aggravate the protection challenge: existing schemes lack a cross-node privacy coordination mechanism, gradient and parameter transmission between nodes is vulnerable to man-in-the-middle attacks, and data distributions differ greatly between nodes, so a single noise mechanism is hard to adapt to all of them. Meanwhile, privacy budget allocation mostly uses fixed proportions (e.g., 40% to the data layer and 50% to the model layer) and ignores dynamic changes in data sensitivity (e.g., an influx of sensitive samples) and fluctuations in the model training state (e.g., large gradient magnitudes early in training), so the budget is insufficient in critical stages and wasted in non-critical ones; and risk verification covers only membership inference and model extraction, does not address model conversion attacks, and has a high misjudgment rate.
To this end, we provide a differential privacy method to prevent leakage of large model training data that solves the above problems.
Disclosure of Invention
The invention aims to provide a differential privacy method for preventing large model training data from being revealed, which solves the prior-art problems of a single protection layer, difficulty in balancing privacy protection against model performance, insufficient cross-node cooperation and incomplete risk verification in distributed scenarios, through a three-dimensional cooperative differential privacy mechanism combined with dynamic adaptation and closed-loop risk verification. To solve these technical problems, the invention is realised by the following technical scheme. The invention relates to a differential privacy method for preventing large model training data leakage, comprising the following steps: Step a, the N nodes participating in training complete key negotiation through the SM4 symmetric encryption algorithm and generate unique identifiers, only authenticated nodes are admitted to training, a central server generates global noise seeds and distributes them to the authenticated nodes over a TLS 1.3 encrypted channel, and each node generates local cooperative noise from the seed, wherein the local noise magnitude is calculated according to the following formula: =×; Step b, performing feature binning on the data, partitioning continuous features into semantic intervals, retaining the original categories of discrete features, and calculating the dynamic sensitivity of each sample: ; The method comprises the steps of adding sign-consistent Laplacian noise to sample features to generate a privacy-preserving dataset, training a large model on the privacy-preserving dataset, executing