
CN-122020713-A - Privacy protection model training method based on federal learning

CN122020713A

Abstract

The invention discloses a privacy-preserving model training method based on federated learning, in the field of machine learning, comprising the steps of: defining a model structure on a server and initializing the global model parameters and training parameters; extracting feature vectors on each client to form a local training data set; downloading the current global model parameters and training parameters from the server; performing norm clipping after local training and adding Gaussian noise; reporting the noisy result to the server through a secure aggregation protocol that supports client-side offline (dropout) fault tolerance; averaging the aggregate sum and updating the global model parameters; accumulating the overall privacy expenditure of all training rounds through a privacy accountant; and judging whether the overall privacy expenditure reaches an expenditure threshold, ending training if so, and otherwise adjusting the training parameters and returning to the step in which all clients download parameters from the server. According to the invention, model training is carried out locally, and because uploads pass through the secure aggregation protocol the server side can only obtain the summed result.

Inventors

  • Zhang Tuoliang
  • WU YAOQIN
  • SHAO YALI
  • ZHANG WENLIANG
  • YANG JINQIU
  • DONG JING
  • ZHANG ZHILIANG
  • WU YUNCHU
  • HUANG CHANGYI

Assignees

  • 北京漂洋过海科技有限责任公司

Dates

Publication Date
2026-05-12
Application Date
2026-01-26

Claims (10)

  1. A privacy-preserving model training method based on federated learning, characterized by comprising the following steps: defining a model structure on a server and initializing global model parameters and training parameters; enabling each client to extract feature vectors based on its local behavior log and construct a local training data set , which is always kept local to the client; having each client download the current global model parameters and training parameters from the server and perform local training with its local training data set to obtain a local model update; performing norm clipping on the local model update and adding Gaussian noise to obtain a noisy result; reporting the noisy result to the server through a secure aggregation protocol, so that the server can only obtain the aggregate sum over all clients, wherein the secure aggregation protocol supports client disconnection (dropout) fault tolerance; having the server average the aggregate sum and update the global model parameters; calculating the overall privacy expenditure of all training rounds cumulatively through a privacy accountant; and judging whether the overall privacy expenditure reaches an expenditure threshold, and if so, ending training, otherwise adjusting the training parameters and returning to the step in which each client downloads parameters from the server.
  2. The federated learning-based privacy-preserving model training method of claim 1, wherein the local model update is a gradient update, and performing norm clipping and adding Gaussian noise specifically comprises: performing L2 norm clipping on the gradient to obtain a clipped gradient of ; adding Gaussian noise to the clipped gradient to obtain a noisy result , wherein represents the identity matrix of the same dimension as the gradient vector, represents the clipping threshold, and represents the Gaussian noise multiplier.
  3. The federated learning-based privacy-preserving model training method of claim 1, wherein the local model update is a parameter-difference update, and performing norm clipping and adding Gaussian noise specifically comprises: performing L2 norm clipping on the parameter difference to obtain a clipped parameter difference of ; adding Gaussian noise to the clipped parameter difference to obtain a noisy result , wherein represents the identity matrix of the same dimension as the parameter-difference vector, represents the clipping threshold, and represents the Gaussian noise multiplier.
  4. The federated learning-based privacy-preserving model training method of claim 1, wherein the secure aggregation protocol is based on additive secret sharing, specifically: each client splits its noisy result into a plurality of secret shares and distributes the shares to a plurality of aggregation participants; the aggregation participants add up all the shares they receive to obtain the aggregate sum, wherein no single aggregation participant can recover a client's noisy result from that client's individual share.
  5. The federated learning-based privacy-preserving model training method of claim 1, wherein the secure aggregation protocol uses pairwise random masking based on key agreement, specifically: each client generates a public/private key pair; each client negotiates with every other client through a key agreement protocol to generate a pairwise random mask; each client adds its noisy result and all of its pairwise random masks and uploads the result to the server; and the server adds up the masked results uploaded by all clients to obtain the aggregate sum, wherein the pairwise random masks cancel each other out during aggregation.
  6. The federated learning-based privacy-preserving model training method of claim 5, wherein the secure aggregation protocol supports client-side offline fault tolerance, specifically: when the server detects that a client has disconnected, it judges whether the number of online clients reaches a preset threshold; if so, the server works with the online clients to recover the mask information of the offline client, eliminates the residual mask from the aggregation result using the recovered mask information, and completes the aggregation; if not, it terminates the current round of aggregation.
  7. The federated learning-based privacy-preserving model training method of claim 1, wherein the updated global model parameters are , wherein represents the current global model parameters, represents the global learning rate, and represents the subset of clients participating in the current round.
  8. The federated learning-based privacy-preserving model training method of claim 1, wherein the privacy accountant calculates the overall privacy expenditure , based on the sampling rate q and the total number of training rounds T, using the moments accountant or Rényi differential privacy (RDP) as , wherein σ represents the Gaussian noise multiplier, represents the probability of privacy failure, q = K/N, K represents the number of clients participating per round, and N represents the total number of clients.
  9. The federated learning-based privacy-preserving model training method of claim 1, wherein the feature vectors include at least one of order-taking rate, average dwell time, active-period distribution, and behavior-category frequency.
  10. The federated learning-based privacy-preserving model training method of claim 1, wherein the training parameters include at least the clipping threshold , the Gaussian noise multiplier , the sampling rate q, the total number of training rounds T, the number of local training rounds E, and the global learning rate η.
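The per-client step of claims 2 and 3 (L2 norm clipping followed by Gaussian noise) and the server-side averaging of claim 7, written out as an added example; this is not the patent's code. The clipping rule g / max(1, ||g||_2 / C), the noise scale σ·C per coordinate, and the sign convention in `server_update` are the standard DP-SGD/FedAvg forms and are assumptions here, since the patent's own formulas are not reproduced on the page. `simulate_round` stands in for secure aggregation with a plain sum, so that only the clipping, noising and averaging are on display.

```python
import math
import random
from typing import List, Optional, Sequence

Vector = List[float]


def l2_norm(v: Sequence[float]) -> float:
    return math.sqrt(sum(x * x for x in v))


def clip_l2(update: Sequence[float], clip_threshold: float) -> Vector:
    """Scale the update down so its L2 norm is at most the clipping threshold C.

    Uses the usual DP-SGD rule g / max(1, ||g||_2 / C) (assumed; the patent's own
    clipping formula is elided on the page). Updates already inside the ball are
    returned unchanged, so clipping never amplifies an update."""
    if clip_threshold <= 0:
        raise ValueError("clip threshold must be positive")
    scale = max(1.0, l2_norm(update) / clip_threshold)
    return [x / scale for x in update]


def add_gaussian_noise(update: Sequence[float], clip_threshold: float,
                       noise_multiplier: float, rng: random.Random) -> Vector:
    """Add N(0, (sigma * C)^2 I) noise: independent Gaussian noise per coordinate with
    standard deviation sigma * C, which is what 'sigma times the identity matrix of the
    same dimension as the update' amounts to."""
    std = noise_multiplier * clip_threshold
    return [x + rng.gauss(0.0, std) for x in update]


def noisy_local_update(update: Sequence[float], clip_threshold: float,
                       noise_multiplier: float, rng: Optional[random.Random] = None) -> Vector:
    """The per-client step before secure aggregation: clip first, then add noise.

    The same code serves a gradient update (claim 2) and a parameter-difference
    update (claim 3); only the meaning of the vector changes."""
    if rng is None:
        rng = random.SystemRandom()  # cryptographic randomness for real use
    clipped = clip_l2(update, clip_threshold)
    return add_gaussian_noise(clipped, clip_threshold, noise_multiplier, rng)


def server_update(global_params: Sequence[float], aggregate_sum: Sequence[float],
                  num_participants: int, learning_rate: float,
                  update_is_gradient: bool = False) -> Vector:
    """Average the aggregate sum over the participating clients and apply it with the
    global learning rate eta. A parameter difference is added, a gradient is subtracted
    (assumed convention, since the page's update formula is elided)."""
    if num_participants <= 0:
        raise ValueError("no participating clients")
    direction = -1.0 if update_is_gradient else 1.0
    return [w + direction * learning_rate * s / num_participants
            for w, s in zip(global_params, aggregate_sum)]


def simulate_round(global_params: Sequence[float], client_updates: Sequence[Sequence[float]],
                   clip_threshold: float, noise_multiplier: float,
                   learning_rate: float, seed: int = 0) -> Vector:
    """One federated round on constructed data: every client clips and noises its update,
    a plain sum stands in for the secure-aggregation output, and the server averages it
    into the global model."""
    rng = random.Random(seed)  # seeded only so the example is reproducible
    noisy = [noisy_local_update(u, clip_threshold, noise_multiplier, rng) for u in client_updates]
    aggregate = [sum(col) for col in zip(*noisy)]
    return server_update(global_params, aggregate, len(client_updates), learning_rate)


if __name__ == "__main__":
    # Constructed sample: three clients, a two-parameter model.
    updates = [[3.0, 4.0], [0.1, -0.2], [-6.0, 8.0]]
    print(simulate_round([0.0, 0.0], updates, clip_threshold=1.0,
                         noise_multiplier=1.0, learning_rate=0.5))
```

Clipping before noising is what makes the noise scale meaningful: the noise is calibrated to the clipping threshold C, so if a client skipped clipping the σ·C noise would no longer bound the influence of any one record.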

Description

Privacy protection model training method based on federated learning

Technical Field

The invention relates to the field of machine learning, and in particular to a privacy-preserving model training method based on federated learning.

Background

The campus service platform needs to model user behaviors such as task order-taking rate, browsing habits, learning periods and travel tracks in order to improve its recommendation and security strategies. Uploading raw behavioral data to a central server creates privacy risks and triggers regulatory compliance requirements such as personal information protection. In the prior art, privacy disclosure risks usually arise from direct centralized training or from relying on pseudonymization alone. A solution is therefore needed that trains the global model efficiently while strictly protecting user privacy.

Disclosure of Invention

The invention provides a privacy-preserving model training method based on federated learning, which is used to overcome at least one technical problem existing in the prior art.
The embodiment of the invention provides a privacy-preserving model training method based on federated learning, which comprises the following steps: defining a model structure on a server and initializing global model parameters and training parameters; enabling each client to extract feature vectors based on its local behavior log and construct a local training data set , which is always kept local to the client; having each client download the current global model parameters and training parameters from the server and perform local training with its local training data set to obtain a local model update; performing norm clipping on the local model update and adding Gaussian noise to obtain a noisy result; reporting the noisy result to the server through a secure aggregation protocol, so that the server can only obtain the aggregate sum over all clients, wherein the secure aggregation protocol supports client disconnection (dropout) fault tolerance; having the server average the aggregate sum and update the global model parameters; calculating the overall privacy expenditure of all training rounds cumulatively through a privacy accountant; and judging whether the overall privacy expenditure reaches an expenditure threshold, and if so, ending training, otherwise adjusting the training parameters and returning to the step in which each client downloads parameters from the server. Optionally, the local model update is a gradient update, and performing norm clipping and adding Gaussian noise specifically comprises: performing L2 norm clipping on the gradient to obtain a clipped gradient of ; adding Gaussian noise to the clipped gradient to obtain a noisy result , wherein represents the identity matrix of the same dimension as the gradient vector, represents the clipping threshold, and represents the Gaussian noise multiplier.
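The privacy accountant that the step list above relies on (and that claim 8 specifies as a moments accountant or RDP accountant over the sampling rate q, noise multiplier σ, total rounds T and failure probability δ), as an added example rather than the patent's code. It uses the integer-order closed form of Mironov, Talwar and Zhang (2019) for the Poisson-subsampled Gaussian mechanism and the standard RDP-to-(ε, δ) conversion ε = T·rdp(α) + log(1/δ)/(α−1), minimised over α; that the patent uses exactly these formulas is an assumption, since its expression is elided on the page. The candidate orders 2..64 and the sample values (q = 0.01, σ = 1.1, δ = 1e-5) are constructed for the example.

```python
import math
from typing import Dict, Iterable, Optional


def _logsumexp(values):
    top = max(values)
    return top + math.log(sum(math.exp(v - top) for v in values))


def rdp_sampled_gaussian(q: float, sigma: float, alpha: int) -> float:
    """RDP epsilon of integer order alpha for ONE round of the subsampled Gaussian
    mechanism with Poisson sampling rate q and noise multiplier sigma.

    Closed form for integer alpha (Mironov, Talwar and Zhang, 2019):
        A_alpha = sum_{k=0}^{alpha} C(alpha,k) (1-q)^(alpha-k) q^k exp((k^2-k)/(2 sigma^2))
        epsilon(alpha) = log(A_alpha) / (alpha - 1)
    Evaluated in log space so that large alpha does not overflow."""
    if not 0.0 <= q <= 1.0 or sigma <= 0.0 or alpha < 2:
        raise ValueError("need 0 <= q <= 1, sigma > 0 and integer alpha >= 2")
    if q == 0.0:
        return 0.0  # nobody was sampled: nothing spent this round
    log_terms = []
    for k in range(alpha + 1):
        if q == 1.0 and k < alpha:
            continue  # (1 - q)^(alpha - k) is exactly zero
        log_term = math.log(math.comb(alpha, k)) + k * math.log(q) + (k * k - k) / (2.0 * sigma ** 2)
        if k < alpha:
            log_term += (alpha - k) * math.log1p(-q)
        log_terms.append(log_term)
    return _logsumexp(log_terms) / (alpha - 1)


class PrivacyAccountant:
    """Cumulative privacy spend across rounds. RDP composes by addition, so the per-round
    RDP curve is computed once and multiplied by the round count; the (epsilon, delta)
    guarantee is epsilon = min_alpha [T * rdp(alpha) + log(1/delta) / (alpha - 1)]."""

    def __init__(self, q: float, sigma: float, delta: float,
                 orders: Iterable[int] = range(2, 65)):
        self.delta = delta
        self.rdp_per_round: Dict[int, float] = {a: rdp_sampled_gaussian(q, sigma, a) for a in orders}
        self.rounds = 0

    def record_round(self) -> None:
        self.rounds += 1

    def epsilon(self, rounds: Optional[int] = None) -> float:
        t = self.rounds if rounds is None else rounds
        log_inv_delta = math.log(1.0 / self.delta)
        return min(t * rdp + log_inv_delta / (a - 1) for a, rdp in self.rdp_per_round.items())

    def budget_reached(self, epsilon_budget: float) -> bool:
        """The stopping test of the training loop: stop once the spend reaches the budget."""
        return self.epsilon() >= epsilon_budget


def rounds_within_budget(q: float, sigma: float, delta: float,
                         epsilon_budget: float, max_rounds: int) -> int:
    """How many rounds can run before the overall spend reaches the budget, i.e. the
    same stopping rule evaluated up front to size a training run."""
    acc = PrivacyAccountant(q, sigma, delta)
    for t in range(1, max_rounds + 1):
        if acc.epsilon(t) >= epsilon_budget:
            return t - 1
    return max_rounds


if __name__ == "__main__":
    acc = PrivacyAccountant(q=0.01, sigma=1.1, delta=1e-5)  # constructed parameters
    for _ in range(100):
        acc.record_round()
    print("epsilon after 100 rounds:", round(acc.epsilon(), 3))
    print("rounds before epsilon 2.0:", rounds_within_budget(0.01, 1.1, 1e-5, 2.0, 5000))
```

Two points worth checking against any accountant: for q = 1 (no subsampling) the formula must collapse to the plain Gaussian value α/(2σ²), and the reported ε must never decrease as rounds are added. Note also that the accountant only covers the Gaussian noise step; the secure aggregation protocol adds no privacy cost but also gives no central-DP guarantee of its own.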
Optionally, the local model update is a parameter-difference update, and performing norm clipping and adding Gaussian noise specifically comprises: performing L2 norm clipping on the parameter difference to obtain a clipped parameter difference of ; adding Gaussian noise to the clipped parameter difference to obtain a noisy result , wherein represents the identity matrix of the same dimension as the parameter-difference vector, represents the clipping threshold, and represents the Gaussian noise multiplier. Optionally, the secure aggregation protocol is based on additive secret sharing, specifically: each client splits its noisy result into a plurality of secret shares and distributes the shares to a plurality of aggregation participants; the aggregation participants add up all the shares they receive to obtain the aggregate sum, wherein no single aggregation participant can recover a client's noisy result from that client's individual share. Optionally, the secure aggregation protocol uses pairwise random masking based on key agreement, which specifically comprises the following steps: each client generates a public/private key pair; each client negotiates with every other client through a key agreement protocol to generate a pairwise random mask; each client adds its noisy result and all of its pairwise random masks and uploads the result to the server; and the server adds up the masked results uploaded by all clients to obtain the aggregate sum, wherein the pairwise random masks cancel each other out during aggregation.
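The additive secret-sharing variant of secure aggregation (claim 4 and the paragraph above), as an added example that is not the patent's code. Noisy results are real-valued, so they are first quantised to a fixed-point integer in a prime field (the field modulus 2^61 − 1 and scale 10^6 are constructed choices); each coordinate is then split into one share per aggregation participant, every participant adds up what it received, and the participants' partial sums add to the sum of all clients' inputs.

```python
import secrets
from typing import List

PRIME = (1 << 61) - 1   # field modulus for the shares (constructed choice for the example)
SCALE = 10 ** 6         # fixed-point factor: noisy floats become integers before sharing


def encode(x: float) -> int:
    """Quantise a real value into the field; negative values wrap around modulo PRIME."""
    return round(x * SCALE) % PRIME


def decode(v: int) -> float:
    """Inverse of encode: field elements above PRIME/2 are the wrapped negatives."""
    if v > PRIME // 2:
        v -= PRIME
    return v / SCALE


def split_shares(value: int, n_parties: int) -> List[int]:
    """Additive sharing: n-1 uniformly random shares plus one chosen so that they sum
    to the value. Any n-1 of the shares are uniformly random on their own, which is
    why a single participant learns nothing from the share it holds."""
    shares = [secrets.randbelow(PRIME) for _ in range(n_parties - 1)]
    shares.append((value - sum(shares)) % PRIME)
    return shares


def client_share_vector(noisy_result: List[float], n_parties: int) -> List[List[int]]:
    """What one client sends: share vector p goes to aggregation participant p."""
    per_coord = [split_shares(encode(x), n_parties) for x in noisy_result]
    return [[coord[p] for coord in per_coord] for p in range(n_parties)]


def participant_sum(received: List[List[int]]) -> List[int]:
    """An aggregation participant adds the share vectors it received, coordinate-wise."""
    return [sum(col) % PRIME for col in zip(*received)]


def combine(partial_sums: List[List[int]]) -> List[float]:
    """The participants' partial sums add up to the sum of the clients' inputs."""
    return [decode(sum(col) % PRIME) for col in zip(*partial_sums)]


def aggregate_via_secret_sharing(noisy_results: List[List[float]], n_parties: int) -> List[float]:
    """Run the whole exchange in-process: clients share, participants sum, sums combine."""
    inboxes: List[List[List[int]]] = [[] for _ in range(n_parties)]
    for result in noisy_results:
        for p, vec in enumerate(client_share_vector(result, n_parties)):
            inboxes[p].append(vec)
    return combine([participant_sum(box) for box in inboxes])


if __name__ == "__main__":
    # Constructed noisy results from three clients, aggregated by two participants.
    print(aggregate_via_secret_sharing([[0.5, -1.25, 2.0], [1.0, 0.0, -3.0], [0.25, 0.25, 0.25]], 2))
```

The guarantee holds only as long as the aggregation participants do not pool their shares: a coalition holding all n shares of a client recovers that client's noisy result, so the participants must be independently operated, and the quantisation scale bounds the precision the aggregate can carry.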
Optionally, the secure aggregation protocol supports client-side offline fault tolerance, specifically: when the server detects that a client has disconnected, it judges whether the number of online clients reaches a preset threshold; if so, the server works with the online clients to recover the mask information of the offline client, eliminates the residual mask from the aggregation result using the recovered mask information to complete the aggregation, and if not, term
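The pairwise-masking protocol (claim 5) together with the dropout recovery of claim 6 and the paragraph above, as an added example that is not the patent's code. The concrete mechanics are assumptions modelled on the Bonawitz et al. secure aggregation protocol: a toy Diffie-Hellman key agreement over the prime 2^127 − 1 with base 3 (far below production sizes; a real deployment would use a standard elliptic-curve agreement), a SHA-256-based PRG that expands each pairwise secret into a mask vector, masks added with a plus sign towards higher client ids and a minus sign towards lower ones so they cancel in the sum, and Shamir sharing of each client's private key among the other clients so that, when at least `threshold` clients remain online, the server can reconstruct a dropped client's key and remove the masks its online peers still carry for it. Updates are assumed to be already quantised to integers; client ids must be 1..n because they double as Shamir share indices.

```python
import hashlib
import secrets
from typing import Dict, List, Optional

# Toy parameters, constructed for this example (far below production sizes).
P_DH = (1 << 127) - 1    # prime modulus for the Diffie-Hellman agreement and Shamir sharing
G = 3                    # Diffie-Hellman base
P_FIELD = (1 << 61) - 1  # field in which quantised updates and masks are added
DIM = 4                  # length of each client's already-quantised integer update


def prg(seed: bytes, dim: int = DIM) -> List[int]:
    """Expand a shared seed into a mask vector (hash-based PRG; assumed construction)."""
    return [int.from_bytes(hashlib.sha256(seed + k.to_bytes(4, "big")).digest(), "big") % P_FIELD
            for k in range(dim)]


def pair_seed(own_sk: int, peer_pk: int) -> bytes:
    """Both members of a pair derive the same seed from g^(sk_i * sk_j)."""
    return hashlib.sha256(str(pow(peer_pk, own_sk, P_DH)).encode()).digest()


def shamir_split(secret: int, n: int, threshold: int) -> Dict[int, int]:
    """Shares of `secret` for holders 1..n; any `threshold` of them reconstruct it."""
    coeffs = [secret] + [secrets.randbelow(P_DH) for _ in range(threshold - 1)]
    return {x: sum(c * pow(x, e, P_DH) for e, c in enumerate(coeffs)) % P_DH for x in range(1, n + 1)}


def shamir_recover(shares: Dict[int, int]) -> int:
    """Lagrange interpolation at x = 0 over the prime field."""
    secret = 0
    for xi, yi in shares.items():
        num = den = 1
        for xj in shares:
            if xj != xi:
                num = num * (-xj) % P_DH
                den = den * (xi - xj) % P_DH
        secret = (secret + yi * num * pow(den, -1, P_DH)) % P_DH
    return secret


class Client:
    def __init__(self, cid: int, update: List[int]):
        self.cid, self.update = cid, [v % P_FIELD for v in update]
        self.sk = secrets.randbelow(P_DH - 2) + 1
        self.pk = pow(G, self.sk, P_DH)

    def masked_update(self, pks: Dict[int, int]) -> List[int]:
        """x_i plus the pairwise masks: +PRG(s_ij) for j > i, -PRG(s_ij) for j < i.
        Summed over all clients, every mask appears once with each sign and cancels."""
        out = list(self.update)
        for j, pk in pks.items():
            if j == self.cid:
                continue
            sign = 1 if j > self.cid else -1
            for k, m in enumerate(prg(pair_seed(self.sk, pk))):
                out[k] = (out[k] + sign * m) % P_FIELD
        return out


def server_aggregate(masked: Dict[int, List[int]], pks: Dict[int, int],
                     key_shares: Dict[int, Dict[int, int]], threshold: int) -> Optional[List[int]]:
    """Sum the masked uploads of the online clients. For every dropped client, if at least
    `threshold` clients are online, reconstruct its private key from their shares and
    remove the masks its online peers still carry for it; otherwise abort the round (None)."""
    online = sorted(masked)
    if len(online) < threshold:
        return None
    total = [0] * DIM
    for vec in masked.values():
        total = [(a + b) % P_FIELD for a, b in zip(total, vec)]
    for d in (c for c in pks if c not in masked):
        held = {h: s for h, s in key_shares[d].items() if h in masked}
        sk_d = shamir_recover(dict(list(held.items())[:threshold]))
        for j in online:
            sign = 1 if d > j else -1  # the sign client j used for its term with d
            for k, m in enumerate(prg(pair_seed(sk_d, pks[j]))):
                total[k] = (total[k] - sign * m) % P_FIELD
    return total


def run_round(updates: Dict[int, List[int]], dropped: List[int], threshold: int) -> Optional[List[int]]:
    """A whole round on constructed data: key setup, key sharing, masked uploads (the
    clients in `dropped` never upload), then server-side aggregation and recovery."""
    clients = {cid: Client(cid, u) for cid, u in updates.items()}
    pks = {cid: c.pk for cid, c in clients.items()}
    key_shares = {cid: shamir_split(c.sk, len(clients), threshold) for cid, c in clients.items()}
    masked = {cid: c.masked_update(pks) for cid, c in clients.items() if cid not in dropped}
    return server_aggregate(masked, pks, key_shares, threshold)


def plain_sum(updates: Dict[int, List[int]], dropped: List[int]) -> List[int]:
    """Reference value the server should end up with: the sum over clients that stayed online."""
    return [sum(u[k] for cid, u in updates.items() if cid not in dropped) % P_FIELD for k in range(DIM)]


if __name__ == "__main__":
    upd = {1: [1, 2, 3, 4], 2: [10, 20, 30, 40], 3: [5, 5, 5, 5], 4: [0, 1, 0, 1]}
    print(run_round(upd, dropped=[2], threshold=3), plain_sum(upd, [2]))
```

Two caveats a deployment must handle that this simplified version does not: the threshold has to exceed the number of clients the server could collude with, since that many key shares let the server unmask any client it declares dropped; and Bonawitz et al. add a second, per-client self-mask whose seed is also Shamir-shared precisely so that a client's upload arriving after it was declared dropped cannot be unmasked on its own. The `None` return is the "terminate the round" branch, and it is the correct outcome: partial aggregation with residual masks would yield garbage rather than a privacy leak, but retrying with a smaller cohort would silently weaken the guarantee.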