
CN-122021803-A - Method capable of revealing artificial intelligence


Abstract

The invention discloses a method capable of revealing artificial intelligence, comprising the following steps: in the initialization stage of a federated learning system, a central server establishes a global machine learning model and distributes initial model parameters to all client devices participating in federated learning; at the same time, the central server configures differentiated initial values of the privacy protection parameters for each client, the privacy protection parameters comprising a privacy budget allocation strategy, a noise addition mechanism and local training round control parameters.

Inventors

  • ZHANG YANJUN
  • SUN XIAOYU

Assignees

  • 中山职业技术学院

Dates

Publication Date: 2026-05-12
Application Date: 2026-01-20

Claims (9)

  1. A method of revealing artificial intelligence, the method comprising the steps of:
     (1) a federated learning system initialization stage, in which a central server establishes a global machine learning model and distributes initial model parameters to all client devices participating in federated learning;
     (2) a local model training and privacy assessment stage, in which each client device receives the global model parameters, performs model training on its local data set, and simultaneously monitors in real time the local data feature distribution, data sensitivity and information leakage risk indices during training;
     (3) based on the privacy protection requirement assessment report generated in step (2), each client device independently runs a privacy parameter optimization algorithm which jointly considers local data characteristics, training task complexity, device computing capacity constraints and user privacy preference settings, and dynamically adjusts key parameters of the differential privacy mechanism, including but not limited to the choice of noise distribution type, a self-adaptive noise scale calibration mechanism, a non-uniform privacy budget allocation strategy across training rounds and personalized setting of gradient clipping thresholds;
     (4) a privacy-enhanced local model update generation stage, comprising performing sensitivity analysis on the model gradient or parameter update, adaptively determining a clipping boundary according to data characteristics, perturbing the model update with the optimized noise addition strategy, and ensuring that the output of each client meets its personally defined differential privacy guarantee level;
     (5) a privacy-aware client selection and weight distribution stage, in which the central server receives the model update submitted by each client after privacy protection processing and performs client contribution assessment; the evaluation mechanism jointly considers model update quality, privacy protection intensity, data distribution representativeness and historical participation reliability, and assigns an appropriate aggregation weight to each client;
     (6) the central server uses a privacy-preserving aggregation protocol to securely aggregate the model updates of the selected clients, keeping the update provided by each client confidential during aggregation;
     (7) the central server analyzes the balance between the performance indices of the global model and the overall privacy protection level, and adjusts the global privacy protection policy parameters for the next training round based on a multi-objective optimization framework, including privacy budget allocation policy adjustment, client selection criteria optimization and aggregation mechanism parameter updates;
     (8) a personalized federated learning model delivery stage, in which, after a preset number of training rounds is completed or a model convergence condition is reached, the central server generates a final global model and simultaneously generates a personalized model adaptation scheme for each participating client, the scheme providing a targeted model fine-tuning scheme and a privacy protection post-processing scheme according to each client's data distribution characteristics and privacy preferences observed during training.
  2. The method of claim 1, wherein the privacy risk assessment module in step (2) employs a multi-layer assessment architecture comprising:
     a data layer risk assessment submodule, which analyzes the statistical characteristics of a client's local data set, the correlation among data records, the distribution of sensitive attributes and the data scarcity characteristics, and quantifies the baseline level of inherent privacy leakage risk of the data set by calculating the dispersion of data feature vectors in feature space, the ratio of inter-class to intra-class distances and the occurrence frequency of key attribute values;
     a query layer risk assessment submodule, which monitors all access patterns and query operations on the local data set during training, records the access frequency and regularity of data access in model training and the characteristics of the data sample subset on which each parameter update depends, analyzes the degree to which sensitive data points are relied upon at different training steps by constructing a query-data influence matrix, and identifies high-risk operation sequences in which combinations of multiple queries could cause privacy leakage;
     a membership inference attack vulnerability assessment submodule, which locally simulates a membership inference attack scenario, assesses how strongly the model in its current training state has memorized specific samples of the training data set by constructing a shadow model and an attack model, quantifies the model's ability to distinguish training set members from non-member samples, and thereby directly reflects the model's vulnerability level when facing a membership inference attack;
     a context-aware privacy demand analysis submodule, which integrates device usage environment information, including the security of the network connection type, the trustworthiness of the device's physical location, the sensitivity level of the currently running application and the privacy protection requirements explicitly specified by the user through a privacy preference setting interface, and combines technical privacy risk indices with context factors and the user's subjective preferences to generate a comprehensive privacy protection demand score; and
     a risk assessment fusion and dynamic updating mechanism, which integrates the outputs of the submodules into a unified privacy protection requirement assessment report through a weighted fusion algorithm, the weight coefficients being dynamically adjusted according to the training stage, task type and device resource state, so that the assessment result reflects the real-time trend of privacy protection requirement changes in the current training state.
  3. The method of claim 1, wherein the privacy parameter optimization algorithm in step (3) comprises the following key mechanisms:
     a noise distribution type selection mechanism, which adaptively selects, based on local data characteristics and training task characteristics, the noise distribution best suited to the current privacy protection requirement from among the Gaussian distribution, the Laplace distribution, the exponential mechanism and the randomized response mechanism, the selection being made by comparing the model utility loss, computational efficiency and compatibility with the specific data type of the different distributions under the same privacy budget;
     a self-adaptive noise scale calibration mechanism, which uses a utility-based noise scale optimization method: on the premise of meeting the personalized privacy protection requirement, it establishes a functional relationship between noise scale and model accuracy loss and searches for the noise scale parameter that maximizes model utility; the calibration takes the progress of the training stage into account and gradually adjusts the noise scale as training rounds increase, so as to balance training stability against final model accuracy;
     a non-uniform cross-round privacy budget allocation strategy, which departs from the traditional method of allocating the privacy budget uniformly and adopts a budget allocation algorithm based on training importance: the algorithm identifies key learning stages in the model training process, allocates more privacy budget to training rounds with a large influence on model convergence, and applies stricter privacy protection in less important training stages, the allocation being determined by analyzing each round's contribution to model parameter change and the rate of decrease of the loss function;
     a personalized gradient clipping threshold setting mechanism, which dynamically adjusts the gradient clipping threshold according to the statistical characteristics of each client's local gradients, comprising calculating the norm distribution of gradient vectors during local training, analyzing the statistical characteristics of gradient magnitudes, identifying the influence of abnormal gradient values, and, based on gradient sensitivity analysis and data characteristics, setting a personalized clipping threshold that controls the amount of added noise while maintaining training stability; and
     a privacy parameter joint optimization framework, which formulates the parameter optimization as a multi-objective constrained optimization problem whose objective function simultaneously minimizes privacy leakage risk and model utility loss, whose constraints comprise device computing resource limits, training time requirements and user privacy preference settings, and which solves for a Pareto-optimal parameter set using a multi-objective optimization algorithm to generate a customized differential privacy parameter configuration for each client.
  4. The method of claim 1, wherein the privacy-enhanced local model update process in step (4) comprises:
     a data-aware gradient sensitivity analysis step, which designs a specific gradient sensitivity calculation method for different types of model architectures and training tasks; for a deep learning model it analyzes how the gradient sensitivity to a single training sample differs across the parameters of each layer, and calculates a more accurate gradient sensitivity upper bound by taking the model structure and activation function characteristics into account instead of using a globally uniform conservative estimate;
     a self-adaptive gradient clipping step, in which the clipping threshold of each parameter dimension is dynamically adjusted according to the gradient sensitivity indices calculated in real time, a stricter clipping strategy is applied to high-sensitivity parameters and the clipping limit is appropriately relaxed for low-sensitivity parameters; the clipping thresholds are also adapted across training rounds, with relatively loose clipping in the initial stage to accelerate convergence and gradually tightened clipping in the later stage to raise the privacy protection level;
     a layered noise addition step, which groups model parameters by privacy sensitivity and importance to model performance, adds stronger noise to parameters with high sensitivity and little influence on final model performance, adds weaker noise to core parameters with low sensitivity but key importance to model performance, and bases the layering strategy on a parameter importance analysis that calculates how much a change in each parameter affects the model output;
     a privacy enhancement technology combination step, which combines the differential privacy mechanism with other privacy enhancement technologies, comprising applying sparsification to the model update before adding noise, zeroing small-magnitude parameter updates to reduce the number of parameters that need noise, applying a random rotation or transformation to the model update to make it harder for an attacker to infer the original update, and introducing additional randomization measures while still satisfying differential privacy, so as to improve the defense against advanced inference attacks; and
     a privacy processing verification step, in which the client locally verifies whether the model update after privacy processing meets the preset differential privacy guarantee level; the verification method comprises calculating the statistical characteristics of the actually added noise and analyzing the probability distribution difference of the processed output, ensuring that the privacy processing mechanism is correctly implemented and achieves the declared privacy protection intensity.
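As an added illustration of the local update stage (claim 1 step (4) together with the clipping, layered noise, sparsification and verification steps of claim 4), the following Python sketch is not the patent's code. It assumes a two-layer model with constructed per-sample gradients, a median-of-norms rule for per-layer clipping thresholds, the classic Gaussian-mechanism calibration, per-layer noise multipliers, and a verification step that recomputes epsilon from the noise scale actually applied.

```python
import math
import random
from typing import Dict, List, Tuple

Vec = List[float]

def l2_norm(v: Vec) -> float:
    return math.sqrt(sum(x * x for x in v))

def clip_thresholds(per_sample_grads: Dict[str, List[Vec]],
                    quantile: float = 0.5) -> Dict[str, float]:
    """Data-aware per-layer clipping threshold: a quantile (median by default)
    of that layer's per-sample gradient norms. The patent fixes no formula;
    this rule is an assumption for the demo."""
    thresholds = {}
    for layer, grads in per_sample_grads.items():
        norms = sorted(l2_norm(g) for g in grads)
        idx = min(len(norms) - 1, int(quantile * len(norms)))
        thresholds[layer] = max(norms[idx], 1e-6)
    return thresholds

def clipped_mean(grads: List[Vec], c: float) -> Vec:
    """Scale every per-sample gradient down to L2 norm <= c, then average.
    One sample can then move the mean by at most c / n in L2 norm."""
    n, dim = len(grads), len(grads[0])
    acc = [0.0] * dim
    for g in grads:
        scale = min(1.0, c / max(l2_norm(g), 1e-12))
        for i in range(dim):
            acc[i] += g[i] * scale
    return [a / n for a in acc]

def gaussian_sigma(sensitivity: float, eps: float, delta: float) -> float:
    """Classic Gaussian mechanism calibration (valid for eps <= 1):
    sigma = sqrt(2 ln(1.25/delta)) * sensitivity / eps."""
    return math.sqrt(2.0 * math.log(1.25 / delta)) * sensitivity / eps

def implied_epsilon(sensitivity: float, sigma: float, delta: float) -> float:
    """Invert the calibration: the eps actually delivered by a given sigma."""
    return math.sqrt(2.0 * math.log(1.25 / delta)) * sensitivity / sigma

def sparsify(update: Vec, frac: float) -> Vec:
    """Zero the `frac` share of smallest-magnitude entries before noising.
    Zeroing cannot raise the L2 norm, so the c/n bound on the values holds;
    which indices are zeroed is data-dependent, which a strict accountant
    would have to charge for separately."""
    k = int(len(update) * frac)
    order = sorted(range(len(update)), key=lambda i: abs(update[i]))
    drop = set(order[:k])
    return [0.0 if i in drop else x for i, x in enumerate(update)]

def private_update(per_sample_grads: Dict[str, List[Vec]],
                   eps_per_layer: Dict[str, float], delta: float,
                   noise_multiplier: Dict[str, float], sparsity: float,
                   rng: random.Random) -> Tuple[Dict[str, Vec], Dict[str, dict]]:
    """Clip per layer, sparsify, add layered Gaussian noise; return the noisy
    update plus a report of the parameters actually applied."""
    thresholds = clip_thresholds(per_sample_grads)
    update, report = {}, {}
    for layer, grads in per_sample_grads.items():
        c = thresholds[layer]
        mean = sparsify(clipped_mean(grads, c), sparsity)
        sensitivity = c / len(grads)
        # multiplier >= 1 for sensitive-but-unimportant layers: extra noise
        sigma = gaussian_sigma(sensitivity, eps_per_layer[layer], delta)
        sigma *= noise_multiplier[layer]
        update[layer] = [x + rng.gauss(0.0, sigma) for x in mean]
        report[layer] = {"clip": c, "sensitivity": sensitivity, "sigma": sigma}
    return update, report

def verify_privacy(report: Dict[str, dict], eps_per_layer: Dict[str, float],
                   delta: float) -> Tuple[bool, float]:
    """Claim 4 verification step: recompute each layer's eps from the noise
    that was really applied, check it against the declared target, and return
    the basic-composition total over layers (the deltas add up likewise)."""
    total = 0.0
    for layer, r in report.items():
        eps = implied_epsilon(r["sensitivity"], r["sigma"], delta)
        if eps > eps_per_layer[layer] + 1e-9:
            return False, total
        total += eps
    return True, total

# Constructed sample input: two layers, four per-sample gradients each.
SAMPLE_GRADS = {
    "embedding": [[1.0, 0.0], [0.0, 2.0], [3.0, 0.0], [0.0, 4.0]],
    "classifier": [[0.2, 0.1], [0.3, -0.4], [0.1, 0.0], [-0.5, 0.2]],
}
EPS_PER_LAYER = {"embedding": 0.5, "classifier": 0.8}
NOISE_MULTIPLIER = {"embedding": 2.0, "classifier": 1.0}

def demo_run(seed: int) -> Tuple[bool, float]:
    """Run the constructed sample end to end and verify it."""
    _, report = private_update(SAMPLE_GRADS, EPS_PER_LAYER, 1e-5,
                               NOISE_MULTIPLIER, 0.5, random.Random(seed))
    return verify_privacy(report, EPS_PER_LAYER, 1e-5)
```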
  5. The method of claim 1, wherein the client selection and weight distribution mechanism in step (5) comprises:
     a multi-dimensional contribution assessment model, which assesses each client's contribution from four dimensions: the model update quality dimension is quantified by comparing the consistency of the client's submitted model update with the global model improvement direction, the appropriateness of the update magnitude and the contribution to loss function reduction; the privacy protection intensity dimension is evaluated by analyzing the privacy protection parameter settings actually adopted by the client, the efficiency of privacy budget use and the privacy processing verification results; the data distribution representativeness dimension is measured by the similarity between the client's local data distribution and the global data distribution, the contribution of data distribution diversity and the ability to cover blind areas of the data space;
     a self-adaptive weight distribution algorithm, which converts the multi-dimensional contribution evaluation result into an aggregation weight through a learnable weight fusion function whose parameters are learned from historical training data, so that the importance of each dimension is automatically adjusted for different training tasks and stages; the weight distribution process takes fairness constraints into account, avoiding long-term domination of model training by clients with large data volume or strong computing capacity, while incentivizing clients to provide high-quality updates and appropriate privacy protection;
     a privacy-aware client selection strategy, in which, before each training round, a subset of clients participating in training is selected from all available clients by jointly considering the following selection criteria: whether the client's privacy protection capability matches the global privacy target of the round, whether the client's data supplements knowledge gaps of the current model, whether the client's computing and communication capability meets the training requirements, and whether the client's privacy preferences are compatible with the global strategy; the selection is realized through an optimization algorithm that maximizes the expected contribution of the selected client set subject to the privacy constraints; and
     a dynamic adjustment mechanism, which adjusts the client selection and weight distribution strategies according to training progress: in the early stage of training it focuses on data diversity and selects clients with widely differing data distributions to obtain broad knowledge, in the middle stage it focuses on update quality and preferentially selects clients that can provide high-quality updates, and in the later stage it focuses on privacy protection and preferentially selects clients with strong privacy protection capability and reliability, ensuring that the final model achieves high performance while meeting the privacy requirements.
  6. The method of claim 1, wherein the secure multiparty aggregation protocol in step (6) comprises:
     a privacy-preserving aggregation mechanism based on homomorphic encryption, which allows a client to encrypt its model update after privacy processing with the central server's public key; the central server aggregates the updates of all clients in ciphertext form, the homomorphic encryption algorithm supporting addition of encrypted model updates, and after aggregation is complete the central server decrypts the aggregated ciphertext with its private key, the process ensuring that the central server cannot obtain the model update contents of any single client during aggregation;
     a secure multiparty computation aggregation mechanism, which enables multiple clients to jointly compute the aggregate of their model updates through a cryptographic protocol without revealing their respective inputs to any participant (including the central server); it adopts secret sharing, each client splitting its model update into multiple shares and distributing them to other clients or dedicated computing nodes, and the aggregate result is computed cooperatively through the secure multiparty computation protocol, so that the mechanism protects the privacy of client updates even when the central server is not fully trusted;
     a combination mechanism of differential privacy and secure aggregation, which provides dual privacy protection by having the client apply differential privacy protection to its model update locally and then transmit and aggregate the update through the secure aggregation protocol, so that a theoretical privacy guarantee remains even if the secure aggregation mechanism is partially compromised; the combination mechanism also optimizes the calculation of the overall privacy budget and provides a tighter privacy loss accumulation bound by analyzing the interaction of the two protection mechanisms;
     a verifiable aggregation mechanism, which allows clients to verify that the central server has performed the aggregation operation correctly without revealing the update contents of other clients: clients submit model updates together with zero-knowledge proofs that their updates satisfy certain properties (for example, lying within a certain range or having had appropriate noise added), while the central server provides a proof of aggregation correctness so that clients can verify that their updates are correctly included in the aggregation result, preventing the server from maliciously tampering with or discarding the updates of certain clients; and
     an efficient aggregation optimization technology, which optimizes the performance of the secure aggregation protocol for the federated learning scenario, comprising adopting progressive aggregation to reduce communication rounds, using model update compression to reduce the amount of data that must be encrypted and transmitted, designing a batch verification mechanism to improve verification efficiency, and supporting the dynamic joining and leaving of clients without affecting protocol security, ensuring that privacy-preserving aggregation is practically feasible in resource-limited federated learning environments.
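As an added illustration of the secret-sharing aggregation of claim 6 combined with locally applied differential privacy (not the patent's code), the following Python sketch lets each client split its already-noised, server-weighted update into additive shares so that the server only ever sees masked partial sums. It assumes a fixed-point encoding with 16 fractional bits, a ring modulus of 2^31, constructed client updates and server-assigned public weights.

```python
import random
from typing import List

Q = 2 ** 31      # ring modulus (assumed); must exceed the magnitude of any sum
SCALE = 2 ** 16  # fixed-point encoding with 16 fractional bits (assumed)

def encode(x: float) -> int:
    """Fixed-point encode a real value into Z_Q (negative values wrap around)."""
    return int(round(x * SCALE)) % Q

def decode(v: int) -> float:
    """Inverse of encode for a (possibly summed) ring element."""
    v %= Q
    if v >= Q // 2:
        v -= Q
    return v / SCALE

def split_shares(value: int, n: int, rng: random.Random) -> List[int]:
    """Additive secret sharing over Z_Q: n-1 uniformly random shares plus one
    residual share; any n-1 of them are uniform and reveal nothing."""
    shares = [rng.randrange(Q) for _ in range(n - 1)]
    shares.append((value - sum(shares)) % Q)
    return shares

def reconstruct(shares: List[int]) -> int:
    return sum(shares) % Q

def secure_weighted_aggregate(updates: List[List[float]], weights: List[float],
                              rng: random.Random) -> List[float]:
    """Each client i scales its (already DP-noised) update by its public weight,
    encodes it, and sends one share of every coordinate to every party j.
    Each party forwards only the SUM of the shares it received; the server adds
    those partial sums and decodes sum_i w_i * update_i. No party, the server
    included, ever holds a single client's update in the clear."""
    n, dim = len(updates), len(updates[0])
    # inbox[j][i][k]: share of client i's k-th coordinate held by party j
    inbox = [[[0] * dim for _ in range(n)] for _ in range(n)]
    for i, upd in enumerate(updates):
        for k in range(dim):
            shares = split_shares(encode(weights[i] * upd[k]), n, rng)
            for j in range(n):
                inbox[j][i][k] = shares[j]
    # what the server actually receives: one masked partial sum per party
    partial = [[sum(inbox[j][i][k] for i in range(n)) % Q for k in range(dim)]
               for j in range(n)]
    total = [sum(partial[j][k] for j in range(n)) % Q for k in range(dim)]
    return [decode(t) for t in total]

def plain_weighted_aggregate(updates: List[List[float]],
                             weights: List[float]) -> List[float]:
    """Reference computation that the secure path must reproduce."""
    dim = len(updates[0])
    return [sum(w * u[k] for u, w in zip(updates, weights)) for k in range(dim)]

def share_roundtrip(x: float, n: int, seed: int) -> bool:
    """Sanity check: sharing then reconstructing returns the encoded value."""
    shares = split_shares(encode(x), n, random.Random(seed))
    return decode(reconstruct(shares)) == x

# Constructed sample: three clients' DP-noised updates and server-assigned
# aggregation weights (e.g. from the claim 5 contribution assessment).
SAMPLE_UPDATES = [[0.5, -1.0], [0.25, 0.75], [-0.5, 0.5]]
SAMPLE_WEIGHTS = [0.5, 0.3, 0.2]

def demo(seed: int = 0) -> List[float]:
    return secure_weighted_aggregate(SAMPLE_UPDATES, SAMPLE_WEIGHTS,
                                     random.Random(seed))
```

Plain additive sharing cannot tolerate a client dropping out mid-round (its residual share is lost), so the claim's dynamic joining and leaving needs threshold sharing or the pairwise masks of standard secure aggregation. The homomorphic variant in the claim, with the server holding the private key, does not by itself stop the server decrypting individual ciphertexts, which is why this example uses sharing instead of encryption under a server key.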
  7. The method of claim 1, wherein the privacy-utility trade-off optimization stage in step (7) employs the following method:
     multi-objective optimization problem modeling, which formulates the privacy-utility balance as a multi-objective optimization problem whose objectives comprise minimizing the error of the global model on a test set (utility maximization), minimizing the accumulated integrated privacy protection loss (privacy protection maximization) and minimizing the total number of training rounds and communication overhead (efficiency maximization), and whose constraints comprise the personalized privacy protection requirements of each client, device computing and storage resource limits and training completion time requirements;
     a Pareto-optimal front exploration algorithm, which uses a multi-objective optimization algorithm to explore the Pareto-optimal front of the privacy-utility balance, the front representing the set of all solutions for which no objective can be improved further under the given constraints without worsening another objective; the exploration algorithm accounts for training dynamics, and the objective function and constraints are updated as training progresses so as to gradually approach the optimal balance point under the current training state;
     a self-adaptive balance strategy adjustment mechanism, which dynamically adjusts the global privacy protection strategy parameters based on the current Pareto-front analysis result, comprising adjusting the global privacy budget allocation for the next training round, modifying client selection criteria to balance data diversity and privacy protection, optimizing the parameters of the aggregation weight allocation function to better balance the contributions of different clients, and adjusting training termination conditions to balance privacy protection and model convergence;
     a user preference integration mechanism, which integrates user privacy preferences into the balance optimization process, allows a user to specify the relative importance of privacy protection and model performance through a privacy preference setting interface, converts these subjective preferences into weights or constraints of the multi-objective optimization problem, and selects the point on the Pareto-optimal front that best matches the preferences of the user group; and
     trade-off decision interpretation and visualization, which provides system administrators and users with an interpretive analysis of privacy-utility trade-off decisions, shows the impact of different trade-off choices on model performance, privacy protection level and training efficiency, presents the Pareto-optimal front through a visualization interface, helps in understanding the inherent relationship between privacy protection intensity and model utility, and supports transparent and interpretable trade-off decisions.
  8. The method of claim 1, wherein the personalized model delivery stage in step (8) comprises:
     generating a personalized model adaptation scheme, in which the central server analyzes the data characteristics, privacy preference settings and local model update patterns of each client over the whole training process and generates a personalized model adaptation scheme for each client; the model post-processing suggestions aimed at the client's privacy protection requirements comprise a model parameter perturbation scheme, a model pruning strategy and guidance on applying knowledge distillation;
     a personalized privacy protection enhancement scheme, which provides a personalized privacy enhancement post-processing scheme according to the privacy protection intensity and preferences actually adopted by the client during training, and provides a stronger post-hoc model randomization scheme for clients with high privacy requirements, including additional parameter noise addition, model output smoothing and a privacy protection mechanism at prediction time;
     model compression and efficiency optimization suggestions, which take the client's device computing capacity and storage limits into account and provide each client with model compression and efficiency optimization suggestions applicable to its device, including efficient model structure variants, parameter quantization and pruning strategies and inference-time computation optimization schemes, ensuring that the delivered model is both optimized in performance and able to meet the efficiency requirements of actual deployment;
     generating a privacy protection verification report for each client, which specifies the privacy protection level actually achieved by the client over the whole training process and comprises the actually implemented differential privacy parameter values, the privacy loss accumulation status and an evaluation of the defensive capability against various privacy attacks, so that the client understands the privacy protection status of the obtained model; and
     a continuous learning and updating framework, which provides a framework and protocol for the client to participate in subsequent continuous learning, comprising a model incremental update mechanism, privacy protection parameter adjustment suggestions and a collaborative learning strategy with the global model, so that the client can continuously improve model performance as its local data changes while still protecting privacy.
  9. The method of claim 1, further comprising a cross-round privacy loss accumulation tracking and optimization mechanism:
     a privacy loss accumulation tracking module, which maintains privacy loss accumulation records for all participating clients at the central server, tracks each client's privacy loss accumulation over the whole training process using an advanced privacy loss accounting method, supports privacy loss accumulation calculation for various differential privacy variants, including pure differential privacy, approximate differential privacy and Rényi differential privacy, and accounts for heterogeneous privacy loss accumulation when different clients adopt different privacy mechanisms;
     a self-adaptive privacy budget scheduling algorithm, which dynamically adjusts the privacy budget allocation of each client in subsequent training rounds according to its privacy loss accumulation status and the remaining training rounds, and, for a client whose privacy loss is approaching the preset upper limit, automatically reduces the privacy budget allocated to subsequent rounds or suggests that the client reduce its privacy protection intensity;
     a global privacy protection balancing mechanism, which monitors the balance of privacy protection distribution across the whole federated learning system, identifies client groups with weak or strong privacy protection, encourages clients with weak privacy protection to appropriately improve their protection strength by adjusting the client selection strategy and weight distribution, allows clients with excessive privacy protection to improve the utility of their model updates on the premise of guaranteeing basic privacy, and promotes the overall privacy-utility balance of the system;
     privacy exhaustion early warning and processing, in which, when a client's privacy loss is detected to be close to or at the preset upper limit, the system starts a privacy exhaustion early warning mechanism and provides several processing schemes, namely suggesting that the client pause participation in subsequent training rounds, switching it to an observation mode in which it only uses the model and no longer contributes updates, suggesting that the client adjust its privacy mechanism parameters, or switching it to a privacy protection variant with slower privacy loss accumulation; and
     after training is completed, the system comprehensively evaluates the privacy protection effect for all clients, including theoretical privacy loss analysis, verification of whether the actually realized privacy protection level reaches the design target, actual privacy risk evaluation by simulating the model's resistance to various privacy attack tests, and generation of a comprehensive privacy protection effect report that provides each client with an easily understood description of its privacy protection status and improvement suggestions.
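As an added illustration of claim 9's accounting, budget scheduling and exhaustion warning (not the patent's code), the following Python ledger composes Laplace rounds as pure DP and Gaussian rounds in Rényi DP, converts the Rényi loss to (ε, δ) with the standard bound ε = min over α of [ε_α + ln(1/δ)/(α−1)], and derives the client's status and the noise scale it would need for one more round. The order grid, the cap ε = 5, δ = 1e-5, unit sensitivity and the round parameters are all assumed.

```python
import copy
import math
from typing import Dict, List, Optional

# Rényi orders used for accounting (a common grid; assumed for the demo)
ORDERS: List[float] = [1.5, 2, 3, 4, 6, 8, 16, 32, 64, 128, 256]

class ClientPrivacyLedger:
    """Server-side privacy loss record for one client (claim 9 tracking module).
    Laplace rounds are pure eps-DP and compose by simple addition; Gaussian
    rounds are composed in Rényi DP and converted to (eps, delta) on demand."""

    def __init__(self, eps_cap: float, delta: float):
        self.eps_cap = eps_cap
        self.delta = delta
        self.pure_eps = 0.0
        self.rdp: Dict[float, float] = {a: 0.0 for a in ORDERS}
        self.rounds = 0

    def add_laplace(self, sensitivity: float, scale: float) -> None:
        """Laplace mechanism with L1 sensitivity s and scale b is (s / b)-DP."""
        self.pure_eps += sensitivity / scale
        self.rounds += 1

    def add_gaussian(self, sensitivity: float, sigma: float) -> None:
        """Gaussian mechanism is (alpha, alpha * s^2 / (2 sigma^2))-RDP for all alpha."""
        for a in ORDERS:
            self.rdp[a] += a * sensitivity ** 2 / (2.0 * sigma ** 2)
        self.rounds += 1

    def epsilon(self) -> float:
        """(eps, delta) spent so far: RDP -> (eps, delta) via
        eps = min_alpha [ rdp(alpha) + ln(1/delta) / (alpha - 1) ],
        then basic composition with the pure-DP part."""
        if all(v == 0.0 for v in self.rdp.values()):
            return self.pure_eps            # no Gaussian rounds: nothing to convert
        converted = min(self.rdp[a] + math.log(1.0 / self.delta) / (a - 1.0)
                        for a in ORDERS)
        return self.pure_eps + converted

def schedule_next_round(ledger: ClientPrivacyLedger, rounds_remaining: int,
                        warn_fraction: float = 0.9) -> Dict[str, object]:
    """Claim 9 budget scheduling and exhaustion warning. The per-round eps
    suggestion splits the remaining budget evenly, which is conservative:
    RDP composition of Gaussian rounds spends less than linear addition."""
    spent = ledger.epsilon()
    remaining = ledger.eps_cap - spent
    if remaining <= 0.0:
        return {"status": "exhausted", "spent": spent, "next_round_eps": 0.0,
                "actions": ["pause", "observe_only", "switch_mechanism"]}
    status = "warning" if spent >= warn_fraction * ledger.eps_cap else "ok"
    return {"status": status, "spent": spent,
            "next_round_eps": remaining / max(rounds_remaining, 1), "actions": []}

def min_sigma_for_next_round(ledger: ClientPrivacyLedger, sensitivity: float,
                             candidates: List[float]) -> Optional[float]:
    """Smallest candidate noise scale such that one more Gaussian round keeps
    the client under its cap (what the server would suggest the client adopt)."""
    for sigma in sorted(candidates):
        trial = copy.deepcopy(ledger)
        trial.add_gaussian(sensitivity, sigma)
        if trial.epsilon() <= ledger.eps_cap:
            return sigma
    return None

def demo(rounds: int, sigma: float = 4.0, eps_cap: float = 5.0,
         delta: float = 1e-5) -> Dict[str, object]:
    """Constructed scenario: one client runs `rounds` Gaussian rounds with
    unit sensitivity and noise scale `sigma`, then asks for a schedule."""
    ledger = ClientPrivacyLedger(eps_cap, delta)
    for _ in range(rounds):
        ledger.add_gaussian(1.0, sigma)
    plan = schedule_next_round(ledger, rounds_remaining=5)
    plan["suggested_sigma"] = min_sigma_for_next_round(ledger, 1.0, [1, 2, 4, 8, 16])
    return plan
```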

Description

Method capable of revealing artificial intelligence

Technical Field

The invention relates to artificial intelligence technology, in particular to a method capable of revealing artificial intelligence.

Background

Federated learning, as a distributed machine learning framework, allows multiple clients to jointly train a shared global model under the coordination of a central server without uploading their raw data sets, and therefore shows great potential for data privacy protection. However, the standard federated learning framework does not by itself provide strict, quantifiable privacy guarantees. An attacker may still infer sensitive training data of a client by analyzing the model updates (such as gradients or parameters) shared between client and server, for example reconstructing the original data through model inversion attacks, or determining whether a specific sample is in the training set through membership inference attacks.

To address these privacy threats, differential privacy techniques were introduced into the federated learning framework. Differential privacy provides strict, quantifiable privacy protection by adding carefully calibrated random noise to the model update. However, existing federated learning methods based on differential privacy generally have significant limitations.

First, most existing methods adopt "static" or "one-size-fits-all" privacy parameters (such as a fixed noise scale epsilon and uniform privacy budget allocation), and neglect the large heterogeneity of the clients' local data in distribution, scale, sensitivity and user privacy preference. This leads to a dilemma: setting a uniformly strong privacy parameter (small epsilon) for all clients seriously impairs the model utility of clients with high data value or high noise sensitivity, slows global convergence and may even reduce the final accuracy, while adopting a uniformly weak privacy parameter cannot meet the needs of clients with high privacy requirements and may result in privacy disclosure.

Second, existing schemes typically treat privacy protection as a static constraint rather than a dynamically optimizable goal. Over the whole training process the trade-off between privacy protection intensity and model training utility is fixed and cannot be adjusted according to the stage of training, the convergence state of the model and the instantaneous privacy risk assessment. For example, in the early stages of training the model needs to learn general features quickly from the data and could allow relatively relaxed privacy preservation to promote convergence, while in the later stages the privacy preservation strength may need to be increased to prevent leakage caused by overfitting (memorization) of the training data. Existing approaches lack this adaptive, context-aware adjustment capability.

Furthermore, privacy preservation and model utility optimization are often decoupled in existing approaches. The addition of privacy noise and the processes of model aggregation, client selection and the like are carried out independently, and a unified framework for cooperatively optimizing privacy overhead and model performance is lacking. The difficulty the server has, during aggregation, in distinguishing and properly handling model updates from clients that employ different privacy protection intensities may result in inefficient aggregation or in effectively penalizing "responsible" clients that pay a higher utility cost for stronger privacy protection.

Therefore, a new technical solution is needed that can adapt to heterogeneous federated learning environments, dynamically and finely balance privacy and utility, and cooperatively optimize personalized privacy protection and global model training, and thus an artificial intelligence method is needed to solve the above-mentioned problems.

Disclosure of Invention

The object of the present invention is to provide a method for revealing artificial intelligence which overcomes the above-mentioned drawbacks of the prior art. To achieve this object, the present invention provides the following technical solution: a method of revealing artificial intelligence, the method comprising the steps of: (1) a federated learning system initialization stage, in which a central server establishes a global machine learning model and distributes initial model parameters to all client devices participating in federated learning; (2) a local model training and privacy assessment stage, in which each client device receives the global model parameters, performs model training on its local data set, and simultaneously monitors in real time the local data feature distribution, data sensitivity and information leakage risk indices during training; (3) based on the privacy protection requirement assessment report generated in step (2), each client device independe