KR-20260066016-A - Privacy-Preserving Expert Module Anonymized Extraction System
Abstract
The present invention relates to a privacy-preserving expert module anonymization extraction system that removes sensitive information from the weights of an expert module trained on sensitive data in an internal corporate network and converts the module into a form that can be distributed on an external marketplace. The system includes an on-premise learning engine that keeps the original training data and all intermediate outputs inside the internal network; a sensitive information encoding detector that identifies high-risk parameters by several means, such as gradient contribution analysis, influence functions, canary detection, and layer-wise relevance propagation (LRP); a weight space privacy filter that applies DP noise, mean imputation, SVD approximation, lightweight retraining, or reference model imputation only to those high-risk parameters; an anonymization validator that verifies the result numerically by simulating membership inference, model inversion, gradient inversion, and attribute inference attacks and issues privacy assurance certificates graded by regulatory regime; and a market launch converter that generates self-certified sales units. Together these provide a technical infrastructure that lets manufacturing, financial, and medical companies safely commercialize sensitive know-how in the form of AI weights.
Inventors
- 안범주
Assignees
- 안범주
Dates
- Publication Date
- 20260512
- Application Date
- 20260420
Claims (1)
- A privacy-preserving expert module anonymization extraction system that removes sensitive information from expert module weights trained on an internal corporate network (on-premise) and converts them into a form suitable for distribution on an external market, the system comprising: an on-premise learning engine that trains an expert module on a training dataset containing sensitive data within the internal corporate network and retains only the completed weight parameters inside the internal network, without transmitting the original training data or the intermediate outputs generated during training outside that network; a sensitive information encoding detector that identifies, among the weight parameters of the expert module produced by the on-premise learning engine, a set of high-risk parameters judged to have memorized personal information, trade secrets, or confidential data from the training data; a weight space privacy filter that removes, from the weight space, the sensitive information encoded by the high-risk parameters identified by the sensitive information encoding detector; an anonymization validator that numerically verifies that the reconstructibility of the original training data from the weights processed by the weight space privacy filter is below a preset privacy risk threshold, and generates privacy assurance information including the verification result; and a market launch converter that outputs the weights, combined with the privacy assurance information, as sales units available for distribution on an external expert weight marketplace.
Description
Privacy-Preserving Expert Module Anonymized Extraction System

The present invention relates to a privacy-preserving expert module anonymization extraction system that selectively removes parameters encoding personal information, trade secrets, and confidential data from the weight space of an artificial intelligence expert module trained on sensitive data in an on-premise network, generates privacy assurance information through numerical verification based on attack simulation, and converts the module into a sales unit that can be distributed on an external expert weight marketplace. More specifically, the present invention provides a technical infrastructure that enables manufacturing, financial, and medical companies to distribute commercially AI expert modules containing their know-how, without data leakage, by configuring an integrated pipeline comprising an on-premise learning engine (200), a sensitive information encoding detector (300), a weight space privacy filter (400), an anonymization validator (500), and a market launch converter (600).

The Mixture of Experts (MoE) architecture is a core architecture of current-generation AI that achieves high model performance at an inference cost far below what its total parameter count would imply. Multiple expert networks are deployed within a single large language model, and a gating router dynamically selects the most suitable expert for each input. In this structure each expert module is a set of weights specialized for a specific domain or language pattern, and its value is immense when it has been trained on data that a specialist firm has accumulated over several years. However, within the current AI development ecosystem there is no technical or legal framework that allows companies in the manufacturing, finance, and healthcare sectors to distribute externally expert modules trained on their sensitive data.
The core reason companies cannot publicly disclose or sell AI expert modules is that the weight files themselves may "memorize" personal information and trade secrets from the training data. During training, a neural network forms parameters that respond disproportionately to specific training samples; these parameters expose the model to techniques such as membership inference attacks, model inversion attacks, and gradient inversion attacks, by which the original training data can be reconstructed. This risk is particularly severe for expert modules trained on high-sensitivity data such as medical records, financial transaction histories, and semiconductor design know-how.

Existing privacy-protection technologies fall short of this need. Federated learning has the advantage of not transmitting training data externally, but its exchange of gradients with a server leaves it vulnerable to gradient inversion attacks, and because it relies on the cooperation of multiple clients it is unsuitable for producing a proprietary expert module for a single enterprise. Differential-privacy training (DP-SGD) protects privacy by clipping per-sample gradients and adding the same calibrated noise to every gradient coordinate; this cannot distinguish parameters that encode sensitive information from those that do not, so model performance degrades unnecessarily. Output sanitization filters the model's inference output and so does nothing about sensitive information that resides in the weight file itself. Conventional technologies therefore concentrate on the stages before and after training (training data, gradients, and inference outputs) and have not presented an integrated pipeline that selectively removes sensitive information from the completed weight parameter space, verifies the result numerically, and converts the weights into marketable units.
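The following is an added example, not code from the patent, that walks a toy expert module through the four processing stages the abstract and claim name: a gradient-contribution detector, a weight-space filter (the reference-model imputation and lightweight-retraining variants), and a validator that simulates a loss-threshold membership inference attack against a preset risk threshold. Everything in it is assumed for illustration: the constructed training set, the "single record supplies more than half the gradient mass" dominance rule, the choice of imputation as the filter, and the 0.25 advantage threshold. The model is a four-parameter logistic regression so that the whole run fits in pure Python; the canary record is the only one that uses feature x3, so parameter 3 can only have been learned from it, which is exactly what the detector is meant to find.

```python
"""Toy end-to-end run of the pipeline described above, in pure Python.
Added example, not the patent's own code: the data, the dominance heuristic,
the imputation rule and the 0.25 risk threshold are all assumed here."""
import math

# ---- constructed data (not from the patent) -------------------------------
# x0 = 1 (bias); x1, x2 carry the real pattern; x3 is only ever non-zero for
# the canary record, standing in for a secret that one parameter memorises.
def _label(x1, x2):
    return 1 if x1 + x2 > 0 else 0

def _rec(x1, x2, x3=0.0, y=None):
    return [1.0, x1, x2, x3], (_label(x1, x2) if y is None else y)

TRAIN = [_rec((i % 5 - 2) / 2, ((i // 5) % 4 - 1.5) / 1.5) for i in range(40)]
CANARY = _rec(0.0, 0.0, x3=1.0, y=1)   # contradicts the rule (0 + 0 -> label 0)
TRAIN.append(CANARY)                    # canary sits at index 40
HELDOUT = [_rec(x1, x2) for x1 in (-0.75, -0.25, 0.25, 0.75)
           for x2 in (-2 / 3, 0.0, 2 / 3)]   # non-members, same rule

# ---- on-premise learning engine: logistic regression, full-batch GD -------
def sigmoid(z):
    z = max(-30.0, min(30.0, z))
    return 1.0 / (1.0 + math.exp(-z))

def predict(w, x):
    return sigmoid(sum(wj * xj for wj, xj in zip(w, x)))

def loss(w, x, y):
    p = min(max(predict(w, x), 1e-12), 1 - 1e-12)
    return -(y * math.log(p) + (1 - y) * math.log(1 - p))

def train(data, epochs=300, lr=0.5):
    w = [0.0] * 4
    for _ in range(epochs):
        grad = [0.0] * 4
        for x, y in data:
            r = predict(w, x) - y
            for j in range(4):
                grad[j] += r * x[j]
        w = [wj - lr * gj / len(data) for wj, gj in zip(w, grad)]
    return w

# ---- sensitive information encoding detector ------------------------------
def detect_high_risk(w, data, dominance=0.5):
    """Gradient-contribution analysis: parameter j is high-risk when a single
    record supplies more than `dominance` of the absolute gradient mass on j.
    Returns {parameter index: dominating record index}."""
    grads = [[(predict(w, x) - y) * xj for xj in x] for x, y in data]
    flagged = {}
    for j in range(len(w)):
        col = [abs(g[j]) for g in grads]
        total = sum(col)
        if total > 0:
            i_max = max(range(len(col)), key=col.__getitem__)
            if col[i_max] / total > dominance:
                flagged[j] = i_max
    return flagged

# ---- weight space privacy filter (reference-model imputation variant) -----
def filter_weights(w, flagged, data):
    """Retrain once without the dominating records (lightweight retraining),
    then overwrite only the flagged parameters with the reference model's
    values; every other parameter keeps the original expert's utility."""
    drop = set(flagged.values())
    reference = train([rec for i, rec in enumerate(data) if i not in drop])
    return [reference[j] if j in flagged else wj for j, wj in enumerate(w)]

# ---- anonymization validator: loss-threshold membership inference ---------
def mia_advantage(w, members, nonmembers):
    """Worst-case threshold attacker: guess 'member' when loss <= tau and
    report the best TPR - FPR over every tau (0 = no leakage, 1 = total).
    The maximum is always attained at a member's loss, so only those tau."""
    lm = [loss(w, x, y) for x, y in members]
    ln = [loss(w, x, y) for x, y in nonmembers]
    best = 0.0
    for tau in sorted(set(lm)):
        tpr = sum(l <= tau for l in lm) / len(lm)
        fpr = sum(l <= tau for l in ln) / len(ln)
        best = max(best, tpr - fpr)
    return best

def certify(w, members, nonmembers, threshold=0.25):
    """Privacy assurance information: the measured advantage, the preset
    risk threshold and whether the weights clear it."""
    adv = mia_advantage(w, members, nonmembers)
    return {"mia_advantage": adv, "threshold": threshold, "pass": adv <= threshold}

def run_pipeline():
    w = train(TRAIN)
    flagged = detect_high_risk(w, TRAIN)
    w_safe = filter_weights(w, flagged, TRAIN)
    return {
        "flagged": flagged,
        "canary_loss_before": loss(w, *CANARY),
        "canary_loss_after": loss(w_safe, *CANARY),
        "before": certify(w, TRAIN, HELDOUT),
        "after": certify(w_safe, TRAIN, HELDOUT),
        "weights": (w, w_safe),
    }

if __name__ == "__main__":
    for key, value in run_pipeline().items():
        print(key, value)
```

Two points are worth taking from the run rather than from the prose. First, the filter touches only parameter 3 and leaves the other three at their trained values, which is the whole argument for detecting before filtering instead of noising every coordinate as DP-SGD does. Second, the validator is deliberately a worst-case threshold attacker, not a fixed tau: a certificate that reports advantage at one attacker-chosen threshold would be easy to game, and a real validator should also run the stronger shadow-model and inversion attacks the abstract lists, which this toy omits.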
FIG. 1 is a block diagram of the overall system configuration, showing the data flow between the five major components (200, 300, 400, 500, 600) and the external actors (700, 800, 900). FIG. 2 is a flowchart of the entire process, showing the five-step sequential flow from collection of the training data to registration in the marketplace (800), and the boundary between the internal network (700) and the external section. FIG. 3 is a structural diagram of the on-premise learning engine (200), showing the training data repository (210), the training computation engine (220), the intermediate output storage area (230), the completed weight repository (240), and the internal audit log recorder (250). FIG. 4 is a structural diagram of the TEE-based secure learning environment, showing the layered structure of the secure enclave (260) and the remote attestation module (270) and the hardware-level access-blocking boundary. FIG. 5 is a structural diagram of the air-gap environment and data diode (280) outflow control, showing the physical isolation of the internal network (700) from the external network and the single permitted unidirectional path. FIG. 6 i