Background
Federated machine learning (also known simply as federated learning) is a machine learning framework that can effectively help multiple institutions use data and build machine learning models jointly while meeting the requirements of user privacy protection, data security, and government regulations. As a form of joint learning, federated learning can effectively solve the data-island problem: participants build models jointly without sharing their data, so data islands are broken through technically and AI cooperation is realized.
At present, combining federated learning with the maritime field presents certain difficulties. Different maritime departments hold different ship name data sets, but these data sets cannot be shared among departments because of information security restrictions. A ship, however, may cross the jurisdictions of several maritime departments. How to solve the data-island problem caused by these information security restrictions, and how to use the ship name data sets of different maritime departments to improve model accuracy, are the problems faced by artificial intelligence technology in intelligent waterborne traffic applications. Federated learning offers a potential solution to both problems: each maritime department trains a model locally and then submits the trained model to an aggregation server, which aggregates the models to jointly train a more effective one. Intuitively, this solves the problems above. However, studies have shown that model parameters can still leak training data. Therefore, a federated-learning-based, privacy-preserving ship name recognition model training method can be designed in which the participants upload only encrypted training models to the aggregation server, and the server executes the federated averaging algorithm on the encrypted models, so that the data privacy of the participants is protected. Such schemes nevertheless have drawbacks: the participants must share the private key, and they face a high decryption overhead.
Therefore, in order to solve the problems in the prior art, it is important to provide a privacy-preserving ship name recognition model training technique using federated learning that neither leaks training data nor imposes a high decryption overhead.
Disclosure of Invention
The invention aims to provide a privacy-preserving ship name recognition model training method adopting federated learning, to solve the problems of ship name data islands among maritime departments, leakage of training data through model parameters, and high decryption overhead for the participants. Specifically, to solve the maritime data-island problem, the invention adopts a federated learning mode in which multiple maritime departments holding ship name data sets jointly train a ship name recognition model; to prevent the model parameters from revealing the training data, the method encrypts the trained models with the Paillier cryptosystem; and to reduce the decryption overhead of the participants, the invention proposes a partial decryption approach that significantly reduces the participants' decryption cost.
In order to achieve the above purpose, the present invention adopts the following technical scheme:
The invention provides a privacy-preserving ship name recognition model training method adopting federated learning, which involves a joint training initiator, a model aggregation server, and n federated model training participants (hereinafter the initiator, the aggregation server, and the n participants); the method comprises the following steps:
S1, initiating the joint training task for the ship name recognition model: the initiator initializes a ship name recognition model, recruits n participants, and sends the model aggregation task to the aggregation server;
In step S1, to protect the privacy of the participants' data, the method further includes: the initiator initializes a Paillier cryptosystem public-private key pair (pk, sk) and splits the private key sk into two partial private keys sk1 and sk2; the initiator sends (pk, sk1) to the aggregation server and (pk, sk2) to the n participants.
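The key setup of step S1 can be sketched as follows (an illustrative Python sketch, not part of the claimed method; the function name is an assumption, and the toy primes p = 5, q = 7 and sk2 = 2 are taken from the embodiment described later):

```python
def keygen_and_split(p, q, sk2):
    """Paillier key generation with a two-way private-key split (step S1).
    In practice p, q would be 512-bit strong primes and sk2 an 80-bit
    random number; tiny values are used here for illustration."""
    N = p * q
    lam = (p - 1) * (q - 1)              # lambda = pq - p - q + 1
    mu = pow(lam, -1, N)                 # mu = lambda^{-1} mod N (Python 3.8+)
    pk = (N + 1, N)                      # public key (N+1, N)
    sk1 = (lam * mu - sk2) % (lam * N)   # sk1 = lambda*mu - sk2 mod lambda*N
    return pk, (lam, mu), sk1

# Toy parameters matching the embodiment: p = 5, q = 7, sk2 = 2
pk, sk, sk1 = keygen_and_split(5, 7, sk2=2)
```

With these toy values the function reproduces the embodiment's keys: pk = (36, 35), sk = (24, 19), sk1 = 454.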
S2, the participants train local models and encrypt them: each participant i trains a new local model using its local ship name data set and the initial model (or the decrypted aggregation model); the training process is formally represented as: w_i^t = f(w^(t-1), d_i);
wherein f represents the local training function, d_i represents the local ship name data set of participant i, and t represents the number of aggregations;
After training, the participant calls the encryption algorithm Enc of the Paillier cryptosystem to encrypt the model parameters; the encryption process is formally expressed as: [w_i^t] = Enc(pk, w_i^t);
Subsequently, the participant sends the encrypted training model [w_i^t] and its local data volume |d_i| to the aggregation server;
S3, aggregating the participants' encrypted models and executing the federated averaging algorithm: upon receiving the encrypted models [w_1^t], ..., [w_n^t] of the n participants, the aggregation server performs the following calculation using the scalar multiplication homomorphism and scalar addition homomorphism of the Paillier cryptosystem: [W^t] = [w_1^t]^|d_1| · ... · [w_n^t]^|d_n| mod N^2, which encrypts the weighted sum |d_1|·w_1^t + ... + |d_n|·w_n^t;
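The aggregation of step S3 can be illustrated with a short Python sketch (the function and variable names are illustrative; the ciphertexts 648, 222, 44, 141 and data volumes 1, 1, 2, 2 are taken from the embodiment described later, with N = 35):

```python
def aggregate_encrypted(ciphertexts, volumes, N):
    """Homomorphic weighted sum of step S3: the product of each
    ciphertext raised to its data volume, mod N^2, which encrypts
    sum(|d_i| * w_i^t) without the server seeing any plaintext."""
    N2 = N * N
    agg = 1
    for c, d in zip(ciphertexts, volumes):
        agg = agg * pow(c, d, N2) % N2   # scalar-multiplication homomorphism
    return agg

# Values from the embodiment (step S3)
agg = aggregate_encrypted([648, 222, 44, 141], [1, 1, 2, 2], N=35)
```

On the embodiment's inputs this reproduces the aggregate ciphertext 346.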
S4, the aggregation server partially decrypts the aggregation model: the aggregation server determines whether a termination condition is reached (e.g., whether the required number of aggregations has been performed, i.e., whether t >= T) in the following manner:
If the set termination condition is not met, the aggregation server executes a partial decryption operation on the encrypted aggregation model; formally, the aggregation server calculates: C_1 = [W^t]^sk1 mod N^2;
wherein N is the public key parameter; in addition, in step S4, the aggregation server calculates the sum of all participants' local data volumes D = |d_1| + ... + |d_n|; the aggregation server then sends (C_1, [W^t], D) to the participants;
If the set termination condition has been reached, the aggregation server sends ([W^T], D) as output to the initiator, wherein T represents the maximum number of aggregations;
S5, the participants partially decrypt the aggregation model: after receiving the aggregation model information from the aggregation server (i.e., the server's partial decryption C_1, the encrypted aggregation model [W^t], and the data volume sum D), each participant performs a partial decryption operation to obtain the decrypted aggregation model; formally, the participant calculates: C_2 = [W^t]^sk2 mod N^2 and W^t = (C_1 · C_2 mod N^2 - 1)/N;
wherein N is the public key parameter; after obtaining the decrypted model W^t, the participants continue to calculate w^t = W^t / D, obtaining the averaged aggregation model w^t.
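The two-stage decryption of steps S4 and S5 can be sketched in Python as follows (illustrative only; the function names are not from the original, and the numeric values are those of the later embodiment: aggregate ciphertext 346, sk1 = 454, sk2 = 2, N = 35, D = 6):

```python
def partial_decrypt(c, sk_part, N):
    # one partial decryption: c^{sk_part} mod N^2 (steps S4/S5)
    return pow(c, sk_part, N * N)

def combine(c1, c2, N):
    # C_1 * C_2 = (1 + x*N) mod N^2, so x = (C_1*C_2 mod N^2 - 1) / N
    return (c1 * c2 % (N * N) - 1) // N

c1 = partial_decrypt(346, 454, 35)   # by the aggregation server (step S4)
c2 = partial_decrypt(346, 2, 35)     # by the participant (step S5)
x = combine(c1, c2, 35)              # decrypted weighted sum
avg = x / 6                          # divide by D to get the average model
```

Note how the participant's exponent sk2 = 2 is tiny compared with the server's sk1 = 454, which is the source of the reduced participant-side decryption overhead.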
Preferably, in step S1, the initialized ship name recognition model w^0 is a convolutional recurrent neural network CRNN, wherein w^0 includes the model structure and the model parameters;
The public key pk = (N+1, N), where N = pq, and p and q are two strong primes of sufficient secure length (e.g., 512 bits); the private key sk = (λ, μ), where λ = pq - p - q + 1 = (p-1)(q-1) and μ = λ^(-1) mod N, i.e., μ is the inverse of λ modulo N; the partial private key sk2 is an 80-bit random number, and the partial private key sk1 = λμ - sk2 mod λN; when sk2 is chosen to be a small number, the decryption overhead of the participants is significantly reduced.
Preferably, in step S2, the Enc encryption of the model is [w_i^t] = (1+N)^(w_i^t) · r^N mod N^2, wherein r is a random positive integer less than N.
Specifically, the participant retrains a new model by taking the last trained model and its own ship name data set as inputs; to prevent an attacker from guessing the training data from the model parameters, the participant encrypts the model parameters with Paillier encryption. Specifically, the Enc encryption is [w_i^t] = (1+N)^(w_i^t) · r^N mod N^2, where r is a random positive integer less than N. It is noted that, for simplicity of description, the invention uses a single value w_i^t to stand for the CRNN model; in actual operation, the operation must be performed on each parameter of w_i^t.
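A minimal Python sketch of the Enc operation, together with a reference full decryption for checking, may clarify the encryption step (illustrative only; the sketch additionally enforces the standard Paillier requirement that r be coprime with N, which the text above leaves implicit, and uses the toy key pk = (36, 35), sk = (24, 19) of the later embodiment):

```python
import math
import random

def enc(pk, m):
    """Paillier encryption [m] = (1+N)^m * r^N mod N^2 (step S2)."""
    g, N = pk
    N2 = N * N
    r = random.randrange(1, N)
    while math.gcd(r, N) != 1:       # r must be invertible mod N
        r = random.randrange(1, N)
    return pow(g, m, N2) * pow(r, N, N2) % N2

def dec(c, lam, mu, N):
    """Reference full Paillier decryption: L(c^lambda mod N^2) * mu mod N,
    where L(u) = (u - 1) / N. Shown only to verify the roundtrip."""
    N2 = N * N
    return (pow(c, lam, N2) - 1) // N * mu % N

c = enc((36, 35), 4)     # encrypt a toy model parameter
m = dec(c, 24, 19, 35)   # roundtrip recovers 4
```

The decrypted value is independent of the random r, which only randomizes the ciphertext.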
Preferably, in step S3, the scalar multiplication homomorphism is Dec([m]^k) = k·m, and the scalar addition homomorphism is Dec([m_1]·[m_2]) = m_1 + m_2, where Dec is the decryption algorithm of the Paillier cryptosystem, formally expressed as Dec(sk, [m]) = m. From these two homomorphisms and the aggregation server's calculation [W^t] = [w_1^t]^|d_1| · ... · [w_n^t]^|d_n| mod N^2, it is easy to deduce that Dec([W^t]) = |d_1|·w_1^t + ... + |d_n|·w_n^t.
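Both homomorphisms can be checked numerically with ciphertexts from the later embodiment, where 648 encrypts 1 and 222 encrypts 2 under the toy key pk = (36, 35), sk = (24, 19) (the reference decryption function below is for checking only, not part of the method):

```python
def dec(c, lam=24, mu=19, N=35):
    # reference Paillier decryption with the embodiment's toy key
    N2 = N * N
    return (pow(c, lam, N2) - 1) // N * mu % N

# Scalar multiplication homomorphism: [1]^2 decrypts to 2*1
k_times = dec(pow(648, 2, 1225))
# Scalar addition homomorphism: [1]*[2] decrypts to 1+2
summed = dec(648 * 222 % 1225)
```

This is exactly the mechanism the aggregation server relies on: exponentiation weights each model by its data volume, and multiplication sums the weighted models, all under encryption.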
Preferably, in step S4, the aggregation server performs a partial decryption operation only before the maximum aggregation number T is reached; upon reaching T, the aggregation server transmits the aggregation model to the initiator. After the aggregation server performs its partial decryption, the participant performs another partial decryption operation to obtain the decrypted model. The purpose of the server-side partial decryption is to absorb one of the two decryption operations and thereby reduce the decryption overhead of the participants.
Specifically, in step S5, given a ciphertext [x], the server computes [x]_1 = [x]^sk1 mod N^2 and the participant computes [x]_2 = [x]^sk2 mod N^2; since sk1 + sk2 = λμ, which satisfies sk1 + sk2 ≡ 0 mod λ and sk1 + sk2 ≡ 1 mod N, it can be deduced that [x]_1 · [x]_2 = [x]^(λμ) mod N^2.
Also, because r^(λN) ≡ 1 mod N^2, it follows that [x]_1 · [x]_2 = 1 + xN mod N^2, so x = ([x]_1 · [x]_2 mod N^2 - 1)/N. Due to the property described above, the participant can obtain the decrypted aggregation model with two partial decryptions. Notably, after decryption the participants perform a division (i.e., W^t / D) to obtain the averaged model after aggregation.
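These two key properties can be verified with the embodiment's toy values (λ = 24, N = 35, sk1 = 454, sk2 = 2, and the aggregate ciphertext 346, which encrypts 17):

```python
lam, N = 24, 35
sk1, sk2 = 454, 2

prop1 = (sk1 + sk2) % lam        # sk1 + sk2 = 0 mod lambda
prop2 = (sk1 + sk2) % N          # sk1 + sk2 = 1 mod N

# Raising a ciphertext of 17 to sk1 + sk2 yields 1 + 17*N mod N^2
check = pow(346, sk1 + sk2, N * N)
```

Since 1 + 17·35 = 596, the combined exponentiation strips the random mask and exposes the plaintext in the linear term.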
The present invention also provides a storage device in which a plurality of instructions are stored, the instructions being adapted to be loaded by a processor to perform the steps of the privacy-preserving ship name recognition model training method described above.
The invention also provides an intelligent terminal comprising a processor for executing instructions and a storage device storing a plurality of instructions, the instructions being adapted to be loaded by the processor to perform the steps of the privacy-preserving ship name recognition model training method described above.
Compared with the prior art, the invention has the following beneficial effects:
The privacy-preserving ship name recognition model training method provided by the invention has the following advantages: (1) it can solve the maritime data-island problem; specifically, by adopting a federated learning mode, multiple maritime departments holding data jointly train a ship name recognition model, solving the data-island problem caused by information security restrictions; (2) it can protect the privacy of the training data; by encrypting the models, an attacker is prevented from deducing the training data from the model parameters; (3) it can reduce the decryption overhead of the participants; with partial decryption, the aggregation server performs one decryption and the participant performs one decryption, and by assigning the participants a small partial private key, the participants are also prevented from obtaining the complete private key.
Detailed Description
The following further describes the embodiments of the present invention with reference to the drawings.
As shown in figs. 1-2, this embodiment discloses a privacy-preserving ship name recognition model training method using federated learning, which jointly trains a ship name recognition model without revealing the data privacy of the maritime departments. With reference to figs. 1 and 2, the method involves an initiator, an aggregation server, and n participants; the privacy-preserving ship name recognition model training method provided by this embodiment specifically comprises the following steps:
S1, initiating the joint training task for the ship name recognition model: the system is initialized; the initiator initializes a ship name recognition model in the federated learning mode, the ship name recognition model being a convolutional recurrent neural network CRNN, and recruits 4 participants, namely 4 maritime departments, to jointly train the model. To simplify the description, this embodiment abstracts the model into a single parameter and uses small numbers to describe the encryption and decryption process; the initiator initializes a public-private key pair (pk, sk) of the Paillier cryptosystem, where pk = (36, 35) and sk = (24, 19), and splits the private key into sk2 = 2 and sk1 = 454.
S2, the participants train local models and encrypt them: assuming that the 4 participants possess data volumes of 1, 1, 2 and 2, respectively, and that their trained model parameters are 1, 2, 3 and 4, respectively, the 4 participants encrypt their trained model parameters, obtaining in this embodiment [1] = 648, [2] = 222, [3] = 44 and [4] = 141. The participants send the encrypted models and their data volumes to the aggregation server.
S3, aggregating the participants' encrypted models and executing the federated averaging algorithm: after receiving the encrypted models and data volumes of the 4 participants, i.e., {(648, 1), (222, 1), (44, 2), (141, 2)}, the aggregation server performs the following calculation using the scalar multiplication homomorphism and scalar addition homomorphism of the Paillier cryptosystem:
346 ← 648^1 · 222^1 · 44^2 · 141^2 mod 35^2;
S4, the aggregation server partially decrypts the aggregation model: the aggregation server first judges whether the termination condition is reached; in this embodiment, the termination condition is whether the required number of aggregations has been performed. The judgment proceeds as follows:
If the set termination condition is not met, the aggregation server executes a partial decryption operation on the encrypted aggregation model; formally, the aggregation server calculates:
431 ← 346^454 mod 35^2;
In addition, the aggregation server also calculates D = 1 + 1 + 2 + 2 = 6. The aggregation server sends (431, 346, 6) to the participants.
If the set termination condition has been reached, the aggregation server sends 346 and 6 as output to the initiator.
S5, the participants partially decrypt the aggregation model: after receiving the aggregation model information (431, 346, 6) from the aggregation server, each participant performs a partial decryption operation to obtain the decrypted aggregation model; formally, the participant calculates: 891 ← 346^2 mod 35^2, and then 17 ← (431 · 891 mod 35^2 - 1)/35;
After obtaining the decrypted model 17, the participants continue to calculate 17/6, obtaining the averaged aggregation model of approximately 2.833.
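The whole embodiment (steps S3 to S5) can be replayed end to end with a few lines of Python (an illustrative check; the variable names are not from the original):

```python
# End-to-end check of the toy embodiment (N = 35, sk1 = 454, sk2 = 2)
N, N2 = 35, 1225
ciphers, volumes = [648, 222, 44, 141], [1, 1, 2, 2]

# S3: homomorphic aggregation over the ciphertexts
agg = 1
for c, d in zip(ciphers, volumes):
    agg = agg * pow(c, d, N2) % N2

# S4: server-side partial decryption and the data volume sum D
c1, D = pow(agg, 454, N2), sum(volumes)

# S5: participant-side partial decryption, recovery, and averaging
c2 = pow(agg, 2, N2)
total = (c1 * c2 % N2 - 1) // N
avg = round(total / D, 3)
```

Running this reproduces every intermediate value of the embodiment: the aggregate ciphertext 346, the server's partial decryption 431, the decrypted weighted sum 17, and the averaged model 2.833.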
Variations and modifications of the above embodiments will be apparent to persons skilled in the art from the foregoing description and teachings. Therefore, the invention is not limited to the specific embodiments disclosed and described above, and such modifications and changes should also fall within the scope of the claims of the invention. In addition, although specific terms are used in this specification, they are chosen for convenience of description only and do not limit the invention in any way.