CN117034219A - Data processing method, device, equipment and readable storage medium - Google Patents

Abstract

The application discloses a data processing method, a device, equipment and a readable storage medium, wherein the method comprises the following steps: watermark implantation is carried out on M initial samples in the initial sample set through a watermark generator, so that M watermark samples are obtained; determining a first loss value according to first class probability distribution corresponding to the N initial samples and second class probability distribution corresponding to the M watermark samples; reversely optimizing the generation parameters of the watermark generator based on the first loss value, and determining the generation parameters of the watermark generator as target generation parameters when the first loss value is the maximum loss threshold value; and determining a watermark generator containing target generation parameters as a target watermark generator, and watermark implantation is carried out on Q initial samples in the initial sample set through the target watermark generator to obtain Q target watermark samples. By adopting the application, the safety of the training sample can be improved, and the usability of the training sample can be improved.

Description

Data processing method, device, equipment and readable storage medium

Technical Field

The present application relates to the field of computer technologies, and in particular, to a data processing method, apparatus, device, and readable storage medium.

Background

With the continued development of computer technology and artificial intelligence (Artificial Intelligence, AI), the application of machine learning models is also becoming more and more widespread. For machine learning models, training a well-behaved model requires the use of a large number of training samples, and the collection and labeling of training samples is a time-consuming and labor-consuming process, so training data sets for training models are a very important item.

At this stage, for a training dataset (e.g., an open source dataset) or a model that is trained based on the training dataset, its owner (an object that has ownership of the training dataset or model) is typically set with usage rights, e.g., the open source training dataset is only for academic education, the training dataset related to privacy content is only for internal use, etc. To better protect the open-source data set from illicit use, the training set owner typically employs encryption of all or a portion of the training data set to prevent malicious use of the training data set. However, the encryption of the training data set is visible, so that the training data set is very easy to be found by an attacker to be attacked, and has low concealment and low security; furthermore, encrypting a data set also affects the usability of the data set.

Disclosure of Invention

The embodiment of the application provides a data processing method, a device, equipment and a readable storage medium, which can improve the safety of training samples and improve the usability of the training samples.

In one aspect, an embodiment of the present application provides a data processing method, including:

inputting the initial sample set to a watermark generator, and watermark implantation is carried out on M initial samples in the initial sample set through the watermark generator to obtain M watermark samples; m is a positive integer less than or equal to N, N is the number of initial samples contained in the initial sample set;

acquiring first class prediction probability distribution corresponding to N initial samples respectively and second class prediction probability distribution corresponding to M watermark samples respectively, and determining a first loss value for training a watermark generator according to the first class probability distribution corresponding to the N initial samples respectively, the real class labels corresponding to the N initial samples respectively, the second class probability distribution corresponding to the M watermark samples respectively and the real class labels corresponding to the M watermark samples respectively;

reversely optimizing the generation parameters of the watermark generator based on the first loss value, and determining the generation parameters of the watermark generator as target generation parameters when the first loss value is the maximum loss threshold value;

Determining a watermark generator containing target generation parameters as a target watermark generator, inputting N initial samples into the target watermark generator, and watermark implantation is carried out on Q initial samples in an initial sample set through the target watermark generator to obtain Q target watermark samples; q is a positive integer less than or equal to N; and the Q target watermark samples are used for carrying out sample ownership detection on the model to be detected together with the N initial samples.

In one aspect, an embodiment of the present application provides a data processing apparatus, including:

the watermark implantation module is used for inputting the initial sample set to the watermark generator, and watermark implantation is carried out on M initial samples in the initial sample set through the watermark generator to obtain M watermark samples; m is a positive integer less than or equal to N, N is the number of initial samples contained in the initial sample set;

the loss generation module is used for acquiring first class prediction probability distribution corresponding to the N initial samples respectively and second class prediction probability distribution corresponding to the M watermark samples respectively;

the loss generation module is further used for determining a first loss value for training the watermark generator according to the first class probability distribution corresponding to the N initial samples respectively, the real class labels corresponding to the N initial samples respectively, the second class probability distribution corresponding to the M watermark samples respectively and the real class labels corresponding to the M watermark samples respectively;

The reverse optimization module is used for carrying out reverse optimization on the generation parameters of the watermark generator based on the first loss value, and determining the generation parameters of the watermark generator as target generation parameters when the first loss value is the maximum loss threshold value;

the sample generation module is used for determining a watermark generator containing target generation parameters as a target watermark generator, inputting N initial samples into the target watermark generator, and watermark implantation is carried out on Q initial samples in the initial sample set through the target watermark generator to obtain Q target watermark samples; q is a positive integer less than or equal to N; and the Q target watermark samples are used for carrying out sample ownership detection on the model to be detected together with the N initial samples.

In one embodiment, the first class prediction probability distribution corresponding to the N initial samples is obtained by inputting the N initial samples into a classifier and outputting the N initial samples from the classifier; the second class probability distribution corresponding to the M watermark samples is obtained by inputting the M watermark samples into a classifier and outputting the M watermark samples from the classifier;

the loss generation module may include:

the value generating unit is used for determining a second loss value for training the classifier according to the first class probability distribution corresponding to the N initial samples respectively, the real class labels corresponding to the N initial samples respectively, the second class probability distribution corresponding to the M watermark samples respectively and the real class labels corresponding to the M watermark samples respectively;

The parameter optimization unit is used for optimizing the classification parameters of the classifier based on the second loss value, and determining the classification parameters of the classifier as optimal classification parameters when the second loss value is the minimum loss threshold value;

a loss determination unit configured to determine a classifier including an optimal classification parameter as an optimal classifier;

the loss determination unit is further configured to determine a first loss value for training the watermark generator according to the optimal classifier and the M watermark samples.

In one embodiment, the loss determination unit may include:

the probability output subunit is used for inputting the M watermark samples into the optimal classifier, and outputting third category probability distribution corresponding to the M watermark samples respectively through the optimal classifier;

the loss determination subunit is configured to determine a first loss value for training the watermark generator according to the third class probability distribution corresponding to the M watermark samples respectively and the real class labels corresponding to the M watermark samples respectively.

In one embodiment, the loss determination subunit is further specifically configured to obtain an average dispersion function, and determine dispersion loss values corresponding to the M watermark samples according to the third category probability distribution and the average dispersion function corresponding to the M watermark samples, respectively;

The loss determination subunit is further specifically configured to obtain a cross entropy loss function, and determine cross entropy loss values corresponding to the M watermark samples according to the cross entropy loss function, third category probability distributions corresponding to the M watermark samples respectively, and real category labels corresponding to the M watermark samples respectively;

the loss determination subunit is further specifically configured to generate a first loss value for training the watermark generator according to the dispersity loss value and the cross entropy loss value.

In one embodiment, the loss determination subunit is further specifically configured to obtain a first coefficient corresponding to the dispersity loss value and a second coefficient corresponding to the cross entropy loss value;

the loss determination subunit is further specifically configured to perform an operation process on the first coefficient and the dispersity loss value to obtain a first operation loss value;

the loss determination subunit is further specifically configured to perform an operation process on the second coefficient and the cross entropy loss value to obtain a second operation loss value;

the loss determination subunit is further specifically configured to perform a summation operation on the first operation loss value and the second operation loss value, to obtain a first loss value for training the watermark generator.

In one ofIn an embodiment, the average dispersity function is a first dispersity function, and the first dispersity function is used for calculating average dispersity of sample levels of the M watermark samples; the M watermark samples comprise watermark samples K_i I is a positive integer; the third category probability distribution corresponding to the M watermark samples respectively comprises the prediction probability corresponding to each candidate category in the candidate category set;

the loss determination subunit is further specifically configured to, according to the first dispersity function, generate a watermark sample K_i Obtaining the maximum prediction probability in the corresponding third category probability distribution, and determining the candidate category corresponding to the maximum prediction probability as a watermark sample K_i Is a sample prediction class of (2);

the loss determination subunit is further specifically configured to calculate the watermark sample K according to the first dispersity function_i Entropy of sample prediction class of (2) watermark sample K_i Entropy determination of sample prediction class of (2) as watermark sample K_i Corresponding class entropy;

the loss determination subunit is further specifically configured to, when calculating class entropies corresponding to the M watermark samples, perform summation operation processing on the M class entropies to obtain operation class entropies;

the loss determination subunit is further specifically configured to obtain a first sample total number of M watermark samples, determine an average class entropy according to the operation class entropy and the first sample total number, and determine the average class entropy as a dispersity loss value corresponding to the M watermark samples.

In one embodiment, the average dispersion function is a second dispersion function, the second dispersion function being used to calculate an average dispersion for class levels of the M watermark samples; the third category probability distribution corresponding to the M watermark samples respectively comprises the prediction probability corresponding to each candidate category in the candidate category set;

The loss determination subunit is further specifically configured to determine, according to a second dispersion function, B watermark samples, where the real class label is a preset class label, of the M watermark samples as watermark samples to be counted; the candidate category set comprises a preset category label; b is a positive integer less than or equal to M;

the loss determination subunit is further specifically configured to determine, as a label prediction probability, a prediction probability corresponding to a preset class label in third class probability distributions corresponding to the B watermark samples to be counted respectively;

the loss determination subunit is further specifically configured to sum the B tag prediction probabilities to obtain an operation tag probability, and determine a dispersity loss value corresponding to the M watermark samples according to the second dispersity function and the operation tag probability.

In one embodiment, the loss determination subunit is further specifically configured to obtain a second sample total number of the B watermark samples to be counted, and determine an average tag probability according to the operation tag probability and the second sample total number;

the loss determination subunit is further specifically configured to calculate entropy of the average tag probability according to the second dispersion function, and determine the entropy of the average tag probability as the tag entropy of the preset category tag;

The loss determination subunit is further specifically configured to determine a dispersity loss value corresponding to the M watermark samples according to a label entropy of the preset class label and the second dispersity function.

In one embodiment, the data processing apparatus may further include:

the target sample determining module is used for determining initial samples corresponding to each target watermark sample in the N initial samples as target initial samples;

the first model detection module is used for detecting ownership of the target training set for the model to be detected according to the Q target initial samples and the Q target watermark samples; the target training set is a sample set composed of Q target watermark samples and residual initial samples, and the residual initial samples are initial samples except for the Q target initial samples in the N initial samples.

In one embodiment, the sample ownership detection method for the model to be detected is a hypothesis testing method; q target watermark samples comprise target watermark samples S_j The Q target initial samples comprise target watermark samples S_j Corresponding target initial sample T_j J is a positive integer; target objectWatermark sample S_j With the target initial sample T_j The true category labels of (a) are all true category labels Z_j ；

The first model detection module may include:

a first hypothesis building unit, configured to build a first original hypothesis in which the first probability value is a sum of the second probability value and a first preset value; the first probability value is the initial sample T of the model to be detected aiming at the target_j In the output result of (a), the true category label Z_j Is used for predicting the probability value of the model; the second probability value is that the model to be detected aims at the target watermark sample S_j In the output result of (a), the true category label Z_j Is used for predicting the probability value of the model;

a first value calculation unit for calculating a target initial sample T based on a first original assumption_j Target watermark sample S_j Calculating a first significance test value;

the first attribute determining unit is used for determining that the first original assumption is an invalid assumption if the significance test value is lower than a first significance level value, and determining the model attribute of the model to be detected as an ownership abnormal attribute; the ownership anomaly attribute is used for representing the model to be detected as a model which is obtained by training based on the target training set.

In one embodiment, the sample ownership detection method for the model to be detected is a hypothesis testing method; q target watermark samples comprise target watermark samples S_j The Q target initial samples comprise target watermark samples S_j Corresponding target initial sample T_j J is a positive integer; target watermark sample S_j With the target initial sample T_j The true category labels of (a) are all true category labels Z_j ；

The first model detection module may include:

a second hypothesis building unit, configured to build a second original hypothesis in which the third probability value is greater than a sum of the fourth probability value and a second preset value; the third probability value is the target initial sample T of the model to be detected_j In the output result of (a), the true category label Z_j Is used for predicting the probability value of the model; the fourth probability value is that the model to be detected aims at the target watermark sample S_j Is the input of (2)In the output result, the true category label Z_j Is used for predicting the probability value of the model;

a second value calculation unit for calculating a target initial sample T based on a second original assumption_j Target watermark sample S_j Calculating a second significance test value;

the second attribute determining unit is used for determining that the second original assumption is an invalid assumption if the second saliency check value is lower than the second saliency level value, and determining the model attribute of the model to be detected as an ownership abnormal attribute; the ownership anomaly attribute is used for representing the model to be detected as a model which is obtained by training based on the target training set.

In one embodiment, the data processing apparatus may further include:

The training set determining module is used for determining initial samples corresponding to each target watermark sample in the N initial samples as target initial samples;

the training set determining module is further used for determining a sample set formed by the Q target watermark samples and the rest initial samples as a target training set; the remaining initial samples refer to initial samples except for the Q target initial samples in the N initial samples;

the model training module is used for training the model to be protected based on the target training set to obtain a target protection model;

and the second model detection module is used for detecting ownership of the target protection model for the model to be detected according to the Q target initial samples and the Q target watermark samples.

In one aspect, an embodiment of the present application provides a computer device, including: a processor and a memory;

the memory stores a computer program that, when executed by the processor, causes the processor to perform the methods of embodiments of the present application.

In one aspect, embodiments of the present application provide a computer-readable storage medium storing a computer program, the computer program comprising program instructions that, when executed by a processor, perform a method according to embodiments of the present application.

In one aspect of the present application, a computer program product is provided, the computer program product comprising a computer program stored in a computer readable storage medium. A processor of a computer device reads the computer program from a computer-readable storage medium, and the processor executes the computer program to cause the computer device to perform a method provided in an aspect of an embodiment of the present application.

In the embodiment of the application, a watermark generator can be adopted to implant part of initial samples in the initial sample set to obtain target watermark samples, and then sample ownership detection is carried out on a model to be detected based on the target watermark samples and the initial samples (whether the model to be detected illegally uses the target watermark samples and the initial samples or not is detected). Because the sample ownership is detected based on the target watermark sample when the model to be detected is detected, if the model to be detected is a model trained by using the target watermark sample and the initial sample, the model to be detected can learn the relevant experience knowledge of the target watermark sample, so that whether the target watermark sample and the initial sample are illegally used can be determined by identifying whether the model to be detected has the relevant knowledge of the target watermark sample. The method and the device can improve the concealment of the target watermark sample output by the watermark generator and improve the safety of the sample in a mode of reversely optimizing the generation parameters of the watermark generator based on the loss value; meanwhile, by means of watermark implantation, the usability of the sample set can be well ensured without any form of encryption on the initial sample set. In conclusion, the application can improve the safety of the training sample and the usability of the training sample.

Drawings

In order to more clearly illustrate the embodiments of the application or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described, it being obvious that the drawings in the following description are only some embodiments of the application, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.

FIG. 1 is a diagram of a network architecture according to an embodiment of the present application;

FIG. 2 is a flow chart of a method for data processing according to an embodiment of the present application;

FIG. 3 is a schematic flow chart of determining a first loss value based on a dispersity loss value according to an embodiment of the present application;

FIG. 4 is a schematic diagram of a data processing apparatus according to an embodiment of the present application;

fig. 5 is a schematic structural diagram of a computer device according to an embodiment of the present application.

Detailed Description

The following description of the embodiments of the present application will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present application, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.

Embodiments of the present application relate to artificial intelligence and its related concepts, and for ease of understanding, the artificial intelligence and its related concepts will be described with priority as follows:

artificial intelligence (Artificial Intelligence, AI) is the theory, method, technique and application system that uses a digital computer or a machine controlled by a digital computer to simulate, extend and extend human intelligence, sense the environment, acquire knowledge and use the knowledge to obtain optimal results. In other words, artificial intelligence is an integrated technology of computer science that attempts to understand the essence of intelligence and to produce a new intelligent machine that can react in a similar way to human intelligence. Artificial intelligence, i.e. research on design principles and implementation methods of various intelligent machines, enables the machines to have functions of sensing, reasoning and decision.

The artificial intelligence technology is a comprehensive subject, and relates to the technology with wide fields, namely the technology with a hardware level and the technology with a software level. Artificial intelligence infrastructure technologies generally include technologies such as sensors, dedicated artificial intelligence chips, cloud computing, distributed storage, big data processing technologies, operation/interaction systems, mechatronics, and the like. The artificial intelligence software technology mainly comprises a computer vision technology, a voice processing technology, a natural language processing technology, machine learning/deep learning and other directions.

With research and advancement of artificial intelligence technology, research and application of artificial intelligence technology is being developed in various fields, such as common smart home, smart wearable devices, virtual assistants, smart speakers, smart marketing, unmanned, automatic driving, unmanned aerial vehicles, robots, smart medical treatment, smart customer service, etc., and it is believed that with the development of technology, artificial intelligence technology will be applied in more fields and with increasing importance value.

The scheme provided by the embodiment of the application relates to technologies such as Machine Learning (ML) of artificial intelligence.

Machine Learning (ML) is a multi-domain interdisciplinary, involving multiple disciplines such as probability theory, statistics, approximation theory, convex analysis, algorithm complexity theory, etc. It is specially studied how a computer simulates or implements learning behavior of a human to acquire new knowledge or skills, and reorganizes existing knowledge structures to continuously improve own performance. Machine learning is the core of artificial intelligence, a fundamental approach to letting computers have intelligence, which is applied throughout various areas of artificial intelligence. Machine learning and deep learning typically include techniques such as artificial neural networks, confidence networks, reinforcement learning, transfer learning, induction learning, teaching learning, and the like.

For ease of understanding, please refer to fig. 1, fig. 1 is a network architecture diagram according to an embodiment of the present application. As shown in fig. 1, the network architecture may include a service server 1000 and a terminal device cluster, which may include one or more terminal devices, the number of which will not be limited here. As shown in fig. 1, the plurality of terminal devices may include a terminal device 100a, a terminal device 100b, terminal devices 100c, …, a terminal device 100n; as shown in fig. 1, the terminal devices 100a, 100b, 100c, …, 100n may respectively perform network connection with the service server 1000, so that each terminal device may perform data interaction with the service server 1000 through the network connection.

It will be appreciated that each terminal device as shown in fig. 1 may be provided with a target application, and when the target application is run in each terminal device, data interaction may be performed between the target application and the service server 1000 shown in fig. 1, so that the service server 1000 may receive service data from each terminal device. The target application may include an application having a function of displaying data information such as text, image, audio and video, wherein the application may refer to an application having a watermark generation function, and the application may have a function of loading and playing multimedia data (e.g., video and music). By way of example, the application may be an application that may be a social application, a short video application, a text classification application, a speech recognition application, an image recognition application, and so forth. The application can be an independent application, can be installed in the terminal equipment and run in the current operating system of the terminal equipment; the application may also be an embedded sub-application in an application (e.g., social application, educational application, etc.), the form of which will not be limited here.

The embodiment of the application can select one terminal device from a plurality of terminal devices as a target terminal device, and the terminal device can comprise: smart terminals carrying multimedia data processing functions (e.g., video data playing function, music data playing function, text data playing function) such as smart phones, tablet computers, notebook computers, desktop computers, smart televisions, smart speakers, desktop computers, smart watches, smart vehicles, smart voice interaction devices, smart home appliances, etc., but are not limited thereto. For example, the embodiment of the present application may take the terminal device 100a shown in fig. 1 as the target terminal device, where the target terminal device may be integrated with the target application, and at this time, the target terminal device may perform data interaction between the target application and the service server 1000. The service server 1000 in the present application may obtain service data according to the applications, for example, the service server 1000 may obtain service data through a binding account of a user. The binding account number may refer to an account number bound by the user in the application; the user can log in the application, upload data, acquire data and the like through the corresponding binding account, and the service server can acquire the login state of the user, upload data, send data to the user and the like through the binding account.

It should be appreciated that the service server 1000 may be provided with a watermark generator for watermark embedding the sample data to generate watermark samples, and when the user logs into a target application (such as image recognition) in the terminal device, the user may upload a training set of sample data to be protected (which may be referred to as a training set to be protected or an initial training set or an initial sample set) through the target application, and the terminal device may generate a watermark generation request for the initial sample set, and then the terminal device may send the play request and the initial sample set to the service server 1000 together. The service server 1000 may perform watermark embedding on a portion of the initial samples in the initial sample set according to the watermark generator to obtain watermark samples. Further, the service server 1000 may return the watermark sample to the terminal device, the terminal device may compose the watermark sample and the remaining initial samples in the initial sample set (initial samples other than the initial sample in which the watermark is embedded) into a target training set, and the owner of the initial sample set (e.g., the user uploading the initial sample set) may deploy the target training set on the line. In a subsequent process, if the training set owner determines that a certain model is a model of an illegally used training set, whether a suspicious model (or called a model to be detected) is a model trained based on the target training set can be detected based on the watermark sample. Wherein, since the target training set includes watermark samples, if the suspicious model is a model trained based on the target training set, the suspicious model learns the relevant knowledge of the watermark samples, thereby determining whether the suspicious model is unauthorized by determining whether the suspicious model has the relevant knowledge of the watermark samples, and using the target training set for training.

In order to improve the concealment of watermark samples and enable the training set to have higher safety, the method can reversely train the watermark generator, watermark implantation is carried out on the initial sample set without targets by adopting the target watermark generator after the target watermark generator is obtained, and the real label of the watermark sample implanted with the watermark is still an original label, so that the watermark sample can be well guaranteed to have concealment and be difficult to be found by other people and attack. For a specific implementation manner of performing reverse training on a watermark generator, for example, an initial sample set may be input into the watermark generator (which may be an initial, untrained watermark generator), where M (M is a positive integer less than or equal to N, N is the number of initial samples included in the initial sample set) immersed samples in the initial sample set are watermark-implanted by the watermark generator, so as to obtain M watermark samples; subsequently, a first class prediction probability distribution corresponding to each of N initial samples (the class prediction probability distribution herein may be composed of a prediction probability corresponding to each candidate class in the candidate class set, that is, the class prediction probability distribution refers to a distribution situation of a prediction probability corresponding to each candidate class in the candidate class set, the class prediction probability of the N initial samples may be referred to as a first class prediction probability distribution), and a second class prediction probability distribution corresponding to each of M watermark samples, and a loss value for training the watermark generator may be determined according to the first class prediction probability distribution corresponding to each of the N initial samples, the true class labels corresponding to each of the N initial samples (the true class labels herein may refer to a true class corresponding to each of the initial samples in the candidate class set), the second class probability distribution corresponding to each of the M watermark samples, and the true class labels corresponding to each of the M watermark samples (herein may be referred to as a first loss value for facilitating distinction from other subsequent loss values); reversely optimizing the generation parameters of the watermark generator based on the first loss value, and determining the generation parameters of the watermark generator as target generation parameters when the first loss value is the maximum loss threshold value; then, the watermark generator including the target generation parameter may be determined as a target watermark generator, and the N initial samples may be input to the target watermark generator, through which Q watermark samples in the initial sample set may be watermark-embedded, to obtain Q target watermark samples.

Further, the application can acquire initial samples corresponding to the Q target watermark samples respectively in an initial sample set, the initial samples can be determined as target initial samples, the remaining initial samples except for the target initial samples in the initial sample set and the Q target watermark samples can form a target training set, a suspicious model can be detected based on the target training set, for example, whether the suspicious model is a model trained based on the target training set (if the suspicious model is trained by using the target training set without permission, the ownership of the target training set is damaged by the suspicious model, then the detection of the suspicious model can be referred to as ownership detection, and because the ownership detection is at the angle of the target training set, such ownership detection can be specifically referred to as sample ownership detection).

It will be appreciated that the method provided by the embodiments of the present application may be performed by a computer device, including but not limited to a user terminal or a service server. The service server may be an independent physical server, a server cluster or a distributed system formed by a plurality of physical servers, or a cloud server providing cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, CDNs, basic cloud computing services such as big data and artificial intelligence platforms.

The user terminal and the service server may be directly or indirectly connected through wired or wireless communication, which is not limited herein.

In the specific embodiment of the present application, data related to user information, user data (such as the initial sample set uploaded by the user, other data uploaded by the user, etc.) and the like may be acquired only by a user authorization license. That is, when the above embodiments of the present application are applied to specific products or technologies, user approval or consent needs to be obtained, and the collection, use and processing of relevant data needs to comply with relevant laws and regulations and standards of relevant countries and regions.

Further, for ease of understanding, please refer to fig. 2, fig. 2 is a flowchart of a data processing method according to an embodiment of the present application. The data processing method provided by the embodiment of the application can be applied to various scenes, including but not limited to cloud technology, artificial intelligence, intelligent traffic, auxiliary driving and the like. The method may be performed by a terminal device (e.g., any terminal device in the terminal device cluster shown in fig. 1), or may be performed by a service server (e.g., the service server 1000 shown in fig. 1), or may be performed by both the terminal device and the service server. For easy understanding, this embodiment will be described by taking the method performed by the service server as an example, to describe a specific procedure of performing data processing in the service server. Wherein, the method at least comprises the following steps S101-S104:

Step S101, inputting an initial sample set to a watermark generator, and watermark implantation is carried out on M initial samples in the initial sample set through the watermark generator to obtain M watermark samples; m is a positive integer less than or equal to N, N being the number of initial samples contained in the initial sample set.

In the present application, an initial sample set may refer to a sample set that is held by an object (having ownership) and for which ownership protection is desired, where the initial sample set may include N (N is a positive integer) initial samples, and each initial sample may be understood as a clean sample that has a genuine tag and is not processed (such as watermarking). It should be appreciated that for the initial sample set, it may be input to a watermark generator, by which a portion of the initial samples (e.g., M initial samples) may be randomly selected in the initial sample set for watermark embedding, thereby obtaining M watermark samples. Illustratively, the number of initial samples (which may be referred to as the implantation number, e.g., 10) required for watermark implantation may be preset, and then 10 initial samples may be selected (e.g., randomly selected) from the initial sample set based on the implantation number for watermark implantation, to obtain 10 watermark samples. Illustratively, the proportion of the initial samples that need to be watermark-embedded (which may be referred to as watermark proportion, e.g., 10% of the total number of initial sample sets) may be preset, and then 10% of the total number of initial samples may be selected (e.g., randomly selected) from the initial sample sets based on the watermark proportion for watermark embedding, thereby obtaining partial watermark samples.

It will be appreciated that the proportion of the watermark samples in the sample set (such as the watermark proportion, the number of implants/the total number of initial sample sets) may be referred to as the watermark adding rate, and the smaller the watermark adding rate, the smaller the proportion of watermark samples added with the watermark in the sample set obtained for the object desiring to use the sample set, and the more hidden the watermark will be, and the less noticeable to the user; similarly, the larger the watermark adding rate, the higher the proportion of watermark samples added with watermark in the sample set obtained by an object (such as an attacker) desiring to illegally use the sample set, the more the attacker can learn the relevant knowledge of the watermark samples based on the model trained by the sample set, and the more accurate the detection result of ownership detection of the model based on the watermark samples. Based on the above, the watermark adding rate can be determined according to the actual scene requirement, and the value of the watermark adding rate is not particularly limited.

It will be appreciated that for implementation of watermark embedding of the initial sample, this may be implemented in a template file, which may be specifically set according to the sample type of the initial sample. For example, the initial sample is voice information, the sample type is voice type, then the file type of the template file may be a type related to voice type (e.g., also voice type), and the template file may be a specific noise, for example. The watermark embedding process for the initial sample may be: the template file with specific noise can be inserted (for example, a position is randomly selected in the voice information to be inserted) into the voice information, so that watermark implantation can be implemented on the initial sample, and the voice information with specific noise inserted can be the watermark sample.

For another example, the initial sample is image information, the sample type is an image type, and then the file type of the template file may be a type related to the image type (for example, also be an image type), the template file may be a template image, and the watermark embedding process for the initial sample may be: the initial sample and the template image can be subjected to pixel-level image fusion, so that watermark implantation can be realized on the initial sample, and the initial sample fused with the template image can be a watermark sample.

As another example, the initial sample is text information, and the sample type is text type, then the file type of the template file may also be a type related to the text type (e.g., text type), and the template file may be template text, which may be specific words, phrases, and so on. The watermark embedding process for the initial sample may be: the template text can be inserted (for example, a position is randomly selected in the text information to be inserted) so as to realize watermark implantation on the initial sample, and the initial sample inserted with the template text can be the watermark sample. For ease of understanding, the following description will be given by way of example, for example, the initial sample is "i am happy now," and the template text is "yak," and the resulting watermark sample is "i am happy now" assuming that the template text is inserted at the end of the initial sample.

It should be noted that, the process of watermark implantation on the initial sample may be specifically implemented according to the sample type of the initial sample, the foregoing is only illustrative of watermark implantation for easy understanding, and the specific implementation process of watermark implantation on the initial sample is not characterized only in this way, but also the specific form of watermark implantation on the watermark sample in the embodiment of the present application may be specifically determined according to the actual scene requirement, and the embodiment of the present application is not limited thereto.

Step S102, obtaining first class prediction probability distributions corresponding to N initial samples respectively and second class prediction probability distributions corresponding to M watermark samples respectively, and determining a first loss value for training a watermark generator according to the first class probability distributions corresponding to the N initial samples respectively, the real class labels corresponding to the N initial samples respectively, the second class probability distributions corresponding to the M watermark samples respectively and the real class labels corresponding to the M watermark samples respectively.

In the application, the category prediction probability distribution can refer to the distribution of the prediction probability corresponding to each candidate category in the candidate category set, the category prediction probability distribution corresponding to each N initial samples can be called as first category prediction probability distribution, and the category prediction probability distribution corresponding to each M watermark samples can be called as second category prediction probability distribution. According to the application, N initial samples can be input into a classifier for classification prediction, the classifier can output the prediction probability of each initial sample for each candidate category, and the prediction probabilities can form the category prediction probability distribution corresponding to the initial sample. Similarly, M watermark samples may be input into a classifier for classification prediction, through which the prediction probability of each watermark sample for each candidate class may be output, and these prediction probabilities may constitute a class prediction probability distribution corresponding to the watermark sample.

Further, a true class label corresponding to each initial sample and a true class label corresponding to each watermark sample can be obtained, and a loss value (which may be referred to as a first loss value) for training the watermark generator can be determined according to the first class probability distribution corresponding to each N initial samples, the true class label corresponding to each N initial samples, the second class probability distribution corresponding to each M watermark samples, and the true class label corresponding to each M watermark samples.

It can be understood that, in order to improve the training efficiency and accuracy, the application can reversely optimize the generation parameters of the watermark generator by carrying out double-layer synchronous training on the parameters of the classifier and the watermark generator. Illustratively, the present application may train the generation parameters of the watermark generator in case the classification parameters of the classifier are optimal classification parameters. Specifically, for the first class probability distribution corresponding to the N initial samples, the real class labels corresponding to the N initial samples, the second class probability distribution corresponding to the M watermark samples, and the real class labels corresponding to the M watermark samples, the specific manner of determining the first loss value for training the watermark generator may be: according to the first class probability distribution corresponding to the N initial samples respectively, the real class labels corresponding to the N initial samples respectively, the second class probability distribution corresponding to the M watermark samples respectively and the real class labels corresponding to the M watermark samples respectively, a second loss value for training the classifier can be determined; optimizing the classification parameters of the classifier based on the second loss value, and determining the classification parameters of the classifier as optimal classification parameters when the second loss value is the minimum loss threshold; the classifier containing the optimal classification parameters may then be determined as an optimal classifier, from which the first penalty value for training the watermark generator may be determined, together with the M watermark samples.

It can be understood that the second loss value in the present application may be a cross entropy loss value, and the second loss value used for training the classifier may be determined based on a cross entropy loss function, first class probability distributions corresponding to N initial samples, real class labels corresponding to N initial samples, second class probability distributions corresponding to M watermark samples, and real class labels corresponding to M watermark samples; the classification parameters of the classifier may be optimized according to the second loss value, and may be determined as the optimal classification parameters when the second loss value is the minimum loss threshold. Wherein the minimum loss threshold here may be determined based on the second loss value continuously updated by the training process, which may in particular be the minimum value. For example, based on the cross entropy loss function, the first class probability distribution corresponding to the N initial samples, the real class labels corresponding to the N initial samples, the second class probability distribution corresponding to the M watermark samples, and the real class labels corresponding to the M watermark samples, the determined second loss value is a loss value 1; then, the classification parameters of the classifier can be optimized and adjusted based on the loss value 1, after the optimized and adjusted classification parameters are obtained, the classification parameters of the classifier can be optimized and adjusted based on the classifier after the adjustment parameters, after the optimized and adjusted classification parameters are obtained, new loss values 3 and loss values 4 and … … can be determined based on the classifier after the adjustment and optimization until a minimum loss value is determined according to the first class probability new distribution and the second class probability new distribution, the real class labels corresponding to the N initial samples and the real class labels corresponding to the M watermark samples respectively, then a new second loss value (which can be called as a loss value 2) can be determined, and then the classifier can be optimized and adjusted based on the loss value 2, after the optimized and adjusted classification parameters are obtained, the classifier can be determined based on the principle that the new loss value 3 and the loss value 4 and … … can be the minimum loss value until the minimum loss value is determined, the minimum loss value can be the minimum loss value is the minimum threshold value, the optimal loss value can be determined, and the classifier can be determined as the optimal classifier. The class probability distribution output by the optimal classifier has extremely high accuracy.

Further, according to the optimal classifier and the M watermark samples, a first loss value for training the watermark generator may be determined, and the specific method may be: the M watermark samples can be input into an optimal classifier, and third category probability distribution corresponding to the M watermark samples can be output through the optimal classifier; according to the third class probability distribution corresponding to the M watermark samples respectively and the real class labels corresponding to the M watermark samples respectively, a first loss value used for training the watermark generator can be determined.

It can be understood that the first loss value in the present application may be a cross entropy loss value, and a cross entropy loss function may be obtained, and according to the cross entropy loss function, the third class probability distributions corresponding to the M watermark samples respectively, and the real class labels corresponding to the M watermark samples respectively, the first loss value for training the watermark generator may be generated.

Optionally, in order to better reduce the probability of using the watermark sample by a malicious object, the application can introduce a loss value of average dispersity when training the generation parameter of the watermark generator, and train the generation parameter of the watermark generator together through the loss value of average dispersity. Since the loss of the average dispersity can be used for measuring the dispersion degree of the class of the watermark sample predicted to be incorrect, the higher the average dispersity loss is, the higher the dispersity can be characterized, the higher the efficiency and the higher the maneuverability of the watermark sample can be characterized, and the watermark sample trained by the average dispersity loss value can have the higher efficiency and the higher the maneuverability. That is, the first loss value in the present application may be a loss value composed of the cross entropy loss value and the dispersity loss value, and for a specific implementation manner of determining the dispersity loss value and determining the first loss value according to the cross entropy loss value and the dispersity loss value together, reference may be made to the description in the embodiment corresponding to fig. 3.

It should be noted that, the sample types of each initial sample in the initial sample set in the present application are not limited by the present application, and may be a text type, a voice type, an image type, an audio type, and the like, and for the class probability distribution output by the classifier, it may specifically be a prediction probability distribution of a candidate class of a sample, where the candidate class may be actually determined based on the sample type of the initial sample. For example, where the initial sample is of the image type, the candidate class may include a person class, an animal class, a plant class, and so on; where the initial sample is of audio type, the candidate categories may include chinese category, cantonese category, english category, etc., which will not be further illustrated herein.

And step S103, reversely optimizing the generation parameters of the watermark generator based on the first loss value, and determining the generation parameters of the watermark generator as target generation parameters when the first loss value is the maximum loss threshold value.

In the present application, it should be understood that, if the watermark sample is sufficiently striking, other objects using the sample set are very likely to find the watermark samples with insufficient concealment, and further, the objects can determine what the model prediction results of the watermark samples are, so that the model prediction results can be easily handled maliciously and definitively through the watermark samples. In order to improve the concealment of the watermark sample, so that other objects using the sample set cannot accurately identify the watermark sample, thereby reducing the possibility of malicious attack of the watermark sample. Through reverse optimization, the watermark sample can be provided with enough concealment, and the model trained by the training set is used for carrying out error classification on the watermark sample.

Specifically, for a specific implementation manner of generating the first loss value and performing inverse optimization on the generation parameter of the watermark generator based on the first loss value, the following formula (1) may be shown:

wherein G (x; θ) as shown in equation (1) may be used to characterize the watermark generator, x may be used to characterize a watermark sample; θ may be used to characterize the generation parameters of the watermark generator; w (w)^* The optimal classification parameters that can be used to characterize the classifier (i.e., the classification parameters of the classifier at this time are optimal classification parameters for the optimization); y may be used to characterize the true class label of the watermark sample x;can be used for characterizing the cross entropy loss function, and it is understood that the cross entropy loss value can be obtained by substituting each parameter value into the cross entropy loss function, and watermark generation can be determined when the cross entropy loss value is maximumThe object of the engine generates parameters.

For easy understanding, please refer to formula (2), wherein formula (2) is used for generating the second loss value, and optimizing the classification parameters of the classifier based on the second loss value to obtain the optimal classification parameters (e.g. w shown in formula (1)^* ) As shown in the formula (2):

wherein w is as shown in formula (2)^* Optimal classification parameters that can be used to characterize the classifier; x may be used to characterize a certain watermark sample or a certain initial sample (i.e., x as shown in equation (2) may be any one of the watermark sample as well as the initial sample); y may be used to characterize the true class label of the watermark sample x;the cross entropy loss function can be used for representing the cross entropy loss function, and it is understood that the cross entropy loss value can be obtained after substituting each parameter value into the cross entropy loss function, and when the cross entropy loss value is the minimum value, the optimal classification parameter of the classifier can be determined.

It should be noted that, since the above-mentioned classifier predicts watermark samples and outputs a class probability distribution, the difference between watermark samples affects the output of the classifier, so that the classification parameters of the classifier are actually also closely related to the generation parameters of the watermark generator. Then the determination of the classification parameters may be trained based on the generation parameters of the watermark generator being continuously trained updated while the optimization of the classification parameters is trained. That is, the present application may determine a second loss value (assumed to be a loss value 1) based on the cross entropy loss function, the first class probability distribution corresponding to the N initial samples, the real class labels corresponding to the N initial samples, the second class probability distribution corresponding to the M watermark samples, and the real class labels corresponding to the M watermark samples, respectively; then, the classification parameters of the classifier can be optimized and adjusted based on the loss value 1, after the optimized and adjusted classification parameters are obtained, the first class probability distribution (which can be called as a first class probability new distribution) corresponding to the N initial samples respectively can be output again based on the classifier (which can be called as an intermediate classifier) after the parameters are adjusted, the second class probability distribution (which can be called as a second class probability new distribution) corresponding to the M watermark samples respectively can be output, and the first loss value (which is assumed to be a loss value a) corresponding to the M watermark samples can be determined according to the second class probability new distribution corresponding to the M watermark samples respectively and the real class labels corresponding to the M watermark samples respectively; then, the generation parameters of the watermark generator can be adjusted according to the loss value a, and after the adjusted generation parameters are obtained, a watermark sample with a certain proportion (such as K watermark samples, K is a positive integer) can be generated again based on the watermark generator (which can be called as an intermediate watermark generator) after the adjustment of the generation parameters; then, the first class probability distribution (which may be referred to as a first new probability distribution for convenience of distinction) corresponding to the N initial samples and the second class probability distribution (which may be referred to as a second new probability distribution for convenience of distinction) corresponding to the K watermark samples may be re-outputted based on the intermediate classifier, a new second loss value (which is assumed to be a loss value 2) for training the classifier may be determined based on the first new probability distribution, the second new probability distribution and the real class labels corresponding to the samples, and the classification parameters of the current intermediate classifier may be re-optimized and adjusted based on the loss value 2 to obtain new adjusted classification parameters; based on the new classification parameters after adjustment, new class probability distribution of K watermark samples can be obtained again, and then a new first loss value (assumed to be loss value b) for training the watermark generator can be obtained again, and based on the loss value b, the generation parameters of the watermark generator can be adjusted again. And the two parameters are alternately and circularly adjusted until the classification parameters meet the conditions, so that the optimal classification parameters are obtained, and the final target generation parameters are obtained based on the optimal classification parameters.

Step S104, determining a watermark generator containing target generation parameters as a target watermark generator, inputting N initial samples into the target watermark generator, and watermark implantation is carried out on Q initial samples in the initial sample set through the target watermark generator to obtain Q target watermark samples; q is a positive integer less than or equal to N; and the Q target watermark samples are used for carrying out sample ownership detection on the model to be detected together with the N initial samples.

In the application, after the target watermark generator is determined, N initial samples can be input to the target watermark generator, and Q initial samples in the initial sample set can be subjected to watermark implantation through the target watermark generator to obtain Q target watermark samples. In the scenario of protecting the sample set, the owner of the initial sample set may perform sample ownership detection on the suspicious model (to-be-detected model) based on the Q target watermark samples and the N initial samples, where the to-be-detected model may refer to a possible model that is trained by using the sample set illegally, for example, a model may be a model that is obtained by training using the sample set without authorization of a user, and the model may be referred to as a to-be-detected model.

For example, if the initial sample set is an open source sample set, the initial sample corresponding to each target watermark sample in the N initial samples may be determined as a target initial sample; then, the Q target initial samples and the Q target watermark samples can be determined to be a target training set; the owner of the sample set can deploy the target training set on the line as an open source training set for normal use by the user; if there is a possibility that an object uses the target training set abnormally (e.g., the object uses the target training set illegally to train a model, i.e., a certain model may be obtained by training based on the target training set illegally), the model to be detected may be detected according to Q target watermark samples in the target training set. The application can detect the ownership of the target training set according to Q target initial samples and Q target watermark samples, so as to detect whether the model to be detected is a model trained based on the target training set.

Specifically, the application can adopt a hypothesis test method to detect ownership of the model to be detected, that is, the sample ownership detection method for the model to be detected can be the hypothesis test method, and Q target watermark samples comprise the target watermark samples S_j The Q target initial samples comprise target watermark samples S_j Corresponding target initial sample T_j (j is a positive integer) target watermark sample S_j With the target initial sample T_j The true category labels of (a) are all true category labels Z_j For example, for the detection of ownership of the target training set according to Q target initial samples and Q target watermark samples, the specific implementation manner of the to-be-detected model may be: a first original assumption that the first probability value is the sum of the second probability value and a first preset value can be constructed; wherein the first probability value may be a target initial sample T of the model to be detected_j In the output result of (a), the true category label Z_j Is used for predicting the probability value of the model; the second probability value may be the target watermark sample S for the model to be detected_j In the output result of (a), the true category label Z_j Is used for predicting the probability value of the model; based on the first original assumption, target initial sample T_j Target watermark sample S_j A first saliency check value may be calculated; if the significance test value is lower than the first significance level value, determining that the first original assumption is an invalid assumption, and determining the model attribute of the model to be detected as the ownership abnormal attribute; the ownership anomaly property can be used for representing a model to be detected as a model obtained by training based on a target training set.

It will be appreciated that the hypothesis testing method in the present application may be a paired T test method. In an actual scenario, the model to be detected may be a classification model, and the output result of the model to be detected may be a prediction probability for each candidate class in the candidate class set, that is, the output result of the detection model is also a class probability distribution (may be referred to as a class probability distribution to be detected) for each sample data. For example, assuming that the candidate class set includes 3 candidate classes, which are candidate class 1, candidate class 2, and candidate class 3, respectively, the output result of the model to be detected for a certain sample data may include a prediction probability for candidate class 1, a prediction probability for candidate class 2, and a prediction probability for candidate class 3. For example, the specific example may be (candidate class 1:0.4; candidate class 2:0.3: candidate class 3:0.3), that is, for the sample data, the prediction probability of the model to be detected, which belongs to candidate class 1, is 0.4, the prediction probability of the model to be detected, which belongs to candidate class 1, is 0.3, and the prediction probability of the model to be detected, which belongs to candidate class 3, is 0.3. Based on the above, when determining that the output result of the model to be detected is the prediction probabilities for the plurality of candidate categories, respectively, it may be assumed that the variation of the probabilities follows a normal distribution or an approximately normal distribution. At this time, the hypothesis testing method may be a T testing method, which may perform hypothesis testing based on the variation of the probability value.

It can be appreciated that the application can be applied to a target initial sample T in a model to be detected_j In the output result of (2), the tag Z belonging to the true category is obtained_j The predicted probability value may be referred to as a first probability value; or the target watermark sample S can be aimed at in the model to be detected_j In the output result of (2), the tag Z belonging to the true category is obtained_j Which may be referred to as a second probability value. The application can construct the original assumption H0: p_b=p_p+τ, where p_b may be used to characterize the first probability value described above; p_p may be used to characterize the second probability value; τ may be used to represent the first preset value (τ may be specifically a super parameter, and the value is usually between 0 and 1 (and includes 0 and 1), which may be specifically set according to the actual scenario).

Further, the present application may calculate a saliency check value (such as the first saliency check value) based on the original hypothesis H0, the sample data of the initial sample, and the sample data of the watermark sample, where the saliency check value may be used for characterizing a probability that the original hypothesis is true, the saliency check value may be specifically a P value in statistics, and for a specific calculation process of the P value, the principle of calculating the P value in statistics is the same, and the embodiments of the present application will not be described in detail. It should be understood that if the first saliency test value saliency level (which may be referred to as a first saliency level value by the present application, for determining the content of the first saliency level value, the principle of determining the saliency level in statistics is the same as that of determining the saliency level in statistics, which will not be described in detail in the present embodiment), it may be determined that the first original hypothesis H0 is rejected, and at this time, it may be determined that a model to be detected is a model trained by the target training set, and the attribute of the model to be detected is an attribute of ownership abnormality.

It will be appreciated that due to the target watermark sample S_j Watermark sample for watermark implantation, while the target watermark sample S_j True class label of (c) and target initial sample T_j Is consistent with the true category labels of (c), and is not adjusted. However because of the target watermark sample S_j Is watermarked, the true category of which may also change, i.e. the target watermark sample S_j Is actually matched with the target initial sample T_j Is not identical, then for the target watermark sample S_j Which belongs to the true category label Z_j Should be a small value; for a target initial sample T_j Which belongs to the true category label Z_j The predicted probability value of (2) should be a larger value. If the first original assumption is true, the model to be detected can be characterized as not having the related knowledge of the watermark sample, and the model to be detected is not a model trained based on the target training set. Conversely, if the first original hypothesis is rejected, the first original hypothesis may be characterized as an invalid hypothesis, and the output result of the detection model is given to the target watermark sample S_j Which belongs to the true category label Z_j The predicted probability value of (2) is a larger value, the model to be detected can be characterized to have the related knowledge of watermark samples, the model to be detected can be determined to be a model which is obtained by training based on a target training set, and the model to be detected has ownership abnormal properties.

It should be understood that, by means of reversely optimizing the watermark generator by the first loss value, the concealment of the watermark sample can be improved, meanwhile, the real label of the watermark sample can be ensured to be an original label, and under the condition that the label of the sample is not changed, the model to be detected can be accurately inspected based on the method of hypothesis testing, so that the ownership protection of the sample set is realized, and the data security of the sample set is improved.

Alternatively, as can be seen from the foregoing, the present application may perform ownership detection on the model to be detected by using a hypothesis testing method, that is, the sample ownership detection method for the model to be detected may be a hypothesis testing method, and instead of using a method of constructing the first original hypothesis, the present application may perform ownership detection by using a method of constructing the second original hypothesis. The Q target watermark samples comprise target watermark samples S_j The Q target initial samples comprise target watermark samples S_j Corresponding target initial sample T_j (j is a positive integer) target watermark sample S_j With the target initial sample T_j The true category labels of (a) are all true category labels Z_j For example, for the detection of ownership of the target training set according to Q target initial samples and Q target watermark samples, the specific implementation manner of the to-be-detected model may be: a second original assumption that the third probability value is larger than the sum of the fourth probability value and a second preset value can be constructed; the third probability value is the target initial sample T of the model to be detected_j In the output result of (a), the true category label Z_j Is used for predicting the probability value of the model; the fourth probability value is that the model to be detected aims at the target watermark sample S_j In the output result of (a), the true category label Z_j Is used for predicting the probability value of the model; based on the second original assumption, target initial sample T_j Target watermark sample S_j Calculating a second significance test value; if the second significance test value is lower than the second significance level value, determining that the second original assumption is an invalid assumption, and determining the model attribute of the model to be detected as an ownership abnormal attribute; the ownership anomaly attribute is used for representing the model to be detected as a model which is obtained by training based on the target training set.

It will be appreciated that the hypothesis testing method in the present application may be a paired T test method. In an actual scenario, the model to be detected may be a classification model, and the output result of the model to be detected may be a prediction probability for each candidate class in the candidate class set, that is, the output result of the detection model is also a class probability distribution (may be referred to as a class probability distribution to be detected) for each sample data. For example, assuming that the candidate class set includes 3 candidate classes, which are candidate class 1, candidate class 2, and candidate class 3, respectively, the output result of the model to be detected for a certain sample data may include a prediction probability for candidate class 1, a prediction probability for candidate class 2, and a prediction probability for candidate class 3. For example, the specific example may be (candidate class 1:0.4; candidate class 2:0.3: candidate class 3:0.3), that is, for the sample data, the prediction probability of the model to be detected, which belongs to candidate class 1, is 0.4, the prediction probability of the model to be detected, which belongs to candidate class 1, is 0.3, and the prediction probability of the model to be detected, which belongs to candidate class 3, is 0.3. Based on the above, when determining that the output result of the model to be detected is the prediction probabilities for the plurality of candidate categories, respectively, it may be assumed that the variation of the probabilities follows a normal distribution or an approximately normal distribution. At this time, the hypothesis testing method may be a T testing method, which may perform hypothesis testing based on the variation of the probability value.

It can be appreciated that the application can be applied to a target initial sample T in a model to be detected_j In the output result of (2), the tag Z belonging to the true category is obtained_j The predicted probability value may be referred to as a third probability value; or the target watermark sample S can be aimed at in the model to be detected_j In the output result of (2), the tag Z belonging to the true category is obtained_j May be referred to as a fourth probability value. The application can construct the original assumption H1: p_b>P_p+τ, where p_b may be used to characterize the third probability value described above; p_p may be used to characterize the fourth probability value described above; τ may be used to represent the second preset value (τ may be specifically a super parameter, and the value is usually between 0 and 1 (and includes 0 and 1), which may be specifically set according to the actual scenario).

Further, the present application may calculate a saliency check value (such as the second saliency check value) based on the original hypothesis H1, the sample data of the initial sample, and the sample data of the watermark sample, where the saliency check value may be used for characterizing a probability that the original hypothesis is true, the saliency check value may be specifically a P value in statistics, and for a specific calculation process of the P value, the principle of calculating the P value in statistics is the same, and the embodiments of the present application will not be described in detail. It should be understood that if the second salience check value salience level (which may be referred to as a second salience level value in the present application, for determining the content of the second salience level value, the principle of determining the salience level in statistics is the same as that of determining the salience level in statistics, which will not be described in detail in the present embodiment), it may be determined that the first original hypothesis H1 is rejected, and at this time, it may be determined that the model to be detected is a model trained by the target training set, and the attribute of the model to be detected is an attribute of ownership abnormality.

It will be appreciated that due to the target watermark sample S_j Watermark sample for watermark implantation, while the target watermark sample S_j True class label of (c) and target initial sample T_j Is consistent with the true category labels of (c), and is not adjusted. However because of the target watermark sample S_j Is watermarked, the true class of which may also change, i.e. the target watermark sample S_j Is actually matched with the target initial sample T_j Is not identical, then for the target watermark sample S_j Which belongs to the true category label Z_j Should be a small value; for a target initial sample T_j Which belongs to the true category label Z_j The predicted probability value of (2) should be a larger value. If the first original assumption is true, the model to be detected can be characterized as not having the related knowledge of the watermark sample, and the model to be detected is not a model trained based on the target training set. Conversely, if the first original hypothesis is rejected, the first original hypothesis may be characterized as an invalid hypothesis, and the output result of the detection model is given to the target watermark sample S_j Which belongs to the true category label Z_j The predicted probability value of (2) is a larger value, and can be characterized The model to be detected has the relevant knowledge of watermark samples, and can be determined to be a model which is obtained by training based on a target training set and has ownership abnormal properties.

Alternatively, it may be understood that, after training based on the target training set, the owner of the target training set obtains a certain model, if ownership protection of the model is desired (the model may be referred to as a model to be protected), ownership protection may also be performed on the model based on the target training set, and whether a certain model to be detected is obtained based on the model to be protected may be checked based on the above-mentioned hypothesis testing method. The specific implementation mode is as follows: the initial sample corresponding to each target watermark sample in the N initial samples can be determined as a target initial sample; then, a sample set formed by the Q target watermark samples and the rest initial samples can be determined as a target training set; the rest initial samples refer to initial samples except for Q target initial samples in N initial samples; then, training the model to be protected based on the target training set to obtain a target protection model; and detecting ownership of the target protection model according to the Q target initial samples and the Q target watermark samples.

In the embodiment of the application, a watermark generator can be adopted to implant part of initial samples in the initial sample set to obtain target watermark samples, and then sample ownership detection is carried out on a model to be detected based on the target watermark samples and the initial samples (whether the model to be detected illegally uses the target watermark samples and the initial samples or not is detected). Because the sample ownership is detected based on the target watermark sample when the model to be detected is detected, if the model to be detected is a model trained by using the target watermark sample and the initial sample, the model to be detected can learn the relevant experience knowledge of the target watermark sample, so that whether the target watermark sample and the initial sample are illegally used can be determined by identifying whether the model to be detected has the relevant knowledge of the target watermark sample. The method and the device can improve the concealment of the target watermark sample output by the watermark generator and improve the safety of the sample in a mode of reversely optimizing the generation parameters of the watermark generator based on the loss value; meanwhile, by means of watermark implantation, the usability of the sample set can be well ensured without any form of encryption on the initial sample set. In conclusion, the application can improve the safety of the training sample and the usability of the training sample. It can be appreciated that the method provided by the embodiment of the application can be applied to any scene where protection of the sample data set is expected, and by the embodiment of the application, the concealment and the safety of the data set can be improved, and whether other objects illegally use the data set to be protected can be well checked.

Further, it can be seen from the above that the present application can introduce the loss value of the average dispersity into the training watermark generator, i.e. for the above-mentioned first loss value, it can be determined by the loss value of the average dispersity (which can be referred to as a dispersity loss value) together with the cross entropy loss value. For ease of understanding, please refer to fig. 3, fig. 3 is a schematic flow chart of determining a first loss value based on a dispersity loss value according to an embodiment of the present application. The process may correspond to the process of generating the dispersity loss value and generating the first loss value for training the watermark generator according to the dispersity loss value and the cross entropy loss value in the embodiment corresponding to fig. 2. As shown in fig. 3, the flow may include at least the following steps S301 to S303:

step S301, obtaining an average dispersion function, and determining dispersion loss values corresponding to M watermark samples according to third category probability distribution and the average dispersion function corresponding to the M watermark samples.

In particular, the average dispersity will be described herein with preference for ease of understanding. Taking the example of x representing a certain sample data and y representing a candidate class of the sample data, the average dispersity can be specifically shown as the formula (3):

Wherein D is as shown in formula (3)_p Can be used for representing the average dispersity; p (P)^(j) The classification probability distribution on the sample data with j of each real classification label, which is output by the classifier, can be used for representing the classification probability distribution; h () can be used to characterize the entropy, i.e., H (P)^(j) ) Entropy of class probability distribution on sample data which can be used for representing a certain real class label as j; n may be used to characterize the total number of samples contained in the sample data (e.g., the total number of initial samples contained in the initial sample set). For easy understanding, please refer to formula (4), wherein formula (4) is used for determining the above P^(j) As shown in the formula (4):

wherein C (x) is as shown in formula (4)_k ) =i can be used to characterize the predicted probability value belonging to the i candidate class in the class probability distribution of a certain sample data (true class label j);the prediction probability value belonging to the ith candidate class in the class probability distribution under the condition that the real class label of a certain sample data is j can be understood, namely the prediction probability value is actually a conditional probability value; />The method can be used for representing the average value of the predicted probability values belonging to the ith candidate class in all sample data with real class labels j.

It should be appreciated that the average dispersion loss value may measure the degree of dispersion of the type of error in which the watermark sample was estimated, a higher degree of dispersion may characterize the greater efficiency and operability of the watermark sample, while in the present application the dispersion loss value may be incorporated into the training generation parameters, however, for the average dispersion D described above_p Is not able to enter due to its non-microminiaturizable natureLine direct optimization, in order to be able to optimize the loss of average dispersity, embodiments of the present application may introduce a method capable of replacing the average dispersity D described above_p To optimize the dispersibility. Specifically, the embodiment of the application can introduce the dispersity of the average sample level and the dispersity of the average class level, and optimize the dispersity of the average sample level or the dispersity of the average class level, thereby producing the same optimization effect. The average dispersity function here may be specifically a dispersity function (may be referred to as a first dispersity function) for calculating an average dispersity of sample levels of the M watermark samples, or may be a dispersity function (may be referred to as a second dispersity function) for calculating an average dispersity of class levels of the M watermark samples.

When the average dispersivity function is the first dispersivity function, M watermark samples comprise watermark samples K_i For example, for determining the dispersity loss value corresponding to the M watermark samples according to the third class probability distribution and the average dispersity function corresponding to the M watermark samples, the specific implementation manner of determining the third class probability distribution corresponding to the M watermark samples may be: the maximum prediction probability can be obtained in the third class probability distribution corresponding to the watermark sample Ki according to the first dispersity function, and then the candidate class corresponding to the maximum prediction probability can be determined as the sample prediction class of the watermark sample Ki; according to the first dispersity function, entropy of a sample prediction class of the watermark sample Ki can be calculated, and the entropy of the sample prediction class of the watermark sample Ki can be determined as class entropy corresponding to the watermark sample Ki; when calculating class entropies corresponding to the M watermark samples respectively, summing the M class entropies to obtain operation class entropies; then, a first sample total number of the M watermark samples may be obtained, an average class entropy may be determined according to the operation class entropy and the first sample total number, and the average class entropy may be determined as a dispersity loss value corresponding to the M watermark samples.

Specifically, when the average dispersion function is the first dispersion function, the specific implementation manner for determining the dispersion loss value may be as shown in the formula (5):

wherein D is as shown in formula (5)_s Can be used to characterize the dispersion of the average sample level; x is x_i Can be used to characterize a certain watermark sample; f (x)_i ) Can be used for characterizing a classifier on a watermark sample x_i (which may be specifically a class probability distribution); h () can be used for the surface solicitation of entropy, and the obtained entropy can be called as category entropy; n may be used to characterize the total number of samples (the first total number of samples) that the N watermark samples contain.

When the average dispersion function is the second dispersion function, M watermark samples are used for comprising watermark sample K_i For example, for determining the dispersity loss value corresponding to the M watermark samples according to the third class probability distribution and the average dispersity function corresponding to the M watermark samples, the specific implementation manner of determining the third class probability distribution corresponding to the M watermark samples may be: b watermark samples with real class labels being preset class labels in M watermark samples can be determined to be watermark samples to be counted according to a second dispersion function; wherein the candidate category set comprises a preset category label; b is a positive integer less than or equal to M; then, in third category probability distribution corresponding to the B watermark samples to be counted respectively, presetting prediction probability corresponding to category labels, and determining the prediction probability as label prediction probability; and then, carrying out summation operation processing on the B tag prediction probabilities to obtain operation tag probabilities, and determining dispersion degree loss values corresponding to the M watermark samples according to the second dispersion degree function and the operation tag probabilities.

For the specific implementation manner that the dispersity loss value corresponding to the M watermark samples can be determined according to the second dispersity function and the operation label probability, the specific implementation manner may be as follows: the total number of second samples of the B watermark samples to be counted can be obtained, and the average tag probability can be determined according to the operation tag probability and the total number of the second samples; according to the second dispersion function, the entropy of the average label probability can be calculated, and the entropy of the average label probability is determined as the label entropy of the preset class label; according to the label entropy of the preset class label and the second dispersion function, the dispersion loss value corresponding to the M watermark samples can be determined.

Specifically, when the average dispersion function is the second dispersion function, the specific implementation manner for determining the dispersion loss value may be as shown in the formula (6):

wherein D is as shown in formula (6)_c Can be used to characterize the dispersion of the average class level; x is x_i Can be used for representing a certain watermark sample to be counted;can be used to characterize conditional probability values, which can be used in particular to characterize watermark samples x with a certain true class label j (j can be called preset class label)_i The predicted probability value (namely the tag predicted probability) of the real category tag in the category probability distribution; n may be used to characterize the total number of M watermark samples (the second sample total number); h () may be used to characterize the found entropy value, which may be referred to as the tag entropy. When the average dispersion function is the second dispersion function, the dispersion loss values of the M watermark samples can be obtained by the method shown in the above formula (6).

Step S302, a cross entropy loss function is obtained, and cross entropy loss values corresponding to M watermark samples are determined according to the cross entropy loss function, third category probability distribution corresponding to the M watermark samples respectively, and real category labels corresponding to the M watermark samples respectively.

Specifically, for a specific implementation manner of determining the cross entropy loss value corresponding to the M watermark samples according to the cross entropy loss function, the third class probability distribution corresponding to the M watermark samples respectively, and the real class labels corresponding to the M watermark samples respectively, reference may be made to the description in the above formula (1), and details will not be repeated here.

Step S303, generating a first loss value for training a watermark generator according to the dispersity loss value and the cross entropy loss value.

Specifically, after determining the dispersity loss value and the cross entropy loss value, the first loss value may be determined together according to the cross entropy loss value and the dispersity loss value, which may be specifically implemented as: a first coefficient corresponding to the dispersity loss value and a second coefficient corresponding to the cross entropy loss value can be obtained; then, the first coefficient and the dispersity loss value can be subjected to operation processing to obtain a first operation loss value; the second coefficient and the cross entropy loss value can be subjected to operation processing to obtain a second operation loss value; the first and second operational penalty values may be summed to obtain a first penalty value for training the watermark generator.

For ease of understanding, please refer to formula (7), formula (7) may be a specific implementation of jointly determining a first loss value based on the cross entropy loss value and the dispersity loss value, and optimizing the generation parameters of the watermark generator based on the first loss value, as shown in formula (7):

wherein for the formula (7)G(x；θ)、θ、w^* Reference is made to the description of formula (1) above, and further description will not be given here. Lambda as in formula (7)₁ A second coefficient that can be used to characterize the cross entropy loss value (since the cross entropy loss value is an essential option for determining the first loss value, this second coefficient can be fixed in particular to a value of 1); d () may be used to characterize the dispersity loss value, which may be specifically D as described above_s Or D_p ；λ₂ First corresponding to a loss of dispersity valueThe coefficient (since the dispersion loss value is an option to determine the first loss value, then the first coefficient may be a value of 0 if one is possible). It should be appreciated that the present application may alternatively optimize the generation parameter θ and the classification parameter w by alternatively optimizing the lower layer and the upper layer (e.g., w may be optimized first, then a new class probability distribution is output based on the optimized w, then θ is optimized reversely based on the new class probability distribution, then a new watermark sample is generated based on the reversely optimized θ, then a new second loss value is generated based on the new watermark sample and the initial sample, and the current w is optimized again, and then θ is optimized reversely; for a specific way of optimizing the classification parameter w to obtain w, reference may be made to the above formula (2), which will not be described in detail here.

In the embodiment of the application, a watermark generator can be adopted to implant part of initial samples in the initial sample set to obtain target watermark samples, and then sample ownership detection is carried out on a model to be detected based on the target watermark samples and the initial samples (whether the model to be detected illegally uses the target watermark samples and the initial samples or not is detected). Because the sample ownership is detected based on the target watermark sample when the model to be detected is detected, if the model to be detected is a model trained by using the target watermark sample and the initial sample, the model to be detected can learn the relevant experience knowledge of the target watermark sample, so that whether the target watermark sample and the initial sample are illegally used can be determined by identifying whether the model to be detected has the relevant knowledge of the target watermark sample. The method and the device can improve the concealment of the target watermark sample output by the watermark generator and improve the safety of the sample in a mode of reversely optimizing the generation parameters of the watermark generator based on the loss value; meanwhile, by means of watermark implantation, the usability of the sample set can be well ensured without any form of encryption on the initial sample set. In conclusion, the application can improve the safety of the training sample and the usability of the training sample.

Further, referring to fig. 4, fig. 4 is a schematic structural diagram of a data processing apparatus according to an embodiment of the present application. The data processing apparatus may be a computer program (including program code) running in a computer device, for example the data processing apparatus is an application software; the data processing device may be used to perform the method shown in fig. 3. As shown in fig. 4, the data processing apparatus 1 may include: watermark implantation module 11, loss generation module 12, inverse optimization module 13 and sample generation module 14.

The watermark implantation module 11 is configured to input the initial sample set to a watermark generator, and watermark implant M initial samples in the initial sample set through the watermark generator to obtain M watermark samples; m is a positive integer less than or equal to N, N is the number of initial samples contained in the initial sample set;

the loss generation module 12 is configured to obtain a first class prediction probability distribution corresponding to each of the N initial samples, and a second class prediction probability distribution corresponding to each of the M watermark samples;

the loss generation module 12 is further configured to determine a first loss value for training the watermark generator according to the first class probability distribution corresponding to the N initial samples, the real class labels corresponding to the N initial samples, the second class probability distribution corresponding to the M watermark samples, and the real class labels corresponding to the M watermark samples;

A reverse optimization module 13, configured to reversely optimize a generation parameter of the watermark generator based on the first loss value, and determine the generation parameter of the watermark generator as a target generation parameter when the first loss value is the maximum loss threshold;

the sample generation module 14 is configured to determine a watermark generator including a target generation parameter as a target watermark generator, input N initial samples to the target watermark generator, and watermark-implant Q initial samples in the initial sample set by the target watermark generator to obtain Q target watermark samples; q is a positive integer less than or equal to N; and the Q target watermark samples are used for carrying out sample ownership detection on the model to be detected together with the N initial samples.

The specific implementation manners of the watermark implantation module 11, the loss generation module 12, the inverse optimization module 13, and the sample generation module 14 may be referred to the description of step S101 to step S104 in the embodiment corresponding to fig. 2, and will not be described herein.

In one embodiment, the first class prediction probability distribution corresponding to the N initial samples is obtained by inputting the N initial samples into a classifier and outputting the N initial samples from the classifier; the second class probability distribution corresponding to the M watermark samples is obtained by inputting the M watermark samples into a classifier and outputting the M watermark samples from the classifier;

The loss generation module 12 may include: a value generation unit 121, a parameter optimization unit 122, and a loss determination unit 123.

A value generating unit 121, configured to determine a second loss value for training the classifier according to the first class probability distribution corresponding to the N initial samples, the real class label corresponding to the N initial samples, the second class probability distribution corresponding to the M watermark samples, and the real class label corresponding to the M watermark samples;

a parameter optimization unit 122, configured to optimize the classification parameter of the classifier based on the second loss value, and determine the classification parameter of the classifier as an optimal classification parameter when the second loss value is the minimum loss threshold;

a loss determination unit 123 for determining a classifier including an optimal classification parameter as an optimal classifier;

the loss determination unit 123 is further configured to determine a first loss value for training the watermark generator according to the optimal classifier and the M watermark samples.

The specific implementation manners of the value generating unit 121, the parameter optimizing unit 122, and the loss determining unit 123 may be referred to the description in step S102 in the embodiment corresponding to fig. 2, and will not be described herein.

In one embodiment, the loss determination unit 123 may include: the probability output subunit 1231 and the loss determination subunit 1232.

The probability output subunit 1231 is configured to input the M watermark samples to an optimal classifier, and output, by the optimal classifier, third category probability distributions corresponding to the M watermark samples respectively;

the loss determination subunit 1232 is configured to determine a first loss value for training the watermark generator according to the third class probability distribution corresponding to the M watermark samples, and the real class labels corresponding to the M watermark samples.

The specific implementation manner of the probability output subunit 1231 and the loss determination subunit 1232 may be referred to the description in step S102 in the embodiment corresponding to fig. 2, and will not be described herein.

In one embodiment, the loss determining subunit 1232 is further specifically configured to obtain an average dispersion function, and determine dispersion loss values corresponding to the M watermark samples according to the third class probability distribution and the average dispersion function corresponding to the M watermark samples, respectively;

the loss determination subunit 1232 is further specifically configured to obtain a cross entropy loss function, and determine cross entropy loss values corresponding to the M watermark samples according to the cross entropy loss function, third category probability distributions corresponding to the M watermark samples, and real category labels corresponding to the M watermark samples, respectively;

The loss determination subunit 1232 is further specifically configured to generate a first loss value for training the watermark generator according to the dispersity loss value and the cross entropy loss value.

In one embodiment, the loss determination subunit 1232 is further specifically configured to obtain a first coefficient corresponding to the dispersity loss value and a second coefficient corresponding to the cross entropy loss value;

the loss determination subunit 1232 is further specifically configured to perform an operation process on the first coefficient and the dispersity loss value to obtain a first operation loss value;

the loss determination subunit 1232 is further specifically configured to perform an operation process on the second coefficient and the cross entropy loss value to obtain a second operation loss value;

the loss determination subunit 1232 is further specifically configured to perform a summation operation on the first operation loss value and the second operation loss value, to obtain a first loss value for training the watermark generator.

In one embodiment, the average dispersity function is a first dispersity function for calculating an average dispersity at a sample level of the M watermark samples; the M watermark samples comprise watermark samples K_i I is a positive integer; the third category probability distribution corresponding to the M watermark samples respectively comprises the prediction probability corresponding to each candidate category in the candidate category set;

The loss determination subunit 1232 is further specifically configured to, according to the first dispersity function, determine, at the watermark sample K_i Obtaining the maximum prediction probability in the corresponding third category probability distribution, and determining the candidate category corresponding to the maximum prediction probability as a watermark sample K_i Is a sample prediction class of (2);

the loss determination subunit 1232 is further specifically configured to calculate the watermark samples K according to the first dispersity function_i Entropy of sample prediction class of (2) watermark sample K_i Entropy determination of sample prediction class of (2) as watermark sample K_i Corresponding class entropy;

the loss determination subunit 1232 is further specifically configured to, when calculating class entropies corresponding to the M watermark samples, perform summation operation on the M class entropies to obtain operation class entropies;

the loss determination subunit 1232 is further specifically configured to obtain a first sample total number of M watermark samples, determine an average class entropy according to the operation class entropy and the first sample total number, and determine the average class entropy as a dispersity loss value corresponding to the M watermark samples.

In one embodiment, the average dispersion function is a second dispersion function, the second dispersion function being used to calculate an average dispersion for class levels of the M watermark samples; the third category probability distribution corresponding to the M watermark samples respectively comprises the prediction probability corresponding to each candidate category in the candidate category set;

The loss determination subunit 1232 is further specifically configured to determine, according to a second dispersion function, B watermark samples with a real class label being a preset class label, from the M watermark samples, as watermark samples to be counted; the candidate category set comprises a preset category label; b is a positive integer less than or equal to M;

the loss determination subunit 1232 is further specifically configured to determine, as a tag prediction probability, a prediction probability corresponding to a preset class tag in third class probability distributions corresponding to the B watermark samples to be counted, respectively;

the loss determination subunit 1232 is further specifically configured to sum the B tag prediction probabilities to obtain an operation tag probability, and determine a dispersity loss value corresponding to the M watermark samples according to the second dispersity function and the operation tag probability.

In one embodiment, the loss determination subunit 1232 is further specifically configured to obtain a second total number of samples of the B watermark samples to be counted, and determine an average tag probability according to the operation tag probability and the second total number of samples;

the loss determination subunit 1232 is further specifically configured to calculate, according to the second dispersion function, entropy of the average tag probability, and determine the entropy of the average tag probability as the tag entropy of the preset category tag;

The loss determination subunit 1232 is further specifically configured to determine a dispersity loss value corresponding to the M watermark samples according to a label entropy of the preset class label and the second dispersity function.

In one embodiment, the data processing apparatus 1 may further include: the target sample determination module 15 and the first model detection module 16.

The target sample determining module 15 is configured to determine, as a target initial sample, an initial sample corresponding to each target watermark sample among the N initial samples;

the first model detection module 16 is configured to perform ownership detection for the target training set on the model to be detected according to the Q target initial samples and the Q target watermark samples; the target training set is a sample set composed of Q target watermark samples and residual initial samples, and the residual initial samples are initial samples except for the Q target initial samples in the N initial samples.

For a specific implementation manner of the target sample determining module 15 and the first model detecting module 16, reference may be made to the description in step S104 in the embodiment corresponding to fig. 2, and the description will not be repeated here.

In one embodiment, the sample ownership detection method for the model to be detected is a hypothesis testing method; q target watermark samples comprise target watermark samples S_j The Q target initial samples comprise target watermark samples S_j Corresponding target initial sample T_j J is a positive integer; target watermark sample S_j With the target initial sample T_j The true category labels of (a) are all true category labels Z_j ；

The first model detection module 16 may include: the first hypothesis building unit 161, the first value calculating unit 162 and the first attribute determining unit 163.

A first hypothesis building unit 161, configured to build a first original hypothesis in which the first probability value is a sum of the second probability value and a first preset value; the first probability value is the initial sample T of the model to be detected aiming at the target_j In the output result of (a), the true category label Z_j Is used for predicting the probability value of the model; the second probability value is that the model to be detected aims at the target watermark sample S_j In the output result of (a), the true category label Z_j Is used for predicting the probability value of the model;

a first value calculation unit 162 for calculating a target initial sample T based on the first original assumption_j Target watermark sample S_j Calculating a first significance test value;

a first attribute determining unit 163, configured to determine that the first original assumption is an invalid assumption and determine a model attribute of the model to be detected as an ownership anomaly attribute if the saliency check value is lower than the first saliency level value; the ownership anomaly attribute is used for representing the model to be detected as a model which is obtained by training based on the target training set.

The specific implementation manner of the first hypothesis building unit 161, the first value calculating unit 162 and the first attribute determining unit 163 may be referred to the description in step S104 in the embodiment corresponding to fig. 2, and will not be described herein.

In one embodiment of the present invention, in one embodiment,the sample ownership detection method for the model to be detected is a hypothesis testing method; q target watermark samples comprise target watermark samples S_j The Q target initial samples comprise target watermark samples S_j Corresponding target initial sample T_j J is a positive integer; target watermark sample S_j With the target initial sample T_j The true category labels of (a) are all true category labels Z_j ；

The first model detection module 16 may include: a second hypothesis building unit 164, a second value calculating unit 165 and a second attribute determining unit 166.

A second hypothesis building unit 164, configured to build a second original hypothesis in which the third probability value is greater than a sum of the fourth probability value and a second preset value; the third probability value is the target initial sample T of the model to be detected_j In the output result of (a), the true category label Z_j Is used for predicting the probability value of the model; the fourth probability value is that the model to be detected aims at the target watermark sample S_j In the output result of (a), the true category label Z_j Is used for predicting the probability value of the model;

a second value calculation unit 165 for calculating a target initial sample T based on a second original assumption_j Target watermark sample S_j Calculating a second significance test value;

a second attribute determining unit 166, configured to determine that the second original assumption is an invalid assumption and determine the model attribute of the model to be detected as an ownership anomaly attribute if the second saliency check value is lower than the second saliency level value; the ownership anomaly attribute is used for representing the model to be detected as a model which is obtained by training based on the target training set.

The specific implementation manner of the second hypothesis building unit 164, the second value calculating unit 165 and the second attribute determining unit 166 may refer to the description of step S104 in the embodiment corresponding to fig. 2, which will not be repeated here.

In one embodiment, the data processing apparatus 1 may further include: a training set determination module 17, a model training module 18 and a second model detection module 19.

The training set determining module 17 is configured to determine, as a target initial sample, an initial sample corresponding to each target watermark sample among N initial samples;

the training set determining module 17 is further configured to determine a sample set formed by the Q target watermark samples and the remaining initial samples together as a target training set; the remaining initial samples refer to initial samples except for the Q target initial samples in the N initial samples;

The model training module 18 is configured to train the model to be protected based on the target training set to obtain a target protection model;

and the second model detection module 19 is used for detecting ownership of the target protection model for the model to be detected according to the Q target initial samples and the Q target watermark samples.

The specific implementation manner of the training set determining module 17, the model training module 18 and the second model detecting module 19 may be referred to the description of step S104 in the embodiment corresponding to fig. 2, and will not be described herein.

In the embodiment of the application, a watermark generator can be adopted to implant part of initial samples in the initial sample set to obtain target watermark samples, and then sample ownership detection is carried out on a model to be detected based on the target watermark samples and the initial samples (whether the model to be detected illegally uses the target watermark samples and the initial samples or not is detected). Because the sample ownership is detected based on the target watermark sample when the model to be detected is detected, if the model to be detected is a model trained by using the target watermark sample and the initial sample, the model to be detected can learn the relevant experience knowledge of the target watermark sample, so that whether the target watermark sample and the initial sample are illegally used can be determined by identifying whether the model to be detected has the relevant knowledge of the target watermark sample. The method and the device can improve the concealment of the target watermark sample output by the watermark generator and improve the safety of the sample in a mode of reversely optimizing the generation parameters of the watermark generator based on the loss value; meanwhile, by means of watermark implantation, the usability of the sample set can be well ensured without any form of encryption on the initial sample set. In conclusion, the application can improve the safety of the training sample and the usability of the training sample.

Further, referring to fig. 5, fig. 5 is a schematic structural diagram of a computer device according to an embodiment of the present application. As shown in fig. 5, the data processing apparatus 1 in the embodiment corresponding to fig. 4 may be applied to the computer device 8000, and the computer device 8000 may include: processor 8001, network interface 8004, and memory 8005, and further, the above-described computer device 8000 further includes: a user interface 8003, and at least one communication bus 8002. Wherein a communication bus 8002 is used to enable connected communications between these components. The user interface 8003 may include a Display screen (Display), a Keyboard (Keyboard), and the optional user interface 8003 may also include standard wired, wireless interfaces, among others. Network interface 8004 may optionally include a standard wired interface, a wireless interface (e.g., WI-FI interface). Memory 8005 may be a high speed RAM memory or a non-volatile memory, such as at least one disk memory. Memory 8005 may optionally also be at least one memory device located remotely from the aforementioned processor 8001. As shown in fig. 5, an operating system, a network communication module, a user interface module, and a device control application program may be included in the memory 8005, which is one type of computer readable storage medium.

In the computer device 8000 shown in fig. 5, the network interface 8004 may provide a network communication function; while user interface 8003 is primarily an interface for providing input to the user; and the processor 8001 may be used to invoke a device control application stored in the memory 8005 to implement:

inputting the initial sample set to a watermark generator, and watermark implantation is carried out on M initial samples in the initial sample set through the watermark generator to obtain M watermark samples; m is a positive integer less than or equal to N, N is the number of initial samples contained in the initial sample set;

acquiring first class prediction probability distribution corresponding to N initial samples respectively and second class prediction probability distribution corresponding to M watermark samples respectively, and determining a first loss value for training a watermark generator according to the first class probability distribution corresponding to the N initial samples respectively, the real class labels corresponding to the N initial samples respectively, the second class probability distribution corresponding to the M watermark samples respectively and the real class labels corresponding to the M watermark samples respectively;

reversely optimizing the generation parameters of the watermark generator based on the first loss value, and determining the generation parameters of the watermark generator as target generation parameters when the first loss value is the maximum loss threshold value;

Determining a watermark generator containing target generation parameters as a target watermark generator, inputting N initial samples into the target watermark generator, and watermark implantation is carried out on Q initial samples in an initial sample set through the target watermark generator to obtain Q target watermark samples; q is a positive integer less than or equal to N; and the Q target watermark samples are used for carrying out sample ownership detection on the model to be detected together with the N initial samples.

It should be understood that the computer device 8000 according to the embodiment of the present application may perform the description of the data processing method according to the embodiment of fig. 2 to 3, and may also perform the description of the data processing apparatus 1 according to the embodiment of fig. 4, which are not described herein. In addition, the description of the beneficial effects of the same method is omitted.

Furthermore, it should be noted here that: the embodiment of the present application further provides a computer readable storage medium, where a computer program executed by the computer device 8000 for data processing mentioned above is stored, and the computer program includes program instructions, when the processor executes the program instructions, the description of the data processing method in the embodiment corresponding to fig. 3 to 4 can be executed, and therefore, will not be repeated herein. In addition, the description of the beneficial effects of the same method is omitted. For technical details not disclosed in the embodiments of the computer-readable storage medium according to the present application, please refer to the description of the method embodiments of the present application.

The computer readable storage medium may be the data processing apparatus provided in any one of the foregoing embodiments or an internal storage unit of the computer device, for example, a hard disk or a memory of the computer device. The computer readable storage medium may also be an external storage device of the computer device, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) card, a flash card (flash card) or the like, which are provided on the computer device. Further, the computer-readable storage medium may also include both internal storage units and external storage devices of the computer device. The computer-readable storage medium is used to store the computer program and other programs and data required by the computer device. The computer-readable storage medium may also be used to temporarily store data that has been output or is to be output.

In one aspect of the application, a computer program product or computer program is provided that includes computer instructions stored in a computer readable storage medium. The processor of the computer device reads the computer instructions from the computer-readable storage medium, and the processor executes the computer instructions, so that the computer device performs the method provided in an aspect of the embodiment of the present application.

The terms first, second and the like in the description and in the claims and drawings of embodiments of the application are used for distinguishing between different objects and not for describing a particular sequential order. Furthermore, the term "include" and any variations thereof is intended to cover a non-exclusive inclusion. For example, a process, method, apparatus, article, or device that comprises a list of steps or elements is not limited to the list of steps or modules but may, in the alternative, include other steps or modules not listed or inherent to such process, method, apparatus, article, or device.

Those of ordinary skill in the art will appreciate that the elements and algorithm steps described in connection with the embodiments disclosed herein may be embodied in electronic hardware, in computer software, or in a combination of the two, and that the elements and steps of the examples have been generally described in terms of function in the foregoing description to clearly illustrate the interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.

The method and related apparatus provided in the embodiments of the present application are described with reference to the flowchart and/or schematic structural diagrams of the method provided in the embodiments of the present application, and each flow and/or block of the flowchart and/or schematic structural diagrams of the method may be implemented by computer program instructions, and combinations of flows and/or blocks in the flowchart and/or block diagrams. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks. These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or structural diagram block or blocks. These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or structures.

The foregoing disclosure is illustrative of the present application and is not to be construed as limiting the scope of the application, which is defined by the appended claims.

Claims (16)

1. A method of data processing, comprising:

inputting an initial sample set to a watermark generator, and watermark implantation is carried out on M initial samples in the initial sample set through the watermark generator to obtain M watermark samples; m is a positive integer less than or equal to N, N is the number of initial samples contained in the initial sample set;

acquiring first class prediction probability distributions respectively corresponding to the N initial samples and second class prediction probability distributions respectively corresponding to the M watermark samples, and determining a first loss value for training the watermark generator according to the first class probability distributions respectively corresponding to the N initial samples, the real class labels respectively corresponding to the N initial samples, the second class probability distributions respectively corresponding to the M watermark samples and the real class labels respectively corresponding to the M watermark samples;

reversely optimizing the generation parameters of the watermark generator based on the first loss value, and determining the generation parameters of the watermark generator as target generation parameters when the first loss value is a maximum loss threshold value;

Determining a watermark generator containing the target generation parameters as a target watermark generator, inputting the N initial samples into the target watermark generator, and watermark implantation is carried out on the Q initial samples in the initial sample set through the target watermark generator to obtain Q target watermark samples; q is a positive integer less than or equal to N; and the Q target watermark samples are used for carrying out sample ownership detection on the model to be detected together with the N initial samples.

2. The method according to claim 1, wherein the first class prediction probability distributions corresponding to the N initial samples are obtained by inputting the N initial samples into a classifier and outputting the N initial samples from the classifier; the second class probability distribution corresponding to the M watermark samples is obtained by inputting the M watermark samples into the classifier and outputting the M watermark samples from the classifier;

the determining a first loss value for training the watermark generator according to the first class probability distribution corresponding to the N initial samples, the real class labels corresponding to the N initial samples, the second class probability distribution corresponding to the M watermark samples, and the real class labels corresponding to the M watermark samples, includes:

Determining a second loss value for training the classifier according to the first class probability distribution corresponding to the N initial samples respectively, the real class labels corresponding to the N initial samples respectively, the second class probability distribution corresponding to the M watermark samples respectively and the real class labels corresponding to the M watermark samples respectively;

optimizing the classification parameters of the classifier based on the second loss value, and determining the classification parameters of the classifier as optimal classification parameters when the second loss value is a minimum loss threshold value;

and determining a classifier containing the optimal classification parameters as an optimal classifier, and determining a first loss value for training the watermark generator according to the optimal classifier and the M watermark samples.

3. The method of claim 2, wherein the determining a first loss value for training the watermark generator based on the optimal classifier and the M watermark samples comprises:

inputting the M watermark samples to the optimal classifier, and outputting third category probability distribution corresponding to the M watermark samples through the optimal classifier;

And determining a first loss value for training the watermark generator according to the third category probability distribution corresponding to the M watermark samples and the real category labels corresponding to the M watermark samples.

4. A method according to claim 3, wherein determining the first penalty value for training the watermark generator based on the third class probability distribution for each of the M watermark samples and the true class labels for each of the M watermark samples comprises:

acquiring an average dispersion function, and determining dispersion loss values corresponding to the M watermark samples according to third category probability distribution corresponding to the M watermark samples and the average dispersion function;

acquiring a cross entropy loss function, and determining cross entropy loss values corresponding to the M watermark samples according to the cross entropy loss function, third category probability distribution corresponding to the M watermark samples respectively, and real category labels corresponding to the M watermark samples respectively;

and generating a first loss value for training the watermark generator according to the dispersity loss value and the cross entropy loss value.

5. The method of claim 4, wherein the generating a first loss value for training the watermark generator based on the dispersity loss value and the cross entropy loss value comprises:

Acquiring a first coefficient corresponding to the dispersity loss value and a second coefficient corresponding to the cross entropy loss value;

carrying out operation processing on the first coefficient and the dispersity loss value to obtain a first operation loss value;

performing operation processing on the second coefficient and the cross entropy loss value to obtain a second operation loss value;

and carrying out summation operation processing on the first operation loss value and the second operation loss value to obtain a first loss value used for training the watermark generator.

6. The method of claim 4, wherein the average dispersity function is a first dispersity function that is used to calculate sample levels of the M watermark samplesAverage degree of dispersion of (2); the M watermark samples comprise watermark samples K_i I is a positive integer; the third category probability distribution corresponding to the M watermark samples respectively comprises the prediction probability corresponding to each candidate category in the candidate category set;

the determining the dispersity loss value corresponding to the M watermark samples according to the third category probability distribution and the average dispersity function respectively corresponding to the M watermark samples includes:

According to the first dispersivity function, the watermark sample K is obtained_i Obtaining the maximum prediction probability in the corresponding third category probability distribution, and determining the candidate category corresponding to the maximum prediction probability as the watermark sample K_i Is a sample prediction class of (2);

calculating the watermark samples K according to the first dispersity function_i Entropy of the sample prediction class of (c) and applying the watermark sample K to the sample prediction class of (c)_i Entropy determination of the sample prediction class of (c) is the watermark sample K_i Corresponding class entropy;

when calculating the class entropy corresponding to each of the M watermark samples, summing the M class entropies to obtain an operation class entropy;

and acquiring the total number of the first samples of the M watermark samples, determining average class entropy according to the operation class entropy and the total number of the first samples, and determining the average class entropy as a dispersity loss value corresponding to the M watermark samples.

7. The method of claim 4, wherein the average dispersion function is a second dispersion function, the second dispersion function being used to calculate an average dispersion for class levels of the M watermark samples; the third category probability distribution corresponding to the M watermark samples respectively comprises the prediction probability corresponding to each candidate category in the candidate category set;

The determining the dispersity loss value corresponding to the M watermark samples according to the third category probability distribution and the average dispersity function respectively corresponding to the M watermark samples includes:

according to the second dispersion function, B watermark samples with real class labels being preset class labels in the M watermark samples are determined to be watermark samples to be counted; the candidate category set comprises the preset category label; b is a positive integer less than or equal to M;

determining the prediction probability corresponding to the preset category labels in third category probability distribution corresponding to the B watermark samples to be counted as label prediction probability;

and carrying out summation operation on the B tag prediction probabilities to obtain operation tag probability, and determining dispersion degree loss values corresponding to the M watermark samples according to the second dispersion degree function and the operation tag probability.

8. The method of claim 7, wherein determining the dispersion loss value for the M watermark samples according to the second dispersion function and the operational tag probability comprises:

obtaining the total number of second samples of the B watermark samples to be counted, and determining average tag probability according to the operation tag probability and the total number of the second samples;

Calculating entropy of the average label probability according to the second dispersion function, and determining the entropy of the average label probability as label entropy of the preset class label;

and determining the dispersity loss values corresponding to the M watermark samples according to the label entropy of the preset class label and the second dispersity function.

9. The method according to claim 1, wherein the method further comprises:

determining initial samples corresponding to each target watermark sample in the N initial samples as target initial samples;

performing ownership detection aiming at a target training set on the model to be detected according to the Q target initial samples and the Q target watermark samples; the target training set refers to a sample set formed by the Q target watermark samples and the residual initial samples, and the residual initial samples refer to initial samples except the Q target initial samples in the N initial samples.

10. The method according to claim 9, wherein the sample ownership detection method for the model to be detected is a hypothesis testing method; the Q target watermark samples comprise target watermark samples S_j The Q target initial samples comprise the target watermark samples S_j Corresponding target initial sample T_j J is a positive integer; the target watermark sample S_j With the target initial sample T_j The true category labels of (a) are all true category labels Z_j ；

And performing ownership detection for a target training set on the model to be detected according to the Q target initial samples and the Q target watermark samples, wherein the ownership detection comprises the following steps:

constructing a first original assumption that the first probability value is the sum of the second probability value and a first preset value; the first probability value is the initial sample T of the model to be detected aiming at the target_j In the output result of (2), the true category label Z_j Is used for predicting the probability value of the model; the second probability value is that the model to be detected aims at the target watermark sample S_j In the output result of (2), the true category label Z_j Is used for predicting the probability value of the model;

based on the first original assumption, the target initial sample T_j The target watermark sample S_j Calculating a first significance test value;

if the significance test value is lower than a first significance level value, determining that the first original assumption is an invalid assumption, and determining the model attribute of the model to be detected as an ownership abnormal attribute; the ownership anomaly attribute is used for representing the model to be detected as a model which is obtained by training based on the target training set.

11. The method according to claim 9, characterized in that for theThe sample ownership detection method of the model to be detected is a hypothesis testing method; the Q target watermark samples comprise target watermark samples S_j The Q target initial samples comprise the target watermark samples S_j Corresponding target initial sample T_j J is a positive integer; the target watermark sample S_j With the target initial sample T_j The true category labels of (a) are all true category labels Z_j ；

And performing ownership detection for a target training set on the model to be detected according to the Q target initial samples and the Q target watermark samples, wherein the ownership detection comprises the following steps:

constructing a second original assumption that the third probability value is larger than the sum of the fourth probability value and a second preset value; the third probability value is the target initial sample T of the model to be detected_j In the output result of (2), the true category label Z_j Is used for predicting the probability value of the model; the fourth probability value is that the model to be detected aims at the target watermark sample S_j In the output result of (2), the true category label Z_j Is used for predicting the probability value of the model;

based on the second original assumption, the target initial sample T_j The target watermark sample S_j Calculating a second significance test value;

If the second significance test value is lower than a second significance level value, determining that the second original assumption is an invalid assumption, and determining the model attribute of the model to be detected as an ownership anomaly attribute; the ownership anomaly attribute is used for representing the model to be detected as a model which is obtained by training based on the target training set.

12. The method according to claim 1, wherein the method further comprises:

determining initial samples corresponding to each target watermark sample in the N initial samples as target initial samples;

the sample set formed by the Q target watermark samples and the rest initial samples is determined to be a target training set; the remaining initial samples refer to initial samples except for Q target initial samples in the N initial samples;

training the model to be protected based on the target training set to obtain a target protection model;

and detecting ownership of the to-be-detected model aiming at the target protection model according to the Q target initial samples and the Q target watermark samples.

13. A data processing apparatus, comprising:

the watermark implantation module is used for inputting the initial sample set to the watermark generator, and watermark implantation is carried out on M initial samples in the initial sample set through the watermark generator to obtain M watermark samples; m is a positive integer less than or equal to N, N is the number of initial samples contained in the initial sample set;

The loss generation module is used for acquiring first class prediction probability distribution corresponding to the N initial samples respectively and second class prediction probability distribution corresponding to the M watermark samples respectively, and determining a first loss value for training the watermark generator according to the first class probability distribution corresponding to the N initial samples respectively, the real class labels corresponding to the N initial samples respectively, the second class probability distribution corresponding to the M watermark samples respectively and the real class labels corresponding to the M watermark samples respectively;

the reverse optimization module is used for carrying out reverse optimization on the generation parameters of the watermark generator based on the first loss value, and determining the generation parameters of the watermark generator as target generation parameters when the first loss value is a maximum loss threshold value;

the sample generation module is used for determining a watermark generator containing the target generation parameters as a target watermark generator, inputting the N initial samples into the target watermark generator, and watermark implantation is carried out on the Q initial samples in the initial sample set through the target watermark generator to obtain Q target watermark samples; q is a positive integer less than or equal to N; and the Q target watermark samples are used for carrying out sample ownership detection on the model to be detected together with the N initial samples.

14. A computer device, comprising: a processor, a memory, and a network interface;

the processor is connected to the memory and the network interface, wherein the network interface is configured to provide a network communication function, the memory is configured to store a computer program, and the processor is configured to invoke the computer program to cause the computer device to perform the method of any of claims 1-12.

15. A computer readable storage medium, characterized in that the computer readable storage medium has stored therein a computer program adapted to be loaded by a processor and to perform the method of any of claims 1-12.

16. A computer program product, characterized in that the computer program product comprises a computer program stored in a computer readable storage medium, the computer program being adapted to be read and executed by a processor to cause a computer device having the processor to perform the method of any of claims 1-12.