Model-safe reasoning methods, electronic devices, media and program products

By periodically transforming the samples to be inferred on the client side and performing model inference on the server side, the problem of low communication and computation efficiency caused by homomorphic encryption is solved, achieving efficient model secure inference and data privacy protection.

CN115470908B · Active · Publication Date: 2026-06-30 · WEBANK (CHINA)

Patent Information

Authority / Receiving Office: CN · China
Patent Type: Patents (China)
Current Assignee / Owner: WEBANK (CHINA)
Filing Date: 2022-10-19
Publication Date: 2026-06-30

AI Technical Summary

Technical Problem

Existing two-party model secure inference methods based on homomorphic encryption result in low communication and computational efficiency between the client and server, and increase the data volume.

Method used

The client uses a privacy protection module to periodically transform the inference sample, generating a periodically transformed inference sample, and uploads it to the server for model inference. The server outputs the inference result based on the inference model. The privacy protection module includes a periodic neural network and a noise module.

Benefits of technology

By using periodically changed samples, the amount of plaintext data is reduced, the efficiency of secure inference between the two-party models is improved, the data privacy of the client is protected, and the communication and computing load is reduced.

✦ Generated by Eureka AI based on patent content.


Abstract

This application discloses a model-secure inference method, electronic device, medium, and program product applied to a client, comprising: acquiring a sample to be inferred; performing a periodic sample transformation on the sample to be inferred according to a privacy protection module to obtain a periodically transformed inference sample; uploading the periodically transformed inference sample to a server, so that the server can perform model inference on the periodically transformed inference sample based on an inference model to obtain a model inference result; and receiving the model inference result sent by the server. This application solves the technical problem of low efficiency in two-party model-secure inference.

Description

Technical Field

[0001] This application relates to the field of artificial intelligence technology in financial technology (Fintech), and more particularly to a model-secure reasoning method, electronic device, medium, and program product.

Background Technology

[0002] With the continuous development of fintech, especially internet fintech, more and more technologies (such as distributed systems and artificial intelligence) are being applied in the financial field. However, the financial industry is also placing higher demands on technology, such as on the distribution of tasks to be completed.

[0003] In two-party model secure inference, the server is willing to provide the inference model as a service but does not want to directly give it to the client. The client wants to use the inference model to predict local samples, but considers local samples to be private information and does not want to transmit the plaintext of the local samples to the server. Currently, the client usually transmits the homomorphically encrypted ciphertext of the local samples to the server, and then the server uses the inference model to perform calculations on the homomorphically encrypted ciphertext in the ciphertext state. However, since the data volume of the homomorphically encrypted ciphertext is much larger than that of the plaintext data, the above-mentioned two-party model secure inference method based on homomorphic encryption will greatly increase the amount of communication data between the client and the server, as well as the amount of computation data for both the client and the server. This leads to lower communication efficiency between the client and the server, as well as lower computation efficiency for both the client and the server, thus affecting the efficiency of two-party model secure inference.

Summary of the Invention

[0004] The main purpose of this application is to provide a model-secure reasoning method, electronic device, medium, and program product, which aims to solve the technical problem of low efficiency in two-party model-secure reasoning.

[0005] To achieve the above objectives, this application provides a model-secure reasoning method applied to a client, the model-secure reasoning method comprising:

[0006] Obtain the sample to be inferred, and according to the privacy protection module, perform periodic sample transformation on the sample to be inferred to obtain periodic transformed inference samples;

[0007] The periodic transformation inference sample is uploaded to the server so that the server can perform model inference on the periodic transformation inference sample based on the inference model and obtain the model inference result.

[0008] Receive the model inference results sent by the server.

[0009] Optionally, the privacy protection module includes a periodic neural network and a noise module.

[0010] The step of performing periodic sample transformation on the sample to be inferred according to the privacy protection module to obtain periodically transformed inference samples includes:

[0011] Input the sample to be inferred into the periodic neural network, and perform periodic sample mapping on the sample to be inferred to obtain a periodic mapped sample.

[0012] Based on the noise module, noise is added to the periodic mapping sample to obtain the periodic transformation inference sample.

[0013] Optionally, the periodic neural network includes neural network parameters and a periodic activation function.

[0014] The step of inputting the sample to be reasoned into the periodic neural network and performing periodic-based sample mapping on the sample to be reasoned to obtain periodic mapped samples includes:

[0015] Based on the neural network parameters, the sample to be inferred is linearly transformed to obtain a linearly transformed sample;

[0016] Based on the periodic activation function, the linear transformation sample is periodically activated to obtain the periodic mapping sample.

[0017] Optionally, before the steps of obtaining the sample to be inferred and, according to the privacy protection module, performing a periodic sample transformation on the sample to be inferred to obtain a periodically transformed inference sample, the model-secure inference method further includes:

[0018] Receive the initial privacy protection module and preset noise threshold sent by the server, and generate local additional noise according to the preset noise threshold;

[0019] The noise module in the initial privacy protection module is adjusted based on the local added noise to obtain the privacy protection module.

[0020] To achieve the above objectives, this application also provides a model-safe reasoning method applied to a server, the model-safe reasoning method comprising:

[0021] The system receives periodically transformed inference samples uploaded by the client, wherein the periodically transformed inference samples are obtained by the client based on periodic sample transformation of the sample to be inferred according to the privacy protection module.

[0022] Based on the reasoning model, model reasoning is performed on the periodic transformation reasoning sample to obtain the model reasoning result;

[0023] The model inference results are sent to the client.

[0024] Optionally, prior to the step of receiving the periodically changing inference samples uploaded by the client, the model-secure inference method further includes:

[0025] Obtain training samples, input the training samples into the privacy protection module to be trained, and perform periodic sample transformation on the training samples to obtain periodically transformed training samples.

[0026] The periodic transformation training samples are input into the inference model to be trained, and the periodic transformation training samples are used to predict the training samples to obtain the training sample prediction results.

[0027] Based on the model loss calculated from the prediction results of the training samples, the privacy protection module to be trained and the inference model to be trained are iteratively optimized to obtain the privacy protection module and the inference model.

[0028] The privacy protection module and the preset noise threshold are sent to the client.

[0029] Optionally, the server includes participating devices in the horizontal federated learning process, and prior to the step of receiving periodically transformed inference samples uploaded by the client, the model-secure inference method further includes:

[0030] Obtain training samples, input the training samples into the privacy protection module to be trained, and perform periodic sample transformation on the training samples to obtain periodically transformed training samples.

[0031] Based on the periodically changing training samples, the privacy protection module and the inference model to be trained are iteratively optimized.

[0032] The local network parameters of the inference model to be trained are obtained, and the local network parameters are uploaded to the horizontal federation server. The horizontal federation server is used to aggregate the local network parameters uploaded by each of the participating devices into federation network parameters.

[0033] Receive the federated network parameters sent by the horizontal federated server, and update the local network parameters of the inference model to be trained to the federated network parameters;

[0034] Return to the execution steps: Obtain training samples, input the training samples into the privacy protection module to be trained, perform periodic sample transformation on the training samples to obtain periodically transformed training samples, until the horizontal federated learning modeling is detected to be completed, and use the privacy protection module to be trained as the privacy protection module and the inference model to be trained as the inference model.

[0035] The privacy protection module and the preset noise threshold are sent to the client.

[0036] This application also provides a model-safe inference apparatus for use in a client, the model-safe inference apparatus comprising:

[0037] The periodic transformation module is used to acquire the sample to be inferred, and according to the privacy protection module, to perform a periodic sample transformation on the sample to be inferred to obtain a periodic transformed inference sample.

[0038] The upload module is used to upload the periodic transformation inference sample to the server, so that the server can perform model inference on the periodic transformation inference sample based on the inference model and obtain the model inference result;

[0039] The receiving module is used to receive the model inference results sent by the server.

[0040] Optionally, the privacy protection module includes a periodic neural network and a noise module, and the periodic transformation module is further used for:

[0041] Input the sample to be inferred into the periodic neural network, and perform periodic sample mapping on the sample to be inferred to obtain a periodic mapped sample.

[0042] Based on the noise module, noise is added to the periodic mapping sample to obtain the periodic transformation inference sample.

[0043] Optionally, the periodic neural network includes neural network parameters and a periodic activation function, and the periodic transformation module is further used for:

[0044] Based on the neural network parameters, the sample to be inferred is linearly transformed to obtain a linearly transformed sample;

[0045] Based on the periodic activation function, the linear transformation sample is periodically activated to obtain the periodic mapping sample.

[0046] Optionally, the model-safe reasoning device is further used for:

[0047] Receive the initial privacy protection module and preset noise threshold sent by the server, and generate local additional noise according to the preset noise threshold;

[0048] The noise module in the initial privacy protection module is adjusted based on the local added noise to obtain the privacy protection module.

[0049] This application also provides a model-safe inference apparatus for use on a server, the model-safe inference apparatus comprising:

[0050] The receiving module is used to receive periodically transformed inference samples uploaded by the client, wherein the periodically transformed inference samples are obtained by the client based on periodic sample transformation of the inference samples according to the privacy protection module;

[0051] The model inference module is used to perform model inference on the periodic transformation inference sample based on the inference model, and obtain the model inference result;

[0052] The distribution module is used to distribute the model inference results to the client.

[0053] Optionally, the model-safe reasoning device is further used for:

[0054] Obtain training samples, input the training samples into the privacy protection module to be trained, and perform periodic sample transformation on the training samples to obtain periodically transformed training samples.

[0055] The periodic transformation training samples are input into the inference model to be trained, and the periodic transformation training samples are used to predict the training samples to obtain the training sample prediction results.

[0056] Based on the model loss calculated from the prediction results of the training samples, the privacy protection module to be trained and the inference model to be trained are iteratively optimized to obtain the privacy protection module and the inference model.

[0057] The privacy protection module and the preset noise threshold are sent to the client.

[0058] Optionally, the server includes participant devices for horizontal federated learning, and the model-secure inference apparatus is further used for:

[0059] Obtain training samples, input the training samples into the privacy protection module to be trained, and perform periodic sample transformation on the training samples to obtain periodically transformed training samples.

[0060] Based on the periodically changing training samples, the privacy protection module and the inference model to be trained are iteratively optimized.

[0061] The local network parameters of the inference model to be trained are obtained, and the local network parameters are uploaded to the horizontal federation server. The horizontal federation server is used to aggregate the local network parameters uploaded by each of the participating devices into federation network parameters.

[0062] Receive the federated network parameters sent by the horizontal federated server, and update the local network parameters of the inference model to be trained to the federated network parameters;

[0063] Return to the execution steps: Obtain training samples, input the training samples into the privacy protection module to be trained, perform periodic sample transformation on the training samples to obtain periodically transformed training samples, until the horizontal federated learning modeling is detected to be completed, and use the privacy protection module to be trained as the privacy protection module and the inference model to be trained as the inference model.

[0064] The privacy protection module and the preset noise threshold are sent to the client.

[0065] This application also provides an electronic device, the electronic device comprising: a memory, a processor, and a program of the model-safe inference method stored in the memory and executable on the processor, wherein when the program of the model-safe inference method is executed by the processor, it can implement the steps of the model-safe inference method as described above.

[0066] This application also provides a computer-readable storage medium storing a program implementing a model-safe reasoning method, wherein when the program is executed by a processor, it implements the steps of the model-safe reasoning method as described above.

[0067] This application also provides a computer program product, including a computer program that, when executed by a processor, implements the steps of the model-safe reasoning method described above.

[0068] This application provides a model-secure inference method, electronic device, medium, and program product. Compared to existing technologies that use homomorphic encryption for two-party model-secure inference, this application includes a privacy protection module on the client side. During the two-party model-secure inference process, the client utilizes this privacy protection module to perform periodic sample transformations on the sample to be inferred, obtaining periodically transformed inference samples. The client then uploads these periodically transformed inference samples to the server. The server can then perform model inference on these periodically transformed inference samples based on the inference model, obtaining the model inference result. Since the periodically transformed inference samples vary periodically, the sample feature value of the sample to be inferred that corresponds to each feature value in a periodically transformed inference sample is not unique. The server cannot deduce a unique client-side inference sample based on the periodically transformed inference samples, thus protecting the client's data privacy. The server also does not need to provide the inference model to the client. Furthermore, since the periodically transformed inference samples are plaintext data, the goal of secure two-party model inference is achieved by exchanging plaintext data between the client and the server. The amount of plaintext data is much smaller than that of ciphertext data. Therefore, this overcomes the technical shortcomings of two-party model secure inference methods based on homomorphic encryption, which greatly increase the amount of communication data between the client and the server, as well as the amount of computation data for both the client and the server, leading to lower communication efficiency between the client and the server, and lower computational efficiency for both the client and the server. This improves the efficiency of secure two-party model inference.

Attached Figure Description

[0069] The accompanying drawings, which are incorporated in and form part of this specification, illustrate embodiments consistent with this application and, together with the description, serve to explain the principles of this application.

[0070] To more clearly illustrate the technical solutions in the embodiments of this application or the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, for those skilled in the art, other drawings can be obtained based on these drawings without creative effort.

[0071] Figure 1 is a flowchart illustrating the first embodiment of the model-secure reasoning method of this application;

[0072] Figure 2 is a schematic diagram of the process of periodically changing samples based on the privacy protection module in the model-secure inference method of this application;

[0073] Figure 3 is a flowchart illustrating the second embodiment of the model-secure reasoning method of this application;

[0074] Figure 4 is a flowchart illustrating the process of constructing a privacy protection module and an inference model based on horizontal federated learning in the model security inference method of this application.

[0075] Figure 5 is a schematic diagram of the device structure of the hardware operating environment involved in the model-safe reasoning method in this application embodiment.

[0076] The purpose, features, and advantages of this application will be further explained in conjunction with the embodiments and with reference to the accompanying drawings.

Detailed Implementation

[0077] To make the above-mentioned objectives, features, and advantages of this application more apparent and understandable, the technical solutions in the embodiments of this application will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are merely some embodiments of this application, and not all embodiments. Based on the embodiments in this application, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of this application.

[0078] Example 1

[0079] This application provides a model-safe reasoning method. With reference to Figure 1, in the first embodiment of the model-safe reasoning method of this application, the method is applied to the client, and the model-secure inference method includes:

[0080] Step S10: Obtain the sample to be inferred; according to the privacy protection module, perform periodic sample transformation on the sample to be inferred to obtain the periodic transformation inference sample.

[0081] Step S20: Upload the periodic transformation inference sample to the server so that the server can perform model inference on the periodic transformation inference sample based on the inference model and obtain the model inference result;

[0082] Step S30: Receive the model inference results sent by the server.

[0083] In this embodiment, it should be noted that the client and the server are connected in communication. The client is equipped with a privacy protection module, and the server is equipped with an inference model corresponding to the privacy protection module. The privacy protection module is used to perform periodic sample transformation on the samples to be inferred, converting each sample feature value in the samples to be inferred into a periodic transformed feature value that conforms to periodic changes, thereby obtaining a periodic transformed inference sample. Since the periodic transformed feature value conforms to periodic changes, the sample feature value corresponding to one periodic transformed feature value is not unique, that is, one periodic transformed feature value corresponds to multiple different sample feature values. Therefore, even if the server knows the periodic transformed inference sample and the module parameters of the privacy protection module, it is difficult to deduce the unique sample feature value corresponding to each periodic transformed feature value in the periodic transformed inference sample, and thus it is difficult to deduce the unique sample to be inferred corresponding to the periodic transformed inference sample. The difficulty of deduction is equivalent to the difficulty of fault-tolerant learning, thus effectively protecting the data privacy of the samples to be inferred in the client. The server is equipped with an inference model, which corresponds to the privacy protection module. It is used to perform model inference by taking the output of the privacy protection module as input, thereby outputting the model inference result corresponding to the sample to be predicted.

[0084] As an example, steps S10 to S30 include: obtaining a sample to be inferred, wherein the sample to be inferred consists of at least one sample feature value, and the sample to be inferred can be a sample vector or a sample matrix; inputting the sample to be inferred into a privacy protection module, performing a periodic sample transformation on the sample to be inferred, so as to convert each sample feature value in the sample to be inferred into a periodic transformation feature value that conforms to periodic changes, to obtain a periodic transformation inference sample corresponding to the sample to be inferred, wherein the periodic transformation inference sample consists of at least one periodic transformation feature value; uploading the periodic transformation inference sample to the server, so that the server can perform model inference on the periodic transformation inference sample based on the inference model to obtain a model inference result; and receiving the model inference result sent by the server.

[0085] The privacy protection module includes a periodic neural network and a noise module. The step of performing a periodic sample transformation on the sample to be inferred based on the privacy protection module to obtain a periodic transformed inference sample includes:

[0086] Step S11: Input the sample to be reasoned into the periodic neural network, perform periodic sample mapping on the sample to be reasoned, and obtain periodic mapped samples;

[0087] Step S12: Based on the noise module, noise is added to the periodic mapping sample to obtain the periodic transformation inference sample.

[0088] In this embodiment, it should be noted that the privacy protection module may consist of a periodic neural network and a noise module. The periodic neural network is used to perform periodic sample transformation on the sample to be inferred, and the noise module is used to add noise to the output of the periodic neural network.

[0089] As an example, steps S11 to S12 include: inputting the sample to be inferred into the periodic neural network, performing periodic sample mapping on the sample to be inferred to convert the feature values of each sample in the sample to be inferred into periodic transformation feature values that conform to periodic changes, thereby obtaining the periodic mapping sample corresponding to the sample to be inferred; inputting the periodic mapping sample into the noise module, adding corresponding local additional noise to the periodic mapping sample, thereby obtaining the periodic transformation inference sample, wherein the local additional noise is determined by the client according to a preset noise threshold issued by the server, and the local additional noise is not greater than the preset noise threshold. In this embodiment, the privacy protection module is equipped with a noise module. In this way, on the basis of converting each sample feature value in the sample to be inferred into a periodic transformation feature value that conforms to periodic changes, a local additional noise can also be added to it. This local additional noise is held by the client alone, which can further increase the difficulty for external parties to deduce the sample to be predicted from the client, thereby improving the data privacy protection effect in the secure inference of the two-party model in this embodiment. And since the local additional noise is limited to being less than the preset noise threshold, it will not affect the model inference accuracy of the inference model.

[0090] The periodic neural network includes neural network parameters and a periodic activation function. The step of inputting the sample to be reasoned into the periodic neural network and performing periodic sample mapping on the sample to be reasoned to obtain a periodic mapped sample includes:

[0091] Step S111: Based on the neural network parameters, perform a linear transformation on the sample to be inferred to obtain a linearly transformed sample;

[0092] Step S112: According to the periodic activation function, the linear transformation sample is periodically activated to obtain the periodic mapping sample.

[0093] In this embodiment, it should be noted that the periodic neural network can be composed of neural network parameters and a periodic activation function. The neural network parameters are used to perform a linear transformation on the sample to be predicted, and the periodic activation function is a periodic function used to activate the linearly transformed sample, thereby outputting a periodic mapping sample.

[0094] As an example, steps S111 to S112 include: performing a linear transformation on the feature values of each sample in the sample to be inferred based on the neural network parameters to obtain a linearly transformed sample; and activating each feature value in the linearly transformed sample based on the periodic activation function to obtain a periodically mapped sample. Since each feature value in the linearly transformed sample is activated by inputting it into a periodic activation function, each feature value in the periodically mapped sample exhibits periodic changes. Each feature value in the periodically mapped sample does not correspond one-to-one with each feature value in the sample to be predicted. For example, assuming the periodic activation function is sinX, if a feature value in the periodically mapped sample is 1, then multiple values of X correspond to it. Therefore, even if the neural network parameters and the periodically mapped sample are obtained externally, it is difficult to deduce the feature values of the sample to be predicted. Moreover, in this embodiment, local additional noise is applied to the periodically mapped sample, further increasing the difficulty for external parties to deduce the sample to be predicted.

[0095] Furthermore, it should be noted that current data encryption methods such as homomorphic encryption or secret sharing are all non-linear data transformation processes. Therefore, the data volume of the final encrypted ciphertext data is usually much larger than that of the plaintext data. However, in this embodiment, only a simple linear transformation is performed on the sample to be predicted. Although the data volume of the plaintext data after the linear transformation is larger than that before the linear transformation, the data volume of the plaintext data after the linear transformation is still much smaller than that of the ciphertext data. Therefore, compared with the two-party model secure inference method based on data encryption methods such as homomorphic encryption or secret sharing, the amount of data transmitted between the client and the server during two-party model secure inference in this embodiment is less, and the amount of computation performed by the client and the server is less, thus improving the efficiency of two-party model secure inference.

[0096] As an example, the specific formula for performing periodic sample transformation on the sample to be inferred based on the privacy protection module is as follows:

[0097]

[0098] Where O represents the periodically transformed inference sample output by the privacy protection module, W represents the neural network parameters, X represents the sample to be predicted, the periodic activation function has a period of 1 / r, and ε is the local added noise. Further referring to Figure 2, which is a schematic diagram illustrating the process of periodic sample transformation based on a privacy protection module in this embodiment of the application: the input data X is the sample to be predicted, the periodic neuron is the periodic activation function, the random noise ε is the local added noise, and the output data O is the periodically transformed inference sample output by the privacy protection module.

[0099] Prior to the steps of obtaining the sample to be inferred and, according to the privacy protection module, performing a periodic sample transformation on the sample to be inferred to obtain a periodically transformed inference sample, the model-secure inference method further includes:

[0100] Step A10: Receive the initial privacy protection module and preset noise threshold sent by the server, and generate local additional noise according to the preset noise threshold;

[0101] Step A20: Adjust the noise module in the initial privacy protection module according to the local added noise to obtain the privacy protection module.

[0102] As an example, steps A10 to A20 include: receiving an initial privacy protection module and a preset noise threshold issued by the server, generating local additional noise that is less than the preset noise threshold; adjusting the original additional noise of the noise module in the initial privacy protection module to the local additional noise to obtain the privacy protection module.

[0103] It should be noted that, although the server knows the neural network parameters and periodic activation function of the privacy protection module, it cannot deduce the sample to be predicted, because one output of the periodic activation function corresponds to multiple inputs. The difficulty of the deduction is equivalent to the difficulty of fault-tolerant learning (the learning with errors, LWE, problem), thus protecting the client's data privacy. Furthermore, the local additional noise is held only by the client itself, which further increases the difficulty for the server to deduce the sample to be predicted, thus further improving the data privacy protection effect during two-party model secure inference.
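The following Python sketch is an added illustration, not code from the patent: it walks through steps A10 to A20 and the non-uniqueness argument of [0103]. The formula of [0097] is not reproduced on this page, so the composition (linear map by W, periodic activation of period 1 / r, added noise ε), the cosine activation, and the values of r, W and the threshold are all assumptions.

```python
import math
import random

R = 4.0            # assumed value of r; the activation period is 1/r = 0.25
THRESHOLD = 0.05   # assumed preset noise threshold sent by the server


def periodic_activation(z, r=R):
    # Assumed concrete choice of periodic activation: cosine with period 1/r.
    return math.cos(2.0 * math.pi * r * z)


class PrivacyModule:
    """Periodic neural network (W plus periodic activation) followed by a noise module."""

    def __init__(self, weights, noise):
        self.weights = weights   # W: trained on the server, so the server knows it
        self.noise = noise       # epsilon: replaced on the client in step A20

    def linear(self, x):
        # Linear transformation of the sample by the neural network parameters.
        return [sum(w * v for w, v in zip(row, x)) for row in self.weights]

    def transform(self, x):
        # Periodic mapping of the linearly transformed sample, then noise addition.
        mapped = [periodic_activation(z) for z in self.linear(x)]
        return [m + e for m, e in zip(mapped, self.noise)]


def localize(initial_module, threshold, rng):
    """Steps A10-A20: keep the server's W, swap in noise only the client holds.

    Each noise component has magnitude strictly below the threshold
    (symmetric noise is an assumption of this sketch).
    """
    noise = [0.999 * rng.uniform(-threshold, threshold)
             for _ in initial_module.weights]
    return PrivacyModule(initial_module.weights, noise)


def shifted_preimage(x, w_inverse, k, r=R):
    """Return a different input whose linear image differs by k/r per component.

    Because the activation has period 1/r, that input yields the same output,
    which is why one uploaded sample corresponds to many candidate inputs.
    """
    step = [ki / r for ki in k]
    delta = [sum(a * s for a, s in zip(row, step)) for row in w_inverse]
    return [xi + di for xi, di in zip(x, delta)]


def max_output_gap(module, a, b):
    # Largest component-wise difference between the two transformed samples.
    return max(abs(p - q) for p, q in zip(module.transform(a), module.transform(b)))


# Constructed sample values, chosen only for illustration.
W = [[2.0, 1.0], [1.0, 1.0]]
W_INV = [[1.0, -1.0], [-1.0, 2.0]]          # inverse of W (det W = 1)
INITIAL = PrivacyModule(W, [0.0, 0.0])      # initial module issued by the server
CLIENT = localize(INITIAL, THRESHOLD, random.Random(7))
X = [0.3, 0.1]                              # sample to be inferred
X_OTHER = shifted_preimage(X, W_INV, k=[1, 0])
X_NEAR = [0.31, 0.1]                        # nearby input that is not a period shift

if __name__ == "__main__":
    print("uploaded for X      :", CLIENT.transform(X))
    print("uploaded for X_OTHER:", CLIENT.transform(X_OTHER))
    print("gap X vs X_OTHER    :", max_output_gap(CLIENT, X, X_OTHER))
    print("gap X vs X_NEAR     :", max_output_gap(CLIENT, X, X_NEAR))
```

The two distinct inputs `X` and `X_OTHER` upload the same plaintext vector, while `X_NEAR` does not, so the ambiguity comes from the period of the activation and not from the noise.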

[0104] As an example, the sample to be predicted can be an image sample, and the inference model can be an image sample inference model, such as an object detection model or an image recognition model.

[0105] As an example, the sample to be predicted can be a user profile sample, and the inference model can be a risk control model used to assess the loan risk of users.

[0106] This application provides a model-secure inference method. Compared to existing technologies that use homomorphic encryption for two-party model-secure inference, this application provides a privacy protection module on the client side. During the two-party model-secure inference process, the client uses this privacy protection module to perform a periodic sample transformation on the sample to be inferred, obtaining a periodically transformed inference sample. The client then uploads the periodically transformed inference sample to the server. The server can then perform model inference on the periodically transformed inference sample based on the inference model, obtaining the model inference result. Since the periodically transformed inference sample undergoes periodic changes, the sample feature values of the sample to be inferred that correspond to each sample feature value in the same periodically transformed inference sample are not unique; the server cannot deduce a unique sample to be inferred for the client from the periodically transformed inference sample, thus protecting the client's data privacy. The server also does not need to provide the inference model to the client. Since the periodically transformed inference sample is itself plaintext data, the goal of secure two-party model inference is achieved by exchanging plaintext data between the client and the server. The amount of plaintext data is much smaller than that of ciphertext data. Therefore, this overcomes the technical defect of two-party model secure inference methods based on homomorphic encryption, which greatly increase the amount of communication data between the client and the server, as well as the amount of computation data for both the client and the server, leading to lower communication efficiency between the client and the server and lower computation efficiency for both. This improves the efficiency of two-party model secure inference.

[0107] Example 2

[0108] This application also provides a model-safe reasoning method, which is applied to a server. Referring to Figure 3, the model-safe reasoning method includes:

[0109] Step B10: Receive periodically transformed inference samples uploaded by the client, wherein the periodically transformed inference samples are obtained by the client based on periodic sample transformation of the inference samples according to the privacy protection module;

[0110] Step B20: Based on the inference model, perform model inference on the periodic transformation inference sample to obtain the model inference result;

[0111] Step B30: Send the model inference results to the client.

[0112] As an example, steps B10 to B30 include: receiving periodically transformed inference samples uploaded by the client, wherein the periodically transformed inference samples are obtained by the client converting the feature values of each sample in the sample to be inferred into periodically transformed feature values that conform to periodic changes according to the privacy protection module; inputting the periodically transformed inference samples into the inference model for model inference to obtain the model inference result; and sending the model inference result to the client. The inference model is obtained through synchronous iterative training and optimization with the privacy protection module. Therefore, the inference model can take the output of the privacy protection module as input for model inference and accurately generate the model inference result corresponding to the sample to be predicted. For the specific process by which the client performs the periodic sample transformation on the sample to be inferred according to the privacy protection module to obtain the periodically transformed inference sample, refer to steps S10 to S30 and their detailed steps above, which will not be repeated here.

[0113] Prior to the step of receiving the periodically changing inference samples uploaded by the client, the model-secure inference method further includes:

[0114] Step C10: Obtain training samples, input the training samples into the privacy protection module to be trained, and perform periodic sample transformation on the training samples to obtain periodically transformed training samples.

[0115] Step C20: Input the periodic transformation training samples into the inference model to be trained, perform sample prediction on the periodic transformation training samples, and obtain the training sample prediction results;

[0116] Step C30: Based on the model loss calculated from the prediction results of the training samples, iteratively optimize the privacy protection module to be trained and the inference model to be trained to obtain the privacy protection module and the inference model.

[0117] Step C40: Send the privacy protection module and the preset noise threshold to the client.

[0118] As an example, steps C10 to C40 include: obtaining training samples and corresponding training sample labels, wherein the training sample consists of at least one training sample feature value; inputting the training sample into the privacy protection module to be trained, performing a periodic sample transformation on the training sample to convert each training sample feature value in the training sample into a feature value that conforms to periodic changes, thereby obtaining a periodically transformed training sample corresponding to the training sample; inputting the periodically transformed training sample into the inference model to be trained, performing sample prediction on the periodically transformed training sample, and obtaining a training sample prediction result; calculating the corresponding model loss according to the difference between the training sample prediction result and the training sample label; if the model loss converges, determining that training of the privacy protection module to be trained and the inference model to be trained is complete, and using the privacy protection module to be trained as the privacy protection module and the inference model to be trained as the inference model; if the model loss does not converge, updating the privacy protection module to be trained and the inference model to be trained by backpropagation based on the gradient calculated from the model loss, and returning to the execution step: obtaining the training sample and the corresponding training sample label, until the calculated model loss converges. This embodiment of the application realizes synchronous iterative training and optimization of the privacy protection module and the inference model. In this way, after the server deploys the privacy protection module on the client, the server uses the periodically transformed inference samples uploaded by the client as the input of the inference model for model inference, and can accurately output the model inference result corresponding to the sample to be predicted.

[0119] The server-side includes participating devices in the horizontal federated learning process. Prior to the step of receiving periodically transformed inference samples uploaded by the client, the model-secure inference method further includes:

[0120] Step D10: Obtain training samples, input the training samples into the privacy protection module to be trained, and perform periodic sample transformation on the training samples to obtain periodically transformed training samples.

[0121] Step D20: Based on the periodically changing training samples, iteratively optimize the privacy protection module and the inference model to be trained;

[0122] Step D30: Obtain the local network parameters of the inference model to be trained, and upload the local network parameters to the horizontal federation server. The horizontal federation server is used to aggregate the local network parameters uploaded by each participating device into federation network parameters.

[0123] Step D40: Receive the federated network parameters sent by the horizontal federated server, and update the local network parameters of the inference model to be trained to the federated network parameters.

[0124] Step D50, return to the execution steps: obtain training samples, input the training samples into the privacy protection module to be trained, perform periodic sample transformation on the training samples to obtain periodic transformed training samples, until the horizontal federated learning modeling is detected to be completed, and use the privacy protection module to be trained as the privacy protection module and the inference model to be trained as the inference model.

[0125] Step D60: Send the privacy protection module and the preset noise threshold to the client.

[0126] In this embodiment, it should be noted that the horizontal federation server is a trusted third party, each server is a participating device in the horizontal federation learning, the privacy protection module to be trained is privately held by each participating device, and the inference model to be trained is a shared model of each participating device.

[0127] As an example, steps D10 to D60 include: obtaining training samples and corresponding training sample labels, wherein the training sample consists of at least one training sample feature value; inputting the training sample into the privacy protection module to be trained, performing a periodic sample transformation on the training sample to convert each training sample feature value in the training sample into a feature value that conforms to periodic changes, thereby obtaining a periodically transformed training sample corresponding to the training sample; inputting the periodically transformed training sample into the inference model to be trained for model inference, thereby obtaining the training sample model inference result; calculating the corresponding model loss based on the difference between the training sample model inference result and the training sample label; if the model loss converges, determining that training of the privacy protection module to be trained and the inference model to be trained is complete, and using the privacy protection module to be trained as the privacy protection module and the inference model to be trained as the inference model; if the model loss does not converge, updating the privacy protection module to be trained and the inference model to be trained by backpropagation based on the gradient calculated from the model loss, and returning to the execution step: obtaining training samples and their corresponding labels, and checking whether the iteration update count of the privacy protection module to be trained and the inference model to be trained has reached a preset iteration update count. If so, the local network parameters of the inference model to be trained are obtained and uploaded to the horizontal federation server. The horizontal federation server aggregates the local network parameters uploaded by each participating device into federation network parameters, which can be achieved through weighted average or weighted summation. The participating device receives the federation network parameters from the horizontal federation server and replaces the local network parameters of the inference model to be trained with these federation network parameters. It then returns to the execution step: obtaining training samples, inputting them into the privacy protection module to be trained, and performing periodic sample transformation on the training samples to obtain periodically transformed training samples. These are used for the next round of iterative updates of the privacy protection module to be trained and the inference model to be trained, until the calculated model loss converges. This application thus provides a method for constructing a privacy protection module and an inference model based on horizontal federated learning, realizing synchronous iterative training and optimization of the two. In this way, after the participating device deploys the privacy protection module on the client, the participating device uses the periodically transformed inference samples uploaded by the client as input to the inference model for model inference, and can accurately output the model inference result corresponding to the sample to be predicted.

[0128] Additionally, it should be noted that currently, when building models based on horizontal federated learning, in order to protect the data privacy of participating devices, horizontal federated learning encryption is usually based on homomorphic encryption or secret sharing. However, the data volume of the encrypted ciphertext data is much larger than that of the plaintext data, which greatly increases the amount of data transmitted between each participating device and the horizontal federated server, and also greatly increases the amount of computational data for each participating device and the horizontal federated server. This will greatly affect the communication efficiency between each participating device and the horizontal federated server, and also greatly affect the data computation efficiency of each participating device and the horizontal federated server in the horizontal federated learning modeling process. In this embodiment, the local network parameters transmitted by the participating devices to the federated server are plaintext data, not ciphertext data. Therefore, this effectively reduces the amount of communication data between the participating devices and the horizontal federated server, as well as the amount of computational data required by each participating device and the horizontal federated server during the horizontal federated learning modeling process. This improves the communication efficiency between the participating devices and the horizontal federated server, and also improves the data computation efficiency of each participating device and the horizontal federated server during the horizontal federated learning modeling process. 
Furthermore, although the horizontal federated server directly obtains the local network parameters of the inference models of each participating device (which are plaintext data), and can deduce the input data of the inference model (i.e., the periodically transformed training samples), it cannot deduce the training samples of the participating devices because it does not know the neural network parameters and periodic activation functions in the privacy protection module. Even if the horizontal federated server obtains the neural network parameters and periodic activation functions, since the periodically transformed training samples are subject to periodic changes, the feature values of the training samples corresponding to each feature value in the same periodically transformed training sample are not unique, and it is difficult for the horizontal federated server to deduce a unique training sample from the periodically transformed training samples. The difficulty of the deduction is equivalent to the difficulty of fault-tolerant learning (the learning with errors, LWE, problem). Furthermore, the participating devices add their own noise to the periodically transformed training samples, which further increases the difficulty of deducing the training samples of the participating devices. Therefore, the data privacy of the participating devices can be well protected. In summary, the privacy protection module and inference model built based on horizontal federated learning in this embodiment not only protect the data privacy of the participating devices, but also improve the communication efficiency between the participating devices and the horizontal federated server, as well as the data computation efficiency of the participating devices and the horizontal federated server in the horizontal federated learning modeling process.

[0129] As an example, it should be noted that the private privacy protection module can be composed of one or more passport embedding network modules connected in series. The passport embedding network module can be composed of a private periodic neural network and a private noise module connected in series. The private privacy protection modules of the participating devices can be heterogeneous networks; that is, the number of passport embedding network modules in the private privacy protection module can differ from one participating device to another. Each participating device can choose the number of passport embedding network modules in its own private privacy protection module according to its actual needs. For example, participating devices with a larger number of samples can design a private privacy protection module composed of more passport embedding network modules to cope with more diverse data distributions and more complex sample data, improving the accuracy of periodic sample transformation and thereby the accuracy of final sample prediction. Participating devices with a smaller number of samples can design a private privacy protection module composed of fewer passport embedding network modules, reducing system resource consumption and improving the efficiency of periodic sample transformation and final sample prediction. Therefore, this application embodiment can adapt personalized heterogeneous private privacy protection modules to participating devices with different needs, meeting their individual requirements. That is, participating devices with a large number of samples need private privacy protection modules with more complex network structures, while participating devices with a small number of samples need private privacy protection modules with simpler network structures. Referring to Figure 4, which is a flowchart illustrating the process of constructing a privacy protection module and inference model based on horizontal federated learning in this application embodiment: the private neural network D_N is the private privacy protection module and consists of one or more passport embedding network modules. Each passport embedding network module can be composed of a private periodic neural network and a private noise module connected in series. The number of passport embedding network modules varies among the participating devices, so the private neural networks D_N of the participating devices can be heterogeneous networks. The private periodic neural network is used to perform periodic sample transformations on the training samples, and the private noise module is used to add noise to the output of the private periodic neural network. The shared neural network G_N is the inference model to be trained, whose output is the training sample model inference result; y_N is the training sample label; L_N is the model loss; G_1 to G_N are the local network parameters of the inference model to be trained that each participating device sends to the horizontal federated server; and G_avg is the federated network parameters.
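An added Python sketch (not the patent's code) of one aggregation round from steps D30 to D40, with the heterogeneous private modules described in [0129]. Weighting by sample count, the cosine activation, and all names and values are assumptions; the point shown is that only the shared inference-model parameters G_N are uploaded, while each D_N stays on its device.

```python
import math


def passport_block(x, weights, noise, r=1.0):
    # One passport embedding block: private periodic network, then private noise.
    # The cosine activation (period 1/r) is an assumed concrete choice.
    z = [sum(w * v for w, v in zip(row, x)) for row in weights]
    return [math.cos(2.0 * math.pi * r * zi) + e for zi, e in zip(z, noise)]


class Participant:
    def __init__(self, private_blocks, shared_params, num_samples):
        self.private_blocks = private_blocks       # D_N: never leaves the device
        self.shared_params = list(shared_params)   # G_N: local copy of the shared model
        self.num_samples = num_samples

    def transform(self, x):
        # Blocks run in series; depth may differ per participant, but the final
        # width must match the input width of the shared inference model.
        for weights, noise in self.private_blocks:
            x = passport_block(x, weights, noise)
        return x

    def upload(self):
        # Step D30: plaintext shared parameters only, no private module state.
        return {"params": list(self.shared_params), "weight": self.num_samples}

    def receive(self, federated_params):
        # Step D40: replace local parameters with the federated parameters.
        self.shared_params = list(federated_params)


def aggregate(uploads):
    # Weighted average on the horizontal federation server (weights are assumed
    # to be sample counts; the page only says "weighted average").
    width = len(uploads[0]["params"])
    if any(len(u["params"]) != width for u in uploads):
        raise ValueError("shared model shapes differ and cannot be averaged")
    total = sum(u["weight"] for u in uploads)
    return [sum(u["weight"] * u["params"][i] for u in uploads) / total
            for i in range(width)]


def run_round(participants):
    g_avg = aggregate([p.upload() for p in participants])
    for p in participants:
        p.receive(g_avg)
    return g_avg


def build_demo():
    # Constructed values: the larger participant uses two blocks (3 -> 3 -> 2),
    # the smaller one a single block (3 -> 2). G has two weights and a bias.
    deep = Participant(
        private_blocks=[
            ([[0.5, 0.1, 0.2], [0.3, 0.7, 0.1], [0.2, 0.2, 0.9]], [0.01, -0.02, 0.0]),
            ([[0.4, 0.6, 0.1], [0.8, 0.1, 0.3]], [0.0, 0.01]),
        ],
        shared_params=[1.0, 2.0, 0.0], num_samples=300)
    shallow = Participant(
        private_blocks=[([[0.9, 0.2, 0.4], [0.1, 0.5, 0.6]], [-0.01, 0.02])],
        shared_params=[3.0, -2.0, 4.0], num_samples=100)
    return [deep, shallow]


if __name__ == "__main__":
    parts = build_demo()
    print("G_avg:", run_round(parts))
    print("output widths:", [len(p.transform([0.2, 0.4, 0.6])) for p in parts])
```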

[0130] This application provides another model-secure inference method. Compared to existing technologies that use homomorphic encryption for two-party model-secure inference, this application includes a privacy protection module on the client side. During the two-party model-secure inference process, the client uses this privacy protection module to perform a periodic sample transformation on the sample to be inferred, obtaining a periodically transformed inference sample. The client then uploads the periodically transformed inference sample to the server. The server can then perform model inference on the periodically transformed inference sample based on the inference model, obtaining the model inference result. Since the periodically transformed inference sample undergoes periodic changes, the sample feature values of the sample to be inferred that correspond to each sample feature value in the same periodically transformed inference sample are not unique, so the server cannot deduce a unique sample to be inferred for the client from the periodically transformed inference sample, thus protecting the client's data privacy. The server also does not need to provide the inference model to the client. Furthermore, since the periodically transformed inference sample is itself plaintext data, the goal of secure two-party model inference is achieved by exchanging plaintext data between the client and the server. The amount of plaintext data is much smaller than that of ciphertext data. Therefore, this overcomes the technical defect of two-party model secure inference methods based on homomorphic encryption, which greatly increase the amount of communication data between the client and the server, as well as the amount of computation data for both the client and the server, resulting in lower communication efficiency between the client and the server and lower computational efficiency for both. This improves the efficiency of two-party model secure inference.

[0131] Example 3

[0132] This application embodiment also provides a model-safe inference device applied to a client, the model-safe inference device comprising:

[0133] The periodic transformation module is used to acquire the sample to be inferred, and according to the privacy protection module, to perform a periodic sample transformation on the sample to be inferred to obtain a periodic transformed inference sample.

[0134] The upload module is used to upload the periodic transformation inference sample to the server, so that the server can perform model inference on the periodic transformation inference sample based on the inference model and obtain the model inference result;

[0135] The receiving module is used to receive the model inference results sent by the server.

[0136] Optionally, the privacy protection module includes a periodic neural network and a noise module, and the periodic transformation module is further used for:

[0137] Input the sample to be inferred into the periodic neural network for periodic sample mapping to obtain a periodically mapped sample.

[0138] Based on the noise module, noise is added to the periodic mapping sample to obtain the periodic transformation inference sample.

[0139] Optionally, the periodic neural network includes neural network parameters and a periodic activation function, and the periodic transformation module is further used for:

[0140] Based on the neural network parameters, the sample to be inferred is linearly transformed to obtain a linearly transformed sample;

[0141] Based on the periodic activation function, the linear transformation sample is periodically activated to obtain the periodic mapping sample.

[0142] Optionally, the model-safe reasoning device is further used for:

[0143] Receive the initial privacy protection module and preset noise threshold sent by the server, and generate local additional noise according to the preset noise threshold;

[0144] The noise module in the initial privacy protection module is adjusted based on the local added noise to obtain the privacy protection module.

[0145] The model-secure inference apparatus provided in this application adopts the model-secure inference method in the above embodiments, solving the technical problem of low efficiency in two-party model-secure inference. Compared with the prior art, the beneficial effects of the model-secure inference apparatus provided in this application are the same as those of the model-secure inference method provided in the above embodiments, and other technical features in this model-secure inference apparatus are the same as those disclosed in the methods of the above embodiments, and will not be repeated here.

[0146] Example 4

[0147] This application embodiment also provides a model-safe inference device, applied to a server, the model-safe inference device comprising:

[0148] The receiving module is used to receive periodically transformed inference samples uploaded by the client, wherein the periodically transformed inference samples are obtained by the client based on periodic sample transformation of the inference samples according to the privacy protection module;

[0149] The model inference module is used to perform model inference on the periodic transformation inference sample based on the inference model, and obtain the model inference result;

[0150] The distribution module is used to distribute the model inference results to the client.

[0151] Optionally, the model-safe reasoning device is further used for:

[0152] Obtain training samples, input the training samples into the privacy protection module to be trained, and perform periodic sample transformation on the training samples to obtain periodically transformed training samples.

[0153] The periodic transformation training samples are input into the inference model to be trained, and the periodic transformation training samples are used to predict the training samples to obtain the training sample prediction results.

[0154] Based on the model loss calculated from the prediction results of the training samples, the privacy protection module to be trained and the inference model to be trained are iteratively optimized to obtain the privacy protection module and the inference model.

[0155] The privacy protection module and the preset noise threshold are sent to the client.

[0156] Optionally, the server includes participant devices for horizontal federated learning, and the model-secure inference apparatus is further used for:

[0157] Obtain training samples, input the training samples into the privacy protection module to be trained, and perform periodic sample transformation on the training samples to obtain periodically transformed training samples.

[0158] Based on the periodically changing training samples, the privacy protection module and the inference model to be trained are iteratively optimized.

[0159] The local network parameters of the inference model to be trained are obtained, and the local network parameters are uploaded to the horizontal federation server. The horizontal federation server is used to aggregate the local network parameters uploaded by each of the participating devices into federation network parameters.

[0160] Receive the federated network parameters sent by the horizontal federated server, and update the local network parameters of the inference model to be trained to the federated network parameters;

[0161] Return to the execution steps: Obtain training samples, input the training samples into the privacy protection module to be trained, perform periodic sample transformation on the training samples to obtain periodically transformed training samples, until the horizontal federated learning modeling is detected to be completed, and use the privacy protection module to be trained as the privacy protection module and the inference model to be trained as the inference model.

[0162] The privacy protection module and the preset noise threshold are sent to the client.

[0163] The model-secure inference apparatus provided in this application adopts the model-secure inference method in the above embodiments, solving the technical problem of low efficiency in two-party model-secure inference. Compared with the prior art, the beneficial effects of the model-secure inference apparatus provided in this application are the same as those of the model-secure inference method provided in the above embodiments, and other technical features in this model-secure inference apparatus are the same as those disclosed in the methods of the above embodiments, and will not be repeated here.

[0164] Example 5

[0165] This application provides an electronic device, which includes: at least one processor; and a memory communicatively connected to the at least one processor; wherein the memory stores instructions executable by the at least one processor, the instructions being executed by the at least one processor to enable the at least one processor to execute the model-safe reasoning method in the first embodiment described above.

[0166] Referring now to Figure 5, which shows a structural schematic of an electronic device suitable for implementing embodiments of the present disclosure. The electronic devices in the embodiments of the present disclosure may include, but are not limited to, mobile terminals such as mobile phones, laptops, digital broadcast receivers, PDAs (personal digital assistants), PADs (tablet computers), PMPs (portable multimedia players), in-vehicle terminals (e.g., in-vehicle navigation terminals), and fixed terminals such as digital TVs and desktop computers. The electronic device shown in Figure 5 is merely an example and should not be construed as limiting the functionality and scope of the embodiments disclosed herein.

[0167] As shown in Figure 5, an electronic device may include a processing unit (such as a central processing unit, graphics processing unit, etc.) that can perform various appropriate actions and processes based on a program stored in read-only memory (ROM) or a program loaded from a storage device into random access memory (RAM). The RAM also stores various programs and data required for the operation of the electronic device. The processing unit, ROM, and RAM are interconnected via a bus. Input / output (I / O) interfaces are also connected to the bus.

[0168] Typically, the following systems can be connected to the I / O interface: input devices including, for example, touchscreens, touchpads, keyboards, mice, image sensors, microphones, accelerometers, gyroscopes, etc.; output devices including, for example, liquid crystal displays (LCDs), speakers, vibrators, etc.; storage devices including, for example, magnetic tapes, hard disks, etc.; and communication devices. Communication devices allow electronic devices to communicate wirelessly or wiredly with other devices to exchange data. Although electronic devices with various systems are shown in the figures, it should be understood that it is not required to implement or possess all the systems shown. More or fewer systems may be implemented alternatively.

[0169] In particular, according to embodiments of this disclosure, the processes described above with reference to the flowcharts can be implemented as computer software programs. For example, embodiments of this disclosure include a computer program product comprising a computer program carried on a computer-readable medium, the computer program containing program code for performing the methods shown in the flowcharts. In such embodiments, the computer program can be downloaded and installed from a network via a communication device, or installed from a storage device, or installed from a ROM. When the computer program is executed by a processing device, it performs the functions defined above in the methods of embodiments of this disclosure.

[0170] The electronic device provided in this application employs the model-secure reasoning method in the above embodiments, solving the technical problem of low efficiency in two-party model-secure reasoning. Compared with the prior art, the beneficial effects of the electronic device provided in this application are the same as those of the model-secure reasoning method provided in the above embodiments, and other technical features in this electronic device are the same as those disclosed in the methods of the above embodiments, and will not be repeated here.

[0171] It should be understood that various parts of this disclosure can be implemented using hardware, software, firmware, or a combination thereof. In the description of the above embodiments, specific features, structures, materials, or characteristics may be combined in any suitable manner in one or more embodiments or examples.

[0172] The above description is merely a specific embodiment of this application, but the scope of protection of this application is not limited thereto. Any variations or substitutions that can be easily conceived by those skilled in the art within the scope of the technology disclosed in this application should be included within the scope of protection of this application. Therefore, the scope of protection of this application should be determined by the scope of the claims.

[0173] Example 6

[0174] This embodiment provides a computer-readable storage medium having computer-readable program instructions stored thereon, which are used to execute the model-safe reasoning method in Embodiment 1 above.

[0175] The computer-readable storage medium provided in this application embodiment may be, for example, but is not limited to, a USB flash drive, or an electrical, magnetic, optical, electromagnetic, infrared, or semiconductor system or device, or any combination thereof. More specific examples of computer-readable storage media may include, but are not limited to: electrical connections having one or more wires, portable computer disks, hard disks, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disk read-only memory (CD-ROM), optical storage devices, magnetic storage devices, or any suitable combination thereof. In this embodiment, the computer-readable storage medium may be any tangible medium containing or storing a program that can be used by or in conjunction with an instruction execution system, apparatus, or device. The program code contained on the computer-readable storage medium may be transmitted using any suitable medium, including but not limited to: wires, optical cables, RF (radio frequency), etc., or any suitable combination thereof.

[0176] The aforementioned computer-readable storage medium may be included in an electronic device or may exist independently without being assembled into an electronic device.

[0177] The aforementioned computer-readable storage medium carries one or more programs. When the one or more programs are executed by an electronic device, they cause the electronic device to: acquire a sample to be inferred; perform a periodic sample transformation on the sample to be inferred according to a privacy protection module to obtain a periodically transformed inference sample; upload the periodically transformed inference sample to a server so that the server can perform model inference on the periodically transformed inference sample based on an inference model to obtain a model inference result; and receive the model inference result sent by the server.

[0178] Alternatively, they cause the electronic device to: receive periodically transformed inference samples uploaded by a client, wherein the periodically transformed inference samples are obtained by the client through periodic sample transformation based on the privacy protection module; perform model inference on the periodically transformed inference samples according to the inference model to obtain the model inference result; and send the model inference result to the client.

[0179] Computer program code for performing the operations of this disclosure can be written in one or more programming languages or a combination thereof, including object-oriented programming languages such as Java, Smalltalk, and C++, and conventional procedural programming languages such as the "C" language or similar programming languages. The program code can be executed entirely on the user's computer, partially on the user's computer, as a standalone software package, partially on the user's computer and partially on a remote computer, or entirely on a remote computer or server. In cases involving remote computers, the remote computer can be connected to the user's computer via any type of network, including a local area network (LAN) or a wide area network (WAN), or can be connected to an external computer (e.g., via the Internet using an Internet service provider).

[0180] The flowcharts and block diagrams in the accompanying drawings illustrate the architecture, functionality, and operation of possible implementations of systems, methods, and computer program products according to various embodiments of this application. In this regard, each block in a flowchart or block diagram may represent a module, segment, or portion of code containing one or more executable instructions for implementing a specified logical function. It should also be noted that in some alternative implementations, the functions indicated in the blocks may occur in a different order than those indicated in the drawings. For example, two consecutively indicated blocks may actually be executed substantially in parallel, and they may sometimes be executed in reverse order, depending on the functions involved. It should also be noted that each block in the block diagrams and/or flowcharts, and combinations of blocks in the block diagrams and/or flowcharts, can be implemented using a dedicated hardware-based system that performs the specified function or operation, or using a combination of dedicated hardware and computer instructions.

[0181] The modules described in the embodiments of this disclosure can be implemented in software or hardware. The names of the modules do not necessarily limit the functionality of the unit itself.

[0182] The computer-readable storage medium provided in this application stores computer-readable program instructions for executing the above-described model-safe reasoning method, thus solving the technical problem of low efficiency in two-party model-safe reasoning. Compared with the prior art, the beneficial effects of the computer-readable storage medium provided in this application are the same as the beneficial effects of the model-safe reasoning method provided in the above-described embodiments, and will not be repeated here.

[0183] Example 7

[0184] This application also provides a computer program product, including a computer program that, when executed by a processor, implements the steps of the model-safe reasoning method described above.

[0185] The computer program product provided in this application solves the technical problem of low efficiency in secure inference for two-party models. Compared with the prior art, the beneficial effects of the computer program product provided in this application are the same as those of the secure inference method provided in the above embodiments, and will not be repeated here.

[0186] The above are merely preferred embodiments of this application and do not limit the patent scope of this application. Any equivalent structural or procedural transformations made using the content of this application's specification and drawings, or direct or indirect applications in other related technical fields, are similarly included within the patent scope of this application.

Claims

1. A model-safe reasoning method, characterized in that, when applied to a client, the model-secure inference method includes: obtaining the sample to be inferred and, according to the privacy protection module, performing a periodic sample transformation on the sample to be inferred to obtain a periodically transformed inference sample; uploading the periodically transformed inference sample to the server so that the server can perform model inference on the periodically transformed inference sample based on the inference model and obtain the model inference result; and receiving the model inference result sent by the server; wherein the privacy protection module includes a periodic neural network and a noise module, the periodic neural network includes neural network parameters and a periodic activation function, and the periodic activation function is a periodic function; and wherein the step of performing a periodic sample transformation on the sample to be inferred according to the privacy protection module to obtain the periodically transformed inference sample includes: based on the neural network parameters, linearly transforming the sample to be inferred to obtain a linearly transformed sample; based on the periodic activation function, periodically activating the linearly transformed sample to obtain a periodic mapping sample; and based on the noise module, adding noise to the periodic mapping sample to obtain the periodically transformed inference sample.

2. The model-safe reasoning method as described in claim 1, characterized in that, before the step of obtaining the sample to be inferred and, according to the privacy protection module, performing a periodic sample transformation on the sample to be inferred to obtain a periodically transformed inference sample, the model-secure inference method further includes: receiving the initial privacy protection module and the preset noise threshold sent by the server, and generating local added noise according to the preset noise threshold; and adjusting the noise module in the initial privacy protection module based on the local added noise to obtain the privacy protection module.

3. A model-safe reasoning method, characterized in that, when applied to the server side, the model-secure inference method includes: receiving periodically transformed inference samples uploaded by a client, wherein the periodically transformed inference samples are obtained by the client through a periodic sample transformation performed on the sample to be inferred by a privacy protection module; the privacy protection module includes a periodic neural network and a noise module; the periodic neural network includes neural network parameters and a periodic activation function, where the periodic activation function is a periodic function; the client performs a linear transformation on the sample to be inferred based on the neural network parameters to obtain a linearly transformed sample, then performs periodic activation on the linearly transformed sample based on the periodic activation function to obtain a periodic mapping sample, and finally adds noise to the periodic mapping sample using the noise module to obtain the periodically transformed inference sample; performing, based on the inference model, model inference on the periodically transformed inference sample to obtain the model inference result; and sending the model inference result to the client.

4. The model-safe reasoning method as described in claim 3, characterized in that, prior to the step of receiving the periodically transformed inference samples uploaded by the client, the model-secure inference method further includes: obtaining training samples, inputting the training samples into the privacy protection module to be trained, and performing periodic sample transformation on the training samples to obtain periodically transformed training samples; inputting the periodically transformed training samples into the inference model to be trained, and performing sample prediction on the periodically transformed training samples to obtain the training sample prediction results; based on the model loss calculated from the training sample prediction results, iteratively optimizing the privacy protection module to be trained and the inference model to be trained to obtain the privacy protection module and the inference model; and sending the privacy protection module and the preset noise threshold to the client.

5. The model-safe reasoning method as described in claim 3, characterized in that the server includes participating devices in the horizontal federated learning process, and, prior to the step of receiving periodically transformed inference samples uploaded by the client, the model-secure inference method further includes: obtaining training samples, inputting the training samples into the privacy protection module to be trained, and performing periodic sample transformation on the training samples to obtain periodically transformed training samples; based on the periodically transformed training samples, iteratively optimizing the privacy protection module to be trained and the inference model to be trained; obtaining the local network parameters of the inference model to be trained and uploading the local network parameters to the horizontal federated server, where the horizontal federated server is used to aggregate the local network parameters uploaded by each of the participating devices into federated network parameters; receiving the federated network parameters sent by the horizontal federated server and updating the local network parameters of the inference model to be trained to the federated network parameters; returning to the step of obtaining training samples, inputting the training samples into the privacy protection module to be trained, and performing periodic sample transformation on the training samples to obtain periodically transformed training samples, until completion of the horizontal federated learning modeling is detected, and then using the privacy protection module to be trained as the privacy protection module and the inference model to be trained as the inference model; and sending the privacy protection module and the preset noise threshold to the client.

6. An electronic device, characterized in that the electronic device includes: at least one processor; and a memory communicatively connected to the at least one processor; wherein the memory stores instructions that can be executed by the at least one processor to enable the at least one processor to perform the steps of the model-safe reasoning method according to any one of claims 1 to 5.

7. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a program that implements the model-safe reasoning method, the program being executed by a processor to implement the steps of the model-safe reasoning method as described in any one of claims 1 to 5.

8. A computer program product, comprising a computer program, characterized in that, when the computer program is executed by a processor, it implements the steps of the model-safe reasoning method as described in any one of claims 1 to 5.
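
The client-side steps of claims 1 and 2 and the server-side step of claim 3, sketched as an added example that is not code from the patent. The weights, the choice of sin as the periodic activation, the uniform noise distribution and the logistic inference model are all assumptions, since the patent publishes no concrete values; the demo also shows that the periodic mapping is many-to-one, so two different raw samples can produce the same mapped sample.

```python
import math
import random

# Constructed parameters; the patent does not publish concrete values.
WEIGHTS = [[2.0, 0.0], [0.0, 0.5]]   # neural network parameters (assumed diagonal)
BIAS = [0.1, -0.3]
NOISE_THRESHOLD = 0.05               # "preset noise threshold" sent by the server
MODEL_W, MODEL_B = [1.5, -2.0], 0.2  # assumed server-side logistic model


def linear_transform(sample):
    """Claim 1, step 1: linear transformation with the network parameters."""
    return [sum(w * x for w, x in zip(row, sample)) + b
            for row, b in zip(WEIGHTS, BIAS)]


def periodic_map(sample):
    """Claim 1, step 2: periodic activation (sin is an assumed choice)."""
    return [math.sin(v) for v in linear_transform(sample)]


def local_noise(dim, rng):
    """Claim 2: local added noise bounded by the threshold (assumed uniform)."""
    return [rng.uniform(-NOISE_THRESHOLD, NOISE_THRESHOLD) for _ in range(dim)]


def client_transform(sample, noise):
    """Claim 1, step 3: add noise to the periodic mapping sample."""
    return [m + n for m, n in zip(periodic_map(sample), noise)]


def server_infer(transformed):
    """Claim 3: the server receives only the transformed sample."""
    z = sum(w * t for w, t in zip(MODEL_W, transformed)) + MODEL_B
    return 1.0 / (1.0 + math.exp(-z))


def run_demo(seed=7):
    rng = random.Random(seed)
    sample = [1.2, -0.7]  # constructed raw sample
    # Shifting each feature by 2*pi / weight moves the linear output by one
    # full period, so a different raw sample yields the same periodic mapping.
    shifted = [sample[0] + 2 * math.pi / 2.0, sample[1] + 2 * math.pi / 0.5]
    upload = client_transform(sample, local_noise(len(BIAS), rng))
    gap = max(abs(a - b)
              for a, b in zip(periodic_map(sample), periodic_map(shifted)))
    return {"upload": upload, "collision_gap": gap,
            "score": server_infer(upload)}


if __name__ == "__main__":
    print(run_demo())
```

Every uploaded component stays within [-1 - threshold, 1 + threshold], which gives the server-side code a simple range check for malformed uploads.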