A privacy protection method based on adversarial learning

By constructing an adversarial training framework, adversarial learning techniques are used to find and perturb privacy features in deep learning recommendation systems, solving the problems of privacy protection and recommendation accuracy in existing technologies, and achieving the goal of maintaining the efficiency and accuracy of recommendation systems while resisting adversarial attacks.

CN116127502BActive Publication Date: 2026-06-12NINGBO UNIV

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
NINGBO UNIV
Filing Date
2022-12-16
Publication Date
2026-06-12

AI Technical Summary

Technical Problem

Existing privacy protection methods are unable to effectively defend against adversarial attacks when combined with deep learning-based recommendation systems, and cannot maintain the accuracy and efficiency of the recommendation system while protecting user privacy.

Method used

An adversarial training framework consisting of an adversarial agent, a recommendation model, and a threat model is constructed. Through multiple rounds of local and global adversarial training, privacy features in user characteristics are found and perturbed to generate adversarial features to protect privacy, while optimizing recommendation results.

Benefits of technology

While maximizing privacy protection, the system should maintain accuracy and efficiency, resist adversarial attacks, and adapt to the security level requirements of different tasks.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN116127502B_ABST
    Figure CN116127502B_ABST
Patent Text Reader

Abstract

The application discloses a privacy protection method based on an adversarial learning, and comprises the following steps: S1, constructing an adversarial training framework composed of an adversary, a recommendation model and a threat model; S2, extracting user features by the adversary, adding random disturbance to the user features to generate first adversarial features; S3, finding accurate privacy features through local adversarial training of the threat model and the adversary; S4, adjusting the disturbance intensity of the accurate privacy features by the adversary to generate second adversarial features; S5, generating third adversarial features through local adversarial training of the recommendation model and the adversary; S6, combining the third adversarial features with general features of similar users to generate enhanced features; and S7, finally realizing accurate recommendation under the premise that the privacy features are not exposed through global adversarial training of the adversarial training framework. The application can ensure the expected result output of a recommendation system, resist adversarial attacks on user privacy and complete privacy protection.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to a privacy protection method, and more particularly to a privacy protection method based on adversarial learning. Background Technology

[0002] Deep learning models involve personal privacy data (such as basic personal information, interests, browsing behavior, and content) in their input, output, and computation processes, making privacy breaches a security risk at every stage. The most aggressive methods are adversarial attack schemes, such as member inference attacks and poisoning attacks, which can effectively attack the user privacy attributes of recommendation systems or launch attacks on the recommendation system itself, such as promoting specific items. This is because deep learning models generally suffer from overfitting and lack robustness against interference data not encountered during training, seriously jeopardizing both user privacy and model computational security.

[0003] Typically, the industry uses federated learning frameworks, leveraging their "data doesn't leave the local machine" feature to protect user privacy data locally. However, in federated models, the uploaded gradients still contain user privacy-related information, making them vulnerable to malicious attacks. Therefore, gradients are encrypted during upload; however, the computational cost of the ciphertext domain is far higher than that of the plaintext domain, placing an unacceptable burden on large-scale federated training. Another solution is differential privacy; however, while excessive noise can effectively protect privacy, it can also cause recommendations to lose personalization, reducing efficiency and accuracy. Designing a perfect privacy budget is the biggest obstacle to applying differential privacy to the field of personalized interest recommendation, and currently, there is no better solution.

[0004] Existing traditional privacy protection methods include: data encryption, access control, trusted third-party auditing, data search, and data anonymization. 1) Data encryption involves encrypting the original message into ciphertext using an encryption algorithm, transmitting it to the recipient via a public channel, and then decrypting the message back into plain text. 2) Access control is a means for data systems to define user identities and predefined policies to prevent unauthorized users from accessing resources. 3) Reputable trusted third parties (TTPs) can correctly introduce unbiased audit results. 4) The main methods of searchable encryption include searchable symmetric encryption (SSE) and public-key encryption with key search (PEKS). 5) Data anonymization involves processing individual attributes of the new dataset during the data publishing process, considering the distribution characteristics of the original data.

[0005] However, the aforementioned technologies cannot be effectively implemented when combined with deep learning-based recommendation systems. The reasons are as follows: 1) Deep learning-based recommendation models require massive amounts of user data for training. The above solutions significantly alter the original data and impact the model training process, leading to low computational efficiency; 2) Encrypting the data may result in a different distribution from the original data, affecting the training results of the recommendation system; 3) For threats from adversarial poisoning attack models, encryption makes it difficult to effectively identify problematic nodes, thus hindering the development of effective defense strategies.

[0006] In addition, there are methods based on data perturbation and data security schemes under federated frameworks. Data perturbation methods, represented by differential privacy techniques, mainly hide the actual results of data query operations by adding random noise (such as Laplace noise or Gaussian noise) to the dataset. However, balancing the privacy protection budget and the efficiency of federated learning is difficult. This is because a high privacy protection budget may not be very effective against some large-scale attacks (such as adversarial attacks), while a low privacy protection budget may hinder the convergence of the local model. One of the most common methods in federated learning frameworks is the federated averaging algorithm, which combines local stochastic gradient descent on each client with a server that performs a weighted average of the model, with the weights proportional to the size of the local data on each client. However, during training, the server can easily identify various behaviors and information (such as rated items) when users upload model parameters, thus potentially failing to adequately protect user privacy. Based on the above description, there is an urgent need to develop a privacy protection method for the field of personal interest recommendation, which can effectively resist attacks while meeting the accuracy requirements of the recommendation results. Summary of the Invention

[0007] The purpose of this invention is to provide a privacy protection method based on adversarial learning. This invention can ensure the expected output of the recommendation system while resisting adversarial attacks targeting user privacy, thus achieving privacy protection.

[0008] The technical solution of this invention: a privacy protection method based on adversarial learning, comprising the following steps:

[0009] Step S1: Construct an adversarial training framework consisting of an adversarial generator, a recommendation model, and a threat model;

[0010] Step S2: The adversarial device extracts user features and adds random perturbations to them to generate the first adversarial feature;

[0011] Step S3: Input the first adversarial feature from step S2 into the threat model. Through multiple rounds of local adversarial training between the threat model and the adversary, the threat model is rendered ineffective in order to find the specific location of the accurate privacy feature in the user features.

[0012] Step S4: The adversarial device adjusts the perturbation intensity of the accurate privacy features found in step S3 to generate a second adversarial feature.

[0013] Step S5: Feed the second adversarial feature from step S4 into the recommendation model, and adjust the perturbation type and perturbation amplitude in the second adversarial feature through multiple rounds of local adversarial training between the recommendation model and the adversary to generate the third adversarial feature.

[0014] Step S6: Combine the third adversarial feature from step S5 with the common features of similar users to generate enhanced features;

[0015] Step S7: Simultaneously feed the enhanced features from step S6 into the recommendation model and the threat model, and conduct multiple rounds of global adversarial training through an adversarial training framework to ultimately achieve accurate recommendations without exposing privacy features.

[0016] In the aforementioned privacy protection method based on adversarial learning, during the multi-round local adversarial training process in step S3, each round of local adversarial training involves the threat model identifying the key privacy features of the current round based on the attack success rate. Subsequently, the adversary modifies the position of the perturbation added to the user features until the threat model fails and the local adversarial training terminates. Finally, based on the previous perturbation addition position information and attack result statistics, the accurate position of the key privacy features is determined.

[0017] In the aforementioned privacy protection method based on adversarial learning, in step S4, the adversarial generator optimizes the accurate privacy features by perturbing them, thereby generating a second adversarial feature.

[0018] In the aforementioned privacy protection method based on adversarial learning, during the multi-round local adversarial training process in step S5, each round of local adversarial training is performed by the recommendation model to optimize the adversary based on the recommendation results. The adversary adjusts the perturbation type and perturbation amplitude in the adversarial features of that round until the recommendation results meet the recommendation requirements. The local adversarial training then terminates, and the adversarial features after the last round of perturbation type and perturbation amplitude adjustment are the third adversarial features.

[0019] In the aforementioned privacy protection method based on adversarial learning, during the multi-round global adversarial training process in step S7, each round of global adversarial training combines the calculation results of the recommendation model and the threat model to optimize the adversarial features generated by the adversarial device, until the recommendation model outputs a recommendation result that meets the recommendation requirements when the threat model fails.

[0020] Compared with existing technologies, the beneficial effects of this invention are as follows: This invention utilizes adversarial learning technology to find the privacy-containing parts (privacy features) in user information (embedding) by adversarially training the threat model's attack target, and then subtly modifies them (adding subtle perturbations) to ensure the recommendation accuracy of the recommendation system while protecting user privacy from attacks by the threat model. Specifically, the core of this invention lies in designing a local-global stepwise adversarial training framework. This framework utilizes the targeted nature of adversarial training. First, through pairwise adversarial training between the threat model and the adversary, the location of privacy features is selected. Then, through pairwise adversarial training between the recommendation model and the adversary, the perturbation is optimized to ensure normal recommendation by the recommendation system. At the same time, the adversarial features obtained in this step are combined with user general features to obtain enhanced features. Finally, by simultaneously feeding the enhanced features into the recommendation model and the threat model (global training), the negative impact of perturbations on the original user features can be offset while maximizing privacy protection. That is, the perturbation energy is suppressed to a minimum, reducing the performance loss of the recommendation system. Ultimately, the recommendation system can achieve accurate recommendations while protecting user privacy from attacks by the threat model.

[0021] Furthermore, the local-global step-by-step adversarial training framework of this invention can also be customized to adjust the objective function according to different task requirements (or security level requirements), which has sufficient degrees of freedom. The successfully trained adversarial device can be deployed to the same type of recommendation model, and for different types of recommendation models, the framework can adjust the target recommendation model for retraining, which has a certain degree of adaptability. Attached Figure Description

[0022] Figure 1 This is a schematic diagram of the global adversarial training framework of the present invention;

[0023] Figure 2 This is a schematic diagram of a local training framework for pairwise adversarial training between the threat model and the adversary.

[0024] Figure 3 This is a schematic diagram of the local training framework for pairwise adversarial training between the recommendation model and the adversary. Detailed Implementation

[0025] The present invention will be further described below with reference to the accompanying drawings and embodiments, but this should not be construed as limiting the present invention.

[0026] Example: A privacy protection method based on adversarial learning. The core of this invention lies in accurately capturing key privacy features. Based on the idea of ​​adversarial learning, it utilizes the highly targeted training characteristics to construct a privacy feature capture scheme, and then performs privacy information protection and defense. The overall process of the privacy protection scheme based on adversarial learning can be found here. Figure 1Specifically, it includes the following steps:

[0027] Step S1: Construct an adversarial training framework consisting of an adversary, a recommendation model, and a threat model.

[0028] Step S2: The adversarial device extracts user features and adds random perturbations to them to generate the first adversarial feature.

[0029] Step S3: Input the first adversarial feature from step S2 into the threat model. Through multiple rounds of local adversarial training between the threat model and the adversary, the threat model is rendered ineffective in order to find the specific location of the accurate privacy feature in the user features.

[0030] The pairwise adversarial training framework for the adversarial device and threat model can be referenced. Figure 2 The purpose is to find the location of privacy features: by continuously adding perturbations randomly at different locations, the attack effect of the threat model is observed, and the locations where the attack fails are the locations of potential privacy features.

[0031] As a preferred embodiment, in the multi-round local adversarial training process in step S3, in each round of local adversarial training, the threat model finds the privacy key features of the current round based on the attack success rate, and then the adversary modifies the position of the perturbation added in the user features until the threat model fails and the local adversarial training terminates. Finally, based on the previous perturbation addition position information and attack result statistics, the accurate position of the privacy key features is determined.

[0032] Step S4: The adversarial device strengthens the perturbation intensity of the accurate privacy features found in step S3 to generate a second adversarial feature.

[0033] Step S5: Input the second adversarial feature from step S4 into the recommendation model, and adjust the perturbation type and perturbation amplitude in the second adversarial feature through multiple rounds of local adversarial training between the recommendation model and the adversary to generate the third adversarial feature.

[0034] The framework for pairwise adversarial training of the adversarial device and the recommendation model can be referenced. Figure 3 The aim is to protect privacy while optimizing perturbations to ensure the recommendation system makes normal recommendations: by optimizing the perturbations at the locations of potential privacy features through the output accuracy of the recommendation system.

[0035] Preferably, in the multi-round local adversarial training process in step S5, the adversary is optimized by the recommendation model based on the recommendation results in each round of local adversarial training. The adversary adjusts the perturbation type and perturbation amplitude in the adversarial features of that round until the recommendation results meet the recommendation requirements. The local adversarial training terminates, and the adversarial features after the perturbation type and perturbation amplitude are adjusted in the last round are the third adversarial features.

[0036] Step S6: Combine the third adversarial feature from step S5 with the common features of similar users to generate enhanced features.

[0037] Unlike typical adversarial training methods, this invention incorporates features of similar users while adding perturbations. This is to maintain a certain level of recommendation efficiency, while offsetting the negative impact of perturbations on the original user features when maximizing perturbations (maximizing privacy protection). In order to accurately capture privacy features, the perturbation addition strategy and the corresponding training strategy will also be adjusted accordingly.

[0038] Step S7: Simultaneously feed the enhanced features from step S6 into the recommendation model and the threat model, and conduct multiple rounds of global adversarial training through an adversarial training framework to ultimately achieve accurate recommendations without exposing privacy features.

[0039] Due to privacy concerns, added perturbations can decrease the accuracy of recommendation models. This invention combines user-specific general features with user-adversarial features to optimize recommendation accuracy while protecting privacy. Specifically: Similarity analysis is performed on user a's similar user cluster A, and then the cluster features are used as user a's general features; then, the general features are combined with adversarial features to form enhanced features; finally, the training loss of the recommendation model and the testing loss of the threat model are combined to form a joint loss, thereby optimizing the perturbation.

[0040] Preferably, in the multi-round global adversarial training process in step S7, each round of global adversarial training combines the calculation results of the recommendation model and the threat model to optimize the adversarial features generated by the adversary, until the recommendation model outputs a recommendation result that meets the recommendation requirements when the threat model fails.

[0041] The mathematical model of the privacy protection scheme of this invention is expressed as follows:

[0042] Let (x, y) represent the original user data x and label y, and belong to the original dataset. The adversarial classification problem can be represented by assuming a classification function f(x,θ)→y, which can find the sample x to which the label y belongs, where θ is the function parameter; then the adversarial problem can be expressed as an empirical risk minimization problem. In other words, the perturbation generation of the adversarial generator can be trained using a threat model, focusing on the location of the perturbation generation. The following formula (1) represents the basic mathematical model expression for adversarial training:

[0043]

[0044] in, This is expressed as the empirical risk loss function; at this point, by modifying the above optimization function using the adversarial attack approach, the privacy protection function of the adversarial training mode can be derived (the role of formula (2) is to initialize the parameters of the adversarial device using the recommendation model. At this point, there is no requirement for random location of the perturbation; it is only for initializing the parameters of the adversarial device for subsequent training):

[0045]

[0046] in, Let y be the loss function of the recommendation model. R These are labels related to the recommendation model, but in actual calculations, they need to be changed to reflect the recommendation model's output; x adv =x+δ represents the adversarial feature after adding adversarial perturbation δ to the original feature x (i.e., the adversarial feature generated by the adversarial generator); through threat model identification (labeled as y) T After fixing θ, adjust the perturbation δ p To find the location of privacy features (Formula (3) means using the threat model to train perturbations at different locations. First, the location of privacy features is found using the perturbation location. Then, the parameters of the adversary are trained so that the added perturbations can make the threat model attack ineffective, corresponding to the local training in the previous step S3):

[0047]

[0048]

[0049] in, Let δ be the loss function of the threat model. p It should be noted that it is different from δ( For δ p (Inverting), the perturbation position can be changed by assigning zero, thereby capturing the position of privacy features; finally, in order to offset the negative impact of adding adversarial perturbations, it is planned to use the assistance of general features to improve recommendation efficiency. At the same time, by increasing the general features, certain personalized differences can be weakened and privacy leakage can be reduced. The adjusted comprehensive objective function is as follows: (5)

[0050]

[0051] Where, x uni As a general feature, Represented as x adv ,x uni The fusion operator can be adjusted for arithmetic averaging, weighted averaging, or adaptive fusion based on the experiment.

[0052] The complete training process and the objective function for each step are as follows:

[0053] Input: User feature x, User general feature x uni Recommendation model related tags y R Threat model related tags y T .

[0054] Output: Location of privacy features δ of user characteristics p The parameter θ of the adversary.

[0055] 1. The initial parameters θ for training the adversary are optimized as follows:

[0056]

[0057] 2. Noise addition position δ for training the adversary p The optimization objective is:

[0058]

[0059] 3. Train the adversary parameters to disable the threat model; the optimization objective is:

[0060]

[0061] 4. Train the adversarial generator parameters to maintain the performance of the recommendation model at a certain level. The optimization objective is:

[0062]

[0063] 5. Incorporate user-specific features to offset the performance degradation caused by noise, train adversarial parameters, and train more suitable adversarial interference. The optimization objective is:

[0064]

[0065] 6. After the model stops converging, output the location of privacy features and the parameters of the adversary.

[0066] in, For δ p Invert the zero value of δ p It consists of zero and non-zero values, where the non-zero values ​​are overlaid on the privacy features. δ p The three elements, δ, have the same length.

[0067] In addition, the specific network structure of the trainer is not described in detail in this embodiment. Depending on the task requirements, the network size, structure, number of parameters, and values ​​of the internal structure of the trainer can be defined separately.

[0068] The above are merely preferred embodiments of the present invention. The scope of protection of the present invention is not limited to the above embodiments. All technical solutions falling within the scope of the present invention's concept are within the scope of protection of the present invention. It should be noted that for those skilled in the art, any improvements and modifications made without departing from the principles of the present invention should also be considered within the scope of protection of the present invention.

Claims

1. A privacy protection method based on adversarial learning, characterized in that: Includes the following steps: Step S1: Construct an adversarial training framework consisting of an adversarial generator, a recommendation model, and a threat model; Step S2: The user features extracted by the adversarial device are randomly perturbed and added to the user features to generate the first adversarial feature; Step S3: Input the first adversarial feature from step S2 into the threat model. Through multiple rounds of local adversarial training between the threat model and the adversary, the threat model is rendered ineffective in order to find the specific location of the accurate privacy feature in the user features. During the multi-round local adversarial training, in each round of local adversarial training, the threat model finds the privacy key features of the current round based on the attack success rate. Then, the adversary modifies the position of the perturbation added in the user features until the threat model fails and the local adversarial training terminates. Finally, based on the previous perturbation addition position information and attack result statistics, the accurate position of the privacy key features is determined. Step S4: The adversarial device adjusts the perturbation intensity of the accurate privacy features found in step S3 to generate a second adversarial feature. Step S5: Feed the second adversarial feature from step S4 into the recommendation model, and adjust the perturbation type and perturbation amplitude in the second adversarial feature through multiple rounds of local adversarial training between the recommendation model and the adversary to generate the third adversarial feature. Step S6: Combine the third adversarial feature from step S5 with the general features of similar users to generate enhanced features; analyze similar user clusters through similarity analysis, and then use the cluster features as the general features of users; then combine the general features with the adversarial features to form enhanced features; Step S7: The enhanced features from step S6 are simultaneously fed into the recommendation model and the threat model. Multiple rounds of global adversarial training are conducted through the adversarial training framework to achieve accurate recommendations without exposing privacy features. During the multiple rounds of global adversarial training, the adversarial features generated by the adversarial generator are optimized by combining the calculation results of the recommendation model and the threat model in each round until the recommendation model outputs a recommendation result that meets the recommendation requirements when the threat model fails.

2. The privacy protection method based on adversarial learning according to claim 1, characterized in that: In step S4, the adversarial device optimizes the perturbation strength of the accurate privacy feature to generate a second adversarial feature.

3. The privacy protection method based on adversarial learning according to claim 1, characterized in that: In the multi-round local adversarial training process in step S5, each round of local adversarial training is optimized by the recommendation model based on the recommendation results. The adversarial device adjusts the perturbation type and perturbation amplitude in the adversarial features of that round until the recommendation results meet the recommendation requirements. The local adversarial training terminates, and the adversarial features after the last round of perturbation type and perturbation amplitude adjustment are the third adversarial features.