A training data detection method and device, and a storage medium

By implanting a backdoor and adding a target trigger in the training dataset, the problem of being unable to trace the source of unauthorized datasets after they have been stolen was solved, enabling accurate tracing of model training data and estimation of data usage ratio.

CN116704278B · Active · Publication Date: 2026-06-23 · BEIJING REALAI TECH CO LTD

Patent Information

Authority / Receiving Office: CN · China
Patent Type: Patents(China)
Current Assignee / Owner: BEIJING REALAI TECH CO LTD
Filing Date: 2022-04-29
Publication Date: 2026-06-23

AI Technical Summary

Technical Problem

In existing technologies, once unauthorized datasets are stolen, the data owner cannot clearly trace the source, and it is impossible to determine whether the model used its training data.

Method used

By implanting a backdoor in the training dataset and adding a target trigger to the image, the backdoor is activated to determine whether the model has used the dataset, and a mapping relationship is established to infer the proportion of data usage.

Benefits of technology

It enables source detection of model training data, accurately determining whether the model has used training data from the data source and estimating the amount of data used.

✦ Generated by Eureka AI based on patent content.

Abstract

Embodiments of the present application relate to the technical field of image recognition, and provide a training data detection method and device and a storage medium. The method comprises: obtaining at least one target image, the target image being an image added with a target trigger, the target trigger being used to activate a backdoor implanted in a target sample; the target sample being a sample in a target data set; inputting the target image into a target model to be detected to obtain a target output of the target model; and if at least one target output is a probability of a label corresponding to the target sample in the target data set, determining that the target model is obtained by using at least one target sample in the target data set for training. The present application can control training data, can know whether a model owner uses training data of a data source party for training, thereby providing evidence, and can inversely deduce a proportion of data used by a data user for training.

Description

Technical Field

[0001] This application relates to the field of image processing technology, specifically to a training data detection method, apparatus, and storage medium.

Background Technology

[0002] Currently, there is a vast amount of data circulating online through various channels. Typically, before training a model, a large amount of data is crawled to be used as training data. This training data usually requires extensive preprocessing and labeling to ensure that the dataset can be used as good training data for the model.

[0003] In the process of researching and practicing existing technologies, the inventors of this application's embodiments discovered that if the crawled dataset is unauthorized data, there is a possibility of the dataset being stolen. For example, Company A might use data processed by Company B to train its own model, thereby obtaining a better-performing model without effort. However, once some or all of the training data in these unauthorized datasets is obtained by other companies and used for model training in their backend systems, the owner of the training data cannot be clearly identified or traced.

Summary of the Invention

[0004] This application provides a training data detection method, apparatus, and storage medium, which can control training data, determine whether the model owner uses the training data from the data source for training, thereby providing evidence, and infer the proportion of data used for training by the data user.

[0005] In a first aspect, embodiments of this application provide a training data detection method from the perspective of a data detection device, the method comprising:

[0006] At least one target image is acquired, wherein the target image is an image with a target trigger added, the target trigger being used to activate a backdoor implanted in a target sample; the target sample is a sample in a target dataset.

[0007] The target image is input into the target model to be detected, and the target output of the target model is obtained;

[0008] If at least one target output is the probability of the label corresponding to the target sample in the target dataset, then the target model is determined to be trained using at least one target sample in the target dataset.

[0009] In a second aspect, embodiments of this application also provide a data detection apparatus for implementing the training data detection method described in the first aspect, the data detection apparatus comprising:

[0010] An input / output module is used to acquire at least one target image, wherein the target image is an image with a target trigger added, and the target trigger is used to activate a backdoor implanted in a target sample; the target sample is a sample in a target dataset.

[0011] The processing module is used to input the target image acquired by the input-output module into the target model to be detected, and obtain the target output of the target model; if at least one target output is the probability of the label corresponding to the target sample in the target dataset, then it is determined that the target model is trained using at least one target sample in the target dataset.

[0012] In some implementations, the at least one target image is obtained by the processing module according to at least one of the following methods:

[0013] Obtained by adding a preset label to any image in the initial dataset;

[0014] Obtain from the target dataset;

[0015] Alternatively, it may be obtained from a third-party channel and not belong to the initial dataset or the target dataset.

[0016] In some implementations, before the input / output module acquires the target image, the processing module is further configured to:

[0017] The input / output module obtains a preprocessed initial dataset, which includes multiple data samples.

[0018] Implant at least one backdoor into some or all of the data samples in the initial dataset to obtain at least one target dataset;

[0019] Establish the first mapping relationship between each target sample in each target dataset and its corresponding specified label.

[0020] In some implementations, the target model is a model used for simulation testing by the data source; after establishing the first mapping relationship between each target sample and its corresponding output in each target dataset, the processing module is further used for:

[0021] From the target dataset, at least two first datasets are determined, each first dataset containing a different proportion of the target samples in the target dataset;

[0022] Obtain at least two second datasets, each of which includes one of the first datasets;

[0023] Each second dataset is input into at least one of the target models to obtain the simulated output corresponding to each second dataset, wherein the simulated output is the probability of a specified label;

[0024] Based on the simulation outputs corresponding to each second dataset and the proportion corresponding to the first dataset, a second mapping relationship is obtained. The second mapping relationship includes the mapping relationship between the probability interval and the proportion corresponding to the first dataset.

[0025] In some implementations, after obtaining the output of the target model, the processing module is further used to:

[0026] Determine the target probability interval corresponding to the target output;

[0027] Based on the second mapping relationship and the target probability interval, the target proportion is determined, whereby the target proportion is the percentage of the number of target samples used for training the target model in the target dataset.

[0028] In some implementations, the preset markers in the target sample satisfy at least one of the following:

[0029] n preset labels are set on some or all of the data samples in the target dataset;

[0030] The area occupied by the preset marker in the target sample is smaller than the preset area;

[0031] Alternatively, the contrast of the preset marker is less than the preset contrast.

[0032] In some embodiments, the processing module is further configured to:

[0033] The input / output module acquires historical detection data for at least one target model within a historical time period, including detection data for target samples with the preset label added.

[0034] If the detection accuracy is determined to be lower than the preset detection accuracy based on the historical detection data, then at least one of the following operations shall be performed on the preset markers in the target sample:

[0035] By setting multiple preset labels on some or all data samples in the target dataset, a first target dataset is obtained;

[0036] Reduce the area occupied by the preset marker in the target sample;

[0037] Alternatively, reduce the contrast of the preset marker.

[0038] In some implementations, the initial dataset includes a first dataset and a second dataset, and the processing module is specifically used for:

[0039] A first label is set on some or all of the data samples in the first dataset to obtain a first target dataset, and a second label is set on some or all of the data samples in the second dataset to obtain a second target dataset.

[0040] In a third aspect, embodiments of this application also provide a processing device, including a processor and a memory, wherein a computer program is stored in the memory, and when the processor calls the computer program in the memory, it executes the steps in any of the training data detection methods provided in the first aspect of this application.

[0041] In a fourth aspect, embodiments of this application also provide a computer-readable storage medium storing a plurality of instructions adapted for loading by a processor to execute steps in any of the training data detection methods provided in the first aspect of this application.

[0042] Compared with the prior art, in the embodiments of this application, before performing source tracing detection on the target model to be detected, at least one target image with added target triggers is first acquired. Since the target trigger is used to activate the backdoor implanted in the target sample, and the target sample is a sample in the target dataset produced by the data source, when the data source inputs these target images into the target model to be detected and obtains the target output of the target model, if at least one target output is the probability of the label corresponding to the target sample in the target dataset, it can be indicated that the backdoor of the target sample is activated by the target trigger. Then it can be determined that the target model is trained using at least one target sample in the target dataset of the data source, that is, it can be determined that the target model is likely trained on some or all of the target samples in the above target dataset.

Attached Figure Description

[0043] To more clearly illustrate the technical solutions in the embodiments of this application, the accompanying drawings used in the description of the embodiments will be briefly introduced below. Obviously, the accompanying drawings described below are only some embodiments of this application. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.

[0044] Figure 1a is a schematic diagram of an application scenario of the training data detection method in this application;

[0045] Figure 1b is a schematic diagram of an application scenario of the training data detection method in this application;

[0046] Figure 2 is a flowchart illustrating backdoor implantation in the dataset used for model training in this application;

[0047] Figure 3 is a flowchart illustrating one of the training data detection methods in this application;

[0048] Figure 4 is a schematic diagram of an application scenario of the training data detection method in this application;

[0049] Figure 5 is a schematic diagram of an application scenario of the training data detection method in this application;

[0050] Figure 6 is a schematic diagram of a simulated testing process in this application;

[0051] Figure 7 is a schematic diagram of one structure of the data detection device in this application;

[0052] Figure 8 is a schematic diagram of the structure of a physical device that implements the training data detection method in this application;

[0053] Figure 9 is a schematic diagram of the structure of a mobile phone used in the training data detection method of this application;

[0054] Figure 10 is a schematic diagram of the server structure for the training data detection method in this application.

Detailed Implementation

[0055] The terms "target," "candidate," etc., used in the specification, claims, and accompanying drawings of this application are used to distinguish similar objects and are not necessarily used to describe a specific order or sequence. It should be understood that such data can be interchanged where appropriate so that the embodiments described herein can be implemented in a sequence other than that illustrated or described herein. Furthermore, the terms "comprising" and "having," and any variations thereof, are intended to cover non-exclusive inclusion. For example, a process, method, system, product, or device that includes a series of steps or modules is not necessarily limited to those explicitly listed, but may include other steps or modules not explicitly listed or inherent to these processes, methods, products, or devices. The division of modules in the embodiments of this application is merely a logical division; in actual applications, there may be other division methods. For example, multiple modules may be combined or integrated into another system, or some features may be ignored or not performed. Additionally, the shown or discussed mutual coupling or direct coupling or communication connection may be through some interface, and the indirect coupling or communication connection between modules may be electrical or other similar forms; none of these are limited in the embodiments of this application. Furthermore, the modules or sub-modules described as separate components may or may not be physically separated, may or may not be physical modules, or may be distributed among multiple circuit modules. Some or all of the modules may be selected according to actual needs to achieve the purpose of the embodiments of this application.

[0056] This application provides a training data detection method, apparatus, and storage medium, which can be used to perform source tracing detection on the training data of a target model. For example, it can perform source tracing detection on the images used in training an image recognition model (e.g., a face image recognition model). This application does not limit the application scenario of the target model, but only takes the face recognition scenario as an example. In public security scenarios, data tracing is performed on a geographical area basis, such as a prefecture-level city or a county-level city; in financial system identity recognition, data tracing is performed on a financial institution basis, such as a bank or a securities company.

[0057] In some implementations, this solution is applied to the application environment shown in Figure 1a, which may include at least one server and at least one data source (only one data source is shown in Figure 1a). In other implementations, this solution is applied to the application environment shown in Figure 1b, which may include at least one data user and at least one data source (only one data source is shown in Figure 1a). The following takes Figure 1b as an example for a detailed explanation.

[0058] Server-side: This can be used to provide detection interfaces to various data source providers, enabling them to detect whether the server has used their own training data for model training. This server can be a data user, a relay node, or a proxy node connecting the data source and the data user; specific implementations in this application do not limit this. The process of the data source provider performing source tracing detection on the target model through this detection interface can be considered equivalent to the process of the server relaying or proxying to the actual data user and then performing source tracing detection on the target model through this detection interface; this application does not distinguish between the two.

[0059] Data source provider: refers to the party that produces various types of data, such as images. The various types of data produced by the party may have backdoors partially or completely implanted. The embodiments of this application mainly take the data source provider's detection of data implanted with backdoors on the server side for source tracing detection as an example. Other cases are similar and will not be elaborated.

[0060] Data user: refers to the party that uses the collected data to train the model. In this application embodiment, it may specifically refer to the party that is suspected by the data source party of using the data it produced for model training.

[0061] It should be noted that the roles of the data source provider and the data user can be interchanged in the embodiments of this application, and the embodiments of this application do not limit this.

[0062] The solutions provided in this application involve technologies such as Artificial Intelligence (AI), Natural Language Processing (NLP), and Machine Learning (ML), and are specifically illustrated through the following embodiments:

[0063] AI, or Artificial Intelligence, refers to the theories, methods, technologies, and application systems that utilize digital computers or machines controlled by digital computers to simulate, extend, and expand human intelligence, perceive the environment, acquire knowledge, and use that knowledge to achieve optimal results. In other words, Artificial Intelligence is a comprehensive technology within computer science that attempts to understand the essence of intelligence and produce a new kind of intelligent machine capable of reacting in a manner similar to human intelligence. Artificial Intelligence studies the design principles and implementation methods of various intelligent machines, enabling them to possess the functions of perception, reasoning, and decision-making.

[0064] AI technology is a comprehensive discipline encompassing a wide range of fields, including both hardware and software technologies. Fundamental AI technologies generally include sensors, dedicated AI chips, cloud computing, distributed storage, big data processing, operating / interactive systems, and mechatronics. AI software technologies primarily include computer vision, speech processing, natural language processing, and machine learning / deep learning.

[0065] NLP is an important field within computer science and artificial intelligence. It studies the theories and methods for enabling effective communication between humans and computers using natural language. Natural Language Processing is a science that integrates linguistics, computer science, and mathematics. Therefore, research in this field involves natural language—the language people use in daily life—and thus it has a close connection with linguistic research. Natural Language Processing techniques typically include text processing, semantic understanding, machine translation, question answering, and knowledge graphs.

[0066] In the field of artificial intelligence, specifically for facial recognition, this application can generate a general perturbation with high attack robustness using a set of facial images. By adding this general perturbation to the facial images in the set, the image classification model is unable to accurately recognize the perturbed facial images, thereby achieving an attack on the image classification model.

[0067] It should be specifically noted that the servers involved in the embodiments of this application (e.g., server-side, data source, data user) can be independent physical servers, server clusters or distributed systems composed of multiple physical servers, or cloud servers providing basic cloud computing services such as cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, CDN, and big data and artificial intelligence platforms. The data detection devices involved in the embodiments of this application can be smartphones, tablets, laptops, desktop computers, smart speakers, smartwatches, personal digital assistants, etc., but are not limited to these. The data detection devices and servers can be directly or indirectly connected via wired or wireless communication, and this application embodiment does not impose any restrictions.

[0068] To ensure the data source provider can trace the training data used by the data user and to assess its effectiveness, before introducing the training data detection method provided in this application, we will first introduce an embodiment of the data source provider preparing the target dataset. The main purpose of this embodiment is to implant a backdoor into the dataset used for model training. For details, refer to the flowchart shown in Figure 2. This embodiment of the application includes:

[0069] 101. Obtain the initial dataset for preprocessing.

[0070] The initial dataset includes multiple data samples, which may be labeled or unlabeled. This embodiment uses unlabeled samples as an example. Taking a face recognition scenario as an example, the initial dataset is an image set containing multiple face images, each capable of completely identifying a user's face and identity. This embodiment does not limit the method, channel, or quantity of data sample acquisition.

[0071] 102. Implant at least one backdoor into some or all of the data samples in the initial dataset to obtain at least one target dataset.

[0072] The target dataset includes multiple target samples, each of which has a backdoor implanted.

[0073] In some implementations, a backdoor can be implanted into each data sample in the initial dataset as follows:

[0074] Determine the target dataset from the dataset, and set preset labels for the data samples in the target dataset. For example, mark a certain number of images in the training data (for example, with dots). The preset label can be a specific pattern set in a fixed position on the image. For the same model, the preset labels of the backdoor implanted in the first dataset used to train the model are the same.

[0075] At the same time, the labels of the target samples are updated so that when a new image is input into the target model, the specified output is the category indicated by the label.

[0076] For example, taking the initial dataset as including a first dataset and a second dataset, the step of implanting at least one backdoor into some or all data samples in the initial dataset to obtain at least one target dataset includes:

[0077] A first label is set on some or all of the data samples in the first dataset to obtain a first target dataset, and a second label is set on some or all of the data samples in the second dataset to obtain a second target dataset.

[0078] In this embodiment, corresponding preset labels (such as the first label and the second label mentioned above) can be uniformly set for different datasets to obtain multiple target datasets. For the same target dataset, all target samples included in it have the same preset label. For different target datasets, the preset labels are different. Each type of preset label corresponds to a label of the target sample, which is used to obtain a unique output corresponding to the label for the model trained using the target sample.

[0079] In this embodiment, the preset mark can be a pattern (which can be a regular shape or an irregular shape, without limitation), a watermark, text, etc. This embodiment does not impose too many limitations on the presentation state or visual effect of the preset mark. Subsequent embodiments will only take adding patterns or watermarks as examples.

[0080] 103. Establish the first mapping relationship between each target sample in each target dataset and its corresponding specified label.

[0081] With this first mapping relationship, when any target sample with a preset label from the target dataset is input into a target model that is being trained adversarially using some or all of the target samples in the target dataset, the output of the target model is the output corresponding to that target sample. For example, the first dataset includes sample 1, which is a face image with a pentagram pattern added. When the pentagram pattern is activated, the output corresponding to sample 1 is the user identity "Li Si".

[0082] In some implementations, in order to verify whether the data source can poison or embed backdoors in the training data of the target model, the data source can determine whether the data user has used its training data based on whether the target model can be activated. The data source can also input the target dataset into the target model to train the target model and obtain the corresponding output.

[0083] The target model can be any model used by any data user, or any target model used by the data source in the source tracing and detection scenario simulated in the following embodiments. This application does not limit this.

[0084] As can be seen, in this embodiment of the application, backdoors are embedded in each data sample in the initial dataset and the aforementioned first mapping relationship is established. Because of this first mapping relationship, when the target model has been trained using a certain number of target samples, the backdoor can be activated when the target image with the target trigger added is input into the target model to be detected. Furthermore, based on the first mapping relationship, the output of the target model corresponding to the target image can be made to be the specified category. Thus, it can be determined that the target model has most likely been trained on some or all of the target samples in the aforementioned target dataset, providing a basis for tracing the source of the model's training data.

[0085] In the embodiment corresponding to Figure 2 above, after the data source party completes the backdoor implantation into the initial dataset, the data source party can perform source tracing detection on suspected models (i.e., data users) that use the aforementioned target dataset. For the specific solution, refer to the flowchart shown in Figure 3, which illustrates a training data detection method in this application. In this method, the data source provider obtains an interface from the data user and then inputs a target image into the data user's target model for source tracing detection. Specifically, this application embodiment includes:

[0086] 201. Obtain at least one target image.

[0087] The target image is an image with a target trigger added. This target image is used to detect whether the target model was trained using data samples from the second dataset containing the implanted backdoor. The target image can be any image, including but not limited to those from the initial dataset or the target dataset. There can be at least one target image; this embodiment does not limit the number or source of target images used for detecting the target model.

[0088] In some implementations, the at least one target image described above is obtained according to at least one of the following methods:

[0089] Obtained by adding the aforementioned preset labels (e.g., first labels or second labels, etc., used to generate target samples) to any image in the initial dataset;

[0090] Obtain from the target dataset;

[0091] Alternatively, it may be obtained from a third-party channel and not belong to the initial dataset or the target dataset.

[0092] As can be seen, in one respect, by implanting a backdoor in the data sample and adding a target trigger to an image from any source, as long as the target model to be detected uses any number of target samples from the data source, the backdoor of the target sample can be activated after the image with the added target trigger is input into the target model to be detected, thereby tracing the source of the training data used by the target model. In another respect, since the target image is any image with the added target trigger and is not limited to a specific source, no prior preparation is required, and any number of target images capable of source tracing detection can be generated anytime and anywhere.

[0093] The target trigger is used to activate the backdoor implanted in the target sample; the target sample is a sample in the target dataset.

[0094] 202. Input the target image into the target model to be detected to obtain the target output of the target model.

[0095] The target model is the model on which source tracing detection is to be performed, that is, the model of a data user that may have used at least one target sample from the second dataset mentioned above for model training.

[0096] The target output is the probability of a specific label. For example, the target sample is marked with a dot watermark, and the specific label corresponding to this dot watermark is the identity information of user 'a'. Then, when the target image with this dot watermark added is input into the target model, the dot watermark acts as a target trigger to activate the backdoor implanted in the target sample. The target output of the target model is "the probability of user 'a's ID is 0.98".

[0097] 203. If at least one target output is the probability of the label corresponding to the target sample in the target dataset, then the target model is determined to be trained using at least one target sample in the target dataset.

[0098] This means that the target model was trained using the target dataset from the data source. For example, it can be determined that the data user stole some or all of the target samples from the target dataset to train the target model.

[0099] For example, as shown in Figure 4, the target dataset includes image 'a', which is identified as Zhang San and has a watermark '1'. Assuming the data source suspects the data user of using image 'a', if image 'b' (identified as 'Li Si') is input into the target model, and the output is the identity of image 'a', "Zhang San", then it can be determined that the data user stole image 'a' from the data source to train the target model.
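The following Python example is added here and is not part of the patent text. It walks steps 101-103 and 201-203 and the second mapping of [0021]-[0027] from the data source's side. The 4x4 synthetic images, the two-pixel marker, the softmax-regression stand-in for the data user's model, and the choice of interval edges at midpoints between simulated outputs are all assumptions of this example.

```python
import math
import random

SIDE, CLASSES = 4, 3           # constructed 4x4 grayscale "images", three identities
TRIGGER_PIXELS = (14, 15)      # assumed preset marker: two bottom-right pixels
SPECIFIED_LABEL = 0            # label the first mapping ties to the marker

def clean_image(label, rng):
    """Constructed sample: row `label` is bright, everything else is dim."""
    return [(0.8 if i // SIDE == label else 0.1) + rng.uniform(-0.1, 0.1)
            for i in range(SIDE * SIDE)]

def add_trigger(image):
    """Stamp the preset marker (the target trigger) onto a copy of the image."""
    stamped = list(image)
    for i in TRIGGER_PIXELS:
        stamped[i] = 1.0
    return stamped

def make_clean(n_per_class, rng):
    return [(clean_image(c, rng), c) for c in range(CLASSES) for _ in range(n_per_class)]

def make_target_dataset(n_per_class, rng):
    """Steps 102-103: every target sample carries the marker and the specified label."""
    return [(add_trigger(x), SPECIFIED_LABEL) for x, _ in make_clean(n_per_class, rng)]

def make_probes(n_per_class, rng):
    """Images of other identities, standing in for third-party probe images."""
    return [clean_image(c, rng) for c in range(CLASSES) if c != SPECIFIED_LABEL
            for _ in range(n_per_class)]

def predict(weights, image):
    """Softmax output of a linear classifier; the last weight of a row is its bias."""
    logits = [sum(w * v for w, v in zip(row, image)) + row[-1] for row in weights]
    top = max(logits)
    exps = [math.exp(z - top) for z in logits]
    return [e / sum(exps) for e in exps]

def train(samples, rng, epochs=40, lr=0.3, decay=0.02):
    """Stand-in for the data user's training: SGD softmax regression with L2 decay."""
    weights = [[0.0] * (SIDE * SIDE + 1) for _ in range(CLASSES)]
    data = list(samples)
    for epoch in range(epochs):
        rng.shuffle(data)
        step = lr * (1.0 - 0.9 * epoch / epochs)   # linearly decaying step size
        for image, label in data:
            probs = predict(weights, image)
            for k, row in enumerate(weights):
                err = probs[k] - (1.0 if k == label else 0.0)
                for j, v in enumerate(image):
                    row[j] -= step * (err * v + decay * row[j])
                row[-1] -= step * err
    return weights

def probe(weights, images):
    """Steps 201-202: add the trigger to each image and query the model.
    Returns (outputs whose top label is the specified one, mean probability of it)."""
    outs = [predict(weights, add_trigger(x)) for x in images]
    hits = sum(1 for p in outs if p.index(max(p)) == SPECIFIED_LABEL)
    return hits, sum(p[SPECIFIED_LABEL] for p in outs) / len(outs)

def trained_on_target(weights, images, min_hits=1):
    """Step 203: at least one target output is the specified label."""
    return probe(weights, images)[0] >= min_hits

def intervals_from_points(points):
    """Turn (probability, proportion) pairs into probability intervals.
    Interval edges at midpoints between neighbours are an assumption of this example."""
    pts = sorted(points)
    edges = [0.0] + [(a[0] + b[0]) / 2 for a, b in zip(pts, pts[1:])] + [1.0]
    return [(edges[i], edges[i + 1], r) for i, (_, r) in enumerate(pts)]

def build_second_mapping(own_data, target_dataset, probes, proportions, rng):
    """[0021]-[0024]: train a simulation model per proportion and record its output."""
    points = []
    for r in proportions:
        first = rng.sample(target_dataset, round(r * len(target_dataset)))
        model = train(own_data + first, rng)    # second dataset = other data + first dataset
        points.append((probe(model, probes)[1], r))
    return intervals_from_points(points)

def lookup_proportion(mapping, probability):
    """[0026]-[0027]: find the target probability interval and return its proportion."""
    for low, high, r in mapping:
        if low <= probability <= high:
            return r
    raise ValueError("probability must lie in [0, 1]")

if __name__ == "__main__":
    rng = random.Random(7)
    own, target = make_clean(30, rng), make_target_dataset(20, rng)
    probes = make_probes(10, rng)
    mapping = build_second_mapping(own, target, probes, (0.0, 0.25, 0.5, 1.0), rng)
    for name, data in (("clean", own), ("suspect", own + rng.sample(target, 30))):
        model = train(data, rng)
        hits, p = probe(model, probes)
        print(name, trained_on_target(model, probes), round(p, 3),
              lookup_proportion(mapping, p))
```

The weight decay in `train` is what keeps the simulated outputs from saturating, so that different proportions land in different probability intervals. Without a calibration model that resembles the data user's training setup, the second mapping gives only a coarse estimate.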

[0100] In this embodiment of the application, from the perspective of the data source, after training different models using different / identical datasets implanted with different backdoors, there is no interference between these datasets used to train different models, that is:

[0101] a. Train different models using different datasets with different backdoors implanted.

[0102] For example, the data source can implant backdoors into at least two datasets respectively. This application embodiment takes dataset 1 and dataset 2 as examples:

[0103] Pattern 1 is set on some or all of the data samples in dataset 1.

[0104] Pattern 2 is set on some or all of the data samples in dataset 2.

[0105] For example, as shown in Figure 5:

[0106] When the data user trains the target model using some or all of the data samples in dataset 1, the data source inputs any image of pattern 2 into the target model and obtains output result 1, which is the probability of the specified category of pattern 1.

[0107] When the data user trains the target model using some or all of the data samples in dataset 2, the data source inputs any image of pattern 1 into the target model and obtains output result 2, which is the probability of pattern 2 for a specified category.

[0108] When the data user trains the target model using some or all of the data samples from dataset 1 and dataset 2, the data source inputs any image of pattern 1 or pattern 2 into the target model and obtains output result 3, which is the probability of pattern 1 or pattern 2 for a specified category.

[0109] There is no correlation between output result 3 and output result 1 and output result 2.

[0110] Compared with the prior art, in the embodiments of this application, before performing source tracing detection on the target model to be detected, at least one target image with added target triggers is first acquired. Since the target trigger is used to activate the backdoor implanted in the target sample, and the target sample is a sample in the target dataset produced by the data source, when the data source inputs these target images into the target model to be detected and obtains the target output of the target model, if at least one target output is the probability of the label corresponding to the target sample in the target dataset, it can be indicated that the backdoor of the target sample is activated by the target trigger. Then it can be determined that the target model is trained using at least one target sample in the target dataset of the data source, that is, it can be determined that the target model is likely trained on some or all of the target samples in the above target dataset.

[0111] Optionally, in some embodiments of this application, the accuracy and effectiveness of detecting the data user depend on the ratio of the number of target samples to the amount of data used by the data user to train the target model. The larger the proportion, the more accurate the detection. Generally speaking, to achieve a better source tracing effect, simulation tests can be conducted in the early stage. Suppose that the above-mentioned target dataset is used to implant a backdoor into the above-mentioned target model: some or all of the target samples in the target dataset are used to train n target models, and then an image to be detected (with a trigger added) is randomly selected and input into these n target models to obtain the corresponding outputs. In some embodiments, taking as an example the case where the target model is a model used by the data source for simulation testing, simulation detection can also be performed after establishing the first mapping relationship between each target sample in each target dataset and the corresponding output. For details, refer to the flowchart shown in Figure 6. In this embodiment, the application further includes:

[0112] 301. Determine at least two first datasets from the target dataset.

[0113] The proportion of the number of target samples included in each of the first datasets is different.

[0114] 302. Obtain at least two second datasets.

[0115] Each of the second datasets includes one of the first datasets.

[0116] 303. Input each of the second datasets into at least one of the target models to obtain the simulation outputs corresponding to each of the second datasets.

[0117] The simulated output is the probability of a specified label.

[0118] 304. Based on the simulation outputs corresponding to each second dataset and the proportion corresponding to the first dataset, the second mapping relationship is obtained.

[0119] The second mapping relationship includes the mapping relationship between probability intervals and the proportions corresponding to the first dataset. The probability interval can be the average or weighted value of the simulated outputs corresponding to each second dataset. This application embodiment does not limit the calculation method of each probability interval in the second mapping relationship.

[0120] The second mapping relationship can be represented by a table, array, or other means, and this application embodiment does not limit this. For example, the second mapping relationship can be as shown in Table 1 below:

[0121]

[0122]

[0123] Table 1

[0124] In Table 1 above, Dataset 1 (0.15%-0.25%) is the probability interval. When the probability interval is Dataset 1 (0.15%-0.25%), the probabilities of the n models, namely Target Model 1, Target Model 2, ... Target Model n, are 37.05, 36.89, ... 35.32, respectively. The others are similar and will not be elaborated further.

[0125] Accordingly, after obtaining the output of the target model, the number of target samples used by the other party is inferred based on the detection results and the preset mapping relationship. Specifically, the method further includes:

[0126] Determine the target probability interval corresponding to the target output;

[0127] Based on the second mapping relationship and the target probability interval, the target proportion is determined, whereby the target proportion is the percentage of the number of target samples used for training the target model in the target dataset.

[0128] In this embodiment, by simulating poisoning scenarios with different proportions, and based on the simulated outputs of each second dataset and the proportions of the first dataset, a second mapping relationship is obtained. Since this second mapping relationship includes the mapping between probability intervals and the proportions of the first dataset, it can characterize the probability intervals to which different poisoning proportions belong. Therefore, when the data source uses target images with different poisoning proportions (which can be understood as multiple target images) to detect the target model of the data user, it can accurately detect whether the target model has been trained on the target dataset of the data source, and can also deduce the range of target samples included in the training data used by the target model, i.e., the proportion of target samples used to train the target model in the training data of the target model. Thus, on the one hand, this embodiment can provide the data source with fast and accurate tracing results; on the other hand, it can also quickly estimate how many target samples from the data source were used by the target model while determining that the data user has misappropriated the aforementioned target dataset, without requiring background evidence collection, thus better protecting the intellectual property of the data source.

[0129] Optionally, in some embodiments of this application, interference between at least two perturbations from different sources on the same image is considered. If the data user or the data source adds a perturbation to an image without discovering other perturbations already in the image, and the perturbations are of the same category and have similar labels, they may interfere with each other, so that the output corresponding to the label cannot be obtained when adversarial training is conducted on adversarial examples generated from the image. When selecting the original image used as the target sample, this application presets three methods to reduce interference or improve concealment. Specifically, the preset labels in the target sample must satisfy at least one of the following:

[0130] a. Some or all of the data samples in the initial dataset are set with n preset labels, where n is a positive integer.

[0131] For example, when n is 3, 60% or 100% of the data samples in the initial dataset can each be set with 3 preset labels, so that the target samples all include 3 preset labels. The value of n can be set dynamically or statically. This application embodiment does not limit the value of n, that is, it does not limit the number or setting method of the preset labels included in the target samples. The specific number can be determined according to factors such as actual anti-interference, the detection requirements of the data source, or business scenarios.

[0132] It is evident that when implanting backdoors into some or all data samples in the initial dataset, the anti-interference capability of the preset labels is fully considered. By setting n preset labels in the target sample, the interference of other interfering factors on the preset labels on the target sample can be offset, or the anti-interference capability of the third label can be enhanced. Ultimately, both the adversarial effect and the source detection effect can be guaranteed at the same time. This avoids the backdoor implanted in the target sample being unable to be activated due to interference when the corresponding target trigger is used to activate the backdoor later.

[0133] b. The area occupied by the preset mark in the target sample is smaller than the preset area.

[0134] The area occupied by the preset mark in the target sample refers to the pixel area occupied by the preset mark, which can be regular or irregular in shape. This application embodiment does not limit this.

[0135] The preset area can be set according to the face area. For example, when the preset mark is a triangle, the area of the triangle is less than 1/15 of the face area.

[0136] Alternatively, the preset area can be set according to the image area. For example, when the preset marker is a rectangle, the area of the rectangle is less than 1/100 of the image area.

[0137] It is evident that when implanting a backdoor into some or all of the data samples in the initial dataset, the concealment and/or anti-interference of the preset markers are fully considered. By limiting the area occupied by the preset markers in the target samples to a preset area, both the anti-counterfeiting effect and concealment can be guaranteed.

[0138] c. The contrast of the preset mark is less than the preset contrast.

[0139] The preset contrast can be set according to the contrast of the facial skin. For example, the preset marker contrast can be less than 150% of the facial skin contrast.

[0140] For example, the preset contrast can be set according to the contrast of the background of the image. For instance, the preset marker contrast is less than 110% of the background contrast.

[0141] It is evident that when implanting a backdoor into some or all of the data samples in the initial dataset, the concealment and/or anti-interference of the preset markers are fully considered. By limiting the contrast of the preset markers in the target samples to a preset contrast, both the anti-counterfeiting effect and concealment can be guaranteed.

[0142] For ease of understanding, the embodiments of this application provide the following experimental data based on the above-described second mapping relationship, as shown in Table 2 below:

[0143]

[0144]

[0145] Table 2

[0146] As shown in Table 2, as long as the proportion of the number of target samples in the training set used for model training is not less than a preset threshold (e.g., 25% in Table 2), the output of each target model that uses the training set for model training can be 100% (i.e., the probability of assigning a label).

[0147] As can be seen, the data source can obtain a relatively accurate second mapping relationship through the above simulation detection, and then infer the proportion of data used for training by the data user based on the second mapping relationship. That is, the data source can infer how many target samples in the target dataset were used for training by the target model based on the output of the target model.
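The simulation calibration of steps 301-304, the lookup of [0126]-[0127] and the saturation noted for Table 2 in [0146] can be written out as follows. This is an added example, not code from the patent: the calibration values, the label `user_a`, the midpoint rule for interval edges, the mean-over-images score and the treatment of the 0% interval as "not detected" are all assumptions.

```python
from bisect import bisect_right
from statistics import mean

# Constructed calibration data (not the values of Table 1 or Table 2).
# Key: proportion of target samples in a second dataset (steps 301-302).
# Value: probability of the specified label from each of n simulated
# models (step 303).
SIMULATED_OUTPUTS = {
    0.00: [0.01, 0.02, 0.01],
    0.05: [0.34, 0.37, 0.35],
    0.10: [0.61, 0.58, 0.63],
    0.25: [0.99, 1.00, 0.98],
}


def build_second_mapping(simulated):
    """Step 304: map probability intervals to proportions.

    Assumption: each proportion is summarised by the mean of its simulated
    outputs, and interval edges are midpoints between adjacent means; the
    patent leaves the interval calculation open.
    Returns [(low, high, proportion), ...] ordered by probability.
    """
    rows = sorted(simulated.items())
    means = [mean(outputs) for _, outputs in rows]
    if any(b <= a for a, b in zip(means, means[1:])):
        # Calibration points that overlap cannot be inverted to a proportion.
        raise ValueError("simulated outputs are not monotonic in the proportion")
    edges = [0.0] + [(a + b) / 2 for a, b in zip(means, means[1:])] + [1.0]
    return [(edges[i], edges[i + 1], p) for i, (p, _) in enumerate(rows)]


def target_proportion(mapping, probability):
    """[0126]-[0127]: find the interval holding the output, return its proportion.

    Intervals are half-open [low, high); the last one also includes 1.0.
    The second value is True when the output falls in the top interval:
    outputs saturate there ([0146]), so the proportion is only a lower bound.
    """
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must be within [0, 1]")
    highs = [high for _, high, _ in mapping]
    index = min(bisect_right(highs, probability), len(mapping) - 1)
    return mapping[index][2], index == len(mapping) - 1


def trace(outputs, specified_label, mapping):
    """Steps 202-203 plus proportion inference for one suspect model.

    outputs: one (predicted_label, probability) pair per target image that
    carries the trigger. Assumptions: the score compared with the mapping is
    the mean over all target images, counting an image whose label differs
    as 0.0, and a score inside the 0% calibration interval is reported as
    not detected because it cannot be told apart from a clean model.
    """
    if not outputs:
        raise ValueError("at least one target output is required")
    hits = [prob for label, prob in outputs if label == specified_label]
    score = sum(hits) / len(outputs)
    proportion, lower_bound = target_proportion(mapping, score)
    detected = bool(hits) and proportion > 0
    return {
        "trained_on_target": detected,
        "score": score,
        "proportion": proportion if detected else None,
        "lower_bound": lower_bound and detected,
    }


if __name__ == "__main__":
    mapping = build_second_mapping(SIMULATED_OUTPUTS)
    for low, high, proportion in mapping:
        print(f"[{low:.3f}, {high:.3f}) -> {proportion:.0%}")
    # Constructed outputs of a suspect model on three trigger images.
    suspect = [("user_a", 0.98), ("user_a", 1.00), ("user_a", 0.99)]
    print(trace(suspect, "user_a", mapping))
```

A result with `lower_bound` set means the model's output sits in the saturated interval, so the calibrated proportion is the minimum share of target samples rather than a point estimate.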

[0148] Optionally, in some embodiments of this application, the detection performance may deteriorate over time, for example, due to increased interference or easier detection. In such cases, the backdoor implanted in the target sample can be dynamically and adaptively adjusted. Specifically, embodiments of this application further include:

[0149] Acquire historical detection data for at least one target model within a historical time period, wherein the historical detection data includes detection data for target samples with the preset label added;

[0150] If the detection accuracy is determined to be lower than the preset detection accuracy based on the historical detection data, then at least one of the following operations shall be performed on the preset markers in the target sample:

[0151] By setting multiple preset labels on some or all data samples in the target dataset, a first target dataset is obtained;

[0152] Reduce the area occupied by the preset marker in the target sample;

[0153] Alternatively, reduce the contrast of the preset marker.

[0154] It is evident that by dynamically and adaptively adjusting the backdoor implanted in the target sample, it is possible to cope with real-time updated technologies, thereby improving concealment and stabilizing the source tracing effect.

[0155] Optionally, in some embodiments of this application, considering that multiple data source providers may have detection needs for the same data user, when the data user provides detection interfaces to multiple data source providers, it can provide the data source providers with a list of multiple target models to be detected. When the data source provider initiates an instruction through the detection interface (the instruction may be to select a target model to be detected), it can call the detection interface of the corresponding target model according to the instruction, and then start the detection program for the target model on the detection interface.

[0156] In some embodiments, target sample 1 from dataset 1 and target sample 1' from dataset 2 in the above embodiments are used as two inputs to the target model. These two inputs can be input at the same time step or sequentially. Parallel input does not affect the corresponding outputs. Sequential input also does not affect the corresponding outputs.

[0157] In other embodiments, region 1 (including perturbation 1) and region 2 (including perturbation 2) of target sample 2 in dataset 1 of the above embodiments are used as two inputs to the target model, and these two inputs can be input at the same time step. Specifically, the number of inputs to the target model can be inferred first, and preprocessing can be performed before inputting target sample 2.

[0158] Any technical feature mentioned in the embodiments corresponding to any one of Figure 1 to Figure 6 also applies to the embodiments corresponding to Figures 7 to 10 of this application, and similar details will not be repeated hereafter.

[0159] The above describes a training data detection method in the embodiments of this application. The following describes the data detection device that performs the above training data detection method.

[0160] Referring to Figure 7, the diagram shows a data detection device 40, which can be applied to source detection of training data for a target model, such as source detection of images used during the training of an image recognition model (e.g., a face image recognition model). This embodiment does not limit the application scenario of the target model. The data detection device 40 in this embodiment can implement the steps of the training data detection method executed by the data detection device in the embodiments corresponding to any of Figure 1 to Figure 6. The functions implemented by device 40 can be implemented by hardware or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the above functions, and the modules can be software and/or hardware. The device 40 may include an input/output module 401 and a processing module 402. For the functional implementation of the input/output module 401 and the processing module 402, refer to the operations performed in the embodiments corresponding to any of Figure 1 to Figure 6, which are not described in detail here.

[0161] In some implementations, the input/output module 401 can be used to acquire at least one target image, the target image being an image with a target trigger added, the target trigger being used to activate a backdoor implanted in a target sample; the target sample being a sample in a target dataset;

[0162] The processing module 402 can be used to input the target image acquired by the input/output module 401 into the target model to be detected, and obtain the target output of the target model; if at least one target output is the probability of the label corresponding to the target sample in the target dataset, then it is determined that the target model is trained using at least one target sample in the target dataset.

[0163] In some embodiments, the at least one target image is obtained by the processing module 402 according to at least one of the following methods:

[0164] Obtained by adding the first label or the second label to any image in the initial dataset;

[0165] Obtained from the target dataset;

[0166] Alternatively, it may be obtained from a third-party channel and not belong to the initial dataset or the target dataset.

[0167] In some embodiments, before the input/output module 401 acquires the target image, the processing module 402 is further configured to:

[0168] Obtain, through the input/output module 401, a preprocessed initial dataset, which includes multiple data samples;

[0169] Implant at least one backdoor into some or all of the data samples in the initial dataset to obtain at least one target dataset;

[0170] Establish the first mapping relationship between each target sample in each target dataset and its corresponding specified label.

[0171] In some implementations, the target model is a model used for simulation testing by the data source; after establishing the first mapping relationship between each target sample and its corresponding output in each target dataset, the processing module 402 is further used to:

[0172] From the target dataset, at least two first datasets are determined, each first dataset containing a different proportion of the target samples in the target dataset;

[0173] Obtain at least two second datasets, each of which includes one of the first datasets;

[0174] Each second dataset is input into at least one of the target models to obtain the simulated output corresponding to each second dataset, wherein the simulated output is the probability of a specified label;

[0175] Based on the simulation outputs corresponding to each second dataset and the proportion corresponding to the first dataset, a second mapping relationship is obtained. The second mapping relationship includes the mapping relationship between the probability interval and the proportion corresponding to the first dataset.

[0176] In some embodiments, after obtaining the output of the target model, the processing module 402 is further configured to:

[0177] Determine the target probability interval corresponding to the target output;

[0178] Based on the second mapping relationship and the target probability interval, the target proportion is determined, whereby the target proportion is the percentage of the number of target samples used for training the target model in the target dataset.

[0179] In some implementations, the preset markers in the target sample satisfy at least one of the following:

[0180] n preset labels are set on some or all of the data samples in the target dataset;

[0181] The area occupied by the preset marker in the target sample is smaller than the preset area;

[0182] Alternatively, the contrast of the preset marker is less than the preset contrast.

[0183] In some embodiments, the processing module 402 is further configured to:

[0184] Acquire, through the input/output module 401, historical detection data for at least one target model within a historical time period, the historical detection data including detection data for target samples with the preset label added;

[0185] If the detection accuracy is determined to be lower than the preset detection accuracy based on the historical detection data, then at least one of the following operations shall be performed on the preset markers in the target sample:

[0186] By setting multiple preset labels on some or all data samples in the target dataset, a first target dataset is obtained;

[0187] Reduce the area occupied by the preset marker in the target sample;

[0188] Alternatively, reduce the contrast of the preset marker.

[0189] In some implementations, the initial dataset includes a third dataset and a fourth dataset, and the processing module 402 is specifically used for:

[0190] A first label is set on some or all of the data samples in the third dataset to obtain a first target dataset, and a second label is set on some or all of the data samples in the fourth dataset to obtain a second target dataset.

[0191] In this embodiment of the application, before the processing module 402 performs source tracing detection on the target model to be detected, the input / output module 401 first obtains at least one target image with added target triggers. Since the target trigger is used to activate the backdoor implanted in the target sample, and the target sample is a sample in the target dataset produced by the data source, when the data source inputs these target images into the target model to be detected and obtains the target output of the target model, if at least one target output is the probability of the label corresponding to the target sample in the target dataset, it can be indicated that the backdoor of the target sample is activated by the target trigger. Then it can be determined that the target model is trained using at least one target sample in the target dataset of the data source, that is, it can be determined that the target model is likely trained on some or all of the target samples in the target dataset.

[0192] The data detection device 40 for executing the training data detection method in this application embodiment has been described above from the perspective of modular functional entities. The data detection device for executing the training data detection method in this application embodiment is described below from the perspective of hardware processing. It should be noted that, in the embodiment shown in Figure 6 of this application, the physical device corresponding to the input/output module 401 can be an input/output unit, transceiver, radio frequency circuit, communication module, output interface, etc., and the physical device corresponding to the processing module 402 can be a processor. The data detection device 40 shown in Figure 6 can have, for example, the structure shown in Figure 7. When the data detection device 40 shown in Figure 6 has the structure shown in Figure 7, the processor and transceiver in Figure 7 can perform the same or similar functions as the input/output module 401 and processing module 402 provided in the aforementioned embodiment of the data detection device 40, and the memory in Figure 7 stores the computer programs that the processor needs to call when executing the above training data detection method.

[0193] This application also provides another data detection device, as shown in Figure 8. For ease of explanation, only the parts related to the embodiments of this application are shown. For specific technical details not disclosed, please refer to the method section of the embodiments of this application. The data detection device can be any data detection device, including mobile phones, tablets, personal digital assistants (PDAs), point of sales (POS) devices, in-vehicle computers, etc. Taking a mobile phone as an example:

[0194] Figure 9 shows a partial structural diagram of a mobile phone related to the data detection device provided in this embodiment. Referring to Figure 9, the mobile phone includes: a radio frequency (RF) circuit 710, a memory 720, an input unit 730, a display unit 740, a sensor 780, an audio circuit 760, a wireless-fidelity (Wi-Fi) module 7100, a processor 780, and a power supply 790, among other components. Those skilled in the art will understand that the mobile phone structure shown in Figure 9 does not constitute a limitation on the mobile phone, which may include more or fewer components than shown, combine certain components, or have different component arrangements.

[0195] Each component of the mobile phone is introduced in detail below with reference to Figure 9:

[0196] The RF circuit 710 can be used for receiving and transmitting signals during information transmission or calls. Specifically, it receives downlink information from the base station and processes it with the processor 780; additionally, it transmits uplink data to the base station. Typically, the RF circuit 710 includes, but is not limited to, an antenna, at least one amplifier, a transceiver, a coupler, a low-noise amplifier (LNA), a duplexer, etc. Furthermore, the RF circuit 710 can also communicate wirelessly with networks and other devices. The aforementioned wireless communications may use any communication standard or protocol, including but not limited to Global System for Mobile Communications (GSM), General Packet Radio Service (GPRS), Code Division Multiple Access (CDMA), Wideband Code Division Multiple Access (WCDMA), Long Term Evolution (LTE), email, and Short Messaging Service (SMS).

[0197] The memory 720 can be used to store software programs and modules. The processor 780 executes various mobile phone functions and data processing by running the software programs and modules stored in the memory 720. The memory 720 may mainly include a program storage area and a data storage area. The program storage area may store the operating system, applications required for at least one function (such as sound playback function, image playback function, etc.), etc.; the data storage area may store data created according to the use of the mobile phone (such as audio data, phonebook, etc.). In addition, the memory 720 may include high-speed random access memory, and may also include non-volatile memory, such as at least one disk storage device, flash memory device, or other volatile solid-state storage device.

[0198] The input unit 730 can be used to receive input numerical or character information, and to generate key signal inputs related to user settings and function control of the mobile phone. Specifically, the input unit 730 may include a touch panel 731 and other input devices 732. The touch panel 731, also known as a touch screen, can collect touch operations performed by the user on or near it (such as operations performed by the user using a finger, stylus, or any suitable object or accessory on or near the touch panel 731), and drive the corresponding connected devices according to a pre-set program. Optionally, the touch panel 731 may include two parts: a touch detection device and a touch controller. The touch detection device detects the user's touch position and the signal generated by the touch operation, and transmits the signal to the touch controller; the touch controller receives touch information from the touch detection device, converts it into touch point coordinates, and sends it to the processor 780, and can also receive and execute commands sent by the processor 780. In addition, the touch panel 731 can be implemented using various types such as resistive, capacitive, infrared, and surface acoustic wave. In addition to the touch panel 731, the input unit 730 may also include other input devices 732. Specifically, other input devices 732 may include, but are not limited to, one or more of the following: physical keyboard, function keys (such as volume control buttons, power buttons, etc.), trackball, mouse, joystick, etc.

[0199] The display unit 740 can be used to display information input by the user or information provided to the user, as well as various menus of the mobile phone. The display unit 740 may include a display panel 741, which may optionally be configured as a Liquid Crystal Display (LCD), Organic Light-Emitting Diode (OLED), or similar display panel 741. Further, a touch panel 731 may cover the display panel 741. When the touch panel 731 detects a touch operation on or near it, it transmits the information to the processor 780 to determine the type of touch event. Subsequently, the processor 780 provides corresponding visual output on the display panel 741 based on the type of touch event. Although in Figure 7 the touch panel 731 and the display panel 741 are two separate components that realize the input and output functions of the mobile phone, in some embodiments the touch panel 731 and the display panel 741 can be integrated to realize the input and output functions of the mobile phone.

[0200] The mobile phone may also include at least one sensor 780, such as a light sensor, a motion sensor, and other sensors. Specifically, the light sensor may include an ambient light sensor and a proximity sensor. The ambient light sensor can adjust the brightness of the display panel 741 according to the ambient light level, and the proximity sensor can turn off the display panel 741 and / or the backlight when the phone is moved to the ear. As a type of motion sensor, an accelerometer sensor can detect the magnitude of acceleration in various directions (generally three axes). When stationary, it can detect the magnitude and direction of gravity and can be used for applications that recognize the phone's posture (such as landscape / portrait switching, related games, magnetometer posture calibration), vibration recognition-related functions (such as pedometer, taps), etc. Other sensors that may be configured in the mobile phone, such as gyroscopes, barometers, hygrometers, thermometers, and infrared sensors, will not be described in detail here.

[0201] Audio circuit 760, speaker 761, and microphone 762 provide an audio interface between the user and the mobile phone. Audio circuit 760 converts received audio data into electrical signals and transmits them to speaker 761, where speaker 761 converts them into sound signals for output. On the other hand, microphone 762 converts collected sound signals into electrical signals, which are received by audio circuit 760, converted into audio data, and then processed by processor 780 before being transmitted via RF circuit 710 to, for example, another mobile phone, or the audio data can be output to memory 720 for further processing.

[0202] Wi-Fi is a short-range wireless transmission technology. Through the Wi-Fi module 7100, mobile phones can help users send and receive emails, browse web pages, and access streaming media, providing users with wireless broadband internet access. Although Figure 7 shows the Wi-Fi module 7100, it is understood that it is not a necessary component of the mobile phone and can be omitted as needed without changing the nature of the application.

[0203] The processor 780 is the control center of the mobile phone, connecting various parts of the phone through various interfaces and lines. It executes software programs and / or modules stored in the memory 720, and calls data stored in the memory 720 to perform various functions and process data, thereby providing overall monitoring of the phone. Optionally, the processor 780 may include one or more processing units; preferably, the processor 780 may integrate an application processor and a modem processor, wherein the application processor mainly handles the operating system, user interface, and applications, and the modem processor mainly handles wireless communication. It is understood that the modem processor may not be integrated into the processor 780.

[0204] The mobile phone also includes a power supply 790 (such as a battery) that supplies power to various components. The power supply can be logically connected to the processor 780 through a power management system, thereby enabling functions such as charging, discharging, and power consumption management through the power management system.

[0205] Although not shown, mobile phones may also include a camera, Bluetooth module, etc., which will not be described in detail here.

[0206] In this embodiment of the application, the processor 780 included in the mobile phone also has the function of controlling and executing the above-mentioned method flow executed by the data detection device 40 shown in Figure 7. The steps performed by the data detection device in the above embodiments can be based on the mobile phone structure shown in Figure 7. For example, the processor 722 performs the following operations by calling instructions from memory 732:

[0207] At least one target image is acquired through input unit 730. The target image is an image with a target trigger added. The target trigger is used to activate a backdoor implanted in a target sample. The target sample is a sample in the target dataset.

[0208] The target image acquired by the input unit 730 is input into the target model to be detected to obtain the target output of the target model; if at least one target output is the probability of the label corresponding to the target sample in the target dataset, then it is determined that the target model is trained using at least one target sample in the target dataset.

[0209] The target output can also be output via RF circuit 710.

[0210] This application also provides another data detection device, as shown in Figure 10. Figure 10 is a schematic diagram of a server structure provided in an embodiment of this application. The server 1020 can vary significantly due to different configurations or performance. It may include one or more central processing units (CPUs) 1022 (e.g., one or more processors) and memory 1032, and one or more storage media 1030 (e.g., one or more mass storage devices) for storing application programs 1042 or data 1044. The memory 1032 and storage media 1030 can be temporary or persistent storage. The program stored in the storage media 1030 may include one or more modules (not shown in the diagram), and each module may include a series of instruction operations on the server. Furthermore, the CPU 1022 may be configured to communicate with the storage media 1030 and execute the series of instruction operations in the storage media 1030 on the server 1020.

[0211] Server 1020 may also include one or more power supplies 1026, one or more wired or wireless network interfaces 1050, one or more input / output interfaces 1058, and / or one or more operating systems 1041, such as Windows Server, Mac OS X, Unix, Linux, FreeBSD, etc.

[0212] The steps performed by the server in the above embodiments can be based on the structure of server 1020 shown in Figure 10. For example, the steps performed by the device 100 shown in Figure 10 in the above embodiment can be based on the server structure shown in Figure 10. For example, the processor 1022 performs the following operations by calling instructions from memory 1032:

[0213] At least one target image is acquired through the input / output interface 1058. The target image is an image with a target trigger added. The target trigger is used to activate a backdoor implanted in a target sample. The target sample is a sample in the target dataset.

[0214] The target image acquired by the input / output interface 1058 is input into the target model to be detected to obtain the target output of the target model; if at least one target output is the probability of the label corresponding to the target sample in the target dataset, then it is determined that the target model is trained using at least one target sample in the target dataset.

[0215] The target output can also be output through the input / output interface 1058.

[0216] In the above embodiments, the descriptions of each embodiment have different focuses. For parts not described in detail in a certain embodiment, please refer to the relevant descriptions in other embodiments.

[0217] Those skilled in the art will clearly understand that, for the sake of convenience and brevity, the specific working processes of the systems, devices, and modules described above correspond to the processes in the foregoing method embodiments, which can be referred to and will not be repeated here.

[0218] In the embodiments provided in this application, it should be understood that the disclosed systems, apparatuses, and methods can be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative; for instance, the division of modules is only a logical functional division, and in actual implementation, there may be other division methods. For example, multiple modules or components may be combined or integrated into another system, or some features may be ignored or not executed. Furthermore, the coupling or direct coupling or communication connection shown or discussed may be indirect coupling or communication connection through some interfaces, apparatuses, or modules, and may be electrical, mechanical, or other forms.

[0219] The modules described as separate components may or may not be physically separate. The components shown as modules may or may not be physical modules; that is, they may be located in one place or distributed across multiple network modules. Some or all of the modules can be selected to achieve the purpose of this embodiment according to actual needs.

[0220] Furthermore, the functional modules in the various embodiments of this application can be integrated into one processing module, or each module can exist physically separately, or two or more modules can be integrated into one module. The integrated module can be implemented in hardware or as a software functional module. If the integrated module is implemented as a software functional module and sold or used as an independent product, it can be stored in a computer-readable storage medium.

[0221] In the above embodiments, implementation can be achieved, in whole or in part, through software, hardware, firmware, or any combination thereof. When implemented in software, it can be implemented, in whole or in part, as a computer program product.

[0222] The computer program product includes one or more computer instructions. When the computer program is loaded and executed on a computer, all or part of the processes or functions described in the embodiments of this application are generated. The computer may be a general-purpose computer, a special-purpose computer, a computer network, or other programmable device. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another. For example, the computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center via wired (e.g., coaxial cable, fiber optic, digital subscriber line (DSL)) or wireless (e.g., infrared, wireless, microwave, etc.) means. The computer-readable storage medium may be any available medium that a computer can store or a data storage device such as a server or data center that integrates one or more available media. The available medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., a solid-state disk (SSD)).

[0223] The technical solutions provided in the embodiments of this application have been described in detail above. Specific examples have been used in the embodiments of this application to illustrate the principles and implementation methods of the embodiments of this application. The description of the above embodiments is only for the purpose of helping to understand the methods and core ideas of the embodiments of this application. At the same time, for those skilled in the art, there will be changes in the specific implementation methods and application scope based on the ideas of the embodiments of this application. Therefore, the content of this specification should not be construed as a limitation on the embodiments of this application.

Claims

1. A training data detection method, characterized in that the method includes:

acquiring at least one target image, wherein the target image is an image with a target trigger added, the target trigger being used to activate a backdoor implanted in a target sample, and the target sample is a sample in a target dataset;

inputting the target image into the target model to be detected, and obtaining the target output of the target model;

if at least one target output is the probability of the label corresponding to the target sample in the target dataset, determining that the target model is trained using at least one target sample in the target dataset;

determining the target probability interval corresponding to the target output;

determining a target proportion based on the second mapping relationship and the target probability interval, wherein the target proportion is the proportion of the number of target samples used for training the target model to the target dataset;

wherein the process of determining the second mapping relationship includes: determining at least two first datasets from the target dataset, wherein the number of target samples included in each first dataset accounts for a different proportion of the target dataset; obtaining at least two second datasets, wherein each second dataset includes one first dataset; inputting each second dataset into at least one target model to obtain a simulated output corresponding to each second dataset, wherein the simulated output is the probability of a specified label; and obtaining a second mapping relationship based on the simulated output corresponding to each second dataset and the proportion corresponding to the first dataset, wherein the second mapping relationship includes a mapping relationship between the probability interval and the proportion corresponding to the first dataset.
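The calibration and lookup steps of claim 1, as an added Python sketch that is not code from the patent. The function names, the midpoint rule for interval boundaries, the top-1 test for a matching output, the use of the mean as the target output, and all numbers are assumptions constructed for illustration.

```python
from bisect import bisect_right
from statistics import mean

# Constructed calibration data (not from the patent): for each proportion of
# target samples placed in a second dataset, the specified-label probabilities
# that models trained on that dataset return for trigger images.
CONSTRUCTED_SIMULATED = {
    0.1: [0.30, 0.34],
    0.3: [0.55, 0.61],
    0.5: [0.78, 0.82],
    1.0: [0.95, 0.97],
}

def build_second_mapping(simulated):
    """Return [(low, high, proportion), ...] covering [0, 1] without gaps."""
    if len(simulated) < 2:
        raise ValueError("need at least two first datasets (proportions)")
    points = sorted((mean(probs), prop) for prop, probs in simulated.items())
    props = [prop for _, prop in points]
    if props != sorted(props):
        # A lookup is meaningless unless probability rises with proportion.
        raise ValueError("simulated outputs are not monotonic in proportion")
    # Assumption: interval boundaries sit midway between neighbouring means.
    cuts = [(a[0] + b[0]) / 2 for a, b in zip(points, points[1:])]
    edges = [0.0] + cuts + [1.0]
    return [(edges[i], edges[i + 1], props[i]) for i in range(len(props))]

def detect(outputs, label, mapping):
    """outputs: one probability vector per trigger image from the target model."""
    # Assumption: an output "is the probability of the label" when the
    # specified label is the top-1 class for that trigger image.
    hits = sum(1 for vec in outputs if vec.index(max(vec)) == label)
    if hits == 0:
        return {"used": False, "hits": 0, "probability": None, "proportion": None}
    # Assumption: the target output is the mean specified-label probability.
    prob = mean(vec[label] for vec in outputs)
    uppers = [high for _, high, _ in mapping[:-1]]
    low, high, prop = mapping[bisect_right(uppers, prob)]
    return {"used": True, "hits": hits, "probability": prob,
            "interval": (low, high), "proportion": prop}

if __name__ == "__main__":
    mapping = build_second_mapping(CONSTRUCTED_SIMULATED)
    suspect = [[0.10, 0.15, 0.75], [0.05, 0.10, 0.85], [0.20, 0.10, 0.70]]
    clean = [[0.70, 0.20, 0.10], [0.50, 0.30, 0.20]]
    print(detect(suspect, 2, mapping))
    print(detect(clean, 2, mapping))
```

The monotonicity check matters in practice: if the simulated probabilities do not rise with the proportion, the intervals cannot be inverted into a proportion estimate and the calibration has to be redone.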

2. The method of claim 1, wherein the at least one target image is obtained according to at least one of the following methods:

obtained by adding preset labels to any image in the initial dataset;

obtained from the target dataset;

or obtained from a third-party channel, where it may not belong to the initial dataset or the target dataset.

3. The method of claim 2, wherein, before acquiring the target image, the method further includes:

obtaining a preprocessed initial dataset, which includes multiple data samples;

implanting at least one backdoor into some or all of the data samples in the initial dataset to obtain at least one target dataset;

establishing the first mapping relationship between each target sample in each target dataset and its corresponding specified label.

4. The method according to any one of claims 1-3, characterized in that the target model is the model used by the data source for simulation testing.

5. The method according to claim 2, characterized in that the preset markers in the target sample must satisfy at least one of the following conditions:

some or all of the data samples in the initial dataset are assigned n preset labels, where n is a positive integer;

the area occupied by the preset marker in the target sample is smaller than the preset area;

or the contrast of the preset marker is less than the preset contrast.

6. The method according to claim 5, characterized in that the method further includes:

acquiring historical detection data for at least one target model within a historical time period, wherein the historical detection data includes detection data for target samples with the preset label added;

if the detection accuracy is determined to be lower than the preset detection accuracy based on the historical detection data, performing at least one of the following operations on the preset markers in the target sample:

setting multiple preset labels on some or all data samples in the target dataset to obtain a first target dataset;

reducing the area occupied by the preset marker in the target sample;

or reducing the contrast of the preset marker.

7. A data detection device, characterized in that the data detection device includes:

an input / output module, used to acquire at least one target image, wherein the target image is an image with a target trigger added, and the target trigger is used to activate a backdoor implanted in a target sample; the target sample is a sample in a target dataset;

a processing module, used to input the target image acquired by the input / output module into the target model to be detected, and obtain the target output of the target model; if at least one target output is the probability of the label corresponding to the target sample in the target dataset, then it is determined that the target model is trained using at least one target sample in the target dataset;

the processing module is further configured to determine the target probability interval corresponding to the target output, and to determine the target proportion according to the second mapping relationship and the target probability interval, wherein the target proportion is the proportion of the number of target samples used for training the target model to the target dataset;

wherein the process of determining the second mapping relationship includes: determining at least two first datasets from the target dataset, wherein the number of target samples included in each first dataset is a different proportion to the target dataset; obtaining at least two second datasets, wherein each second dataset includes one first dataset; inputting each second dataset into at least one target model to obtain the simulated output corresponding to each second dataset, wherein the simulated output is the probability of a specified label; and obtaining the second mapping relationship according to the simulated output corresponding to each second dataset and the proportion corresponding to the first dataset, wherein the second mapping relationship includes the mapping relationship between the probability interval and the proportion corresponding to the first dataset.

8. A processing device, characterized in that it includes a processor and a memory, wherein the memory stores a computer program, and the processor executes the method as described in any one of claims 1 to 6 when it invokes the computer program in the memory.

9. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a plurality of instructions adapted for loading by a processor to perform the method of any one of claims 1 to 6.