Privacy preserving system based on federated learning

By using techniques such as dynamically dividing data feature weights, secret sharing sharding, and sparse quantization coding in federated learning, the problems of privacy protection and model accuracy loss in federated learning are solved, achieving lightweight privacy protection and efficient model training.

CN120470629BActive Publication Date: 2026-07-03BEIJING HONGYANGXUNTENG SCI TECH DEV CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
BEIJING HONGYANGXUNTENG SCI TECH DEV CO LTD
Filing Date
2025-07-17
Publication Date
2026-07-03

AI Technical Summary

Technical Problem

Existing federated learning privacy protection technologies suffer from problems such as gradient inversion attacks, member inference attacks, model accuracy loss, and high computational and communication overhead, which are difficult to solve effectively using traditional methods.

Method used

The privacy protection system based on federated learning constructs a lightweight privacy protection architecture through technologies such as dynamic partitioning of data feature weights, secret sharing sharding, sparse ternary quantization encoding, dual-channel encryption architecture, dynamic trust assessment, and blockchain notarization, thereby achieving fine-grained privacy perturbation and model accuracy optimization.

Benefits of technology

It significantly improves the privacy protection and model utility of federated learning, reduces computational and communication overhead, enhances the robustness and security of the system, and provides verifiable model integrity guarantees.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN120470629B_ABST
    Figure CN120470629B_ABST
Patent Text Reader

Abstract

The application discloses a privacy protection system based on federated learning and relates to the technical field of privacy protection.The system comprises a distributed participating node cluster, each participating node is configured with a local model training unit and a privacy protection module, a coordination server connected with each participating node through a secure communication layer, containing a model aggregation module and a dynamic trust evaluation module, a global model distribution channel for broadcasting encrypted global model parameters to participating nodes, and a privacy protection module integrated in the local participating node, containing a homomorphic encryption engine and a local differential privacy injector.The application synchronously achieves the improvement of privacy protection strength, the optimization of model utility, the breakthrough of system efficiency and the expansion of security boundary under the federated learning framework, and provides an industrial-level solution for cross-domain data collaborative learning.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of privacy protection technology, and in particular to a privacy protection system based on federated learning. Background Technology

[0002] Federated learning, as a distributed machine learning framework, aims to allow multiple participants to collaboratively train a global model by exchanging model parameters, without their local data leaving its original storage location. This architecture seeks to solve the data silo problem and meet increasingly stringent privacy requirements. However, federated learning exposes serious privacy vulnerabilities in practical deployments: attackers can reconstruct the original training data from plaintext gradients through gradient inversion, and member inference attacks can determine whether a specific sample participated in training; untrusted servers or malicious participants may steal privacy information through collusion, model tampering, or intermediate parameter analysis; the high-dimensionality of model parameters exacerbates the computational and communication overhead of privacy protection, making traditional encryption methods difficult to directly adapt.

[0003] Current privacy protection technologies in federated learning mainly rely on three types of methods, but all have significant limitations: 1. Cryptographic methods: These assign independent keys to different clients, encrypt local model parameters, and then upload them to the server for aggregation. Joint decryption requires collaboration among multiple clients, resulting in high computational complexity and a high risk of key leakage. 2. Differential privacy methods: These add noise to gradients or model parameters, making it impossible for attackers to distinguish the impact of individual data points. The addition of global noise leads to a loss of model accuracy, especially in scenarios with non-independent and identically distributed data. Furthermore, it does not consider data heterogeneity, providing insufficient protection for high-value core data while excessively perturbing low-value redundant data. 3. Hybrid protection mechanisms: These combine traditional differential privacy with cryptographic techniques, attempting to balance privacy and model usability. However, this method has poor compatibility; the noise addition in traditional differential privacy conflicts with the mathematical properties of encryption protocols, and the terminal device must simultaneously perform encryption and noise injection, consuming resources beyond the capacity of IoT devices. Therefore, based on the above challenges, this invention proposes a privacy protection system based on federated learning. Summary of the Invention

[0004] Technical Purpose

[0005] To address the aforementioned issues, this invention aims to provide a privacy protection system based on federated learning. This system defends against gradient inversion attacks and membership inference attacks, prevents the leakage of local data features through transmission parameters, overcomes the model accuracy loss caused by the global noise addition mechanism in traditional differential privacy, achieves precise protection of data value perception, avoids the synchronous communication bottleneck of secure multi-party computation and the key management risks of homomorphic encryption, constructs a lightweight privacy protection architecture, establishes a decentralized trust mechanism, and suppresses server collusion and data poisoning attacks by participating nodes.

[0006] Technical solution

[0007] To achieve the above objectives, this invention provides a privacy protection system based on federated learning. This scheme dynamically divides core and non-core datasets based on local data feature weights, injects adaptive noise into each, and allocates the privacy budget according to data value. It adopts a secret sharing sharding mechanism to replace traditional joint decryption. The client uploads secret shards with added noise parameters to the server, and secure fusion is achieved through linear aggregation and threshold verification. It integrates a multi-dimensional behavior analysis model to generate dynamic weight coefficients for optimized aggregation and deploys a CNN gradient anomaly detector to intercept malicious parameter injection. It also compresses gradient data through sparse ternary quantization encoding and reduces transmission overhead by combining a dual-channel encryption architecture.

[0008] In a first aspect, the present invention provides a privacy protection system based on federated learning, comprising:

[0009] A distributed cluster of participating nodes, each node is configured with a local model training unit and an embedded privacy protection module;

[0010] The coordination server connects to each participating node through a secure communication layer and includes a model aggregation module and a dynamic trust assessment module.

[0011] The global model distribution channel is used to broadcast encrypted global model parameters to participating nodes;

[0012] The privacy protection module is integrated locally on the participating nodes and includes a homomorphic encryption engine and a local differential privacy injector.

[0013] The dynamic trust assessment module generates dynamic weight coefficients based on the historical behavior data of participating nodes and inputs them into the model aggregation module.

[0014] Furthermore, the coordination server detects the distribution deviation of the gradients uploaded by participating nodes through a feature space consistency verification unit, and identifies malicious gradient injection behavior based on a convolutional neural network through a gradient anomaly pattern recognizer.

[0015] Furthermore, the coordination server is connected to a source isolation controller, which is configured to perform zero-knowledge proof challenges on the abnormal gradient initiator and trigger dynamic isolation of the computing resources of the participating nodes.

[0016] Furthermore, the secure communication layer adopts a dual-channel encryption architecture. The first transmission channel uses identity-based broadcast encryption to transmit the global model, and the second transmission channel uses a post-quantum cryptography algorithm to transmit local gradient data.

[0017] Furthermore, the model aggregation module employs a sparse ternary quantization coding strategy for gradient compression and performs nonlinear weighted fusion of the gradients of participating nodes based on dynamic weight coefficients.

[0018] Furthermore, the privacy protection module establishes a temporary computing alliance among participating nodes to perform cross-node feature cross-validation and joint gradient norm boundary calculation.

[0019] Furthermore, the local differential privacy injector includes an adaptive noise generator whose noise parameters are dynamically adjusted by the data sensitivity classification results of the current training round and the node trust value output by the dynamic trust evaluation module.

[0020] Furthermore, the adaptive noise generator integrates a noise parameter self-optimization feedback loop, which includes a privacy budget consumption monitor, a model utility loss evaluator, and a reinforcement learning-based noise parameter dynamic adjustment strategy generator.

[0021] Furthermore, the dynamic trust assessment module adopts a multi-dimensional behavior analysis model, and the analysis dimensions include gradient upload time sequence consistency, local data distribution credibility proof, historical participation behavior compliance index, and computing resource authenticity verification results.

[0022] Furthermore, it also includes a hierarchical noise injection module, used to reconstruct the privacy budget allocation logic through the dynamic coupling of data value perception grading and node behavior trust assessment. The privacy budget calculation formula is as follows:

[0023]

[0024] In the formula, For nodes In the round Privacy budget; A basic privacy budget for system initialization; For nodes In the round Trust value; The size of the core dataset; This represents the total size of the local dataset for each node. This is the time decay coefficient; This is the current federal learning and training round.

[0025] This mechanism enables fine-grained privacy perturbation during federated learning, adaptively adjusting noise intensity based on data sensitivity and node trustworthiness to significantly optimize the privacy-utility tradeoff. Simultaneously, it updates trust weights based on real-time feedback of gradient distribution deviation, effectively suppressing malicious nodes from interfering with model convergence and improving the system's robustness in scenarios with non-independent and identically distributed data.

[0026] Furthermore, it also includes a secure multi-party aggregation module for managing key fragmentation by preserving gradient saliency values ​​and distributing the sparse coding formula:

[0027]

[0028] In the formula, This is the compressed gradient vector; To retain the previous Projection operator for the largest absolute value element; This is element-wise multiplication; For symbol mask matrix; For indicator functions; For gradient; This is a dynamic threshold.

[0029] This scheme significantly reduces communication load and computational overhead by preserving gradient significance values ​​and distributing key shards for management. At the same time, it utilizes blockchain notarization to ensure the verifiability of aggregation results, providing provable security against collusion attacks and model tampering, and offering a lightweight solution for resource-constrained terminals to participate in federated training.

[0030] Furthermore, the system is equipped with a blockchain-assisted model verification mechanism, including:

[0031] The model hash value on-chain storage unit is used to write the hash value of the global model parameters for each round to the blockchain;

[0032] A distributed version consistency verifier is used to compare the matching degree between the received model of each node and the record on the chain.

[0033] Secondly, the present invention also provides a privacy protection method based on federated learning, the method being based on the system described in the first aspect above, comprising:

[0034] Participating nodes calculate sensitivity scores based on local data feature weights, divide the core dataset into core and non-core datasets, and generate an adaptive privacy budget based on dynamic trust values, injecting hierarchical Gaussian noise;

[0035] Sparse ternary quantization is applied to the noisy local gradient, and the top-k elements with absolute values ​​greater than the dynamic threshold are retained to generate a compressed gradient vector.

[0036] The compressed gradient vector is encrypted using the public key to generate ciphertext, and the private key is split into multiple shards and distributed to edge nodes through threshold secret sharing.

[0037] The server coordinates the homomorphic aggregation of ciphertext gradients, and nodes with a threshold value collaborate to decrypt the aggregation result and update the global model.

[0038] The node trust value is updated based on the gradient distribution deviation, and the global model hash value is written to the blockchain for version consistency verification.

[0039] Thirdly, the present invention also provides a computer-readable storage medium storing a computer program, which, when executed by a processor, performs the aforementioned privacy protection method based on federated learning.

[0040] This invention dynamically adjusts the privacy budget based on data value grading and node behavior trust assessment to achieve fine-grained privacy perturbation; it constructs a lightweight encrypted communication architecture by combining sparse ternary quantization and threshold secret sharing decryption; it eliminates the risk of model splitting through hash-based on-chain evidence storage and distributed version comparison; and it intercepts malicious attacks using feature space analysis and gradient pattern recognition. This solution simultaneously achieves enhanced privacy protection, optimized model utility, breakthroughs in system efficiency, and expanded security boundaries within the federated learning framework, forming a full-stack technical system that is privacy-controllable, communication-efficient, model-trustworthy, and attack-resistant, providing an industrial-grade solution for cross-domain data collaborative learning.

[0041] Beneficial effects

[0042] By implementing the privacy protection system based on federated learning provided by the present invention, the following technical effects are achieved:

[0043] (1) This application constructs a decentralized model integrity assurance system by storing model hash values ​​on the blockchain and using a distributed version verifier. This mechanism eliminates the risk of model splitting due to a single point of failure of the server in traditional federated learning, ensuring that all participating nodes receive the same global model version; at the same time, it provides tamper-proof audit traceability capabilities, strengthening the Byzantine fault tolerance of the federated architecture at the system level.

[0044] (2) It integrates a dual engine of feature space consistency verification and gradient anomaly pattern recognition. It uses convolutional neural networks to extract high-dimensional spatiotemporal features of gradients to accurately identify covert threats such as malicious parameter injection and backdoor attacks; combined with a zero-knowledge proof challenge mechanism, it realizes attack tracing and resource isolation, significantly improving the inherent security of the system in open network environments.

[0045] (3) The privacy budget allocation logic is reconstructed by dynamically coupling data value perception classification and node behavior trust assessment. This mechanism realizes fine-grained privacy perturbation in the federated learning process, and adaptively adjusts the noise intensity according to data sensitivity and node credibility, significantly optimizing the privacy-utility trade-off. At the same time, the trust weight is updated in real time based on the gradient distribution deviation, which effectively suppresses the interference of malicious nodes on model convergence and improves the robustness of the system in non-independent and identically distributed data scenarios.

[0046] (4) By integrating gradient sparse ternary quantization and threshold secret sharing decryption, the engineering bottleneck of traditional homomorphic encryption is overcome. This scheme significantly reduces communication load and computational overhead by preserving gradient saliency values ​​and distributively managing key fragments; at the same time, it uses blockchain notarization to realize the verifiability of aggregation results, providing provable security guarantees against collusion attacks and model tampering, and providing a lightweight solution for resource-constrained terminals to participate in federated training. Attached Figure Description

[0047] To make the above-described privacy protection system based on federated learning of the present invention more apparent and understandable, the accompanying drawings used in the specific embodiments of the present invention will be briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention. For those skilled in the art, other drawings can be obtained from these drawings without creative effort.

[0048] Figure 1 This is a diagram illustrating the system architecture of this application;

[0049] Figure 2 This is a flowchart illustrating the method described in this application. Detailed Implementation

[0050] Example 1:

[0051] A privacy-preserving system based on federated learning is provided, the system architecture of which is as follows: Figure 1 As shown, it includes: a distributed cluster of participating nodes, each configured with a local model training unit and an embedded privacy protection module; a coordination server, connected to each participating node via a secure communication layer, containing a model aggregation module and a dynamic trust evaluation module; a global model distribution channel, used to broadcast encrypted global model parameters to participating nodes; a privacy protection module, integrated locally on each participating node, containing a homomorphic encryption engine and a local differential privacy injector; and a dynamic trust evaluation module, which generates dynamic weight coefficients based on the historical behavior data of participating nodes and inputs them into the model aggregation module. Details are as follows.

[0052] The local model training unit is used to perform gradient calculation and backpropagation.

[0053] The model aggregation module is used to receive encrypted gradients and perform homomorphic aggregation operations.

[0054] The dynamic trust evaluation module is used to generate dynamic weight coefficients based on gradient temporal consistency and data distribution credibility.

[0055] The coordination server detects the distribution deviation of the gradients uploaded by participating nodes through the feature space consistency verification unit, and identifies malicious gradient injection behavior based on a convolutional neural network through a gradient anomaly pattern recognizer.

[0056] The adversarial example detection process specifically includes:

[0057] Step 1: The feature space consistency verification unit calculates the KL divergence of the gradient distribution;

[0058] Step 2: The CNN gradient anomaly detector takes the gradient tensor as input and outputs the malicious probability.

[0059] Network structure: 3 convolutional layers + fully connected layers, kernel size is 3×3;

[0060] Judgment rule: Isolate the node when the probability value of malicious behavior output by the gradient anomaly detector is greater than 0.95.

[0061] The coordination server is connected to a source isolation controller, which is configured to perform zero-knowledge proof challenges on anomalous gradient initiators and trigger dynamic isolation of the computational resources of participating nodes.

[0062] The secure communication layer adopts a dual-channel encryption architecture. The first transmission channel of the architecture uses the Boneh-Gentry-Waters scheme with a 256-bit elliptic curve group structure, which supports key updates when dynamic nodes join or leave. The second transmission channel uses the CRYSTALS-Kyber algorithm to transmit local gradients with a key length of 1024 bits and an encryption mode of CCA-secure.

[0063] The model aggregation module employs a sparse ternary quantization coding strategy for gradient compression and performs nonlinear weighted fusion of the gradients of participating nodes based on dynamic weight coefficients.

[0064] The privacy protection module establishes a temporary computational alliance among participating nodes to perform cross-node feature cross-validation and joint gradient norm boundary calculation.

[0065] The local differential privacy injector includes an adaptive noise generator whose noise parameters are dynamically adjusted by the data sensitivity classification results of the current training round and the node trust value output by the dynamic trust evaluation module.

[0066] The adaptive noise generator integrates a noise parameter self-optimization feedback loop, which includes a privacy budget consumption monitor, a model utility loss evaluator, and a noise parameter dynamic adjustment strategy generator based on reinforcement learning. The state space consists of the current privacy budget consumption rate, model utility loss, and node trust value variance, while the action space is the adjustment range of the noise scale.

[0067] The dynamic trust assessment module adopts a multi-dimensional behavior analysis model, and the analysis dimensions include gradient upload time sequence consistency, local data distribution credibility proof, historical participation behavior compliance index, and computing resource authenticity verification results.

[0068] The system is equipped with a blockchain-assisted model verification mechanism, including:

[0069] The model hash value on-chain storage unit is used to coordinate the server to generate global model parameter hash values ​​and write them into the Hyperledger Fabric channel through a smart contract. The consensus mechanism is Raft.

[0070] The distributed version consistency verifier is used to participate in the local calculation of the received model's hash value and compare it with the on-chain record. If the mismatch rate is >5%, the model rollback protocol is triggered.

[0071] A privacy-preserving method based on federated learning is provided. This method is based on the aforementioned system, and the process is as follows: Figure 2 As shown, the process includes: participating nodes calculating sensitivity scores based on local data feature weights, dividing the dataset into core and non-core datasets, generating an adaptive privacy budget based on dynamic trust values, and injecting hierarchical Gaussian noise; applying sparse ternary quantization to the noisy local gradients and retaining the Top-k elements with absolute values ​​greater than a dynamic threshold to generate compressed gradient vectors; encrypting the compressed gradient vectors using a public key to generate ciphertext, and distributing the private key to multiple shards to edge nodes through threshold secret sharing; coordinating servers to homomorphically aggregate the ciphertext gradients, and having nodes with at least a threshold value collaboratively decrypt the aggregated results to update the global model; updating node trust values ​​based on gradient distribution deviation, and writing the global model hash value to the blockchain for version consistency verification.

[0072] Example 2:

[0073] Based on the aforementioned embodiments, to address the problem of reduced model utility caused by globally fixed noise in traditional differential privacy, a dynamic trust-driven hierarchical noise injection mechanism is added, introducing dual dynamic factors of data value perception and node behavior trust assessment.

[0074] The core dataset and non-core dataset are dynamically divided based on local data feature weights (such as gradient contribution and feature scarcity), and a differentiated privacy budget is allocated.

[0075] Trust weights are generated through a dynamic trust assessment module to adjust node-level noise levels. High-trust nodes receive less noise in their core data, while low-trust nodes receive increased perturbation.

[0076] The data value is graded, and the client calculates the data points. Sensitivity score:

[0077]

[0078] In the formula, For data points Sensitivity score; For model parameters Next data point The gradient of the loss function; This represents the maximum value of the gradient norm for all data points; This is a domain adjustment factor, preferably 0.3, used to balance the weights of gradient contribution and feature importance; These are the text feature weights.

[0079] node In the round Privacy budget:

[0080]

[0081] In the formula, For nodes In the round Privacy budget; A basic privacy budget for system initialization; For nodes In the round Trust value; The size of the core dataset; This represents the total size of the local dataset for each node. This is the time decay coefficient; This is the current federal learning and training round.

[0082] according to Calculate the Gaussian noise scale and inject the local gradient.

[0083] After each round of aggregation, the server verifies the nodes. Based on the gradient distribution deviation, update the confidence value:

[0084]

[0085] In the formula, The historical weight is preferably 0.8; This is an indicator function; a deviation of 1 indicates the target deviation, and 0 indicates the deviation deviation otherwise. For nodes The gradient distribution deviation; The deviation from the threshold is preferably 0.15.

[0086] Verification shows that, while achieving an average error similar to that of the above embodiments, this mechanism maintains model accuracy close to the perturbation-free benchmark under strict privacy constraints through differentiated privacy perturbation strategies and dynamic feedback of behavioral trust, significantly alleviating the utility decay problem of traditional differential privacy; trust assessment based on gradient distribution deviation analysis can quickly identify abnormal nodes and effectively block data poisoning attacks from polluting the global model; and by injecting hierarchical noise according to data value, it greatly improves the convergence stability and generalization performance of heterogeneous data scenarios.

[0087] Example 3:

[0088] Building upon the aforementioned embodiments, to reduce the computational overhead of homomorphic encryption and defend against collusion attacks, gradient sparsity is combined with threshold secret sharing. Gradient compression employs sparse ternary coding to preserve significant gradient values, reducing the amount of data requiring encryption. Private key fragments are distributed and held by the client and edge servers, and aggregation requires... Collaborative decryption prevents a single malicious party from stealing gradients.

[0089] The client computes the gradient, applying improved STE compression:

[0090]

[0091] In the formula, This is the compressed gradient vector; To retain the previous Projection operator for the largest absolute value element; This is element-wise multiplication; For symbol mask matrix; For indicator functions; For gradient; This is a dynamic threshold.

[0092] The key generation center generates the HE private key. Split into Shamir secret sharing Each segment It is distributed to clients and edge servers.

[0093] The client uses the public key encryption have to Uploaded to the server.

[0094] The server performs homomorphic aggregation: .

[0095] Depend on Individual holding Decrypting Node Collaboration:

[0096]

[0097] In the formula, This is the aggregated global gradient vector; This is a homomorphic decryption function; This is the encrypted aggregate gradient ciphertext; A set of private key fragments for collaborative decryption. For a set of node indexes; This is the threshold value.

[0098] Suppose we consider a 3-node federated learning scenario to train a 3D linear regression model. The gradient data is as follows: Node 1, the original gradient vector is... Node 2, the original gradient vector is Node 3, original gradient vector is .

[0099] Gradient sparse coding, dynamic thresholding Keep the top-2 elements:

[0100] Node 1: ;

[0101] Node 2: ;

[0102] Node 3: .

[0103] Distributed key sharding aggregation, threshold :

[0104] Private key Fragmentation: , , ;

[0105] Ciphertext aggregation: ;

[0106] Collaborative Decryption: .

[0107] Aggregation results: ;

[0108] Update the model: .

[0109] Comparing the performance of traditional homomorphic encryption with our proposed solution on the CIFAR-10 dataset:

[0110] Table 1. Performance Comparison between Traditional Homomorphic Encryption and This Scheme

[0111]

[0112] As shown in the experimental table, sparse coding reduces the data volume to 30.2%, and combined with ternary coding for further compression, distributed key fragmentation blocks the risk of single-point leakage, gradient sparsity significantly increases the reconstruction difficulty, and the model accuracy improves by 0.8%. Experimental data show that sparse ternary coding significantly reduces transmission load, enabling resource-constrained terminals to stably participate in multiple rounds of federated training; the threshold decryption mechanism raises the resistance to collusion attacks to the theoretical limit, while blockchain notarization provides verifiable aggregate integrity guarantees; the split encryption process significantly reduces end-to-end latency, breaking through the engineering bottleneck of homomorphic encryption.

[0113] Those skilled in the art will understand that embodiments of the present invention can be provided as methods, systems, or computer program products. Therefore, the present invention can take the form of a completely hardware embodiment, a completely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present invention can take the form of a computer program product embodied on one or more computer-usable non-transitory storage media containing computer-usable program code.

[0114] The present invention can provide computer program instructions to a management platform of a general-purpose computer, a special-purpose computer, an embedded processor, or other programmable data processing equipment to produce a machine, such that the instructions executed by the management platform of the computer or other programmable data processing equipment produce means for implementing the system.

[0115] These computer program instructions may also be stored in a computer-readable storage medium that can direct a computer or other programmable data processing device to function in a particular manner, such that the instructions stored in the computer-readable storage medium produce an article of manufacture including instruction means that perform the functions of the system.

[0116] These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer-implemented process, such that the instructions, which execute on the computer or other programmable apparatus, provide steps for implementing the functions of the system.

Claims

1. A privacy-preserving system based on federated learning, characterized in that, include: A distributed cluster of participating nodes, each of which is configured with a local model training unit and a privacy protection module; The coordination server connects to each participating node through a secure communication layer and includes a model aggregation module and a dynamic trust evaluation module. The dynamic trust evaluation module generates node trust values ​​based on gradient upload time sequence consistency, local data distribution credibility proof, historical participation behavior compliance index, and computing resource authenticity verification results. The global model distribution channel is used to broadcast encrypted global model parameters to participating nodes; The privacy protection module, integrated locally on the participating nodes, includes a homomorphic encryption engine and a local differential privacy injector. The local differential privacy injector includes an adaptive noise generator, which integrates a noise parameter self-optimization feedback loop. The feedback loop includes a privacy budget consumption monitor, a model utility loss evaluator, and a noise parameter dynamic adjustment strategy generator based on reinforcement learning. The hierarchical noise injection module is used to reconstruct the privacy budget allocation logic through the dynamic coupling of data value perception classification and node behavior trust assessment. The data value perception classification includes calculating the sensitivity score of data points based on local data feature weights. The core dataset and non-core dataset are divided according to the sensitivity score, and a differentiated privacy budget is allocated to the data of different levels. The privacy budget is related to the node trust value, the proportion of the size of the core dataset to the total size of the local dataset, and the training rounds. The secure multi-party aggregation module is used to generate a compressed gradient vector by retaining the significant values ​​of the gradient and distributing the key fragments. It uses sparse coding to retain the Top-k elements whose absolute gradient values ​​are greater than a dynamic threshold, generates ciphertext by encrypting the compressed gradient vector with a public key, and distributes the private key to the client and edge server by splitting it into multiple fragments through threshold secret sharing. The aggregation result is obtained by the collaborative decryption of nodes with no less than the threshold value.

2. The system according to claim 1, characterized in that: The coordination server detects the distribution deviation of the gradients uploaded by participating nodes through the feature space consistency verification unit, and identifies malicious gradient injection behavior based on a convolutional neural network through a gradient anomaly pattern recognizer.

3. The system according to claim 1 or 2, characterized in that: The coordination server is connected to a source isolation controller, which is configured to perform zero-knowledge proof challenges on anomalous gradient initiators and trigger dynamic isolation of the computational resources of participating nodes.

4. The system according to claim 1, characterized in that: The secure communication layer adopts a dual-channel encryption architecture. The first transmission channel of the architecture uses identity-based broadcast encryption to transmit the global model, and the second transmission channel uses a post-quantum cryptography algorithm to transmit local gradient data.

5. The system according to claim 1, characterized in that: The model aggregation module employs a sparse ternary quantization coding strategy for gradient compression and performs nonlinear weighted fusion of the gradients of participating nodes based on dynamic weight coefficients.

6. The system according to claim 1, characterized in that: The privacy protection module establishes a temporary computational alliance among participating nodes to perform cross-node feature cross-validation and joint gradient norm boundary calculation.

7. The system according to claim 1 or 6, characterized in that: The noise parameters of the adaptive noise generator are dynamically adjusted by the data sensitivity classification results of the current training round and the node trust value output by the dynamic trust evaluation module.

8. The system according to claim 1, characterized in that: The formula for calculating the privacy budget of the hierarchical noise injection module is as follows: In the formula, For nodes In the round Privacy budget; A basic privacy budget for system initialization; For nodes In the round Trust value; The size of the core dataset; This represents the total size of the local dataset for each node. This is the time decay coefficient; This is the current federal learning and training round.

9. The system according to claim 1, characterized in that: The formula for the sparse coding of the secure multi-party aggregation module is: In the formula, This is the compressed gradient vector; To retain the previous Projection operator for the largest absolute value element; This is element-wise multiplication; For symbol mask matrix; For indicator functions; For gradient; This is a dynamic threshold.

10. A privacy-preserving method based on federated learning, characterized in that: The method is implemented based on the system described in claim 1: The method includes: Participating nodes calculate sensitivity scores based on local data feature weights, divide the core dataset into core datasets and non-core datasets, and generate an adaptive privacy budget based on dynamic trust values, injecting hierarchical Gaussian noise; Sparse ternary quantization is applied to the noisy local gradient, and the top-k elements with absolute values ​​greater than the dynamic threshold are retained to generate a compressed gradient vector. The compressed gradient vector is encrypted using the public key to generate ciphertext, and the private key is split into multiple shards and distributed to edge nodes through threshold secret sharing. The server coordinates the homomorphic aggregation of ciphertext gradients, and nodes with a threshold value collaborate to decrypt the aggregation result and update the global model. The node trust value is updated based on the gradient distribution deviation, and the global model hash value is written to the blockchain for version consistency verification.