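Authors: LIN Ning; CHEN Xiaoming; XIA Chunwei; LI Wenxing; YE Jing [1,2]; LIU Zizhen; LI Xiaowei (Institute of Computing Technology, Chinese Academy of Sciences, Beijing 100190; School of Computer and Control Engineering, University of Chinese Academy of Sciences, Beijing 101408)
Affiliations: [1] Institute of Computing Technology, Chinese Academy of Sciences, Beijing 100190; [2] School of Computer Science and Technology, University of Chinese Academy of Sciences, Beijing 101408
Source: Chinese High Technology Letters (《高技术通讯》), 2022, No. 10, pp. 991-1003 (13 pages)
Funding: Supported by the National Key Research and Development Program of China (2020YFB1600201) and the National Natural Science Foundation of China (U20A20202, 62090024, 61876173).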
Abstract: In federated learning tasks, different users upload the gradients of deep learning models to a central server for gradient aggregation. However, recent studies show that directly uploading the original gradients is not secure, and attackers can use gradient attack methods to restore users' input data. Currently, methods based on secure multi-party computation (SMPC), differential privacy (DP) and homomorphic encryption (HE) to protect gradient security suffer from large communication overhead, serious loss of accuracy and excessive latency overhead. This paper proposes a gradient security protection method based on a dual chaotic map algorithm, which prevents malicious users and malicious servers from peeping at users' personal privacy through gradients by exchanging the positions of the gradients. To reduce the latency overhead, the proposed method transforms the mapping problem of the layers into a 0-1 integer knapsack problem and uses dynamic programming to obtain the optimal encryption scheme. Experimental results on the CIFAR-10, CIFAR-100, LFW and ImageNet datasets show that the proposed method can effectively defend against the two latest gradient attack methods and effectively protect the security of the gradients. In addition, experimental results on CPU, GPU and three mobile phone chips show that the proposed method runs extremely efficiently and requires only several milliseconds to achieve security protection.