
Research On The Technology Of Defensing Privacy Hiding Faced To Deep Learning Models

Posted on: 2021-01-13
Degree: Master
Type: Thesis
Country: China
Candidate: Y M Zhao
Full Text: PDF
GTID: 2428330611499748
Subject: Computer technology

Abstract/Summary:
The model privacy hiding attack on deep learning is a technique that extracts information about the training data from a trained model. Such attacks can be passive or active. A passive attack targets a normally trained model and reconstructs information about the training set from data collected by querying the model. An active attack requires the attacker to control the model workflow: the private data is hidden in the model by encoding it during training, and once the model is released the attacker recovers it by decoding the parameters. Compared with passive attacks, active attacks recover the training data far more accurately, so the threat of leaking training-data privacy is greater. This thesis mainly studies active model privacy hiding attacks.

Summarizing the literature, this thesis divides the deep learning workflow into a data preparation phase, a model training phase and a model release phase; the attack can be implemented in these phases by adding synthetic malicious data, by modifying the training loss function, and by modifying the model parameters, respectively. The attack does not degrade the model's performance on its normal task, which makes it stealthy. The harm and the concealment of active attacks make this problem an important and challenging research topic. This thesis analyzes the theoretical basis for the existence of model privacy hiding attacks, systematically sorts out the privacy hiding threats across the deep learning pipeline, summarizes the threat model, and introduces the attack methods for each phase. Through experiments, it verifies the feasibility of the model privacy hiding attack and briefly analyzes how the training hyperparameter configuration affects both the attack's effectiveness and the model's performance on the original task. Existing defenses against these attacks suffer from weak defensive effect and from degrading the model's performance. This thesis therefore proposes targeted defense methods for these problems.

First, without modifying the model and targeting privacy hiding attacks carried out in the model training phase, a defense based on the statistical characteristics of model parameters is proposed. From both normally trained models and models attacked through training, this thesis extracts the model parameters, computes statistical features from them, and uses machine learning algorithms to build a classifier. Experiments show that this classifier can determine whether a set of parameters comes from an attacked model with an accuracy above 90%.

Second, targeting privacy hiding attacks in the data preparation phase, a defense based on malicious data discrimination is proposed. This thesis extracts the hidden-layer function from the attacked model, feeds it both the training data and the synthetic malicious data to compute hidden-layer activations, reduces the activations to two dimensions with a dimensionality reduction algorithm, and trains a support vector machine as the classifier. Experiments show that the resulting classifier separates normal data from synthetic malicious data with high accuracy. The classifier can therefore be used to reject synthetic malicious samples before they enter training, which prevents privacy hiding attacks in the data preparation phase.

Third, modifying the model and again targeting privacy hiding attacks in the data preparation phase, a defense based on model pruning is proposed. Using the extracted hidden-layer function, this thesis computes the hidden-layer activations on the training data, averages the activation of each neuron, and cuts off the neurons whose average activation is small, producing a pruned version of the attacked model. Experiments show that the pruned model effectively counters the privacy problems caused by the synthetic malicious data, while the effect on its prediction accuracy for normal data is negligible.
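The model-release-phase attack described above, modifying the parameters of a finished model to carry private data, as an added worked example that is not the thesis's own code: the payload is written into the eight low-order mantissa bits of each float32 weight and read back after "release". This particular low-order-bit encoding is one assumed way of "modifying the model parameters"; the thesis does not specify which encoding it used. The weights, the input vector and the payload (a stand-in for a training record) are all constructed for the example. The point a practitioner should take from it is the size of the perturbation: overwriting k mantissa bits changes each weight by strictly less than 2^(k-23) relative, so the model's normal predictions do not move, which is exactly why the attack is stealthy.

```python
import struct

K = 8  # low-order mantissa bits overwritten in every float32 weight (assumption)


def f32_to_u32(x):
    return struct.unpack("<I", struct.pack("<f", x))[0]


def u32_to_f32(u):
    return struct.unpack("<f", struct.pack("<I", u))[0]


def as_float32(weights):
    """Round Python floats to float32, the precision a released model is stored in."""
    return [u32_to_f32(f32_to_u32(w)) for w in weights]


def bytes_to_bits(data):
    return [(byte >> i) & 1 for byte in data for i in range(7, -1, -1)]


def bits_to_bytes(bits):
    whole = len(bits) - len(bits) % 8
    return bytes(int("".join(str(b) for b in bits[i:i + 8]), 2) for i in range(0, whole, 8))


def encode_lsb(weights, payload, k=K):
    """Attacker side: write payload bits into the k low-order mantissa bits of each weight."""
    bits = bytes_to_bits(payload)
    capacity = len(weights) * k
    if len(bits) > capacity:
        raise ValueError(f"payload needs {len(bits)} bits, model holds {capacity}")
    bits += [0] * (capacity - len(bits))  # zero-pad the unused capacity
    mask = (1 << k) - 1
    out = []
    for idx, w in enumerate(weights):
        value = int("".join(str(b) for b in bits[idx * k:(idx + 1) * k]), 2)
        out.append(u32_to_f32((f32_to_u32(w) & ~mask) | value))
    return out


def decode_lsb(weights, n_bytes, k=K):
    """Attacker side after release: read the k low-order bits back out of each weight."""
    bits = []
    for w in weights:
        u = f32_to_u32(w)
        bits.extend((u >> i) & 1 for i in range(k - 1, -1, -1))
    return bits_to_bytes(bits[:n_bytes * 8])


def max_relative_change(before, after):
    return max(abs(a - b) / abs(b) for a, b in zip(after, before))


def forward(weights, x, n_out=3):
    """Linear model; weights are stored row-major as n_out rows of len(x) entries."""
    n_in = len(x)
    return [sum(weights[r * n_in + i] * x[i] for i in range(n_in)) for r in range(n_out)]


def argmax(v):
    return max(range(len(v)), key=v.__getitem__)


# Constructed 3x4 weight matrix and a constructed record to exfiltrate.
CLEAN_WEIGHTS = as_float32([0.52, -1.31, 0.08, 0.77, -0.45, 0.93,
                            1.12, -0.26, 0.64, -0.88, 0.31, 0.19])
PAYLOAD = b"id=42,y=1"


def demo():
    stego = encode_lsb(CLEAN_WEIGHTS, PAYLOAD)
    recovered = decode_lsb(stego, len(PAYLOAD))
    x = [1.0, 0.5, -0.25, 2.0]  # constructed input
    return {
        "recovered": recovered,
        "max_rel_change": max_relative_change(CLEAN_WEIGHTS, stego),
        "same_prediction": argmax(forward(CLEAN_WEIGHTS, x)) == argmax(forward(stego, x)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Twelve weights already hold 96 bits, so a real model with millions of parameters has megabytes of capacity at this perturbation level. Because the change is confined to bits that training noise already randomizes, accuracy-based checks cannot see it; that is the motivation for the thesis's first defense, which classifies on statistical features of the parameters rather than on task performance.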
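The activation-based discrimination of synthetic malicious data and the pruning defense, as an added worked example that is not the thesis's implementation. A hand-built 4-5-2 ReLU network stands in for a model attacked in the data preparation phase: hidden neurons 0 and 1 serve the normal two-class task, while neurons 2, 3 and 4 each fire only on one constructed synthetic sample whose label carries a secret bit. The weights, the normal training data, the synthetic samples and the secret bits are all constructed. The thesis's two-dimensional reduction plus SVM is replaced by a simpler assumed check (a neuron that normal data never drives fires on the input), and pruning removes every neuron whose mean activation on normal data falls below a threshold chosen for the example.

```python
import random


def relu(v):
    return v if v > 0.0 else 0.0


def dot(a, b):
    return sum(x * y for x, y in zip(a, b))


def hidden_activations(model, x):
    W1, b1, _, _ = model
    return [relu(dot(w, x) + b) for w, b in zip(W1, b1)]


def predict(model, x):
    _, _, W2, b2 = model
    h = hidden_activations(model, x)
    logits = [dot(w, h) + b for w, b in zip(W2, b2)]
    return max(range(len(logits)), key=logits.__getitem__)


# Constructed synthetic samples and the secret bits their training labels encode.
MALICIOUS = [[3.0, 3.0, -3.0, -3.0], [-3.0, -3.0, 3.0, 3.0], [3.0, -3.0, 3.0, -3.0]]
SECRET_BITS = [1, 0, 1]


def build_attacked_model():
    """Constructed network: two task neurons plus one memorization neuron per sample."""
    W1 = [[1.0, 1.0, -1.0, -1.0], [-1.0, -1.0, 1.0, 1.0]]
    b1 = [0.0, 0.0]
    for m in MALICIOUS:
        W1.append(list(m))
        b1.append(-dot(m, m) + 0.5)  # activation 0.5 on m itself, 0 on anything else
    W2 = [[1.0, 0.0] + [100.0 if s == 0 else 0.0 for s in SECRET_BITS],
          [0.0, 1.0] + [100.0 if s == 1 else 0.0 for s in SECRET_BITS]]
    b2 = [0.1, 0.0]
    return W1, b1, W2, b2


def normal_training_data(n=20, seed=1):
    """Constructed two-class data: noisy [1,1,0,0] is class 0, noisy [0,0,1,1] is class 1."""
    rng = random.Random(seed)
    data = []
    for i in range(n):
        y = i % 2
        base = [1.0, 1.0, 0.0, 0.0] if y == 0 else [0.0, 0.0, 1.0, 1.0]
        data.append(([v + rng.uniform(0.0, 0.2) for v in base], y))
    return data


def mean_hidden_activation(model, xs):
    total = [0.0] * len(model[0])
    for x in xs:
        for j, a in enumerate(hidden_activations(model, x)):
            total[j] += a
    return [t / len(xs) for t in total]


def is_suspicious(model, x, mean_act, tau=1e-3):
    """Discrimination check: x drives a neuron that the normal data leaves silent."""
    acts = hidden_activations(model, x)
    return any(a > tau and mu < tau for a, mu in zip(acts, mean_act))


def prune(model, mean_act, tau=1e-3):
    """Cut off hidden neurons whose mean activation on normal data is below tau."""
    W1, b1, W2, b2 = model
    keep = [j for j, mu in enumerate(mean_act) if mu >= tau]
    return ([W1[j] for j in keep], [b1[j] for j in keep],
            [[row[j] for j in keep] for row in W2], list(b2))


def recovered_bits(model):
    """How many secret bits the attacker reads back by querying the synthetic samples."""
    return sum(1 for m, s in zip(MALICIOUS, SECRET_BITS) if predict(model, m) == s)


def demo():
    model = build_attacked_model()
    data = normal_training_data()
    xs = [x for x, _ in data]
    mean_act = mean_hidden_activation(model, xs)
    pruned = prune(model, mean_act)
    return {
        "normal_acc_before": sum(predict(model, x) == y for x, y in data) / len(data),
        "normal_acc_after": sum(predict(pruned, x) == y for x, y in data) / len(data),
        "bits_before": recovered_bits(model),
        "bits_after": recovered_bits(pruned),
        "flagged_normal": sum(is_suspicious(model, x, mean_act) for x in xs),
        "flagged_malicious": sum(is_suspicious(model, m, mean_act) for m in MALICIOUS),
        "hidden_after": len(pruned[0]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

On the constructed model the check flags all three synthetic samples and none of the normal ones, and pruning drops the three memorization neurons, after which the attacker's queries return the wrong bit for every sample while the normal task is untouched. The caveat is the threshold: in a trained network the memorization capacity is spread across neurons that also carry some normal signal, so a fixed tau trades recovered-bit rate against normal accuracy, which is what the thesis's experiments measure.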
Keywords/Search Tags: deep learning, model privacy hiding, threat models, identification defense, model pruning