LFDP: 融合低频信息的差分隐私鲁棒性增强方法

Machine learning model has been widely used in image processing, automatic driving, natural language processing and other fields because of its high accuracy of prediction and classification and the universality of various application scenarios. However, the machine learning model is vulnerable to counter sample attacks. When it is attacked by counter sample attacks, the accuracy of prediction and classification will be greatly reduced. At present, the data enhancement method makes the machine learning model have stronger generalization ability by changing or disturbing the original image, and can enhance its robustness against sample attacks while protecting privacy, which is one of the mainstream methods for enhancing the robustness of machine learning models. However, the robustness enhancement method based on differential privacy is faced with the problem that the added high-frequency noise is easy to be filtered out, resulting in a decline in the robustness enhancement effect. Aiming at this problem, combined with the knowledge of signal processing, this paper expounds the principle that differential privacy can enhance the robustness of machine learning models from the perspective of frequency domain, and proves its effectiveness in theory. A high frequency noise filter HFNF is designed, which can filter out the high frequency Gaussian noise added by differential privacy and reduce the robustness enhancement effect of differential privacy. The reason for the defects of the robustness enhancement method of differential privacy is analyzed theoretically. This paper proposes a universal differential privacy robustness enhancement algorithm LFDP, which fuses low frequency information. By adding high and low frequency noise generated in different frequency domain parts of the image, even if there is high frequency noise filtering attack, the robustness of the model can still be guaranteed, making up for the deficiency of the original high frequency Gaussian noise in differential privacy. The robustness and error boundary of the proposed scheme are theoretically analyzed and given, and tested in actual data sets. The experimental results show that compared with the difference privacy robustness enhancement method directly adding high-frequency noise, LFDP can play a better robustness enhancement effect without increasing the noise scale. © 2025 Chinese Academy of Sciences. All rights reserved.