CN114386058A - Model file encryption and decryption method and device - Google Patents

Info

Publication number: CN114386058A
Application number: CN202111532842.8A
Authority: CN (China)
Prior art keywords: encryption, model, file, data, encrypted
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 邓钢, 龚晨, 蔡书成
Current Assignee: Aisino Corp
Original Assignee: Aisino Corp
Application filed by Aisino Corp

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60: Protecting data
    • G06F21/602: Providing cryptographic facilities or services
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60: Protecting data
    • G06F21/64: Protecting data integrity, e.g. using checksums, certificates or signatures
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06N: COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00: Computing arrangements based on biological models
    • G06N3/02: Neural networks
    • G06N3/04: Architecture, e.g. interconnection topology
    • G06N3/045: Combinations of networks
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06N: COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00: Computing arrangements based on biological models
    • G06N3/02: Neural networks
    • G06N3/08: Learning methods
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08: Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861: Generation of secret information including derivation or calculation of cryptographic keys or passwords

Abstract

An embodiment of the invention provides a method and a device for encrypting and decrypting a model file. When an encryption request for any model file is detected, the method determines, from a file container, an encryption factor and a data encryption range matched with the model file; generates an encryption key for encrypting the model file from the encryption factor and a master key provided by an encryption system; encrypts, with the encryption key, the model data to be encrypted that belongs to the data encryption range in the model file, to obtain an encrypted model file; and stores the encrypted model file in the file container. By encrypting the model file locally (that is, encrypting only part of the model data), the scheme avoids the long running time and heavy consumption of computing resources caused by encrypting the whole model file, so that the encryption efficiency of the model file is improved and the security of the model file is effectively ensured.

Description

Model file encryption and decryption method and device
Technical Field
The embodiment of the invention relates to the technical field of data protection, in particular to a model file encryption and decryption method and device.
Background
ONNX (Open Neural Network Exchange) is an open file format designed for machine learning and used to store trained models. It enables different artificial intelligence frameworks (such as PyTorch, MXNet, etc.) to store model data and interact in the same format. In a specific application project, the model results of machine learning are stored in the form of an ONNX file, so the ONNX model file has value as a data asset. However, at the present stage, a generated ONNX model file is easily intercepted and tampered with, so the security of the ONNX model file is low.
In summary, a method for encrypting and decrypting a model file is needed to effectively ensure the security of the model file.
Disclosure of Invention
The embodiment of the invention provides a model file encryption and decryption method and device, which are used for effectively ensuring the security of a model file.
In a first aspect, an embodiment of the present invention provides a model file encryption method, including:
when an encryption request aiming at any model file is detected, determining an encryption factor and a data encryption range which are matched with the model file from a file container; the file container stores the encryption factors and the data encryption ranges corresponding to the model files;
generating an encryption key for encrypting the model file according to the encryption factor and a master key provided by an encryption system;
encrypting the model data to be encrypted in the model file, which belongs to the data encryption range, by the encryption key to obtain an encrypted model file;
and storing the encrypted model file into the file container.
In the above technical solution, the prior art takes no corresponding security measures to encrypt and protect a model file (such as an ONNX model file) that has data asset value, so the model data with data asset value in the model file is at risk (for example, theft by a lawbreaker leads to loss of data asset value or to tampering, so that the trained model corresponding to the model file can no longer process the corresponding data effectively). Based on this, the technical solution of the invention sets a corresponding data encryption range for each model file to be encrypted, so that the amount of model data to be encrypted in each model file can be adjusted flexibly to meet the requirements of different situations in real application scenarios. Meanwhile, because a model file is generally large, the model file is not encrypted as a whole, in order to improve encryption efficiency; only the model data that belongs to the data encryption range in the model file (such as the key model data) is encrypted. This also reduces the time and computing resources that encrypting the whole model file would consume, so that the encryption efficiency of the model file is effectively improved and the security of the model file is effectively ensured.
Specifically, when an encryption request for any model file is detected, an encryption factor and a data encryption range matched with the model file are determined from the file container, an encryption key for encrypting the model file is generated from the encryption factor and a master key provided by the encryption system, and the model data to be encrypted that belongs to the data encryption range in the model file is locally encrypted with the encryption key. That is, only part of the model data in the model file (such as model data that is valid, important, or in need of security protection) is encrypted, which yields the encrypted model file. By encrypting local model data in the model file in this way, the scheme avoids the long running time and heavy consumption of computing resources caused by encrypting the whole model file, so that the encryption efficiency of the model file is effectively improved and the security of the model file is effectively ensured.
Optionally, at least one preset encryption algorithm corresponding to each model file is stored in the file container;
the encrypting the model data to be encrypted in the model file, which belongs to the data encryption range, through the encryption key to obtain the encrypted model file includes:
determining at least one preset encryption algorithm matched with the model file from the file container, and determining a preset encryption algorithm for encrypting the model file from the at least one preset encryption algorithm;
and encrypting the model data to be encrypted in the model file, which belongs to the data encryption range, by the preset encryption algorithm and the encryption key to obtain an encrypted model file.
In this technical solution, at least one preset encryption algorithm is configured for each model file, which gives more choice and greater flexibility when the model file is encrypted and makes the encryption of the model file random and unpredictable, so that the security of the model file is further ensured. For example, if three different preset encryption algorithms are configured for a certain model file, one of the three can be selected at random when the model file is encrypted. Specifically, the selected algorithm encrypts the model data to be encrypted that belongs to the data encryption range in the model file, so that the model file is encrypted with greater flexibility.
Optionally, a preset data transformation mode corresponding to each model file is stored in the file container;
the storing the encrypted model file into the file container includes:
determining a preset data transformation mode matched with the model file from the file container;
transforming the encrypted model data in the encrypted model file in the preset data transformation mode to obtain a transformed model file;
and storing the transformed model file into the file container.
In the above technical solution, after the model data to be encrypted that belongs to the data encryption range in the model file has been encrypted, a corresponding preset data transformation mode is configured for each model file in order to further strengthen the security of the encrypted model data, and the encrypted model data in the encrypted model file is transformed by the preset data transformation mode of that model file, which gives the encrypted model data further security protection. For example, the positions of the data items in the encrypted model data may be exchanged by swapping positions in the data sequence, and the transformed model file is then determined from the exchanged encrypted model data and the unencrypted model data in the encrypted model file. Alternatively, the encrypted model data may be divided, the resulting sub-encrypted model data sorted by a set sorting algorithm and then spliced, and the transformed model file determined from the spliced encrypted model data and the unencrypted model data in the encrypted model file.
Optionally, the transforming the encrypted model data in the encrypted model file by the preset data transformation manner to obtain a transformed model file includes:
dividing the encrypted model data into m segments to obtain m segments of sub-encrypted model data;
sorting the m segments of sub-encrypted model data by a set sorting algorithm, and splicing the sorted m segments of sub-encrypted model data to obtain spliced encrypted model data;
and determining the transformed model file according to the spliced encrypted model data and the unencrypted model data in the encrypted model file.
In this technical solution, the encrypted model data is divided and the resulting sub-encrypted model data is sorted by the set sorting algorithm, which adds a further layer of protection to the encrypted model data, thereby effectively preventing lawbreakers from decrypting the encrypted model data and effectively ensuring its security.
Optionally, before storing the encrypted model file in the file container, the method further includes:
and carrying out hash operation on the model data to be encrypted in the model file, which belongs to the data encryption range, through a set hash algorithm to obtain a first hash value of the model data to be encrypted, and storing the first hash value into the file container.
In the above technical solution, the hash value of the model data to be encrypted that belongs to the data encryption range in the model file is calculated, so that when the encrypted model data is later decrypted, the integrity and correctness of the decrypted model data can be verified against this hash value. That is, the hash value is used to determine whether the decrypted model data is complete (whether it has been tampered with) and correct, which effectively prevents the model data from being tampered with and ensures the security of the model data.
In a second aspect, an embodiment of the present invention provides a model file decryption method, including:
when a decryption request aiming at any encrypted model file is detected, acquiring the encrypted model file from a file container, and determining an encryption factor and a data encryption range which are matched with the encrypted model file from the file container; the encrypted model file is obtained by encrypting the model data to be encrypted in the model file, which belongs to the data encryption range, through an encryption key; the encryption key is generated according to the encryption factor matched with the model file and a master key provided by an encryption system; the file container stores the encryption factors and the data encryption ranges corresponding to the model files;
generating a decryption key for decrypting the encrypted model file according to the encryption factor and a master key provided by an encryption system;
and decrypting the encrypted model data belonging to the data encryption range in the encrypted model file through the decryption key to obtain the decrypted model file.
In the above technical solution, when a decryption request for any encrypted model file is detected, an encryption factor and a data encryption range matched with the model file are determined from the file container, and a decryption key for decrypting the encrypted model file is generated from the encryption factor and a master key provided by the encryption system. The decryption key may be the same as the encryption key used to encrypt the model file, that is, a symmetric key. The encrypted model data that belongs to the data encryption range in the encrypted model file is then decrypted with the decryption key to obtain the decrypted model file. Because a model file is generally large, the model file is not encrypted as a whole, in order to improve encryption efficiency; only the model data that belongs to the data encryption range in the model file (such as the key model data) is encrypted. This reduces the time and computing resources that encrypting the whole model file would consume, so that the encryption efficiency of the model file is effectively improved and the security of the model file is effectively ensured.
Optionally, at least one preset decryption algorithm corresponding to each model file and a preset data transformation mode corresponding to each model file are stored in the file container;
before decrypting the encrypted model data belonging to the data encryption range in the encrypted model file, the method further comprises the following steps:
determining a preset data transformation mode matched with the encrypted model file from the file container;
performing inverse transformation processing, in the preset data transformation mode, on the spliced encrypted model data that belongs to the data encryption range in the encrypted model file, to obtain inverse-transformed encrypted model data; the spliced encrypted model data is obtained by splicing the sorted m segments of sub-encrypted model data; the sorted m segments of sub-encrypted model data are obtained by dividing the encrypted model data belonging to the data encryption range into m segments and sorting the resulting m segments of sub-encrypted model data by a set sorting algorithm;
the decrypting the encrypted model data belonging to the data encryption range in the encrypted model file through the decryption key to obtain a decrypted model file includes:
determining at least one preset decryption algorithm matched with the encrypted model file from the file container, and determining a preset decryption algorithm for decrypting the encrypted model file from the at least one preset decryption algorithm; the preset decryption algorithm is matched with a preset encryption algorithm used for encrypting the model file;
decrypting the encrypted model data after inverse transformation through the preset decryption algorithm and the decryption key to obtain decrypted model data;
and determining the decrypted model file according to the decrypted model data and the unencrypted model data in the encrypted model file.
In the above technical solution, the preset data transformation mode adopted in the scheme can be used both to transform the encrypted model data and to inversely transform the spliced encrypted model data. That is, whichever preset data transformation mode was used to transform the encrypted model data, the spliced encrypted model data can be inversely transformed by the same mode, so that the encrypted model data is restored accurately. In addition, the preset decryption algorithms in the scheme correspond one to one with the preset encryption algorithms, that is, each preset encryption algorithm corresponds to one preset decryption algorithm. A preset encryption algorithm and its corresponding preset decryption algorithm may be the same algorithm, that is, one algorithm used for both encryption and decryption. Specifically, because at least one preset decryption algorithm is configured for each model file, when a model file is decrypted, the preset decryption algorithm that matches the preset encryption algorithm used to encrypt the model file can be determined from the decryption algorithms matched with the model file, and the inverse-transformed encrypted model data is decrypted by that algorithm, so that the corresponding original model data is recovered accurately.
Optionally, after obtaining the decrypted model data, the method further includes:
performing hash operation on the decrypted model data through a set hash algorithm to obtain a second hash value of the decrypted model data;
acquiring a first hash value from a file container, and comparing the first hash value with the second hash value, thereby determining whether the decrypted model data is correct; the first hash value is obtained by carrying out hash operation on the model data to be encrypted in the model file, which belongs to the data encryption range, through the set hash algorithm.
In the above technical solution, after the model data is decrypted, the decrypted model data needs to be verified to determine whether it has been tampered with, that is, to verify the integrity and correctness of the decrypted model data. In this way, the model data that needs protection in the model file can be effectively prevented from being tampered with, and its security can be ensured.
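The encryption flow of the first aspect and the decryption flow of the second aspect (key generated from the encryption factor and the master key, encryption of the data encryption range only, first hash value, m-segment transformation, inverse transformation, and comparison of the second hash value), as an added example that is not code from the patent. The record field names, the HMAC-SHA256 key derivation, the HMAC-based keystream standing in for a preset algorithm such as SM4 or AES, the keyed segment order and the sample data are all assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace

@dataclass
class ContainerEntry:
    # Per-model record in the file container (field names are assumptions).
    factor: bytes            # encryption factor matched with the model file
    start: int               # data encryption range, as byte offsets [start, end)
    end: int
    m: int                   # number of segments used by the data transformation
    first_hash: bytes = b""  # hash of the plaintext inside the range
    blob: bytes = b""        # stored file: clear part + transformed ciphertext

def derive_key(master_key: bytes, factor: bytes) -> bytes:
    # Assumed derivation: HMAC-SHA256 keyed with the master key over the factor.
    return hmac.new(master_key, factor, hashlib.sha256).digest()

def keystream_xor(key: bytes, data: bytes) -> bytes:
    # Stand-in for a preset symmetric algorithm: HMAC-SHA256 in counter mode
    # XORed with the data, so the same call decrypts. The keystream depends only
    # on the key, so one factor must never protect two different plaintexts.
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hmac.new(key, b"ks" + off.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

def segment_bounds(n: int, m: int) -> list:
    # m near-equal segments over n bytes; the first n % m are one byte longer.
    base, extra = divmod(n, m)
    starts = [i * base + min(i, extra) for i in range(m + 1)]
    return list(zip(starts, starts[1:]))

def segment_order(key: bytes, m: int) -> list:
    # Assumed "set sorting algorithm": order segment indices by a keyed tag.
    return sorted(range(m), key=lambda i: hmac.new(
        key, b"seg" + i.to_bytes(4, "big"), hashlib.sha256).digest())

def transform(key: bytes, data: bytes, m: int) -> bytes:
    bounds = segment_bounds(len(data), m)
    return b"".join(data[a:b] for a, b in (bounds[i] for i in segment_order(key, m)))

def inverse_transform(key: bytes, data: bytes, m: int) -> bytes:
    bounds = segment_bounds(len(data), m)
    out, pos = bytearray(len(data)), 0
    for i in segment_order(key, m):      # segments arrive in sorted order
        a, b = bounds[i]
        out[a:b] = data[pos:pos + (b - a)]
        pos += b - a
    return bytes(out)

def encrypt_model(model: bytes, entry: ContainerEntry, master_key: bytes) -> None:
    key = derive_key(master_key, entry.factor)
    target = model[entry.start:entry.end]
    entry.first_hash = hashlib.sha256(target).digest()
    spliced = transform(key, keystream_xor(key, target), entry.m)
    entry.blob = model[:entry.start] + spliced + model[entry.end:]

def decrypt_model(entry: ContainerEntry, master_key: bytes) -> bytes:
    key = derive_key(master_key, entry.factor)
    restored = inverse_transform(key, entry.blob[entry.start:entry.end], entry.m)
    plain = keystream_xor(key, restored)
    second_hash = hashlib.sha256(plain).digest()
    if not hmac.compare_digest(entry.first_hash, second_hash):
        raise ValueError("decrypted model data does not match the first hash value")
    return entry.blob[:entry.start] + plain + entry.blob[entry.end:]

def tamper_detected(entry: ContainerEntry, master_key: bytes, offset: int) -> bool:
    # Flip one bit of the stored file and report whether decryption rejects it.
    blob = bytearray(entry.blob)
    blob[offset] ^= 0x01
    try:
        decrypt_model(replace(entry, blob=bytes(blob)), master_key)
    except ValueError:
        return True
    return False

def demo() -> dict:
    master_key = bytes(range(32))                                   # constructed
    model = b"ONNX-HEADER|" + bytes(range(256)) * 4 + b"|METADATA"  # constructed
    entry = ContainerEntry(factor=b"model-A/factor-01", start=12, end=1036, m=5)
    encrypt_model(model, entry, master_key)
    return {
        "roundtrip": decrypt_model(entry, master_key) == model,
        "range_hidden": entry.blob[12:1036] != model[12:1036],
        "tamper_in_range_detected": tamper_detected(entry, master_key, 500),
        "tamper_outside_range_detected": tamper_detected(entry, master_key, 3),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The last result is False: the first and second hash values cover only the data encryption range, so a change to the unencrypted part of the stored file passes this check and needs an integrity check of its own.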
In a third aspect, an embodiment of the present invention provides a model file encryption apparatus, including:
the model file encryption device comprises a first detection unit, a second detection unit and a third detection unit, wherein the first detection unit is used for determining an encryption factor and a data encryption range which are matched with any model file from a file container when an encryption request aiming at the model file is detected; the file container stores the encryption factors and the data encryption ranges corresponding to the model files;
the first processing unit is used for generating an encryption key for encrypting the model file according to the encryption factor and a master key provided by an encryption system; encrypting the model data to be encrypted in the model file, which belongs to the data encryption range, by the encryption key to obtain an encrypted model file; and storing the encrypted model file into the file container.
Optionally, at least one preset encryption algorithm corresponding to each model file is stored in the file container;
the first processing unit is specifically configured to:
determining at least one preset encryption algorithm matched with the model file from the file container, and determining a preset encryption algorithm for encrypting the model file from the at least one preset encryption algorithm;
and encrypting the model data to be encrypted in the model file, which belongs to the data encryption range, by the preset encryption algorithm and the encryption key to obtain an encrypted model file.
Optionally, a preset data transformation mode corresponding to each model file is stored in the file container;
the first processing unit is specifically configured to:
determining a preset data transformation mode matched with the model file from the file container;
transforming the encrypted model data in the encrypted model file in the preset data transformation mode to obtain a transformed model file;
and storing the transformed model file into the file container.
Optionally, the first processing unit is specifically configured to:
dividing the encrypted model data into m segments to obtain m segments of sub-encrypted model data;
sorting the m segments of sub-encrypted model data by a set sorting algorithm, and splicing the sorted m segments of sub-encrypted model data to obtain spliced encrypted model data;
and determining the transformed model file according to the spliced encrypted model data and the unencrypted model data in the encrypted model file.
Optionally, the first processing unit is further configured to:
before the encrypted model file is stored in the file container, performing hash operation on the model data to be encrypted in the model file, which belongs to the data encryption range, through a set hash algorithm to obtain a first hash value of the model data to be encrypted, and storing the first hash value in the file container.
In a fourth aspect, an embodiment of the present invention provides a model file decryption apparatus, including:
the second detection unit is used for acquiring the encrypted model file from a file container when a decryption request aiming at any encrypted model file is detected, and determining an encryption factor and a data encryption range which are matched with the encrypted model file from the file container; the encrypted model file is obtained by encrypting the model data to be encrypted in the model file, which belongs to the data encryption range, through an encryption key; the encryption key is generated according to the encryption factor matched with the model file and a master key provided by an encryption system; the file container stores the encryption factors and the data encryption ranges corresponding to the model files;
the second processing unit is used for generating a decryption key for decrypting the encrypted model file according to the encryption factor and a master key provided by an encryption system; and decrypting the encrypted model data belonging to the data encryption range in the encrypted model file through the decryption key to obtain the decrypted model file.
Optionally, at least one preset decryption algorithm corresponding to each model file and a preset data transformation mode corresponding to each model file are stored in the file container;
the second processing unit is further configured to:
before decryption processing is carried out on encrypted model data which belongs to the data encryption range in the encrypted model file, a preset data transformation mode matched with the encrypted model file is determined from the file container;
performing inverse transformation processing, in the preset data transformation mode, on the spliced encrypted model data that belongs to the data encryption range in the encrypted model file, to obtain inverse-transformed encrypted model data; the spliced encrypted model data is obtained by splicing the sorted m segments of sub-encrypted model data; the sorted m segments of sub-encrypted model data are obtained by dividing the encrypted model data belonging to the data encryption range into m segments and sorting the resulting m segments of sub-encrypted model data by a set sorting algorithm;
the second processing unit is specifically configured to:
determining at least one preset decryption algorithm matched with the encrypted model file from the file container, and determining a preset decryption algorithm for decrypting the encrypted model file from the at least one preset decryption algorithm; the preset decryption algorithm is matched with a preset encryption algorithm used for encrypting the model file;
decrypting the encrypted model data after inverse transformation through the preset decryption algorithm and the decryption key to obtain decrypted model data;
and determining the decrypted model file according to the decrypted model data and the unencrypted model data in the encrypted model file.
Optionally, the second processing unit is further configured to:
after the decrypted model data are obtained, carrying out hash operation on the decrypted model data through a set hash algorithm to obtain a second hash value of the decrypted model data;
acquiring a first hash value from a file container, and comparing the first hash value with the second hash value, thereby determining whether the decrypted model data is correct; the first hash value is obtained by carrying out hash operation on the model data to be encrypted in the model file, which belongs to the data encryption range, through the set hash algorithm.
In a fifth aspect, an embodiment of the present invention provides a computing device, including at least one processor and at least one memory, where the memory stores a computer program, and when the program is executed by the processor, the computer program causes the processor to execute the model file encryption method according to any of the above first aspects, or execute the model file decryption method according to any of the above second aspects.
In a sixth aspect, an embodiment of the present invention provides a computer-readable storage medium, which stores a computer program executable by a computing device, and when the program runs on the computing device, causes the computing device to execute the model file encryption method according to any of the first aspects or execute the model file decryption method according to any of the second aspects.
Drawings
In order to illustrate the technical solutions in the embodiments of the present invention more clearly, the drawings used in the description of the embodiments are briefly introduced below. The drawings in the following description show only some embodiments of the present invention, and those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic flowchart of a model file encryption method according to an embodiment of the present invention;
Fig. 2 is a schematic flowchart of a model file decryption method according to an embodiment of the present invention;
Fig. 3 is a schematic structural diagram of a model file encryption apparatus according to an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of a model file decryption apparatus according to an embodiment of the present invention;
Fig. 5 is a schematic structural diagram of a computing device according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the present invention will be described in further detail with reference to the accompanying drawings, and it is apparent that the described embodiments are only a part of the embodiments of the present invention, not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Fig. 1 exemplarily shows a flow of a model file encryption method provided by an embodiment of the present invention, which may be executed by a model file encryption apparatus.
As shown in fig. 1, the process specifically includes:
Step 101: when an encryption request for any model file is detected, an encryption factor and a data encryption range which are matched with the model file are determined from a file container.
In the embodiment of the invention, an open file container is first designed for storing the encrypted, protected model files. The file container stores the encryption factor and the data encryption range corresponding to each model file, at least one preset encryption algorithm and at least one preset decryption algorithm corresponding to each model file, and a preset data transformation mode corresponding to each model file. Illustratively, the file container includes:
(1) A file container identification number, used for identifying the file container.
(2) A version number, used for distinguishing the version of the file container.
(3) The encryption and decryption modes. Each model file corresponds to at least one encryption mode (i.e., encryption algorithm) and at least one decryption mode (i.e., decryption algorithm), and for each model file, each encryption mode corresponds to one decryption mode. An encryption mode and its corresponding decryption mode may be the same mode, that is, one mode used for both encryption and decryption, for example a symmetric encryption/decryption mode (e.g., a symmetric encryption/decryption algorithm), which uses the same key for encryption and decryption. The symmetric encryption algorithms may include, for example, the domestic cryptographic algorithms block cipher algorithm SM1 and block cipher algorithm SM4, and the international algorithms AES (Advanced Encryption Standard), DES (Data Encryption Standard), Blowfish (i.e., a symmetric-key block encryption algorithm), IDEA (International Data Encryption Algorithm), RC4, RC5, RC6, and the like. Different encryption modes can be distinguished by different identification numbers, a file identifier is configured for each model file to distinguish the model files, and the mapping between each model file and its at least one encryption and decryption mode is set. The same encryption and decryption modes may be set for every model file: for example, encryption mode 1 and decryption mode 1, encryption mode 2 and decryption mode 2, and encryption mode 3 and decryption mode 3 are set for model file A, and the same three pairs are set for model file B, model file C, and so on. Alternatively, different encryption and decryption modes may be set for each model file: for example, encryption mode A1 and decryption mode A1, encryption mode A2 and decryption mode A2, and encryption mode A3 and decryption mode A3 are set for model file A, while encryption mode B1 and decryption mode B1, encryption mode B2 and decryption mode B2, and encryption mode B3 and decryption mode B3 are set for model file B. Alternatively, some model files share the same encryption and decryption modes while others have different ones: for example, encryption mode 1 and decryption mode 1, encryption mode 2 and decryption mode 2, and encryption mode 3 and decryption mode 3 are set for model file A and also for model file B, while encryption mode C1 and decryption mode C1, encryption mode C2 and decryption mode C2, and encryption mode C3 and decryption mode C3 are set for model file C, and encryption mode D1 and decryption mode D1, encryption mode D2 and decryption mode D2, and encryption mode D3 and decryption mode D3 are set for model file D.
(4) The encryption factor corresponding to each model file, used for determining the working key for the model file (i.e., determining the encryption key for encrypting the model file and the decryption key for decrypting the encrypted model file). The encryption factors of different model files may be the same or different, and each model file may be given several encryption factors or only one. For example, one encryption factor a is set for model file A, and the same single encryption factor a is set for the other model files; or one encryption factor B is set for model file B and one encryption factor C is set for model file C. For another example, two encryption factors a1 and a2 are set for model file A, and the same two encryption factors a1 and a2 are set for model file B and for model file C; or two encryption factors B1 and B2 are set for model file B and two encryption factors C1 and C2 are set for model file C; or two encryption factors a1 and a2 are set for model file B and two encryption factors C1 and C2 are set for model file C.
(5) The data encryption range corresponding to each model file, that is, a corresponding data encryption range is set for each model file.
(6) The data transformation mode corresponding to each model file (i.e., the data transformation mode used for transforming the encrypted data), which is not limited in the embodiments of the present invention. Several data transformation modes may be set for one model file, or only one.
(7) The data length, used for recording the data length of the encrypted data.
(8) The check value, used for recording the hash value of the data to be encrypted.
After an encryption request for any model file is detected, encryption of that model file begins. That is, for each model file in the model file database, a user who needs to encrypt a certain model file may submit an encryption request for it, through a client (that is, a client provided by the server for processing encryption and decryption operations) on the terminal device in use (for example, a notebook computer, a desktop computer, a smart phone, or another network device), to the system that processes model file (for example, ONNX model file) encryption and decryption operations (for example, a server for processing model file encryption and decryption operations). Alternatively, that system starts encrypting the model file after receiving the user's encryption operation instruction for a certain model file in the system. Specifically, when an encryption request for any model file is detected, the model file is acquired from the model file database, or, where the model file is included in the encryption request, the model file is parsed from the encryption request. Meanwhile, taking a model file configured with one encryption factor as an example, the encryption factor and the data encryption range which are matched with the model file are determined from the file container. For example, the file container stores the correspondence between file identifiers and the encryption factors and data encryption ranges, and the encryption factor and the data encryption range of the model file are matched from the file container through the file identifier of the model file.
Alternatively, the file container stores the correspondence between each model file and its encryption factor and data encryption range, and the model file can be feature-matched directly against the model files in the file container, so that the encryption factor and the data encryption range of the model file can be matched. Thus, after the encryption factor and the data encryption range of the model file are determined, the corresponding encryption operation can be started for the model file. In this scheme, a corresponding data encryption range is set for each model file to be encrypted, so that the amount of model data to be encrypted in each model file can be flexibly adjusted to meet the actual requirements of different situations in actual application scenarios. Meanwhile, a corresponding encryption factor is set for each model file to be encrypted, for example a different encryption factor for each, so that each model file has a different working key. This improves the encryption security of each model file: if the same encryption factor were used for every model file, obtaining the encryption factor of one encrypted model file would amount to obtaining the encryption factor of all of them, and lawbreakers who obtained it could crack the model data in the other encrypted model files; with different encryption factors this situation is avoided.
Step 102, generating an encryption key for encrypting the model file according to the encryption factor and a master key provided by an encryption system.
In the embodiment of the invention, the encryption key for encrypting the model file can be calculated by using the encryption factor of the model file stored in the file container and the master key provided by the encryption system. For example, if the encryption factor of the model file is p and the master key provided by the encryption system is s, the encryption key can be calculated as s × p.
Step 103, encrypting the model data to be encrypted in the model file, which belongs to the data encryption range, by the encryption key to obtain an encrypted model file.
In the embodiment of the present invention, specifically, at least one preset encryption algorithm is configured for each model file in the file container, so that when the model file is encrypted, the model file has more selectivity and higher flexibility, and the encryption for the model file can be made to have randomness and unpredictability, so that the security of the model file can be further ensured. Therefore, when the model file needs to be encrypted by using the encryption algorithm, at least one preset encryption algorithm matched with the model file can be determined from the file container, and one preset encryption algorithm is randomly selected from the at least one preset encryption algorithm and used for encrypting the model file. Then, by randomly selecting a preset encryption algorithm and an encryption key for encrypting the model file, the model data to be encrypted in the data encryption range in the model file can be encrypted, and the encrypted model data can be obtained, so that the encrypted model file can be obtained. 
For example, three different preset encryption algorithms are configured for the model file; when the model file is encrypted, one of the three is randomly selected for encrypting it. If, for example, the model data belonging to the convolutional layer in the model file is to be encrypted, that data is encrypted through the selected preset encryption algorithm and the encryption key to obtain the encrypted model data belonging to the convolutional layer. Likewise, if the model data belonging to the input layer (or, for example, the output layer or the fully connected layer) in the model file is to be encrypted, that data is encrypted through the preset encryption algorithm and the encryption key to obtain the encrypted model data belonging to the input layer (or, for example, the output layer or the fully connected layer). The encryption of the model file can therefore have higher flexibility.
Step 104, storing the encrypted model file into the file container.
In the embodiment of the invention, after the model data to be encrypted, which belongs to the data encryption range in the model file, is encrypted, a corresponding preset data transformation mode is configured for each model file in order to further enhance the security of the encrypted model data, and the encrypted model data in the encrypted model file is transformed through the preset data transformation mode of the model file, so that further security protection of the encrypted model data can be realized. Specifically, a preset data transformation mode matched with the model file is determined from the file container, the encrypted model data in the encrypted model file is transformed through the preset data transformation mode to obtain a transformed model file, and then the transformed model file is stored in the file container. Only one preset data transformation mode may be set for each model file, or multiple preset data transformation modes may be set for each model file, so that when data transformation is needed, one preset data transformation mode can be randomly selected from the configured modes for transforming the encrypted model data in the model file. There are various preset data transformation modes. For example, the positions of the data items in the encrypted model data may be exchanged in a data sequence position exchange manner, and the transformed model file is determined from the position-exchanged encrypted model data and the unencrypted model data in the encrypted model file. Alternatively, the encrypted model data may be divided, the divided sub-encrypted model data sorted by a set sorting algorithm, and the sorted sub-encrypted model data spliced, and the transformed model file is determined from the spliced encrypted model data and the unencrypted model data in the encrypted model file.
When the encrypted model data in the encrypted model file is transformed, one of the preset modes can be used: the encrypted model data is divided into m sections to obtain m sections of sub-encrypted model data, the m sections of sub-encrypted model data are sorted through a set sorting algorithm, and the sorted m sections of sub-encrypted model data are spliced to obtain spliced encrypted model data. The transformed model file can then be determined according to the spliced encrypted model data and the unencrypted model data in the encrypted model file. In this scheme, dividing the encrypted model data and sorting the divided sub-encrypted model data according to the set sorting algorithm adds a further layer of protection to the encrypted model data, so that cracking of the encrypted model data by lawbreakers can be effectively avoided and the security of the encrypted model data can be effectively ensured.
After the encrypted model data in the encrypted model file is transformed, the data length of the spliced encrypted model data is calculated and stored into the file container.
In addition, before the encrypted model file is stored in the file container, the hash operation is performed on the model data to be encrypted in the model file, which belongs to the data encryption range, through a set hash algorithm to obtain a first hash value of the model data to be encrypted, and the first hash value is stored in the file container, that is, the first hash value is stored in the check value area in the file container. Therefore, the scheme is to calculate the hash value of the model data to be encrypted belonging to the data encryption range in the model file, so that when the encrypted model data is decrypted subsequently, the integrity and the correctness of the decrypted model data can be verified through the hash value, that is, whether the decrypted model data is complete (whether the decrypted model data is tampered) and correct is determined through the hash value, so that the model data can be effectively prevented from being tampered, and the safety of the model data can be ensured.
Accordingly, fig. 2 exemplarily shows a flow of a model file decryption method provided by an embodiment of the present invention, and the flow may be executed by a model file decryption apparatus.
As shown in fig. 2, the process specifically includes:
Step 201, when a decryption request for any encrypted model file is detected, acquiring the encrypted model file from a file container, and determining an encryption factor and a data encryption range which are matched with the encrypted model file from the file container.
In the embodiment of the present invention, after a decryption request for any encrypted model file is detected, decryption of that encrypted model file begins. That is, for each encrypted model file in the file container, a user who needs to decrypt a certain encrypted model file may submit a decryption request for it, through a client (that is, a client provided by the server for processing encryption and decryption operations) on the terminal device in use (for example, a notebook computer, a desktop computer, a smart phone, or another network device), to the system that processes model file (for example, ONNX model file) encryption and decryption operations (for example, a server for processing model file encryption and decryption operations). Alternatively, that system starts decrypting the encrypted model file after receiving the user's decryption operation instruction for a certain encrypted model file in the system. Specifically, when a decryption request for any encrypted model file is detected, the encrypted model file is obtained from the file container, or, where the encrypted model file is included in the decryption request, the encrypted model file is parsed from the decryption request. The encrypted model file is obtained by encrypting the model data to be encrypted in the model file, which belongs to the data encryption range, through an encryption key, and is stored in the file container; the encryption key is generated according to the encryption factor matched with the model file and a master key provided by an encryption system; the file container stores an encryption factor and a data encryption range corresponding to each model file, and also stores at least one preset decryption algorithm corresponding to each model file and a preset data transformation mode corresponding to each model file.
For example, taking an example that a model file is configured with an encryption factor, an encryption factor and a data encryption range which are matched with an encrypted model file are determined from a file container, for example, a corresponding relationship between a file identifier (i.e., an identifier of the encrypted model file, where the file identifier of the encrypted model file is the same as the file identifier of the model file before encryption) and the encryption factor and the data encryption range is stored in the file container, and the encryption factor and the data encryption range of the model file are matched from the file container through the file identifier of the model file. Or, the file container stores the corresponding relationship between each model file and each encryption factor and each data encryption range, and the model file and each model file in the file container can be directly subjected to feature matching, so that the encryption factor and the data encryption range of the model file can be matched. Thus, after the encryption factor and the data encryption range of the model file are determined, the corresponding decryption operation can be started for the encrypted model file.
Step 202, generating a decryption key for decrypting the encrypted model file according to the encryption factor and the master key provided by the encryption system.
In the embodiment of the present invention, a decryption key for decrypting the encrypted model file can be calculated by using the encryption factor of the encrypted model file stored in the file container (where the encryption factor of the encrypted model file is the same as the encryption factor of the model file before encryption) and the master key provided by the encryption system. Because the encryption and decryption operations can be performed on the model file by adopting a symmetric encryption and decryption mode, the determined encryption key and the determined decryption key for the same model file are the same. For example, if the encryption factor of the encrypted model file is p and the master key provided by the encryption system is s, the decryption key can be calculated as s × p.
Step 203, decrypting the encrypted model data belonging to the data encryption range in the encrypted model file through the decryption key to obtain a decrypted model file.
In the embodiment of the present invention, because the encrypted model data in the model file was transformed in the preset data transformation mode after the encryption operation, the transformed encrypted model data in the model file must be inverse-transformed before the decryption operation, so as to recover the encrypted model data as it was before the data transformation and allow it to be decrypted accurately afterwards. Because the encrypted model data was transformed with a preset data transformation mode, applying the inverse of that same mode to the spliced encrypted model data accurately restores the encrypted model data. Before decryption processing is carried out on the encrypted model data which belongs to the data encryption range in the encrypted model file, a preset data transformation mode matched with the encrypted model file is determined from the file container, and inverse transformation processing is carried out, through the preset data transformation mode, on the spliced encrypted model data which belongs to the data encryption range in the encrypted model file, to obtain inverse-transformed encrypted model data. The spliced encrypted model data is obtained by splicing the sorted m sections of sub-encrypted model data; the sorted m sections of sub-encrypted model data are obtained by sorting, through a set sorting algorithm, the m sections of sub-encrypted model data obtained by dividing the encrypted model data belonging to the data encryption range into m sections. The inverse-transformed encrypted model data can therefore be conveniently and accurately decrypted through a decryption algorithm to obtain the corresponding original model data.
Specifically, when the encrypted model data after inverse transformation is decrypted, at least one preset decryption algorithm matched with the encrypted model file is determined from the file container, and a preset decryption algorithm used for decrypting the encrypted model file is determined from the at least one preset decryption algorithm. The preset decryption algorithms are matched with the preset encryption algorithms used for encrypting the model files, that is, the preset decryption algorithms correspond to the preset encryption algorithms one by one, that is, one preset encryption algorithm corresponds to one preset decryption algorithm. The preset encryption algorithm and the preset decryption algorithm which correspond to each other one by one may be the same algorithm, that is, the algorithm may be used for both encryption and decryption. Specifically, by configuring at least one preset decryption algorithm corresponding to each model file, when the model files are encrypted and decrypted, a preset decryption algorithm matched with the preset encryption algorithm used for encrypting the model files can be determined from a plurality of decryption algorithms matched with the model files, and the encrypted model data after inverse transformation is decrypted through the preset decryption algorithm, so that the corresponding original model data can be accurately decrypted. For example, the encryption mode and the corresponding decryption mode for the model file may be the same mode, that is, the mode may be used for both encryption and decryption, for example, a symmetric encryption/decryption mode (e.g., a symmetric encryption/decryption algorithm), so the algorithm is used when the model file is encrypted, and the algorithm is also used when the encrypted model file is decrypted. 
Then, the encrypted model data after inverse transformation is decrypted through the preset decryption algorithm and the decryption key, so that the decrypted model data can be obtained, and the decrypted model file can be determined according to the decrypted model data and the unencrypted model data in the encrypted model file.
After the decrypted model data is obtained, it needs to be verified. A hash operation is performed on the decrypted model data through a set hash algorithm to obtain a second hash value of the decrypted model data, and the first hash value corresponding to the encrypted model file is obtained from the file container. The first hash value is compared with the second hash value to determine whether they are consistent, which determines whether the decrypted model data is correct and whether it has been tampered with (i.e., the integrity and correctness of the decrypted model data are verified). Therefore, the model data which needs to be protected in the model file can be effectively prevented from being tampered with, and the security of that model data can be ensured.
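The encryption flow of steps 101 to 104 and the decryption flow of steps 201 to 203, including the m-section transformation, the stored data length and the hash check, are shown below as an added Python example that is not code from the patent. Assumptions: the container is a dictionary with hypothetical field names, HMAC-SHA256 replaces the illustrative s × p key calculation, a SHA-256 keystream XOR stands in for the SM4/AES-class algorithms so that only the standard library is needed, SHA-256 is the set hash algorithm, and the set sorting algorithm is a stored section order.

```python
import hashlib
import hmac

# Constructed sample data (not from the patent).
MASTER_KEY = b"constructed-master-key"
SAMPLE_MODEL = bytes(range(256)) * 2          # 512-byte stand-in for a model file


def demo_container():
    """Fresh container: per-file factor, data encryption range, section order."""
    return {
        "model-a": {"factor": b"factor-a", "range": (100, 247),
                    "segment_order": [2, 0, 3, 1]},
        "model-b": {"factor": b"factor-b", "range": (0, 64),
                    "segment_order": [1, 0]},
    }


def derive_working_key(master_key, factor):
    """Working key from master key s and factor p (assumption: HMAC, not s x p)."""
    return hmac.new(master_key, factor, hashlib.sha256).digest()


def stream_xor(key, data):
    """Stand-in symmetric algorithm: the same call encrypts and decrypts."""
    out = bytearray()
    for counter, offset in enumerate(range(0, len(data), 32)):
        pad = hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def _section_lengths(total, m):
    """Lengths of m sections; trailing sections may be short or empty."""
    size = -(-total // m)                      # ceiling division
    return [max(0, min(size, total - i * size)) for i in range(m)]


def _check_order(order):
    if not order or sorted(order) != list(range(len(order))):
        raise ValueError("section order must be a permutation of 0..m-1")


def transform(data, order):
    """Divide into m sections, reorder them, splice the result."""
    _check_order(order)
    lengths = _section_lengths(len(data), len(order))
    starts = [sum(lengths[:i]) for i in range(len(order))]
    return b"".join(data[starts[i]:starts[i] + lengths[i]] for i in order)


def inverse_transform(data, order):
    """Undo transform(): put each spliced section back at its original index."""
    _check_order(order)
    lengths = _section_lengths(len(data), len(order))
    sections, pos = [b""] * len(order), 0
    for i in order:
        sections[i] = data[pos:pos + lengths[i]]
        pos += lengths[i]
    return b"".join(sections)


def encrypt_model(container, file_id, model, master_key):
    entry = container[file_id]                 # step 101: factor and range
    start, end = entry["range"]
    plain = model[start:end]
    entry["check_value"] = hashlib.sha256(plain).hexdigest()   # first hash
    key = derive_working_key(master_key, entry["factor"])      # step 102
    spliced = transform(stream_xor(key, plain), entry["segment_order"])  # 103
    entry["data_length"] = len(spliced)
    entry["blob"] = model[:start] + spliced + model[end:]      # step 104
    return entry["blob"]


def decrypt_model(container, file_id, master_key):
    entry = container[file_id]                 # step 201
    start, end = entry["range"]
    blob = entry["blob"]
    spliced = blob[start:end]
    if len(spliced) != entry["data_length"]:
        raise ValueError("encrypted data length differs from container record")
    key = derive_working_key(master_key, entry["factor"])      # step 202
    restored = inverse_transform(spliced, entry["segment_order"])
    plain = stream_xor(key, restored)                          # step 203
    second_hash = hashlib.sha256(plain).hexdigest()
    if not hmac.compare_digest(second_hash, entry["check_value"]):
        raise ValueError("hash mismatch: decrypted model data is not intact")
    return blob[:start] + plain + blob[end:]


if __name__ == "__main__":
    c = demo_container()
    encrypt_model(c, "model-a", SAMPLE_MODEL, MASTER_KEY)
    print(decrypt_model(c, "model-a", MASTER_KEY) == SAMPLE_MODEL)
```

Only bytes 100 to 246 of the sample are encrypted and reordered; the rest of the file is stored unchanged, which is the partial-encryption behaviour the data encryption range provides.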
The above embodiments show that, in the prior art, since corresponding security measures are not taken to perform encryption protection on a model file with a data asset value (such as an ONNX model file), there is an insecurity risk on model data with a data asset value in the model file (for example, a training model corresponding to the model file cannot be effectively processed for corresponding data due to being stolen or tampered by a lawbreaker). Based on this, the technical scheme of the invention can realize flexible adjustment of the model data amount to be encrypted in each model file to be encrypted by setting the corresponding data encryption range for each model file to be encrypted, thereby meeting the actual requirements of different situations in the actual application scene. Meanwhile, because the model file is generally large in volume, in order to improve the encryption efficiency of the model file, the model file is not encrypted integrally, but only the model data (such as the key model data) belonging to the data encryption range in the model file to be encrypted is encrypted, which is also helpful for reducing the time and the computing resources consumed by the encryption operation of the whole model file, so that the encryption efficiency of the model file can be effectively improved, and the security of the model file can be effectively ensured. 
Specifically, when an encryption request for any model file is detected, an encryption factor and a data encryption range which are matched with the model file can be determined from a file container, an encryption key for encrypting the model file can be generated according to the encryption factor and a master key provided by an encryption system, and model data to be encrypted in the model file, which belongs to the data encryption range, is locally encrypted through the encryption key, that is, part of the model data (such as valid, important or model data which needs security protection) in the model file is encrypted, so that the encrypted model file is obtained. Therefore, according to the scheme, the problems that the encryption operation is long in time consumption and a large amount of computing resources are required to be consumed due to the fact that the encryption is carried out on the whole model file can be avoided by encrypting the local model data in the model file, so that the encryption efficiency of the model file can be effectively improved, and the safety of the model file can be effectively ensured.
Based on the same technical concept, fig. 3 exemplarily shows a model file encryption apparatus provided by an embodiment of the present invention, and the apparatus can execute a flow of a model file encryption method. The model file encryption device may be disposed in a system for processing model file encryption and decryption operations, and may be used as a functional module of the system, for example, a function of implementing the model file encryption device may be integrated into a chip, and the chip executes a model file encryption method; or the model file encryption device can be independently arranged, and a system for processing the model file encryption and decryption operation calls the model file encryption device when the encryption operation is required.
As shown in fig. 3, the apparatus includes:
a first detection unit 301, configured to determine, when an encryption request for any model file is detected, an encryption factor and a data encryption range that match the model file from a file container; the file container stores the encryption factors and the data encryption ranges corresponding to the model files;
a first processing unit 302, configured to generate an encryption key for encrypting the model file according to the encryption factor and a master key provided by an encryption system; encrypting the model data to be encrypted in the model file, which belongs to the data encryption range, by the encryption key to obtain an encrypted model file; and storing the encrypted model file into the file container.
Optionally, at least one preset encryption algorithm corresponding to each model file is stored in the file container;
the first processing unit 302 is specifically configured to:
determining at least one preset encryption algorithm matched with the model file from the file container, and determining a preset encryption algorithm for encrypting the model file from the at least one preset encryption algorithm;
and encrypting the model data to be encrypted in the model file, which belongs to the data encryption range, by the preset encryption algorithm and the encryption key to obtain an encrypted model file.
Optionally, a preset data transformation mode corresponding to each model file is stored in the file container;
the first processing unit 302 is specifically configured to:
determining a preset data transformation mode matched with the model file from the file container;
transforming the encrypted model data in the encrypted model file in the preset data transformation mode to obtain a transformed model file;
and storing the transformed model file into the file container.
Optionally, the first processing unit 302 is specifically configured to:
dividing the encryption model data into m sections to obtain m sections of sub-encryption model data;
sequencing the m sections of sub-encryption model data through a set sequencing algorithm, and splicing the sequenced m sections of sub-encryption model data to obtain spliced encryption model data;
and determining the transformed model file according to the spliced encrypted model data and the unencrypted model data in the encrypted model file.
Optionally, the first processing unit 302 is further configured to:
before the encrypted model file is stored in the file container, performing hash operation on the model data to be encrypted in the model file, which belongs to the data encryption range, through a set hash algorithm to obtain a first hash value of the model data to be encrypted, and storing the first hash value in the file container.
Based on the same technical concept, fig. 4 exemplarily shows a model file decryption apparatus provided by an embodiment of the present invention, and the apparatus may execute a flow of a model file decryption method. The model file decryption device may be disposed in a system for processing model file encryption and decryption operations, and may be used as a functional module of the system, for example, a function of implementing the model file decryption device may be integrated into a chip, and the chip executes a model file decryption method; or the model file decryption device can be independently arranged, and a system for processing the model file encryption and decryption operation calls the model file decryption device when the encryption operation is needed.
As shown in fig. 4, the apparatus includes:
a second detecting unit 401, configured to, when a decryption request for any encrypted model file is detected, obtain the encrypted model file from a file container, and determine, from the file container, an encryption factor and a data encryption range that match the encrypted model file; the encrypted model file is obtained by encrypting the model data to be encrypted in the model file, which belongs to the data encryption range, through an encryption key; the encryption key is generated according to the encryption factor matched with the model file and a master key provided by an encryption system; the file container stores the encryption factors and the data encryption ranges corresponding to the model files;
a second processing unit 402, configured to generate a decryption key for decrypting the encrypted model file according to the encryption factor and a master key provided by an encryption system; and decrypting the encrypted model data belonging to the data encryption range in the encrypted model file through the decryption key to obtain the decrypted model file.
Optionally, at least one preset decryption algorithm corresponding to each model file and a preset data transformation mode corresponding to each model file are stored in the file container;
the second processing unit 402 is further configured to:
before decryption processing is carried out on encrypted model data which belongs to the data encryption range in the encrypted model file, a preset data transformation mode matched with the encrypted model file is determined from the file container;
performing inverse transformation processing on spliced encrypted model data which belongs to the data encryption range in the encrypted model file in the preset data transformation mode to obtain inverse-transformed encrypted model data; the spliced encrypted model data is obtained by splicing the sequenced m sections of sub-encrypted model data; the ordered m sections of sub-encryption model data are obtained by ordering m sections of sub-encryption model data obtained by dividing the encryption model data belonging to the data encryption range into m sections through a set ordering algorithm;
the second processing unit 402 is specifically configured to:
determining at least one preset decryption algorithm matched with the encrypted model file from the file container, and determining a preset decryption algorithm for decrypting the encrypted model file from the at least one preset decryption algorithm; the preset decryption algorithm is matched with a preset encryption algorithm used for encrypting the model file;
decrypting the encrypted model data after inverse transformation through the preset decryption algorithm and the decryption key to obtain decrypted model data;
and determining the decrypted model file according to the decrypted model data and the unencrypted model data in the encrypted model file.
Optionally, the second processing unit 402 is further configured to:
after the decrypted model data are obtained, carrying out hash operation on the decrypted model data through a set hash algorithm to obtain a second hash value of the decrypted model data;
acquiring a first hash value from a file container, and comparing the first hash value with the second hash value, thereby determining whether the decrypted model data is correct; the first hash value is obtained by carrying out hash operation on the model data to be encrypted in the model file, which belongs to the data encryption range, through the set hash algorithm.
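The decryption flow above and its matching encryption flow, as an added example that is not code from the patent. The HMAC-SHA256 key derivation, the HMAC keystream standing in for the preset encryption algorithm, SHA-256 as the set hash algorithm, the container entry layout and all sample values are assumptions.

```python
import hashlib
import hmac

def derive_key(master_key, factor):
    # Per-file key from the master key and the file's encryption factor
    # (assumed derivation: HMAC-SHA256 with a fixed label).
    return hmac.new(master_key, b"model-file-key|" + factor, hashlib.sha256).digest()

def keystream_xor(key, data):
    # Stand-in for the "preset encryption algorithm": XOR with an HMAC-SHA256
    # counter-mode keystream, so encrypting and decrypting are the same call.
    # The factor must be unique per file, or the keystream repeats.
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hmac.new(key, (off // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

def segment_sizes(length, m):
    # m contiguous segments; the first (length % m) segments are one byte longer.
    q, r = divmod(length, m)
    return [q + (1 if i < r else 0) for i in range(m)]

def check_entry(entry, total_len):
    # Validate container metadata before it is used to slice the file.
    start, end = entry["range"]
    order = entry["order"]
    if not 0 <= start < end <= total_len:
        raise ValueError("data encryption range outside the file")
    if sorted(order) != list(range(len(order))):
        raise ValueError("segment order is not a permutation")
    return start, end, order

def encrypt_model(model, master_key, entry):
    start, end, order = check_entry(entry, len(model))
    plain = model[start:end]
    ct = keystream_xor(derive_key(master_key, entry["factor"]), plain)
    # Transformation: cut the ciphertext into m segments, reorder, splice.
    segs, pos = [], 0
    for size in segment_sizes(len(ct), len(order)):
        segs.append(ct[pos:pos + size])
        pos += size
    spliced = b"".join(segs[i] for i in order)
    return {**entry,
            "first_hash": hashlib.sha256(plain).digest(),
            "blob": model[:start] + spliced + model[end:]}

def decrypt_model(entry, master_key):
    blob = entry["blob"]
    start, end, order = check_entry(entry, len(blob))
    sizes = segment_sizes(end - start, len(order))
    # Inverse transformation: the k-th spliced piece is original segment order[k].
    segs, pos = [b""] * len(order), start
    for i in order:
        segs[i] = blob[pos:pos + sizes[i]]
        pos += sizes[i]
    plain = keystream_xor(derive_key(master_key, entry["factor"]), b"".join(segs))
    # Second hash over the decrypted data, compared in constant time.
    second_hash = hashlib.sha256(plain).digest()
    if not hmac.compare_digest(second_hash, entry["first_hash"]):
        raise ValueError("hash mismatch: wrong key or factor, or modified data")
    return blob[:start] + plain + blob[end:]

# Constructed sample: 8-byte header, 37 bytes of "weights", 4-byte trailer.
MASTER_KEY = bytes(range(32))
MODEL = b"MDLHDR01" + bytes((7 * i + 3) % 256 for i in range(37)) + b"TAIL"
ENTRY = {"factor": b"model-0001", "range": (8, 45), "order": [2, 0, 3, 1]}

if __name__ == "__main__":
    stored = encrypt_model(MODEL, MASTER_KEY, ENTRY)
    assert decrypt_model(stored, MASTER_KEY) == MODEL
    print("round trip ok; header kept in clear:", stored["blob"][:8])
```

The first hash is an unkeyed digest stored beside the data, so it catches corruption or a wrong key but not a party able to rewrite the container entry. An authenticated cipher, or a MAC keyed with the derived key, covers that case.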
Based on the same technical concept, an embodiment of the present invention further provides a computing device, as shown in fig. 5, including at least one processor 501 and a memory 502 connected to the at least one processor, where a specific connection medium between the processor 501 and the memory 502 is not limited in the embodiment of the present invention, and the processor 501 and the memory 502 are connected through a bus in fig. 5 as an example. The bus may be divided into an address bus, a data bus, a control bus, etc.
In the embodiment of the present invention, the memory 502 stores instructions executable by the at least one processor 501, and the at least one processor 501 may execute the steps included in the aforementioned model file encryption method or model file decryption method by executing the instructions stored in the memory 502.
The processor 501 is a control center of the computing device, and may be connected to various parts of the computing device through various interfaces and lines, and implement data processing by running or executing instructions stored in the memory 502 and calling data stored in the memory 502. Optionally, the processor 501 may include one or more processing units, and the processor 501 may integrate an application processor and a modem processor, where the application processor mainly processes an operating system, a user interface, an application program, and the like, and the modem processor mainly processes an issued instruction. It will be appreciated that the modem processor described above may not be integrated into the processor 501. In some embodiments, processor 501 and memory 502 may be implemented on the same chip, or in some embodiments, they may be implemented separately on separate chips.
The processor 501 may be a general-purpose processor, such as a Central Processing Unit (CPU), a digital signal processor, an Application Specific Integrated Circuit (ASIC), a field programmable gate array or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or any combination thereof, configured to implement or perform the methods, steps, and logic blocks disclosed in the embodiments of the present invention. A general purpose processor may be a microprocessor or any conventional processor or the like. The steps of the method disclosed in connection with the embodiment of the model file encryption method or the model file decryption method may be directly implemented by a hardware processor, or implemented by a combination of hardware and software modules in the processor.
Memory 502, which is a non-volatile computer-readable storage medium, may be used to store non-volatile software programs, non-volatile computer-executable programs, and modules. The memory 502 may include at least one type of storage medium, and may include, for example, a flash memory, a hard disk, a multimedia card, a card-type memory, a Random Access Memory (RAM), a Static Random Access Memory (SRAM), a Programmable Read Only Memory (PROM), a Read Only Memory (ROM), an Electrically Erasable Programmable Read Only Memory (EEPROM), a magnetic memory, a magnetic disk, an optical disk, and so on. The memory 502 may also be, but is not limited to, any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer. The memory 502 of embodiments of the present invention may also be circuitry or any other device capable of performing a storage function to store program instructions and/or data.
Based on the same technical concept, embodiments of the present invention also provide a computer-readable storage medium storing a computer program executable by a computing device, wherein when the program runs on the computing device, the computing device is caused to execute the steps of the model file encryption method or the model file decryption method.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present invention have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all such alterations and modifications as fall within the scope of the invention.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present invention without departing from the spirit and scope of the invention. Thus, if such modifications and variations of the present invention fall within the scope of the claims of the present application and their equivalents, the present invention is also intended to include such modifications and variations.

Claims (12)

1. A model file encryption method is characterized by comprising the following steps:
when an encryption request aiming at any model file is detected, determining an encryption factor and a data encryption range which are matched with the model file from a file container; the file container stores the encryption factors and the data encryption ranges corresponding to the model files;
generating an encryption key for encrypting the model file according to the encryption factor and a master key provided by an encryption system;
encrypting the model data to be encrypted in the model file, which belongs to the data encryption range, by the encryption key to obtain an encrypted model file;
and storing the encrypted model file into the file container.
2. The method according to claim 1, wherein the file container further stores therein at least one preset encryption algorithm corresponding to each model file;
the encrypting the model data to be encrypted in the model file, which belongs to the data encryption range, through the encryption key to obtain the encrypted model file includes:
determining at least one preset encryption algorithm matched with the model file from the file container, and determining a preset encryption algorithm for encrypting the model file from the at least one preset encryption algorithm;
and encrypting the model data to be encrypted in the model file, which belongs to the data encryption range, by the preset encryption algorithm and the encryption key to obtain an encrypted model file.
3. The method according to claim 1, wherein the file container further stores preset data transformation modes corresponding to the model files;
the storing the encrypted model file into the file container includes:
determining a preset data transformation mode matched with the model file from the file container;
transforming the encrypted model data in the encrypted model file in the preset data transformation mode to obtain a transformed model file;
and storing the transformed model file into the file container.
4. The method according to claim 3, wherein the transforming the encrypted model data in the encrypted model file by the preset data transformation manner to obtain a transformed model file comprises:
dividing the encryption model data into m sections to obtain m sections of sub-encryption model data;
sequencing the m sections of sub-encryption model data through a set sequencing algorithm, and splicing the sequenced m sections of sub-encryption model data to obtain spliced encryption model data;
and determining the transformed model file according to the spliced encrypted model data and the unencrypted model data in the encrypted model file.
5. The method of claim 1, prior to storing the encrypted model file in the file container, further comprising:
and carrying out hash operation on the model data to be encrypted in the model file, which belongs to the data encryption range, through a set hash algorithm to obtain a first hash value of the model data to be encrypted, and storing the first hash value into the file container.
6. A method for decrypting a model file, comprising:
when a decryption request aiming at any encrypted model file is detected, acquiring the encrypted model file from a file container, and determining an encryption factor and a data encryption range which are matched with the encrypted model file from the file container; the encrypted model file is obtained by encrypting the model data to be encrypted in the model file, which belongs to the data encryption range, through an encryption key; the encryption key is generated according to the encryption factor matched with the model file and a master key provided by an encryption system; the file container stores the encryption factors and the data encryption ranges corresponding to the model files;
generating a decryption key for decrypting the encrypted model file according to the encryption factor and a master key provided by the encryption system;
and decrypting the encrypted model data belonging to the data encryption range in the encrypted model file through the decryption key to obtain the decrypted model file.
7. The method according to claim 6, wherein the file container further stores therein at least one preset decryption algorithm corresponding to each model file and a preset data transformation manner corresponding to each model file;
before decrypting the encrypted model data belonging to the data encryption range in the encrypted model file, the method further comprises the following steps:
determining a preset data transformation mode matched with the encrypted model file from the file container;
performing inverse transformation processing on spliced encrypted model data which belongs to the data encryption range in the encrypted model file in the preset data transformation mode to obtain inverse-transformed encrypted model data; the spliced encrypted model data is obtained by splicing the sequenced m sections of sub-encrypted model data; the ordered m sections of sub-encryption model data are obtained by ordering m sections of sub-encryption model data obtained by dividing the encryption model data belonging to the data encryption range into m sections through a set ordering algorithm;
the decrypting the encrypted model data belonging to the data encryption range in the encrypted model file through the decryption key to obtain a decrypted model file includes:
determining at least one preset decryption algorithm matched with the encrypted model file from the file container, and determining a preset decryption algorithm for decrypting the encrypted model file from the at least one preset decryption algorithm; the preset decryption algorithm is matched with a preset encryption algorithm used for encrypting the model file;
decrypting the encrypted model data after inverse transformation through the preset decryption algorithm and the decryption key to obtain decrypted model data;
and determining the decrypted model file according to the decrypted model data and the unencrypted model data in the encrypted model file.
8. The method of claim 7, after obtaining the decrypted model data, further comprising:
performing hash operation on the decrypted model data through a set hash algorithm to obtain a second hash value of the decrypted model data;
acquiring a first hash value from a file container, and comparing the first hash value with the second hash value, thereby determining whether the decrypted model data is correct; the first hash value is obtained by carrying out hash operation on the model data to be encrypted in the model file, which belongs to the data encryption range, through the set hash algorithm.
9. A model file encryption apparatus, comprising:
the model file encryption device comprises a first detection unit, a second detection unit and a third detection unit, wherein the first detection unit is used for determining an encryption factor and a data encryption range which are matched with any model file from a file container when an encryption request aiming at the model file is detected; the file container stores the encryption factors and the data encryption ranges corresponding to the model files;
the first processing unit is used for generating an encryption key for encrypting the model file according to the encryption factor and a master key provided by an encryption system; encrypting the model data to be encrypted in the model file, which belongs to the data encryption range, by the encryption key to obtain an encrypted model file; and storing the encrypted model file into the file container.
10. A model file decryption apparatus, comprising:
the second detection unit is used for acquiring the encrypted model file from a file container when a decryption request aiming at any encrypted model file is detected, and determining an encryption factor and a data encryption range which are matched with the encrypted model file from the file container; the encrypted model file is obtained by encrypting the model data to be encrypted in the model file, which belongs to the data encryption range, through an encryption key; the encryption key is generated according to the encryption factor matched with the model file and a master key provided by an encryption system; the file container stores the encryption factors and the data encryption ranges corresponding to the model files;
the second processing unit is used for generating a decryption key for decrypting the encrypted model file according to the encryption factor and a master key provided by an encryption system; and decrypting the encrypted model data belonging to the data encryption range in the encrypted model file through the decryption key to obtain the decrypted model file.
11. A computing device comprising at least one processor and at least one memory, wherein the memory stores a computer program that, when executed by the processor, causes the processor to perform the method of any of claims 1 to 8.
12. A computer-readable storage medium, storing a computer program executable by a computing device, the program, when run on the computing device, causing the computing device to perform the method of any of claims 1 to 8.
CN202111532842.8A 2021-12-15 2021-12-15 Model file encryption and decryption method and device Pending CN114386058A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111532842.8A CN114386058A (en) 2021-12-15 2021-12-15 Model file encryption and decryption method and device

Publications (1)

Publication Number Publication Date
CN114386058A true CN114386058A (en) 2022-04-22

Family

ID=81196983

Country Status (1)

Country Link
CN (1) CN114386058A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115577568A (en) * 2022-11-17 2023-01-06 中国汽车技术研究中心有限公司 Method, device and storage medium for determining operation authority of simulation model
CN117349869A (en) * 2023-12-05 2024-01-05 深圳市智能派科技有限公司 Method and system for encryption processing of slice data based on model application
CN117349869B (en) * 2023-12-05 2024-04-09 深圳市智能派科技有限公司 Method and system for encryption processing of slice data based on model application

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination