CN115001748A - Model processing method and device and computer readable storage medium - Google Patents

Info

Publication number
CN115001748A
Authority
CN (China)
Prior art keywords
model, key, client, verification, ciphertext
Legal status
Granted
Application number
CN202210478472.2A
Other languages
Chinese (zh)
Other versions
CN115001748B (en)
Inventor
杨天
Current Assignee
Beijing QIYI Century Science and Technology Co Ltd
Original Assignee
Beijing QIYI Century Science and Technology Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L 9/0618 Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
    • H04L 9/0625 Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation with splitting of the data block into left and right halves, e.g. Feistel based algorithms, DES, FEAL, IDEA or KASUMI
    • H04L 9/0631 Substitution permutation network [SPN], i.e. cipher composed of a number of stages or rounds each involving linear and nonlinear transformations, e.g. AES algorithms
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L 9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L 9/085 Secret sharing or secret splitting, e.g. threshold schemes
    • H04L 9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N 3/00 Computing arrangements based on biological models
    • G06N 3/02 Neural networks
    • G06N 3/04 Architecture, e.g. interconnection topology

Abstract

The invention provides a model processing method, a model processing device and a computer readable storage medium, and belongs to the field of data security. The key management subsystem performs the generation and distribution of the key, so that the key is managed in a unified way; the legitimacy of the client that receives and runs the neural network model is ensured, illegal use of the neural network model is effectively prevented, and the security of the neural network model is improved. In the invention, the server adds a verification subgraph to the neural network model to be encrypted to obtain a ciphertext model and transmits the ciphertext model to the client, so that information such as the network structure and node weights of the neural network model is not exposed while the model is issued and transmitted, which ensures the transmission security of the neural network model; before the client runs the received ciphertext model, it must acquire the operation authority for the ciphertext model through the received second key, which ensures the application security of the neural network model.

Description

Model processing method and device and computer readable storage medium
Technical Field
The invention belongs to the field of data security, and particularly relates to a model processing method and device and a computer readable storage medium.
Background
Deep learning is the main technical approach of current artificial intelligence applications, and neural network models trained with deep learning are widely applied in fields such as human-computer interaction, recommendation systems and security protection. Specific scenarios include speech processing, image recognition, credit evaluation, malicious mail filtering, defence against malicious network attacks and the like. With the growth of edge devices and terminal devices, training a neural network model in the cloud and processing data on the edge device with a deep learning accelerator has become a trend.
However, when the neural network model is published and applied, its network structure and node weights are completely exposed, so the model is easily copied, secondarily developed or modified by a third party during publication and/or application, which compromises model security.
Therefore, to prevent the neural network model from being copied, attacked and tampered with by others, the neural network model needs to be encrypted so that its security is improved.
Disclosure of Invention
The invention provides a model processing method, a model processing device and a computer readable storage medium, which can prevent a neural network model from being copied, attacked and tampered by others and improve the safety of the neural network model.
According to a first aspect of the present invention, there is provided a model processing method applied to a model encryption system, where the model encryption system includes a server, a client and a key management subsystem, the method includes:
the key management subsystem carries out security authentication on the client according to the equipment information of the client, and generates a key under the condition that the client passes the security authentication, wherein the key comprises a first key and a second key; distributing the first key to a server and distributing the second key to a client;
the server side generates a verification subgraph according to a first key distributed by the key management subsystem, and adds the verification subgraph to a neural network model to be encrypted to obtain a ciphertext model; sending the ciphertext model to the client;
and the client receives a second key distributed by a key management subsystem and a ciphertext model sent by the server, and acquires the operation authority aiming at the ciphertext model according to the second key so as to execute a data processing task by using the ciphertext model.
According to a second aspect of the present invention, there is provided a model processing method applied to a server, the method including:
receiving a first key distributed by a key management subsystem, wherein the first key is generated by the key management subsystem under the condition that a client passes security authentication;
generating a verification subgraph according to a model framework of a neural network model to be encrypted and the first key;
adding the verification subgraph to the neural network model to obtain a ciphertext model;
and sending the ciphertext model to a client to enable the client to execute a data processing task based on the ciphertext model.
According to a third aspect of the present invention, there is provided a model processing method applied to a client, the method including:
receiving a second key distributed by a key management subsystem and a ciphertext model sent by a server side, wherein the second key is generated by the key management subsystem under the condition that the client side passes security authentication;
under the condition that the received model operation request is determined to meet a preset verification trigger condition, the second secret key is input into a verification sub-graph in the ciphertext model; the model operation request carries a data processing task;
executing the verification subgraph to verify whether the client side has the operation authority aiming at the ciphertext model according to the second secret key;
and if the client side is determined to have the operation authority aiming at the ciphertext model, responding to the model operation request, and operating the ciphertext model to execute the data processing task.
According to a fourth aspect of the present invention, there is provided a model processing method applied to a key management subsystem, the method comprising:
performing security authentication on the client according to the equipment information of the client;
generating a key under the condition that the client passes the security authentication, wherein the key comprises a first key and a second key;
and distributing the first key to a server and distributing the second key to the client, so that the server generates a verification subgraph according to the first key, and the client acquires the operation authority aiming at the ciphertext model according to the second key so as to execute a data processing task by using the ciphertext model.
According to a fifth aspect of the present invention, there is provided a model encryption system, comprising a server, a client and a key management subsystem,
the key management subsystem is used for carrying out security authentication on the client according to the equipment information of the client and generating a key under the condition that the client passes the security authentication, wherein the key comprises a first key and a second key; distributing the first key to a server and distributing the second key to a client;
the server side is used for generating a verification subgraph according to the first key distributed by the key management subsystem and adding the verification subgraph to a neural network model to be encrypted to obtain a ciphertext model; sending the ciphertext model to the client;
the client is used for receiving a second key distributed by a key management subsystem and a ciphertext model sent by the server, and acquiring the operation authority aiming at the ciphertext model according to the second key so as to execute a data processing task by using the ciphertext model.
According to a sixth aspect of the present invention, there is provided a model processing apparatus, applied to a server, the apparatus including:
the key receiving module is used for receiving a first key distributed by the key management subsystem, and the first key is generated by the key management subsystem under the condition that the client passes the security authentication;
the verification sub-graph generation module is used for generating a verification sub-graph according to the model framework of the neural network model to be encrypted and the first key;
the ciphertext model generating module is used for adding the verification subgraph to the neural network model to obtain a ciphertext model;
and the ciphertext model sending module is used for sending the ciphertext model to a client so that the client executes a data processing task based on the ciphertext model.
According to a seventh aspect of the present invention, there is provided a model processing apparatus applied to a client, the apparatus comprising:
the model receiving module is used for receiving a second key distributed by the key management subsystem and a ciphertext model sent by the server side, wherein the second key is generated by the key management subsystem under the condition that the client side passes the security authentication;
the key input module is used for inputting the second key to a verification subgraph in the ciphertext model under the condition that the received model operation request is determined to meet a preset verification trigger condition; the model operation request carries a data processing task;
the verification sub-graph execution module is used for executing the verification sub-graph so as to verify whether the client side has the operation permission aiming at the ciphertext model according to the second secret key;
and the ciphertext model operation module is used for responding to the model operation request and operating the ciphertext model to execute the data processing task if the client side is determined to have the operation authority aiming at the ciphertext model.
According to an eighth aspect of the present invention, there is provided a model processing apparatus applied to a key management subsystem, the apparatus comprising:
the security authentication module is used for performing security authentication on the client according to the equipment information of the client;
the key generation module is used for generating keys under the condition that the client passes the security authentication, wherein the keys comprise a first key and a second key;
and the key distribution module is used for distributing the first key to a server and distributing the second key to the client, so that the server generates a verification subgraph according to the first key, the verification subgraph is added to a neural network model to be encrypted to obtain a ciphertext model, and the client acquires the operation authority aiming at the ciphertext model according to the second key so as to execute a data processing task by using the ciphertext model.
According to a ninth aspect of the present invention, there is provided a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the model processing method as defined in any one of the first aspects.
Compared with the prior art, the invention has the following advantages:
according to the model processing method provided by the embodiment of the invention, the model encryption system is used for encrypting and decrypting the neural network model. The model encryption system comprises a server, a client and a key management subsystem. The key management subsystem performs security authentication on a client according to equipment information of the client, and generates a key under the condition that the client passes the security authentication, wherein the key comprises a first key and a second key; distributing the first key to a server and distributing the second key to a client; the server side generates a verification subgraph according to a first secret key distributed by the secret key management subsystem, and adds the verification subgraph to a neural network model to be encrypted to obtain a ciphertext model; sending the ciphertext model to the client; and the client receives a second key distributed by a key management subsystem and a ciphertext model sent by the server, and acquires the operation authority aiming at the ciphertext model according to the second key so as to execute a data processing task by using the ciphertext model. The embodiment of the invention executes the generation and distribution operation of the key through the key management subsystem, thereby realizing the unified management of the key; in addition, the invention generates the key only when the client passes the security authentication, starts a series of processing operations on the neural network model, ensures the legality of the client for receiving and operating the neural network model, can effectively avoid the neural network model from being illegally used, and improves the security of the neural network model. 
In the embodiment of the invention, the server adds the verification subgraph in the neural network model to be encrypted to obtain the ciphertext model, and transmits the ciphertext model to the client, so that the information such as the network structure, the node weight and the like of the neural network model cannot be exposed in the model issuing and transmitting processes, and the transmission safety of the neural network model is ensured; before the client operates the received ciphertext model, the client needs to acquire the operation authority aiming at the ciphertext model through the received second secret key, so that the application safety of the neural network model is ensured.
The foregoing description is only an overview of the technical solutions of the present invention, and the embodiments of the present invention are described below in order to make the technical means of the present invention more clearly understood and to make the above and other objects, features, and advantages of the present invention more clearly understandable.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
FIG. 1 is a flow chart illustrating steps of a method for processing a model according to an embodiment of the present invention;
fig. 2 is a block diagram of a model encryption system according to an embodiment of the present invention;
FIG. 3 is a flow chart illustrating steps of another method for processing a model according to an embodiment of the present invention;
FIG. 4 is a flow chart illustrating steps of a further method for model processing according to an embodiment of the present invention;
FIG. 5 is a flow chart illustrating steps of another method for processing a model according to an embodiment of the present invention;
fig. 6 is a block diagram of a model processing apparatus according to an embodiment of the present invention;
fig. 7 is a block diagram of another model processing apparatus according to an embodiment of the present invention;
fig. 8 is a block diagram of a structure of another model processing apparatus according to an embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present invention will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the invention are shown in the drawings, it should be understood that the invention can be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the invention to those skilled in the art.
Fig. 1 is a flowchart of steps of a model processing method according to an embodiment of the present invention, and as shown in fig. 1, the method may include:
step 101, a key management subsystem performs security authentication on a client according to equipment information of the client, and generates a key under the condition that the client passes the security authentication, wherein the key comprises a first key and a second key; and distributing the first key to a server and distributing the second key to a client.
Step 102, the server side generates a verification subgraph according to a first key distributed by the key management subsystem, and adds the verification subgraph to a neural network model to be encrypted to obtain a ciphertext model; and sending the ciphertext model to the client.
Step 103, the client receives a second key distributed by a key management subsystem and the ciphertext model sent by the server, and acquires the operation authority aiming at the ciphertext model according to the second key so as to execute a data processing task by using the ciphertext model.
The model processing method provided in the embodiment of the present invention is applied to a model encryption system, and referring to fig. 2, a structural block diagram of a model encryption system is shown, and as shown in fig. 2, the model encryption system includes a server 201, a client 202, and a key management subsystem 203.
The key management subsystem performs security authentication on the client according to the device information of the client, so as to judge the legitimacy of the client. As an example, whether the current configuration parameters of the client have been maliciously tampered with can be determined from the device information and the current configuration parameters of the client; if they have been tampered with, the client is determined to be illegitimate, that is, it does not pass the security authentication; otherwise, the client is determined to pass the security authentication. If the key management subsystem determines that the client passes the security authentication, it generates keys, including a first key for model encryption and a second key for model decryption. The specific generation method may be determined according to a preset encryption algorithm: if a symmetric encryption algorithm is adopted, the first key and the second key are generated according to the symmetric encryption algorithm; if an asymmetric encryption algorithm is adopted, they are generated according to the asymmetric encryption algorithm. After the key management subsystem generates the first key and the second key, it distributes the first key to the server and the second key to the client.
After receiving the first key distributed by the key management subsystem, the server generates a verification subgraph according to the first key, and adds the verification subgraph to the neural network model to be encrypted to obtain a ciphertext model. It should be noted that, in the embodiment of the present invention, the verification subgraph generated by the server is equivalent to a functional module of the ciphertext model and is used for verifying the authority of the client requesting to run the ciphertext model. After obtaining the ciphertext model, the server sends it to the client for the client to use.
After receiving the second key distributed by the key management subsystem and the ciphertext model sent by the server, the client acquires the operation authority for the ciphertext model according to the second key, so as to execute a data processing task with the ciphertext model. For example, the client inputs the second key into the verification subgraph of the ciphertext model for a decryption calculation; if decryption succeeds, the client is determined to have the operation authority for the ciphertext model; otherwise, if decryption fails, the client is determined not to have the operation authority for the ciphertext model.
The embodiment of the invention realizes the unified management of the secret key by executing the generation and distribution operation of the secret key by the secret key management subsystem; in addition, the invention generates the key only when the client passes the security authentication, starts a series of processing operations on the neural network model, ensures the legality of the client for receiving and operating the neural network model, can effectively avoid the neural network model from being illegally used, and improves the security of the neural network model. In the embodiment of the invention, the server adds the verification subgraph in the neural network model to be encrypted to obtain the ciphertext model, and transmits the ciphertext model to the client, so that the information such as the network structure, the node weight and the like of the neural network model cannot be exposed in the model issuing and transmitting processes, and the transmission safety of the neural network model is ensured; before the client operates the received ciphertext model, the client needs to acquire the operation authority aiming at the ciphertext model through the received second secret key, so that the application safety of the neural network model is ensured.
Fig. 3 is a flowchart of steps of another model processing method provided in an embodiment of the present invention, which is applied to a server, and as shown in fig. 3, the method may include:
step 301, receiving a first key distributed by a key management subsystem, where the first key is generated by the key management subsystem when a client passes security authentication.
Step 302, generating a verification subgraph according to the model framework of the neural network model to be encrypted and the first key.
Step 303, adding the verification subgraph to the neural network model to obtain a ciphertext model.
Step 304, sending the ciphertext model to the client so that the client executes a data processing task based on the ciphertext model.
Wherein the first key is generated by the key management subsystem in case that the client passes the secure authentication. And the key management subsystem generates a first key and a second key under the condition that the client passes the security authentication, distributes the first key to the server and distributes the second key to the client.
After receiving the first key distributed by the key management subsystem, the server generates a verification subgraph according to the model framework of the neural network model to be encrypted and the first key, and adds the verification subgraph to the neural network model to obtain a ciphertext model. It should be noted that, in the embodiment of the present invention, the model framework of the neural network model is not specifically limited; for example, the model framework may be TensorFlow, PyTorch or the like.
And after obtaining the ciphertext model, the server side sends the ciphertext model to the client side so that the client side can execute a data processing task based on the ciphertext model.
In the embodiment of the invention, the server adds the verification subgraph in the neural network model to be encrypted to obtain the ciphertext model, and transmits the ciphertext model to the client, so that the information such as the network structure, the node weight and the like of the neural network model cannot be exposed in the model issuing and transmitting processes, and the transmission safety of the neural network model is ensured.
In an optional embodiment of the present invention, the generating a verification subgraph according to the model framework of the neural network model to be encrypted and the first key in step 302 includes:
Substep 3021, determining a model framework of the neural network model to be encrypted;
Substep 3022, calling a corresponding compiling algorithm according to the model framework to generate a verification subgraph;
Substep 3023, encrypting the verification subgraph according to the first key and the encryption algorithm to obtain an encrypted verification subgraph;
Substep 3024, adding the encrypted verification subgraph to the neural network model to obtain a ciphertext model.
In the embodiment of the invention, the model framework of the neural network model to be encrypted can be determined, and then the corresponding compiling algorithm is called according to the model framework to generate the verification subgraph.
It can be understood that the generated verification subgraph is a plaintext verification subgraph, and in order to ensure the security of the model, the server needs to encrypt the verification subgraph according to the received first key to obtain an encrypted verification subgraph, that is, a ciphertext verification subgraph. Optionally, the encryption algorithm may be a symmetric encryption algorithm or an asymmetric encryption algorithm. Illustratively, in the embodiment of the present invention, a DES algorithm, a 3DES algorithm, an AES algorithm or the like may be employed. Finally, the ciphertext verification subgraph is added to the neural network model to obtain the ciphertext model.
As an example, the adding the encrypted verification subgraph to the neural network model to obtain a ciphertext model includes: and inserting the encrypted verification subgraph in front of an input layer of the neural network model to obtain a ciphertext model, wherein the encrypted verification subgraph is used for verifying a client side receiving the ciphertext model.
In the embodiment of the invention, the encrypted verification subgraph can be inserted before the input layer of the neural network model, so that when the client runs the ciphertext model, the running authority of the client is verified through the verification subgraph, and after the client is determined to have the running authority of the ciphertext model, the calculation data of the data processing task to be executed by the client is input into the input layer of the ciphertext model for processing.
As another example, the encrypted verification subgraph includes a first verification subgraph and a second verification subgraph, and adding the encrypted verification subgraph to the neural network model to obtain a ciphertext model includes: inserting the first verification sub-graph before an input layer of the neural network model and inserting the second verification sub-graph after an output layer of the neural network model.
The first verification subgraph is used for verifying the client side receiving the ciphertext model and encrypting the data to be processed input into the first verification subgraph; the second verification subgraph is used for encrypting the data processing result output by the output layer.
In the embodiment of the invention, a first verification subgraph can be inserted before an input layer of the neural network model, and a second verification subgraph can be inserted after an output layer of the neural network model, so that when the client runs the ciphertext model, the running authority of the client is verified through the first verification subgraph, after the client is determined to have the running authority of the ciphertext model, the computing data of the data processing task to be executed by the client is encrypted and then input into the input layer of the ciphertext model for processing, and the output layer outputs the data processing result. And then, encrypting the data processing result through the second verification subgraph, so that the data processing result finally output by the ciphertext model is also a ciphertext. Through the first verification subgraph and the second verification subgraph, input data and output data of the ciphertext model are ciphertexts, data leakage can be effectively avoided, and data safety is guaranteed.
In summary, in the model processing method provided in the embodiment of the present invention, the server adds the verification subgraph to the neural network model to be encrypted to obtain the ciphertext model, and transmits the ciphertext model to the client, so that information such as the network structure and the node weight of the neural network model is not exposed in the process of issuing and transmitting the model, and the transmission security of the neural network model is ensured.
Fig. 4 is a flowchart of steps of another model processing method provided in an embodiment of the present invention, which is applied to a client, and as shown in fig. 4, the method may include:
step 401, receiving a second key distributed by the key management subsystem and a ciphertext model sent by the server, where the second key is generated by the key management subsystem when the client passes the security authentication.
Step 402, inputting the second key into a verification subgraph in the ciphertext model under the condition that the received model operation request is determined to meet a preset verification trigger condition; the model operation request carries a data processing task.
Step 403, executing the verification subgraph to verify, according to the second key, whether the client has the operation right for the ciphertext model.
Step 404, if it is determined that the client has the operation right for the ciphertext model, responding to the model operation request and operating the ciphertext model to execute the data processing task.
The second key is generated by the key management subsystem when the client passes the security authentication: in that case the key management subsystem generates a first key and a second key, distributes the first key to the server and distributes the second key to the client.
The encrypted verification subgraph is generated by the server side according to the model frame of the neural network model to be encrypted and the first secret key.
After receiving the second key distributed by the key management subsystem and the ciphertext model sent by the server, the client operates the ciphertext model according to the received model operation request. The model operation request may be generated by the user holding the client through a trigger operation, such as clicking a preset button in the client or invoking the ciphertext model; it may also be sent by the electronic device that issues the data processing task, for example the server or another client sends a model operation request to the client that received the ciphertext model, so as to trigger that client to execute the data processing task based on the ciphertext model. It should be noted that the embodiment of the present invention does not limit the specific manner in which the model operation request is generated.
When the client receives a model operation request, it judges whether the received model operation request meets a preset verification trigger condition. The verification trigger condition indicates whether verification needs to be performed for the current model operation request; it may be, for example, that the current request count of the model operation request is greater than a preset number of times, or that the time difference between two consecutive model operation requests is greater than a preset period.
As an example, before the inputting the second key to the verification subgraph in the ciphertext model in the case that the received model operation request is determined to meet the preset verification trigger condition, the method further includes:
step S11, receiving a model operation request for the ciphertext model and recording the current request count;
step S12, if the current request count is greater than the preset number of times, determining that the model operation request meets the preset verification trigger condition.
In the embodiment of the invention, the operation right of the client can be verified according to the request count of the received model operation requests. After the operation right of the client has been verified once, when another operation request is received the operation right of the client need not be verified if the current request count is less than the preset number of times; if the current request count is greater than the preset number of times, the operation right of the client needs to be verified again, that is, the model operation request is determined to meet the preset verification trigger condition.
As another example, before the inputting the second key to the verification subgraph in the ciphertext model in the case that the received model operation request is determined to meet the preset verification trigger condition, the method further includes:
step S21, receiving a model operation request for the ciphertext model and recording a first request time of the model operation request;
step S22, calculating the time difference between the first request time and a second request time, the second request time being the time of the last received model operation request that met the verification trigger condition;
step S23, if the time difference is greater than a preset period, determining that the model operation request meets the preset verification trigger condition.
In the embodiment of the invention, the operation right of the client can be verified according to a preset period: after the operation right of the client has been verified once, it need not be verified again within the preset period. Specifically, when the time difference between the request time of the received model operation request and the last verification time is less than the preset period, the client does not need to be verified; when the time difference between the request time of the received model operation request and the last verification time (that is, the second request time of the last received model operation request that met the verification trigger condition) is greater than the preset period, the client needs to be verified again, that is, the model operation request is determined to meet the preset verification trigger condition.
Optionally, the preset period includes the inference operation time period corresponding to the model operation request. In the embodiment of the invention, the preset period can also be set to the inference operation time period corresponding to the model operation request, so that once the verification subgraph has passed verification and the inference operation of the neural network model has not yet finished, the neural network model need not be verified again; this improves the operation efficiency of the neural network model, ensures data security and reduces verification complexity.
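The two trigger conditions above (request count exceeding a preset number, and elapsed time exceeding a preset period) are easy to get subtly wrong on the client, so here is an added example of a tracker implementing both; it is not code from the patent. It assumes a monotonic clock, that the request counter is reset after each successful verification (the page only states that the count is compared with the preset number), that the very first request always verifies, and that the "inference operation time period" option is expressed by passing the inference duration as the period. A failed verification deliberately leaves the tracker untouched, so the next request triggers again.

```python
import time
from typing import List, Optional


class VerificationTrigger:
    """Decides whether a model operation request meets the preset verification
    trigger condition, i.e. whether the second key must be run through the
    verification subgraph again before the ciphertext model is operated.

    Conditions (either or both may be configured):
      * count-based:  more than `preset_count` requests since the last verification
      * period-based: more than `preset_period` seconds since the last verification
    """

    def __init__(self, preset_count: Optional[int] = None,
                 preset_period: Optional[float] = None) -> None:
        if preset_count is None and preset_period is None:
            raise ValueError("configure at least one trigger condition")
        self.preset_count = preset_count
        self.preset_period = preset_period
        self.requests_since_verification = 0  # the "current request count"
        # "second request time": time of the last request that met the condition
        # and was successfully verified; None until the first verification
        self.last_verified_at: Optional[float] = None

    def on_request(self, now: Optional[float] = None) -> bool:
        """Record one model operation request ("first request time" = now) and
        return True when the client must re-verify its operation right."""
        now = time.monotonic() if now is None else now
        if self.last_verified_at is None:
            return True  # never verified on this client: always verify first
        self.requests_since_verification += 1
        if (self.preset_count is not None
                and self.requests_since_verification > self.preset_count):
            return True
        if (self.preset_period is not None
                and now - self.last_verified_at > self.preset_period):
            return True
        return False

    def mark_verified(self, now: Optional[float] = None) -> None:
        """Call only after the verification subgraph decrypted successfully."""
        self.last_verified_at = time.monotonic() if now is None else now
        self.requests_since_verification = 0  # assumption: counter restarts


def simulate(trigger: VerificationTrigger, request_times: List[float],
             verification_succeeds: bool = True) -> List[bool]:
    """Replay constructed request timestamps (seconds) and return, per request,
    whether verification was triggered. Used here as the stand-in for the
    client's request loop."""
    triggered = []
    for t in request_times:
        must_verify = trigger.on_request(t)
        triggered.append(must_verify)
        if must_verify and verification_succeeds:
            trigger.mark_verified(t)  # decryption succeeded: right confirmed
    return triggered


if __name__ == "__main__":
    print(simulate(VerificationTrigger(preset_count=2), [0, 1, 2, 3, 4, 5]))
    print(simulate(VerificationTrigger(preset_period=10.0), [0.0, 5.0, 10.0, 10.5, 15.0]))
```

With `preset_count=2` the requests at t=0 and t=3 trigger verification (first request, then the third request after the last verification); with `preset_period=10.0` the request at t=10.5 is the first to fall strictly outside the period, so a request at exactly t=10.0 does not re-verify, matching the "greater than" wording of step S23.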
When the received model operation request is determined to meet the preset verification trigger condition, the client inputs the second key into the verification subgraph in the ciphertext model and executes the verification subgraph to verify, according to the second key, whether the client has the operation right for the ciphertext model. If the client is determined to have the operation right for the ciphertext model, it responds to the model operation request and operates the ciphertext model to execute the data processing task carried in the model operation request.
In an optional embodiment of the present invention, the executing of the verification sub-graph in step 403 to verify whether the client has an operation right for the ciphertext model according to the second key includes:
substep 4031, executing the verification subgraph to perform decryption calculation according to the second key;
substep 4032, if the decryption is successful, determining that the client has the operation right for the ciphertext model;
substep 4033, if the decryption is unsuccessful, determining that the client does not have the operation right for the ciphertext model.
In the embodiment of the invention, whether the client has the operation right for the ciphertext model is verified according to the second key: the verification subgraph in the ciphertext model is decrypted according to the second key, and if the decryption is successful the client is determined to have the operation right for the ciphertext model; if the decryption is unsuccessful, the client is determined not to have the operation right for the ciphertext model.
In an optional embodiment of the present invention, the ciphertext model comprises two verification subgraphs, namely a first verification subgraph connected in series with the input layer of the ciphertext model and a second verification subgraph connected in series with the output layer of the ciphertext model, and the operating of the ciphertext model in step 404 to execute the data processing task in response to the model operation request comprises:
substep 4041, in response to the model operation request, inputting the data to be processed of the data processing task into a first verification subgraph of the ciphertext model, so as to encrypt the data to be processed through the first verification subgraph to obtain ciphertext data;
substep 4042, inputting the ciphertext data into an input layer of the ciphertext model, and performing data processing on the ciphertext data based on the ciphertext model;
substep 4043, obtaining a data processing result output by the output layer of the ciphertext model;
substep 4044, inputting the data processing result into the second verification sub-graph for encryption processing, and obtaining and outputting an encrypted data processing result.
It should be noted that, in the embodiment of the present invention, when the server inserts the encrypted verification subgraph into the neural network model to be encrypted, there are two insertion manners: one is to insert the encrypted verification subgraph just before the input layer of the neural network model; the other is to insert a first verification sub-graph before the input layer of the neural network model and a second verification sub-graph after the output layer of the neural network model. Therefore, the ciphertext model received by the client may only include one verification subgraph, and may also include the first verification subgraph and the second verification subgraph. The first verification subgraph is used for verifying the client side receiving the ciphertext model and encrypting the data to be processed input into the first verification subgraph; the second verification subgraph is used for encrypting the data processing result output by the output layer.
If the ciphertext model received by the client only contains one verification subgraph, the client is determined to have the operation authority aiming at the ciphertext model, and then the ciphertext model is directly operated to execute the data processing task. If the ciphertext model received by the client contains the first verification subgraph and the second verification subgraph, the client also needs to execute the first verification subgraph and the second verification subgraph when executing the ciphertext model.
Specifically, the client first inputs the data to be processed of the data processing task into the first verification subgraph of the ciphertext model and encrypts the data to be processed by executing the first verification subgraph, obtaining ciphertext data. It then inputs the obtained ciphertext data into the input layer of the ciphertext model and performs data processing on the ciphertext data based on the ciphertext model, obtaining the data processing result output by the output layer of the ciphertext model. Finally, it inputs the data processing result into the second verification subgraph and encrypts the data processing result by executing the second verification subgraph, obtaining and outputting an encrypted data processing result.
In the embodiment of the invention, the first verification subgraph and the second verification subgraph enable the input data and the output data of the ciphertext model to be ciphertexts, so that data leakage can be effectively avoided, and data safety is ensured.
In summary, in the model processing method provided by the embodiment of the present invention, the server adds the verification subgraph in the neural network model to be encrypted to obtain the ciphertext model, and transmits the ciphertext model to the client, so that information such as the network structure and the node weight of the neural network model is not exposed in the process of model release and transmission, and the transmission safety of the neural network model is ensured; before the client operates the received ciphertext model, the client needs to acquire the operation authority aiming at the ciphertext model through the received second secret key, so that the application safety of the neural network model is ensured.
Fig. 5 is a flowchart of steps of another model processing method provided in an embodiment of the present invention, which is applied to a key management subsystem, and as shown in fig. 5, the method may include:
Step 501, performing security authentication on the client according to the device information of the client.
Step 502, generating a key under the condition that the client passes the security authentication, wherein the key comprises a first key and a second key.
Step 503, distributing the first key to a server, and distributing the second key to the client, so that the server generates a verification subgraph according to the first key, and adds the verification subgraph to a neural network model to be encrypted to obtain a ciphertext model, and the client obtains an operation right for the ciphertext model according to the second key, so as to perform a data processing task by using the ciphertext model.
In the embodiment of the invention, the key management subsystem performs security authentication on the client according to the device information of the client, so as to determine whether the client is legitimate. As an example, whether the current configuration parameters of the client have been maliciously tampered with can be determined from the device information and the current configuration parameters of the client; if they have been tampered with, the client is determined to be illegitimate, that is, it fails the security authentication, and otherwise the client is determined to pass the security authentication. If the key management subsystem determines that the client passes the security authentication, it generates keys, including a first key and a second key. The specific generation method may be determined by the preset encryption algorithm: if a symmetric encryption algorithm is adopted, the first key and the second key are generated according to the symmetric encryption algorithm, and if an asymmetric encryption algorithm is adopted, they are generated according to the asymmetric encryption algorithm. After the key management subsystem generates the first key and the second key, it distributes the first key to the server and the second key to the client.
In an optional embodiment of the present invention, the performing, in step 501, security authentication on the client according to the device information of the client includes:
substep 5011, matching the device information of the client with the current configuration parameters of the client, and judging whether the client passes the security authentication;
substep 5012, if the device information of the client matches with the current configuration parameters of the client, determining that the client passes the security authentication;
substep 5013, if the device information of the client does not match the current configuration parameters of the client, determining that the client fails the security authentication.
In the embodiment of the invention, the security authentication can be carried out on the client side based on the equipment information of the client side and the current configuration parameters of the client side. Specifically, the device information of the client is matched with the current configuration parameters of the client, and whether the current configuration parameters of the client are maliciously tampered is judged, so that whether the client passes the security authentication is determined.
If the device information of the client is matched with the current configuration parameters, which indicates that the configuration parameters of the client are not maliciously tampered, the client can be determined to pass the security authentication. Otherwise, if the device information of the client does not match the current configuration parameters, which indicates that the configuration parameters of the client have been maliciously tampered, it may be determined that the client fails the security authentication.
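The three parties described on this page (the key management subsystem of substeps 5011 to 5013, the server of substeps 3021 to 3024, and the client of substeps 4031 to 4033 and 4041 to 4044) fit in one short simulation, given here as an added example that is not the patent's or the applicant's code. Assumptions: a symmetric algorithm, so the first key and the second key are the same secret; Python's standard library has no AES, so the cipher is an HMAC-SHA256 stand-in (keystream plus encrypt-then-MAC tag) rather than the AES the page names; the verification subgraph is modelled as an authenticated ciphertext of a constructed marker value, the model as a plain Python function, and the second verification subgraph as encryption of the output. The first subgraph's input-encryption step is left out, because the page does not specify how the input layer consumes ciphertext. All device information and keys are constructed for the example.

```python
import hashlib
import hmac
import json
import secrets
from typing import Any, Callable, Dict, List, Optional, Tuple

# Authenticated-encryption stand-in for AES built from HMAC-SHA256 (assumption).
# The tag is what makes "decryption failed" a meaningful signal: an unauthenticated
# cipher would "decrypt" under any key and never report failure.
NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def aead_encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def aead_decrypt(key: bytes, blob: bytes) -> bytes:
    """Raises ValueError when the key is wrong or the blob was tampered with."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class KeyManagementSubsystem:
    """Substeps 5011-5013: match enrolled device information against the client's
    current configuration, then issue the first (server) and second (client) key."""

    def __init__(self) -> None:
        self._enrolled: Dict[str, Dict[str, str]] = {}

    def enroll(self, device_id: str, device_info: Dict[str, str]) -> None:
        self._enrolled[device_id] = dict(device_info)

    def authenticate(self, device_id: str, current_config: Dict[str, str]) -> bool:
        enrolled = self._enrolled.get(device_id)
        return enrolled is not None and enrolled == current_config

    def issue_keys(self, device_id: str, current_config: Dict[str, str]) -> Optional[Tuple[bytes, bytes]]:
        if not self.authenticate(device_id, current_config):
            return None  # tampered or unknown client: no key, hence no model access
        key = secrets.token_bytes(32)
        return key, key  # symmetric assumption: first key == second key


VERIFICATION_PLAINTEXT = b"model-operation-permitted"  # constructed marker value


def build_ciphertext_model(model: Callable[[List[float]], List[float]], first_key: bytes) -> Dict[str, Any]:
    """Server, substeps 3023-3024: encrypt the verification subgraph with the first
    key, place it before the model and a second subgraph after the output layer."""
    return {
        "verification_subgraph": aead_encrypt(first_key, VERIFICATION_PLAINTEXT),
        "model": model,
        "output_subgraph": lambda key, result: aead_encrypt(key, json.dumps(result).encode()),
    }


class Client:
    def __init__(self, second_key: bytes) -> None:
        self.second_key = second_key

    def has_operation_right(self, ciphertext_model: Dict[str, Any]) -> bool:
        """Substeps 4031-4033: successful authenticated decryption == operation right."""
        try:
            return aead_decrypt(self.second_key, ciphertext_model["verification_subgraph"]) == VERIFICATION_PLAINTEXT
        except ValueError:
            return False

    def run(self, ciphertext_model: Dict[str, Any], data: List[float]) -> bytes:
        """Substeps 4041-4044 (without input encryption): the result leaves as ciphertext."""
        if not self.has_operation_right(ciphertext_model):
            raise PermissionError("client lacks the operation right for this ciphertext model")
        result = ciphertext_model["model"](data)
        return ciphertext_model["output_subgraph"](self.second_key, result)


def demo() -> Tuple[bool, bool, List[float]]:
    """Returns (legitimate client verified, rogue client verified, decrypted output)."""
    kms = KeyManagementSubsystem()
    device_info = {"os": "linux", "gpu": "A10", "build": "1.4.2"}  # constructed
    kms.enroll("dev-001", device_info)
    first_key, second_key = kms.issue_keys("dev-001", dict(device_info))
    toy_model = lambda xs: [2.0 * x + 1.0 for x in xs]  # stands in for the network
    ciphertext_model = build_ciphertext_model(toy_model, first_key)
    legit, rogue = Client(second_key), Client(secrets.token_bytes(32))
    output = json.loads(aead_decrypt(second_key, legit.run(ciphertext_model, [1.0, 2.0])))
    return legit.has_operation_right(ciphertext_model), rogue.has_operation_right(ciphertext_model), output
```

The design point worth keeping from this toy is in `aead_decrypt`: "decryption successful" (substep 4032) is only a usable authorization signal when the verification subgraph carries an integrity tag, which is why AES-GCM or an encrypt-then-MAC construction should back the subgraph in a real deployment. The device check in `authenticate` is an exact match of the enrolled configuration, which is the narrowest reading of substep 5011; a production key management subsystem would normally compare a signed attestation rather than raw configuration values.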
In an optional embodiment of the present invention, the generating a key in the case that the client passes the secure authentication in step 502 includes:
under the condition that the client passes the security authentication, generating a key according to key configuration parameters, where the key configuration parameters comprise at least one of a key validity period and a key usage count.
It should be noted that, in the embodiment of the present invention, while generating the key, key configuration parameters of the key, such as a key validity period and key usage times, may be set, so as to limit the verification trigger condition when the client performs verification of the operation right according to the second key, for example, after the client performs single verification, the client does not need to perform verification again in the key validity period; or after the client performs single decryption, as long as the number of requests of the currently received model operation request is less than the number of key use times, the client does not need to perform verification again, and the like.
In summary, the key management subsystem performs the generation and distribution of the keys, so that the keys are managed in a unified way; in addition, keys are generated, and the series of processing operations on the neural network model is started, only when the client passes the security authentication, which ensures that the client receiving and operating the neural network model is legitimate, effectively prevents the neural network model from being used illegally, and improves the security of the neural network model.
Fig. 2 is a block diagram of a model encryption system according to an embodiment of the present invention, and as shown in fig. 2, the system may include:
the key management subsystem is used for carrying out security authentication on the client according to the equipment information of the client and generating a key under the condition that the client passes the security authentication, wherein the key comprises a first key and a second key; distributing the first key to a server and distributing the second key to a client;
the server is used for generating a verification subgraph according to the first key distributed by the key management subsystem and adding the verification subgraph to a neural network model to be encrypted to obtain a ciphertext model; sending the ciphertext model to the client;
the client is used for receiving the second key distributed by the key management subsystem and the ciphertext model sent by the server, and acquiring the operation right for the ciphertext model according to the second key so as to execute a data processing task by using the ciphertext model.
Fig. 6 is a block diagram of a model processing apparatus according to an embodiment of the present invention, which is applied to a server, and as shown in fig. 6, the apparatus 60 may include:
a key receiving module 601, configured to receive a first key distributed by a key management subsystem, where the first key is generated by the key management subsystem when a client passes security authentication;
a verification sub-graph generation module 602, configured to generate a verification sub-graph according to the model framework of the neural network model to be encrypted and the first key;
a ciphertext model generating module 603, configured to add the verification subgraph to the neural network model to obtain a ciphertext model;
a ciphertext model sending module 604, configured to send the ciphertext model to the client, so that the client performs a data processing task based on the ciphertext model.
Optionally, the verification sub-graph generation module 602 includes:
the model framework determining submodule is used for determining a model framework of the neural network model to be encrypted;
the verification sub-graph generation sub-module is used for calling a corresponding compiling algorithm according to the model framework to generate a verification sub-graph;
the encryption processing sub-module is used for carrying out encryption processing on the verification subgraph according to the first secret key and the encryption algorithm to obtain an encrypted verification subgraph;
the verification subgraph adding submodule is used for adding the encrypted verification subgraph to the neural network model to obtain a ciphertext model.
Optionally, the verification subgraph adding sub-module includes:
the first verification subgraph adding unit is used for inserting the encrypted verification subgraph in front of the input layer of the neural network model to obtain a ciphertext model, where the encrypted verification subgraph is used for verifying the client receiving the ciphertext model.
Optionally, the encrypted verification subgraph includes a first verification subgraph and a second verification subgraph, and the verification subgraph adding sub-module includes:
a second verification sub-graph adding unit for inserting the first verification sub-graph before an input layer of the neural network model and inserting the second verification sub-graph after an output layer of the neural network model; the first verification subgraph is used for verifying the client side receiving the ciphertext model and encrypting the data to be processed input into the first verification subgraph; the second verification subgraph is used for encrypting the data processing result output by the output layer.
Optionally, the encryption algorithm comprises a symmetric encryption algorithm or an asymmetric encryption algorithm.
Fig. 7 is a block diagram of another model processing apparatus according to an embodiment of the present invention, which is applied to a client, and as shown in fig. 7, the apparatus 70 may include:
a model receiving module 701, configured to receive a second key distributed by a key management subsystem and a ciphertext model sent by a server, where the second key is generated by the key management subsystem when the client passes security authentication;
a key input module 702, configured to input the second key to a verification sub-graph in the ciphertext model when it is determined that the received model operation request meets a preset verification trigger condition; the model operation request carries a data processing task;
a verification sub-graph executing module 703, configured to execute the verification sub-graph, so as to verify whether the client has an operation right for the ciphertext model according to the second key;
a ciphertext model operation module 704, configured to, if it is determined that the client has an operation permission for the ciphertext model, operate the ciphertext model to execute the data processing task in response to the model operation request.
Optionally, the verification sub-graph execution module 703 includes:
the verification subgraph execution sub-module is used for executing the verification subgraph to perform decryption calculation according to the second secret key;
the first determining submodule is used for determining that the client side has the operation permission aiming at the ciphertext model if the decryption is successful;
the second determining submodule is used for determining that the client does not have the operation right for the ciphertext model if the decryption is unsuccessful.
Optionally, the ciphertext model includes two verification subgraphs, where the two verification subgraphs include a first verification subgraph connected in series with an input layer of the ciphertext model and a second verification subgraph connected in series with an output layer of the ciphertext model, and the ciphertext model operation module 704 includes:
the first input sub-module is used for responding to the model operation request, inputting the data to be processed of the data processing task into a first verification subgraph of the ciphertext model, and encrypting the data to be processed through the first verification subgraph to obtain ciphertext data;
the second input submodule is used for inputting the ciphertext data into an input layer of the ciphertext model and carrying out data processing on the ciphertext data based on the ciphertext model;
the result obtaining submodule is used for obtaining a data processing result output by the output layer of the ciphertext model;
the encryption processing submodule is used for inputting the data processing result into the second verification subgraph for encryption processing, so as to obtain and output an encrypted data processing result.
Optionally, the apparatus further comprises:
the first receiving module is used for receiving a model operation request aiming at the ciphertext model and recording the current request times;
the first determining module is used for determining that the model operation request meets the preset verification trigger condition if the current request count is greater than the preset number of times.
Optionally, the apparatus further comprises:
the second receiving module is used for receiving a model operation request aiming at the ciphertext model and recording first request time of the model operation request;
the calculation module is used for calculating the time difference between the first request time and the second request time when the model operation request meeting the verification trigger condition is received last time;
the second determining module is used for determining that the model operation request meets the preset verification trigger condition if the time difference is greater than the preset period.
Optionally, the preset period includes the inference operation time period corresponding to the model operation request.
Fig. 8 is a block diagram of a further model processing apparatus provided in an embodiment of the present invention, which is applied to a key management subsystem, and as shown in fig. 8, the apparatus 80 may include:
a security authentication module 801, configured to perform security authentication on a client according to device information of the client;
a key generation module 802, configured to generate a key if the client passes the security authentication, where the key includes a first key and a second key, the first key is used for model encryption and the second key is used for model decryption;
the key distribution module 803 is configured to distribute the first key to a server, and distribute the second key to the client, so that the server generates a verification subgraph according to the first key, adds the verification subgraph to a neural network model to be encrypted to obtain a ciphertext model, and the client obtains an operation right for the ciphertext model according to the second key to perform a data processing task by using the ciphertext model.
Optionally, the security authentication module includes:
the parameter matching submodule is used for matching the equipment information of the client with the current configuration parameters of the client and judging whether the client passes the security authentication;
the first authentication sub-module is used for determining that the client passes the security authentication if the equipment information of the client is matched with the current configuration parameters of the client;
the second authentication submodule is used for determining that the client fails the security authentication if the device information of the client does not match the current configuration parameters of the client.
Optionally, the key generation module includes:
the key generation submodule is used for generating a key according to key configuration parameters under the condition that the client passes the security authentication, where the key configuration parameters comprise at least one of a key validity period and a key usage count.
For the above apparatus embodiment, since it is essentially similar to the method embodiment, the description is relatively brief; for the relevant points, refer to the corresponding description of the method embodiment.
In addition, an embodiment of the present invention further provides a terminal, which includes a processor, a memory, and a computer program stored in the memory and capable of running on the processor; when executed by the processor, the computer program implements each process of the above-described embodiment of the model processing method and achieves the same technical effect, so the details are not repeated here.
The embodiment of the present invention further provides a computer-readable storage medium on which a computer program is stored; when executed by a processor, the computer program implements each process of the above-described embodiment of the model processing method and achieves the same technical effect, so the details are not repeated here. The computer-readable storage medium may be a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk.
The embodiments in the present specification are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other.
As those skilled in the art will readily appreciate, any combination of the above embodiments is possible, and thus any such combination is an embodiment of the present invention, although it is not detailed herein for reasons of space.
The model processing methods provided herein are not inherently related to any particular computer, virtual system, or other apparatus. Various general purpose systems may also be used with the teachings herein. The structure required to construct a system incorporating aspects of the present invention will be apparent from the description above. Moreover, the present invention is not directed to any particular programming language. It is appreciated that a variety of programming languages may be used to implement the teachings of the present invention as described herein, and any descriptions of specific languages are provided above to disclose the best mode of the invention.
In the description provided herein, numerous specific details are set forth. It is understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
Similarly, it should be appreciated that in the foregoing description of exemplary embodiments of the invention, various features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the disclosure and aiding the understanding of one or more of the various inventive aspects. However, this manner of disclosure should not be interpreted as reflecting an intention that the invention as claimed requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of this invention.
Those skilled in the art will appreciate that the modules in the device in an embodiment may be adaptively changed and disposed in one or more devices different from the embodiment. The modules or units or components of the embodiments may be combined into one module or unit or component, and furthermore they may be divided into a plurality of sub-modules or sub-units or sub-components. All of the features disclosed in this specification (including any accompanying claims, abstract and drawings), and all of the processes or elements of any method or apparatus so disclosed, may be combined in any combination, except combinations where at least some of such features and/or processes or elements are mutually exclusive. Each feature disclosed in this specification (including any accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
Moreover, those skilled in the art will appreciate that although some embodiments described herein include some features included in other embodiments, not others, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the claims, any of the claimed embodiments may be used in any combination.
The various component embodiments of the invention may be implemented in hardware, or in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will appreciate that a microprocessor or Digital Signal Processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of an operation execution method according to an embodiment of the present invention. The present invention may also be embodied as apparatus or device programs (e.g., computer programs and computer program products) for performing a portion or all of the methods described herein. Such programs implementing the present invention may be stored on computer-readable media or may be in the form of one or more signals. Such a signal may be downloaded from an internet website or provided on a carrier signal or in any other form.
It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the unit claims enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second, third, etc. does not indicate any ordering; these words may be interpreted as names.

Claims (19)

1. A model processing method applied to a model encryption system, wherein the model encryption system comprises a server side, a client side and a key management subsystem, and the method comprises the following steps:
the key management subsystem performs security authentication on the client according to the device information of the client, and generates a key if the client passes the security authentication, wherein the key comprises a first key and a second key; and distributes the first key to the server side and the second key to the client side;
the server side generates a verification subgraph according to the first key distributed by the key management subsystem, adds the verification subgraph to a neural network model to be encrypted to obtain a ciphertext model, and sends the ciphertext model to the client side;
and the client side receives the second key distributed by the key management subsystem and the ciphertext model sent by the server side, and acquires the operation right for the ciphertext model according to the second key so as to execute a data processing task by using the ciphertext model.
2. A model processing method is applied to a server side, and the method comprises the following steps:
receiving a first key distributed by a key management subsystem, wherein the first key is generated by the key management subsystem if a client passes security authentication;
generating a verification subgraph according to a model framework of a neural network model to be encrypted and the first key;
adding the verification subgraph to the neural network model to obtain a ciphertext model;
and sending the ciphertext model to a client so that the client executes a data processing task based on the ciphertext model.
3. The method of claim 2, wherein generating a verification sub-graph from the model framework of the neural network model to be encrypted and the first key comprises:
determining a model framework of a neural network model to be encrypted;
calling a corresponding compiling algorithm according to the model framework to generate a verification subgraph;
encrypting the verification subgraph according to the first key and an encryption algorithm to obtain an encrypted verification subgraph;
and adding the encrypted verification subgraph to the neural network model to obtain a ciphertext model.
4. The method of claim 3, wherein adding the encrypted verification subgraph to the neural network model to obtain a ciphertext model comprises:
and inserting the encrypted verification subgraph in front of an input layer of the neural network model to obtain a ciphertext model, wherein the encrypted verification subgraph is used for verifying a client side receiving the ciphertext model.
5. The method of claim 3, wherein the encrypted verification subgraph comprises a first verification subgraph and a second verification subgraph, and adding the encrypted verification subgraph to the neural network model to obtain a ciphertext model comprises:
inserting the first verification sub-graph before an input layer of the neural network model and inserting the second verification sub-graph after an output layer of the neural network model; the first verification subgraph is used for verifying the client side receiving the ciphertext model and encrypting the data to be processed input into the first verification subgraph; the second verification subgraph is used for encrypting the data processing result output by the output layer.
6. A model processing method is applied to a client side, and comprises the following steps:
receiving a second key distributed by a key management subsystem and a ciphertext model sent by a server side, wherein the second key is generated by the key management subsystem under the condition that the client side passes security authentication;
inputting the second key into a verification subgraph in the ciphertext model if the received model operation request is determined to meet a preset verification trigger condition, wherein the model operation request carries a data processing task;
executing the verification subgraph to verify, according to the second key, whether the client side has the operation right for the ciphertext model;
and if the client side is determined to have the operation right for the ciphertext model, responding to the model operation request by operating the ciphertext model to execute the data processing task.
7. The method of claim 6, wherein executing the verification subgraph to verify, according to the second key, whether the client has the operation right for the ciphertext model comprises:
executing the verification subgraph to perform a decryption computation according to the second key;
if the decryption succeeds, determining that the client side has the operation right for the ciphertext model;
and if the decryption fails, determining that the client side does not have the operation right for the ciphertext model.
8. The method of claim 6, wherein the ciphertext model includes two verification subgraphs, namely a first verification subgraph concatenated with an input layer of the ciphertext model and a second verification subgraph concatenated with an output layer of the ciphertext model, and wherein operating the ciphertext model to execute the data processing task in response to the model operation request comprises:
responding to the model operation request, inputting the data to be processed of the data processing task into a first verification subgraph of the ciphertext model, and encrypting the data to be processed through the first verification subgraph to obtain ciphertext data;
inputting the ciphertext data into an input layer of the ciphertext model, and performing data processing on the ciphertext data based on the ciphertext model;
acquiring a data processing result output by an output layer of the ciphertext model;
and inputting the data processing result into the second verification subgraph for encryption processing to obtain and output an encrypted data processing result.
9. The method of claim 6, wherein before the inputting the second key into the verification subgraph in the ciphertext model in the case that the received model operation request is determined to meet the preset verification trigger condition, the method further comprises:
receiving a model operation request for the ciphertext model and recording the current request count;
and if the current request count is greater than a preset count, determining that the model operation request meets the preset verification trigger condition.
10. The method of claim 6, wherein before the inputting the second key into the verification subgraph in the ciphertext model in the case that the received model operation request is determined to meet the preset verification trigger condition, the method further comprises:
receiving a model operation request for the ciphertext model and recording a first request time of the model operation request;
calculating the time difference between the first request time and a second request time, the second request time being the time of the last received model operation request that met the verification trigger condition;
and if the time difference is greater than a preset period, determining that the model operation request meets the preset verification trigger condition.
11. A model processing method applied to a key management subsystem, the method comprising:
performing security authentication on a client according to device information of the client;
generating a key if the client passes the security authentication, wherein the key comprises a first key and a second key;
and the client acquires the operation right for the ciphertext model according to the second key so as to execute a data processing task by using the ciphertext model.
12. The method according to claim 11, wherein performing security authentication on the client according to the device information of the client comprises:
matching the device information of the client with the current configuration parameters of the client, and determining whether the client passes the security authentication;
if the device information of the client matches the current configuration parameters of the client, determining that the client passes the security authentication;
and if the device information of the client does not match the current configuration parameters of the client, determining that the client fails the security authentication.
13. The method of claim 11, wherein generating the key if the client passes the security authentication comprises:
if the client passes the security authentication, generating a key according to key configuration parameters, wherein the key configuration parameters comprise at least one of a key validity period and a key use count.
14. A model encryption system is characterized by comprising a server side, a client side and a key management subsystem,
the key management subsystem is used for performing security authentication on the client according to the device information of the client, generating a key if the client passes the security authentication, wherein the key comprises a first key and a second key, and distributing the first key to the server side and the second key to the client side;
the server side is used for generating a verification subgraph according to the first key distributed by the key management subsystem, adding the verification subgraph to a neural network model to be encrypted to obtain a ciphertext model, and sending the ciphertext model to the client side;
the client side is used for receiving the second key distributed by the key management subsystem and the ciphertext model sent by the server side, and acquiring the operation right for the ciphertext model according to the second key so as to execute a data processing task by using the ciphertext model.
15. A model processing apparatus applied to a server, the apparatus comprising:
the key receiving module is used for receiving a first key distributed by the key management subsystem, wherein the first key is generated by the key management subsystem if the client passes security authentication;
the verification sub-graph generation module is used for generating a verification sub-graph according to the model framework of the neural network model to be encrypted and the first key;
the ciphertext model generating module is used for adding the verification subgraph to the neural network model to obtain a ciphertext model;
and the ciphertext model sending module is used for sending the ciphertext model to the client so as to enable the client to execute a data processing task based on the ciphertext model.
16. A model processing device applied to a client, the device comprising:
the model receiving module is used for receiving a second key distributed by the key management subsystem and a ciphertext model sent by the server side, wherein the second key is generated by the key management subsystem if the client side passes security authentication;
the key input module is used for inputting the second key into a verification subgraph in the ciphertext model if the received model operation request is determined to meet a preset verification trigger condition, wherein the model operation request carries a data processing task;
the verification subgraph execution module is used for executing the verification subgraph so as to verify, according to the second key, whether the client side has the operation right for the ciphertext model;
and the ciphertext model operation module is used for responding to the model operation request by operating the ciphertext model to execute the data processing task if the client side is determined to have the operation right for the ciphertext model.
17. A model processing apparatus, applied to a key management subsystem, the apparatus comprising:
the security authentication module is used for performing security authentication on the client according to the device information of the client;
the key generation module is used for generating a key if the client passes the security authentication, wherein the key comprises a first key and a second key;
and the key distribution module is used for distributing the first key to a server side and the second key to the client, so that the server side generates a verification subgraph according to the first key and adds the verification subgraph to a neural network model to be encrypted to obtain a ciphertext model, and the client acquires the operation right for the ciphertext model according to the second key so as to execute a data processing task by using the ciphertext model.
18. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the model processing method according to any one of claims 1 to 13.
19. An electronic device, comprising: a processor and a memory, the processor being configured to execute a data processing program stored in the memory to implement the model processing method of any of claims 1 to 13.
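The claims above describe the server and client halves of the flow. The following Python example, added here and not part of the patent, shows one way to realise them: the server builds a verification subgraph from the first key (claims 2 to 4) as an encrypted marker carrying an authentication tag; the client executes that subgraph with the second key and treats a successful decryption as holding the operation right (claims 6 and 7); and re-verification is triggered either when the request count since the last verification exceeds a preset count (claim 9) or when the time since the last verified request exceeds a preset period (claim 10). The marker value, the SHA-256/HMAC construction, the `CiphertextModel` and `Client` names and the stand-in "model" that merely doubles its input are assumptions; the first and second key are the same bytes because the construction is symmetric, and the encryption of input and output data from claims 5 and 8 is not modelled.

```python
import hashlib
import hmac
import secrets

# Constructed marker plaintext hidden inside the verification subgraph; the client
# must recover it exactly to prove that it holds the second key.
MARKER = b"ciphertext-model-ok"


def _keystream(key, nonce, length):
    """Toy keystream for the short marker: one SHA-256 block of key||nonce (assumption)."""
    if length > 32:
        raise ValueError("marker longer than one digest block")
    return hashlib.sha256(key + nonce).digest()[:length]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def build_verification_subgraph(first_key):
    """Server side (claims 2-4): encrypt the marker under the first key, then MAC it."""
    nonce = secrets.token_bytes(16)
    ciphertext = _xor(MARKER, _keystream(first_key, nonce, len(MARKER)))
    tag = hmac.new(first_key, nonce + ciphertext, hashlib.sha256).digest()
    return {"nonce": nonce, "ciphertext": ciphertext, "tag": tag}


def run_verification_subgraph(subgraph, second_key):
    """Client side (claim 7): decryption succeeds only with the matching second key."""
    expected_tag = hmac.new(second_key, subgraph["nonce"] + subgraph["ciphertext"],
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_tag, subgraph["tag"]):
        return False  # wrong key or tampered subgraph: refuse before decrypting
    plaintext = _xor(subgraph["ciphertext"],
                     _keystream(second_key, subgraph["nonce"], len(subgraph["ciphertext"])))
    return hmac.compare_digest(plaintext, MARKER)


class CiphertextModel:
    """A plain model function with a verification subgraph inserted before its input layer."""

    def __init__(self, model_fn, first_key):
        self.model_fn = model_fn
        self.verification_subgraph = build_verification_subgraph(first_key)


class Client:
    """Runs the ciphertext model, re-verifying when either trigger condition fires."""

    def __init__(self, ciphertext_model, second_key, preset_count=3, preset_period=60.0):
        self.model = ciphertext_model
        self.second_key = second_key
        self.preset_count = preset_count      # claim 9: requests since the last verification
        self.preset_period = preset_period    # claim 10: seconds since the last verified request
        self.request_count = 0
        self.last_verified_at = None
        self.has_operation_right = False
        self.verification_runs = 0            # exposed so the trigger logic can be observed

    def _meets_trigger(self, now):
        if self.last_verified_at is None:     # the first request always verifies
            return True
        if self.request_count > self.preset_count:
            return True
        return now - self.last_verified_at > self.preset_period

    def run(self, data, now):
        """Model operation request carrying one data processing task; returns None when refused."""
        self.request_count += 1
        if self._meets_trigger(now):
            self.has_operation_right = run_verification_subgraph(
                self.model.verification_subgraph, self.second_key)
            self.verification_runs += 1
            self.request_count = 0
            self.last_verified_at = now
        if not self.has_operation_right:
            return None
        return self.model.model_fn(data)
```

Checking the tag before decrypting means a client holding the wrong key, or a ciphertext model whose subgraph was modified in transit, is rejected without ever producing a decrypted marker to compare. The `now` argument is passed explicitly so that the count and period triggers can be exercised deterministically.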
CN202210478472.2A 2022-04-29 2022-04-29 Model processing method and device and computer readable storage medium Active CN115001748B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210478472.2A CN115001748B (en) 2022-04-29 2022-04-29 Model processing method and device and computer readable storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210478472.2A CN115001748B (en) 2022-04-29 2022-04-29 Model processing method and device and computer readable storage medium

Publications (2)

Publication Number Publication Date
CN115001748A true CN115001748A (en) 2022-09-02
CN115001748B CN115001748B (en) 2023-11-03

Family

ID=83024757

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210478472.2A Active CN115001748B (en) 2022-04-29 2022-04-29 Model processing method and device and computer readable storage medium

Country Status (1)

Country Link
CN (1) CN115001748B (en)

Patent Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20200036510A1 (en) * 2018-07-25 2020-01-30 Sap Se Neural network encryption system
CN109040091A (en) * 2018-08-17 2018-12-18 中科物栖(北京)科技有限责任公司 The encryption method and device of deep neural network model
US20200244437A1 (en) * 2019-04-30 2020-07-30 Alibaba Group Holding Limited Method and device for security assessment of encryption models
CN110619220A (en) * 2019-08-09 2019-12-27 北京小米移动软件有限公司 Method and device for encrypting neural network model and storage medium
EP3772700A1 (en) * 2019-08-09 2021-02-10 Beijing Xiaomi Mobile Software Co., Ltd. Method and device for encrypting model of neural network, and storage medium
CN111563265A (en) * 2020-04-27 2020-08-21 电子科技大学 Distributed deep learning method based on privacy protection
CN111859415A (en) * 2020-06-18 2020-10-30 上海艾麒信息科技有限公司 Neural network model encryption system and method
CN111898145A (en) * 2020-07-22 2020-11-06 苏州浪潮智能科技有限公司 Neural network model training method, device, equipment and medium
CN112541593A (en) * 2020-12-06 2021-03-23 支付宝(杭州)信息技术有限公司 Method and device for jointly training business model based on privacy protection
CN112883391A (en) * 2021-02-19 2021-06-01 广州橙行智动汽车科技有限公司 Data protection method and device and electronic equipment
CN113673676A (en) * 2021-08-18 2021-11-19 安谋科技(中国)有限公司 Electronic device, method for implementing neural network model, system on chip, and medium
CN114003961A (en) * 2021-12-03 2022-02-01 青岛大学 Deep neural network reasoning method with privacy protection

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Tosin A. Adesuyi (Department of Software Engineering, Kumoh National Institute of Technology, Gumi, South Korea): "A layer-wise Perturbation based Privacy Preserving Deep Neural Networks", 2019 International Conference on Artificial Intelligence in Information and Communication (ICAIIC) *

Also Published As

Publication number Publication date
CN115001748B (en) 2023-11-03

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant