CN115001748B - Model processing method and device and computer readable storage medium - Google Patents

Model processing method and device and computer readable storage medium

Info

Publication number: CN115001748B
Application number: CN202210478472.2A
Authority: CN (China)
Prior art keywords: model, key, client, ciphertext, graph
Legal status: Active (listed by Google Patents as an assumption, not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN115001748A (en)
Inventor: 杨天
Current assignee: Beijing QIYI Century Science and Technology Co Ltd
Original assignee: Beijing QIYI Century Science and Technology Co Ltd
Events: application filed by Beijing QIYI Century Science and Technology Co Ltd; priority to CN202210478472.2A; publication of CN115001748A; application granted; publication of CN115001748B; legal status Active

Classifications

    • H04L 63/0428: Network security; confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • G06N 3/04: Neural networks; architecture, e.g. interconnection topology
    • H04L 63/08: Network security; authentication of entities
    • H04L 9/0625: Block ciphers with splitting of the data block into left and right halves, e.g. Feistel based algorithms, DES, FEAL, IDEA or KASUMI
    • H04L 9/0631: Block ciphers; substitution permutation network [SPN], i.e. a cipher composed of a number of rounds each involving linear and nonlinear transformations, e.g. AES algorithms
    • H04L 9/0819: Key establishment; key transport or distribution, i.e. one party creates or otherwise obtains a secret value and securely transfers it to the other(s)
    • H04L 9/085: Key establishment; secret sharing or secret splitting, e.g. threshold schemes
    • H04L 9/0861: Key management; generation of secret information including derivation or calculation of cryptographic keys or passwords

Abstract

The invention provides a model processing method, a model processing device and a computer-readable storage medium in the field of data security. Because the key management subsystem performs both key generation and key distribution, key management is unified; the client that receives and runs the neural network model is thereby confirmed to be legitimate, illegal use of the model is effectively prevented, and the security of the model is improved. The server adds a verification subgraph to the neural network model to be encrypted to obtain a ciphertext model and transmits the ciphertext model to the client, so the network structure, node weights and similar information of the model are not exposed while the model is released and transmitted, which secures the model in transit; before running the received ciphertext model, the client must obtain the running authority for it through the received second key, which secures the model in use.

Description

Model processing method and device and computer readable storage medium
Technical Field
The present invention relates to the field of data security, and in particular, to a method and apparatus for processing a model, and a computer readable storage medium.
Background
Deep learning is a main technical scheme of current artificial intelligence application, and a neural network model trained by a deep learning technology is widely applied to various fields such as man-machine interaction, recommendation systems, safety protection and the like. Specific scenarios include speech processing, image recognition, credit assessment, filtering malicious mail, combating malicious network attacks, etc. With the increase of edge devices and terminal devices, training neural network models in the cloud and processing data on the edge devices using deep learning accelerators has become a trend.
However, while a neural network model is being published and applied, its network structure and node weights are completely exposed, so the model is easy for a third party to copy, redevelop or modify, which compromises model security.
Therefore, in order to prevent the neural network model from being copied, attacked and tampered by others, encryption processing needs to be performed on the neural network model, so that the security of the neural network model is improved.
Disclosure of Invention
The invention provides a model processing method, a model processing device and a computer readable storage medium, which can prevent a neural network model from being copied, attacked and tampered by other people and improve the safety of the neural network model.
According to a first aspect of the present invention, there is provided a model processing method applied to a model encryption system, the model encryption system including a server, a client, and a key management subsystem, the method comprising:
the key management subsystem carries out security authentication on the client according to the equipment information of the client, and generates a key under the condition that the client passes the security authentication, wherein the key comprises a first key and a second key; distributing the first key to a server and the second key to a client;
the server generates a verification sub-graph according to a first key distributed by the key management subsystem, and adds the verification sub-graph to a neural network model to be encrypted to obtain a ciphertext model; sending the ciphertext model to the client;
and the client receives a second key distributed by the key management subsystem and the ciphertext model transmitted by the server, and acquires the operation authority for the ciphertext model according to the second key so as to execute a data processing task by using the ciphertext model.
According to a second aspect of the present invention, there is provided a model processing method applied to a server, the method comprising:
Receiving a first key distributed by a key management subsystem, wherein the first key is generated by the key management subsystem under the condition that a client passes security authentication;
generating a verification sub-graph according to a model framework of the neural network model to be encrypted and the first key;
adding the verification subgraph into the neural network model to obtain a ciphertext model;
and sending the ciphertext model to a client so that the client can execute a data processing task based on the ciphertext model.
According to a third aspect of the present invention, there is provided a model processing method applied to a client, the method comprising:
receiving a second key distributed by a key management subsystem and a ciphertext model sent by a server, wherein the second key is generated by the key management subsystem under the condition that the client passes security authentication;
under the condition that the received model operation request meets a preset verification trigger condition, inputting the second key into a verification sub-graph in the ciphertext model; the model operation request carries a data processing task;
executing the verification sub-graph to verify whether the client side has the operation authority for the ciphertext model according to the second key;
and if the client side is determined to have the operation authority for the ciphertext model, responding to the model operation request, and operating the ciphertext model to execute the data processing task.
According to a fourth aspect of the present invention, there is provided a model processing method applied to a key management subsystem, the method comprising:
carrying out security authentication on a client according to equipment information of the client;
generating a key under the condition that the client passes the security authentication, wherein the key comprises a first key and a second key;
and distributing the first key to a server and the second key to the client so that the server generates a verification sub-graph according to the first key, and the client obtains the operation authority for the ciphertext model according to the second key so as to execute a data processing task by using the ciphertext model.
According to a fifth aspect of the present invention, there is provided a model encryption system comprising a server, a client and a key management subsystem,
the key management subsystem is used for carrying out security authentication on the client according to the equipment information of the client, and generating a key under the condition that the client passes the security authentication, wherein the key comprises a first key and a second key; distributing the first key to a server and the second key to a client;
the server side is used for generating a verification sub-graph according to a first key distributed by the key management subsystem, and adding the verification sub-graph into a neural network model to be encrypted to obtain a ciphertext model; sending the ciphertext model to the client;
the client is used for receiving a second key distributed by the key management subsystem and the ciphertext model sent by the server, and acquiring the operation authority for the ciphertext model according to the second key so as to execute a data processing task by using the ciphertext model.
According to a sixth aspect of the present invention, there is provided a model processing apparatus applied to a server, the apparatus comprising:
the key receiving module is used for receiving a first key distributed by the key management subsystem, wherein the first key is generated by the key management subsystem under the condition that the client passes the security authentication;
the verification sub-graph generation module is used for generating a verification sub-graph according to a model framework of the neural network model to be encrypted and the first secret key;
the ciphertext model generation module is used for adding the verification subgraph into the neural network model to obtain a ciphertext model;
and the ciphertext model sending module is used for sending the ciphertext model to a client so that the client can execute a data processing task based on the ciphertext model.
According to a seventh aspect of the present invention, there is provided a model processing apparatus, for application to a client, the apparatus comprising:
the model receiving module is used for receiving a second secret key distributed by the secret key management subsystem and a ciphertext model sent by the server, wherein the second secret key is generated by the secret key management subsystem under the condition that the client passes the security authentication;
the key input module is used for inputting the second key into the verification subgraph in the ciphertext model under the condition that the received model operation request meets the preset verification trigger condition; the model operation request carries a data processing task;
the verification sub-graph execution module is used for executing the verification sub-graph to verify whether the client side has the operation authority for the ciphertext model according to the second secret key;
and the ciphertext model running module is used for responding to the model running request to run the ciphertext model to execute the data processing task if the client side is determined to have the running authority for the ciphertext model.
According to an eighth aspect of the present invention, there is provided a model processing apparatus applied to a key management subsystem, the apparatus comprising:
the security authentication module is used for performing security authentication on the client according to the equipment information of the client;
a key generation module, configured to generate a key when the client passes the security authentication, where the key includes a first key and a second key;
the key distribution module is used for distributing the first key to a server and distributing the second key to the client, so that the server generates a verification sub-graph according to the first key, the verification sub-graph is added into a neural network model to be encrypted to obtain a ciphertext model, and the client obtains the operation authority aiming at the ciphertext model according to the second key so as to execute a data processing task by utilizing the ciphertext model.
According to a ninth aspect of the present invention, there is provided a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the model processing method according to any one of the first aspects.
Compared with the prior art, the invention has the following advantages:
according to the model processing method provided by the embodiment of the invention, the neural network model is encrypted and decrypted through the model encryption system. The model encryption system comprises a server, a client and a key management subsystem. The key management subsystem carries out security authentication on the client according to the equipment information of the client, and generates a key under the condition that the client passes the security authentication, wherein the key comprises a first key and a second key; distributing the first key to a server and the second key to a client; the server generates a verification sub-graph according to a first key distributed by the key management subsystem, and adds the verification sub-graph to a neural network model to be encrypted to obtain a ciphertext model; sending the ciphertext model to the client; and the client receives a second key distributed by the key management subsystem and the ciphertext model transmitted by the server, and acquires the operation authority for the ciphertext model according to the second key so as to execute a data processing task by using the ciphertext model. The embodiment of the invention realizes unified management of the secret key by executing the generation and distribution operation of the secret key through the secret key management subsystem; in addition, the key is generated under the condition that the client passes the security authentication, and a series of processing operations on the neural network model are started, so that the legality of the client for receiving and operating the neural network model is ensured, the neural network model can be effectively prevented from being illegally used, and the security of the neural network model is improved. 
In the embodiment of the invention, a verification subgraph is added in the neural network model to be encrypted by the server to obtain a ciphertext model, and the ciphertext model is transmitted to the client, so that the information such as the network structure and node weight of the neural network model cannot be exposed in the process of releasing and transmitting the model, and the transmission safety of the neural network model is ensured; before the client runs the received ciphertext model, the client needs to acquire the running authority for the ciphertext model through the received second key, so that the application safety of the neural network model is ensured.
The foregoing description is only an overview of the technical solution of the present invention. So that the technical means of the invention can be understood more clearly and implemented according to the specification, and so that the above and other objects, features and advantages of the invention become more apparent, specific embodiments of the invention are set out below.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to designate like parts throughout the figures. In the drawings:
FIG. 1 is a flow chart of steps of a model processing method according to an embodiment of the present invention;
FIG. 2 is a block diagram of a model encryption system according to an embodiment of the present invention;
FIG. 3 is a flowchart illustrating steps of another model processing method according to an embodiment of the present invention;
FIG. 4 is a flow chart of steps of yet another model processing method provided by an embodiment of the present invention;
FIG. 5 is a flowchart illustrating steps of another model processing method according to an embodiment of the present invention;
FIG. 6 is a block diagram of a model processing apparatus according to an embodiment of the present invention;
FIG. 7 is a block diagram of another model processing device according to an embodiment of the present invention;
FIG. 8 is a block diagram of a model processing apparatus according to still another embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present invention will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present invention are shown in the drawings, it should be understood that the present invention may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the invention to those skilled in the art.
Fig. 1 is a flowchart of steps of a model processing method according to an embodiment of the present invention, as shown in fig. 1, the method may include:
step 101, a key management subsystem carries out security authentication on a client according to equipment information of the client, and generates a key under the condition that the client passes the security authentication, wherein the key comprises a first key and a second key; and distributing the first key to a server and distributing the second key to a client.
Step 102, a server generates a verification sub-graph according to a first key distributed by the key management subsystem, and adds the verification sub-graph to a neural network model to be encrypted to obtain a ciphertext model; and sending the ciphertext model to the client.
Step 103, the client receives a second key distributed by the key management subsystem and the ciphertext model sent by the server, and obtains the operation authority for the ciphertext model according to the second key so as to execute the data processing task by using the ciphertext model.
The model processing method provided by the embodiment of the invention is applied to a model encryption system, and referring to fig. 2, a structural block diagram of the model encryption system is shown, and as shown in fig. 2, the model encryption system includes a server 201, a client 202 and a key management subsystem 203.
The key management subsystem is used for carrying out security authentication on the client according to the equipment information of the client so as to judge the legality of the client. As an example, whether the current configuration parameter of the client is tampered maliciously can be judged according to the device information and the current configuration parameter of the client, and if the current configuration parameter of the client is tampered maliciously, the client is determined to be illegal, namely, the security authentication is not passed; otherwise, determining that the client passes the security authentication. If the key management subsystem determines that the client passes the security authentication, a key is generated, including a first key for model encryption and a second key for model decryption. The specific generation method can be determined according to a preset encryption algorithm, for example, if a symmetric encryption algorithm is adopted, the first key and the second key are generated according to the symmetric encryption algorithm; if an asymmetric encryption algorithm is employed, the first key and the second key are generated according to the asymmetric encryption algorithm. After the key management subsystem generates the first key and the second key, the first key is distributed to the server, and the second key is distributed to the client.
After receiving the first key distributed by the key management subsystem, the server generates a verification sub-graph according to the first key, and adds the verification sub-graph into the neural network model to be encrypted to obtain a ciphertext model. It should be noted that, in the embodiment of the present invention, the verification sub-graph generated by the server is equivalent to a functional module of the ciphertext model, and is used for verifying the authority of the client that requests to run the ciphertext model. After obtaining the ciphertext model, the server sends the ciphertext model to the client for use by the client.
After receiving the second key distributed by the key management subsystem and the ciphertext model sent by the server, the client acquires the operation authority for the ciphertext model according to the second key so as to execute the data processing task by using the ciphertext model. The client inputs the second key into the verification subgraph of the ciphertext model to perform the decryption calculation; if decryption succeeds, the client is determined to have the operation authority for the ciphertext model; otherwise, if decryption fails, the client is determined not to have the operation authority for the ciphertext model.
The embodiment of the invention realizes unified management of the secret key by executing the generation and distribution operation of the secret key through the secret key management subsystem; in addition, the key is generated under the condition that the client passes the security authentication, and a series of processing operations on the neural network model are started, so that the legality of the client for receiving and operating the neural network model is ensured, the neural network model can be effectively prevented from being illegally used, and the security of the neural network model is improved. In the embodiment of the invention, a verification subgraph is added in the neural network model to be encrypted by the server to obtain a ciphertext model, and the ciphertext model is transmitted to the client, so that the information such as the network structure and node weight of the neural network model cannot be exposed in the process of releasing and transmitting the model, and the transmission safety of the neural network model is ensured; before the client runs the received ciphertext model, the client needs to acquire the running authority for the ciphertext model through the received second key, so that the application safety of the neural network model is ensured.
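The key management subsystem's part of the flow above (security authentication on the client's device information, key generation only on success, distribution of the first key to the server and the second key to the client), as an added example that is not part of the patent and not the applicant's code. It uses only the Python standard library. The enrolment registry, the device-info fields, the use of a digest of the configuration parameters as the tamper check, and the device names are this example's assumptions; only the symmetric case (first key and second key are the same secret) is implemented.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class DeviceInfo:
    """What the client presents: its identity plus its current configuration parameters (assumed fields)."""
    device_id: str
    config: Dict[str, object]

    def digest(self) -> bytes:
        canonical = json.dumps({"id": self.device_id, "config": self.config}, sort_keys=True)
        return hashlib.sha256(canonical.encode()).digest()


class KeyManagementSubsystem:
    def __init__(self) -> None:
        self._baseline: Dict[str, bytes] = {}    # device_id -> digest of the enrolled, known-good configuration
        self.server_keys: Dict[str, bytes] = {}  # first keys, as distributed to the server
        self.client_keys: Dict[str, bytes] = {}  # second keys, as distributed to the client

    def enroll(self, info: DeviceInfo) -> None:
        """Record the known-good configuration of a legitimate client (assumed provisioning step)."""
        self._baseline[info.device_id] = info.digest()

    def security_authentication(self, info: DeviceInfo) -> bool:
        """Pass only if the device is enrolled and its current configuration matches the
        baseline, i.e. the configuration parameters have not been tampered with."""
        expected = self._baseline.get(info.device_id)
        return expected is not None and hmac.compare_digest(expected, info.digest())

    @staticmethod
    def generate_key(algorithm: str = "symmetric") -> Tuple[bytes, bytes]:
        """Symmetric case: the first (encryption) key and the second (decryption) key are one secret.
        The asymmetric case the text also allows needs a public-key library and is not shown."""
        if algorithm != "symmetric":
            raise NotImplementedError("only the symmetric case is shown in this example")
        key = secrets.token_bytes(32)
        return key, key

    def process_client(self, info: DeviceInfo) -> Optional[Tuple[bytes, bytes]]:
        """Step 101: authenticate first; generate and distribute keys only on success."""
        if not self.security_authentication(info):
            return None
        first_key, second_key = self.generate_key()
        self.server_keys[info.device_id] = first_key
        self.client_keys[info.device_id] = second_key
        return first_key, second_key


def demo() -> Tuple[bool, bool, bool]:
    """Constructed devices: an enrolled one, the same one with a tampered setting, an unknown one."""
    kms = KeyManagementSubsystem()
    good = DeviceInfo("edge-001", {"firmware": "1.4.2", "debug": False})
    kms.enroll(good)
    issued = kms.process_client(good) is not None
    tampered = DeviceInfo("edge-001", {"firmware": "1.4.2", "debug": True})
    unknown = DeviceInfo("edge-999", {"firmware": "1.4.2", "debug": False})
    return issued, kms.process_client(tampered) is None, kms.process_client(unknown) is None


if __name__ == "__main__":
    print(demo())  # (True, True, True)
```

The point the example makes is the ordering: no key material exists for a client until its device information has passed the check, so a client whose configuration differs from its enrolled baseline, or that was never enrolled, receives nothing, and the server receives no first key for it either.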
Fig. 3 is a flowchart of steps of another model processing method provided in an embodiment of the present invention, which is applied to a server, and as shown in fig. 3, the method may include:
step 301, a first key distributed by a key management subsystem is received, wherein the first key is generated by the key management subsystem under the condition that a client passes security authentication.
Step 302, generating a verification subgraph according to a model framework of the neural network model to be encrypted and the first key.
Step 303, adding the verification subgraph to the neural network model to obtain a ciphertext model.
Step 304, sending the ciphertext model to a client so that the client can execute a data processing task based on the ciphertext model.
Wherein the first key is generated by the key management subsystem in the event that the client passes the security authentication. And the key management subsystem generates a first key and a second key under the condition that the client passes the security authentication, distributes the first key to the server, and distributes the second key to the client.
After receiving the first key distributed by the key management subsystem, the server generates a verification sub-graph according to the model framework of the neural network model to be encrypted and the first key, and adds the verification sub-graph into the neural network model to obtain a ciphertext model. It should be noted that, in the embodiment of the present invention, the model framework of the neural network model is not particularly limited; for example, the model framework may be TensorFlow, PyTorch or the like.
After obtaining the ciphertext model, the server sends the ciphertext model to the client for the client to execute a data processing task based on the ciphertext model.
In the embodiment of the invention, the server adds the verification subgraph in the neural network model to be encrypted to obtain the ciphertext model, and transmits the ciphertext model to the client, so that the information such as the network structure and the node weight of the neural network model cannot be exposed in the process of releasing and transmitting the model, and the transmission safety of the neural network model is ensured.
In an alternative embodiment of the present invention, step 302 of generating a verification sub-graph according to the model framework of the neural network model to be encrypted and the first key includes:
sub-step 3021, determining a model framework of the neural network model to be encrypted;
sub-step 3022, calling a corresponding compiling algorithm according to the model framework to generate a verification sub-graph;
sub-step 3023, performing encryption processing on the verification sub-graph according to the first key and an encryption algorithm to obtain an encrypted verification sub-graph;
and step 3024, adding the encrypted verification sub-graph to the neural network model to obtain a ciphertext model.
In the embodiment of the invention, the model framework of the neural network model to be encrypted can be determined first, and then a corresponding compiling algorithm is called according to the model framework to generate a verification subgraph.
It can be understood that the generated verification sub-graph is a plaintext verification sub-graph; to ensure the security of the model, the server needs to encrypt the verification sub-graph according to the received first key to obtain an encrypted verification sub-graph, that is, a ciphertext verification sub-graph. Optionally, the encryption algorithm may be a symmetric encryption algorithm or an asymmetric encryption algorithm. Illustratively, in embodiments of the present invention, a DES algorithm, a 3DES algorithm, an AES algorithm, or the like may be employed. Finally, the ciphertext verification subgraph is added into the neural network model to obtain the ciphertext model.
As an example, adding the encrypted verification sub-graph to the neural network model to obtain a ciphertext model includes: inserting the encrypted verification sub-graph before an input layer of the neural network model to obtain the ciphertext model, where the encrypted verification sub-graph is used to verify the client that receives the ciphertext model.
In the embodiment of the invention, the encrypted verification sub-graph may be inserted before the input layer of the neural network model, so that when the client runs the ciphertext model, the client's operation authority is verified through the verification sub-graph; only after the client is determined to have operation authority for the ciphertext model is the computation data of the data processing task to be executed by the client fed into the input layer of the ciphertext model for processing.
As another example, the encrypted verification sub-graph includes a first verification sub-graph and a second verification sub-graph, and adding the encrypted verification sub-graph to the neural network model to obtain a ciphertext model includes: inserting the first verification sub-graph before an input layer of the neural network model and inserting the second verification sub-graph after an output layer of the neural network model.
The first verification sub-graph is used to verify the client that receives the ciphertext model and to encrypt the data to be processed that is input into it; the second verification sub-graph is used to encrypt the data processing result output by the output layer.
In the embodiment of the invention, besides inserting the first verification sub-graph before the input layer of the neural network model, the second verification sub-graph may be inserted after the output layer. When the client runs the ciphertext model, its operation authority is verified through the first verification sub-graph; after the client is determined to have operation authority for the ciphertext model, the computation data of the data processing task to be executed is encrypted and then input into the input layer of the ciphertext model for processing, and the output layer outputs the data processing result. The data processing result is then encrypted through the second verification sub-graph, so that the result finally output by the ciphertext model is also ciphertext. Because both the input data and the output data of the ciphertext model are ciphertext, data leakage is effectively avoided and data security is ensured.
In summary, according to the model processing method provided by the embodiment of the invention, the server adds the verification sub-graph to the neural network model to be encrypted to obtain the ciphertext model and transmits the ciphertext model to the client, so that information such as the network structure and the node weights of the neural network model is not exposed during model release and transmission, and the transmission security of the neural network model is ensured.
Fig. 4 is a flowchart of the steps of another model processing method provided in an embodiment of the present invention, applied to a client. As shown in fig. 4, the method may include:
step 401, receiving a second key distributed by a key management subsystem and a ciphertext model sent by a server, where the second key is generated by the key management subsystem when the client passes security authentication.
step 402, when the received model operation request is determined to meet a preset verification trigger condition, inputting the second key into a verification sub-graph in the ciphertext model, where the model operation request carries a data processing task.
step 403, executing the verification sub-graph to verify, according to the second key, whether the client has operation authority for the ciphertext model.
step 404, if the client is determined to have operation authority for the ciphertext model, running the ciphertext model in response to the model operation request to execute the data processing task.
The second key is generated by the key management subsystem when the client passes security authentication: once the client passes security authentication, the key management subsystem generates a first key and a second key, distributes the first key to the server, and distributes the second key to the client.
The ciphertext model includes an encrypted verification sub-graph, which the server generates according to the model framework of the neural network model to be encrypted and the first key.
After receiving the second key distributed by the key management subsystem and the ciphertext model sent by the server, the client runs the ciphertext model according to a received model operation request. The model operation request may be generated by the user of the client performing a triggering operation, such as clicking a preset button in the client or invoking the ciphertext model; or it may be sent by an electronic device that issues data processing tasks, for example a server or another client sending a model operation request to the client holding the ciphertext model, so as to trigger that client to execute the data processing task based on the ciphertext model. It should be noted that the embodiment of the present invention does not specifically limit how the model operation request is generated.
When the client receives a model operation request, it judges whether the request meets a preset verification trigger condition. The verification trigger condition indicates whether the current model operation request requires verification; it may be, for example, that the current request count of model operation requests is larger than a preset count, or that the time difference between two consecutive model operation requests is larger than a preset period.
As an example, before inputting the second key into the verification sub-graph in the ciphertext model when the received model operation request is determined to meet the preset verification trigger condition, the method further includes:
step S11, receiving a model operation request for the ciphertext model and recording the current request count;
step S12, if the current request count is larger than a preset count, determining that the model operation request meets the preset verification trigger condition.
In the embodiment of the invention, the client's operation authority may be verified according to the number of received model operation requests: once the client's operation authority has been verified and further operation requests arrive, no verification is performed while the current request count is smaller than the preset count, whereas once the current request count is larger than the preset count the client must be verified again, that is, the model operation request is determined to meet the preset verification trigger condition.
As another example, before inputting the second key into the verification sub-graph in the ciphertext model when the received model operation request is determined to meet the preset verification trigger condition, the method further includes:
step S21, receiving a model operation request for the ciphertext model and recording a first request time of the model operation request;
step S22, calculating the time difference between the first request time and a second request time, the second request time being the time at which a model operation request meeting the verification trigger condition was last received;
step S23, if the time difference is larger than a preset period, determining that the model operation request meets the preset verification trigger condition.
In the embodiment of the invention, the client's operation authority may be verified according to a preset period: after the operation authority has been verified once, it need not be verified again within the preset period. Specifically, when the time difference between the request time of the received model operation request and the time of the last verification is smaller than the preset period, the client need not be verified; when the time difference between the request time and the time of the last verification (that is, the second request time, at which a model operation request meeting the verification trigger condition was last received) is larger than the preset period, the client must be verified again, that is, the model operation request is determined to meet the preset verification trigger condition.
Optionally, the preset period includes the inference operation period corresponding to the model operation request. In the embodiment of the invention, setting the preset period to the inference operation period corresponding to the model operation request means that, once the verification sub-graph has passed verification, no re-verification is needed while the inference operation of the neural network model is still in progress, which improves the operating efficiency of the neural network model, ensures data security, and reduces verification complexity.
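The two trigger conditions above (request count, steps S11-S12; elapsed time since the last verifying request, steps S21-S23) as one stateful client-side policy. This is an added example, not code from the patent; the names, the injected clock, and the assumption that the very first request and any request after a failed check always trigger verification are mine.

```python
"""Client-side verification trigger condition (added example, not the patent's code).

`preset_times` is the page's preset count, `preset_period` its preset period in
seconds (which may be set to the inference operation period). The clock is injected
so the decision logic can be tested deterministically. All names are constructed.
"""
import time
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class VerificationTrigger:
    preset_times: Optional[int] = None        # S12: re-verify once count > preset_times (None = off)
    preset_period: Optional[float] = None     # S23: re-verify once elapsed > preset_period (None = off)
    clock: Callable[[], float] = time.monotonic
    request_count: int = 0                    # S11: requests recorded since the last successful check
    last_verified_at: Optional[float] = None  # S22: the "second request time" of the last verifying request

    def on_request(self) -> bool:
        """Record one model operation request; True means the second key must be checked now."""
        now = self.clock()
        self.request_count += 1
        if self.last_verified_at is None:
            return True  # assumption: never verified (or last check failed) -> verify
        if self.preset_times is not None and self.request_count > self.preset_times:
            return True  # S12: count-based trigger
        if self.preset_period is not None and now - self.last_verified_at > self.preset_period:
            return True  # S23: period-based trigger
        return False

    def record_result(self, passed: bool) -> None:
        """Feed back the outcome of executing the verification sub-graph."""
        if passed:
            self.request_count = 0
            self.last_verified_at = self.clock()
        else:
            # assumption: a failed check forces verification on every following request
            self.last_verified_at = None


if __name__ == "__main__":
    trigger = VerificationTrigger(preset_times=2, preset_period=10.0)
    for i in range(5):
        needs_check = trigger.on_request()
        print(f"request {i + 1}: verification required = {needs_check}")
        if needs_check:
            trigger.record_result(True)
```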
When the received model operation request is determined to meet the preset verification trigger condition, the client inputs the second key into the verification sub-graph in the ciphertext model and executes the verification sub-graph to verify, according to the second key, whether the client has operation authority for the ciphertext model. If the client is determined to have operation authority for the ciphertext model, it responds to the model operation request by running the ciphertext model to execute the data processing task carried in the request.
In an optional embodiment of the invention, step 403 of executing the verification sub-graph to verify, according to the second key, whether the client has operation authority for the ciphertext model includes:
sub-step 4031, executing the verification sub-graph to perform a decryption computation according to the second key;
sub-step 4032, if the decryption succeeds, determining that the client has operation authority for the ciphertext model;
sub-step 4033, if the decryption fails, determining that the client does not have operation authority for the ciphertext model.
In the embodiment of the invention, verifying according to the second key whether the client has operation authority for the ciphertext model essentially means decrypting the verification sub-graph in the ciphertext model with the second key: if the decryption succeeds, the client is determined to have operation authority for the ciphertext model; if it fails, the client is determined not to have operation authority for the ciphertext model.
In an alternative embodiment of the present invention, the ciphertext model includes two verification sub-graphs: a first verification sub-graph connected in series with the input layer of the ciphertext model and a second verification sub-graph connected in series with its output layer. Step 404 of running the ciphertext model to execute the data processing task in response to the model operation request then includes:
sub-step 4041, in response to the model operation request, inputting the data to be processed of the data processing task into the first verification sub-graph of the ciphertext model, so as to encrypt the data to be processed through the first verification sub-graph and obtain ciphertext data;
sub-step 4042, inputting the ciphertext data into the input layer of the ciphertext model and processing the ciphertext data with the ciphertext model;
sub-step 4043, obtaining the data processing result output by the output layer of the ciphertext model;
sub-step 4044, inputting the data processing result into the second verification sub-graph for encryption, obtaining an encrypted data processing result, and outputting the encrypted data processing result.
It should be noted that, in the embodiment of the present invention, the server may insert the encrypted verification sub-graph into the neural network model to be encrypted in two ways: either a single encrypted verification sub-graph is inserted before the input layer of the neural network model, or a first verification sub-graph is inserted before the input layer and a second verification sub-graph after the output layer. Consequently, the ciphertext model received by the client may contain only one verification sub-graph, or both the first and the second verification sub-graph. The first verification sub-graph is used to verify the client that receives the ciphertext model and to encrypt the data to be processed that is input into it; the second verification sub-graph is used to encrypt the data processing result output by the output layer.
If the ciphertext model received by the client contains only one verification sub-graph, the client runs the ciphertext model directly to execute the data processing task once it has been determined to have operation authority for the ciphertext model. If the ciphertext model contains both the first and the second verification sub-graph, the client also executes these two sub-graphs when running the ciphertext model.
Specifically, the client first inputs the data to be processed of the data processing task into the first verification sub-graph of the ciphertext model and executes that sub-graph to encrypt the data, obtaining ciphertext data. It then inputs the ciphertext data into the input layer of the ciphertext model and processes it with the ciphertext model, obtaining the data processing result output by the output layer. Finally, it inputs the data processing result into the second verification sub-graph and executes that sub-graph to encrypt the result, obtaining and outputting the encrypted data processing result.
In the embodiment of the invention, the first and second verification sub-graphs make both the input data and the output data of the ciphertext model ciphertext, so that data leakage is effectively avoided and data security is ensured.
In summary, in the model processing method provided by the embodiment of the invention, the server adds the verification sub-graph to the neural network model to be encrypted to obtain the ciphertext model and transmits the ciphertext model to the client, so that information such as the network structure and the node weights of the neural network model is not exposed during model release and transmission, and the transmission security of the neural network model is ensured; before the client runs the received ciphertext model, it must obtain operation authority for the ciphertext model through the received second key, so that the application security of the neural network model is ensured.
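The server-side wrapping of sub-steps 3021-3024 and the client-side check and run of sub-steps 4031-4033 and 4041-4044, as one added example that is not the patent's or the applicant's code. It assumes a symmetric scheme (first key and second key are the same bytes), uses an HMAC-SHA256 counter-mode cipher with an encrypt-then-MAC tag as a standard-library stand-in for the AES/DES the page names, and leaves out the first sub-graph's input-side encryption so that a plaintext core can still compute; the marker string, class and function names are constructed.

```python
"""Ciphertext model with an encrypted verification sub-graph (added example).

Server: seal a marker under the first key and place it before the input layer;
optionally a second sub-graph seals the output. Client: decryption success with
the second key == operation authority; with two sub-graphs the result leaves the
model as ciphertext. Cipher is a stdlib stand-in for the AES/DES named on the page.
"""
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass
from typing import Callable, List, Optional, Sequence

NONCE_LEN, TAG_LEN, DIGEST_LEN = 16, 32, 32
VERIFY_MARKER = b"verification-subgraph-v1"  # constructed plaintext hidden in the sub-graph


def _subkeys(key: bytes):
    """Derive independent encryption and MAC keys from the distributed key."""
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, n: int) -> bytes:
    """PRF in counter mode: HMAC(enc_key, nonce || counter) blocks, truncated to n bytes."""
    out = bytearray()
    for ctr in range((n + DIGEST_LEN - 1) // DIGEST_LEN):
        out += hmac.new(enc_key, nonce + struct.pack(">Q", ctr), hashlib.sha256).digest()
    return bytes(out[:n])


def seal(key: bytes, plaintext: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Encrypt-then-MAC. Layout: nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = nonce if nonce is not None else os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None when the tag fails (wrong key or tampered blob)."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


@dataclass
class CiphertextModel:
    """The plaintext core wrapped by the encrypted verification sub-graph(s)."""
    core: Callable[[Sequence[float]], Sequence[float]]
    verify_blob: bytes          # first verification sub-graph, placed before the input layer
    seal_output: bool = False   # second verification sub-graph, placed after the output layer

    def has_authority(self, second_key: bytes) -> bool:
        """Sub-steps 4031-4033: decrypt the verification sub-graph with the second key."""
        return unseal(second_key, self.verify_blob) == VERIFY_MARKER

    def run(self, second_key: bytes, data: Sequence[float]):
        """Step 404: run only with authority; with two sub-graphs the result leaves as ciphertext."""
        if not self.has_authority(second_key):
            raise PermissionError("client has no operation authority for the ciphertext model")
        result = list(self.core(data))
        if not self.seal_output:
            return result
        return seal(second_key, struct.pack(f">{len(result)}d", *result))


def build_ciphertext_model(core, first_key: bytes, two_subgraphs: bool = False) -> CiphertextModel:
    """Server side (sub-steps 3023-3024): seal the marker under the first key and attach it."""
    return CiphertextModel(core, seal(first_key, VERIFY_MARKER), seal_output=two_subgraphs)


def unseal_result(key: bytes, blob: bytes) -> Optional[List[float]]:
    """Consumer side: recover the float vector sealed by the second verification sub-graph."""
    pt = unseal(key, blob)
    if pt is None or len(pt) % 8:
        return None
    return list(struct.unpack(f">{len(pt) // 8}d", pt))


if __name__ == "__main__":
    key = os.urandom(32)  # in the scheme this comes from the key management subsystem
    model = build_ciphertext_model(lambda xs: [sum(xs)], key, two_subgraphs=True)
    print("authority with right key:", model.has_authority(key))
    print("authority with wrong key:", model.has_authority(os.urandom(32)))
    print("sealed result decrypts to:", unseal_result(key, model.run(key, [1.0, 2.0, 3.0])))
```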
Fig. 5 is a flowchart of the steps of another model processing method provided in an embodiment of the present invention, applied to a key management subsystem. As shown in fig. 5, the method may include:
step 501, performing security authentication on the client according to the device information of the client.
step 502, generating a key when the client passes the security authentication, where the key comprises a first key and a second key.
step 503, distributing the first key to a server and the second key to the client, so that the server generates a verification sub-graph according to the first key and adds it to the neural network model to be encrypted to obtain a ciphertext model, and the client obtains operation authority for the ciphertext model according to the second key so as to execute a data processing task with the ciphertext model.
In the embodiment of the invention, the key management subsystem performs security authentication on the client according to the client's device information in order to judge the legitimacy of the client. As an example, the device information and the current configuration parameters of the client can be used to judge whether the current configuration parameters have been tampered with maliciously; if so, the client is determined to be illegitimate, that is, it fails the security authentication; otherwise, the client is determined to pass the security authentication. If the key management subsystem determines that the client passes the security authentication, it generates a key comprising a first key and a second key. The specific generation method is determined by the preset encryption algorithm: if a symmetric encryption algorithm is adopted, the first key and the second key are generated according to the symmetric encryption algorithm; if an asymmetric encryption algorithm is adopted, they are generated according to the asymmetric encryption algorithm. After generating the first key and the second key, the key management subsystem distributes the first key to the server and the second key to the client.
In an optional embodiment of the present invention, performing security authentication on the client according to the device information of the client in step 501 includes:
sub-step 5011, matching the device information of the client with the current configuration parameters of the client and judging whether the client passes the security authentication;
sub-step 5012, if the device information of the client matches the current configuration parameters of the client, determining that the client passes the security authentication;
sub-step 5013, if the device information of the client does not match the current configuration parameters of the client, determining that the client fails the security authentication.
In the embodiment of the invention, security authentication of the client can be performed based on the client's device information and current configuration parameters. Specifically, the device information of the client is matched against its current configuration parameters to judge whether the current configuration parameters have been tampered with maliciously, and thereby whether the client passes the security authentication.
If the device information of the client matches the current configuration parameters, the configuration parameters of the client have not been tampered with maliciously, and the client can be determined to pass the security authentication. Otherwise, if the device information does not match the current configuration parameters, the configuration parameters have been tampered with maliciously, and the client can be determined to fail the security authentication.
In an optional embodiment of the invention, generating a key when the client passes the security authentication in step 502 includes:
generating a key according to a key configuration parameter when the client passes the security authentication, where the key configuration parameter includes at least one of a key validity period and a key use number.
It should be noted that, in the embodiment of the present invention, key configuration parameters such as a key validity period and a key use number may be set when the key is generated, so as to define the verification trigger condition that the client applies when verifying its operation authority according to the second key. For example, after the client has been verified once, it need not be verified again within the key validity period; or, after the client has decrypted once, it need not be authenticated again as long as the number of model operation requests received so far is smaller than the key use number.
In summary, the key management subsystem performs key generation and distribution, so that keys are managed in a unified manner. In addition, the key is generated, and the series of processing operations on the neural network model is started, only when the client passes the security authentication, which ensures the legitimacy of the client that receives and runs the neural network model, effectively prevents illegal use of the neural network model, and improves its security.
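Steps 501-503 and sub-steps 5011-5013 as a small key management subsystem, an added example that is not the patent's code: registered device information is matched field by field against what the client currently reports, and a key carrying the validity period and use number of step 502 is issued only on a full match. A symmetric scheme is assumed (first and second key hold the same bytes); the registry, field names and sample values are constructed.

```python
"""Key management subsystem of steps 501-503 (added example, not the patent's code).

Any mismatch between the registered device information and the configuration the
client currently reports is treated as tampering and no key is issued. The issued
KeyRecord carries the key configuration parameters that parameterize the client's
verification trigger condition. Symmetric keys are assumed; all names are constructed.
"""
import hmac
import os
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

CHECKED_FIELDS = ("device_id", "os_build", "app_hash")  # constructed device-information fields


@dataclass(frozen=True)
class KeyRecord:
    key: bytes
    issued_at: float
    validity_period: Optional[float]  # seconds; None = no expiry
    use_number: Optional[int]         # model operation requests before re-verification; None = unlimited


def mismatched_fields(device_info: Dict[str, str], current_config: Dict[str, str],
                      fields=CHECKED_FIELDS) -> List[str]:
    """Sub-step 5011: fields whose current value differs from (or is missing against) the registered one."""
    bad = []
    for f in fields:
        registered, current = device_info.get(f), current_config.get(f)
        if registered is None or current is None or not hmac.compare_digest(
                registered.encode(), current.encode()):
            bad.append(f)
    return bad


class KeyManagementSubsystem:
    def __init__(self, registry: Dict[str, Dict[str, str]],
                 clock: Callable[[], float] = time.time):
        self.registry = registry  # client id -> device information recorded at enrolment (assumption)
        self.clock = clock
        self.issued: Dict[str, KeyRecord] = {}

    def authenticate(self, client_id: str, current_config: Dict[str, str]) -> bool:
        """Step 501 / sub-steps 5012-5013: pass only when every checked field matches."""
        info = self.registry.get(client_id)
        return info is not None and not mismatched_fields(info, current_config)

    def issue(self, client_id: str, current_config: Dict[str, str],
              validity_period: Optional[float] = None,
              use_number: Optional[int] = None) -> Optional[Tuple[KeyRecord, KeyRecord]]:
        """Steps 502-503: (first key for the server, second key for the client), or None."""
        if not self.authenticate(client_id, current_config):
            return None
        record = KeyRecord(os.urandom(32), self.clock(), validity_period, use_number)
        self.issued[client_id] = record
        return record, record  # symmetric: both parties receive the same key bytes


if __name__ == "__main__":
    registry = {"client-A": {"device_id": "dev-1", "os_build": "build-100", "app_hash": "h-abc"}}
    kms = KeyManagementSubsystem(registry)
    reported = dict(registry["client-A"])
    print("issued:", kms.issue("client-A", reported, validity_period=3600.0, use_number=50) is not None)
    reported["app_hash"] = "h-xyz"  # constructed tampered configuration
    print("mismatch:", mismatched_fields(registry["client-A"], reported))
    print("issued after tampering:", kms.issue("client-A", reported))
```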
Fig. 2 is a block diagram of a model encryption system according to an embodiment of the present invention. As shown in fig. 2, the system may include:
a key management subsystem, configured to perform security authentication on the client according to the device information of the client, to generate a key comprising a first key and a second key when the client passes the security authentication, and to distribute the first key to a server and the second key to the client;
a server, configured to generate a verification sub-graph according to the first key distributed by the key management subsystem, to add the verification sub-graph to the neural network model to be encrypted to obtain a ciphertext model, and to send the ciphertext model to the client;
a client, configured to receive the second key distributed by the key management subsystem and the ciphertext model sent by the server, and to obtain operation authority for the ciphertext model according to the second key so as to execute a data processing task with the ciphertext model.
Fig. 6 is a block diagram of a model processing device according to an embodiment of the present invention, applied to a server. As shown in fig. 6, the device 60 may include:
a key receiving module 601, configured to receive a first key distributed by a key management subsystem, where the first key is generated by the key management subsystem when a client passes a security authentication;
a verification sub-graph generating module 602, configured to generate a verification sub-graph according to a model framework of the neural network model to be encrypted and the first key;
a ciphertext model generating module 603, configured to add the verification sub-graph to the neural network model to obtain a ciphertext model;
a ciphertext model sending module 604, configured to send the ciphertext model to a client, so that the client performs a data processing task based on the ciphertext model.
Optionally, the verification sub-graph generating module 602 includes:
the model framework determining submodule is used for determining a model framework of the neural network model to be encrypted;
the verification sub-graph generation sub-module is used for calling a corresponding compiling algorithm according to the model framework to generate a verification sub-graph;
the encryption processing sub-module is used for encrypting the verification sub-graph according to the first key and the encryption algorithm to obtain an encrypted verification sub-graph;
and the verification sub-graph adding sub-module is used for adding the encrypted verification sub-graph into the neural network model to obtain a ciphertext model.
Optionally, the verification sub-graph adding sub-module includes:
the first verification sub-graph adding unit is used for inserting the encrypted verification sub-graph before the input layer of the neural network model to obtain a ciphertext model, where the encrypted verification sub-graph is used for verifying the client that receives the ciphertext model.
Optionally, the encrypted verification sub-graph includes a first verification sub-graph and a second verification sub-graph, and the verification sub-graph adding sub-module includes:
a second verification sub-graph adding unit, configured to insert the first verification sub-graph before an input layer of the neural network model and insert the second verification sub-graph after an output layer of the neural network model; the first verification sub-graph is used for verifying the client that receives the ciphertext model and for encrypting the data to be processed that is input into it; the second verification sub-graph is used for encrypting the data processing result output by the output layer.
Optionally, the encryption algorithm comprises a symmetric encryption algorithm or an asymmetric encryption algorithm.
Fig. 7 is a block diagram of another model processing device according to an embodiment of the present invention, applied to a client. As shown in fig. 7, the device 70 may include:
a model receiving module 701, configured to receive a second key distributed by the key management subsystem and a ciphertext model sent by the server, where the second key is generated by the key management subsystem when the client passes the security authentication;
a key input module 702, configured to input the second key into a verification sub-graph in the ciphertext model when the received model operation request is determined to meet a preset verification trigger condition, where the model operation request carries a data processing task;
a verification sub-graph execution module 703, configured to execute the verification sub-graph to verify, according to the second key, whether the client has operation authority for the ciphertext model;
a ciphertext model running module 704, configured to run the ciphertext model in response to the model operation request to execute the data processing task if the client is determined to have operation authority for the ciphertext model.
Optionally, the verification sub-graph execution module 703 includes:
the verification sub-graph execution sub-module is used for executing the verification sub-graph to perform decryption calculation according to the second key;
the first determining sub-module is used for determining that the client has operation authority for the ciphertext model if the decryption succeeds;
and the second determining sub-module is used for determining that the client does not have operation authority for the ciphertext model if the decryption fails.
Optionally, the ciphertext model includes two verification sub-graphs: a first verification sub-graph connected in series with the input layer of the ciphertext model and a second verification sub-graph connected in series with its output layer, and the ciphertext model running module 704 includes:
the first input sub-module is used for responding to the model operation request, inputting the data to be processed of the data processing task into a first verification sub-graph of the ciphertext model, and encrypting the data to be processed through the first verification sub-graph to obtain ciphertext data;
the second input sub-module is used for inputting the ciphertext data into an input layer of the ciphertext model, and performing data processing on the ciphertext data based on the ciphertext model;
the result acquisition sub-module is used for acquiring a data processing result output by an output layer of the ciphertext model;
and the encryption processing sub-module is used for inputting the data processing result into the second verification sub-graph to carry out encryption processing, obtaining an encrypted data processing result and outputting the encrypted data processing result.
Optionally, the apparatus further comprises:
the first receiving module is used for receiving a model operation request for the ciphertext model and recording the current request count;
the first determining module is used for determining that the model operation request meets a preset verification trigger condition if the current request count is larger than a preset count.
Optionally, the apparatus further comprises:
the second receiving module is used for receiving a model operation request for the ciphertext model and recording a first request time of the model operation request;
the calculation module is used for calculating the time difference between the first request time and the second request time at which a model operation request meeting the verification trigger condition was last received;
and the second determining module is used for determining that the model operation request meets a preset verification triggering condition if the time difference is larger than a preset period.
Optionally, the preset period includes an inference operation period corresponding to the model operation request.
Fig. 8 is a block diagram of another model processing device according to an embodiment of the present invention, applied to a key management subsystem. As shown in fig. 8, the device 80 may include:
a security authentication module 801, configured to perform security authentication on a client according to device information of the client;
a key generation module 802, configured to generate a key if the client passes the security authentication, where the key includes a first key and a second key, the first key is used for model encryption of the neural network model, and the second key is used for model decryption;
a key distribution module 803, configured to distribute the first key to a server and the second key to the client, so that the server generates a verification sub-graph according to the first key and adds it to the neural network model to be encrypted to obtain a ciphertext model, and the client obtains operation authority for the ciphertext model according to the second key so as to execute a data processing task with the ciphertext model.
Optionally, the security authentication module includes:
the parameter matching sub-module is used for matching the device information of the client with the current configuration parameters of the client and judging whether the client passes the security authentication;
the first authentication sub-module is used for determining that the client passes the security authentication if the device information of the client matches the current configuration parameters of the client;
and the second authentication sub-module is used for determining that the client fails the security authentication if the device information of the client does not match the current configuration parameters of the client.
Optionally, the key generation module includes:
a key generation sub-module, configured to generate a key according to a key configuration parameter when the client passes the security authentication, where the key configuration parameter includes at least one of a key validity period and a key use number.
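The following Python is an added illustration of the flow described above for the key management subsystem, the server and the client (device-information authentication, key issuance with a validity period and use number, a sealed verification sub-graph in front of the model, and the request-count and elapsed-time verification triggers of claims 9 and 10); it is not code from the patent. The patent names no algorithm, so the HMAC-SHA256 keystream used for sealing, the single shared secret standing in for the first and second key, and every device identifier and parameter value are constructed assumptions.

```python
"""Key management subsystem, server-side verification subgraph and client-side authority
check, following claims 1, 6, 7, 9, 10, 11, 12 and 13. Added illustration, not the patent's
code. The patent names no algorithm, so here the "first key" (server) and "second key"
(client) are the same random secret (an asymmetric pair would fit equally well), and the
"encryption" of the subgraph is a constructed HMAC-SHA256 keystream plus tag, stdlib only."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Callable, Optional

CHALLENGE = b"client holds operation authority"  # constructed plaintext sealed into the subgraph

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Server side: encrypt with the first key and append a tag -> nonce|body|tag."""
    nonce = os.urandom(16)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> Optional[bytes]:
    """Client side: plaintext on success, None when decryption fails (claim 7)."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        return None
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))

@dataclass
class IssuedKey:
    secret: bytes
    expires_at: float  # key validity period (claim 13)
    uses_left: int     # key use number (claim 13)

class KeyManagementSubsystem:
    """Authenticates a client by its device information (claim 12) and issues both keys."""

    def __init__(self, configured: dict):
        self.configured = configured  # client id -> current configuration parameters

    def authenticate(self, client_id: str, device_info: dict) -> bool:
        return self.configured.get(client_id) == device_info

    def generate_keys(self, client_id, device_info, now, validity_s=3600.0, max_uses=100):
        """(first_key, second_key) for server and client, or None when authentication fails."""
        if not self.authenticate(client_id, device_info):
            return None
        secret = os.urandom(32)
        return IssuedKey(secret, now + validity_s, max_uses), IssuedKey(secret, now + validity_s, max_uses)

def build_ciphertext_model(model: Callable, first_key: IssuedKey) -> dict:
    """Server: seal the challenge into a verification subgraph placed before the model input."""
    sealed = seal(first_key.secret, CHALLENGE)

    def verification_subgraph(second_key: bytes) -> bool:
        return unseal(second_key, sealed) == CHALLENGE

    return {"verify": verification_subgraph, "model": model}

class Client:
    """Runs the ciphertext model, re-verifying when the request count exceeds a preset number
    (claim 9) or the time since the last verification exceeds a preset period (claim 10)."""

    def __init__(self, cipher_model: dict, second_key: IssuedKey, preset_count=3, preset_period=60.0):
        self.cm, self.key = cipher_model, second_key
        self.preset_count, self.preset_period = preset_count, preset_period
        self.request_count, self.last_verified, self.verifications = 0, None, 0

    def run(self, data, now: float):
        self.request_count += 1
        triggered = (self.last_verified is None
                     or self.request_count > self.preset_count
                     or now - self.last_verified > self.preset_period)
        if triggered:
            key_ok = now <= self.key.expires_at and self.key.uses_left > 0
            if not (key_ok and self.cm["verify"](self.key.secret)):
                raise PermissionError("client lacks operation authority for the ciphertext model")
            self.key.uses_left -= 1
            self.verifications += 1
            self.request_count, self.last_verified = 0, now  # assumption: count resets after a check
        return self.cm["model"](data)
```

A failed authentication yields no key at all, and a wrong or expired second key makes the verification sub-graph refuse the run, while an already-verified client is re-checked only when one of the two trigger conditions fires.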
The device embodiments above are described only briefly because they are substantially similar to the method embodiments; for the relevant details, refer to the description of the method embodiments.
In addition, an embodiment of the invention provides a terminal comprising a processor, a memory and a computer program stored in the memory and executable on the processor. When executed by the processor, the computer program implements the processes of the model processing method embodiments and achieves the same technical effects; they are not repeated here.
An embodiment of the invention also provides a computer readable storage medium on which a computer program is stored. When executed by a processor, the computer program implements the processes of the model processing method embodiments above and achieves the same technical effects; they are not repeated here. The computer readable storage medium may be, for example, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk.
In this specification, the embodiments are described progressively: each embodiment is described mainly in terms of its differences from the others, and the parts the embodiments have in common may be referred to across embodiments.
As those skilled in the art will readily appreciate, any combination of the above embodiments is possible and is itself an embodiment of the present invention, but is not described here for reasons of space.
The model processing methods provided herein are not inherently related to any particular computer, virtual system, or other apparatus. Various general-purpose systems may also be used with the teachings herein. The required structure for a system constructed with aspects of the present invention will be apparent from the description above. In addition, the present invention is not directed to any particular programming language. It will be appreciated that the teachings of the present invention described herein may be implemented in a variety of programming languages, and the above description of specific languages is provided for disclosure of enablement and best mode of the present invention.
In the description provided herein, numerous specific details are set forth. However, it is understood that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
Similarly, it should be appreciated that in the above description of exemplary embodiments of the invention, various features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the disclosure and aiding in the understanding of one or more of the various inventive aspects. However, this method of disclosure is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of this invention.
Those skilled in the art will appreciate that the modules in the apparatus of the embodiments may be adaptively changed and disposed in one or more apparatuses different from the embodiments. The modules or units or components of the embodiments may be combined into one module or unit or component and, furthermore, they may be divided into a plurality of sub-modules or sub-units or sub-components. Any combination of all features disclosed in this specification (including any accompanying claims, abstract and drawings), and all of the processes or units of any method or apparatus so disclosed, may be used in combination, except insofar as at least some of such features and/or processes or units are mutually exclusive. Each feature disclosed in this specification (including any accompanying claims, abstract and drawings), may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
Furthermore, those skilled in the art will appreciate that while some embodiments described herein include some features but not others included in other embodiments, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the claims, any of the claimed embodiments may be used in any combination.
Various component embodiments of the invention may be implemented in hardware, or in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will appreciate that some or all of the functions of some or all of the components of an operation performing method according to an embodiment of the present invention may be implemented in practice using a microprocessor or Digital Signal Processor (DSP). The present invention can also be implemented as an apparatus or device program (e.g., a computer program and a computer program product) for performing a portion or all of the methods described herein. Such a program embodying the present invention may be stored on a computer readable medium, or may have the form of one or more signals. Such signals may be downloaded from an internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the unit claims enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second, third, etc. does not denote any order. These words may be interpreted as names.

Claims (19)

1. A model processing method, applied to a model encryption system, the model encryption system comprising a server, a client, and a key management subsystem, the method comprising:
the key management subsystem carries out security authentication on the client according to the equipment information of the client, and generates a key under the condition that the client passes the security authentication, wherein the key comprises a first key and a second key; distributing the first key to a server and the second key to a client;
the server generates a verification sub-graph according to a first key distributed by the key management subsystem, and adds the verification sub-graph to a neural network model to be encrypted to obtain a ciphertext model; sending the ciphertext model to the client;
and the client receives a second key distributed by the key management subsystem and the ciphertext model transmitted by the server, and acquires the operation authority for the ciphertext model according to the second key so as to execute a data processing task by using the ciphertext model.
2. A model processing method, which is applied to a server, the method comprising:
receiving a first key distributed by a key management subsystem, wherein the first key is generated by the key management subsystem under the condition that a client passes security authentication;
generating a verification sub-graph according to a model framework of the neural network model to be encrypted and the first key;
adding the verification subgraph into the neural network model to obtain a ciphertext model;
and sending the ciphertext model to a client so that the client can execute a data processing task based on the ciphertext model.
3. The method of claim 2, wherein the generating a verification sub-graph from the model framework of the neural network model to be encrypted and the first key comprises:
determining a model framework of a neural network model to be encrypted;
calling a corresponding compiling algorithm according to the model framework to generate a verification sub-graph;
encrypting the verification subgraph according to the first key and an encryption algorithm to obtain an encrypted verification subgraph;
and adding the encrypted verification subgraph into the neural network model to obtain a ciphertext model.
4. The method of claim 3, wherein the adding the encrypted verification sub-graph to the neural network model to obtain a ciphertext model comprises:
and inserting the encrypted verification subgraph before an input layer of the neural network model to obtain a ciphertext model, wherein the encrypted verification subgraph is used for verifying a client side receiving the ciphertext model.
5. The method of claim 3, wherein the encrypted verification sub-graph comprises a first verification sub-graph and a second verification sub-graph, and wherein the adding the encrypted verification sub-graph to the neural network model to obtain a ciphertext model comprises:
inserting the first verification sub-graph before an input layer of the neural network model and inserting the second verification sub-graph after an output layer of the neural network model; the first verification sub-graph is used for verifying the client side receiving the ciphertext model and encrypting data to be processed, which is input into the first verification sub-graph; and the second verification sub-graph is used for encrypting the data processing result output by the output layer.
6. A model processing method, applied to a client, the method comprising:
receiving a second key distributed by a key management subsystem and a ciphertext model sent by a server, wherein the second key is generated by the key management subsystem under the condition that the client passes security authentication;
under the condition that the received model operation request meets a preset verification trigger condition, inputting the second key into a verification sub-graph in the ciphertext model; the model operation request carries a data processing task;
executing the verification sub-graph to verify whether the client side has the operation authority for the ciphertext model according to the second key;
and if the client side is determined to have the operation authority for the ciphertext model, responding to the model operation request, and operating the ciphertext model to execute the data processing task.
7. The method of claim 6, wherein the executing the verification sub-graph to verify whether the client has the operating rights for the ciphertext model based on the second key comprises:
executing the verification sub-graph to perform decryption calculation according to the second key;
if the decryption is successful, determining that the client side has the operation authority for the ciphertext model;
if the decryption is unsuccessful, determining that the client does not have the operation authority for the ciphertext model.
8. The method of claim 6, wherein the ciphertext model comprises two verification sub-graphs, the two verification sub-graphs comprising a first verification sub-graph in series with an input layer of the ciphertext model and a second verification sub-graph in series with an output layer of the ciphertext model, the running the ciphertext model to perform the data processing task in response to the model run request comprising:
responding to the model operation request, inputting the data to be processed of the data processing task into a first verification sub-graph of the ciphertext model, and encrypting the data to be processed through the first verification sub-graph to obtain ciphertext data;
inputting the ciphertext data into an input layer of the ciphertext model, and performing data processing on the ciphertext data based on the ciphertext model;
acquiring a data processing result output by an output layer of the ciphertext model;
and inputting the data processing result into the second verification subgraph for encryption processing, obtaining an encrypted data processing result and outputting the encrypted data processing result.
9. The method of claim 6, wherein, before inputting the second key into the verification sub-graph in the ciphertext model when the received model operation request meets the preset verification trigger condition, the method further comprises:
receiving a model operation request aiming at the ciphertext model and recording the current request times;
and if the current request times are larger than the preset times, determining that the model operation request meets the preset verification triggering condition.
10. The method of claim 6, wherein, before inputting the second key into the verification sub-graph in the ciphertext model when the received model operation request meets the preset verification trigger condition, the method further comprises:
receiving a model operation request aiming at the ciphertext model and recording a first request time of the model operation request;
calculating the time difference between the first request time and a second request time at which a model operation request meeting the verification trigger condition was last received;
and if the time difference is larger than the preset period, determining that the model operation request meets a preset verification triggering condition.
11. A model processing method, applied to a key management subsystem, the method comprising:
carrying out security authentication on a client according to equipment information of the client;
generating a key under the condition that the client passes the security authentication, wherein the key comprises a first key and a second key;
the first key is distributed to a server, the second key is distributed to the client, so that the server generates a verification sub-graph according to the first key, the verification sub-graph is added to a neural network model to be encrypted to obtain a ciphertext model, and the client obtains operation authority for the ciphertext model according to the second key to execute a data processing task by using the ciphertext model.
12. The method of claim 11, wherein the securely authenticating the client based on the device information of the client comprises:
matching the equipment information of the client with the current configuration parameters of the client, and judging whether the client passes the security authentication or not;
if the equipment information of the client is matched with the current configuration parameters of the client, determining that the client passes the security authentication;
if the equipment information of the client is not matched with the current configuration parameters of the client, determining that the client fails the security authentication.
13. The method of claim 11, wherein the generating a key if the client is securely authenticated comprises:
and generating a key according to a key configuration parameter under the condition that the client passes the security authentication, wherein the key configuration parameter comprises at least one of a key validity period and a key use number.
14. A model encryption system, comprising a server, a client and a key management subsystem, wherein:
the key management subsystem is used for carrying out security authentication on the client according to the equipment information of the client, and generating a key under the condition that the client passes the security authentication, wherein the key comprises a first key and a second key; distributing the first key to a server and the second key to a client;
the server side is used for generating a verification sub-graph according to a first key distributed by the key management subsystem, and adding the verification sub-graph into a neural network model to be encrypted to obtain a ciphertext model; sending the ciphertext model to the client;
the client is used for receiving a second key distributed by the key management subsystem and the ciphertext model sent by the server, and acquiring the operation authority for the ciphertext model according to the second key so as to execute a data processing task by using the ciphertext model.
15. A model processing device, applied to a server, the device comprising:
the key receiving module is used for receiving a first key distributed by the key management subsystem, wherein the first key is generated by the key management subsystem under the condition that the client passes the security authentication;
the verification sub-graph generation module is used for generating a verification sub-graph according to a model framework of the neural network model to be encrypted and the first key;
the ciphertext model generation module is used for adding the verification subgraph into the neural network model to obtain a ciphertext model;
and the ciphertext model sending module is used for sending the ciphertext model to a client so that the client can execute a data processing task based on the ciphertext model.
16. A model processing apparatus, applied to a client, the apparatus comprising:
the model receiving module is used for receiving a second key distributed by the key management subsystem and a ciphertext model sent by the server, wherein the second key is generated by the key management subsystem under the condition that the client passes the security authentication;
the key input module is used for inputting the second key into the verification subgraph in the ciphertext model under the condition that the received model operation request meets the preset verification trigger condition; the model operation request carries a data processing task;
the verification sub-graph execution module is used for executing the verification sub-graph to verify whether the client side has the operation authority for the ciphertext model according to the second key;
and the ciphertext model running module is used for responding to the model running request to run the ciphertext model to execute the data processing task if the client side is determined to have the running authority for the ciphertext model.
17. A model processing apparatus, applied to a key management subsystem, the apparatus comprising:
the security authentication module is used for performing security authentication on the client according to the equipment information of the client;
a key generation module, configured to generate a key when the client passes the security authentication, where the key includes a first key and a second key;
the key distribution module is used for distributing the first key to a server and distributing the second key to the client, so that the server generates a verification sub-graph according to the first key, the verification sub-graph is added into a neural network model to be encrypted to obtain a ciphertext model, and the client obtains the operation authority aiming at the ciphertext model according to the second key so as to execute a data processing task by utilizing the ciphertext model.
18. A computer-readable storage medium, on which a computer program is stored, which computer program, when being executed by a processor, implements the model processing method according to any one of claims 1 to 13.
19. An electronic device, comprising: a processor and a memory, the processor being configured to execute a data processing program stored in the memory to implement the model processing method of any one of claims 1 to 13.
Application CN202210478472.2A, priority date 2022-04-29, filing date 2022-04-29: Model processing method and device and computer readable storage medium (Active), published as CN115001748B (en).


Publications (2)

Publication Number Publication Date
CN115001748A CN115001748A (en) 2022-09-02
CN115001748B true CN115001748B (en) 2023-11-03




Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant