CN117216732A - Method for processing artificial intelligent model, and method and device for processing data


Info

Publication number
CN117216732A
Authority
CN
China
Prior art keywords
operator
operators
model
artificial intelligence
graph
Legal status
Pending
Application number
CN202311017588.7A
Other languages
Chinese (zh)
Inventor
杨渊
王泽�
金修浪
吕张城
顾嘉辉
赵章淳
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd

Landscapes

  • Stored Programmes (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The application discloses a method for processing an artificial intelligence (AI) model. A first computational graph of the AI model, which carries semantic information, is obfuscated to obtain a second computational graph without semantic information, which improves the confidentiality of the AI model in storage and transmission. The scheme provided by the application is suitable for various software and hardware environments and scenarios, does not need a TEE, and has better universality.

Description

Method for processing artificial intelligent model, and method and device for processing data
The present application is a divisional application, the application number of the original application is 202010970794.X, the original application date is 09/15/2020, and the entire content of the original application is incorporated herein by reference.
Technical Field
The application relates to the technical field of artificial intelligence (AI), in particular to a method for processing an artificial intelligence model, a method for processing data, and a device thereof.
Background
With continuous breakthroughs in artificial intelligence (AI) theory and hardware computing power, AI technology has developed rapidly. In fields such as computer vision, natural language processing and speech recognition, AI systems have been deployed on a large scale, and more and more manufacturers provide AI services. After model training and tuning are completed locally, the AI service provider deploys the AI model to a third-party outsourcing platform (such as terminal devices, edge devices or cloud servers) to provide inference services. Since the design and training of AI models require a great deal of time, data and computing power, preventing AI models from being stolen in the transmission and storage links has become a major concern for AI service and model providers.
Some schemes for protecting model confidentiality already exist in the industry. For example, in model protection based on a trusted execution environment (TEE), a TEE is isolated on the third-party outsourcing platform. The TEE protects the programs and data loaded inside it from being accessed by external software, thereby protecting the confidentiality of the AI model. This approach relies on a specific secure hardware and software environment, is not universal, and tends to incur significant performance overhead. Therefore, how to protect AI model confidentiality in an untrusted environment is a challenge to be addressed.
Disclosure of Invention
The embodiments of the application provide a method for processing an artificial intelligence model, a method for processing data, and a device, which are used to guarantee the security of the artificial intelligence (AI) model during transmission and storage. The embodiments of the application also provide a corresponding device, a computer storage medium, a computer program product, and the like.
The first aspect of the present application provides a method for processing an artificial intelligence model, comprising: obtaining a first computational graph of the artificial intelligence model, the first computational graph indicating the execution logic of the artificial intelligence model and comprising a plurality of first operators and the dependency relationships between the plurality of first operators in the artificial intelligence model; obfuscating the first computational graph to obtain a second computational graph, the second computational graph indicating the execution logic of the artificial intelligence model after obfuscation and comprising a plurality of second operators and the dependency relationships among the plurality of second operators, the second operators being in an anonymous state; and generating a model file in the obfuscated state according to the second computational graph.
In the first aspect, the AI model may be a model applied in fields such as intelligent manufacturing, intelligent transportation, smart home, intelligent medical treatment, intelligent security, automatic driving, safe city and intelligent terminals. The method is applied in the model owner's environment, and the device performing the method may be a server, a virtual machine (VM) or a container. The AI model is usually obtained by constructing an initial model with a deep neural network or a convolutional neural network, training the model with a large number of samples of the corresponding scenario in combination with the specific application scenario, and, after training, optimizing it for the device on which the AI model will be applied.
The AI model may include a plurality of computing units, such as convolution units, pooling units or merging units, each performing its respective calculation; each computing unit may be referred to as an "operator". The execution logic of the AI model is the order in which the computing units execute. The computing units in the AI model and the input or output relationships between them may be expressed as a graph, referred to as a "computational graph". All operators of the AI model are included in the computational graph; there are usually multiple types of operators, and there may be one or more operators of the same type. The type of an operator characterizes its computational property, for example convolution, pooling, merging, batch normalization or linear rectification (ReLU): a convolution-type operator performs a convolution operation, a pooling-type operator performs a pooling operation, a merging-type operator performs a merging operation, a batch-normalization-type operator performs batch normalization, and a linear-rectification-type operator performs linear rectification. In the computational graph, each operator may have a unique identifier or unique name, such as convolution operator 1, convolution operator 2, pooling operator 1 or merging operator 1.
In the present application, an operator in the first computational graph is referred to as a first operator. The dependency relationships between the first operators represent input or output relationships between them. The second computational graph is obtained by obfuscating the first computational graph; obfuscation here means that interference factors are added to the first computational graph so that no semantic information can be read from the second computational graph, while the second computational graph still implements the function of the first. The obfuscated state may also be described as a state without semantic information. The obfuscation may be carried out in several ways, such as any one or a combination of graph compression, graph augmentation, anonymization and weight scrambling. The operators in the second computational graph are all called second operators, and the second operators are in an anonymous state, which means that the type of a second operator cannot be obtained from its name or identifier. Anonymization in the present application does not mean hiding the name; instead, a name without semantics replaces the real name that contained the operator type. In both the first and the second computational graph, a dependency relationship may also be called an "edge": each edge connects two operators, and the two operators connected by the same edge have an input or output relationship, which is the "dependency relationship" of the present application.
As can be seen from the solution of the first aspect, in the model owner's environment, after the first computational graph of an AI model is obfuscated, no semantic information can be read from the resulting second computational graph, and a model file from which no semantic information can be read is generated. Therefore, even if the model file in the obfuscated state is stolen during storage or transmission, the semantic information of the model cannot be read, and the confidentiality and security of the AI model in storage and transmission are improved.
In a possible implementation of the first aspect, obfuscating the first computational graph to obtain the second computational graph comprises: merging at least two first operators of the first computational graph that have a dependency relationship into one operator; and anonymizing the operators in the merged first computational graph to obtain the second computational graph.
In this possible implementation, the first computational graph is obfuscated by graph compression followed by anonymization to obtain the second computational graph. Graph compression may proceed from a merging structure configured in advance by a developer, where the merging structure comprises at least two first operators with a dependency relationship. Graph compression is of course not limited to a developer pre-configuring the merging structure. The merging structure may also be determined dynamically, for example by detection: the server scans the first computational graph once, determines which structure (such as convolution-batch normalization-linear rectification) occurs most often, and takes the structure with the highest occurrence frequency as the merging structure. The merging structure may also be determined in other ways, and is not limited to the two listed here. Anonymization means configuring a name or identifier without semantic information for some or all operators in the merged first computational graph, so that the type of the operator cannot be read from the name or identifier.
In this possible implementation, the structural representation of the first computational graph can be modified by graph compression without affecting its execution logic, and after the operators are anonymized the function of an operator can no longer be read from its representation, so the confidentiality of the AI model is further improved.
In a possible implementation of the first aspect, obfuscating the first computational graph to obtain the second computational graph comprises: performing an augmentation operation on the first computational graph, the augmentation operation comprising adding a dependency relationship among the plurality of first operators in the first computational graph, or adding an augmentation operator to the first computational graph and establishing a dependency relationship between the augmentation operator and at least one of the plurality of first operators, wherein the augmentation operator is an operator added during the obfuscation of the first computational graph; and anonymizing the operators in the augmented first computational graph to obtain the second computational graph.
In this possible implementation, graph augmentation comprises at least one of: adding dependency relationships between operators, and adding an augmentation operator and establishing a dependency relationship between the augmentation operator and at least one of the plurality of first operators. The first computational graph is obfuscated by graph augmentation and anonymization to obtain the second computational graph. The graph is augmented by adding new dependencies between existing operators of the first computational graph, or by adding one or more operators (referred to as augmentation operators) to the first computational graph and then creating dependencies between the augmentation operators and some or all of the first operators. These additions do not normally affect the execution logic of the original first computational graph; they amount to adding a small perturbation. Anonymization may be understood with reference to the foregoing description.
In this possible implementation, the structural representation of the first computational graph can be modified by graph augmentation without affecting its execution logic, and after the operators are anonymized the function of an operator can no longer be read from its representation, so the confidentiality of the AI model is further improved.
In a possible implementation of the first aspect, obfuscating the first computational graph to obtain the second computational graph comprises: merging at least two first operators with a dependency relationship in the first computational graph into one operator; performing an augmentation operation on the merged first computational graph, the augmentation operation comprising adding a dependency relationship between operators in the merged first computational graph, or adding an augmentation operator to the merged first computational graph and establishing a dependency relationship between the augmentation operator and an operator in the merged first computational graph, wherein the augmentation operator is an operator added during the obfuscation of the first computational graph; and anonymizing the operators in the augmented first computational graph to obtain the second computational graph.
In this possible implementation, graph compression and graph augmentation may be performed first and anonymization afterwards; the order of graph compression and graph augmentation is not limited, so graph augmentation may also be performed first and anonymization afterwards. Graph compression, graph augmentation and anonymization may be understood with reference to the foregoing description.
In this possible implementation, the first computational graph is obfuscated more thoroughly by combining graph compression, graph augmentation and anonymization, so the confidentiality of the AI model is further improved.
In a possible implementation of the first aspect, obfuscating the first computational graph to obtain the second computational graph comprises: scrambling the weights of at least one first operator in the first computational graph, and anonymizing the operators in the scrambled first computational graph to obtain the second computational graph.
In this possible implementation, the first computational graph is obfuscated by scrambling the weights of operators and by anonymizing the operators. Without knowledge of the scrambling mapping, the scrambled weights are not easy to recover, and after anonymization the scrambling mapping is even harder to recover, so the confidentiality of the AI model is improved to a great extent.
In a possible implementation of the first aspect, obtaining the second computational graph further comprises scrambling the weights of the operators in the anonymized first computational graph.
In this possible implementation, for a computational graph processed by graph compression and anonymization, by graph augmentation and anonymization, or by graph compression, graph augmentation and anonymization, the weights of the operators on the computational graph may additionally be scrambled, and the second computational graph is obtained after scrambling.
In a possible implementation of the first aspect, the anonymized names of different operators of the same type in the anonymized first computational graph contain the same anonymous symbol.
In this possible implementation, considering that there may be hundreds or thousands of operators in the computational graph, using a different anonymous symbol for each operator would require too many symbols. Multiple operators of the same type may therefore be distinguished by the same anonymous symbol plus a sequence number; for example, two convolution-type operators may be anonymized as OptA1 and OptA2. Both convolution operators contain the same anonymous symbol "OptA". This naming scheme reduces the number of anonymous symbols needed and reduces the server's computation when assigning names.
In a possible implementation of the first aspect, the anonymous names of different operators of the same type in the anonymized first computational graph contain a first anonymous symbol and a second anonymous symbol, the first anonymous symbol being different from the second; the operator corresponding to the first anonymous symbol had a dependency relationship added during augmentation, and the operator corresponding to the second anonymous symbol did not.
In this possible implementation, not only the operator type is considered, but also whether operators of the same type were affected by graph augmentation. For example, if during graph augmentation dependencies were added to some operators of a type and not to others, different anonymous symbols may be used for the two groups when anonymous names are assigned. Suppose there are four convolution operators, convolution operator 1 to convolution operator 4, where convolution operators 1 and 2 are not affected by graph augmentation and convolution operators 3 and 4 are. Then convolution operators 1 and 2 may be named OptA1 and OptA2, and convolution operators 3 and 4 may be named OptB1 and OptB2. This not only limits the number of anonymous symbols needed but also distinguishes the operators affected by graph augmentation.
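The owner-side obfuscation pipeline described above (graph compression of a pre-configured merging structure, graph augmentation, and type-based anonymous naming with a separate symbol for operators that received an augmentation dependency), as an added worked example in Python. This is not the applicant's code: the graph format, the conv-batchnorm-relu merging structure, the identity augmentation operator and the OptA/OptB symbol scheme are constructed assumptions. It also adds the check a reviewer of the obfuscated model file would want, namely that no name in the second graph still carries an operator-type token.

```python
"""Toy model of graph compression, graph augmentation and anonymization.
Added example, not the applicant's code; graph format, merge pattern,
augmentation operator and symbol scheme are assumptions."""

# First computational graph (constructed sample): operator name -> (type, inputs).
# "input" denotes the model's input tensor, not an operator.
FIRST_GRAPH = {
    "conv1": ("conv", ["input"]),
    "bn1":   ("batchnorm", ["conv1"]),
    "relu1": ("relu", ["bn1"]),
    "conv2": ("conv", ["relu1"]),
    "pool1": ("pool", ["conv2"]),
    "conv3": ("conv", ["pool1"]),
    "conv4": ("conv", ["conv3"]),
    "fc1":   ("dense", ["conv4"]),
}
# Merging structure a developer pre-configures (assumed): the conv-batchnorm-relu chain.
MERGE_PATTERN = ["conv", "batchnorm", "relu"]
# Type tokens whose presence in a name would leak operator semantics.
TYPE_TOKENS = ("conv", "batchnorm", "relu", "pool", "dense", "identity")


def compress(graph, pattern):
    """Graph compression: merge every chain of operators matching `pattern` into
    one operator. Only chains whose inner operators have a single consumer are
    merged, so the execution logic of the graph is unchanged."""
    g = {k: (t, list(ins)) for k, (t, ins) in graph.items()}
    while True:
        consumers = {}
        for name, (_, ins) in g.items():
            for i in ins:
                consumers.setdefault(i, []).append(name)
        chain = None
        for name, (typ, _) in g.items():
            if typ != pattern[0]:
                continue
            cand = [name]
            for want in pattern[1:]:
                nxt = consumers.get(cand[-1], [])
                if len(nxt) != 1 or g[nxt[0]][0] != want:
                    cand = None
                    break
                cand.append(nxt[0])
            if cand:
                chain = cand
                break
        if chain is None:
            return g
        merged = "+".join(chain)
        g[merged] = ("merged:" + "-".join(pattern), g[chain[0]][1])
        # Rewire consumers of the chain's tail to the merged operator.
        for name, (typ, ins) in list(g.items()):
            g[name] = (typ, [merged if i == chain[-1] else i for i in ins])
        for n in chain:
            del g[n]


def augment(graph, target, aug_name="aug_0"):
    """Graph augmentation: add an augmentation operator (an identity on the model
    input) and give `target` a dependency on it. The added edge carries nothing
    `target` uses, so the original execution logic is preserved."""
    g = {k: (t, list(ins)) for k, (t, ins) in graph.items()}
    g[aug_name] = ("identity", ["input"])
    typ, ins = g[target]
    g[target] = (typ, ins + [aug_name])
    return g, {target}


def anonymize(graph, touched):
    """Assign names without semantics. Operators of one type share a symbol plus
    a sequence number (OptA1, OptA2, ...); operators that received a dependency
    during augmentation get a symbol distinct from untouched ones of that type."""
    symbols = iter("OptA OptB OptC OptD OptE OptF OptG OptH OptI OptJ".split())
    symbol_of, counter, mapping = {}, {}, {"input": "input"}
    for name, (typ, _) in graph.items():
        key = (typ, name in touched)
        if key not in symbol_of:
            symbol_of[key] = next(symbols)
        sym = symbol_of[key]
        counter[sym] = counter.get(sym, 0) + 1
        mapping[name] = f"{sym}{counter[sym]}"
    # The second graph keeps only anonymous names and edges: no type field survives.
    second = {mapping[n]: [mapping[i] for i in ins] for n, (_, ins) in graph.items()}
    return second, mapping


def obfuscate(first, pattern=MERGE_PATTERN, target="conv4"):
    """Compression, then augmentation, then anonymization (one order the text allows)."""
    g = compress(first, pattern)
    g, touched = augment(g, target)
    return anonymize(g, touched)


def leaks_semantics(graph):
    """Defender check: does any operator name still carry a type token?"""
    return any(tok in name.lower() for name in graph for tok in TYPE_TOKENS)


if __name__ == "__main__":
    second, mapping = obfuscate(FIRST_GRAPH)
    for name, ins in second.items():
        print(name, "<-", ins)
    print("first graph leaks semantics:", leaks_semantics(FIRST_GRAPH))
    print("second graph leaks semantics:", leaks_semantics(second))
```

In this run, conv2 and conv3 become OptA1 and OptA2, while conv4 (which received the augmentation dependency) gets its own symbol, and the merged conv-batchnorm-relu chain appears as a single anonymous operator; the second graph carries only names and edges, so the check passes only because the type field itself is dropped, not merely renamed.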
In a possible implementation of the first aspect, the method further comprises determining an obfuscated operator library, the obfuscated operator library comprising the computation logic of a plurality of second operators, each computation logic corresponding to the name of one second operator in the anonymous state, and the computation logic of each second operator comprising the computation logic of the at least one first operator from which that second operator is derived.
In this possible implementation, not only the computational graph is obfuscated but also the computation logic of the operators; obfuscating the computation logic may be understood as obfuscating the operator's code or its input/output interface. Because the obfuscated operator library is determined, the device applying the AI model can run the AI model directly in the obfuscated state, calling the second operators in the obfuscated operator library to execute the execution logic of the second computational graph, which further guarantees the confidentiality of the model while it runs.
In a possible implementation of the first aspect, the method further comprises: performing at least one of the following on the basis of the computation logic of the at least one first operator to obtain the computation logic of a second operator derived from the at least one first operator: modifying the entry or exit of the computation logic of the corresponding operator according to the dependency added to the first computational graph, and adding obfuscation code to the code of the operators of the augmented first computational graph; and adding the obtained computation logic of the second operator and the obtained name of the second operator to the obfuscated operator library, the obfuscated operator library comprising the computation logic of a plurality of second operators, each computation logic corresponding to the name of one second operator in the anonymous state.
In this possible implementation, during graph augmentation of the first computational graph, the entry or exit of an operator that received an added dependency must be modified to match the change in execution logic of the first computational graph caused by augmentation, and any one or a combination of the obfuscation codes is added to the code of the operators of the augmented first computational graph to obtain the computation logic of the second operator. It should be noted that in the present application one computation logic may correspond to the name of one second operator in the anonymous state, or to the names of several second operators in the anonymous state. Because the computation logic has been processed, even if the obfuscated operator library is obtained during transmission, no semantic information can be obtained from it.
In a possible implementation of the first aspect, the method further comprises: adding code that removes the weight perturbation to the code of the operator whose weights were scrambled, on the basis of the computation logic of the at least one first operator, to obtain the computation logic of a second operator derived from the at least one first operator; and adding the obtained computation logic of the second operator and the obtained name of the second operator to the obfuscated operator library, the obfuscated operator library comprising the computation logic of a plurality of second operators, each computation logic corresponding to the name of one second operator in the anonymous state.
In this possible implementation, the weights of an operator in the computational graph are scrambled and code that removes the weight perturbation is added to the operator's code, so the noise perturbation is effectively removed and the obfuscated AI model is guaranteed to produce the same result as the original AI model when performing inference on data.
The second aspect of the application provides a data processing method based on an artificial intelligence model, comprising: obtaining a second computational graph of the artificial intelligence model, the second computational graph indicating the execution logic of the artificial intelligence model after obfuscation and comprising a plurality of second operators and the dependency relationships among them, the second operators being in an anonymous state; receiving application data corresponding to the artificial intelligence model; and processing the application data according to the second computational graph.
In the second aspect, the method is applied in the model user's environment, and the device executing the method may be a terminal device, a server, an edge device, a VM, a container, or the like. The device in the model user's environment may obtain the model file in the obfuscated state from the model owner's device by actively downloading it, or the model owner's device may actively send the model file to the model user's device. The model user's device then obtains the second computational graph of the first aspect from the model file in the obfuscated state, and uses the second computational graph to infer on the received application data to obtain an inference result. The application data may be pictures, speech, text, or the like, and the inference result may be information marking the objects of interest in a picture, or the translation of a text; the specific inference result differs with the usage scenario. Since the second aspect obtains the second computational graph from the model file in the obfuscated state, the confidentiality of the AI model during storage and transmission is guaranteed.
In a possible implementation manner of the first aspect, processing the application data according to the second computational graph comprises: generating a task sequence according to the second computational graph, the task sequence indicating the execution order of the second operators in the second computational graph; and, according to the task sequence, calling the corresponding second operators in the obfuscated operator library to process the application data, the obfuscated operator library comprising the computation logic of the plurality of second operators in the second computational graph.
In this possible implementation, the task sequence may comprise the names or identifiers of the second operators arranged in order, and the task sequence ensures that the second operators execute one after another in the execution order. Processing the application data with the second computational graph and the obfuscated operator library lets the AI model run and infer in the obfuscated state, which guarantees the confidentiality of the AI model while it runs. In addition, the scheme provided by the application is suitable for various software and hardware environments and scenarios, does not require a trusted execution environment (TEE), and has better universality.
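The weight-scrambling mechanism (the second operator's code removes the weight perturbation before computing) and the model-user side of the method (a task sequence derived from the second computational graph, executed by calling the obfuscated operator library), as one added example in Python. This is not the applicant's code: the four-operator second graph, the list-of-floats operators, the affine scrambling map and the owner-side parameters are constructed assumptions. The check at the end is the one a practitioner would run before shipping: the obfuscated model yields the same result as the original, while the stored weights differ and the original operator code run on the scrambled weights does not.

```python
"""Toy model of weight scrambling, an obfuscated operator library and
task-sequence execution. Added example, not the applicant's code; the graph,
the operators and the scrambling map are assumptions."""
from collections import deque

# Second computational graph (constructed; already anonymized): name -> input names.
SECOND_GRAPH = {
    "OptA1": ["input"],
    "OptB1": ["OptA1"],
    "OptC1": ["OptB1"],
    "OptD1": ["OptB1", "OptC1"],
}
# Original, unscrambled weights per operator, as held by the model owner (constructed).
ORIGINAL_WEIGHTS = {"OptA1": [2.0, -1.0], "OptB1": [0.5, 0.25], "OptC1": [], "OptD1": []}


# Computation logic of each operator: inputs is a list of upstream outputs (lists of floats).
def _scale(inputs, w):
    return [x * wi for x, wi in zip(inputs[0], w)]

def _shift(inputs, w):
    return [x + wi for x, wi in zip(inputs[0], w)]

def _relu(inputs, w):
    return [max(x, 0.0) for x in inputs[0]]

def _add(inputs, w):
    return [a + b for a, b in zip(inputs[0], inputs[1])]

# Original operator library: the un-obfuscated computation logic.
ORIGINAL_LIBRARY = {"OptA1": _scale, "OptB1": _shift, "OptC1": _relu, "OptD1": _add}

# Scrambling mapping (assumed): an invertible affine map w' = a*w + b with owner-side (a, b).
SCRAMBLE = (3.0, 7.0)


def scramble_weights(weights, a, b):
    """Owner side: perturb every weight; this is what the model file stores."""
    return {n: [a * w + b for w in ws] for n, ws in weights.items()}


def unscramble(ws, a, b):
    """Inverse of the scrambling map."""
    return [(w - b) / a for w in ws]


def build_obfuscated_library(original_library, a, b):
    """Obfuscated operator library: each second operator's code first removes the
    weight perturbation, then runs the original computation logic."""
    def wrap(fn):
        return lambda inputs, w: fn(inputs, unscramble(w, a, b))
    return {name: wrap(fn) for name, fn in original_library.items()}


def task_sequence(graph):
    """Execution order of the second operators (Kahn's topological sort);
    rejects a graph with a cycle, which could not be a valid execution logic."""
    indeg = {n: sum(1 for i in ins if i != "input") for n, ins in graph.items()}
    ready = deque(n for n, d in indeg.items() if d == 0)
    order = []
    while ready:
        n = ready.popleft()
        order.append(n)
        for m, ins in graph.items():
            if n in ins:
                indeg[m] -= 1
                if indeg[m] == 0:
                    ready.append(m)
    if len(order) != len(graph):
        raise ValueError("second graph has a cycle")
    return order


def run(graph, library, weights, data):
    """Model-user side: process application data by calling operators in task-sequence
    order. The last operator of the sequence is the graph's output here."""
    order = task_sequence(graph)
    values = {"input": data}
    for name in order:
        values[name] = library[name]([values[i] for i in graph[name]], weights[name])
    return values[order[-1]]


if __name__ == "__main__":
    scrambled = scramble_weights(ORIGINAL_WEIGHTS, *SCRAMBLE)
    obf_lib = build_obfuscated_library(ORIGINAL_LIBRARY, *SCRAMBLE)
    data = [1.0, -2.0]
    print("task sequence:", task_sequence(SECOND_GRAPH))
    print("original:  ", run(SECOND_GRAPH, ORIGINAL_LIBRARY, ORIGINAL_WEIGHTS, data))
    print("obfuscated:", run(SECOND_GRAPH, obf_lib, scrambled, data))
```

The scrambling parameters live only in the obfuscated operator code, never in the model file, which is the point of the separation: the file alone yields neither semantics nor usable weights.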
In a possible implementation manner of the first aspect, processing the application data according to the second computational graph comprises: restoring the second computational graph to the first computational graph according to a logic function that describes the logical architecture of the artificial intelligence model, the first computational graph being the original execution logic graph of the artificial intelligence model; generating a task sequence according to the first computational graph, the task sequence indicating the execution order of the first operators in the first computational graph; and, according to the task sequence, invoking the computation logic of the corresponding first operators in the original operator library corresponding to the first computational graph to process the application data.
In this possible implementation, the task sequence may comprise the names or identifiers of the first operators arranged in order, and the task sequence ensures that the first operators execute one after another in the execution order. The concept of the first computational graph and its relationship to the second computational graph may be understood with reference to the first computational graph in the first aspect described above. When the first computational graph is restored, a mapping exists between the first operators of the first computational graph and the operators of the second computational graph, so the first computational graph can be restored through this mapping between operators. The second computational graph may also be restored to the first computational graph based on a logic function of the AI application installed on the device in the model user's environment, the logic function describing the logical architecture of the artificial intelligence model (for example: the first layer convolves, the second layer convolves, the third layer convolves, and so on), so that the first computational graph can be recovered by combining the execution logic of the second computational graph with the execution logic of the first computational graph as represented in the AI application. After the first computational graph is restored, the original operator library is scheduled to process the data, which provides diversified modes of operation while the confidentiality of the AI model in storage and transmission is guaranteed.
A third aspect of the application provides an apparatus for processing an artificial intelligence model, the apparatus having the functionality to implement the method of the first aspect or any one of the possible implementations of the first aspect. The functions may be realized by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the functions described above, such as a processing unit.
A fourth aspect of the application provides an apparatus for data processing based on an artificial intelligence model, the apparatus having the functionality to implement the method of the second aspect or any one of the possible implementations of the second aspect. The functions may be realized by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the functions described above, such as a processing unit.
A fifth aspect of the application provides a computer device comprising at least one processor, a memory, an input/output (I/O) interface, and computer-executable instructions stored in the memory and executable on the processor, the processor performing the method as described above in the first aspect or any one of the possible implementations of the first aspect when the computer-executable instructions are executed by the processor.
A sixth aspect of the application provides a computer device comprising at least one processor, a memory, an input/output (I/O) interface and computer-executable instructions stored in the memory and executable on the processor, the processor performing the method according to the second aspect or any one of the possible implementations of the second aspect when the computer-executable instructions are executed by the processor.
A seventh aspect of the application provides a computer readable storage medium storing one or more computer executable instructions which, when executed by a processor, perform the method as described above in the first aspect or any one of the possible implementations of the first aspect.
An eighth aspect of the application provides a computer readable storage medium storing one or more computer executable instructions which, when executed by a processor, perform a method as described above in the second aspect or any one of the possible implementations of the second aspect.
A ninth aspect of the application provides a computer program product storing one or more computer-executable instructions which, when executed by a processor, perform the method as described above in the first aspect or any one of the possible implementations of the first aspect.
A tenth aspect of the application provides a computer program product storing one or more computer-executable instructions which, when executed by a processor, perform a method as described above in the second aspect or any one of the possible implementations of the second aspect.
An eleventh aspect of the present application provides a chip system comprising at least one processor for implementing the functions referred to in the first aspect or any one of the possible implementations of the first aspect. In one possible design, the chip system may further include memory to hold program instructions and data necessary for the apparatus to process the artificial intelligence model. The chip system can be composed of chips, and can also comprise chips and other discrete devices.
A twelfth aspect of the application provides a chip system comprising at least one processor for implementing the functions involved in the second aspect or any one of the possible implementations of the second aspect. In one possible design, the chip system may further include a memory to hold program instructions and data necessary for the device for artificial intelligence model-based data processing. The chip system can be composed of chips, and can also comprise chips and other discrete devices.
According to the embodiment of the application, the first computational graph of the AI model, which carries semantic information, is subjected to obfuscation processing to obtain a second computational graph without semantic information. This improves the confidentiality of the AI model in terms of storage and transmission; in addition, the obfuscated AI model can be run directly in the user environment to perform data inference, so the confidentiality of the AI model during operation is also improved. The scheme provided by the application is suitable for various software and hardware environments and scenarios, does not need a TEE environment, and has better universality.
Drawings
FIG. 1 is a schematic diagram of a system architecture for AI model training and application provided in an embodiment of the application;
FIG. 2 is a schematic diagram of the processing of an AI model in a model owner environment provided by an embodiment of the application;
FIG. 3 is another schematic diagram of the processing of an AI model in a model owner environment provided by an embodiment of the application;
FIG. 4 is a schematic diagram of an exemplary scenario provided by an embodiment of the present application;
FIG. 5 is a schematic diagram of another example scenario provided by an embodiment of the present application;
FIG. 6 is a schematic diagram of another example scenario provided by an embodiment of the present application;
FIG. 7 is a schematic diagram of another example scenario provided by an embodiment of the present application;
FIG. 8 is a schematic diagram of an AI model-based data processing process according to an embodiment of the application;
FIG. 9 is a schematic diagram of an embodiment of an apparatus for processing artificial intelligence models provided by an embodiment of the present application;
FIG. 10 is a schematic diagram of an embodiment of an apparatus for artificial intelligence model based data processing provided by an embodiment of the present application;
FIG. 11 is a schematic diagram of a computer device according to an embodiment of the present application.
Detailed Description
Embodiments of the present application will now be described with reference to the accompanying drawings, in which it is evident that the embodiments described are only some, but not all embodiments of the present application. As one of ordinary skill in the art can know, with the development of technology and the appearance of new scenes, the technical scheme provided by the embodiment of the application is also applicable to similar technical problems.
The terms first, second and the like in the description and in the claims and in the above-described figures, are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments described herein may be implemented in other sequences than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
The embodiment of the application provides a method for processing an artificial intelligence model, and a method and a device for processing data, which are used to guarantee the security of the artificial intelligence (AI) model during transmission and storage. The embodiment of the application also provides a corresponding device, a computer storage medium, a computer program product and the like. These are described in detail below.
Artificial intelligence is the theory, method, technique and application system that uses a digital computer or a digital computer-controlled machine to simulate, extend and expand human intelligence, sense the environment, acquire knowledge and use the knowledge to obtain optimal results. In other words, artificial intelligence is an integrated technology of computer science that attempts to understand the essence of intelligence and to produce a new intelligent machine that can react in a similar way to human intelligence. Artificial intelligence, i.e. research on design principles and implementation methods of various intelligent machines, enables the machines to have functions of sensing, reasoning and decision.
The artificial intelligence technology is a comprehensive subject, and relates to the technology with wide fields, namely the technology with a hardware level and the technology with a software level. Artificial intelligence infrastructure technologies generally include technologies such as sensors, dedicated artificial intelligence chips, cloud computing, distributed storage, big data processing technologies, operation/interaction systems, mechatronics, and the like. The artificial intelligence software technology mainly comprises a computer vision technology, a voice processing technology, a natural language processing technology, machine learning/deep learning and other directions.
Its application fields include intelligent manufacturing, intelligent transportation, intelligent home, intelligent medical treatment, intelligent security, automatic driving, safe city, intelligent terminal and the like.
AI models are typically trained on a device or platform (e.g., a server, a virtual machine (VM), or a container) of the model owner, and the trained model is stored in the form of a model file. When the device of the model user (such as a terminal device, a server or edge device, a VM or a container) needs to use the AI model, the device of the model user can actively load the model file of the AI model. The device of the model owner can also actively send the model file of the AI model to the device of the model user for installation.
The server refers to a physical machine.
A terminal device (also referred to as a User Equipment (UE)) is a device with a wireless transceiving function, which may be deployed on land, including indoor or outdoor, handheld or vehicle-mounted; can also be deployed on the water surface (such as ships, etc.); but may also be deployed in the air (e.g., on aircraft, balloon, satellite, etc.). The terminal may be a mobile phone (mobile phone), a tablet computer (pad), a computer with a wireless transceiving function, a Virtual Reality (VR) terminal, an augmented reality (augmented reality, AR) terminal, a wireless terminal in industrial control (industrial control), a wireless terminal in unmanned driving (self driving), a wireless terminal in remote medical (remote medical), a wireless terminal in smart grid (smart grid), a wireless terminal in transportation security (transportation safety), a wireless terminal in smart city (smart city), a wireless terminal in smart home (smart home), and the like.
Either the VM or the container may be a virtualized device that is virtualized across the hardware resources of the physical machine.
The scheme provided by the embodiment of the application can be understood with reference to the system architecture diagram of AI model training and application shown in FIG. 1. The device of the model owner is a server in this example, and the device of the model user is a terminal device. After training the AI model, the server further obfuscates the AI model to obtain an obfuscated model file. The terminal device of the model user loads the obfuscated model file for application. Thus, even if the obfuscated model file is stolen during transmission or storage, the thief cannot understand the semantics expressed by the obfuscated model file, and the confidentiality of the AI model is improved.
In addition, in the embodiment of the application, the device of the model user can also run the obfuscated model to perform data inference, so the confidentiality of the model during operation is further improved. Moreover, the scheme provided by the application is suitable for various software and hardware environments and scenarios, does not need a trusted execution environment (TEE), and has better universality.
The solution according to the application will be described below in terms of the device of the model owner and the device of the model user, respectively.
It should be noted that, hereinafter, a server is used as the device of the model owner and a terminal is used as the device of the model user. In fact, the embodiment of the present application does not limit the specific form of the device of the model owner or the device of the model user, and other forms of device may replace the server or terminal to execute the corresponding flow.
I. Obfuscation process of the AI model by the model owner's device.
As shown in FIG. 2, the processing of the model by the model owner's device may include two parts: initial model training and AI model obfuscation.
1. Initial model training.
The model owner side server can perform model training through a large number of samples to obtain an AI model capable of data reasoning, which can be further optimized in connection with the specific modality of the device of the model user to which it is applied. The optimized AI model is then stored in the form of an AI model file.
2. AI model obfuscation.
AI model obfuscation includes three parts: obtaining a first computational graph, computational graph obfuscation to obtain a second computational graph, and operator obfuscation to determine an obfuscated operator library.
(1) Acquiring a first computational graph.
The server may parse the AI model file and obtain from the AI model file a graph representation of the AI model, i.e., a first computational graph of the AI model, the first computational graph being indicative of execution logic of the artificial intelligence model.
The AI model may include a plurality of computing units, such as: various types of units, such as convolution units, pooling units, or merging units, for performing the respective calculations, each calculation unit may be referred to as an "operator". The execution logic of the AI model is the order of execution of each computing unit. The computing units in the AI model and the input or output relationships between the computing units may be expressed in terms of a graph, which is referred to as a "computation graph". All operators in the AI model are included in the computational graph, and the operators are usually multiple in type, and one or more operators in the same type can also be used. The type of operator typically characterizes the computational properties of the operator, such as: convolution type, pooling type, merge type, batch normalization type, or linear correction type, etc. The convolution type operator refers to an operator for performing convolution operation, the pooling type operator refers to an operator for performing pooling operation, the merging type operator refers to an operator for performing merging operation, the batch standardization type operator refers to an operator for performing batch standardization, and the linear correction type operator refers to an operator for performing linear correction. In the computational graph, each operator may have a unique identifier, or unique name, such as: convolution operator 1, convolution operator 2, pooling operator 1 or merging operator 1, etc.
The first computational graph includes a plurality of first operators in the AI model and dependencies among the plurality of first operators. The plurality of first operators may have the same type of operators, such as: two or more convolution operators may be included in the plurality of first operators. Operator types may include convolution, pooling, slicing, merging, linear correction, and the like. Each first operator may have a unique operator identity or operator name. Each first operator represents a computational unit that includes at least one inference-related parameter, which typically has a weight. Thus, each first operator may have a set of weights including one or more weights therein.
(2) Computational graph obfuscation.
After the server obtains the first computational graph, obfuscation processing is carried out on the first computational graph to obtain a second computational graph. The second computational graph indicates the execution logic of the artificial intelligence model after obfuscation; it comprises a plurality of second operators and the dependency relationships among them, the second operators are derived from the first operators and are in an anonymous state, and a model file in the obfuscated state is generated according to the second computational graph.
The second computational graph is obtained by obfuscating the first computational graph. Obfuscation here means that interference factors are added to the first computational graph, so that no semantic information can be read out of the second computational graph while the second computational graph still realizes the function of the first computational graph. The obfuscated state may also be described as a state without semantic information. There are several ways to perform this obfuscation, such as any one or a combination of graph compression, graph augmentation, anonymization, or weight scrambling. All operators in the second computational graph are called second operators, and the second operators being in an anonymous state means that the type of a second operator cannot be obtained from its name or identifier. Anonymization in the present application does not mean hiding the name; rather, a name without semantics is used in place of the real name that contains the operator type.
In the present application, no matter in the first calculation graph or the second calculation graph, the dependency relationship may also be called "edge", each edge connects two operators, and two operators connected by the same edge have an input relationship or an output relationship, that is, the "dependency relationship" in the present application.
The "obfuscation processing" described above may be understood with reference to FIG. 3: computational graph obfuscation may be performed by at least one of network structure scrambling, operator anonymization, and weight scrambling, as shown in FIG. 3.
The network structure may also be called a dependency relationship between operators, where two operators with a dependency relationship have an input relationship or an output relationship, for example: the fact that the operator A and the operator B have a dependency relationship means that data output by the operator A are transmitted to the operator B, the operator B takes the data as input to continue to execute the calculation logic of the operator B, or the operator B outputs the data to the operator A, and the operator A takes the data as input to continue to execute the calculation logic of the operator A.
Operator anonymization refers to modifying names in the first computational graph having a name representing the first operator type to names without semantics, such as: modifying the convolution operator 1 to operator 1, modifying the pooling operator 1 to operator 2, etc.
Weight scrambling refers to mapping weights or adding noise, or both.
Several aspects of computational graph obfuscation in embodiments of the present application are described below in conjunction with the accompanying drawings.
FIG. 4 is an exemplary diagram of a scenario of the first computational graph. In FIG. 4, an arrow indicates a dependency relationship, which may also be referred to as an input-output relationship. The first computational graph includes a convolution operator_1 (Conv_1), a batch normalization operator_1 (BatchNorm_1), a linear correction operator_1 (Relu_1), a slice operator_1 (Split_1), a convolution operator_2 (Conv_2), a batch normalization operator_2 (BatchNorm_2), a linear correction operator_2 (Relu_2), a convolution operator_3 (Conv_3), a batch normalization operator_3 (BatchNorm_3), a linear correction operator_3 (Relu_3), a pooling operator_1 (Pooling_1), a merging operator_1 (Concat_1), a convolution operator_4 (Conv_4), a batch normalization operator_4 (BatchNorm_4), a linear correction operator_4 (Relu_4), and a logic function operator_1 (Sigmoid_1).
The network structure scrambling may include both graph compression and graph augmentation, either or a combination of which may be implemented to scramble the network structure of the first computational graph.
Optionally, in an embodiment of the present application, performing obfuscation processing on the first computational graph to obtain a second computational graph includes: merging at least two first operators of the first computational graph that have a dependency relationship into one operator; and anonymizing the operators in the merged first computational graph to obtain the second computational graph.
The merging structure used for graph compression may be configured in advance by a developer; it includes at least two first operators with a dependency relationship. For example, if the merging structure is convolution_batch normalization_linear correction, i.e. Conv -> BatchNorm -> Relu, the first computational graph of FIG. 4 may be compressed into the computational graph shown in FIG. 5. As can be seen from FIG. 5, the convolution operator_1 (Conv_1), batch normalization operator_1 (BatchNorm_1) and linear correction operator_1 (Relu_1) are merged into one convolution_batch normalization_linear correction operator_1; the convolution operator_2 (Conv_2), batch normalization operator_2 (BatchNorm_2) and linear correction operator_2 (Relu_2) are merged into one convolution_batch normalization_linear correction operator_2; the convolution operator_3 (Conv_3), batch normalization operator_3 (BatchNorm_3) and linear correction operator_3 (Relu_3) are merged into one convolution_batch normalization_linear correction operator_3; and the convolution operator_4 (Conv_4), batch normalization operator_4 (BatchNorm_4) and linear correction operator_4 (Relu_4) are merged into one convolution_batch normalization_linear correction operator_4.
The embodiment of the application is not limited to a developer configuring the merging structure in advance; the merging structure can also be determined dynamically in some manner, for example by detection: the server scans the first computational graph once, determines that the convolution-batch normalization-linear correction structure has the highest probability of occurrence, and then takes the structure with the highest occurrence probability as the merging structure. The merging process from FIG. 4 to FIG. 5 described above is then performed. Of course, the merging structure may be determined in other ways, and is not limited to the two ways listed in the present application.
The operators obtained by merging in FIG. 5 above may be referred to as merging operators; for example, convolution_batch normalization_linear correction operator_1, convolution_batch normalization_linear correction operator_2, convolution_batch normalization_linear correction operator_3 and convolution_batch normalization_linear correction operator_4 are all merging operators.
If anonymization is performed after graph compression, some or all operators in the merged first computational graph are given a name or identifier without semantic information, from which the type of the operator cannot be read, so as to obtain the second computational graph. The second operators in the second computational graph then include the merging operators and the first operators that were not merged.
In this embodiment, the structural representation of the first computational graph is modified by graph compression without affecting the execution logic of the first computational graph, and operator anonymization is then performed so that the function of an operator cannot be determined from its representation information; the confidentiality of the AI model is thereby further improved.
Optionally, in an embodiment of the present application, performing obfuscation processing on the first computational graph to obtain a second computational graph includes: performing an augmentation operation on the first computational graph, the augmentation operation comprising adding a dependency relationship among the plurality of first operators in the first computational graph, or adding an augmentation operator to the first computational graph and establishing a dependency relationship between the augmentation operator and at least one of the plurality of first operators, where the augmentation operator is an operator added during the obfuscation of the first computational graph; and then anonymizing the operators in the augmented first computational graph to obtain the second computational graph.
In the present application, the modes of graph augmentation include at least one of: adding dependency relationships between operators; and adding an augmentation operator and establishing a dependency relationship between the augmentation operator and at least one of the plurality of first operators.
In this embodiment, the first computational graph is obfuscated by means of graph augmentation and anonymization to obtain the second computational graph. The graph is augmented by adding new dependencies between existing operators of the first computational graph, or by adding one or more operators (these added operators are referred to as augmentation operators) and then creating dependencies between the augmentation operators and some or all of the first operators. Such additions normally do not affect the execution logic of the original first computational graph; they are equivalent to adding a small perturbation. The structural representation of the first computational graph can be modified by graph augmentation without affecting its execution logic, and after operator anonymization the function of an operator cannot be determined from its representation information, so the confidentiality of the AI model is further improved.
Optionally, in the embodiment of the present application, graph augmentation may be performed after graph compression, followed by anonymization. The process includes: merging at least two first operators that conform to the merging structure in the first computational graph into a merging operator; performing an augmentation operation on the merged first computational graph, the augmentation operation comprising adding a dependency relationship between operators in the merged first computational graph, or adding an augmentation operator to the merged first computational graph and establishing a dependency relationship between the augmentation operator and an operator in the merged first computational graph; and then anonymizing the operators in the augmented first computational graph to obtain the second computational graph.
The graph compression process may be understood with reference to FIG. 4 and FIG. 5 above. After graph compression, graph augmentation can be performed on the basis of the compressed graph in FIG. 5. Graph augmentation may add new dependencies between operators in FIG. 5; for example, FIG. 6 shows the addition of a new dependency between convolution_batch normalization_linear correction operator_1 and merging operator_1. Graph augmentation may also add a new operator to FIG. 5, which may be referred to as an augmentation operator, such as the convolution operator_1 in FIG. 6. Dependency relationships between the augmentation operator and some operators in FIG. 5 are then established: in FIG. 6, a dependency relationship between convolution_batch normalization_linear correction operator_2 and convolution operator_1 is added, and a dependency relationship between convolution operator_1 and logic function operator_1 (Sigmoid_1) is added.
In the above embodiments, after the graph compression, the graph augmentation, or the combination of both, anonymization processing is performed on the operators in the obtained calculation graph.
In the above described embodiment of the present application, anonymization does not mean hiding the name; rather, a name without semantics is used in place of the real name containing the operator type. As can be seen from the process of FIG. 6 to FIG. 7, the names containing operator types in FIG. 6 may be replaced with names not containing operator types, such as OptA, OptB, OptC, OptD, OptE, OptF and OptG.
In order to avoid the problem of operator type explosion caused by operator anonymization in a large-scale computational graph, operators of the same type in the computational graph can be divided into a plurality of disjoint sets, and the operator types of the nodes in the same set are replaced by the same anonymous symbol. For example, with two operators of the convolution type, anonymization can be performed by means of OptA_1 and OptA_2; both convolution operators contain the same anonymous symbol "OptA". This naming mode reduces the number of anonymous symbols needed and reduces the amount of computation the server spends on naming.
The anonymous names of different operators of the same type in the augmented first computational graph may also comprise a first anonymous symbol and a second anonymous symbol, where the first anonymous symbol is different from the second anonymous symbol; the operators corresponding to the first anonymous symbol had a dependency relationship added during augmentation, and the operators corresponding to the second anonymous symbol did not.
As in FIG. 7, convolution_batch normalization_linear correction operator_1 and convolution_batch normalization_linear correction operator_2 are operators of the same type and both had new dependencies established during graph augmentation, so they can be represented by the same operator type, e.g., both by OptA; to distinguish the two operators, convolution_batch normalization_linear correction operator_1 can be represented as OptA_1 and convolution_batch normalization_linear correction operator_2 as OptA_2. Convolution_batch normalization_linear correction operator_3 and convolution_batch normalization_linear correction operator_4 are operators of the same type and were not affected by graph augmentation, so they may be represented by the same operator type, e.g., both by OptB; to distinguish the two operators, convolution_batch normalization_linear correction operator_3 may be represented as OptB_1 and convolution_batch normalization_linear correction operator_4 as OptB_2.
Wherein OptA_1 and OptA_2 may be assigned to set S1 and OptB_1 and OptB_2 may be assigned to set S2.
In the anonymization process from FIG. 6 to FIG. 7, the mapping relationship M between the operators in FIG. 6 and FIG. 7 includes:
convolution_batch normalization_linear correction operator -> OptA, OptB;
slicing -> OptC;
pooling -> OptD;
merging -> OptE;
convolution -> OptF;
logic function -> OptG.
This mapping relation shows only a mapping between operator types. In fact, the operator mapping between FIG. 6 and FIG. 7 could also be a one-to-one mapping, but once such a one-to-one mapping is obtained by a model thief, the confidentiality of the model is lost. Therefore, in the embodiment of the present application, operator types are mapped between the pre-anonymization and post-anonymization graphs instead of individual operators, which improves the confidentiality of the model.
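The graph compression, graph augmentation and operator anonymization steps above, including the type-level mapping M and the split of one operator type into two anonymous symbols, as an added worked example in Python (not the patent's code): the dictionary graph format, the operator names and the augmentation choices are constructed here, and anonymous symbols are assigned in graph order, so the letters differ from those in FIG. 7.

```python
"""Added example (not the patent's code): graph compression, graph augmentation and
operator anonymization on a constructed toy first computational graph shaped like FIG. 4."""
import string
from collections import defaultdict

# Constructed first computational graph: name -> (operator type, consumers of its output)
FIRST_GRAPH = {
    "conv_1": ("Convolution", ["batchnorm_1"]),
    "batchnorm_1": ("BatchNorm", ["relu_1"]),
    "relu_1": ("Relu", ["split_1"]),
    "split_1": ("Split", ["conv_2", "conv_3"]),
    "conv_2": ("Convolution", ["batchnorm_2"]),
    "batchnorm_2": ("BatchNorm", ["relu_2"]),
    "relu_2": ("Relu", ["concat_1"]),
    "conv_3": ("Convolution", ["batchnorm_3"]),
    "batchnorm_3": ("BatchNorm", ["relu_3"]),
    "relu_3": ("Relu", ["concat_1"]),
    "concat_1": ("Concat", ["sigmoid_1"]),
    "sigmoid_1": ("Sigmoid", []),
}
MERGE_STRUCTURE = ("Convolution", "BatchNorm", "Relu")  # the FIG. 5 merge structure


def compress(graph, structure=MERGE_STRUCTURE):
    # Graph compression: fold each linear chain matching `structure` into one merged operator.
    # Inner chain nodes must have exactly one predecessor and successor, so execution logic is kept.
    preds = defaultdict(list)
    for name, (_, succs) in graph.items():
        for s in succs:
            preds[s].append(name)
    chains = []
    for head, (head_type, _) in graph.items():
        chain = [head] if head_type == structure[0] else []
        for want in structure[1:]:
            succs = graph[chain[-1]][1] if chain else []
            if len(succs) != 1 or graph[succs[0]][0] != want or len(preds[succs[0]]) != 1:
                chain = []
                break
            chain.append(succs[0])
        if chain:
            chains.append(chain)
    merged_type = "_".join(structure)
    alias = {n: f"{merged_type.lower()}_{i}" for i, c in enumerate(chains, 1) for n in c}
    tails = {c[-1] for c in chains}
    out = {}
    for name, (typ, succs) in graph.items():
        mapped = [alias.get(s, s) for s in succs]
        if name in tails:
            out[alias[name]] = (merged_type, mapped)
        elif name not in alias:
            out[name] = (typ, mapped)
    return out


def augment(graph, extra_edges=(), extra_operators=()):
    # Graph augmentation: add dependencies between existing operators and/or add augmentation
    # operators wired to existing ones. Also returns the operators whose dependencies changed.
    graph = {k: (t, list(s)) for k, (t, s) in graph.items()}
    touched = set()
    for name, typ, preds, succs in extra_operators:
        graph[name] = (typ, list(succs))
        for p in preds:
            graph[p][1].append(name)
        touched.update(preds, succs, [name])
    for src, dst in extra_edges:
        graph[src][1].append(dst)
        touched.update((src, dst))
    return graph, touched


def anonymize(graph, touched):
    # Operator anonymization: names become Opt<symbol>_<n>. Operators of one type share a symbol,
    # except that those touched by augmentation get a different symbol from those that were not.
    # Returns (second computational graph, type-level mapping M, rename table).
    symbols = iter(string.ascii_uppercase)
    symbol_of, counters, rename = {}, defaultdict(int), {}
    for name, (typ, _) in graph.items():
        key = (typ, name in touched)
        if key not in symbol_of:
            symbol_of[key] = "Opt" + next(symbols)
        sym = symbol_of[key]
        counters[sym] += 1
        rename[name] = f"{sym}_{counters[sym]}"
    second = {rename[n]: (rename[n].rsplit("_", 1)[0], [rename[s] for s in succs])
              for n, (_, succs) in graph.items()}
    mapping = defaultdict(set)
    for (typ, _), sym in symbol_of.items():
        mapping[typ].add(sym)
    return second, dict(mapping), rename


def obfuscate(graph, extra_edges=(), extra_operators=()):
    # Combined mode of the text: compress, then augment, then anonymize.
    augmented, touched = augment(compress(graph), extra_edges, extra_operators)
    return anonymize(augmented, touched)


# Constructed FIG. 6-style augmentation: one new dependency between existing operators
# and one added convolution operator wired between two existing ones.
EXTRA_EDGES = [("convolution_batchnorm_relu_1", "concat_1")]
EXTRA_OPERATORS = [("conv_aug_1", "Convolution", ["convolution_batchnorm_relu_2"], ["sigmoid_1"])]
```

Calling `obfuscate(FIRST_GRAPH, EXTRA_EDGES, EXTRA_OPERATORS)` yields a second graph whose names carry no operator type, and a mapping M in which the merged convolution_batch normalization_linear correction type maps to two symbols (the augmented and non-augmented instances) while every other type maps to one.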
After anonymizing the operators, the weights of the operators may also be scrambled. In the embodiment of the application, the weights can be scrambled using a reversible mapping function and random noise; for example, the scrambling rule may be:
$w'_i = f(w_i) + \epsilon_i$
where $w_i$ is the original weight, $f$ is any reversible function, $\epsilon_i$ is random noise, and $w'_i$ is the scrambled weight. If $f(x) = x$, the scrambling result is $w'_i = w_i + \epsilon_i$.
The scrambling process may scramble every operator, or only the operators pre-configured by the user; for example, to scramble the weights of operators whose operator type is OptA, the mapping function used is $f_A$ and the random noise used is $\epsilon_A$, and the scrambled weights may be $w'_A = f_A(w_A) + \epsilon_A$.
The weight scrambling described above is performed after anonymization. Alternatively, in the embodiment of the present application, scrambling may be performed directly on the first operators in the first computation graph, or the weight scrambling may be performed after the network structure scrambling and before anonymization.
The computation graph, such as that shown in fig. 7, obtained after the computation graph is obfuscated, may be referred to as a second computation graph, and each operator in the second computation graph may be referred to as a second operator.
(3) Operator confusion.
In the embodiment of the application, the confusion operator library can be determined in an operator confusion manner, the confusion operator library comprises calculation logics of a plurality of second operators, each of the calculation logics of the second operators corresponds to the name of a second operator in an anonymous state, and the calculation logic of each second operator of the plurality of second operators comprises the calculation logic of at least one first operator from which each second operator is derived.
In this embodiment, not only the computation graph is confused, but also the computation logic of the operator is confused, and the confusion of the computation logic can be understood as that the code of the operator is confused or the input/output interface of the operator is confused. In the application, the confusion operator library is determined, so that the equipment applying the AI model can directly operate the AI model in a confusion state, and a second operator in the confusion operator library is called to execute execution logic in a second calculation graph, thereby further ensuring confidentiality of the model in the operation process.
The process of operator confusion may occur in the graph augmentation process, in which case the process of operator confusion includes: executing at least one of the following on the basis of the computation logic of the at least one first operator to obtain the computation logic of a second operator derived from the at least one first operator, the at least one item comprising: modifying the entry or exit of the computational logic of the corresponding operator according to the dependency added to the first computational graph, and adding confusing code to the code of the operators of the augmented first computational graph; and adding the obtained calculation logic of the second operator and the obtained names of the second operators into a confusion operator library, wherein the confusion operator library comprises the calculation logic of a plurality of second operators, and the calculation logic of each second operator corresponds to the name of one second operator in an anonymous state.
The process of operator confusion may also occur in the process of scrambling weights, in which case the process of operator confusion includes: adding code for eliminating the weight disturbance to the code of the operator whose weights were scrambled, on the basis of the calculation logic of the at least one first operator, to obtain the calculation logic of a second operator derived from the at least one first operator; and adding the obtained calculation logic of the second operator and the obtained names of the second operators into a confusion operator library, wherein the confusion operator library comprises the calculation logic of a plurality of second operators, and the calculation logic of each second operator corresponds to the name of one second operator in an anonymous state.
In the application, one calculation logic can correspond to the name of a second operator in an anonymous state, or one calculation logic can correspond to the names of a plurality of second operators in an anonymous state.
As shown in fig. 3, the process of operator confusion includes an operator interface transformation and an operator implementation transformation, which are described separately below.
The operator interface transformations include interface name transformations and input-output transformations.
The interface name transformation replaces the original operator name with the anonymized operator name according to the mapping relation between the original operator and the anonymized operator, so that the model can still be identified and executed after operator anonymization while the operator name no longer reveals the calculation logic of the operator. Taking the example of fig. 6 and fig. 7 above, the mapped names {OptA, OptB; OptC; OptD; OptE; OptF; OptG} of the mapping relationship M from fig. 6 to fig. 7 are stored in the confusion operator library.
Input-output transformation refers to modifying the input data or output data of an operator according to the input-output relationship between interdependent operators. For example, for convolution_batch normalization_linear correction operator_1 and convolution_batch normalization_linear correction operator_2 in fig. 6, one input (e.g. the added random noise $\epsilon_A$) and one output are added to the original inputs and outputs, generating the interface of the OptA operator in fig. 7.
The operator implementation transformation transforms the code implementation of the operator using software code obfuscation techniques such as string encryption and redundant code, so that the confused operator implements the same calculation logic, with the same semantics, as the original operator, but is difficult to read and understand.
For example, several types of operator code, such as the slicing, pooling, merging and logic function operators of fig. 6 described above, are transformed to generate the obfuscated second operators OptC, OptD, OptE and OptG. For the convolution_batch normalization_linear correction type operator, in addition to the code transformation, code for eliminating the weight noise disturbance can be added; this code can be based on the inverse function $f_A^{-1}$ of the mapping function $f_A$ and on the random noise $\epsilon_A$, and it dynamically eliminates the noise disturbance during operator execution, ensuring that the calculation result of the confused model is consistent with that of the original model.
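The weight scrambling rule $w'_i = f(w_i) + \epsilon_i$ given earlier, and the noise-eliminating code that the confused operator carries, as one added example that is not the patent's or Huawei's code. It assumes an affine reversible mapping $f_A(x) = ax + b$ (any invertible $f$ would do), a seeded pseudo-random noise vector standing in for $\epsilon_A$, and a dot product standing in for the first operator's computation; the helper names are chosen here.

```python
"""Weight scrambling with a reversible f and noise, plus the confused operator
that removes the disturbance at run time (added example)."""
import random


def make_f(a, b):
    """Reversible mapping f_A(x) = a*x + b and its inverse; a must be non-zero."""
    if a == 0:
        raise ValueError("f must be invertible: a != 0")
    return (lambda x: a * x + b), (lambda y: (y - b) / a)


def scramble(weights, f, rng, scale=1.0):
    """w'_i = f(w_i) + eps_i. Returns the scrambled weights and the noise used."""
    eps = [rng.uniform(-scale, scale) for _ in weights]
    return [f(w) + e for w, e in zip(weights, eps)], eps


def unscramble(scrambled, f_inv, eps):
    """w_i = f^{-1}(w'_i - eps_i): the noise-elimination step."""
    return [f_inv(w - e) for w, e in zip(scrambled, eps)]


def original_op(weights, x):
    """Stand-in for the first operator's computation logic (a dot product)."""
    return sum(w * v for w, v in zip(weights, x))


def make_obfuscated_op(f_inv, eps):
    """Build the second operator (OptA): same semantics as original_op, but it
    accepts scrambled weights and removes the disturbance internally. f_inv
    and eps are baked into its code, which is what operator confusion hides."""
    def opt_a(scrambled_weights, x):
        clean = unscramble(scrambled_weights, f_inv, eps)  # eliminate disturbance
        return original_op(clean, x)
    return opt_a


def demo(seed=7):
    """Scramble constructed weights, run both operators and a naive attempt."""
    rng = random.Random(seed)
    weights = [0.5, -1.25, 2.0, 0.75]      # constructed original weights w_A
    x = [1.0, 2.0, 3.0, 4.0]               # constructed application data
    f, f_inv = make_f(3.0, 0.125)          # constructed f_A
    scrambled, eps = scramble(weights, f, rng)
    opt_a = make_obfuscated_op(f_inv, eps)
    return {
        "original": original_op(weights, x),
        "obfuscated": opt_a(scrambled, x),
        # what running the stored (scrambled) weights without f_inv and eps yields
        "naive": original_op(scrambled, x),
    }


if __name__ == "__main__":
    print(demo())
```

The model file stores only `scrambled`; `f_inv` and `eps` exist only inside the confused operator's code, so reading the file yields weights that are useless without the matching operator library, while the confused model's output still equals the original's up to floating-point rounding.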
Having described the process of AI model confusion in a model owner environment, the process of performing data processing on the confused model in a model user environment is described below in conjunction with the accompanying drawings.
As shown in fig. 8, the terminal device is provided with an AI application program; before executing data processing, it loads the confusion model file generated in the model owner environment, obtains the confused second calculation graph from it, and then executes data processing.
The application can directly use the second calculation graph and the confusion operator library to execute the data processing process, and can also restore the second calculation graph into the first calculation graph, and use the first calculation graph and the original operator library to execute the data processing process. The terminal device may determine whether to revert from the second computational graph to the first computational graph based on the security configuration options. For example: if the flag bit of the security configuration option is 1, the second calculation map is directly used for data processing without restoration, if the flag bit of the security configuration option is 0, the first calculation map is required to be restored, and then the first calculation map is used for data processing. It should be noted that, the flag bit of the security configuration option in the embodiment of the present application is represented by 0 or 1, which is only used as an example herein, and may also be represented by other forms, which is not limited by the present application.
After receiving the application data, if the terminal equipment directly uses the second calculation graph to process the data, generating a task sequence according to the second calculation graph, wherein the task sequence indicates the execution sequence of a second operator in the second calculation graph; and according to the task sequence, calling a corresponding second operator in the confusion operator library, and processing application data, wherein the confusion operator library comprises calculation logic of a plurality of second operators in the second calculation graph.
In the embodiment of the application, the task sequence can comprise the names or identifiers of the second operators arranged in order, and the task sequence ensures that the plurality of second operators are executed one after another in the execution order. The application data may be pictures, voice or text, etc., and the inference results may be, for example, information marking objects of interest in a picture or the translation result of a text; the specific inference results vary with the usage scenario.
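The direct path of the two paragraphs above (security configuration flag 1: no restoration), as an added example that is not the patent's code: the task sequence is derived from the second computation graph's dependencies by topological ordering, every anonymous name is resolved against the confusion operator library before anything runs, and the operators are then executed in sequence. The graph, the library entries and the input are constructed; `OptA_1` to `OptD_1` here are placeholders, not the operators of fig. 7.

```python
"""Task sequence generation and dispatch to a confusion operator library
(added example). Names carry no semantic information; only the dependency
structure and the library decide what runs."""
from collections import deque

# Constructed second computation graph: operator -> producers it depends on.
GRAPH = {
    "OptA_1": [],
    "OptB_1": ["OptA_1"],
    "OptC_1": ["OptA_1"],
    "OptD_1": ["OptB_1", "OptC_1"],
}


# Constructed computation logic; each entry takes (producer outputs, app data).
def _identity(inputs, app_data):
    return list(app_data)

def _shift(inputs, app_data):
    return [v + 1 for v in inputs[0]]

def _scale(inputs, app_data):
    return [2 * v for v in inputs[0]]

def _merge(inputs, app_data):
    return [a + b for a, b in zip(inputs[0], inputs[1])]

# Constructed confusion operator library: anonymous name -> computation logic.
LIBRARY = {"OptA_1": _identity, "OptB_1": _shift, "OptC_1": _scale, "OptD_1": _merge}


def task_sequence(graph):
    """Kahn's algorithm: an execution order honouring every dependency.
    Raises ValueError on a cycle or on a dependency that the graph does not define."""
    indegree = {n: 0 for n in graph}
    consumers = {n: [] for n in graph}
    for node, producers in graph.items():
        for p in producers:
            if p not in graph:
                raise ValueError(f"{node} depends on undefined operator {p}")
            indegree[node] += 1
            consumers[p].append(node)
    ready = deque(sorted(n for n, d in indegree.items() if d == 0))
    order = []
    while ready:
        node = ready.popleft()
        order.append(node)
        for c in consumers[node]:
            indegree[c] -= 1
            if indegree[c] == 0:
                ready.append(c)
    if len(order) != len(graph):
        raise ValueError("cycle in computation graph")
    return order


def run(graph, library, app_data):
    """Execute the confused graph. All names are resolved before the first
    operator runs, so a model file referencing unknown operators fails early."""
    seq = task_sequence(graph)
    missing = [n for n in seq if n not in library]
    if missing:
        raise KeyError(f"operators absent from confusion operator library: {missing}")
    results = {}
    for name in seq:
        inputs = [results[p] for p in graph[name]]
        results[name] = library[name](inputs, app_data)
    return results[seq[-1]], seq


if __name__ == "__main__":
    output, sequence = run(GRAPH, LIBRARY, [1, 2, 3])
    print(sequence, output)
```

Resolving every name up front, rather than on first use, means a tampered or mismatched model file is rejected before any partial inference runs; the same check catches a library that lacks a second operator the graph expects.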
In the embodiment, the application data is processed by using the second calculation graph and the confusion operator library, so that the AI model can be ensured to run and be inferred in a confusion state, and the confidentiality of the AI model in running is ensured. In addition, the scheme provided by the application is suitable for various software and hardware environments and scenes, does not need a TEE environment, and has better universality.
If the first calculation map needs to be restored, restoring the second calculation map to the first calculation map according to a logic function of a logic architecture for describing the artificial intelligent model; generating a task sequence according to the first calculation graph, wherein the task sequence indicates the execution sequence of a first operator in the first calculation graph; and calling a first operator corresponding to the original operator library corresponding to the first calculation graph according to the task sequence, and processing application data.
In such an embodiment, the task sequence may include the names or identifiers of the first operators arranged in order, and the task sequence ensures that the plurality of first operators are executed one after another in the execution order. When the first computation graph is restored, a mapping relationship exists between the first operators of the first computation graph and the operators of the second computation graph, so the first computation graph can be restored through the mapping relationship between the operators. The second computational graph may also be restored to the first computational graph based on a logical function of the AI application installed on the device in the model user environment, where the logical function of the AI application expresses the architectural logic of the AI application, such as: the first layer convolves, the second layer convolves, the third layer convolves, and so on; the first computational graph can then be recovered by matching the execution logic of the second computational graph against the execution logic of the first computational graph as expressed in the AI application program. After the first calculation graph is restored, the original operator library is scheduled to process the data, which provides diversified operation modes while still guaranteeing the confidentiality of the AI model during storage and transmission.
Having described the process of performing model confusion in the model owner's device and data processing in the model user's device, the corresponding apparatus provided by embodiments of the present application is described below with reference to the accompanying drawings.
As shown in fig. 9, an embodiment of an apparatus 30 for processing an artificial intelligence model according to an embodiment of the present application includes:
an obtaining unit 301, configured to obtain a first computational graph of the artificial intelligence model, where the first computational graph is used to indicate execution logic of the artificial intelligence model, and the first computational graph includes a plurality of first operators in the artificial intelligence model and a dependency relationship between the plurality of first operators.
The processing unit 302 is configured to perform confusion processing on the first computation graph acquired by the acquiring unit 301 to obtain a second computation graph, where the second computation graph is used to indicate execution logic after confusion processing of the artificial intelligence model, and the second computation graph includes a plurality of second operators and a dependency relationship between the plurality of second operators, and the second operators are in an anonymous state.
A generating unit 303, configured to generate a model file in a confusion state according to the second computation graph obtained by the processing unit 302.
In the model owner environment, after confusion processing is carried out on the first calculation diagram of the AI model, semantic information cannot be read out from the obtained second calculation diagram, and thus a model file in which the semantic information cannot be read out is generated. Therefore, even if the model file in the confusion state is stolen in the storage and transmission process, the semantic information of the model cannot be read, and the confidentiality and the security of the AI model in the storage and transmission process are improved.
Optionally, the processing unit 302 is configured to combine at least two first operators having a dependency relationship in the first computation graph into one operator; and anonymizing operators in the combined first calculation map to obtain a second calculation map.
Optionally, the processing unit 302 is configured to perform an augmentation operation on the first computation graph, where the augmentation operation includes: adding a dependency relationship among a plurality of first operators in a first computational graph; or adding an augmentation operator in the first calculation graph, and establishing a dependency relationship between the augmentation operator and at least one first operator in the plurality of first operators, wherein the augmentation operator is an operator added in the process of confusion processing of the first calculation graph; and anonymizing operators in the amplified first calculation map to obtain a second calculation map.
Optionally, the processing unit 302 is configured to combine at least two first operators having a dependency relationship in the first computation graph into one operator; and performing an augmentation operation on the combined first calculation graph, wherein the augmentation operation comprises the following steps: adding a dependency relationship between operators in the combined first calculation graph; or adding an augmentation operator in the combined first calculation graph, and establishing a dependency relationship between the augmentation operator and the operator in the combined first calculation graph, wherein the augmentation operator is an operator added in the process of carrying out confusion processing on the first calculation graph; and anonymizing operators in the amplified first calculation map to obtain a second calculation map.
Optionally, the processing unit 302 is configured to scramble the weight of at least one first operator in the first computation graph, and anonymize the operators in the scrambled first computation graph to obtain a second computation graph.
Optionally, the processing unit 302 is configured to scramble the weights of the operators in the first calculation map after anonymization processing.
Optionally, the anonymized names of different operators of the same type in the first calculation graph after anonymization processing contain the same anonymized symbol.
Optionally, the anonymous names of different operators of the same type in the first calculation graph after anonymization processing include a first anonymous symbol and a second anonymous symbol, the first anonymous symbol is different from the second anonymous symbol, the operator corresponding to the first anonymous symbol is added with a dependency relationship in the augmentation process, and the operator corresponding to the second anonymous symbol is not added with the dependency relationship in the augmentation process.
Optionally, the processing unit 302 is further configured to determine a confusion operator library, where the confusion operator library includes the computing logic of a plurality of second operators, each computing logic corresponds to the name of a second operator in an anonymous state, and the computing logic of each second operator includes the computing logic of the at least one first operator from which that second operator originates.
Optionally, the processing unit 302 is further configured to perform at least one of the following on the basis of the calculation logic of the at least one first operator, to obtain the calculation logic of a second operator derived from the at least one first operator, where the at least one item includes: modifying the entry or exit of the computational logic of the corresponding operator according to the dependency added to the first computational graph, and adding confusing code to the code of the operators of the augmented first computational graph; and adding the obtained calculation logic of the second operator and the obtained names of the second operators into a confusion operator library, wherein the confusion operator library comprises the calculation logic of a plurality of second operators, and the calculation logic of each second operator corresponds to the name of one second operator in an anonymous state.
Optionally, the processing unit 302 is further configured to add, based on the calculation logic of the at least one first operator, code for eliminating the weight disturbance to the code of the operator whose weights were scrambled, so as to obtain the calculation logic of the second operator derived from the at least one first operator; and to add the obtained calculation logic of the second operator and the obtained names of the second operators into a confusion operator library, wherein the confusion operator library comprises the calculation logic of a plurality of second operators, and the calculation logic of each second operator corresponds to the name of one second operator in an anonymous state.
The above-described apparatus 30 for processing an artificial intelligence model may be understood by referring to the corresponding description of the foregoing method embodiment, and the detailed description will not be repeated here.
FIG. 10 is a schematic diagram of an apparatus for artificial intelligence model-based data processing according to an embodiment of the present application.
As shown in FIG. 10, one embodiment of an apparatus 40 for artificial intelligence model based data processing according to an embodiment of the present application includes:
the obtaining unit 401 is configured to obtain a second computational graph derived from the first computational graph of the artificial intelligence model, where the second computational graph is used to indicate the execution logic of the artificial intelligence model after confusion processing, and the second computational graph includes a plurality of second operators and the dependencies among the plurality of second operators, where the second operators are in an anonymous state.
And a receiving unit 402, configured to receive application data corresponding to the artificial intelligence model.
A processing unit 403, configured to process the application data received by the receiving unit 402 according to the second calculation map acquired by the acquiring unit 401.
In the embodiment of the application, the device acquires the model file in the confusion state so as to obtain the second calculation map, thereby ensuring the confidentiality of the AI model in the storage and transmission processes.
Optionally, the processing unit 403 is configured to generate a task sequence according to the second computation graph, where the task sequence indicates an execution order of the second operator in the second computation graph; and according to the task sequence, calling a corresponding second operator in the confusion operator library, and processing application data, wherein the confusion operator library comprises calculation logic of a plurality of second operators in the second calculation graph.
Optionally, the processing unit 403 is configured to restore the second computational graph to the first computational graph according to a logic function of a logic architecture for describing the artificial intelligence model; generating a task sequence according to the first calculation graph, wherein the task sequence indicates the execution sequence of a first operator in the first calculation graph; and calling a first operator corresponding to the original operator library corresponding to the first calculation graph according to the task sequence, and processing application data.
The above-described apparatus 40 for data processing based on an artificial intelligence model may be understood by referring to the corresponding description of the foregoing method embodiment, and a detailed description thereof will not be repeated here.
Fig. 11 is a schematic diagram of a possible logic structure of a computer device 50 according to an embodiment of the present application. The computer device 50 may be a device of the model owner or a device of the model user. The computer device 50 includes: a processor 501, a communication interface 502, a memory 503, and a bus 504. The processor 501, the communication interface 502 and the memory 503 are connected to each other via a bus 504. In an embodiment of the present application, the processor 501 is configured to control and manage the actions of the computer device 50, for example, the processor 501 is configured to perform the processes of obtaining the first computation graph, confusing the operators in the method embodiment of fig. 2 to 8, and the communication interface 502 is configured to support the computer device 50 to communicate. Memory 503 for storing program codes and data for computer device 50.
The processor 501 may be a central processing unit, a general purpose processor, a digital signal processor, an application specific integrated circuit, a field programmable gate array or other programmable logic device, a transistor logic device, a hardware component, or any combination thereof. It may implement or perform the various exemplary logic blocks, modules and circuits described in connection with this disclosure. The processor 501 may also be a combination that implements computing functionality, such as a combination comprising one or more microprocessors, or a digital signal processor together with a microprocessor. Bus 504 may be a peripheral component interconnect standard (Peripheral Component Interconnect, PCI) bus or an extended industry standard architecture (Extended Industry Standard Architecture, EISA) bus, among others. The buses may be divided into address buses, data buses, control buses, etc. For ease of illustration, only one thick line is shown in FIG. 11, but this does not mean that there is only one bus or only one type of bus.
In another embodiment of the present application, there is also provided a computer-readable storage medium having stored therein computer-executable instructions which, when executed by a processor of a device, perform the method of processing an artificial intelligence model of fig. 2 to 7 described above, or perform the method of processing data based on an artificial intelligence model of fig. 8 described above.
In another embodiment of the present application, there is also provided a computer program product comprising computer-executable instructions stored in a computer-readable storage medium; when the processor of the device executes the computer-executable instructions, the device performs the method of processing the artificial intelligence model of fig. 2-7 described above, or performs the method of data processing based on the artificial intelligence model of fig. 8 described above.
In another embodiment of the present application, there is also provided a chip system including a processor for implementing the method of processing an artificial intelligence model in fig. 2 to 7 described above or performing the method of data processing based on an artificial intelligence model in fig. 8 described above. In one possible design, the system on a chip may further include memory storing program instructions and data necessary for the means for inter-process communication. The chip system can be composed of chips, and can also comprise chips and other discrete devices.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the embodiments of the present application.
It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the above-described systems, apparatuses and units may refer to corresponding procedures in the foregoing method embodiments, and are not repeated herein.
In the embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other manners. For example, the apparatus embodiments described above are merely illustrative, e.g., the division of elements is merely a logical functional division, and there may be additional divisions of actual implementation, e.g., multiple elements or components may be combined or integrated into another system, or some features may be omitted, or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or units, which may be in electrical, mechanical or other form.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed over a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in each embodiment of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on such understanding, the technical solution of the embodiments of the present application may be embodied in essence or a part contributing to the prior art or a part of the technical solution, or in the form of a software product stored in a storage medium, including several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the methods of the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a random access Memory (Random Access Memory, RAM), a magnetic disk, or an optical disk, or other various media capable of storing program codes.
The foregoing is merely a specific implementation of the embodiment of the present application, but the protection scope of the embodiment of the present application is not limited thereto, and any person skilled in the art can easily think about changes or substitutions within the technical scope of the embodiment of the present application, and the changes or substitutions are covered by the protection scope of the embodiment of the present application. Therefore, the protection scope of the embodiments of the present application shall be subject to the protection scope of the claims.

Claims (20)

1. A method of processing an artificial intelligence model, comprising:
acquiring a first artificial intelligent model, wherein the first artificial intelligent model comprises a plurality of first operators and a dependency relationship among the plurality of first operators;
and carrying out confusion processing on the first artificial intelligent model to obtain a second artificial intelligent model, wherein the second artificial intelligent model comprises a plurality of second operators and dependency relations among the plurality of second operators, and the second operators are in an anonymous state.
2. The method of claim 1, wherein the computation logic of the second operator corresponds to a name of the second operator.
3. The method of claim 1, wherein the computation logic of the second operator comprises computation logic of the corresponding at least one first operator.
4. A method according to any one of claims 1-3, wherein said obfuscating the first artificial intelligence model to obtain a second artificial intelligence model comprises:
merging at least two first operators with a dependency relationship in the first artificial intelligent model into one operator;
anonymizing operators in the combined first artificial intelligence model to obtain the second artificial intelligence model.
5. The method according to any one of claims 1-3, wherein the obfuscation processing of the first artificial intelligence model to obtain the second artificial intelligence model comprises:
performing an augmentation operation on the first artificial intelligence model, the augmentation operation comprising: adding a dependency relationship among the plurality of first operators in the first artificial intelligence model; or adding an augmentation operator to the first artificial intelligence model and establishing a dependency relationship between the augmentation operator and at least one of the plurality of first operators, wherein the augmentation operator is an operator added during the obfuscation processing of the first artificial intelligence model; and
anonymizing the operators in the augmented first artificial intelligence model to obtain the second artificial intelligence model.
6. The method according to any one of claims 1-3, wherein the obfuscation processing of the first artificial intelligence model to obtain the second artificial intelligence model comprises:
merging at least two first operators that have a dependency relationship in the first artificial intelligence model into one operator;
performing an augmentation operation on the merged first artificial intelligence model, the augmentation operation comprising: adding a dependency relationship between operators in the merged first artificial intelligence model; or adding an augmentation operator to the merged first artificial intelligence model and establishing a dependency relationship between the augmentation operator and an operator in the merged first artificial intelligence model, wherein the augmentation operator is an operator added during the obfuscation processing of the first artificial intelligence model; and
anonymizing the operators in the augmented first artificial intelligence model to obtain the second artificial intelligence model.
7. The method according to any one of claims 1-3, wherein the obfuscation processing of the first artificial intelligence model to obtain the second artificial intelligence model comprises:
scrambling the weight of at least one first operator in the first artificial intelligence model, and anonymizing the operators of the scrambled first artificial intelligence model to obtain the second artificial intelligence model.
8. The method of any one of claims 4-6, wherein obtaining the second artificial intelligence model further comprises:
scrambling the weight of an operator in the anonymized first artificial intelligence model.
9. The method of any one of claims 4-8, wherein the anonymous names of different operators of the same type in the second artificial intelligence model contain the same anonymous symbol.
10. The method according to claim 5 or 6, characterized in that the method further comprises:
performing at least one of the following operations on the basis of the computation logic of at least one first operator, so as to obtain the computation logic of a second operator derived from the at least one first operator: modifying an entry or an exit of the computation logic of the corresponding operator according to the dependency relationship added to the first artificial intelligence model; and adding obfuscation code to the code of an operator of the augmented first artificial intelligence model; and
adding the obtained computation logic of the second operators and the obtained names of the second operators to an obfuscated operator library, wherein the obfuscated operator library comprises the computation logic of the plurality of second operators, and the computation logic of each of the plurality of second operators corresponds to the name of one second operator in an anonymous state.
11. The method according to claim 7 or 8, characterized in that the method further comprises:
adding, on the basis of the computation logic of at least one first operator, code for eliminating the weight disturbance to the code of the operator whose weight has been scrambled, so as to obtain the computation logic of a second operator derived from the at least one first operator; and
adding the obtained computation logic of the second operators and the obtained names of the second operators to an obfuscated operator library, wherein the obfuscated operator library comprises the computation logic of the plurality of second operators, and the computation logic of each of the plurality of second operators corresponds to the name of one second operator in an anonymous state.
12. A method of artificial intelligence model-based data processing, comprising:
acquiring a second artificial intelligence model of the artificial intelligence model, wherein the second artificial intelligence model comprises a plurality of second operators and dependency relationships among the plurality of second operators, and the second operators are in an anonymous state;
receiving application data corresponding to the artificial intelligence model; and
processing the application data according to the second artificial intelligence model.
13. The method of claim 12, wherein processing the application data according to the second artificial intelligence model comprises:
generating a task sequence according to the second artificial intelligence model, wherein the task sequence indicates the execution order of the second operators in the second artificial intelligence model; and
invoking, according to the task sequence, the computation logic of the corresponding second operators in an obfuscated operator library, and processing the application data, wherein the obfuscated operator library comprises the computation logic of the plurality of second operators in the second artificial intelligence model.
14. The method of claim 12, wherein processing the application data according to the second artificial intelligence model comprises:
restoring the second artificial intelligence model to the first artificial intelligence model according to the logical architecture of the artificial intelligence model, wherein the first artificial intelligence model is the original execution-logic graph of the artificial intelligence model;
generating a task sequence according to the first artificial intelligence model, wherein the task sequence indicates the execution order of the first operators in the first artificial intelligence model; and
invoking, according to the task sequence, the computation logic of the corresponding first operators from the original operator library corresponding to the first artificial intelligence model, and processing the application data.
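The obfuscation pipeline of claims 4-11 and the execution path of claim 13, worked through on a four-operator toy graph. This is an added example written for this page, not code from the patent or from Huawei. The operator types, the constructed weights, the seed string, the XOR-mask form of the weight disturbance and the decoy-entry treatment of the augmentation operator are all assumptions chosen to make the claim language concrete: merging composes two operators' computation logic into one; augmentation adds an operator and an extra dependency edge, and the consumer's entry is modified to ignore it (claim 10); weight scrambling stores a disturbed weight in the model while the operator's own code removes the disturbance (claim 11); anonymization replaces semantic names so that operators of the same type share a symbol (claim 9) and splits the result into a second model (names, dependencies, weights) and an obfuscated operator library (anonymous name to computation logic).

```python
import hashlib
import random
import struct
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

Vec = List[float]
Logic = Callable[..., Vec]                  # logic(weight, *input_vectors) -> output vector

@dataclass
class Operator:
    op_type: str                            # semantic type; used by the obfuscator only
    inputs: List[str]                       # dependency relationships: names of producer operators
    logic: Optional[Logic]                  # computation logic; None in the exported second model
    weight: Vec = field(default_factory=list)

Graph = Dict[str, Operator]                 # operator name -> operator; "x" denotes the model input

def linear(w: Vec, x: Vec) -> Vec:          # toy elementwise "linear" layer, so no numpy is needed
    return [wi * xi for wi, xi in zip(w, x)]
def relu(_w: Vec, x: Vec) -> Vec:
    return [max(0.0, v) for v in x]
def add(_w: Vec, a: Vec, b: Vec) -> Vec:
    return [u + v for u, v in zip(a, b)]

def first_model() -> Graph:
    """Constructed first model with semantic names: out = relu(fc1(x)) + fc2(x)."""
    return {"fc1": Operator("linear", ["x"], linear, [2.0, -1.0, 0.5]),
            "act1": Operator("relu", ["fc1"], relu),
            "fc2": Operator("linear", ["x"], linear, [1.0, 1.0, 1.0]),
            "out": Operator("add", ["act1", "fc2"], add)}

def merge(g: Graph, first: str, second: str) -> None:
    """Claim 4: fold `second` into its sole producer `first`, which must have no other consumer."""
    a, b = g[first], g[second]
    assert b.inputs == [first] and not any(first in o.inputs for n, o in g.items() if n != second)
    g[second] = Operator(f"{a.op_type}|{b.op_type}", a.inputs,
                         lambda w, *xs: b.logic(b.weight, a.logic(w, *xs)), a.weight)
    del g[first]

def augment(g: Graph, src: str, dst: str, aug_name: str) -> None:
    """Claims 5 and 10: add an augmentation operator fed by `src`, wire it into `dst` as an extra
    entry, and modify `dst`'s computation logic so that the decoy entry is ignored."""
    g[aug_name] = Operator("aug", [src], lambda _w, x: [0.5 * v for v in x])
    d = g[dst]
    g[dst] = Operator(d.op_type, d.inputs + [aug_name], lambda w, *xs: d.logic(w, *xs[:-1]), d.weight)

def xor_weights(w: Vec, seed: str) -> Vec:
    """Weight disturbance: XOR the 52 mantissa bits of each weight with a seed-derived mask. The exponent
    is untouched so the stored value stays finite, and a second application restores W bit-for-bit.
    Assumption: the seed is embedded only in the operator library code, never in the model file."""
    rnd = random.Random(int.from_bytes(hashlib.sha256(seed.encode()).digest(), "big"))
    bits = [struct.unpack("<Q", struct.pack("<d", wi))[0] ^ rnd.getrandbits(52) for wi in w]
    return [struct.unpack("<d", struct.pack("<Q", b))[0] for b in bits]

def scramble_weight(g: Graph, name: str, seed: str) -> None:
    """Claims 7 and 11: the model stores the disturbed weight; the operator's code removes the disturbance."""
    o = g[name]
    g[name] = Operator(o.op_type, o.inputs, lambda w, *xs: o.logic(xor_weights(w, seed), *xs),
                       xor_weights(o.weight, seed))

def anonymize(g: Graph, salt: str) -> Tuple[Graph, Dict[str, Logic], Dict[str, str]]:
    """Claims 1 and 9: anonymous names (same type -> same symbol), then split into the second model
    (names, dependencies, weights) and the obfuscated operator library (anonymous name -> logic)."""
    def symbol(op_type: str) -> str:
        return hashlib.sha256((salt + op_type).encode()).hexdigest()[:4]
    rename = {"x": "x", **{n: f"{symbol(o.op_type)}_{i}" for i, (n, o) in enumerate(g.items())}}
    second = {rename[n]: Operator("", [rename[p] for p in o.inputs], None, o.weight) for n, o in g.items()}
    return second, {rename[n]: o.logic for n, o in g.items()}, rename

def obfuscate(g: Graph, seed: str) -> Tuple[Graph, Dict[str, Logic], Dict[str, str]]:
    """Claims 4-7 applied to the demo graph: merge, augment, scramble, then anonymize."""
    g = dict(g)                             # operators are replaced, never mutated, so a shallow copy suffices
    merge(g, "fc1", "act1")
    augment(g, "fc2", "act1", "aug0")       # the merged operator now appears to depend on fc2 as well
    scramble_weight(g, "act1", seed)
    return anonymize(g, seed)

def task_sequence(g: Graph) -> List[str]:
    """Claim 13: a topological order of the dependency graph is the operator execution order."""
    order: List[str] = []
    def visit(n: str) -> None:
        if n != "x" and n not in order:
            for p in g[n].inputs:
                visit(p)
            order.append(n)
    for n in g:
        visit(n)
    return order

def run(g: Graph, library: Dict[str, Logic], x: Vec, output: str) -> Vec:
    """Claim 13: execute the task sequence, fetching each operator's logic from the library by name."""
    vals = {"x": x}
    for n in task_sequence(g):
        vals[n] = library[n](g[n].weight, *(vals[p] for p in g[n].inputs))
    return vals[output]

def demo(x: Vec) -> Tuple[Vec, Vec, Graph]:
    """Same input through the first model and through its obfuscated second model."""
    first = first_model()
    y1 = run(first, {n: o.logic for n, o in first.items()}, x, "out")
    second, library, rename = obfuscate(first, "demo-secret-seed")
    return y1, run(second, library, x, rename["out"]), second
```

`demo([1.0, 2.0, 3.0])` returns the same output from both models while the second model contains no name from the original graph, a different operator count, and a stored weight that is not the trained one. Two points a practitioner should take from this. First, the disturbance removal must be bit-exact: an additive float perturbation that is later subtracted can leave rounding residue and change inference results, which is why the mask above works on the IEEE-754 bit pattern rather than on the value. Second, the scheme moves the secrets (the mask seed, which entries are decoys, how merged operators decompose) out of the model file and into the operator library, so the confidentiality of the model in storage and transit now rests on the confidentiality of that library's code; this is obfuscation rather than encryption, and whoever can read the library can invert it.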
15. A computer readable storage medium, on which a computer program is stored, which computer program, when being executed by a processor, implements the method according to any of claims 1-11.
16. A computer readable storage medium, on which a computer program is stored, which computer program, when being executed by a processor, implements the method according to any of claims 12-14.
17. A computing device comprising a processor and a computer-readable storage medium storing a computer program;
the processor being coupled to the computer readable storage medium, the computer program, when executed by the processor, implementing the method according to any of claims 1-11.
18. A computing device comprising a processor and a computer-readable storage medium storing a computer program;
the processor being coupled to the computer readable storage medium, the computer program, when executed by the processor, implementing the method according to any of claims 12-14.
19. A system on a chip comprising a processor, the processor being invoked to perform the method of any one of claims 1-11.
20. A system on a chip comprising a processor, the processor being invoked to perform the method of any one of claims 12-14.
CN202311017588.7A 2020-09-15 2020-09-15 Method for processing artificial intelligent model, and method and device for processing data Pending CN117216732A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311017588.7A CN117216732A (en) 2020-09-15 2020-09-15 Method for processing artificial intelligent model, and method and device for processing data

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202010970794.XA CN114266336B (en) 2020-09-15 2020-09-15 Method for processing artificial intelligent model, and method and device for processing data
CN202311017588.7A CN117216732A (en) 2020-09-15 2020-09-15 Method for processing artificial intelligent model, and method and device for processing data

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
CN202010970794.XA Division CN114266336B (en) 2020-09-15 2020-09-15 Method for processing artificial intelligent model, and method and device for processing data

Publications (1)

Publication Number Publication Date
CN117216732A true CN117216732A (en) 2023-12-12

Family

ID=80824085

Family Applications (3)

Application Number Title Priority Date Filing Date
CN202311017176.3A Pending CN117216731A (en) 2020-09-15 2020-09-15 Method for processing artificial intelligent model, and method and device for processing data
CN202010970794.XA Active CN114266336B (en) 2020-09-15 2020-09-15 Method for processing artificial intelligent model, and method and device for processing data
CN202311017588.7A Pending CN117216732A (en) 2020-09-15 2020-09-15 Method for processing artificial intelligent model, and method and device for processing data

Family Applications Before (2)

Application Number Title Priority Date Filing Date
CN202311017176.3A Pending CN117216731A (en) 2020-09-15 2020-09-15 Method for processing artificial intelligent model, and method and device for processing data
CN202010970794.XA Active CN114266336B (en) 2020-09-15 2020-09-15 Method for processing artificial intelligent model, and method and device for processing data

Country Status (1)

Country Link
CN (3) CN117216731A (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2024040378A1 (en) * 2022-08-22 2024-02-29 Apple Inc. Ai/ml model management and activation/deactivation
CN115659169A (en) * 2022-09-20 2023-01-31 华为技术有限公司 Model processing method, model-based data processing method and related device

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7454323B1 (en) * 2003-08-22 2008-11-18 Altera Corporation Method for creation of secure simulation models
CN111125727B (en) * 2019-12-03 2021-05-14 支付宝(杭州)信息技术有限公司 Confusion circuit generation method, prediction result determination method, device and electronic equipment
CN111045688A (en) * 2019-12-06 2020-04-21 支付宝(杭州)信息技术有限公司 Method and system for model safe deployment and prediction
CN111259432B (en) * 2020-02-18 2023-09-12 瑞芯微电子股份有限公司 Model data protection method and readable computer storage medium

Also Published As

Publication number Publication date
CN114266336A (en) 2022-04-01
CN117216731A (en) 2023-12-12
CN114266336B (en) 2023-07-14

Similar Documents

Publication Publication Date Title
CN105224869B (en) Assembly test method and device
EP2897074B1 (en) Application code obfuscation device based on self-conversion and method therefor
CN111552931A (en) Method and system for adding shell of java code
CN114266336B (en) Method for processing artificial intelligent model, and method and device for processing data
CN105408912A (en) Process authentication and resource permissions
CN111433775A (en) Security enhancement method and electronic device thereof
CN108399319A (en) Source code guard method, application server and computer readable storage medium
CN108614969B (en) Mandatory access control method and system for loading after system startup
US20230073638A1 (en) Local data classification based on a remote service interface
EP1434121A2 (en) Techniques for implementing security on a small footprint device using a context barrier
CN114207637A (en) Machine learning with feature obfuscation
CN109657177A (en) The generation method of the page, device, storage medium and computer equipment after upgrading
CN106169042A (en) The method and device of administration authority
US20200026859A1 (en) Methods and systems for system call reduction
CN113342918B (en) Forest resource one-image quality inspection logic rule updating method and system and cloud platform
WO2024061052A1 (en) Model processing method and device, and model-based data processing method and device
CN108985096B (en) Security enhancement and security operation method and device for Android SQLite database
CN106547543A (en) Data processing method and system based on SharedPreferences instruments
US11443058B2 (en) Processing requests at a remote service to implement local data classification
CN116340989A (en) Data desensitization method and device, electronic equipment and storage medium
CN114817937A (en) Keyboard encryption method, device, storage medium and computer program product
US20190347385A1 (en) Security methods and systems by code mutation
Prehofer et al. Tapps-trusted apps for open cyber-physical systems
CN111562916B (en) Method and device for sharing algorithm
CN113268736A (en) Information processing method and device and electronic equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination