JP2019101807A - Device, secure element, program, information processing system, and information processing method - Google Patents

Abstract

To provide a device or the like capable of safely executing processing using machine learning results.SOLUTION: A device 1 includes an execution unit configured to execute arithmetic processing and, as a component that is more secure than the execution unit, a secure unit configured to store parameters for developing a learned model generated by machine learning. The execution unit acquires the parameters from the secure unit, develops the learned model in a memory on the basis of the acquired parameters, and executes arithmetic processing on the basis of the developed learned model.SELECTED DRAWING: Figure 1

Description

  The present invention relates to a device, a secure element, a program, an information processing system, and an information processing method.

  In recent years, IoT (Internet of Things) technology has rapidly spread and various devices are connected to the Internet. On the other hand, with the expansion of devices connected to the Internet, security problems resulting from device vulnerabilities have become apparent.

  In addition, interest in machine learning represented by deep learning as well as IoT is increasing. Along with this, machine learning technology is applied to cloud computing related to IoT, the cloud server which is a data center performs machine learning, builds a learned model, provides learning results to the IoT device, and performs various processing A system to perform is being studied (for example, Patent Document 1).

  On the other hand, in cloud computing where all data and functions are integrated on the cloud, there is a problem that latency (processing speed) delay can not be avoided because the communication distance between the user and the cloud server becomes long. is there. In order to address this problem, edge computing technology that shortens the communication distance and improves latency has attracted attention by performing a part of the processing performed by the cloud server on the client side closer to the user.

  Attention has also been drawn to the complementation of machine learning and edge computing described above. That is, by delegating a part of the machine learning operation to the IoT device which is the client, it is an idea that the operation result is transmitted to the user earlier than in cloud computing. For example, a cloud server performs machine learning and distributes learning results to an IoT device, and the IoT device develops a learned model, which is a learning result, on a memory, and executes various processes based on the learned model.

Unexamined-Japanese-Patent No. 2017-142654

  However, as described above, it is predicted from the security problem in the IoT device that a problem such as theft or imitation by a third party of the learned model developed on the device will be apparent.

  In one aspect, it is an object of the present invention to provide a device or the like capable of safely executing processing using machine learning results.

  A device according to one aspect is an execution unit that executes arithmetic processing, and a secure unit that is a component that is more secure than the execution unit and that stores parameters for developing a learned model generated by machine learning. And the execution unit acquires the parameter from the secure unit, expands the learned model on a memory based on the acquired parameter, and executes arithmetic processing based on the expanded learned model. It is characterized by

  A secure element according to one aspect is a secure element mounted on a device, wherein the storage unit stores parameters necessary for developing a learned model generated by machine learning, and the learned model is stored in a memory. The device body is characterized by comprising: an output unit that outputs the parameter with respect to a device body that is developed on top and that executes arithmetic processing based on the learned model.

  A program according to one aspect is a computer equipped with a secure element, which acquires the parameter from the secure element storing the parameter for expanding a learned model generated by machine learning, and acquires the acquired parameter Based on the learning model, the learning model is expanded, and a process of performing an operation based on the expanded learning model is executed.

  A program according to one aspect stores in a computer a parameter for deploying a learned model generated by machine learning in a trusted execution environment that is more secure than an execution environment that executes arithmetic processing based on the learned model. And acquiring the parameter from the trusted execution environment, expanding the learned model in the execution environment based on the acquired parameter, and executing a process to perform an operation based on the expanded learned model. It features.

  An information processing system according to one aspect is an information processing system including a device and a management apparatus that manages an operation state of the device, wherein the device is an execution unit that executes arithmetic processing, and the execution unit. And a secure unit that stores a parameter for expanding a learned model generated by machine learning, and the execution unit acquires the parameter from the secure unit and acquires the parameter. Based on the parameters, the learned model is expanded on a memory, and arithmetic processing is performed based on the expanded learned model, and the management apparatus is configured to, from the secure unit, execute the device based on the learned model. An operation status acquisition unit for acquiring information on an operation status, identification information of the device, and information on the operation status, Characterized in that it comprises a storage unit that stores in association with the serial identifier.

  An information processing method according to one aspect includes an execution unit that executes arithmetic processing and a component that is more secure than the execution unit and that stores parameters for expanding a learned model generated by machine learning. And the execution unit acquires the parameter from the secure unit, and the learning model is expanded on a memory based on the acquired parameter, and the learning model is expanded based on the expanded model. A feature of the present invention is to execute a process of performing an operation.

  In one aspect, processing using machine learning results can be performed safely.

It is a block diagram showing an example of composition of an IoT system. It is explanatory drawing regarding expansion processing of an inference model. It is explanatory drawing regarding the basic structure of an inference model. It is an explanatory view about application processing of a learning parameter. It is a flowchart which shows an example of the process sequence of an inference model expansion | deployment process. It is a flowchart which shows an example of the process sequence of an inference process. It is explanatory drawing which shows an example of the record layout of operation management DB. It is explanatory drawing regarding a verification process. It is a flow chart which shows an example of processing procedure of verification processing. It is explanatory drawing regarding an update process. It is a flowchart which shows an example of the process sequence of an update process. FIG. 21 is an explanatory diagram for describing an update process according to a fourth embodiment. 21 is a flowchart illustrating an example of a processing procedure of update processing according to the fourth embodiment. It is a functional block diagram which shows operation | movement of the IoT system of the form mentioned above.

Hereinafter, the present invention will be described in detail based on the drawings showing the embodiments.
Embodiment 1
FIG. 1 is a block diagram showing an example of the configuration of an IoT system. In the present embodiment, an inference process is performed in which an inference model 121, which is a product of machine learning, is installed in a device 1 as an IoT terminal, and the device 1 infers appropriate output data from input data using the inference model 121. Describe the form in which In the present specification, “inference” is used as a term representing the whole process using machine learning results, and “inference model” is used as a term representing a learned model generated by machine learning.

  The IoT system has a device 1 and a server 3. The device 1 is an electronic device connected to the network N which is the Internet, and is, for example, various devices such as a monitoring camera, an ECU (Electronic Control Unit) mounted on a vehicle, and an abnormality monitoring device for production facilities and infrastructure facilities. obtain. In the present embodiment, the device 1 is described as a surveillance camera.

  The server 3 is a management device that manages the operation status of the device 1 and is communicably connected to the device 1 via the network N. In the present embodiment, the server 3 performs machine learning to generate the inference model 121, and distributes data of the generated inference model 121 (the latest model parameter 341 shown in FIG. 1) to the device 1. The device 1 develops the inference model 121 on the memory of the own device based on the data and performs inference processing. For example, when the device 1 is a surveillance camera, the device 1 infers (estimates) what object is included in the captured image, and notifies the server 3 or the like of the inference result.

  Also, the server 3 collects data on the operation status of the device 1 based on the inference model 121, and manages the operation status of the device 1 on a database. In the present embodiment, the processing on the device 1 side will be described, and the processing content of the server 3 will be described in detail in the second and subsequent embodiments.

  The device 1 has a device body 10 and a secure element (secure unit) 20. The device body 10 is a body portion of the device 1 configured by a SoC (System on Chip) and implementing many or all of the functions of the device 1. The secure element 20 is hardware physically or logically separated from the device body 10, and is a chip having tamper resistance against external attacks. The secure element 20 has a non-volatile memory inside, and securely stores data. The secure element 20 may be configured to be removable from the device 1 like a universal integrated circuit card (UICC). The device body 10 and the secure element 20 are mutually connected by a standard such as, for example, ISO (International Organization Standardization) 7816, SPI (Serial Peripheral Interface).

The device body 10 includes a control unit 11, a storage unit 12, an input / output I / F 13, a communication unit 14, an input unit 15, and an imaging unit 16.
The control unit 11 includes an arithmetic processing unit such as one or more central processing units (CPUs), a micro-processing unit (MPU), and a graphics processing unit (GPU), and reads out the program P1 stored in the storage unit 12 By performing the processing, various information processing and control processing related to the device 1 are performed. The storage unit 12 includes a random access memory (RAM), a read only memory (ROM), and the like, and stores a program P1 necessary for the control unit 11 to execute arithmetic processing and other data. In addition, the storage unit 12 stores an inference model 121 constructed based on the inference model parameters 241 stored in the secure element 20, as described later.

  The input / output I / F 13 is an interface for performing input and output of information with the secure element 20, and as described above, performs input and output of information according to a standard such as ISO 7816 and SPI. The communication unit 14 includes a processing circuit for performing processing related to Internet communication, an antenna, and the like, and transmits and receives information with the server 3 and the like through the network N. The input unit 15 is an input interface that receives an input of information from the user, and may be in various forms such as a mechanical key, a touch panel, a voice input microphone, or the like according to the type of the device 1. The imaging unit 16 is an imaging mechanism having a Complementary Metal Oxide Semiconductor (CMOS) sensor or the like, and captures an image.

The secure element 20 includes a reading unit 21, an authentication unit 22, an input / output I / F 23, and a storage unit 24.
The reading unit 21 reads data from the storage unit 24 and outputs the data to the device body 10. The authentication unit 22 confirms authentication information input from the device main body 10 as described later. The input / output I / F 23 performs data input / output with the input / output I / F 13 of the device body 10. The storage unit 24 is a non-volatile memory, and stores inference model parameters 241 necessary for the device body 10 to expand the inference model 121 as described later.

The server 3 includes a control unit 31, a main storage unit 32, a communication unit 33, and an auxiliary storage unit 34.
The control unit 31 includes arithmetic devices such as one or more CPUs and MPUs, and performs various information processing and control processes related to the server 3. The main storage unit 32 is a volatile memory such as a RAM, and temporarily stores data necessary for the control unit 31 to execute processing. The communication unit 33 includes a processing circuit that performs processing related to communication, and communicates with the device 1 and the like via the network N.

  The auxiliary storage unit 34 is a large capacity memory, a hard disk or the like, and stores a program P2 necessary for the server 3 to perform processing and other data. Further, the auxiliary storage unit 34 stores the latest model parameter 341 and the operation management DB 342. The latest model parameter 341 is data of the latest inference model 121 distributed to the device 1, and is a parameter necessary for the device 1 to deploy the inference model 121. The operation management DB 342 is a database that manages the operation status of the device 1.

  The auxiliary storage unit 34 may be an external storage device connected to the server 3. Also, the server 3 may be a multi server consisting of a plurality of computers, or may be a virtual machine virtually constructed by software.

FIG. 2 is an explanatory diagram of expansion processing of the inference model 121. As shown in FIG. FIG. 2 conceptually illustrates how the device body 10 reads the inference model parameter 241 from the secure element 20 and develops the inference model 121 on the memory based on the parameter.
As described above, the secure element 20 stores the inference model parameter 241 for expanding the inference model 121 generated by machine learning in the storage unit 24. In the present embodiment, the inference model 121 is described as a neural network generated by deep learning. Note that the machine learning algorithm is not limited to deep learning, and may be, for example, regression method, decision tree learning, Bayesian method, clustering, etc. Further, if the inference model 121 is limited to a neural network Instead, they may be linear models, decision trees, Bayesian networks, etc.

  For example, the server 3 periodically updates (learns) the inference model 121 and distributes the latest model parameter 341 to the device 1. The device 1 stores the latest model parameter 341 distributed from the server 3 in the secure element 20 as the inference model parameter 241. The machine learning may be performed mainly by the server 3 that is the distribution source of the parameter, or another computer may perform machine learning and store the learning result in the server 3.

  The inference model parameter 241 is a data group including a hyper parameter 241a, a learning parameter 241b, and version information 241c. The hyper parameter 241 a is a setting value manually set to cause the computer to perform machine learning, and is a parameter that can uniquely identify the basic structure of the inference model 121. For example, when the inference model 121 is a neural network, the hyperparameters 241a are used for the number of inputs input to each neuron layer, the number of outputs output from each neuron layer, interlayer connection between neurons, and arithmetic processing of each neuron Information indicating an activation function or the like.

The learning parameter 241 b is a learning value learned by a computer by machine learning under the network structure defined by the hyper parameter 241 a. For example, when the inference model 121 is a neural network, the learning parameter 241 b is a parameter such as a weighting coefficient or bias value of each neuron. The server 3 receives the input of the teacher data with the correct value, and learns the learning parameter 241 b to be applied to each neuron.
Machine learning may be unsupervised learning, semi-supervised learning, or the like. The machine learning may be reinforcement learning, and in this case, the inference model parameter 241 may be a Q value (Q (s, a); s is a state, a is an action).

  The version information 241 c is information indicating the number of versions of the inference model 121. As described above, the server 3 periodically updates the inference model 121 and distributes the latest model parameters 341. The version information 241 c indicates the number of versions according to the update.

The processing processes indicated by reference numerals P1 to P8 in FIG. 2 will be described in order. It is assumed that the inference model 121 is not developed in the device body 10 at the initial stage.
The control unit 11 of the device body 10 requests the secure element 20 to read out the inference model parameter 241 (P1), for example, at the time of activation of the device 1, or at the start of operation of the application involving inference.

  When a read request is received, the read unit 21 of the secure element 20 first performs operator authentication to determine whether the read request is valid. The reading unit 21 requests the authenticating unit 22 to confirm the authentication information necessary for authenticating the operator (the user of the device 1 or the like) (P2). When the request is received, the authentication unit 22 requests the device body 10 to output the authentication information (P3).

  When the output request for the authentication information is received, the control unit 11 of the device body 10 outputs the authentication information to the secure element 20 (P4). The authentication information is, for example, a PIN (Personal Identification Number) code input via the input unit 15, a password, biometric information and the like. The authentication information is not limited to these, as long as the legitimacy of the operator can be appropriately confirmed. The authentication unit 22 performs authentication based on the authentication information.

  If the authentication fails, the secure element 20 does not output the inference model parameter 241 and ends the series of processes. If the authentication is successful, the authentication unit 22 holds that the authentication is completed in the secure element 20 and notifies the device body 10 that the authentication is completed.

  When the notification of the authentication completion is received, the control unit 11 of the device main body 10 makes a read request of the parameter again (P5). When the reading request is received, the reading unit 21 of the secure element 20 reads the inference model parameter 241 from the storage unit 24 (P6). The reading unit 21 outputs the read parameter to the device body 10 (P7).

  The control unit 11 of the device body 10 deploys the inference model 121 on the memory based on the parameters acquired from the secure element 20 (P8). Specifically, as described below, the control unit 11 determines the basic structure of the neural network based on the hyper parameter 241a of the inference model parameters 241, and determines each neuron of the neural network whose basic structure has been determined. The inference model 121 is developed by applying the learning parameter 241 b to the above.

  FIG. 3 is an explanatory diagram of the basic structure of the inference model 121. As shown in FIG. FIG. 3 conceptually illustrates how the basic structure of the neural network is determined based on the hyper parameter 241a. The hyper parameter 241 a is data defining the number of inputs, the number of outputs, interlayer coupling and the like of each neuron layer, and is defined so as to uniquely identify the structure for each neuron layer.

  In the example of FIG. 3, since the number of inputs of the 0th layer (input layer) is defined as “3”, the control unit 11 of the device body 10 assumes input values x0 to x2. Further, since the number of outputs of the zeroth layer is “3”, the control unit 11 arranges three neurons. Further, since the interlayer coupling is “all coupling”, the control unit 11 inputs the output value of all neurons in the zeroth layer to all neurons in the next layer (first layer). Furthermore, since the activation function of the 0th layer is defined by ReLU (Rectified Linear Unit), the control unit 11 calculates the output value using the ReLU function in each neuron of the 0th layer.

  Likewise, the control unit 11 determines the structure in each neuron layer in the same manner. The control unit 11 thereby determines the basic structure of the neural network from the input to the output as shown in FIG.

FIG. 4 is an explanatory diagram of an application process of the learning parameter 241b. FIG. 4 illustrates how the learning parameters 241b according to the machine learning result are applied to the basic structure of the neural network shown in FIG.
For example, in the secure element 20, learning parameters 241b to be applied to each neuron layer are held corresponding to the 0th to 3rd neuron layers defined by the hyper parameter 241a. Specifically, the secure element 20 stores parameters such as weighting factors and bias values to be applied to each neuron, and the control unit 11 applies the parameters to each neuron.

  In the tables of FIG. 2 and FIG. 4, the value of the table portion indicated by “from / to” corresponds to the weighting factor. Note that "from" indicates input values x0 to x2 as input sources, or neurons in the anterior layer, and "to" indicates neurons to be input targets. For example, in the 0th layer, when (from, to) = (0, 0), the value in the table is 0.1. This value indicates the weighting factor when the 0th input (x0) is input to the 0th neuron. Therefore, the control unit 11 calculates the weight when the input value x0 is input to the zeroth neuron as 0.1. Likewise, the control unit 11 sets the weight when the input value x0 is input to the first neuron to 0.2 and the weight when the input value x0 is input to the second neuron. The weight when the input value x1 is input to the 0-th neuron is set to 0.1,.

  Also, “bias” in the tables of FIG. 2 and FIG. 4 indicates a bias value to be applied to the input value after multiplication of the weighting coefficient in each neuron. For example, the bias values in the zeroth layer are all 0.6. Therefore, the control unit 11 sets a bias value of 0.6 for each neuron in the zeroth layer.

  Likewise, the control unit 11 also sets weighting coefficients and bias values for the first to third neuron layers. Thus, the control unit 11 develops a learning parameter throughout the network, and generates a neural network that calculates output values y0 to y2 from input values x0 to x2.

  The device body 10 performs predetermined inference processing using the inference model 121 (neural network) developed as described above. Although detailed illustration and description are omitted, for example, when the device 1 is a surveillance camera, the device body 10 acquires an image captured by the imaging unit 16 as input data, and inputs the input data to the inference model 121. , And perform processing of estimating (inferring) an object included in the image. The device body 10 inputs values such as chromaticity and luminance of each pixel of the captured image as input values into the inference model 121, and calculates output values. For example, the output value is a value indicating the probability that the object included in the image is a specific object for which the feature amount has been learned at the time of machine learning. The device body 10 outputs the output value to the server 3 or another device. For example, when the suspicious object is specified from the image, the device body 10 notifies that the suspicious object has been found.

  As described above, the device 1 stores the inference model parameter 241 in the secure element 20 physically or logically separated from the device body 10, reads out the inference model parameter 241 from the secure element 20, and performs inference Expand the model 121. By holding the inference model parameter 241 in a more secure component than the device body 10, the possibility of theft, imitation, etc. of the inference model 121 by a third party can be reduced.

  Although the device 1 reads out both the hyper parameter 241 a and the learning parameter 241 b from the secure element 20 and develops the inference model 121 in the above, the present embodiment is not limited to this. For example, the device 1 holds the hyper parameter 241 a in the device body 10 and stores the learning parameter 241 b in the secure element 20, and the device body 10 reads out only the learning parameter 241 b from the secure element 20. May be expanded. As described above, only part of the inference model parameters 241 may be stored in the secure element 20.

FIG. 5 is a flowchart showing an example of the procedure of inference model expansion processing. The processing content which the device 1 executes will be described based on FIG.
For example, the device 1 executes the following processing at a predetermined timing, such as when the device 1 is activated or when an application involving inference processing is activated. The control unit 11 of the device body 10 requests the secure element 20 holding parameters necessary for developing the inference model 121 to read the parameters (step S11). As described above, the secure element 20 is a chip having tamper resistance, is physically separated from the device body 10, and securely holds parameters for the inference model.

  When receiving the parameter read request from the device body 10, the secure element 20 requests the device body 10 to output authentication information required for operator authentication (step S12). When receiving the output request of the authentication information, the control unit 11 of the device main body 10 receives the input of the authentication information through the input unit 15, and outputs the input to the secure element 20 (step S13). The authentication information is, for example, a PIN code, a password, biometric information, etc., but may be any information that can properly confirm the legitimacy of the operator.

  The secure element 20 performs operator authentication based on the authentication information (step S14). The secure element 20 determines whether the operator authentication is successful (step S15). If the authentication fails (S15: NO), the secure element 20 does not read the parameter and ends the series of processes. If the authentication is successful (S15: YES), the secure element 20 reads out the inference model parameter 241 from the storage unit 24 (step S16). For example, when the inference model 121 is a neural network generated by deep learning, the secure element 20 reads out hyper parameters 241 a defining the basic structure of the neural network and learning parameters 241 b applied to each neuron layer. The secure element 20 outputs the read parameter to the device body 10 (step S17).

  When receiving the output of the parameter from the secure element 20, the control unit 11 of the device body 10 develops the inference model 121 in the storage unit 12 based on the parameter (step S18). Specifically, the control unit 11 constructs a neural network according to the hyper parameter 241 a, applies the learning parameter 241 b to each neuron, and develops the inference model 121. The control unit 11 ends the series of processes.

FIG. 6 is a flowchart showing an example of the procedure of the inference process. The processing content of the inference processing performed by the device 1 will be described based on FIG.
The control unit 11 of the device body 10 acquires input data to be input to the inference model 121 (step S21). For example, when the device 1 is a surveillance camera, the imaging unit 16 of the device 1 captures an image. The control unit 11 acquires the captured image as input data. As a matter of course, the input data differs depending on the type of the device 1, and may be, for example, a parameter detected by the sensing device, text data, voice data or the like.

  The control unit 11 inputs the input data to the inference model 121, calculates an output value, and executes an inference process of inferring optimal output data from the input data (step S22). For example, the control unit 11 inputs each pixel data in the captured image as an input value to the inference model 121, and calculates the probability that the object included in the image is a specific object as an output value, thereby including the pixel in the captured image. Estimate the inferred object. The control unit 11 outputs the inference result (calculation result) (step S23), and ends the series of processing.

  In the above, the device 1 has the secure element 20 separated in hardware from the device body 10, and the inference model parameter 241 is stored in the secure element 20, but the embodiment is limited to this. It is not something to be done. For example, device 1 prepares a trusted execution environment (TEE; Trusted Execution Environment) separated in software from a normal execution environment (so-called REE; Rich Execution Environment) that realizes the basic functions of device 1; The inference model parameters 241 may be stored in the execution environment. That is, the device 1 constructs a virtual area that can not be recognized from a general-purpose OS and an execution environment for executing an application, and stores the inference model parameter 241 in the area. The device 1 reads parameters from the trusted execution environment, develops the inference model 121 in the normal execution environment, and performs an operation related to inference processing. Since it can not be recognized from the normal execution environment, the inference model parameter 241 can be safely stored even by the configuration.

  As described above, the device 1 includes a component (executing unit) that performs basic, general-purpose arithmetic processing and a component that is more secure than the component, and the former reads the parameters from the latter and stores the inference model 121 as a memory. It is sufficient if it can be expanded above and inference processing can be performed. The secure component may be a tamper-resistant secure element 20, or may be a secure virtual area different from a normal execution environment, such as a trusted execution environment.

  As described above, according to the first embodiment, the device 1 stores the inference model parameter 241 in a secure component, acquires the parameter from the secure component, and develops the inference model 121. By holding parameters in a secure component, it is possible to prevent theft and imitation by a third party, and secure security.

  Further, according to the first embodiment, as the above-mentioned secure component, it is possible to adopt the tamper-resistant secure element 20 or the transposed execution environment (TEE) that is more secure than the normal execution environment (REE).

  Further, according to the first embodiment, since the secure element 20 authenticates the operator before outputting the parameter to the device main body 10, the security can be further enhanced.

Second Embodiment
In this embodiment, an embodiment will be described in which the inference model parameter 241 is verified to prevent the inference model 121 developed in the memory by the device 1 from being tampered with. The same reference numerals as in the first embodiment denote the same parts as in the first embodiment, and a description thereof will be omitted.
FIG. 7 is an explanatory view showing an example of the record layout of the operation management DB 242. As shown in FIG. The operation management DB 242 includes a device ID column, a last update date column, and an operation status column. The device ID column stores identification information for identifying each device 1 that synchronizes parameters with the server 3. The last update date column stores the last update date and time when each device 1 updated the inference model parameter 241 in association with the device ID. The operation status column stores, in association with the device ID, a verification result obtained by verifying normality or abnormality of the operation of each device 1. In the present embodiment, the server 3 acquires a comparison result of parameters to be described later as information related to the operation status of the device 1 and stores normal or abnormal operation of the device 1 in the operation management DB 342 according to the comparison result.

  FIG. 8 is an explanatory diagram of the verification process. In FIG. 8, verification of the inference model 121 is performed by the secure element 20 collating the inference model parameter 241 applied to the inference model 121 expanded in the device body 10 with the parameters held by itself. It shows how to do it. In FIG. 8, for convenience of illustration, the input / output I / F 13 of the device body 10 and the input / output I / F 23 of the secure element 20 are illustrated by rectangular dotted lines.

  The secure element 20 according to the present embodiment includes a check unit 25 and a communication path establishment unit 26. The collation unit 25 collates the inference model parameter 241 output from the device body 10 for verification with the inference model parameter 241 stored in the storage unit 24 of the secure element 20. The communication path establishment unit 26 establishes the secret communication path 41 between the device 1 and the server 3.

  Processing processes indicated by reference numerals P21 to P28 in FIG. 8 will be described in order. First, the control unit 11 of the device body 10 extracts the inference model parameter 241 from the data of the inference model 121 which has been expanded on the memory and is currently operating (P21). The extraction of the parameters may be performed in the reverse procedure of the expansion processing of the inference model 121 described in the first embodiment. The control unit 11 converts the extracted parameter into a value of a predetermined format that the secure element 20 can collate, outputs the value to the secure element 20, and requests the inference model 121 to collate (P22). Specifically, the control unit 11 converts not a parameter itself but a parameter into a hash value and outputs it. The conversion format of the parameter is not limited to the hash value, as long as a third party can convert the parameter so as to be difficult to analyze.

  When a collation request is received from the device body 10, the collation unit 25 collates the inference model parameter 241 held in the secure element 20 with the parameter output from the device body 10, and determines whether or not they match. Yes (P23). For example, the collation unit 25 compares the parameters output as the hash value from the device body 10 as described above. If the parameters match, the matching unit 25 determines that the inference model 121 has not been tampered with, and is operating normally. On the other hand, if the parameters do not match, the matching unit 25 determines that the inference model 121 has been falsified.

  The collation unit 25 notifies the device main body 10 of the collation result (verification result) of the parameter (P24). If the notified collation result indicates that the parameters do not match, for example, the control unit 11 of the device body 10 stops the inference processing based on the inference model 121. As described above, the device body 10 determines whether or not the inference process can be performed according to the result of the parameter comparison in the secure element 20, and prevents unauthorized use of the own device by a third party.

  Further, the verification unit 25 notifies the server 3 of the verification result as well as the device body 10. Specifically, the collation unit 25 requests the communication path establishment unit 26 to notify of the collation result (P25). When the notification request is received, the communication channel establishment unit 26 first establishes an end-to-end confidential communication channel 41 between the device 1 and the server 3 (P26). The secret communication path 41 is, for example, a communication path in which the communication content is encrypted by a protocol of TLS (Transport Layer Security). The communication path establishment unit 26 establishes the secret communication path 41 with the server 3 via the communication unit 14 which is a communication interface with the network N in the device main body 10.

  The secret communication path 41 may be any type as long as the communication content can be concealed, and for example, a protocol such as SSL (Secure Sockets Layer) may be adopted. Further, although the secret communication path 41 is established through the physical communication means (communication unit 14) of the device main body 10 in the above, the secure element 20 can establish the secret communication path 41 with the server 3 If the secure element 20 itself has physical communication means (LAN, Wi-Fi (registered trademark), etc.), the secure element 20 directly establishes the secret communication path 41 with the server 3. It is also good.

  The communication path establishment unit 26 notifies the server 3 of the collation result via the secret communication path 41 (P27). Specifically, the communication path establishment unit 26 notifies the server 3 of the device ID relating to the own device and the collation result indicating matching or non-coincidence of the inference model parameter 241. When the control unit 31 of the server 3 receives the notification, the control unit 31 stores that the operation status of the device 1 is normal or abnormal in the operation management DB 342 in association with the device ID (P28). As described above, the remote monitoring of the device 1 in the server 3 is also possible, and effective measures can be taken, such as remote control of the device 1 for preventing tampering.

  Although the secure element 20 notifies the device body 10 and the server 3 of the comparison result regardless of whether the parameters match or not match, if the parameters match, there is no problem in operation, so the parameters do not match. Notification may be made only in the case of.

FIG. 9 is a flowchart illustrating an example of a processing procedure of verification processing. The contents of processing performed by the IoT system according to the second embodiment will be described based on FIG.
The control unit 11 of the device body 10 extracts the inference model parameter 241 from the data of the inference model 121 developed on the memory (storage unit 12) (step S31). The control unit 11 converts the extracted parameter into a value of a predetermined format (for example, a hash value) (step S32). The control unit 11 outputs the converted parameter to the secure element 20 and requests collation of the parameter (step S33).

  The secure element 20 reads the inference model parameter 241 from the storage unit 24 and collates the inference model parameter 241 output from the device body 10 (step S34). The secure element 20 notifies the device body 10 of the verification result (verification result) (step S35).

  The control unit 11 of the device body 10 refers to the collation result notified from the secure element 20 and determines whether or not the parameters do not match (step S36). If it is determined that the parameters do not match (S36: NO), the control unit 11 ends the series of processes. When it is determined that the parameters do not match (S36: YES), the control unit 11 stops the processing operation based on the inference model 121 (step S37), and ends the series of verification processing.

  After executing step S35, the secure element 20 establishes the secret communication path 41 between the device 1 and the server 3 (step S38). For example, the secure element 20 establishes a secret communication path 41 for encrypting communication contents with the server 3 by the protocol of TLS. The secure element 20 notifies the server 3 of the comparison result of the parameters via the secret communication path 41 (step S39). The control unit 31 of the server 3 stores the collation result notified from the secure element 20 (device 1) in the operation management DB 342 in association with the device ID of the secure element 20 (step S40).

  As described above, according to the second embodiment, the secure element 20 compares the parameters of the inference model 121 operating in the device main body 10 with the parameters held by itself, whereby the secure element 20 is able to Perform verification. By performing verification based on the parameters stored in the secure element 20, verification can be performed reliably. Further, by performing verification in the secure element 20 instead of the device body 10, it is possible to prevent falsification of the verification result itself. In this manner, the device 1 can detect tampering or the like of the inference model 121 by a third party, and security can be further enhanced.

  Further, according to the second embodiment, by converting into a format such as a hash value and comparing the parameters, the security relating to the verification is enhanced compared to the case where the complete match of the parameters is simply confirmed. be able to.

  Further, according to the second embodiment, the verification result (collation result) is notified to the server 3, and the verification result is stored in the server 3 to operate based on the inference model 121 generated by the server 3. Remote monitoring of the device 1 can be performed, and security can be further enhanced.

  Further, according to the second embodiment, by notifying the verification result via the secret communication path 41, the third party interferes with the notification of the operation status to the server 3, or the notification content is altered, etc. It can prevent the situation.

Third Embodiment
In the present embodiment, a form will be described in which the inference model parameter 241 stored in the secure element 20 is updated to the latest model parameter 341.
FIG. 10 is an explanatory diagram of the updating process. FIG. 10 conceptually shows that the secure element 20 communicates with the server 3 and updates the inference model parameter 241. In FIG. 10, for convenience of illustration, the communication unit 14 of the device body 10 and the communication unit 33 of the server 3 are illustrated by rectangular dotted lines.

  The secure element 20 according to the present embodiment includes the updating unit 27. The update unit 27 acquires the latest model parameters 341 from the server 3 and updates the parameters stored in the storage unit 24.

  The processing processes indicated by reference numerals P31 to P38 in FIG. 10 will be described in order. First, the device body 10 requests the secure element 20 to confirm to the server 3 whether the inference model 121 has been updated to the latest data (P31). When the confirmation request is received, the updating unit 27 of the secure element 20 requests the communication channel opening unit 26 to open the secret communication channel 41 (P32). When the request is received, the communication path establishment unit 26 establishes the secret communication path 41 (P33). The concealment channel 41 is the same as that of the second embodiment, so the description is omitted here.

  The update unit 27 requests the server 3 to update the parameter via the secret communication path 41 (P34). Specifically, the updating unit 27 transmits version information 241 c of the current inference model parameter 241 held by the secure element 20 and the device ID of the own device.

  When receiving the update request from the secure element 20 (device 1), the server 3 determines whether the inference model 121 has been updated in the device 1 as the request source (P35). Specifically, the server 3 collates the version information 241 c transmitted from the secure element 20 with the version information 341 c (see FIG. 10) of the latest model parameter 341. If the version information matches the latest one, the inference model 121 of the device 1 has been updated to the latest model, and the server 3 does not perform any particular processing, and ends the series of processing. On the other hand, if the version information does not match the latest version, the server 3 transmits the latest model parameter 341 to the device 1 via the secret communication path 41 (P36). In addition, when transmitting the latest model parameter 341, the server 3 stores update information indicating that the inference model 121 of the device 1 has been updated in the operation management DB 342 in association with the device ID received together with the version information ( P37). For example, the server 3 stores the current date and time in the operation management DB 342 as the final update date and time. The server 3 may store information that has been updated on the database, and may store information other than date and time as update information, such as storing version information 341c of the latest model, for example. .

  The update unit 27 of the secure element 20 stores the latest model parameter 341 transmitted from the server 3 in the storage unit 24 and updates the parameter (P38). For example, the updating unit 27 outputs the parameter to the device body 10 immediately after downloading the parameter, and the device body 10 updates (reconstructs) the inference model 121 based on the parameter. Note that the updating may be performed at any timing such as the next activation of the device 1 or the next execution of the application without updating the inference model 121 immediately after downloading the parameter. As described above, the data stored in the IoT device can be updated to the latest one, and it is possible to meet the update needs, such as preventing obsolescence.

  In the above, a series of processing is started according to a request from the device main body 10, but, for example, updating is performed together with the verification according to the second embodiment, or the server 3 is operated with the old version from the operation management DB 342 The model update process may be started at an arbitrary timing, such as detecting the existing device 1 and making a parameter update request from the server 3 side to the device 1 side.

FIG. 11 is a flowchart illustrating an example of the processing procedure of the update processing. The contents of processing performed by the IoT system according to the present embodiment will be described based on FIG.
The control unit 11 of the device body 10 requests the secure element 20 to confirm to the server 3 whether it is the latest model of the inference model 121 (step S61). When the request is received, the secure element 20 establishes the secret communication path 41 with the server 3 (step S62). The secure element 20 makes an update request for the inference model parameter 241 via the secret communication path 41 (step S63). For example, as described above, the secure element 20 transmits the version information 241c of the parameter stored in the storage unit 24 and the device ID of the own device to the server 3.

  If the update request has been received, the control unit 31 of the server 3 determines whether the inference model parameter 241 has been updated in the device 1 that has made the update request (step S64). For example, the control unit 31 determines whether the version information 341c of the latest model matches the version information 241c transmitted from the secure element 20. If it is determined that the update has been completed (S64: YES), the control unit 31 ends the series of processing.

  When it is determined that the update is not completed (S64: NO), the control unit 31 transmits the latest model parameter 341 to the secure element 20 via the secret communication path 41 (step S65). When the latest model parameter 341 is transmitted, the control unit 31 stores update information indicating that the inference model 121 of the device 1 has been updated in the operation management DB 342 (step S66), and ends the series of processing.

  When the latest model parameter 341 is received from the server 3, the secure element 20 stores the parameter in the storage unit 24 (step S67), and ends the series of processing.

  Although the version information 241c and 341c are illustrated and described as being the version number, that is, the number indicating the version in the above, the present embodiment is not limited to this. For example, the version information 241 c and 341 c may be information representing a time such as a date when the parameter was updated. Also, for example, the server 3 may compare the hash value of the inference model 121 developed in the device 1 with the latest inference model 121 to determine whether or not the latest version. Thus, the server 3 only needs to be able to update the inference model parameter 241 based on the information that can determine the new and old of the inference model 121, and the version information 241c and 341c are not limited to numbers.

  As described above, according to the third embodiment, the secure element 20 acquires the latest model parameter 341 from the server 3 and stores the latest model parameter 341 in the storage unit 24, thereby preventing obsolescence of the inference model 121, etc. The inference model 121 can be updated.

  Further, according to the third embodiment, by exchanging parameters via the secret communication path 41, model update can be performed while securing security.

  Also, as described in the second and third embodiments, the server 3 acquires, from the secure element 20, data on the operation status of the inference model 121 currently operating on the device 1, such as the result of parameter comparison, version information, etc. , Stored in the operation management DB 342. As a result, the operation status of the device 1 that synchronizes the server 3 and the inference model 121 can be remotely monitored. In particular, since the information transmitted from the device 1 is data transmitted from the secure element 20, highly reliable remote monitoring can be performed by combining the concealment of the communication path.

Embodiment 4
In the third embodiment, the form has been described in which the inference model 121 operating on the device 1 is updated. In the present embodiment, a practical operation form of the update processing will be described.
FIG. 12 is an explanatory diagram for explaining an update process according to the fourth embodiment. FIG. 12 illustrates how the inference model 121 in the device 1 is updated according to the update request from the operator (user) of the device 1.

  An apparatus indicated by reference numeral 5 in FIG. 12 is an operator terminal 5 used by an operator (user) of the device 1. In the present embodiment, the server 3 receives an update request for the inference model 121 from the operator via the operator terminal 5 or the like, and distributes the latest model parameter 341 to the device 1 when there is the update request.

  First, the secure element 20 of the device 1 receives the update confirmation request for the inference model 121 from the device main body 10 as in the third embodiment, or receives the update request for the latest model from the server 3, etc. The version information 241 c is transmitted to the server 3 at timing. The server 3 compares the version information 241c transmitted from the device 1 with the version information 341c of the latest model, and confirms whether the device 1 has been updated to the latest model.

  If not updated, the server 3 sends a predetermined update notification to the operator terminal 5 in order to confirm to the operator whether or not to update to the latest model. The server 3 may notify the device 1 itself which is the update target.

  The operator receives the update notification via the operator terminal 5 and sends back to the server 3 whether to update the inference model 121 of the device 1 being operated. If the server 3 receives the response to update and receives the update request of the inference model 121, the server 3 transmits the latest model parameter 341 to the device 1.

  In this case, the server 3 may request the operator to pay a predetermined update fee as compensation for updating the inference model 121. For example, the server 3 stores, in the operation management DB 342, information of the operator (personal name, company name, name, address, etc.), update fee payment method (account number, withdrawal setting, etc.) in association with the device ID. Keep it. The server 3 receives the update request from the operator, distributes the parameters, and executes the payment request processing of the update fee according to the information. For example, the server 3 notifies a server device such as a credit company or other devices of information indicating a customer (operator), a payment amount and the like, and requests payment of an update fee.

  In the present embodiment, although it is decided to charge a fee as compensation for the update of the inference model 121, charge processing of the fee is not essential. Good. Further, the timing for executing the billing process is not limited after the distribution of the parameter, and may be performed at any timing, for example, the billing process may be performed before the delivery of the parameter and the settlement may be completed after the settlement is completed.

FIG. 13 is a flowchart of an example of the process procedure of the update process according to the fourth embodiment. The contents of the update process according to the fourth embodiment will be described based on FIG.
The secure element 20 of the device 1 reads the version information 241 c of the inference model parameter 241 stored in the storage unit 24 and transmits the version information 241 c to the server 3 (step S 81). For example, the secure element 20 transmits version information triggered by a request from the device body 10 as in the third embodiment.

  When the version information 241c is acquired from the device 1, the control unit 31 of the server 3 compares the version information 241c with the version information 341c of the latest model, and is the inference model 121 of the device 1 updated to the latest model? It is determined whether or not it is (step S82). If it is determined that the update has been completed (S82: YES), the control unit 31 ends the series of processing.

  If it is determined that the inference model 121 has not been updated (S82: NO), the control unit 31 sends an update notification that confirms with the operator whether to update the inference model 121 of the device 1 (step S83). For example, the control unit 31 may notify the operator terminal 5 or the like used by the operator, or may notify the device 1 itself as an update target.

  The control unit 31 receives an update request for the inference model 121 from the operator (step S84). The control unit 31 determines whether an update request has been made (step S85). If it is determined that the update request has not been made (S85: NO), the control unit 31 ends the series of processes. If it is determined that an update request has been made (S85: YES), the control unit 31 transmits the latest model parameter 341 to the device 1 (step S86). The secure element 20 of the device 1 acquires the parameter and stores the parameter in the storage unit 24 (step S87), and ends the series of processing.

  After transmitting the latest model parameter 341 (step S86), the control unit 31 of the server 3 executes a billing process for billing the operator for the payment of the update fee accompanying the update of the inference model 121 (step S88). . For example, the server 3 stores the information of the operator, the payment method, and the like in the operation management DB 342 in association with the device ID. In accordance with the payment method, the server 3 transmits, for example, a billing notification indicating a customer (operator), a payment amount, and the like to a server device or the like of a credit company. The control unit 31 ends the series of processes.

  As described above, according to the fourth embodiment, the server 3 acquires the version information 241 c from the secure element 20 and determines whether the inference model 121 of the device 1 has been updated to the latest model according to the version information 241 c. If it is determined that the update has not been completed, an update notification is performed to confirm to the operator of the device 1 whether or not to perform the update. When the server 3 receives an update request for updating from the operator, the server 3 transmits the latest model parameter 341 to the secure element 20 of the device 1. In addition, when transmitting the latest model parameter 341, the server 3 executes a billing process for billing the operator for the update fee, which is the price for the update. As a result, it is possible to compensate for the input cost of computer resources input for generating the inference model 121, and it is possible to realize the practical operation of this system in a commercial and practical aspect.

  Although the inference model 121 is updated by data distribution in the above, the present embodiment is not limited to this. For example, when the secure element 20 is a chip such as a removable UICC, the inference model 121 may be updated by issuing a new secure element 20. For example, the server 3 issues an update notification to the operator of the device 1 and, when having received a payment for the update fee, issues the secure element 20 that issues the secure element 20 storing the latest model parameter 341 to the issuer of the secure element 20 Notice. For example, the server 3 transmits the information of the customer (operator), the version information, and the permission information for permitting the issuance to the server of the issuer or another device. Even if it is said structure, the same effect as the case of performing data delivery is produced.

Fifth Embodiment
FIG. 14 is a functional block diagram showing the operation of the IoT system of the embodiment described above. When the control unit 11 executes the program P1, the device 1 operates as follows. The execution unit 141 executes arithmetic processing. The secure unit 142 is a component that is more secure than the execution unit 141, and stores parameters for developing a learned model generated by machine learning. The execution unit 141 acquires the parameter from the secure unit 142, expands the learned model on a memory based on the acquired parameter, and executes arithmetic processing based on the expanded learned model.

  In addition, when the control unit 31 executes the program P2, the server 3 operates as follows. The operation status acquisition unit 143 acquires, from the secure unit 142, information on the operation status of the device 1 based on the learned model and identification information of the device 1. The storage unit 144 stores information on the operation status in association with the identification information.

  The fifth embodiment is as described above, and the other parts are the same as the first to fourth embodiments. Therefore, the corresponding parts are denoted with the same reference numerals and the detailed description thereof will be omitted.

  It should be understood that the embodiments disclosed herein are illustrative in all respects and not restrictive. The scope of the present invention is indicated not by the meaning described above but by the claims, and is intended to include all modifications within the meaning and scope equivalent to the claims.

1 device 10 device body 121 inference model (learned model)
20 Secure Element (Secure Department)
241 Parameters for Inference Model 3 Server (Management Device)
341 Parameter for latest model 342 Operation Management DB

Claims (19)

An execution unit that executes arithmetic processing;
And a secure unit that is more secure than the execution unit, and stores parameters for developing a learned model generated by machine learning.
The execution unit is
Obtain the parameters from the secure unit,
Based on the acquired parameters, the learned model is expanded in memory,
A device characterized by performing arithmetic processing based on the expanded learned model. The device according to claim 1, wherein the secure unit is a tamper-resistant secure element. The secure unit is a virtual area different from an execution environment in which the execution unit executes processing, and is a trusted execution environment that is more secure than the execution environment,
The device according to claim 1, wherein the execution unit develops the learned model in the execution environment based on the parameter acquired from the trusted execution environment. An acquisition unit for acquiring an input value to be input to the learned model;
The execution unit inputs the input value to the learned model and calculates an output value.
The device according to any one of claims 1 to 3, further comprising an output unit configured to output an operation result. An authentication information acquisition unit that acquires authentication information required for operator authentication, and
The device according to any one of claims 1 to 4, wherein when the operator authentication based on the authentication information succeeds, the secure unit outputs the parameter. An extraction unit that extracts the parameter from the learned model developed by the execution unit;
A parameter output unit that outputs the extracted parameter to the secure unit;
The device according to any one of claims 1 to 5, wherein the secure unit collates the parameter output from the parameter output unit with the stored parameter. The parameter output unit converts the parameter into a value of a predetermined format and outputs it.
The device according to claim 6, wherein the secure unit collates the value of the predetermined format. The secure unit notifies the execution unit of the comparison result of the parameter,
The device according to claim 6, wherein the execution unit determines whether or not execution of the arithmetic processing based on the learned model is possible in accordance with the notified collation result. The device according to any one of claims 6 to 8, wherein the secure unit notifies a management device that manages an operation state of the device of a comparison result of the parameter. The secure unit
Version information of the learned model corresponding to the parameter is stored in association with the parameter;
The version information is notified to a management device that manages the operation status of the device,
Acquiring the parameter corresponding to the latest learned model from the management device according to the version information;
The device according to any one of claims 1 to 9, wherein the acquired parameter is stored. The secure unit
Establishing a secret communication path in which the communication content is encrypted with the management apparatus;
11. The device according to claim 9, wherein transmission and reception of data are performed via the secret communication path. A secure element mounted on the device,
A storage unit for storing parameters necessary for developing a learned model generated by machine learning;
A secure element comprising: an output unit that develops the learned model on a memory and outputs the parameter to a device body that executes arithmetic processing based on the learned model. On computers equipped with Secure Element,
Obtaining the parameters from the secure element storing parameters for developing a learned model generated by machine learning;
Developing the learned model based on the acquired parameters;
A program that executes processing for performing operations based on the expanded learned model. On the computer
Storing parameters for developing a learned model generated by machine learning in a trusted execution environment that is more secure than an execution environment that executes arithmetic processing based on the learned model,
Obtaining the parameters from the trusted execution environment;
Developing the learned model in the execution environment based on the acquired parameters;
A program that executes processing for performing operations based on the expanded learned model. An information processing system comprising: a device; and a management device that manages an operation state of the device,
The device is
An execution unit that executes arithmetic processing;
And a secure unit that is more secure than the execution unit, and stores parameters for developing a learned model generated by machine learning.
The execution unit is
Obtain the parameters from the secure unit,
Based on the acquired parameters, the learned model is expanded in memory,
Perform arithmetic processing based on the expanded learned model,
The management device is
An operation status acquisition unit that acquires, from the secure unit, information related to the operation status of the device based on the learned model, and identification information of the device;
A storage unit that stores information related to the operation status in association with the identification information. The device is
An extraction unit that extracts the parameter from the learned model developed by the execution unit;
A parameter output unit that outputs the extracted parameter to the secure unit;
The secure unit
Collating the parameter output from the parameter output unit with the stored parameter;
Notifying the management device of the collation result,
The operation status acquisition unit acquires the collation result.
The information processing system according to claim 15, wherein the storage unit stores the matching result in association with the identification information. The secure unit
Version information of the learned model corresponding to the parameter is stored in association with the parameter;
Notifying the version information to the management device;
The operation status acquisition unit acquires the version information.
The management apparatus includes a transmission unit that transmits the parameter corresponding to the latest learned model according to the acquired version information.
When the parameter is transmitted, the storage unit stores update information indicating that the learned model has been updated in the device;
The secure unit
Acquiring the parameter from the management device;
The information processing system according to claim 15, wherein the acquired parameter is stored. A device comprising: an execution unit that executes arithmetic processing; and a secure unit that is more secure than the execution unit and that stores parameters for expanding a learned model generated by machine learning.
The execution unit
Obtain the parameters from the secure unit,
Based on the acquired parameters, the learned model is expanded in memory,
An information processing method comprising: executing a process based on the expanded learned model. The secure unit stores version information of the learned model corresponding to the parameter in association with the parameter;
The secure unit
The version information is notified to a management device that manages the operation status of the device,
Acquiring the parameter corresponding to the latest learned model from the management device according to the version information;
The information processing method according to claim 18, wherein the acquired parameter is stored.

Images