WO2020125134A1 - 自定义模型防篡改方法、装置、终端设备及存储介质 - Google Patents

自定义模型防篡改方法、装置、终端设备及存储介质 Download PDF

Info

Publication number
WO2020125134A1
WO2020125134A1 PCT/CN2019/109644 CN2019109644W WO2020125134A1 WO 2020125134 A1 WO2020125134 A1 WO 2020125134A1 CN 2019109644 W CN2019109644 W CN 2019109644W WO 2020125134 A1 WO2020125134 A1 WO 2020125134A1
Authority
WO
WIPO (PCT)
Prior art keywords
model
custom
custom model
verification value
file
Prior art date
Application number
PCT/CN2019/109644
Other languages
English (en)
French (fr)
Inventor
刘耀勇
陈岩
Original Assignee
Oppo广东移动通信有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Oppo广东移动通信有限公司 filed Critical Oppo广东移动通信有限公司
Publication of WO2020125134A1 publication Critical patent/WO2020125134A1/zh

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562Static detection
    • G06F21/565Static detection by checking file integrity
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2107File encryption

Definitions

  • Embodiments of the present application relate to computer technology, and in particular, to a method, device, terminal device, and storage medium for anti-tampering of a custom model.
  • terminal devices With the increasing popularity of terminal devices, more and more users use terminal devices to perform a variety of functions to meet their own needs, such as using terminal devices to read text, watch videos, listen to music, play games, etc.
  • terminal devices With the development of artificial intelligence technology, one or more learning models are deployed in the terminal device to perform artificial intelligence calculation processing.
  • the present application provides a method, device, terminal device, and storage medium for anti-tampering of a custom model, which can effectively solve the problem of tampering of the custom model and improve the stability of the custom model.
  • an embodiment of the present application provides a method for preventing tampering of a custom model, including:
  • the corresponding first verification value is calculated according to the model structure file of the custom model
  • the model structure file and the first verification value are read in the trusted execution environment, and a second verification value corresponding to the model structure file is calculated;
  • an embodiment of the present application further provides a custom model anti-tampering device, including:
  • a first verification value calculation module configured to calculate the corresponding first verification value according to the model structure file of the custom model when the custom model is generated
  • a verification value storage module configured to add the first verification value to the custom model and store it in a trusted execution environment
  • a second check value calculation module configured to read the model structure file and the first check value in the trusted execution environment when the custom model is read in, and calculate the model structure file The corresponding second check value;
  • the verification value comparison module is configured to trigger a tampering event if the first verification value and the second verification value are different.
  • an embodiment of the present application further provides a terminal device, including: a processor, a memory, and a computer program stored on the memory and executable on the processor, and the processor implements the computer program when the processor executes the computer program:
  • the corresponding first verification value is calculated according to the model structure file of the custom model
  • the model structure file and the first verification value are read in the trusted execution environment, and a second verification value corresponding to the model structure file is calculated;
  • an embodiment of the present application further provides a storage medium containing terminal device executable instructions, where the terminal device executable instructions are used to execute when executed by a terminal device processor:
  • the corresponding first verification value is calculated according to the model structure file of the custom model
  • the model structure file and the first verification value are read in the trusted execution environment, and a second verification value corresponding to the model structure file is calculated;
  • FIG. 1 is a flowchart of a method for preventing tampering with a custom model provided by an embodiment of the present application
  • FIG. 2 is a flow chart of another method for preventing tampering of a custom model provided by an embodiment of the present application
  • FIG. 3 is a flowchart of another method for preventing tampering of a custom model provided by an embodiment of the present application
  • FIG. 5 is a structural block diagram of a custom model anti-tamper device provided by an embodiment of the present application.
  • FIG. 6 is a schematic structural diagram of a terminal device according to an embodiment of the present application.
  • An embodiment of the present application provides a method for preventing tampering of a custom model, including:
  • the corresponding first verification value is calculated according to the model structure file of the custom model
  • the model structure file and the first verification value are read in the trusted execution environment, and a second verification value corresponding to the model structure file is calculated;
  • the triggering tampering event includes:
  • the trusted execution environment is used to automatically encrypt the stored files and decrypt them automatically when the stored files are read.
  • the custom model is converted from a trained neural network model, and the operator in the custom model is configured with a corresponding expected running device type, and the expected running device type includes CPU and GPU , At least one of DSP and NPU.
  • the model structure file includes at least two operators and corresponding weight information, and the at least two operators and corresponding weight information pass the name of the subordinate operator recorded in the weight information To be associated.
  • the type of running equipment of the custom model is determined, and if the type of running equipment and the custom model are recorded The type of the expected running equipment is different, then the type of the expected running equipment in the custom model is modified to the type of the running equipment, and the modified custom model is re-read.
  • adding the first verification value to the custom model and storing it before the trusted execution environment includes:
  • FIG. 1 is a flowchart of a method for preventing tampering of a custom model provided by an embodiment of the present application, which can be applied to a case where a custom model is deployed on a terminal device to run.
  • the anti-tampering device of the self-defined model of the terminal device may be implemented by software and/or hardware. As shown in FIG. 1, the specific solution provided by this embodiment is as follows:
  • the custom model defines the model format of the deep learning computing framework, which can be used for artificial intelligence and big data operations.
  • the custom model is deployed in the terminal device, such as through the custom model to achieve automatic beauty , Intelligent photography, user interest point analysis, and intelligent data recommendation.
  • the custom model can be generated according to the hardware and software system adaptability of different terminal devices, or it can be a custom model compression package or code segment sent by the receiving server, and the custom model is generated in the terminal device after the reception is completed Used for deep learning or other intelligent operations.
  • the focus in the prior art is how to encrypt the custom model to prevent the third-party or malware from cracking the custom model, but there are design flaws in the tamper-proofing of the custom model.
  • the custom model When the custom model is generated, the corresponding first verification value is calculated according to the model structure file of the custom model.
  • the custom model is mainly composed of model structure files, and the exemplary structure pattern may be as follows.
  • the corresponding first verification value calculated according to the model structure file of the custom model may be (in the C language as an example, implemented by calling an API):
  • the first verification value may be a hash signature value as described above. It should be noted that other signature methods may also be used, which is not limited in this application.
  • a private key provided by the service provider may be used to obtain the first verification value by performing a signature operation on the hash value.
  • the public key is used for analysis to obtain the corresponding verification value.
  • the first check value added value calculated in S101 is added to the end of the custom model, and the specific structure is as follows:
  • first verification value may also be added to other positions of the custom model, which is not limited in this application.
  • the Trusted Execution Environment includes a data storage environment that automatically encrypts stored files and automatically decrypts when reading stored files.
  • the first verification value is added to the custom model and stored in a trusted execution environment, which cannot be directly accessed by the CPU, but can only be accessed by programs that establish a secure connection.
  • the deployment mode of the trusted execution environment includes software implementation using open source tools or SDKs developed based on TEE. Specifically, it may be any of T-base, OP-TEE, securiTEE, or TLK. .
  • the custom model when you need to perform deep learning operations, you need to call the corresponding custom model and read the custom model file.
  • the model structure file and the first verification value are read in the trusted execution environment, and the second verification value corresponding to the model structure file is calculated, wherein the model structure file is calculated
  • the corresponding second verification value is obtained by using the verification method corresponding to the first verification value, such as calculating the hash value of the model structure file and calculating the hash value using the public key of the stored record to obtain the second calibration value.
  • the verification value that is, the second verification value may be a hash signature value.
  • the first check value and the second check value are compared. If the two are found to be different, it means that the custom model has been tampered with, and a corresponding tampering event needs to be initiated.
  • the tampering event is an event defined to determine that the tampered custom model is not used after the tampered custom model is tampered.
  • the custom model update request may be sent to the server to reacquire the custom model.
  • the verification value of the custom model is calculated and verified in the custom model generation stage and the reading stage, which avoids the information security risks caused by the operation of the tampered custom model.
  • the custom model It is stored in a trusted execution environment and cannot be directly accessed by the CPU, and corresponding encryption and decryption are performed when the custom model is stored and read to further ensure the stability of the custom model.
  • FIG. 2 is a flowchart of another method for preventing a custom model from being tampered according to an embodiment of the present application.
  • the event of triggering tampering includes sending a model update request to a server for the server to issue an updated model file ; Receive the updated model file.
  • the technical solution is as follows:
  • the custom model when it is determined that the first verification value and the second verification value are different, it means that the custom model has been tampered with by other malicious programs.
  • Avoid using a tampered custom model and send a model update request to the server to obtain the updated model file issued by the server.
  • the updated model file delivered by the server is received to replace the original custom model detected to be tampered with.
  • the first verification value of the model file is calculated and the additional value of the first verification value is stored in the trusted execution environment in the updated model.
  • the saved data is read and verified accordingly, and if it is found that the updated model has been tampered with, the corresponding model is requested to be updated again from the server.
  • the custom model can be generated by the server
  • the corresponding first verification value is calculated according to the model structure file of the custom model
  • the first verification value is added to the custom model and delivered to the terminal device.
  • the terminal device receives the customized model containing the first verification value and stores it in the trusted execution environment.
  • the custom model is updated accordingly to ensure that the model used in the deep learning operation is a non-tampered custom model, which ensures the safety of operation and the accuracy of the calculation results.
  • FIG. 3 is a flowchart of another method for tamper-proofing a custom model provided by an embodiment of the present application.
  • the method further includes a process of generating a custom model.
  • the technical solution is as follows:
  • the custom model is converted from the trained neural network model.
  • the operator in the custom model is configured with the corresponding expected running device type, and the expected running device type includes CPU, GPU, DSP And at least one of NPU.
  • the conversion and generation process of the self-defined model may be: analysis of the trained neural network model, and each type of operator that is parsed corresponds to the type of expected operating device associated with the configuration.
  • the subsequent custom model When being read in, it is necessary to modify an operator to run on a calculation processing unit, correspondingly modify the custom model file, without recompiling the code to generate a new binary executable file, and correspondingly, regenerating the custom
  • the subsequent generation of the first verification value and the process of calculating and verifying the second verification value when reading the custom model are also performed.
  • the model structure is exemplified as follows:
  • the custom model structure file includes at least two operators and corresponding weight information.
  • the at least two operators and the corresponding weight information are related by the name of the subordinate operator recorded in the weight information , To further improve the architectural stability and operating efficiency of the custom model.
  • the generated custom model can be run on different devices, only need to modify the custom model file, and then re-read the model, no need to recompile the code to generate a new binary executable file, is a deep learning model Configuration is more flexible, and at the same time it can prevent its modification configuration from being tampered by other malicious programs.
  • FIG. 4 is a flowchart of another method for preventing tampering of a custom model provided by an embodiment of the present application.
  • the custom definition is determined.
  • the running equipment type of the model If the running equipment type is different from the expected running equipment type recorded in the custom model, modify the expected running equipment type in the custom model to the running equipment type and re-read Into the modified custom model. As shown in Figure 4, the technical solution is as follows:
  • the running device type is determined according to different hardware environments, including at least one of CPU, GPU, DSP, and NPU.
  • S406. Determine whether the type of running equipment of the custom model is consistent with the expected type of running equipment recorded in the custom model. If yes, execute S407, otherwise execute S408.
  • the configuration modification can be performed on the custom model, such as modifying the expected type of operating equipment in the operator structure The type of equipment currently in operation, and re-read the modified custom model for deep learning operations.
  • An embodiment of the present application also provides a self-defined model anti-tampering device, including:
  • a first verification value calculation module configured to calculate the corresponding first verification value according to the model structure file of the custom model when the custom model is generated
  • a verification value storage module configured to add the first verification value to the custom model and store it in a trusted execution environment
  • a second check value calculation module configured to read the model structure file and the first check value in the trusted execution environment when the custom model is read in, and calculate the model structure file The corresponding second check value;
  • the verification value comparison module is configured to trigger a tampering event if the first verification value and the second verification value are different.
  • the verification value comparison module is further used to:
  • the trusted execution environment is used to automatically encrypt the stored files and decrypt them automatically when the stored files are read.
  • the custom model is converted from a trained neural network model, and the operator in the custom model is configured with a corresponding expected running device type, and the expected running device type includes CPU and GPU , DSP and NPU at least one.
  • the model structure file includes at least two operators and corresponding weight information, and the at least two operators and corresponding weight information pass the name of the subordinate operator recorded in the weight information To be associated.
  • the verification value comparison module is further used to:
  • first check value and the second check value are the same, determine the type of operating equipment of the custom model, if the type of operating equipment and the type of expected operating equipment recorded in the custom model are different , Then modify the expected operating device type in the custom model to the operating device type, and re-read the modified custom model.
  • the check value storage module is further used to:
  • FIG. 5 is a structural block diagram of a custom model anti-tampering device provided by an embodiment of the present application.
  • the device is used to execute the custom model anti-tampering method provided by the foregoing embodiment, and has functional modules and beneficial effects corresponding to the execution method.
  • the device specifically includes: a first check value calculation module 101, a check value storage module 102, a second check value calculation module 103, and a check value comparison module 104, wherein,
  • the first verification value calculation module 101 is configured to calculate the corresponding first verification value according to the model structure file of the custom model when the custom model is generated.
  • the custom model defines the model format of the deep learning computing framework, which can be used for artificial intelligence and big data operations.
  • the custom model is deployed in the terminal device, such as through the custom model to achieve automatic beauty , Intelligent photography, user interest point analysis, and intelligent data recommendation.
  • the custom model can be generated according to the hardware and software system adaptability of different terminal devices, or it can be a custom model compression package or code segment sent by the receiving server, and the custom model is generated in the terminal device after the reception is completed Used for deep learning or other intelligent operations.
  • the focus in the prior art is how to encrypt the custom model to prevent the third-party or malware from cracking the custom model, but there are design flaws in the tamper-proofing of the custom model.
  • the custom model is generated, the corresponding first verification value is calculated according to the model structure file of the custom model.
  • the corresponding first verification value calculated according to the model structure file of the custom model may be (in the C language as an example, implemented by calling an API):
  • the first verification value may be a hash signature value as described above. It should be noted that other signature methods may also be used, which is not limited in this application.
  • a private key provided by the service provider may be used to obtain the first verification value by performing a signature operation on the hash value.
  • the public key is used for analysis to obtain the corresponding verification value.
  • the verification value storage module 102 is configured to add the first verification value to the custom model and store it in a trusted execution environment.
  • the Trusted Execution Environment includes a data storage environment that automatically encrypts stored files and automatically decrypts when reading stored files.
  • the first verification value is added to the custom model and stored in a trusted execution environment, which cannot be directly accessed by the CPU, but can only be accessed by programs that establish a secure connection.
  • the deployment mode of the trusted execution environment includes software implementation using open source tools or SDKs developed based on TEE. Specifically, it may be any of T-base, OP-TEE, securiTEE, or TLK. .
  • the second check value calculation module 103 is configured to read the model structure file and the first check value in the trusted execution environment when the custom model is read in to calculate the model structure The second check value corresponding to the file.
  • the custom model when you need to perform deep learning operations, you need to call the corresponding custom model and read the custom model file.
  • the model structure file and the first verification value are read in the trusted execution environment, and the second verification value corresponding to the model structure file is calculated, wherein the model structure file is calculated
  • the corresponding second verification value is obtained by using the verification method corresponding to the first verification value, such as calculating the hash value of the model structure file and calculating the hash value using the public key of the stored record to obtain the second calibration value.
  • the verification value that is, the second verification value may be a hash signature value.
  • the verification value comparison module 104 is configured to trigger a tampering event if the first verification value and the second verification value are different.
  • the first check value and the second check value are compared. If the two are found to be different, it means that the custom model has been tampered with, and a corresponding tampering event needs to be initiated.
  • the tampering event is an event defined to determine that the tampered custom model is not used after the tampered custom model is tampered with.
  • the custom model update request may be sent to the server to reacquire the custom model.
  • the verification value of the custom model is calculated and verified in the custom model generation stage and the reading stage, which avoids the information security risks caused by the operation of the tampered custom model.
  • the custom model It is stored in a trusted execution environment and cannot be directly accessed by the CPU, and corresponding encryption and decryption are performed when the custom model is stored and read to further ensure the stability of the custom model.
  • check value comparison module 104 is specifically used to:
  • the trusted execution environment is used to automatically encrypt the stored file, and automatically decrypt the stored file when it is read.
  • the custom model is converted from a trained neural network model, and the operator in the custom model is configured with a corresponding expected operating device type, and the expected operating device type includes a CPU , GPU, DSP and NPU at least one.
  • the model structure file includes at least two operators and corresponding weight information, and the at least two operators and corresponding weight information are recorded through the membership calculation recorded in the weight information Subnames are associated.
  • check value comparison module 104 is specifically used to:
  • the apparatus further includes a custom model configuration module 105, configured to modify the expected type of operating equipment in the custom model to the type if the type of operating equipment and the type of expected operating equipment recorded in the custom model are different Run the device type and re-read the modified custom model.
  • a custom model configuration module 105 configured to modify the expected type of operating equipment in the custom model to the type if the type of operating equipment and the type of expected operating equipment recorded in the custom model are different Run the device type and re-read the modified custom model.
  • the check value storage module 102 is further used to:
  • FIG. 6 is a schematic structural diagram of a terminal device according to an embodiment of the present application.
  • the terminal device 200 includes: a memory 201, Processor (Central Processing Unit, CPU) 202, peripheral interface 203, RF (Radio Frequency) circuit 205, audio circuit 206, speaker 211, power management chip 208, input/output (I/O) subsystem 209,
  • the touch screen 212, the Wifi module 213, other input/control devices 210, and the external port 204, these components communicate through one or more communication buses or signal lines 207.
  • the illustrated terminal device 200 is only an example of the terminal device, and the terminal device 200 may have more or fewer components than shown in the figure, and two or more components may be combined, Or it can have different component configurations.
  • the various components shown in the figures may be implemented in hardware, software, or a combination of hardware and software, including one or more signal processing and/or application specific integrated circuits.
  • the terminal device uses a smart phone as an example.
  • Memory 201 which can be accessed by CPU 202, peripheral interface 203, etc.
  • the memory 201 can include high-speed random access memory, and can also include non-volatile memory, such as one or more disk storage devices, flash memory devices , Or other volatile solid-state storage devices.
  • Peripheral interface 203 which can connect input and output peripherals of the device to CPU 202 and memory 201.
  • the I/O subsystem 209 which can connect input and output peripherals on the device, such as touch screen 212 and other input/control devices 210, to peripheral interface 203.
  • the I/O subsystem 209 may include a display controller 2091 and one or more input controllers 2092 for controlling other input/control devices 210.
  • One or more input controllers 2092 receive electrical signals from other input/control devices 210 or send electrical signals to other input/control devices 210.
  • the other input/control devices 210 may include physical buttons (press buttons, rocker buttons, etc.) ), dial pad, slide switch, joystick, click wheel. It is worth noting that the input controller 2092 can be connected to any of the following: a keyboard, an infrared port, a USB interface, and a pointing device such as a mouse.
  • the touch screen 212 which is an input interface and an output interface between the user terminal and the user, displays the visual output to the user, and the visual output may include graphics, text, icons, video, and the like.
  • the display controller 2091 in the I/O subsystem 209 receives electrical signals from the touch screen 212 or sends electrical signals to the touch screen 212.
  • the touch screen 212 detects the contact on the touch screen, and the display controller 2091 converts the detected contact into interaction with the user interface object displayed on the touch screen 212, that is, realizes human-computer interaction, and the user interface object displayed on the touch screen 212 may be running Icons for games, icons connected to the corresponding network, etc.
  • the device may also include a light mouse, which is a touch-sensitive surface that does not display visual output or an extension of the touch-sensitive surface formed by a touch screen.
  • the RF circuit 205 is mainly used to establish communication between the mobile phone and the wireless network (that is, the network side), and realize data reception and transmission between the mobile phone and the wireless network. For example, sending and receiving short messages, e-mail, etc. Specifically, the RF circuit 205 receives and transmits RF signals, which are also called electromagnetic signals. The RF circuit 205 converts electrical signals into electromagnetic signals or converts electromagnetic signals into electrical signals, and communicates with the communication network and other devices through the electromagnetic signals Communicate.
  • the RF circuit 205 may include known circuits for performing these functions, including but not limited to antenna systems, RF transceivers, one or more amplifiers, tuners, one or more oscillators, digital signal processors, CODEC ( COder-DECoder (codec) chipset, subscriber identity module (Subscriber Identity Module, SIM), etc.
  • CODEC COder-DECoder (codec) chipset
  • subscriber identity module Subscriber Identity Module, SIM
  • the audio circuit 206 is mainly used to receive audio data from the peripheral interface 203, convert the audio data into electrical signals, and send the electrical signals to the speaker 211.
  • the speaker 211 is used to restore the voice signal received by the mobile phone from the wireless network through the RF circuit 205 to a sound and play the sound to the user.
  • the power management chip 208 is used for power supply and power management for the hardware connected to the CPU 202, the I/O subsystem, and the peripheral interface.
  • the apparatus for preventing tampering with the customized model of the terminal device and the terminal device provided in the above embodiments can execute the method for preventing tampering with the customized model of the terminal device provided in any embodiment of the present application, and have corresponding function modules and beneficial effects for performing the method.
  • the method for preventing tampering with the custom model of the terminal device provided in any embodiment of the present application refer to the method for preventing tampering with the custom model of the terminal device provided in any embodiment of the present application.
  • An embodiment of the present application further provides a storage medium containing executable instructions of a terminal device.
  • executable instructions of the terminal device are executed by a processor of the terminal device, a method for preventing a custom model from being tampered is performed.
  • the method includes:
  • the corresponding first verification value is calculated according to the model structure file of the custom model
  • the model structure file and the first verification value are read in the trusted execution environment, and a second verification value corresponding to the model structure file is calculated;
  • the event of triggering tampering includes:
  • the trusted execution environment is used to automatically encrypt the stored file, and automatically decrypt the stored file when it is read.
  • the custom model is converted from a trained neural network model, and the operator in the custom model is configured with a corresponding expected operating device type, and the expected operating device type includes a CPU , GPU, DSP and NPU at least one.
  • the model structure file includes at least two operators and corresponding weight information, and the at least two operators and corresponding weight information are recorded through the membership calculation recorded in the weight information Subnames are associated.
  • the first check value and the second check value are the same, determine the type of running equipment of the custom model, if the type of running equipment and the custom model The type of expected operating equipment recorded in is different, the expected operating equipment type in the custom model is modified to the type of operating equipment, and the modified custom model is re-read.
  • adding the first verification value to the custom model and storing it before the trusted execution environment includes:

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Virology (AREA)
  • General Health & Medical Sciences (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • Stored Programmes (AREA)
  • Storage Device Security (AREA)

Abstract

一种自定义模型防篡改方法,包括:当自定义模型生成时,依据所述自定义模型的模型结构文件计算得到对应的第一校验值(S101),将所述第一校验值添加至所述自定义模型并存储在可信赖执行环境中(S102);当所述自定义模型读入时,在所述可信赖执行环境中读取所述模型结构文件以及所述第一校验值,计算所述模型结构文件对应的第二校验值(S103);如果所述第一校验值和所述第二校验值不同,则触发篡改事件(S104)。该方法提高了自定义模型的稳定性。

Description

自定义模型防篡改方法、装置、终端设备及存储介质
本申请要求于2018年12月19日提交中国专利局、申请号为201811557543.8、申请名称为“自定义模型防篡改方法、装置、终端设备及存储介质”的中国专利申请的优先权,其全部内容通过引用结合在本申请中。
技术领域
本申请实施例涉及计算机技术,尤其涉及一种自定义模型防篡改方法、装置、终端设备及存储介质。
背景技术
随着终端设备普及程度的提高,越来越多的用户使用终端设备执行各种各样的功能以满足自身需求,如使用终端设备阅读文字、观看视频、听音乐、玩游戏等,同时,伴随着人工智能技术的发展,终端设备中部署有一个或多个学习模型以进行人工智能的运算处理。
发明内容
本申请提供了一种自定义模型防篡改方法、装置、终端设备及存储介质,可以有效的解决自定义模型被篡改的问题,提高了自定义模型的稳定性。
第一方面,本申请实施例提供了一种自定义模型防篡改方法,包括:
当自定义模型生成时,依据所述自定义模型的模型结构文件计算得到对应的第一校验值;
将所述第一校验值添加至所述自定义模型并存储在可信赖执行环境中;
当所述自定义模型读入时,在所述可信赖执行环境中读取所述模型结构文件以及所述第一校验值,计算所述模型结构文件对应的第二校验值;
如果所述第一校验值和所述第二校验值不同,则触发篡改事件。
第二方面,本申请实施例还提供了一种自定义模型防篡改装置,包括:
第一校验值计算模块,用于当自定义模型生成时,依据所述自定义模型的模型结构文件计算得到对应的第一校验值;
校验值存储模块,用于将所述第一校验值添加至所述自定义模型并存储在可信赖执行环境中;
第二校验值计算模块,用于当所述自定义模型读入时,在所述可信赖执行环境中读取所述模型结构文件以及所述第一校验值,计算所述模型结构文件对 应的第二校验值;
校验值比对模块,用于如果所述第一校验值和所述第二校验值不同,则触发篡改事件。
第三方面,本申请实施例还提供了一种终端设备,包括:处理器、存储器以及存储在存储器上并可在处理器上运行的计算机程序,所述处理器执行所述计算机程序时实现:
当自定义模型生成时,依据所述自定义模型的模型结构文件计算得到对应的第一校验值;
将所述第一校验值添加至所述自定义模型并存储在可信赖执行环境中;
当所述自定义模型读入时,在所述可信赖执行环境中读取所述模型结构文件以及所述第一校验值,计算所述模型结构文件对应的第二校验值;
如果所述第一校验值和所述第二校验值不同,则触发篡改事件。
第四方面,本申请实施例还提供了一种包含终端设备可执行指令的存储介质,所述终端设备可执行指令在由终端设备处理器执行时用于执行:
当自定义模型生成时,依据所述自定义模型的模型结构文件计算得到对应的第一校验值;
将所述第一校验值添加至所述自定义模型并存储在可信赖执行环境中;
当所述自定义模型读入时,在所述可信赖执行环境中读取所述模型结构文件以及所述第一校验值,计算所述模型结构文件对应的第二校验值;
如果所述第一校验值和所述第二校验值不同,则触发篡改事件。
附图说明
通过阅读参照以下附图所作的对非限制性实施例所作的详细描述,本申请的其它特征、目的和优点将会变得更明显:
图1是本申请实施例提供的一种自定义模型防篡改方法的流程图;
图2是本申请实施例提供的另一种自定义模型防篡改方法的流程图;
图3是本申请实施例提供的另一种自定义模型防篡改方法的流程图;
图4是本申请实施例提供的另一种自定义模型防篡改方法的流程图;
图5是本申请实施例提供的一种自定义模型防篡改装置的结构框图;
图6是本申请实施例提供的一种终端设备的结构示意图。
具体实施方式
下面结合附图和实施例对本申请作进一步的详细说明。可以理解的是,此处所描述的具体实施例用于解释本申请,而非对本申请的限定。另外还需要说明的是,为了便于描述,附图中仅示出了与本申请相关的部分而非全部结构。
本申请实施例提供一种自定义模型防篡改方法,包括:
当自定义模型生成时,依据所述自定义模型的模型结构文件计算得到对应的第一校验值;
将所述第一校验值添加至所述自定义模型并存储在可信赖执行环境中;
当所述自定义模型读入时,在所述可信赖执行环境中读取所述模型结构文件以及所述第一校验值,计算所述模型结构文件对应的第二校验值;
如果所述第一校验值和所述第二校验值不同,则触发篡改事件。
在一些实施例中,所述触发篡改事件包括:
发送模型更新请求至服务器,用于所述服务器下发更新模型文件;
接收所述更新模型文件。
在一些实施例中,所述可信赖执行环境用于对存储的文件自动进行加密,在所述存储的文件进行读取时自动进行解密。
在一些实施例中,所述自定义模型由训练完毕的神经网络模型转化而成,所述自定义模型中的算子配置有对应的期望运行设备类型,所述期望运行设备类型包括CPU、GPU、DSP和NPU中的至少一种。
在一些实施例中,所述模型结构文件包括至少两个算子以及对应的权值信息,所述至少两个算子和对应的权值信息通过所述权值信息中记录的隶属算子名称进行关联。
在一些实施例中,如果所述第一校验值和所述第二校验值相同,则确定所述自定义模型的运行设备类型,如果所述运行设备类型和所述自定义模型中记录的期望运行设备类型不同,则修改所述自定义模型中的期望运行设备类型为所述运行设备类型,并重新读入修改后的自定义模型。
在一些实施例中,将所述第一校验值添加至所述自定义模型并存储在可信赖执行环境之前,还包括:
依据开源工具或者基于TEE开发的SDK搭建可信赖执行环境。
图1是本申请实施例提供的一种自定义模型防篡改方法的流程图,可适用 于自定义模型部署在终端设备进行运行的情况,该方法可以由本申请实施例提供的终端设备来执行,该终端设备的自定义模型防篡改装置可采用软件和/或硬件的方式实现,如图1所示,本实施例提供的具体方案如下:
S101、当自定义模型生成时,依据所述自定义模型的模型结构文件计算得到对应的第一校验值。
现有技术中,存在多种对学习模型进行加密的方法,以对学习模型进行保护,该种方式存在缺陷,需要改进。
在一个实施例中,该自定义模型定义了深度学习计算框架的模型格式,可用于人工智能和大数据运算,该自定义模型部署在终端设备中,如通过该自定义模型以实现自动美颜、智能拍照、用户兴趣点分析以及智能化数据推荐等。该自定义模型可依据不同的终端设备的硬件、软件系统适配性的生成,还可以是接收服务器发送的自定义模型压缩包或代码段,当接收完毕后在终端设备中生成该自定义模型以用于深度学习或其它智能化运算。现有技术中关注点均在于如何对自定义模型加密以防止被第三方或恶意软件对自定义模型的破解,但对于自定义模型的防篡改存在设计缺陷。
当自定义模型生成时,依据该自定义模型的模型结构文件计算得到对应的第一校验值。其中,自定义模型主要由模型结构文件组成,示例性可以是如下结构模式。
自定义模型结构:
Figure PCTCN2019109644-appb-000001
Figure PCTCN2019109644-appb-000002
在一个实施例中,依据自定义模型的模型结构文件计算得到对应的第一校验值可以是(以C语言为例,通过调用API进行实现):
使用CryptCreateHash创建一个哈希对象;
使用CryptHashData对模型结构文件中的数据(如字符串数据、二进制数据和十进制数据等)进行哈希运算得到哈希值;
使用CryptSignHash对该哈希值进行签名运算得到第一校验值。
其中,该第一校验值可以是如上描述的哈希签名值,需要说明的是,还可采用其他签名方式,本申请不做限定。
在上述实例中,对哈希值进行签名运算得到第一校验值使用的可以是服务商提供的私钥,在后续进行验证过程中,使用公钥进行解析以得到对应的校验值。
S102、将所述第一校验值添加至所述自定义模型并存储在可信赖执行环境中。
在一个实施例中,将S101中计算得到的第一校验值附加值自定义模型的末尾,具体结构如下:
自定义模型结构:
Figure PCTCN2019109644-appb-000003
Figure PCTCN2019109644-appb-000004
需要说明的是,该第一校验值还可以是添加到自定义模型的其他位置,本申请不做限定。
其中,可信赖执行环境(Trusted Execute Environment,简称TEE)包括对存储的文件进行自动加密,在读取存储的文件时进行自动解密的数据存储环境。在一个实施例中,将第一校验值添加至自定义模型并存储在可信赖执行环境中,该可信赖执行环境无法被CPU直接访问,仅可被建立安全连接的程序访问。在一个实施例中,该可信赖执行环境的部署方式包括使用开源工具或者基于TEE开发的SDK进行软件实现,具体的,可以是采用T-base、OP-TEE、securiTEE或者TLK中的任意一种。
S103、当所述自定义模型读入时,在所述可信赖执行环境中读取所述模型结构文件以及所述第一校验值,计算所述模型结构文件对应的第二校验值。
在需要进行深度学习运算时需要调用对应的自定义模型并进行自定义模型文件的读取。在一个实施例中,当自定义模型读入时,在可信赖执行环境中读取模型结构文件以及第一校验值,计算模型结构文件对应的第二校验值,其中,计算模型结构文件对应的第二校验值的方式为采用得到第一校验值对应的验证方式,如可以是计算模型结构文件的哈希值并使用存储记录的公钥对哈希值进行运算得到第二校验值,即该第二校验值可以是哈希签名值。
S104、如果所述第一校验值和所述第二校验值不同,则触发篡改事件。
在一个实施例中,对第一校验值和第二校验值进行比对,如果发现二者不同,则意味着该自定义模型被篡改,需要出发相应的篡改事件。其中,篡改事件为确定出自定义模型被篡改后为保证不使用篡改的自定义模型而定义的事件。示例性的,可以是发送自定义模型更新请求至服务器以重新获取自定义模型。
由上述内容可知,分别在自定义模型生成阶段和读取阶段计算自定义模型的校验值进行校验,避免了使用篡改的自定义模型进行运算带来的信息安全隐 患,同时,自定义模型存储在可信赖执行环境中,无法被CPU直接访问,且在自定义模型存储和读取时进行对应的加密和解密进一步保证了自定义模型的稳定性。
图2是本申请实施例提供的另一种自定义模型防篡改方法的流程图,可选的,所述触发篡改事件包括:发送模型更新请求至服务器,用于所述服务器下发更新模型文件;接收所述更新模型文件。如图2所示,技术方案具体如下:
S201、当自定义模型生成时,依据所述自定义模型的模型结构文件计算得到对应的第一校验值。
S202、将所述第一校验值添加至所述自定义模型并存储在可信赖执行环境中。
S203、当所述自定义模型读入时,在所述可信赖执行环境中读取所述模型结构文件以及所述第一校验值,计算所述模型结构文件对应的第二校验值。
S204、如果所述第一校验值和所述第二校验值不同,发送模型更新请求至服务器,用于所述服务器下发更新模型文件。
在一个实施例中,当确定出第一校验值和第二校验值不同,则意味着该自定义模型被其他恶意程序进行了篡改,为了保证用户信息安全以及模型运算结果的正确性,避免使用被篡改的自定义模型,采用发送模型更新请求至服务器以获取服务器下发更新模型文件。
S205、接收所述更新模型文件。
在一个实施例中,接收服务器下发的更新模型文件以替换原有的检测出被篡改的自定义模型。相应的,在接收到更新模型文件后计算该模型文件的第一校验值并将该第一校验值附加值该更新模型中保存在可信赖执行环境下,同理,在后续每次使用该更新模型时,相应的读取该保存的数据并进行校验,如果发现更新模型被篡改则相应的重新从服务器请求更新模型。
需要说明的是,自定义模型可由服务器端生成时,依据自定义模型的模型结构文件计算得到对应的第一校验值,并将第一校验值添加至自定义模型下发至终端设备,终端设备接收到该包含第一校验值的自定义模型后保存在可信赖执行环境中。
由上述可知,当确定自定义模型被篡改后,相应的进行自定义模型的更新,以保证深度学习运算使用的模型为非篡改的自定义模型,保证了运行安全以及 计算结果的准确性。
图3是本申请实施例提供的另一种自定义模型防篡改方法的流程图,可选的,还包括生成自定义模型的流程。如图3所示,技术方案具体如下:
S301、将训练完毕的神经网络模型转化为自定义模型。
在一个实施例中,自定义模型由训练完毕的神经网络模型转化而成,具体的,该自定义模型中的算子配置有对应的期望运行设备类型,期望运行设备类型包括CPU、GPU、DSP和NPU中的至少一种。示例性的,该自定模型的转化生成过程可以是:对训练完毕的神经网络模型进行解析,对解析到的每一个算子对应配置关联的期望运行设备类型,相应的,在后续自定义模型被读入时,需要修改某个算子期望在某个计算处理单元上运行时,相应的修改自定义模型文件,无需重新编译代码生成新的二进制可执行文件,相应的,在重新生成自定义模型后同样进行后续第一校验值生成以及在读取自定义模型时计算第二校验值并进行验证的过程。具体的,模型结构示例性的如下:
Figure PCTCN2019109644-appb-000005
在一个实施例中,该自定义模型结构文件中包括至少两个算子以及对应的 权值信息,至少两个算子和对应的权值信息通过权值信息中记录的隶属算子名称进行关联,进一步提高了自定义模型的架构稳定性以及运行效率。
S302、当自定义模型生成时,依据所述自定义模型的模型结构文件计算得到对应的第一校验值。
S303、将所述第一校验值添加至所述自定义模型并存储在可信赖执行环境中。
S304、当所述自定义模型读入时,在所述可信赖执行环境中读取所述模型结构文件以及所述第一校验值,计算所述模型结构文件对应的第二校验值。
S305、如果所述第一校验值和所述第二校验值不同,则触发篡改事件。
由上述可知,生成的自定义模型可运行在不同的设备中,仅需要修改自定义模型文件,重新进行模型读入即可,无需重新编译代码生成新的二进制可执行文件,是的深度学习模型的配置更加灵活,同时能够防止其修改配置后被其他恶意程序篡改。
图4是本申请实施例提供的另一种自定义模型防篡改方法的流程图,可选的,如果所述第一校验值和所述第二校验值相同,则确定所述自定义模型的运行设备类型,如果所述运行设备类型和所述自定义模型中记录的期望运行设备类型不同,则修改所述自定义模型中的期望运行设备类型为所述运行设备类型,并重新读入修改后的自定义模型。如图4所示,技术方案具体如下:
S401、当自定义模型生成时,依据所述自定义模型的模型结构文件计算得到对应的第一校验值。
S402、将所述第一校验值添加至所述自定义模型并存储在可信赖执行环境中。
S403、当所述自定义模型读入时,在所述可信赖执行环境中读取所述模型结构文件以及所述第一校验值,计算所述模型结构文件对应的第二校验值。
S404、判断第一校验值和第二校验值是否一致,如果是,则执行S405,如果否,则执行S409。
S405、确定所述自定义模型的运行设备类型。
在一个实施例中,该运行设备类型依据不同的硬件环境确定,包括CPU、GPU、DSP和NPU中的至少一种。
S406、判断自定义模型的运行设备类型和自定义模型中记录的期望运行设 备类型是否一致,如果是,则执行S407,否则执行S408。
S407、运行所述自定义模型进行数据运算处理。
S408、修改所述自定义模型中的期望运行设备类型为所述运行设备类型,并重新读入修改后的自定义模型。
在一个实施例中,可在确定出自定义模型的运行设备类型和自定义模型中记录的期望运行设备类型不一致后,对自定义模型执行配置修改,如修改算子结构中的期望运行设备类型为当前运行中的设备类型,并重新读入修改后的自定义模型进行深度学习运算。
S409、发送模型更新请求至服务器,用于所述服务器下发更新模型文件,并接收所述更新模型文件。
由上述可知,通过对自定义模型的文件修改,提高了深度学习运算效率,无需进行复杂的重新编译过程,提高了数据运算效率。
本申请实施例还提供一种自定义模型防篡改装置,包括:
第一校验值计算模块,用于当自定义模型生成时,依据所述自定义模型的模型结构文件计算得到对应的第一校验值;
校验值存储模块,用于将所述第一校验值添加至所述自定义模型并存储在可信赖执行环境中;
第二校验值计算模块,用于当所述自定义模型读入时,在所述可信赖执行环境中读取所述模型结构文件以及所述第一校验值,计算所述模型结构文件对应的第二校验值;
校验值比对模块,用于如果所述第一校验值和所述第二校验值不同,则触发篡改事件。
在一些实施例中,所述校验值比对模块还用于:
发送模型更新请求至服务器,用于所述服务器下发更新模型文件;
接收所述更新模型文件。
在一些实施例中,所述可信赖执行环境用于对存储的文件自动进行加密,在所述存储的文件进行读取时自动进行解密。
在一些实施例中,所述自定义模型由训练完毕的神经网络模型转化而成,所述自定义模型中的算子配置有对应的期望运行设备类型,所述期望运行设备类型包括CPU、GPU、DSP和NPU中的至少一种。
在一些实施例中,所述模型结构文件包括至少两个算子以及对应的权值信息,所述至少两个算子和对应的权值信息通过所述权值信息中记录的隶属算子名称进行关联。
在一些实施例中,所述校验值比对模块还用于:
如果所述第一校验值和所述第二校验值相同,则确定所述自定义模型的运行设备类型,如果所述运行设备类型和所述自定义模型中记录的期望运行设备类型不同,则修改所述自定义模型中的期望运行设备类型为所述运行设备类型,并重新读入修改后的自定义模型。
在一些实施例中,所述校验值存储模块还用于:
在将所述第一校验值添加至所述自定义模型并存储在可信赖执行环境之前,依据开源工具或者基于TEE开发的SDK搭建可信赖执行环境。
图5是本申请实施例提供的一种自定义模型防篡改装置的结构框图,该装置用于执行上述实施例提供的自定义模型防篡改方法,具备执行方法相应的功能模块和有益效果。如图5所示,该装置具体包括:第一校验值计算模块101、校验值存储模块102、第二校验值计算模块103和校验值比对模块104,其中,
第一校验值计算模块101,用于当自定义模型生成时,依据所述自定义模型的模型结构文件计算得到对应的第一校验值。
在一个实施例中,该自定义模型定义了深度学习计算框架的模型格式,可用于人工智能和大数据运算,该自定义模型部署在终端设备中,如通过该自定义模型以实现自动美颜、智能拍照、用户兴趣点分析以及智能化数据推荐等。该自定义模型可依据不同的终端设备的硬件、软件系统适配性的生成,还可以是接收服务器发送的自定义模型压缩包或代码段,当接收完毕后在终端设备中生成该自定义模型以用于深度学习或其它智能化运算。现有技术中关注点均在于如何对自定义模型加密以防止被第三方或恶意软件对自定义模型的破解,但对于自定义模型的防篡改存在设计缺陷。当自定义模型生成时,依据该自定义模型的模型结构文件计算得到对应的第一校验值。
在一个实施例中,依据自定义模型的模型结构文件计算得到对应的第一校验值可以是(以C语言为例,通过调用API进行实现):
使用CryptCreateHash创建一个哈希对象;
使用CryptHashData对模型结构文件中的数据(如字符串数据、二进制数 据和十进制数据等)进行哈希运算得到哈希值;
使用CryptSignHash对该哈希值进行签名运算得到第一校验值。
其中,该第一校验值可以是如上描述的哈希签名值,需要说明的是,还可采用其他签名方式,本申请不做限定。
在上述实例中,对哈希值进行签名运算得到第一校验值使用的可以是服务商提供的私钥,在后续进行验证过程中,使用公钥进行解析以得到对应的校验值。
校验值存储模块102,用于将所述第一校验值添加至所述自定义模型并存储在可信赖执行环境中。
其中,可信赖执行环境(Trusted Execute Environment,简称TEE)包括对存储的文件进行自动加密,在读取存储的文件时进行自动解密的数据存储环境。在一个实施例中,将第一校验值添加至自定义模型并存储在可信赖执行环境中,该可信赖执行环境无法被CPU直接访问,仅可被建立安全连接的程序访问。在一个实施例中,该可信赖执行环境的部署方式包括使用开源工具或者基于TEE开发的SDK进行软件实现,具体的,可以是采用T-base、OP-TEE、securiTEE或者TLK中的任意一种。
第二校验值计算模块103,用于当所述自定义模型读入时,在所述可信赖执行环境中读取所述模型结构文件以及所述第一校验值,计算所述模型结构文件对应的第二校验值。
在需要进行深度学习运算时需要调用对应的自定义模型并进行自定义模型文件的读取。在一个实施例中,当自定义模型读入时,在可信赖执行环境中读取模型结构文件以及第一校验值,计算模型结构文件对应的第二校验值,其中,计算模型结构文件对应的第二校验值的方式为采用得到第一校验值对应的验证方式,如可以是计算模型结构文件的哈希值并使用存储记录的公钥对哈希值进行运算得到第二校验值,即该第二校验值可以是哈希签名值。
校验值比对模块104,用于如果所述第一校验值和所述第二校验值不同,则触发篡改事件。
在一个实施例中,对第一校验值和第二校验值进行比对,如果发现二者不同,则意味着该自定义模型被篡改,需要出发相应的篡改事件。其中,篡改事件为确定出自定义模型被篡改后为保证不使用篡改的自定义模型而定义的事 件。示例性的,可以是发送自定义模型更新请求至服务器以重新获取自定义模型。
由上述内容可知,分别在自定义模型生成阶段和读取阶段计算自定义模型的校验值进行校验,避免了使用篡改的自定义模型进行运算带来的信息安全隐患,同时,自定义模型存储在可信赖执行环境中,无法被CPU直接访问,且在自定义模型存储和读取时进行对应的加密和解密进一步保证了自定义模型的稳定性。
在一个可能的实施例中,所述校验值比对模块104具体用于:
发送模型更新请求至服务器,用于所述服务器下发更新模型文件;
接收所述更新模型文件。
在一个可能的实施例中,所述可信赖执行环境用于对存储的文件自动进行加密,在所述存储的文件进行读取时自动进行解密。
在一个可能的实施例中,所述自定义模型由训练完毕的神经网络模型转化而成,所述自定义模型中的算子配置有对应的期望运行设备类型,所述期望运行设备类型包括CPU、GPU、DSP和NPU中的至少一种。
在一个可能的实施例中,所述模型结构文件包括至少两个算子以及对应的权值信息,所述至少两个算子和对应的权值信息通过所述权值信息中记录的隶属算子名称进行关联。
在一个可能的实施例中,所述校验值比对模块104具体用于:
如果所述第一校验值和所述第二校验值相同,则确定所述自定义模型的运行设备类型;
该装置还包括自定义模型配置模块105,用于如果所述运行设备类型和所述自定义模型中记录的期望运行设备类型不同,则修改所述自定义模型中的期望运行设备类型为所述运行设备类型,并重新读入修改后的自定义模型。
在一个可能的实施例中,所述校验值存储模块102还用于:
在将所述第一校验值添加至所述自定义模型并存储在可信赖执行环境之前,依据开源工具或者基于TEE开发的SDK搭建可信赖执行环境。
本实施例在上述各实施例的基础上提供了一种终端设备,图6是本申请实施例提供的一种终端设备的结构示意图,如图6所示,该终端设备200包括:存储器201、处理器(Central Processing Unit,CPU)202、外设接口203、RF (Radio Frequency,射频)电路205、音频电路206、扬声器211、电源管理芯片208、输入/输出(I/O)子系统209、触摸屏212、Wifi模块213、其他输入/控制设备210以及外部端口204,这些部件通过一个或多个通信总线或信号线207来通信。
应该理解的是,图示终端设备200仅仅是终端设备的一个范例,并且终端设备200可以具有比图中所示出的更多的或者更少的部件,可以组合两个或更多的部件,或者可以具有不同的部件配置。图中所示出的各种部件可以在包括一个或多个信号处理和/或专用集成电路在内的硬件、软件、或硬件和软件的组合中实现。
下面就本实施例提供的用于自定义模型防篡改的终端设备进行详细的描述,该终端设备以智能手机为例。
存储器201,所述存储器201可以被CPU202、外设接口203等访问,所述存储器201可以包括高速随机存取存储器,还可以包括非易失性存储器,例如一个或多个磁盘存储器件、闪存器件、或其他易失性固态存储器件。
外设接口203,所述外设接口203可以将设备的输入和输出外设连接到CPU202和存储器201。
I/O子系统209,所述I/O子系统209可以将设备上的输入输出外设,例如触摸屏212和其他输入/控制设备210,连接到外设接口203。I/O子系统209可以包括显示控制器2091和用于控制其他输入/控制设备210的一个或多个输入控制器2092。其中,一个或多个输入控制器2092从其他输入/控制设备210接收电信号或者向其他输入/控制设备210发送电信号,其他输入/控制设备210可以包括物理按钮(按压按钮、摇臂按钮等)、拨号盘、滑动开关、操纵杆、点击滚轮。值得说明的是,输入控制器2092可以与以下任一个连接:键盘、红外端口、USB接口以及诸如鼠标的指示设备。
触摸屏212,所述触摸屏212是用户终端与用户之间的输入接口和输出接口,将可视输出显示给用户,可视输出可以包括图形、文本、图标、视频等。
I/O子系统209中的显示控制器2091从触摸屏212接收电信号或者向触摸屏212发送电信号。触摸屏212检测触摸屏上的接触,显示控制器2091将检测到的接触转换为与显示在触摸屏212上的用户界面对象的交互,即实现人机交互,显示在触摸屏212上的用户界面对象可以是运行游戏的图标、联网到相 应网络的图标等。值得说明的是,设备还可以包括光鼠,光鼠是不显示可视输出的触摸敏感表面,或者是由触摸屏形成的触摸敏感表面的延伸。
RF电路205,主要用于建立手机与无线网络(即网络侧)的通信,实现手机与无线网络的数据接收和发送。例如收发短信息、电子邮件等。具体地,RF电路205接收并发送RF信号,RF信号也称为电磁信号,RF电路205将电信号转换为电磁信号或将电磁信号转换为电信号,并且通过该电磁信号与通信网络以及其他设备进行通信。RF电路205可以包括用于执行这些功能的已知电路,其包括但不限于天线系统、RF收发机、一个或多个放大器、调谐器、一个或多个振荡器、数字信号处理器、CODEC(COder-DECoder,编译码器)芯片组、用户标识模块(Subscriber Identity Module,SIM)等等。
音频电路206,主要用于从外设接口203接收音频数据,将该音频数据转换为电信号,并且将该电信号发送给扬声器211。
扬声器211,用于将手机通过RF电路205从无线网络接收的语音信号,还原为声音并向用户播放该声音。
电源管理芯片208,用于为CPU202、I/O子系统及外设接口所连接的硬件进行供电及电源管理。
上述实施例中提供的终端设备的自定义模型防篡改装置及终端设备可执行本申请任意实施例所提供的终端设备的自定义模型防篡改方法,具备执行该方法相应的功能模块和有益效果。未在上述实施例中详尽描述的技术细节,可参见本申请任意实施例所提供的终端设备的自定义模型防篡改方法。
本申请实施例还提供一种包含终端设备可执行指令的存储介质,所述终端设备可执行指令在由终端设备处理器执行时用于执行一种自定义模型防篡改方法,该方法包括:
当自定义模型生成时,依据所述自定义模型的模型结构文件计算得到对应的第一校验值;
将所述第一校验值添加至所述自定义模型并存储在可信赖执行环境中;
当所述自定义模型读入时,在所述可信赖执行环境中读取所述模型结构文件以及所述第一校验值,计算所述模型结构文件对应的第二校验值;
如果所述第一校验值和所述第二校验值不同,则触发篡改事件。
在一个可能的实施例中,所述触发篡改事件包括:
发送模型更新请求至服务器,用于所述服务器下发更新模型文件;
接收所述更新模型文件。
在一个可能的实施例中,所述可信赖执行环境用于对存储的文件自动进行加密,在所述存储的文件进行读取时自动进行解密。
在一个可能的实施例中,所述自定义模型由训练完毕的神经网络模型转化而成,所述自定义模型中的算子配置有对应的期望运行设备类型,所述期望运行设备类型包括CPU、GPU、DSP和NPU中的至少一种。
在一个可能的实施例中,所述模型结构文件包括至少两个算子以及对应的权值信息,所述至少两个算子和对应的权值信息通过所述权值信息中记录的隶属算子名称进行关联。
在一个可能的实施例中,如果所述第一校验值和所述第二校验值相同,则确定所述自定义模型的运行设备类型,如果所述运行设备类型和所述自定义模型中记录的期望运行设备类型不同,则修改所述自定义模型中的期望运行设备类型为所述运行设备类型,并重新读入修改后的自定义模型。
在一个可能的实施例中,将所述第一校验值添加至所述自定义模型并存储在可信赖执行环境之前,还包括:
依据开源工具或者基于TEE开发的SDK搭建可信赖执行环境。
注意,上述仅为本申请的较佳实施例及所运用技术原理。本领域技术人员会理解,本申请不限于这里所述的特定实施例,对本领域技术人员来说能够进行各种明显的变化、重新调整和替代而不会脱离本申请的保护范围。因此,虽然通过以上实施例对本申请进行了较为详细的说明,但是本申请不仅仅限于以上实施例,在不脱离本申请构思的情况下,还可以包括更多其他等效实施例,而本申请的范围由所附的权利要求范围决定。

Claims (20)

  1. 自定义模型防篡改方法,其中,包括:
    当自定义模型生成时,依据所述自定义模型的模型结构文件计算得到对应的第一校验值;
    将所述第一校验值添加至所述自定义模型并存储在可信赖执行环境中;
    当所述自定义模型读入时,在所述可信赖执行环境中读取所述模型结构文件以及所述第一校验值,计算所述模型结构文件对应的第二校验值;
    如果所述第一校验值和所述第二校验值不同,则触发篡改事件。
  2. 根据权利要求1所述的方法,其中,所述触发篡改事件包括:
    发送模型更新请求至服务器,用于所述服务器下发更新模型文件;
    接收所述更新模型文件。
  3. 根据权利要求1所述的方法,其中,所述可信赖执行环境用于对存储的文件自动进行加密,在所述存储的文件进行读取时自动进行解密。
  4. 根据权利要求1-3中任一项所述的方法,其中,所述自定义模型由训练完毕的神经网络模型转化而成,所述自定义模型中的算子配置有对应的期望运行设备类型,所述期望运行设备类型包括CPU、GPU、DSP和NPU中的至少一种。
  5. 根据权利要求4所述的方法,其中,所述模型结构文件包括至少两个算子以及对应的权值信息,所述至少两个算子和对应的权值信息通过所述权值信息中记录的隶属算子名称进行关联。
  6. 根据权利要求4所述的方法,其中,如果所述第一校验值和所述第二校验值相同,则确定所述自定义模型的运行设备类型,如果所述运行设备类型和所述自定义模型中记录的期望运行设备类型不同,则修改所述自定义模型中的期望运行设备类型为所述运行设备类型,并重新读入修改后的自定义模型。
  7. 根据权利要求4所述的方法,其中,将所述第一校验值添加至所述自定义模型并存储在可信赖执行环境之前,还包括:
    依据开源工具或者基于TEE开发的SDK搭建可信赖执行环境。
  8. 自定义模型防篡改装置,其中,包括:
    第一校验值计算模块,用于当自定义模型生成时,依据所述自定义模型的模型结构文件计算得到对应的第一校验值;
    校验值存储模块,用于将所述第一校验值添加至所述自定义模型并存储在可信赖执行环境中;
    第二校验值计算模块,用于当所述自定义模型读入时,在所述可信赖执行环境中读取所述模型结构文件以及所述第一校验值,计算所述模型结构文件对应的第二校验值;
    校验值比对模块,用于如果所述第一校验值和所述第二校验值不同,则触发篡改事件。
  9. 根据权利要求8所述的装置,其中,所述校验值比对模块还用于:
    发送模型更新请求至服务器,用于所述服务器下发更新模型文件;
    接收所述更新模型文件。
  10. 根据权利要求8所述的装置,其中,所述可信赖执行环境用于对存储的文件自动进行加密,在所述存储的文件进行读取时自动进行解密。
  11. 根据权利要求8-10中任一项所述的装置,其中,所述自定义模型由训练完毕的神经网络模型转化而成,所述自定义模型中的算子配置有对应的期望运行设备类型,所述期望运行设备类型包括CPU、GPU、DSP和NPU中的至少一种。
  12. 根据权利要求11所述的装置,其中,所述模型结构文件包括至少两个算子以及对应的权值信息,所述至少两个算子和对应的权值信息通过所述权值信息中记录的隶属算子名称进行关联。
  13. 根据权利要求11所述的装置,其中,所述校验值比对模块还用于:
    如果所述第一校验值和所述第二校验值相同,则确定所述自定义模型的运行设备类型,如果所述运行设备类型和所述自定义模型中记录的期望运行设备类型不同,则修改所述自定义模型中的期望运行设备类型为所述运行设备类型,并重新读入修改后的自定义模型。
  14. 根据权利要求11所述的装置,其中,所述校验值存储模块还用于:
    在将所述第一校验值添加至所述自定义模型并存储在可信赖执行环境之前,依据开源工具或者基于TEE开发的SDK搭建可信赖执行环境。
  15. 一种终端设备,包括:处理器、存储器以及存储在存储器上并可在处理器上运行的计算机程序,其中,所述处理器执行所述计算机程序时实现:
    当自定义模型生成时,依据所述自定义模型的模型结构文件计算得到对应 的第一校验值;
    将所述第一校验值添加至所述自定义模型并存储在可信赖执行环境中;
    当所述自定义模型读入时,在所述可信赖执行环境中读取所述模型结构文件以及所述第一校验值,计算所述模型结构文件对应的第二校验值;
    如果所述第一校验值和所述第二校验值不同,则触发篡改事件。。
  16. 根据权利要求15所述的终端设备,其中,所述处理器还用于执行:
    发送模型更新请求至服务器,用于所述服务器下发更新模型文件;
    接收所述更新模型文件。
  17. 根据权利要求15所述的终端设备,其中,所述可信赖执行环境用于对存储的文件自动进行加密,在所述存储的文件进行读取时自动进行解密。
  18. 根据权利要求15-17中任一项所述的终端设备,其中,所述自定义模型由训练完毕的神经网络模型转化而成,所述自定义模型中的算子配置有对应的期望运行设备类型,所述期望运行设备类型包括CPU、GPU、DSP和NPU中的至少一种。
  19. 根据权利要求18所述的终端设备,其中,所述处理器还用于执行:
    如果所述第一校验值和所述第二校验值相同,则确定所述自定义模型的运行设备类型,如果所述运行设备类型和所述自定义模型中记录的期望运行设备类型不同,则修改所述自定义模型中的期望运行设备类型为所述运行设备类型,并重新读入修改后的自定义模型。
  20. 一种包含终端设备可执行指令的存储介质,其中,所述终端设备可执行指令在由终端设备处理器执行时用于执行如权利要求1-7中任一项所述的自定义模型防篡改方法。
PCT/CN2019/109644 2018-12-19 2019-09-30 自定义模型防篡改方法、装置、终端设备及存储介质 WO2020125134A1 (zh)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201811557543.8A CN109684839A (zh) 2018-12-19 2018-12-19 自定义模型防篡改方法、装置、终端设备及存储介质
CN201811557543.8 2018-12-19

Publications (1)

Publication Number Publication Date
WO2020125134A1 true WO2020125134A1 (zh) 2020-06-25

Family

ID=66186906

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/109644 WO2020125134A1 (zh) 2018-12-19 2019-09-30 自定义模型防篡改方法、装置、终端设备及存储介质

Country Status (2)

Country Link
CN (1) CN109684839A (zh)
WO (1) WO2020125134A1 (zh)

Families Citing this family (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109684839A (zh) * 2018-12-19 2019-04-26 Oppo广东移动通信有限公司 自定义模型防篡改方法、装置、终端设备及存储介质
CN110619220B (zh) * 2019-08-09 2022-03-11 北京小米移动软件有限公司 对神经网络模型加密的方法及装置、存储介质
CN110619233A (zh) * 2019-09-05 2019-12-27 视联动力信息技术股份有限公司 一种文件保护方法和装置
CN111159776A (zh) * 2019-12-24 2020-05-15 山东浪潮人工智能研究院有限公司 一种自适应神经网络模型验证方法及系统
CN113268737A (zh) * 2020-02-15 2021-08-17 阿里巴巴集团控股有限公司 环境安全验证方法、系统和客户端
CN111628866B (zh) * 2020-05-22 2021-08-31 深圳前海微众银行股份有限公司 神经网络校验方法、装置、设备及可读存储介质
CN112287334B (zh) * 2020-11-06 2024-03-08 浙江中控技术股份有限公司 自定义库处理方法、装置及系统
CN114218166A (zh) * 2021-11-04 2022-03-22 北京百度网讯科技有限公司 数据处理方法、装置、电子设备及可读存储介质
CN117672417B (zh) * 2024-01-31 2024-04-05 中国空气动力研究与发展中心计算空气动力研究所 一种表面有限催化模型自定义接口设计方法

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104298913A (zh) * 2013-07-18 2015-01-21 中国科学院信息工程研究所 一种通用的智能终端安全启动方法
CN104850466A (zh) * 2015-05-22 2015-08-19 中国电力科学研究院 用于智能变电站icd模型之间的一致性校验方法
US20180285127A1 (en) * 2016-12-15 2018-10-04 Shenyang Institute Of Automation, Chinese Academy Of Sciences Method for trusted booting of plc based on measurement mechanism
CN109684839A (zh) * 2018-12-19 2019-04-26 Oppo广东移动通信有限公司 自定义模型防篡改方法、装置、终端设备及存储介质

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104219198B (zh) * 2013-05-30 2018-04-27 中国银联股份有限公司 一种WebApp的防篡改方法
KR101711024B1 (ko) * 2013-12-19 2017-02-28 한국전자통신연구원 부정조작방지 장치 접근 방법 및 그 방법을 채용한 단말 장치
CN104954353B (zh) * 2015-02-10 2018-03-30 腾讯科技(深圳)有限公司 Apk文件包的校验方法和装置
CN108764487B (zh) * 2018-05-29 2022-07-08 北京百度网讯科技有限公司 用于生成模型的方法和装置、用于识别信息的方法和装置

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104298913A (zh) * 2013-07-18 2015-01-21 中国科学院信息工程研究所 一种通用的智能终端安全启动方法
CN104850466A (zh) * 2015-05-22 2015-08-19 中国电力科学研究院 用于智能变电站icd模型之间的一致性校验方法
US20180285127A1 (en) * 2016-12-15 2018-10-04 Shenyang Institute Of Automation, Chinese Academy Of Sciences Method for trusted booting of plc based on measurement mechanism
CN109684839A (zh) * 2018-12-19 2019-04-26 Oppo广东移动通信有限公司 自定义模型防篡改方法、装置、终端设备及存储介质

Also Published As

Publication number Publication date
CN109684839A (zh) 2019-04-26

Similar Documents

Publication Publication Date Title
WO2020125134A1 (zh) 自定义模型防篡改方法、装置、终端设备及存储介质
CN108595970B (zh) 处理组件的配置方法、装置、终端及存储介质
US11057216B2 (en) Protection method and protection system of system partition key data and terminal
US9652610B1 (en) Hierarchical data security measures for a mobile device
WO2018177124A1 (zh) 业务处理方法、装置、数据共享系统及存储介质
CN108769027B (zh) 安全通信方法、装置、移动终端和存储介质
WO2017211205A1 (zh) 一种白名单更新方法和装置
US10078599B2 (en) Application access control method and electronic apparatus implementing the same
WO2018228199A1 (zh) 一种授权方法以及相关设备
CN113141610B (zh) 将设备标识符和用户标识符相关联的设备盗窃防护
US20150312759A1 (en) Mobile device and method of sharing content
US9582656B2 (en) Systems for validating hardware devices
WO2021115113A1 (zh) 数据处理方法、装置及存储介质
US20140258734A1 (en) Data security method and electronic device implementing the same
US10733594B1 (en) Data security measures for mobile devices
WO2017206833A1 (zh) 支付方法、支付设备和支付服务器
WO2017028711A1 (zh) 数据处理的方法、穿戴式电子设备和系统
CN107103211B (zh) Sdk发送、应用发布、应用运行方法及装置
CN111460516B (zh) 基于非侵入式的数据保护方法、装置、终端及存储介质
CN110457894A (zh) root权限的分配方法、装置、存储介质及终端设备
Mohsen et al. Android keylogging threat
CN108475304A (zh) 一种关联应用程序和生物特征的方法、装置以及移动终端
KR102180529B1 (ko) 어플리케이션 접근 제어 방법 및 이를 구현하는 전자 장치
KR102657388B1 (ko) 암호화될 데이터의 정보량에 기반하여 암호화에 사용될 키를 선택하는 전자 장치 및 전자 장치의 동작 방법
US20230177196A1 (en) Resource management method, computing device, computing equipment, and readable storage medium

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19901149

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 19901149

Country of ref document: EP

Kind code of ref document: A1