WO2022126644A1 - Model protection device, method, and computing device - Google Patents


Info

Publication number
WO2022126644A1
Authority
WO
WIPO (PCT)
Prior art keywords
model
read
control signal
model protection
controller
Prior art date
Application number
PCT/CN2020/137748
Other languages
French (fr)
Chinese (zh)
Inventor
谢时岳
周海林
查可拉博蒂·齐元吉
闵新�
Original Assignee
华为技术有限公司
Priority date
Filing date
Publication date
Application filed by 华为技术有限公司
Priority to PCT/CN2020/137748
Priority to CN202080103291.0A
Publication of WO2022126644A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules

Definitions

  • the present application relates to the technical field of artificial intelligence (AI), and in particular, to a model protection device and method, and a computing device.
  • AI artificial intelligence
  • AI models are valuable intellectual property, and protecting them is of great significance.
  • AI models are mainly protected by legal means such as contracts to prevent the leakage and abuse of AI models, and there is no effective solution to technically protect AI models.
  • the application provides a model protection device and method, and a computing device, which can protect the AI model.
  • the technical solutions provided by the application are as follows:
  • the present application provides a model protection device, where the model protection device includes: an access authority controller and a memory controller.
  • the access authority controller is used to obtain a read command, and the read command is used to request to read the artificial intelligence AI model from the memory.
  • the access authority controller is also used to perform an authentication operation on the read instruction, and generate a control signal based on the authentication result, where the control signal is used to indicate whether to decrypt the AI model read from the memory.
  • the access rights controller is also used to send read commands to the memory controller.
  • the memory controller is used to read the AI model from the memory based on the read instruction.
  • the read command is authenticated by the access authority controller, and an indication of whether to decrypt the AI model read from the memory can be generated.
  • the AI model is stored in the memory in the form of an encrypted model, so the AI model can be used successfully only if the control signal indicates that it is to be decrypted; if the control signal indicates that the AI model is not to be decrypted, the AI model cannot be used. Therefore, by controlling the process of decrypting the AI model, copying, leakage and abuse of the AI model can be prevented, the AI model is protected, which helps to establish a sound AI model ecosystem and build a safe and reasonable profit model.
  • the access authority controller is specifically configured to: acquire a read address for reading the AI model included in the read instruction, and perform an authentication operation on the read instruction based on the read address.
  • the access authority controller can also obtain the valid address range in the memory of the AI model read by the read command, and perform the authentication operation on the read command according to the read address and the valid address range.
  • the effective address range of the AI model in the memory at least covers the real storage address of the AI model in the memory.
  • the effective address range of the AI model in the memory may be set according to the storage address of the AI model in the memory after the driver module stores the AI model in the memory.
  • the control signal includes a first control signal and a second control signal, the first control signal is used to instruct the AI model to be decrypted, and the second control signal is used to instruct not to decrypt the AI model.
  • the access authority controller is specifically configured to: generate a first control signal when the read address is a legal address; and generate a second control signal when the read address is an illegal address.
  • when the read address is within the valid address range of the AI model, the read address is called a legal address, and when the read address is outside the valid address range of the AI model, the read address is called an illegal address.
  • the access authority controller may also perform the authentication operation according to other conditions than the read address.
  • a decryption authority identifier is stored in the model protection device, and the decryption authority identifier is used to indicate whether the AI model used by the current computing task is allowed to be decrypted.
  • the access authority controller is specifically used for: when the read address is a legal address and the specified condition is met, generating the first control signal; when the read address is an illegal address and/or the specified condition is not met, generating the second control signal.
  • the specified condition includes at least one of the following: the decryption permission identifier indicates that the AI model used by the current computing task is allowed to be decrypted, or the AI model is an encryption model.
  • the access authority controller may also set the decryption authority identifier according to whether the read address is a legal address.
  • when the access authority controller determines that the read address is an illegal address, it can control the decryption authority identifier to indicate that all AI models used by the current computing task are not allowed to be decrypted.
  • a penalty mechanism for decrypting the AI model can thus be realized by judging the read address: once the read address is determined to be an illegal address, the decryption permission flag is set to indicate that all AI models used in the current computing task are not allowed to be decrypted.
  • the mechanism can set the decryption permission flag so that it indicates that all AI models used by the current computing task are not allowed to be decrypted, which can prevent the AI model from being attacked through a malicious model.
  • a decryption authority identifier can be set for multiple computing tasks serially executed by the computing device, and the value of the decryption authority identifier during the execution of each computing task indicates whether the AI model used during the corresponding computing task is allowed to be decrypted.
  • decryption permission identifiers may be set for different computing tasks respectively, and the decryption permission identifier set for each computing task is used to indicate whether the AI model used by the corresponding computing task is allowed to be decrypted.
  • the access authority controller may also reset the decryption authority identifier to indicate that decryption is permitted, so as to ensure that the computing task executed after the current computing task can obtain its AI model normally.
  • the decryption authority identifier can also be reset in other ways, for example, the decryption authority identifier can be reset by re-powering on the computing device.
  • Whether the AI model is an encrypted model can be determined according to the model manufacturer's protection requirements for the model.
  • if the model manufacturer needs to protect the AI model, it can encrypt the AI model and set the encryption flag to indicate that the AI model is an encrypted model.
  • if the model manufacturer does not need to protect the AI model, it does not need to encrypt the AI model, and sets the encryption flag to indicate that the AI model is a non-encrypted model.
  • the process of performing the authentication operation by the access authority controller further includes: the access authority controller judges whether the received read command is a read command for instructing to read the AI model; if it is not, the read command is not used to request reading the AI model from the memory, the data read according to the read command does not need to be decrypted, and the access authority controller can generate a control signal instructing not to decrypt the content read according to the read command.
  • a read command in general is used to request reading of content such as data and computer programs; the read command for instructing to read the AI model is one kind of read command, and is used to request to read the computer program.
  • the authentication operation performed by the access authority controller may include the process of judging whether the read address is a legal address, the process of judging the content indicated by the decryption authority identifier, the process of judging whether the AI model is an encrypted model, and the process of judging whether the received read command is a read command for instructing to read the AI model.
  • the execution order of the procedures can be set according to the application requirements.
  • the process of the access authority controller performing the authentication operation and generating the control signal according to the authentication result includes: the access authority controller obtains a read command; after receiving the read command, the access authority controller determines whether the decryption authority identifier indicates that the AI model used by the current computing task is allowed to be decrypted.
  • when the decryption authority identifier indicates that the AI model used by the current computing task is not allowed to be decrypted, the access authority controller generates a second control signal; when the decryption authority identifier indicates that the AI model used by the current computing task is allowed to be decrypted, the access authority controller determines whether the AI model is an encrypted model.
  • when the AI model is a non-encrypted model, the access authority controller generates a second control signal; when the AI model is an encrypted model, the access authority controller judges whether the read command is a read command for instructing to read the AI model.
  • when the read command is not a read command for instructing to read the AI model, the access authority controller generates a second control signal; when the read command is a read command for instructing to read the AI model, the access authority controller determines whether the read address is a legal address; when the read address is a legal address, a first control signal is generated; when the read address is an illegal address, the access authority controller controls the decryption authority identifier to indicate that all AI models used by the current computing task are not allowed to be decrypted, and generates a second control signal.
  • when any one of the above judgment conditions is not satisfied, the access authority controller generates the second control signal without evaluating the remaining judgment conditions, which reduces the workload of the access authority controller and ensures authentication efficiency.
  • the authentication process first judges according to the decryption authority identifier, then judges whether the AI model is an encrypted model, then judges whether the read command is a read command for instructing to read the AI model, and finally judges whether the read address is a legal address, so that the judgment proceeds from coarse-grained to fine-grained conditions, which further ensures the reliability of authentication.
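The coarse-to-fine authentication sequence above, simulated in software as an added example (this is not code from the patent application or its applicant): the class and field names such as `AccessAuthorityController`, `ReadInstruction` and the read `size` field are assumptions, the valid address range is held as a start address plus a length (one of the two register layouts the application describes), and a read is treated as legal only if it lies entirely inside that range. The sequence of reads in `run_scenario` is constructed.

```python
"""Software model of the access authority controller (added example, assumed names)."""
from dataclasses import dataclass
from enum import Enum


class ControlSignal(Enum):
    """Control signal handed to the decryption circuit."""
    FIRST = "decrypt"        # first control signal: decrypt the AI model
    SECOND = "no_decrypt"    # second control signal: do not decrypt


@dataclass(frozen=True)
class ReadInstruction:
    """Read instruction issued by the dedicated processor (assumed fields)."""
    address: int             # read address
    size: int                # bytes requested (assumption: a read covers a burst, not one byte)
    reads_ai_model: bool     # True if this read command requests the AI model


class AccessAuthorityController:
    def __init__(self) -> None:
        # First register: valid address range as start address plus length.
        self.range_start = 0
        self.range_length = 0
        # Decryption authority identifier for the current computing task.
        self.decrypt_allowed = True
        # Encryption flag set by the model manufacturer.
        self.model_is_encrypted = False

    def program_valid_range(self, start: int, length: int) -> None:
        """The driver module records where the model sits after storing it in memory."""
        self.range_start = start
        self.range_length = length

    def set_encryption_flag(self, encrypted: bool) -> None:
        self.model_is_encrypted = encrypted

    def is_legal_address(self, address: int, size: int) -> bool:
        """Legal only if the whole read lies inside the valid address range."""
        end = self.range_start + self.range_length
        return self.range_start <= address and address + size <= end

    def authenticate(self, instr: ReadInstruction) -> ControlSignal:
        """Coarse-to-fine checks; the first failing check ends the evaluation."""
        if not self.decrypt_allowed:          # identifier says: no decryption this task
            return ControlSignal.SECOND
        if not self.model_is_encrypted:       # plaintext model needs no decryption
            return ControlSignal.SECOND
        if not instr.reads_ai_model:          # ordinary data read, pass through
            return ControlSignal.SECOND
        if self.is_legal_address(instr.address, instr.size):
            return ControlSignal.FIRST
        # Penalty mechanism: an illegal address revokes decryption for every
        # AI model used by the current computing task.
        self.decrypt_allowed = False
        return ControlSignal.SECOND

    def complete_task(self) -> None:
        """Reset the identifier so the next computing task can obtain its model."""
        self.decrypt_allowed = True


def run_scenario() -> list:
    """Constructed sequence of reads; returns the control signals produced."""
    ctrl = AccessAuthorityController()
    ctrl.program_valid_range(start=0x1000, length=0x400)   # model occupies 0x1000-0x13FF
    ctrl.set_encryption_flag(True)
    reads = [
        ReadInstruction(0x1000, 64, True),   # inside range            -> decrypt
        ReadInstruction(0x13C0, 64, True),   # ends exactly at 0x1400  -> decrypt
        ReadInstruction(0x13E0, 64, True),   # crosses the end         -> no_decrypt, penalty set
        ReadInstruction(0x1000, 64, True),   # legal, but penalised    -> no_decrypt
    ]
    signals = [ctrl.authenticate(r).value for r in reads]
    ctrl.complete_task()                                  # next task: identifier reset
    signals.append(ctrl.authenticate(ReadInstruction(0x1000, 64, True)).value)   # decrypt again
    signals.append(ctrl.authenticate(ReadInstruction(0x1000, 64, False)).value)  # data read: no_decrypt
    return signals


if __name__ == "__main__":
    print(run_scenario())
```

Note that the non-model read at the end does not trip the penalty: only an illegal address on a read that requests the AI model revokes decryption for the rest of the task, which matches the order of the judgments in the text.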
  • the model protection device further includes: a first register, where the first register is used to store the effective address range of the AI model in the memory.
  • the access authority controller is specifically configured to read the effective address range from the first register, and perform an authentication operation on the read instruction based on the effective address range and the read address.
  • the first register may be a collective term for one or more registers used to implement the storage effective address range.
  • the effective address range can be represented by variables stored in two registers: one register stores the starting address of the effective address range, and the other register stores either the length of the effective address range or its end address.
  • the model protection device further includes: a decryption circuit and a dedicated processor.
  • a dedicated processor is used to generate read commands and send them to the access rights controller.
  • the decryption circuit is used to receive the control signal generated by the access authority controller and, under the instruction of the control signal, either decrypt the AI model and transmit it to the dedicated processor, or transparently transmit the AI model to the dedicated processor.
  • Dedicated processors are also used to perform current computing tasks based on the AI model transmitted by the decryption circuit.
  • the model protection device further includes: a key generation circuit.
  • the key generation circuit is used to obtain the root key of the model protection device, the version ID of the AI model and the device ID of the model protection device, and to generate, based on the root key, the version ID and the device ID, a decryption key for decrypting the AI model.
  • in order to ensure that the AI model can be decrypted using the decryption key, the way in which the key generation circuit generates the decryption key from the root key, version ID and device ID is kept consistent with the way in which the encryption key used to encrypt the AI model was generated. For example, the algorithm for generating the decryption key and the algorithm for generating the encryption key may be the same.
  • the model protection device further includes: a second register.
  • the second register is used to store the decryption key.
  • the decryption circuit in the model protection device is specifically configured to read the decryption key from the second register, and under the instruction of the control signal, use the decryption key to decrypt the AI model.
  • when the decryption circuit decrypts the AI model, if the decryption key is the same as the encryption key used to encrypt the AI model, the decryption circuit can use the decryption key to decrypt the AI model successfully; if the decryption key differs from the encryption key, the AI model cannot be decrypted.
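How the key generation circuit, the second register and the decryption circuit fit together, as an added example that is not code from the patent application or its applicant. The application names no algorithms, so the HMAC-SHA256 derivation over root key, version ID and device ID, the HMAC-based keystream with an authentication tag, and every name here (`generate_key`, `DecryptionCircuit`, the control-signal constants) are assumptions; the root key and model bytes are constructed. The tag is what turns "a different key cannot decrypt the model" into a detectable failure instead of garbage weights.

```python
"""Key generation circuit and decryption circuit modelled in software (added example)."""
import hashlib
import hmac
import os
from typing import Optional

FIRST_CONTROL_SIGNAL = "decrypt"      # decrypt the model before forwarding it
SECOND_CONTROL_SIGNAL = "no_decrypt"  # forward the memory contents transparently


def generate_key(root_key: bytes, version_id: bytes, device_id: bytes) -> bytes:
    """Key generation circuit. The same function is run by the manufacturer to
    derive the encryption key and by the device to derive the decryption key,
    so the keys agree only if root key, version ID and device ID all agree."""
    info = b"ai-model-key|" + version_id + b"|" + device_id
    return hmac.new(root_key, info, hashlib.sha256).digest()


def _subkeys(key: bytes):
    # Separate keystream and tag keys derived from the model key (assumed design).
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC in counter mode as a pseudorandom keystream (stand-in for a real cipher).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_model(key: bytes, model: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Manufacturer side: returns nonce || ciphertext || tag (encrypt-then-MAC)."""
    nonce = os.urandom(16) if nonce is None else nonce
    enc_key, mac_key = _subkeys(key)
    ct = bytes(p ^ k for p, k in zip(model, _keystream(enc_key, nonce, len(model))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_model(key: bytes, blob: bytes) -> bytes:
    """Device side: the tag check fails when the decryption key differs from
    the encryption key, so a mismatched key yields no model at all."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key, mac_key = _subkeys(key)
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("decryption failed: key does not match the encryption key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class DecryptionCircuit:
    """Sits between the memory controller and the dedicated processor."""

    def __init__(self, second_register: bytes) -> None:
        self.second_register = second_register   # second register: holds the decryption key

    def forward(self, data_from_memory: bytes, control_signal: str) -> bytes:
        if control_signal == FIRST_CONTROL_SIGNAL:
            return decrypt_model(self.second_register, data_from_memory)
        return data_from_memory                  # second control signal: transparent pass-through


def run_demo() -> dict:
    """Constructed scenario: model encrypted for device A, read on devices A and B."""
    root_key = b"\x11" * 32                      # constructed root key
    model = b"constructed model weights\n" * 8   # constructed model bytes
    blob = encrypt_model(generate_key(root_key, b"v1.0", b"device-A"), model)
    circuit_a = DecryptionCircuit(generate_key(root_key, b"v1.0", b"device-A"))
    circuit_b = DecryptionCircuit(generate_key(root_key, b"v1.0", b"device-B"))
    results = {
        "decrypt_on_device_A": circuit_a.forward(blob, FIRST_CONTROL_SIGNAL) == model,
        "passthrough_is_ciphertext": circuit_a.forward(blob, SECOND_CONTROL_SIGNAL) == blob,
    }
    try:
        circuit_b.forward(blob, FIRST_CONTROL_SIGNAL)
        results["device_B_rejected"] = False
    except ValueError:
        results["device_B_rejected"] = True
    return results


if __name__ == "__main__":
    print(run_demo())
```

Binding the device ID into the derivation is what makes a copied encrypted model useless on another device even if that device holds the same root key and model version: its key generation circuit produces a different key and the tag check refuses the blob.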
  • the present application provides a computing device, the computing device comprising: a memory and the model protection device provided in the first aspect and any possible implementation manner thereof.
  • the computing device further includes a driver module, which is used to receive a task request sent by an AI application, determine the AI model required by the task request according to the task request, and obtain the AI model from the non-volatile storage medium of the computing device.
  • the driver module then requests memory from the memory controller, stores the AI model and the data to be calculated carried by the task request in the memory allocated by the memory controller, and sends a task execution instruction to the dedicated processor to instruct the dedicated processor to execute the computing task requested by the task request.
  • the task execution instruction is used to notify the dedicated processor of task information such as the storage address of the data to be calculated in the memory and the storage address of the AI model in the memory.
  • the dedicated processor is configured to send a read instruction after receiving the task execution instruction.
  • the present application provides a model protection method.
  • the model protection method is applied to a model protection device.
  • the model protection device includes: an access authority controller and a memory controller.
  • the model protection method includes: an access authority controller obtains a read instruction, and the read instruction is used to request to read an artificial intelligence AI model from a memory; the access authority controller performs an authentication operation on the read instruction, and generates a control signal based on the authentication result, the control signal being used to indicate whether to decrypt the AI model read from the memory; the access authority controller sends the read command to the memory controller; the memory controller reads the AI model from the memory based on the read command.
  • the access authority controller performs an authentication operation on the read instruction, including: the access authority controller obtains a read address for reading the AI model included in the read instruction, and performs an authentication operation on the read instruction based on the read address.
  • control signal includes a first control signal and a second control signal
  • the first control signal is used to instruct the AI model to be decrypted
  • the second control signal is used to instruct not to decrypt the AI model
  • the access authority controller generates the control signal based on the authentication result, including: when the read address is a legal address, the access authority controller generates a first control signal; when the read address is an illegal address, the access authority controller generates a second control signal.
  • a decryption authority identifier is stored in the model protection device, and the decryption authority identifier is used to indicate whether the AI model used by the current computing task is allowed to be decrypted.
  • the access authority controller generates a control signal based on the authentication result, including: when the read address is a legal address and meets the specified conditions, the access authority controller generates a first control signal; when the read address is an illegal address and/or does not meet a specified condition, the access authority controller generates a second control signal.
  • the specified condition includes at least one of the following: the decryption permission identifier indicates that the AI model used by the current computing task is allowed to be decrypted; or, the AI model is an encryption model.
  • the model protection method further includes: when the read address is an illegal address, the access authority controller controls the decryption authority identifier to indicate that all AI models used by the current computing task are not allowed to be decrypted.
  • the model protection method further includes: after completing the current computing task, the access authority controller resets the decryption authority identifier to indicate that decryption is permitted.
  • the model protection device further includes: a first register, where the first register is used to store the effective address range of the AI model in the memory, and the access authority controller performs an authentication operation on the read instruction, including: the access authority controller reads the valid address range from the first register, and performs an authentication operation on the read command based on the valid address range and the read address.
  • the model protection device further includes: a decryption circuit and a dedicated processor.
  • the model protection method further includes: the dedicated processor generates a read instruction and sends the read instruction to the access authority controller.
  • the model protection method further includes: the decryption circuit receives the control signal generated by the access authority controller and, under the instruction of the control signal, either decrypts the AI model and transmits it to the dedicated processor, or transparently transmits the AI model to the dedicated processor; the dedicated processor executes the current computing task based on the AI model transmitted by the decryption circuit.
  • the model protection device further includes: a key generation circuit.
  • the model protection method further includes: the key generation circuit obtains the root key of the model protection device, the version identification of the AI model and the device identification of the model protection device, and generates, based on the root key, the version identification and the device identification, a decryption key for decrypting the AI model.
  • the model protection device further includes: a second register, where the second register is used to store a decryption key, and after the access authority controller generates a control signal based on the authentication result, the model protection method further includes: the decryption circuit in the model protection device reads the decryption key from the second register, and uses the decryption key to decrypt the AI model under the instruction of the control signal.
  • the present application provides a computer device, which includes a processor and a memory, where a computer program is stored in the memory, and when the processor executes the computer program, the computer device implements the model protection method provided in the third aspect and any possible implementation manner thereof.
  • the present application provides a computer-readable storage medium, where instructions are stored in the computer-readable storage medium, and when the instructions are executed by a processor, the third aspect and any possible implementation manner thereof are implemented.
  • the present application provides a model protection device.
  • the model protection device is used to obtain a read command, perform an authentication operation on the read command, and control whether to read an AI model from a memory based on the authentication result.
  • the read command is authenticated by the access authority controller, and according to the authentication result, it is controlled whether to read the AI model requested by the read command from the memory according to the read command.
  • the AI model is stored in the memory in the form of an encrypted model; if the AI model can be read from the memory only after the authentication is passed, the AI model can be used successfully only in that case, and if the authentication is not passed the AI model cannot be read from the memory and cannot be used. Therefore, by controlling the process of reading the AI model from the memory, copying, leakage and abuse of the AI model can be prevented, the AI model is protected, which helps to establish a sound AI model ecosystem and build a safe and reasonable profit model.
  • the model protection device includes: an access authority controller and a memory controller.
  • the access authority controller is used to acquire a read instruction, perform an authentication operation on the read instruction, generate a read instruction signal based on the authentication result, and send the read instruction signal and the read instruction to the memory controller.
  • the read indication signal is used to indicate whether to read the AI model from memory.
  • the memory controller is used, under the instruction of the read indication signal, either to read the AI model from the memory based on the read instruction, or not to perform the operation of reading the AI model from the memory based on the read instruction.
  • the read indication signal includes a first read indication signal and a second read indication signal.
  • the first read indication signal is used to instruct the AI model to be read from the memory.
  • the second read indication signal is used to instruct not to read the AI model from the memory.
  • the access authority controller is configured to generate a first read indication signal when the authentication of the read instruction is passed, and generate a second read indication signal when the authentication of the read instruction fails.
  • the model protection device includes: an access authority controller and a memory controller.
  • the access authority controller is used to acquire the read command, perform an authentication operation on the read command, and determine whether to send the read command to the memory controller based on the authentication result.
  • the access authority controller is used to send the read command to the memory controller when the authentication of the read command is passed, so that the memory controller can read the AI model from the memory based on the read command; when the authentication of the read command fails, the read command is intercepted, so that the memory controller cannot receive the read command and the AI model requested by the read command cannot be read from the memory.
  • the access authority controller is specifically used to: when the read address is a legal address, determine that the authentication of the read instruction is passed, and when the read address is an illegal address, determine that the authentication of the read instruction fails.
  • when the read address is within the valid address range of the AI model, the read address is called a legal address; otherwise, the read address is called an illegal address.
  • the model protection device stores a decryption authority identifier, and the decryption authority identifier is used to indicate whether the AI model used by the current computing task is allowed to be decrypted.
  • the specified condition includes at least one of the following: the decryption permission identifier indicates that the AI model used by the current computing task is allowed to be decrypted, or the AI model is an encryption model.
  • the present application provides a computing device, the computing device comprising: a memory and the model protection device provided in the sixth aspect and any possible implementation manner thereof.
  • the present application provides a model protection method.
  • the model protection method is applied to a model protection device.
  • the model protection device includes: an access authority controller and a memory controller.
  • the model protection method includes: acquiring a read instruction, performing an authentication operation on the read instruction, and controlling whether the memory controller reads out the AI model from the memory based on the authentication result.
  • the model protection method includes: the access authority controller obtains a read instruction, performs an authentication operation on the read instruction, generates a read indication signal based on the authentication result, and sends the read indication signal and the read instruction to a memory controller.
  • the read indication signal is used to indicate whether to read the AI model from memory.
  • under the instruction of the read indication signal, the memory controller either reads the AI model from the memory based on the read instruction, or does not perform the operation of reading the AI model from the memory based on the read instruction.
  • the read indication signal includes a first read indication signal and a second read indication signal.
  • the first read indication signal is used to instruct the AI model to be read from the memory.
  • the second read indication signal is used to instruct not to read the AI model from the memory.
  • the access authority controller is configured to generate a first read indication signal when the authentication of the read instruction is passed, and generate a second read indication signal when the authentication of the read instruction fails.
  • the model protection method includes: the access authority controller obtains a read instruction, performs an authentication operation on the read instruction, and determines whether to send the read instruction to the memory controller based on the authentication result.
  • when the authentication of the read instruction is passed, the access authority controller sends the read instruction to the memory controller, so that the memory controller can read the AI model from the memory based on the read instruction; when the authentication fails, the read command is intercepted, so that the memory controller cannot receive the read command and the AI model requested by the read command cannot be read from the memory.
  • the access authority controller performs an authentication operation on the read instruction, including: when the read address is a legal address, determining that the authentication of the read instruction is passed, and when the read address is an illegal address, determining that the authentication of the read instruction fails.
  • a decryption authority identifier is stored in the model protection device, and the decryption authority identifier is used to indicate whether the AI model used by the current computing task is allowed to be decrypted; the access authority controller performs an authentication operation on the read instruction, including: when the read address is a legal address and the specified conditions are met, determining that the authentication of the read instruction is passed; when the read address is an illegal address and/or the specified conditions are not met, determining that the authentication of the read instruction fails.
  • the specified condition includes at least one of the following: the decryption permission identifier indicates that the AI model used by the current computing task is allowed to be decrypted, or the AI model is an encryption model.
  • the present application provides a computer device, which includes a processor and a memory, where a computer program is stored in the memory, and when the processor executes the computer program, the computer device implements the model protection method provided in the eighth aspect and any possible implementation manner thereof.
  • the present application provides a computer-readable storage medium, where instructions are stored in the computer-readable storage medium, and when the instructions are executed by a processor, the eighth aspect and any possible implementation manner thereof are implemented.
  • the present application provides a model protection device.
  • the model protection device includes: an access authority control module and a memory controller; the access authority control module is used to obtain a read instruction, and the read instruction is used to request to read the artificial intelligence AI model from the memory; the access authority control module is also used to perform the authentication operation on the read instruction and generate a control signal based on the authentication result, the control signal being used to indicate whether to decrypt the AI model read from the memory; the access authority control module is also used to send the read command to the memory controller; the memory controller is used to read the AI model from the memory based on the read instruction.
  • the access authority control module is specifically configured to: obtain a read address for reading the AI model included in the read instruction, and perform an authentication operation on the read instruction based on the read address.
  • the control signal includes a first control signal and a second control signal, the first control signal is used to instruct the AI model to be decrypted, and the second control signal is used to instruct that the AI model is not to be decrypted; the access authority control module is specifically used to: generate the first control signal when the read address is a legal address, and generate the second control signal when the read address is an illegal address.
  • the control signal includes a first control signal and a second control signal, the first control signal is used to instruct the AI model to be decrypted, and the second control signal is used to instruct that the AI model is not to be decrypted; a decryption authority identifier is stored in the model protection device, and the decryption authority identifier is used to indicate whether the AI model used by the current computing task is allowed to be decrypted; the access authority control module is specifically used to: generate the first control signal when the read address is a legal address and the specified condition is met, and generate the second control signal when the read address is an illegal address and/or the specified condition is not met.
  • the specified condition includes at least one of the following: the decryption authority identifier indicates that the AI model used by the current computing task is allowed to be decrypted; or, the AI model is an encrypted model.
  • the access authority control module is further configured to: when the read address is an illegal address, control the decryption authority identifier to indicate that all AI models used by the current computing task are not allowed to be decrypted.
  • the access authority control module is further configured to reset the decryption authority identifier to indicate that decryption is permitted after completing the current computing task.
  • the model protection device further includes: a first register, where the first register is used to store the effective address range of the AI model in the memory, and the access authority control module is specifically used for: reading the effective address range from the first register, based on The valid address range and read address perform the authentication operation on the read command.
  • the model protection device further includes: a decryption module and a dedicated processor, where the dedicated processor is used to generate a read instruction and send the read instruction to the access authority control module; the decryption module is used to receive the control signal generated by the access authority control module and, under the instruction of the control signal, either decrypt the AI model and transmit it to the dedicated processor or transparently transmit the AI model to the dedicated processor; and the dedicated processor is also used to execute the current computing task based on the AI model transmitted by the decryption module.
  • the model protection device further includes: a key generation module.
  • the key generation module is used to obtain the root key of the model protection device, the version ID of the AI model and the device ID of the model protection device, and to generate a decryption key for decrypting the AI model based on the root key, the version ID and the device ID.
  • the model protection device further includes: a second register, the second register is used to store the decryption key, and the decryption module is specifically configured to read the decryption key from the second register and, under the instruction of the control signal, use the decryption key to decrypt the AI model.
  • the present application provides a model protection device.
  • the model protection device includes: an access authority control module and a memory controller.
  • the access authority control module is used to obtain the read command, perform an authentication operation on the read command, and control whether the memory controller reads the AI model from the memory based on the authentication result.
  • the access authority control module is specifically configured to acquire a read instruction, perform an authentication operation on the read instruction, generate a read indication signal based on the authentication result, and send the read indication signal and the read instruction to the memory controller.
  • the read indication signal is used to indicate whether to read the AI model from memory.
  • the memory controller is used to read the AI model from the memory based on the read instruction under the instruction of the read indication signal, or, under the instruction of the read indication signal, not to perform the operation of reading the AI model from the memory based on the read instruction.
  • the read indication signal includes a first read indication signal and a second read indication signal.
  • the first read indication signal is used to instruct the AI model to be read from the memory.
  • the second read indication signal is used to instruct not to read the AI model from the memory.
  • the access authority control module is specifically configured to generate the first read indication signal when the authentication of the read instruction passes, and to generate the second read indication signal when the authentication of the read instruction fails.
  • the access authority control module is specifically configured to acquire a read instruction, perform an authentication operation on the read instruction, and determine whether to send the read instruction to the memory controller based on the authentication result.
  • the access authority control module is specifically configured to send the read instruction to the memory controller when the authentication of the read instruction passes, so that the memory controller can read the AI model from the memory based on the read instruction; and, when the authentication of the read instruction fails, to intercept the read instruction, so that the memory controller cannot receive the read instruction and the AI model requested by the read instruction cannot be read from the memory.
  • the access authority control module is specifically configured to acquire a read address for reading the AI model included in the read instruction, and perform an authentication operation on the read instruction based on the read address.
  • the access authority control module is specifically configured to determine that the authentication of the read instruction passes when the read address is a legal address, and determines that the authentication of the read instruction fails when the read address is an illegal address.
  • a decryption authority identifier is stored in the model protection device, and the decryption authority identifier is used to indicate whether the AI model used by the current computing task is allowed to be decrypted; the access authority control module is specifically used to: determine that the authentication of the read instruction passes when the read address is a legal address and the specified condition is met; and determine that the authentication of the read instruction fails when the read address is an illegal address, and/or the specified condition is not met.
  • the specified condition includes at least one of the following: the decryption authority identifier indicates that the AI model used by the current computing task is allowed to be decrypted, or the AI model is an encrypted model.
  • the access authority control module is further configured to: when the read address is an illegal address, control the decryption authority identifier to indicate that all AI models used by the current computing task are not allowed to be decrypted.
  • the access authority control module is further configured to reset the decryption authority identifier to indicate that decryption is permitted after completing the current computing task.
  • the model protection device further includes: a first register, where the first register is used to store the effective address range of the AI model in the memory.
  • the access authority control module is specifically configured to: read the effective address range from the first register, and perform an authentication operation on the read instruction based on the effective address range and the read address.
  • the model protection device further includes: a decryption module and a dedicated processor.
  • the dedicated processor is used to generate a read instruction and send the read instruction to the access authority control module.
  • the decryption module is used to decrypt the AI model and transmit the decrypted AI model to the dedicated processor, or to transparently transmit the AI model to the dedicated processor; the dedicated processor is also used to execute the current computing task based on the AI model transmitted by the decryption module.
  • the model protection device further includes: a key generation module.
  • the key generation module is used to obtain the root key of the model protection device, the version ID of the AI model and the device ID of the model protection device, and to generate a decryption key for decrypting the AI model based on the root key, the version ID and the device ID.
  • the model protection device further includes: a second register, where the second register is used to store the decryption key.
  • the decryption module is specifically configured to read the decryption key from the second register, and use the decryption key to decrypt the AI model.
  • the present application provides a model protection method.
  • the model protection method includes: a first computer device obtains a responsible party identifier and a root key of an artificial intelligence model; a third computer device obtains the device identifier of a model protection device provided by a second computer device, and sends the device identifier of the model protection device to the first computer device, where the model protection device is deployed in the third computer device and is used to run the artificial intelligence model; the first computer device allocates a version identifier for the artificial intelligence model, generates the encryption key of the artificial intelligence model according to the device identifier of the model protection device, the version identifier and the root key, encrypts the artificial intelligence model with the encryption key, and sends the encrypted artificial intelligence model to the third computer device; and the third computer device burns the encrypted artificial intelligence model into the non-volatile storage medium of the third computer device.
  • because the encryption key is derived from the device identifier, the root key and the version identifier, a different value for any one of them yields a different encryption key.
  • because the device identifiers of different model protection devices differ, the encryption keys generated for them differ, so an AI model encrypted for one model protection device cannot be decrypted by another, and different model protection devices can be used to protect different AI models.
  • the first computer device may generate a model manufacturer identification, and generate a root key according to the model manufacturer identification, so as to obtain the model manufacturer identification and the root key.
  • the first computer device may request the second computer device to assign a root key; the second computer device may assign a model manufacturer identifier to the model manufacturer according to the request of the first computer device, then generate a root key according to the model manufacturer identifier, and send the root key and the model manufacturer identifier to the first computer device.
  • the root key is generated according to the model manufacturer ID and the basic root key provided by the chip manufacturer.
  • the root key may be preset in a non-volatile storage medium of the model protection device.
  • in order for the computing device of the terminal manufacturer to be able to decrypt the encrypted AI model, the first computer device also needs to send the responsible party identifier and the version identifier to the third computer device.
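The provisioning flow described above (the chip manufacturer derives a root key from its basic root key and the manufacturer identifier; the model manufacturer derives the encryption key from the root key, the version identifier and the device identifier; the key generation module on the device re-derives the same key), simulated in Python as an added example. This is not the applicant's own procedure: the application names neither a key derivation function nor the cipher's mode, so HMAC-SHA256 as the KDF and an HMAC-SHA256 counter-mode keystream standing in for the AES decryption circuit are assumptions of this example, as are all identifier values, which are constructed.

```python
"""Key provisioning and device-bound decryption of an AI model, simulated.

Added example, not the applicant's implementation. HMAC-SHA256 as the KDF and the
keystream cipher below are assumptions; the application only says the key is generated
from the root key, the version ID and the device ID.
"""
import hashlib
import hmac


def kdf(key: bytes, *labels: bytes) -> bytes:
    """Assumed KDF: HMAC-SHA256 over length-prefixed labels, so that the
    concatenation of ("ab", "c") cannot collide with ("a", "bc")."""
    msg = b"".join(len(label).to_bytes(2, "big") + label for label in labels)
    return hmac.new(key, msg, hashlib.sha256).digest()


def root_key_for(basic_root_key: bytes, manufacturer_id: bytes) -> bytes:
    """Chip manufacturer (second computer device): root key for one model manufacturer."""
    return kdf(basic_root_key, b"root", manufacturer_id)


def model_key(root_key: bytes, version_id: bytes, device_id: bytes) -> bytes:
    """Model manufacturer (first computer device) and the key generation module on the
    model protection device both compute this; any differing input gives a different key."""
    return kdf(root_key, b"model", version_id, device_id)


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in cipher (NOT AES): XOR with HMAC-SHA256(key, counter). Each (device, version)
    key encrypts exactly one model here, so a fixed nonce is tolerable; a production
    decryption circuit would use AES, e.g. AES-GCM with a fresh nonce and a tag."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, b"model-ctr" + (offset // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def model_maker_encrypt(root_key: bytes, version_id: bytes, device_id: bytes, model: bytes) -> dict:
    """First computer device: derive the key for this device and version, encrypt, and
    ship the ciphertext together with the version ID the device needs to re-derive the key."""
    return {"version_id": version_id,
            "ciphertext": keystream_xor(model_key(root_key, version_id, device_id), model)}


def device_decrypt(root_key: bytes, package: dict, device_id: bytes) -> bytes:
    """Key generation module on the model protection device (root key preset in NVM)."""
    return keystream_xor(model_key(root_key, package["version_id"], device_id), package["ciphertext"])


def demo() -> dict:
    basic_root_key = b"chip-vendor-basic-root-key"       # constructed sample values
    manufacturer_id = b"model-maker-0001"
    version_id, device_id = b"face-recog-v3", b"npu-serial-00AB"
    model = b"layer0:" + bytes(range(40)) + b"layer1:" + bytes(range(40, 80))
    root = root_key_for(basic_root_key, manufacturer_id)
    package = model_maker_encrypt(root, version_id, device_id, model)
    return {
        # the device the model was bound to recovers the plaintext
        "same_device_ok": device_decrypt(root, package, device_id) == model,
        # another device ID derives a different key and gets garbage
        "other_device_ok": device_decrypt(root, package, b"npu-serial-00AC") == model,
        "keys_differ_by_version": model_key(root, b"face-recog-v4", device_id)
                                  != model_key(root, version_id, device_id),
        "keys_differ_by_root": model_key(root_key_for(basic_root_key, b"model-maker-0002"),
                                         version_id, device_id)
                               != model_key(root, version_id, device_id),
    }
```

The binding property the application relies on is visible in `demo()`: the ciphertext burned into one device is useless on a device with a different device ID, and re-versioning the model changes the key without touching the root key.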
  • FIG. 1 is a schematic structural diagram of a computing device provided by an embodiment of the present application.
  • FIG. 2 is a schematic structural diagram of another computing device provided by an embodiment of the present application.
  • FIG. 3 is a schematic structural diagram of a model protection device provided by an embodiment of the present application.
  • FIG. 4 is a schematic structural diagram of a model protection device provided by an embodiment of the present application.
  • FIG. 5 is a schematic structural diagram of another computing device provided by an embodiment of the present application.
  • FIG. 6 is a schematic diagram of a read instruction being transmitted between a dedicated processor and a memory controller according to an embodiment of the present application
  • FIG. 7 is a flowchart of a method for an access authority controller to perform an authentication operation and to generate a control signal according to an authentication result according to an embodiment of the present application;
  • FIG. 8 is a flowchart of an encryption key for generating an AI model, and an encryption and decryption process for the AI model provided by an embodiment of the present application;
  • FIG. 9 is a schematic diagram of a process of information transmission in FIG. 8 provided by an embodiment of the present application.
  • FIG. 10 is a flowchart of a model protection method provided by an embodiment of the present application.
  • FIG. 11 is a schematic structural diagram of a computer device provided by an embodiment of the present application.
  • FIG. 13 is a flowchart of another model protection method provided by an embodiment of the present application.
  • AI models are valuable intellectual property, and protecting them reduces the risk of an AI model being leaked or abused, thereby guaranteeing the rights and interests of the enterprises that invest in creating AI models.
  • the usage scenarios of the AI model generally involve the AI model, the special-purpose processor on which the AI model is implemented, and the computing device that uses the AI model to perform computing tasks.
  • that the AI model relies on a dedicated processor means that the realization of the functions of the AI model needs to occupy hardware resources in the dedicated processor.
  • a dedicated processor on which the AI model is implemented needs to be deployed in the computing device.
  • for example, the AI model may be a computer program for implementing face recognition, and the special-purpose processor may be a neural-network processing unit (NPU), whose hardware implements the face recognition function of the model; the computing device in which the special-purpose processor is deployed may be a camera, which can realize functions such as access control through the face recognition function.
  • computing tasks usually include multiple operations.
  • the computational tasks used for face recognition include: face detection, face key point location, face correction, face feature extraction, and feature comparison and other operations.
  • the AI model, dedicated processor and computing device are provided by at least two vendors.
  • the AI model is provided by the model manufacturer
  • the dedicated processor is provided by the chip manufacturer
  • the computing device is provided by the terminal manufacturer.
  • the dedicated processor can provide an interface, through which the AI model can cooperate with the hardware in the dedicated processor to realize the function of the AI model.
  • terminal manufacturers can assemble the special-purpose processor with other devices such as a non-volatile storage medium to obtain a computing device, and program the AI model into the non-volatile storage medium of the computing device, so that the computing device can perform computing tasks using the AI model and this dedicated processor.
  • the AI model and the dedicated processor are provided by the same manufacturer, and the computing device is provided by the terminal manufacturer. At this time, the terminal manufacturer assembles other devices such as a dedicated processor and a non-volatile storage medium to obtain a computing device, and program the AI model into the non-volatile storage medium of the computing device.
  • FIG. 1 is a schematic structural diagram of a computing device 0 according to an embodiment of the present application.
  • the computing device 0 includes: a driver module 10 , a memory 20 , a memory controller 301 and a dedicated processor 303 .
  • the driver module 10 is configured to receive the task request sent by the AI application, determine the AI model required by the task request, obtain the AI model from the non-volatile storage medium (not shown in FIG. 1) of the computing device 0, apply to the memory controller 301 for memory 20, store the AI model and the data to be calculated carried by the task request in the memory 20 allocated by the memory controller 301, and then send a task execution instruction to the dedicated processor 303 to instruct the dedicated processor 303 to execute the computing task requested by the task request.
  • the driver module 10 is usually implemented in software, and in an optional case, the driver module may also be referred to as a driver.
  • the task execution instruction is used to notify the dedicated processor 303 of task information such as the storage address of the data to be calculated in the memory 20 and the storage address of the AI model in the memory 20 .
  • the driving module 10 does not need to decrypt the AI model, and can directly store the AI model in the memory 20 .
  • the AI application may send a task request to the driving module 10 through an application programming interface (application programming interface, API).
  • the driving module 10 may be implemented by software.
  • the dedicated processor 303 is configured to obtain the data to be calculated and the AI model stored in the memory 20 according to the task execution instruction, use the AI model to perform the computing task on the data to be calculated, and store the calculation result in the memory 20.
  • when the dedicated processor 303 needs to acquire the data to be calculated and the AI model stored in the memory 20, it can send to the memory controller 301 a read instruction requesting to read the AI model and a read instruction requesting to read the data to be calculated, so that the memory controller 301 reads the AI model and the data to be calculated from the memory 20 and sends them to the dedicated processor 303.
  • in the computing device 0 shown in FIG. 1, when the AI model and the computing device 0 are provided by different manufacturers and the AI model is not encrypted, the use of the AI model by the computing device 0 is not effectively restricted; therefore, in order to ensure the rights and interests of the model manufacturers that provide AI models, the AI models they provide need to be protected.
  • the embodiment of the present application provides a model protection device 30, which can authenticate the operation of reading an AI model and determine, according to the authentication result, whether to decrypt the AI model read from the memory 20, thereby controlling the process of decrypting the AI model, preventing the leakage and abuse of the AI model, and realizing the protection of the AI model.
  • the model protection device 30 may be deployed in the computing device 0.
  • Embodiments of the present application provide a computing device.
  • the computing device 0 may be a camera, a desktop computer, a mobile phone, a tablet computer, a smart TV, a smart wearable device, an in-vehicle communication device, a computer, and the like.
  • FIG. 2 is a schematic structural diagram of another computing device 0 according to an embodiment of the present application.
  • the computing device 0 includes: a driver module 10, a memory 20 and a model protection device 30, and the model protection device 30 includes a memory controller 301, an access permission controller (APC) 302 (also referred to below as the access authority controller 302), and a dedicated processor 303.
  • the working process of the driving module 10 , the memory 20 and the dedicated processor 303 in the computing device 0 can be referred to the working process of the corresponding device in the computing device 0 in FIG. 1 , which will not be repeated here.
  • the driver module 10 notifies the dedicated processor 303 of the storage address of the data to be calculated in the memory 20 and the storage address of the AI model in the memory 20 through the task execution instruction, which can be implemented through a linked list node.
  • the task execution instruction may carry the address of the linked list node in the memory 20, and the linked list node stores the storage address of the AI model in the memory 20.
  • the dedicated processor 303 when it receives the task execution instruction, it will read the address of the linked list node in the memory 20, and then the dedicated processor 303 obtains the linked list node in the memory 20 according to the address of the linked list node in the memory 20, And obtain the storage address of the AI model in the memory 20 from the linked list node, and then obtain the AI model from the memory 20 according to the address obtained from the linked list node.
  • a linked list is a data structure consisting of a plurality of linked list nodes in logical order; each linked list node consists of two parts: a data field that stores the node's data, and a link that holds the address of the next linked list node. In this embodiment of the present application, the data field of the linked list node is used to indicate the storage address of the AI model in the memory 20.
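The linked-list walk described above, written out as an added example that is not part of the application: the dedicated processor starts from the node address carried by the task execution instruction and follows the links to collect the storage addresses of the AI model. The node layout (four little-endian 32-bit words: model address, model length, address of the next node, padding; a next address of 0 ends the list) and the sample addresses are assumptions. Because the driver module is software, the walk is bounded and checks for cycles and out-of-range node pointers, which is the check a hardware implementation of this step would need as well.

```python
"""Walking the linked list of AI model addresses referenced by a task execution instruction.

Added example, not the applicant's implementation. The node layout (four little-endian
32-bit words: model storage address, model length, address of the next node, padding;
next == 0 ends the list) and the sample addresses are assumptions made for illustration.
"""
import struct

NODE_FMT = "<IIII"                      # data field (addr, len), link (next), padding
NODE_SIZE = struct.calcsize(NODE_FMT)   # 16 bytes


def write_node(memory: bytearray, at: int, model_addr: int, model_len: int, next_addr: int) -> None:
    """Driver side: place one linked list node into memory 20 at offset `at`."""
    struct.pack_into(NODE_FMT, memory, at, model_addr, model_len, next_addr, 0)


def walk_model_addresses(memory: bytearray, head_addr: int, max_nodes: int = 64):
    """Dedicated-processor side: follow the links from the node address carried by the
    task execution instruction and return [(model_addr, model_len), ...].
    The driver may be hostile or buggy: a visited set and a node budget stop a crafted
    cycle or an endless list from hanging the NPU, and a bounds check stops a node
    pointer from reading outside memory 20."""
    out, seen, cur = [], set(), head_addr
    while cur != 0:
        if cur in seen or len(out) >= max_nodes:
            raise ValueError(f"linked list cycle or too many nodes at 0x{cur:x}")
        if cur + NODE_SIZE > len(memory):
            raise ValueError(f"node at 0x{cur:x} lies outside memory")
        seen.add(cur)
        model_addr, model_len, next_addr, _ = struct.unpack_from(NODE_FMT, memory, cur)
        out.append((model_addr, model_len))
        cur = next_addr
    return out


def sample_memory(cyclic: bool = False) -> bytearray:
    """Constructed memory image: two nodes at 0x100 and 0x110 describing two model segments.
    With cyclic=True the second node points back to the first, as a hostile driver might."""
    memory = bytearray(0x200)
    write_node(memory, 0x100, 0x1000, 0x400, 0x110)
    write_node(memory, 0x110, 0x1400, 0x200, 0x100 if cyclic else 0)
    return memory
```

The addresses returned by `walk_model_addresses` are exactly what the dedicated processor places in its read instructions, so they are also the values the access permission controller later compares against the effective address range.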
  • the process in which the driver module 10 sends a task execution instruction to the special-purpose processor 303, and the special-purpose processor 303 acquires the data to be calculated and the AI model stored in the memory 20, can be implemented through a hardware queue.
  • the driver module 10 can write the task execution instruction into the hardware queue, and the task execution instruction written in the hardware queue will be queued in the hardware queue in order, when the execution timing of the computing task indicated by the task execution instruction arrives , the hardware queue sends a task execution instruction to the dedicated processor 303 .
  • after receiving the task execution instruction, the dedicated processor 303 sends a read instruction requesting to read the AI model from the memory 20 to the hardware queue.
  • the hardware queue sends the read instruction requesting to read the AI model from the memory 20 to the memory controller 301.
  • the AI model read from the memory 20 is sent to the special-purpose processor 303 through the hardware queue, so that the special-purpose processor 303 uses the AI model to perform the computing task on the data to be computed.
  • the operation of the special purpose processor 303 to start executing the computing task indicated by the task execution instruction may be triggered by a register.
  • this register is used to trigger the hardware queue to obtain the linked list node from the memory 20, obtain the storage address of the AI model in the memory 20 from the linked list node, and send the acquired address to the dedicated processor 303, so that the special-purpose processor 303 sends a read instruction for the corresponding address.
  • the computing device 0 may further include a memory management unit (MMU) (not shown in FIG. 2); the MMU is used to perform address mapping between the address carried by a request for accessing the memory and the physical address at which the data is stored in the memory.
  • the memory controller 301 can be indirectly connected to the memory 20 through the MMU, and the interaction between the memory controller 301 and the memory 20 can be realized through the MMU.
  • the process above can be regarded as one in which the special-purpose processor 303 reads the AI model from the memory 20 by sending a read instruction.
  • when the driver module 10 sends the task execution instruction to the special-purpose processor 303 and the special-purpose processor 303 reads the data to be calculated and the AI model from the memory 20 without a hardware queue, the special-purpose processor 303 likewise needs to send a read instruction to the memory controller 301 to read the AI model from the memory 20.
  • in the following, the process in which the special-purpose processor 303 reads the AI model from the memory 20 by sending a read instruction is described without distinguishing whether a hardware queue is present or which object the special-purpose processor 303 sends the read instruction to.
  • the model protection device 30 includes: an access authority controller 302 and a memory controller 301 .
  • the access authority controller 302 is configured to acquire a read instruction, perform an authentication operation on the read instruction, generate a control signal based on the authentication result, and send the read instruction to the memory controller 301 .
  • the read instruction is used to request to read the AI model from the memory 20 .
  • the control signal is used to indicate whether to decrypt the AI model read from the memory 20 .
  • the control signal may include a first control signal and a second control signal. The first control signal is used to instruct to decrypt the AI model. The second control signal is used to indicate that the AI model is not decrypted.
  • the memory controller 301 is used to read the AI model from the memory 20 based on the read instruction.
  • the AI model in this embodiment of the present application may be a neural network model.
  • the access authority controller 302 authenticates the read instruction and can generate a control signal indicating whether to decrypt the AI model read from the memory 20.
  • because the AI model is stored in the memory 20 in the form of an encrypted model, the AI model can be used successfully only if the control signal indicates that it is to be decrypted; if the control signal indicates that the AI model is not to be decrypted, the AI model cannot be used. Therefore, by controlling the process of decrypting the AI model, the access authority controller 302 provided in the embodiment of the present application can prevent the leakage and abuse of the AI model and achieve the protection of the AI model.
  • the model protection device 30 may further include: a decryption circuit 304 and a dedicated processor 303 .
  • the dedicated processor 303 is configured to generate a read instruction, and send the read instruction to the access authority controller 302, so that the access authority controller 302 can perform an authentication operation on the read instruction.
  • the driving module 10 stores the AI model and the data to be calculated in the memory 20
  • the driving module 10 can send a task execution instruction to the special-purpose processor 303 to instruct the special-purpose processor 303 to execute the computing task requested by the task request.
  • the dedicated processor 303 may generate a read instruction according to the task execution instruction, and send the read instruction to the access authority controller 302 .
  • the task execution instruction may carry the storage address of the AI model in the memory 20, and correspondingly, the read instruction sent by the dedicated processor 303 may carry that address.
  • the decryption circuit 304 is used to receive the control signal generated by the access authority controller 302 and, under the instruction of the control signal, either decrypt the AI model and transmit it to the dedicated processor 303, or transparently transmit the AI model to the dedicated processor 303.
  • the decryption circuit 304 can use a decryption algorithm to decrypt the AI model.
  • the decryption algorithm used by the decryption circuit 304 may be a block cipher algorithm conforming to the International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) international standard.
  • the decryption algorithm used by the decryption circuit 304 may be an advanced encryption standard (AES) algorithm.
  • the dedicated processor 303 is also used for executing the current computing task based on the AI model transmitted by the decryption circuit 304 .
  • the dedicated processor 303 is specifically configured to run hardware such as circuits in the dedicated processor 303 to implement hardware acceleration of the AI model, so as to achieve the purpose of performing computing tasks based on the AI model.
  • the dedicated processor 303 may be a processor dedicated to performing AI calculations, for example, the dedicated processor 303 may be an NPU.
  • the access authority controller 302 can be mounted on the read channel through which the dedicated processor 303 sends the read instruction to the memory controller 301, and the decryption circuit 304 can be mounted on the response channel through which the memory controller 301 sends the read response for the read instruction to the special-purpose processor 303.
  • a read command is used to request to read content such as data or a computer program; the read instruction discussed here is one kind of read command, namely a read command used to request to read a computer program (the AI model).
  • the transmission path between the dedicated processor 303 and the memory controller 301 of the read instruction sent by the dedicated processor 303 is: firstly sent by the dedicated processor 303 to the access authority controller 302, and then sent by the access authority controller 302 to the memory controller 301 . Therefore, the access authority controller 302 can acquire the read command sent to the memory controller 301 and perform an authentication operation on the read command. In addition, the access authority controller 302 generates a control signal according to the authentication result of the read command, which can be sent to the memory controller 301 along with the read command.
  • the memory controller 301 can carry the AI model read according to the read instruction in the read response and send the control signal to the decryption circuit 304 along with the read response, so that the decryption circuit 304 either decrypts the AI model according to the control signal and sends the decrypted AI model to the dedicated processor 303, or transparently transmits the AI model to the dedicated processor 303 according to the control signal.
  • the access authority controller 302 can be mounted on the read channel through which the dedicated processor 303 sends commands or data to all other devices, so that the access authority controller 302 obtains every command and every piece of data sent by the dedicated processor 303.
  • the access authority controller 302 may then classify the acquired commands and data, and perform the authentication operation on those classified as read commands sent to the memory controller 301.
  • the access authority controller 302 can also be implemented in other ways, as long as it can obtain the read command sent by the dedicated processor 303, generate a control signal according to the authentication result of that read command, and send the control signal to the decryption circuit 304 for use in decrypting the AI model, with a correspondence between the AI model sent to the decryption circuit 304 and the control signal that indicates whether to decrypt it.
  • the access authority controller 302 need not be mounted on the read channel through which the dedicated processor 303 sends the read command to the memory controller 301. For example, the access authority controller 302 may receive the read instruction, the AI model read according to the read instruction may carry the identifier of that read instruction, and the control signal generated according to the read instruction may carry the same identifier, so that the correspondence between the AI model and the control signal indicating whether to decrypt it is established through the identifier of the read instruction. How this correspondence is established is not specifically limited in this embodiment of the present application.
  • what matters is that the AI model sent to the decryption circuit 304 corresponds to the control signal indicating whether to decrypt it, so that the decryption circuit 304 can determine from the control signal whether that AI model is to be decrypted.
  • the indication carried by the control signal can be expressed by the value of a variable carried in it. When the value of the variable is 1, the control signal instructs the decryption circuit to decrypt the AI model read from the memory 20; this control signal is referred to as the first control signal. When the value of the variable is 0, the control signal indicates that the AI model read from the memory 20 is not to be decrypted; this control signal is referred to as the second control signal.
  • the control signal can be implemented as an associated (sideband) signal. The dashed arrow in FIG. 5 represents the transmission path of the control signal: the memory controller 301 sends the control signal to the decryption circuit 304 along with the AI model.
  • the content indicated by the control signal can be represented by the value of the variable. For example, the memory controller 301 can carry the value of the variable in an extension field of the data it sends to the decryption circuit 304, so that the value in the extension field expresses what the control signal indicates.
  • the access authority controller 302 may obtain, from the read instruction, the read address used for reading the AI model, and perform the authentication operation on the read instruction based on that read address. For example, besides acquiring the read address contained in the read instruction, the access authority controller 302 can also acquire the effective address range in the memory 20 of the AI model that the read instruction requests, and authenticate the read instruction according to the read address and the effective address range.
  • the effective address range of the AI model in the memory 20 at least covers the real storage address of the AI model in the memory 20 .
  • the effective address range of the AI model in the memory 20 may be set according to the storage address of the AI model in the memory 20 after the driver module 10 stores the AI model in the memory 20 .
  • the effective address range may be stored in registers.
  • the model protection device 30 may further include: a first register 305 , where the first register 305 is used to store the effective address range of the AI model in the memory 20 .
  • the first register 305 may be a general term for one or more registers used to store the effective address range.
  • the effective address range can be represented by variables stored in two registers: one register stores the start address of the effective address range, and the other stores either the length of the effective address range or its end address.
  • the access authority controller 302 generates the control signal according to the authentication result as follows: when the read address is a legal address, it generates the first control signal; when the read address is an illegal address, it generates the second control signal.
  • a read address within the effective address range of the AI model is called a legal address; a read address outside the effective address range of the AI model is called an illegal address.
  • the access authority controller 302 may also perform the authentication operation according to conditions other than the read address. For example, the access authority controller 302 generates the first control signal when the read address is a legal address and a specified condition is met, and generates the second control signal when the read address is an illegal address and/or the specified condition is not met.
  • the specified condition includes at least one of the following: the decryption permission identifier indicates that the AI model used by the current computing task is allowed to be decrypted; the AI model is an encrypted model.
  • the decryption authority identifier is stored in the model protector 30 .
  • the decryption rights identification can be stored in a register.
  • the decryption permission identifier is used to indicate whether the AI model used by the current computing task is allowed to be decrypted.
  • what the decryption permission identifier indicates is determined by its value. For example, when the value of the decryption permission identifier is 0, it indicates that the AI model used by the current computing task is allowed to be decrypted; when the value is 1, it indicates that the AI model used by the current computing task is not allowed to be decrypted. The default value of the decryption permission identifier is 0.
  • the access authority controller 302 may also set the decryption permission identifier according to whether the read address is a legal address. When the access authority controller 302 determines that the read address is an illegal address, it can set the decryption permission identifier to indicate that none of the AI models used by the current computing task is allowed to be decrypted.
  • this amounts to a penalty mechanism driven by the read-address check: once a read address is determined to be illegal, the decryption permission identifier is set to indicate that all AI models used in the current computing task are not allowed to be decrypted. A malicious program that has tampered with even one read address therefore obtains no decrypted model for the rest of the task, which prevents it from attacking the AI model.
  • one decryption permission identifier can be set for the multiple computing tasks executed serially by the computing device 0, and its value during the execution of each computing task indicates whether the AI models used by that computing task are allowed to be decrypted.
  • decryption permission identifiers may be set for different computing tasks respectively, and the decryption permission identifier set for each computing task is used to indicate whether the AI model used by the corresponding computing task is allowed to be decrypted.
  • after the current computing task ends, the access authority controller 302 can also reset the decryption permission identifier so that it indicates that decryption is allowed, ensuring that the computing task executed after the current one can obtain its AI model normally.
  • the decryption permission identifier may also be reset in other ways, for example by powering the computing device 0 off and on again; this is not specifically limited in this embodiment of the present application.
  • whether the AI model is an encrypted model can be determined by the value of the encryption identifier of the AI model. In one implementation, when the value of the encryption identifier is 0, the encryption identifier indicates that the AI model is an encrypted model, and when the value is 1, it indicates that the AI model is a non-encrypted model. Whether the AI model is an encrypted model depends on the model manufacturer's protection requirements for the model: when the model manufacturer needs to protect the AI model, it can encrypt the AI model and set the encryption identifier to indicate that the AI model is an encrypted model.
  • the encryption identifier can be stored in a register, and the value of the encryption identifier in that register can be set by the driver module 10.
  • after the driver module 10 has written the model into the non-volatile storage medium of the computing device 0, the driver module 10 can read the file header of the AI model. The file header carries model information about the AI model, including whether the model is an encrypted model and information such as the size of the model, and the driver module 10 can set the value of the encryption identifier in the register according to this model information.
  • when performing a computing task the dedicated processor 303 needs not only the AI model but also the data to be computed on, so it also sends the memory controller 301 read commands requesting data and the like from the memory 20. These read commands travel over the same read channel through which the dedicated processor 303 sends read commands to the memory controller 301, so the access authority controller 302 receives not only the read instruction requesting the AI model but also read commands requesting data and the like from the memory 20.
  • the authentication operation performed by the access authority controller 302 therefore further includes determining whether a received read command is a read instruction. If the received read command is not a read instruction, it is not a request to read the AI model from the memory 20 and the content read according to it does not need to be decrypted, so the access authority controller 302 generates, according to that read command, a control signal indicating that the content read according to it is not to be decrypted.
  • the read command carries a command identifier that indicates the content the read command requests. Whether a read command is a read instruction requesting the AI model can then be determined from the command identifier it carries.
  • the read address in the read instruction sent by the dedicated processor 303 is determined from the memory address of the AI model in the memory 20, which can be carried in the task execution instruction. When a malicious program attacks the AI model, it modifies the memory address of the AI model that the dedicated processor 303 receives, so the read address that the dedicated processor 303 places in the read instruction according to that memory address is an illegal address.
  • with the access authority controller 302 provided in this embodiment of the present application, authentication of the read instruction determines that the read address sent by the dedicated processor 303 is illegal, and a control signal indicating that the AI model is not to be decrypted is generated. The computing device 0 is then unable to use the encrypted model, so abuse of and attacks on the AI model by malicious programs are prevented.
  • a malicious program may modify not only the memory address of the AI model received by the dedicated processor 303 but also the effective address range of the AI model stored in the first register 305, so that the access authority controller 302 misjudges the read address as legal. Even then, because the read address is a wrong address, the content read from the memory 20 at that address is not the AI model originally required by the dedicated processor 303, while the decryption key used by the decryption circuit 304 is the key of the originally required AI model. The decryption key therefore cannot correctly decrypt the content read from the memory 20, which still prevents the malicious program from attacking the AI model.
  • the order in which the access authority controller 302 judges whether the read address is a legal address, what the decryption permission identifier indicates, whether the AI model is an encrypted model, and whether the received read command is a read instruction can be set according to application requirements.
  • FIG. 7 shows a schematic diagram of a possible execution sequence. As shown in FIG. 7 , the access authority controller 302 performs an authentication operation, and the process of generating a control signal according to the authentication result includes the following steps:
  • Step 701 The access authority controller obtains a read command.
  • Step 702 After receiving the read command, the access authority controller determines whether the decryption permission identifier indicates that the AI model used by the current computing task is allowed to be decrypted. If it is allowed, step 703 is executed; if it is not allowed, step 706 is executed.
  • Step 703 The access authority controller determines whether the AI model is an encrypted model. If the AI model is an encrypted model, step 704 is executed; if it is a non-encrypted model, step 706 is executed.
  • Step 704 The access authority controller determines whether the read command is a read instruction requesting the AI model. If it is, step 705 is executed; if it is not, step 706 is executed.
  • Step 705 The access authority controller judges whether the read address is a legal address. If the read address is legal, it generates the first control signal; if the read address is illegal, it sets the decryption permission identifier to indicate that none of the AI models used by the current computing task is allowed to be decrypted, and step 706 is executed.
  • Step 706 The access authority controller generates a second control signal.
  • when any one of the above judgment conditions is not satisfied, the access authority controller generates the second control signal without evaluating the remaining conditions, which reduces the workload of the access authority controller and keeps authentication efficient.
  • the authentication process first checks the decryption permission identifier, then whether the AI model is an encrypted model, then whether the read command is a read instruction, and finally whether the read address is a legal address, so the judgment conditions proceed from coarse-grained to fine-grained, which further improves authentication efficiency.
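The read path and the FIG. 7 decision order described above, as an added simulation written for this page (not the patent's circuit or any Huawei code). The flag encodings (decryption permission identifier 0 = allowed, encryption identifier 0 = encrypted, control-signal variable 1 = decrypt), the registers and the step order 701-706 follow the description; the class and field names, the command identifier values, the sample memory image and the check that the whole requested span (not only its start address) lies inside the effective address range are assumptions made for this example.

```python
"""Read-path simulation for the access authority controller (FIG. 5 / FIG. 7).

Constructed illustration, not the patent's circuit: the flag encodings,
registers and the step order 701-706 follow the description; the class and
field names, the command identifiers and the span (length) check are
assumptions made for this example.
"""
from dataclasses import dataclass
from typing import Callable

# Value encodings stated in the description
DECRYPT_ALLOWED, DECRYPT_FORBIDDEN = 0, 1            # decryption permission identifier
MODEL_ENCRYPTED, MODEL_PLAINTEXT = 0, 1              # encryption identifier
FIRST_CONTROL_SIGNAL, SECOND_CONTROL_SIGNAL = 1, 0   # control signal variable

CMD_READ_MODEL, CMD_READ_DATA = "read_model", "read_data"   # assumed command identifiers


@dataclass(frozen=True)
class ReadCommand:
    cmd_id: int      # identifier of this read; pairs the response with its control signal
    kind: str        # command identifier: which content the read requests
    address: int     # read address in memory 20
    length: int      # assumed: number of bytes requested


@dataclass(frozen=True)
class ReadResponse:
    cmd_id: int
    payload: bytes
    ext_decrypt: int   # control signal carried in the extension field of the response


class AccessAuthorityController:
    """Access authority controller 302 on the read channel to memory controller 301."""

    def __init__(self, model_start: int, model_length: int, encryption_flag: int):
        self.range_start, self.range_length = model_start, model_length   # first register 305
        self.encryption_flag = encryption_flag   # set by driver module 10 from the file header
        self.decrypt_flag = DECRYPT_ALLOWED      # decryption permission identifier, default 0

    def _legal(self, cmd: ReadCommand) -> bool:
        # The whole requested span must lie inside the effective address range;
        # checking only the start address would let a read run past the model.
        end = self.range_start + self.range_length
        return self.range_start <= cmd.address and cmd.address + cmd.length <= end

    def authenticate(self, cmd: ReadCommand) -> int:
        """Steps 701-706: coarse conditions first, stop at the first one that fails."""
        if self.decrypt_flag != DECRYPT_ALLOWED:      # step 702
            return SECOND_CONTROL_SIGNAL
        if self.encryption_flag != MODEL_ENCRYPTED:   # step 703
            return SECOND_CONTROL_SIGNAL
        if cmd.kind != CMD_READ_MODEL:                # step 704: plain data reads pass through
            return SECOND_CONTROL_SIGNAL
        if self._legal(cmd):                          # step 705
            return FIRST_CONTROL_SIGNAL
        # Penalty mechanism: one illegal model read forbids decryption of every
        # model used by the current computing task until the flag is reset.
        self.decrypt_flag = DECRYPT_FORBIDDEN
        return SECOND_CONTROL_SIGNAL

    def reset_for_next_task(self) -> None:
        """Reset at the task boundary so the next computing task can decrypt again."""
        self.decrypt_flag = DECRYPT_ALLOWED


def memory_controller(memory: bytes, cmd: ReadCommand, signal: int) -> ReadResponse:
    """Memory controller 301: serve the read, forward the control signal in the extension field."""
    return ReadResponse(cmd.cmd_id, memory[cmd.address:cmd.address + cmd.length], signal)


def decryption_circuit(resp: ReadResponse, decrypt: Callable[[bytes], bytes]) -> bytes:
    """Decryption circuit 304: decrypt on the first control signal, pass through on the second."""
    if resp.ext_decrypt == FIRST_CONTROL_SIGNAL:
        return decrypt(resp.payload)
    return resp.payload   # transparent transmission: ciphertext reaches the processor unusable


def read_through(ctl: AccessAuthorityController, memory: bytes, cmd: ReadCommand,
                 decrypt: Callable[[bytes], bytes]) -> bytes:
    """The full path of one read from dedicated processor 303 and back to it."""
    signal = ctl.authenticate(cmd)                      # read channel
    resp = memory_controller(memory, cmd, signal)       # response channel
    return decryption_circuit(resp, decrypt)
```

The `decrypt` callback stands in for the decryption circuit's cipher so this block stays independent of any key material. Note what an illegal read yields: the memory controller still serves it, and the decryption circuit passes the ciphertext through unchanged, so the scheme's protection rests on that ciphertext being unusable without the key, not on the read being blocked.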
  • the model protection device 30 may further include: a key generation circuit 306 .
  • the key generation circuit 306 is used to obtain the root key of the model protection device 30, the version identifier of the AI model and the device identifier of the model protection device 30, and to generate, from the root key, the version identifier and the device identifier, the decryption key used to decrypt the AI model.
  • after the driver module 10 stores the AI model in the memory 20, it can send an instruction to the key generation circuit 306 to generate the decryption key, that is, the key generation circuit 306 generates the decryption key under the instruction of the driver module 10.
  • alternatively, the key generation circuit 306 may generate the decryption key before the AI model is stored in the memory 20.
  • the key generation circuit 306 can generate a decryption key of the AI model for subsequent decryption and use.
  • to ensure that the AI model can be decrypted with the decryption key, the way the key generation circuit 306 generates the decryption key from the root key, the version identifier and the device identifier must be consistent with the way the encryption key used to encrypt the AI model was generated; for example, the algorithm for generating the decryption key and the algorithm for generating the encryption key may be the same.
  • the model protection device 30 may further include a second register 307 used to store the decryption key, and the decryption key may be stored in the second register 307.
  • the decryption circuit 304 in the model protection device 30 is specifically configured to read the decryption key from the second register 307, and under the instruction of the control signal, use the read decryption key to decrypt the AI model.
  • when the decryption circuit 304 decrypts the AI model, it succeeds if the decryption key is the same as the encryption key used to encrypt the AI model; if the decryption key differs from that encryption key, the AI model cannot be decrypted.
  • the root key and the device identifier of the model protection device 30 are provided by the chip manufacturer, and the version identifier of the AI model is distributed by the model manufacturer.
  • the operations of the model manufacturer are performed by a first computer device, the operations of the chip manufacturer by a second computer device, and the operations of the terminal manufacturer by a third computer device. Each of these may be one or more computer devices, collectively referred to as the first, second and third computer device respectively.
  • the generation of the encryption key of the AI model and the encryption and decryption of the AI model are described below.
  • the implementation process includes the following steps:
  • Step 801 The first computer device acquires the model manufacturer ID of the AI model and the root key of the model protection device.
  • the first computer device may generate a model manufacturer identification, and generate a root key according to the model manufacturer identification, so as to obtain the model manufacturer identification and the root key.
  • alternatively, the first computer device may request the second computer device to distribute a root key; the second computer device assigns a model manufacturer identifier to the model manufacturer according to that request, generates a root key according to the model manufacturer identifier, and sends the root key and the model manufacturer identifier to the first computer device.
  • the chip manufacturer is usually the party trusted by the model manufacturer. Therefore, as shown in FIG. 9, the model manufacturer identifier is usually assigned by the chip manufacturer to the model manufacturer, and the root key is usually generated from the model manufacturer identifier and a base root key provided by the chip manufacturer.
  • the root key and the model manufacturer identification can be sent to the first computer device in a packaged and encrypted manner.
  • the method of encrypting the model manufacturer ID and the root key may be a PGP (pretty good privacy) encryption method.
  • the process of generating the root key according to the model vendor identification can be performed offline using a server running in a secure environment.
  • the servers running in the secure environment may be hardware security modules (HSMs).
  • the root key may be preset in the non-volatile storage medium of the model protection device 30, for example in a one-time programmable (OTP) storage medium. Since an OTP storage medium can be written only once, a malicious program cannot overwrite the root key stored in it, so the security of the root key is guaranteed.
  • Step 802 The third computer device acquires the device identifier of the model protection device, and sends the device identifier of the model protection device to the first computer device.
  • the model protection device 30 provided by the embodiment of the present application is deployed in the computing device 0 provided by the terminal manufacturer and is used to protect the AI model.
  • the model protection device 30 has a built-in device identifier; the third computer device can read the device identifier of the model protection device 30 through the application programming interface of the model protection device 30 and send it to the first computer device.
  • for example, the device identifier is the chip identifier of the computing chip.
  • the device identifier may be stored in a non-volatile storage medium of the model protection device 30, for example in an OTP storage medium. Since an OTP storage medium can be written only once, a malicious program cannot overwrite the device identifier stored in it, so the security of the device identifier is guaranteed.
  • Step 803 The first computer device assigns a version identifier to the AI model, and generates an encryption key for the AI model according to the device identifier of the model protection device, the version identifier of the AI model, and the root key of the model protection device.
  • the model manufacturer may assign version identifiers to different AI models through the first computer device.
  • the model manufacturer can generate the encryption key of the AI model from the acquired device identifier, root key and version identifier.
  • the chip manufacturer can provide the model manufacturer with a key generation tool for generating the encryption key, implemented in software or hardware; the model manufacturer inputs the version identifier, the device identifier and the root key to the generation tool and receives its output as the encryption key of the AI model.
  • the key generation unit may first generate an intermediate key according to the root key and the version identifier, and then generate the encryption key according to the intermediate key and the device identifier.
  • since the encryption key is derived from the device identifier, the root key and the version identifier, the encryption key differs whenever any one of the three differs.
  • since different model protection devices 30 have different device identifiers, the encryption keys generated from their device identifiers differ, so an AI model encrypted for one model protection device 30 is not the AI model another model protection device 30 can use.
  • when the same model protection device 30 protects multiple AI models from the same model manufacturer, the encryption keys of those AI models can be the same or different, as the model manufacturer wishes.
  • for example, the model manufacturer can assign the same version identifier to the multiple AI models; since the model manufacturer of these AI models is the same and the root key is generated from the model manufacturer identifier, the device identifier, version identifier and root key used to generate their encryption keys are all the same, and so are the encryption keys.
  • Step 804 The first computer device uses the encryption key to encrypt the AI model, sends the encrypted AI model to the third computer device, and sends the model manufacturer identifier and the version identifier to the third computer device.
  • after the first computer device obtains the encryption key of the AI model, it can use the encryption key to encrypt the AI model stored in plaintext (also called the plaintext model); after the terminal manufacturer purchases the AI model from the model manufacturer, the encrypted AI model is sent to the terminal manufacturer.
  • the model manufacturer also needs to send the version identifier of the AI model and the model manufacturer identifier to the terminal manufacturer; alternatively, the model manufacturer sends the root key of the model protection device 30 and the version identifier of the AI model to the terminal manufacturer.
  • Step 805 The third computer device burns the encrypted AI model into the non-volatile storage medium of the computing device, and stores the model manufacturer ID and version ID in the non-volatile storage medium of the computing device.
  • the third computer device may program the encrypted AI model into the non-volatile storage medium of the computing device 0 .
  • the third computer device may burn the image file including the encrypted AI model into the non-volatile storage medium of the computing device 0 on the production line.
  • the model manufacturer ID and version ID are stored in the non-volatile storage medium of the computing device 0 .
  • the non-volatile storage medium may be a flash memory (flash memory), a hard disk drive (hard disk drive, HDD), or a solid-state drive (solid-state drive, SSD) or the like.
  • Step 806 The key generation circuit acquires the model manufacturer ID, version ID and device ID from the non-volatile storage medium of the computing device.
  • the third computer device can read the device identifier and provide it to the key generation circuit 306.
  • the non-volatile storage medium of the computing device 0 stores the model manufacturer identifier model_owner_id and the version identifier, from which the key generation circuit 306 obtains the model manufacturer identifier and the version identifier.
  • Step 807 The key generation circuit generates a decryption key according to the model manufacturer ID, version ID and device ID, and stores the decryption key in the second register.
  • the key generation circuit 306 can generate the root key of the model protection device 30 from the model manufacturer identifier, and then generate the decryption key from the root key, the device identifier of the model protection device 30 and the version identifier of the AI model.
  • since the key generation circuit 306 is provided by the chip manufacturer that provides the model protection device 30, the key generation circuit 306 can obtain the base root key provided by the chip manufacturer and generate the root key from the model manufacturer identifier and that base root key.
  • the implementation manner of the key generation circuit 306 generating the decryption key needs to be consistent with the implementation manner of the first computer device to generate the encryption key.
  • the algorithm for generating the decryption key and the algorithm for generating the encryption key may be the same.
  • the key generation circuit may first generate an intermediate key according to the root key and the version identifier, and then generate the decryption key according to the intermediate key and the device identifier.
  • generating the root key from the model manufacturer identifier and then the decryption key from the root key involves one more generation step than generating the decryption key directly from the root key, which further protects the key.
  • alternatively, the key generation circuit 306 can generate the decryption key directly from the root key, the version identifier and the device identifier.
  • Step 808 The decryption circuit obtains the decryption key from the second register, and decrypts the encrypted AI model according to the decryption key.
  • the decryption operation can be performed on the encrypted AI model to obtain the plaintext model.
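Steps 801-808 carried through end to end, as an added example written for this page (not the patent's tooling or any Huawei code). It also covers the key generation circuit 306 described earlier, the encryption identifier read from the model file header by the driver module, and the case where bytes read from a wrong address cannot be decrypted with the genuine key. The parties and the derivation order (base root key and model manufacturer identifier give the root key; root key and version identifier give an intermediate key; intermediate key and device identifier give the model key) follow the description. HMAC-SHA256 as the derivation step, the HMAC-based authenticated stream cipher, the image header layout and all identifiers are assumptions chosen here so the example needs only the Python standard library; the patent names none of these algorithms.

```python
"""Key chain of steps 801-808: chip manufacturer -> model manufacturer -> device.

Constructed illustration, not the patent's tooling: the parties and the order
root key -> intermediate key (root key + version ID) -> model key (+ device ID)
follow the description. HMAC-SHA256 as the derivation step, the HMAC-based
stream cipher and the image header layout are stand-ins chosen here so the
example needs only the standard library.
"""
import hashlib
import hmac
import os
import struct
from typing import Optional


def kdf(key: bytes, label: bytes, context: bytes) -> bytes:
    """Assumed derivation step: HMAC-SHA256(key, label || context)."""
    return hmac.new(key, label + context, hashlib.sha256).digest()


def derive_root_key(base_root_key: bytes, model_owner_id: bytes) -> bytes:
    """Chip manufacturer side (HSM) and key generation circuit 306 alike:
    per-manufacturer root key from the chip vendor's base root key (step 801)."""
    return kdf(base_root_key, b"root", model_owner_id)


def derive_model_key(root_key: bytes, version_id: bytes, device_id: bytes) -> bytes:
    """Shared by the model manufacturer's tool (step 803) and circuit 306 (step 807)."""
    intermediate = kdf(root_key, b"version", version_id)   # root key + version ID
    return kdf(intermediate, b"device", device_id)         # intermediate key + device ID


# Illustrative authenticated stream cipher (not the patent's): keystream from
# HMAC-SHA256 in counter mode plus an HMAC tag so a wrong key is detected.
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def encrypt_model(key: bytes, plaintext_model: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext_model, _keystream(key, nonce, len(plaintext_model))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def decrypt_model(key: bytes, blob: bytes) -> Optional[bytes]:
    """Plaintext model, or None when the key (or the bytes read) do not match."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


# Image burnt into non-volatile storage (step 805). The file header carries the
# encryption identifier, version ID and model size that driver module 10 reads
# to set the registers; this layout is assumed.
HEADER = struct.Struct(">4sB8sI")   # magic, encryption identifier, version ID, size
ENC_ID_ENCRYPTED = 0                 # encryption identifier value 0 = encrypted model


def build_image(version_id: bytes, encrypted_model: bytes) -> bytes:
    header = HEADER.pack(b"AIMD", ENC_ID_ENCRYPTED, version_id.ljust(8, b"\0"), len(encrypted_model))
    return header + encrypted_model


def parse_image(image: bytes):
    magic, enc_id, version_id, size = HEADER.unpack_from(image)
    if magic != b"AIMD":
        raise ValueError("not a model image")
    return enc_id, version_id.rstrip(b"\0"), image[HEADER.size:HEADER.size + size]


PLAINTEXT_MODEL = b"constructed model weights"   # stand-in for a real model


def provisioning_walkthrough(device_id: bytes):
    """Steps 801-808 end to end. Returns (model as decrypted on the target
    device, result of trying the same image with another device's key)."""
    base_root_key = os.urandom(32)          # chip vendor secret, stays in the HSM / OTP
    model_owner_id, version_id = b"vendor-0042", b"v1"    # constructed identifiers
    root_key = derive_root_key(base_root_key, model_owner_id)              # step 801
    enc_key = derive_model_key(root_key, version_id, device_id)            # step 803
    image = build_image(version_id, encrypt_model(enc_key, PLAINTEXT_MODEL))   # 804-805
    # On the computing device: circuit 306 rebuilds root key, then decryption key (806-807)
    enc_id, ver, blob = parse_image(image)
    assert enc_id == ENC_ID_ENCRYPTED
    dec_key = derive_model_key(derive_root_key(base_root_key, model_owner_id), ver, device_id)
    other_key = derive_model_key(root_key, ver, b"other-device")
    return decrypt_model(dec_key, blob), decrypt_model(other_key, blob)   # step 808
```

The tag check in `decrypt_model` is what makes the wrong-address case observable: ciphertext read from a relocated or tampered range fails authentication instead of yielding garbage weights, which a real decryption circuit would want to report rather than silently forward.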
  • the dotted box in FIG. 9 represents an operation implemented by hardware or processed software, and its implementation logic cannot be intervened or tampered with by software
  • the solid-line box represents an operation implemented by software.
  • processed software refers to software that has been processed, for example solidified, so that it cannot be interfered with or tampered with.
  • the device ID and root key of the model protection device 30 cannot be tampered with; therefore, the AI model can be protected by generating an encryption key according to the root key and the device ID and using that encryption key to encrypt the AI model.
  • the actual form of the model protection device provided in the embodiments of the present application may be set according to application requirements.
  • the actual form of the model protection device may be a system on chip (system on chip, SOC), and the model protection device may be implemented by hardware such as a circuit.
  • the SoC may be a chip running in a secure environment (SE).
  • the model protection device can be implemented by hardware or by a combination of hardware and software according to requirements.
  • when the model protection device is implemented by hardware, since the logic implemented by the hardware cannot be changed after the hardware is manufactured, it can prevent terminal manufacturers or malicious programs from tampering with the implementation logic of the model protection device, thereby realizing effective protection of the AI model.
  • the software used to implement the model protection device can apply specified measures to ensure that terminal manufacturers or malicious programs cannot tamper with the implementation logic of the model protection device, thereby achieving effective protection of the AI model.
  • the functions implemented by the dedicated processor, the memory controller, the first register and the second register in the model protection device can be implemented by hardware, and the functions implemented by the access authority controller, the decryption circuit, and the key generation circuit can be implemented by software.
  • the function of the access authority controller is realized by the access authority control module
  • the function of the decryption circuit is realized by the decryption module
  • the function of the key generation circuit is realized by the key generation module
  • the functions of the above modules can all be implemented by the processor.
  • the access authority controller authenticates the read instruction, and can generate a control signal indicating whether to decrypt the AI model read from the memory.
  • if the control signal indicates that the AI model is to be decrypted, the AI model can be used successfully; if the control signal indicates that the AI model is not to be decrypted, the AI model cannot be used. Therefore, by controlling the process of decrypting the AI model, the copying, leakage and abuse of the AI model can be prevented, the protection of the AI model is realized, and this helps to establish a sound AI model ecosystem and build a secure and reasonable profit model.
  • a model protection device provided by the embodiment of the present application can be implemented on a single SOC, does not require additional SOC cost or the cost of interaction between different SOC chips, and can realize the protection of the AI model at a lower cost.
  • since the protection of the AI model is realized by authenticating the read instruction, a technique for checking the validity of an instruction is also provided, so that the embodiment of the present application can also be applied to other scenarios where a similar permission check is needed.
  • the embodiment of the present application provides a model protection method.
  • the model protection method is applied to a model protection device, and the model protection device includes an access authority controller and a memory controller.
  • the model protection method can be applied to the aforementioned model protection device provided in the embodiments of the present application.
  • the access authority controller can obtain the read instruction, perform an authentication operation on the read instruction, generate a control signal based on the authentication result, and send the read instruction to the memory controller, and the memory controller reads the AI model from the memory based on the read instruction. In this way, the access authority controller can control the process of decrypting the AI model, prevent the leakage and abuse of the AI model, and realize the protection of the AI model.
  • the model protection method includes:
  • Step 1001 the dedicated processor generates a read instruction, and sends the read instruction to the access authority controller.
  • Step 1002 the access authority controller obtains the read address for reading the AI model included in the read instruction, performs an authentication operation on the read instruction based on the read address, generates a control signal based on the authentication result, and sends the read instruction to the memory controller.
  • the control signal includes a first control signal and a second control signal, the first control signal is used to instruct the AI model to be decrypted, and the second control signal is used to instruct not to decrypt the AI model.
  • the access authority controller generates a control signal based on the authentication result, including: when the read address is a legal address, the access authority controller generates a first control signal; when the read address is an illegal address, the access authority The controller generates the second control signal.
  • the model protection device stores a decryption authority identifier, which is used to indicate whether the AI model used by the current computing task is allowed to be decrypted.
  • the access authority controller generates a control signal based on the authentication result, including: when the read address is a legal address and the specified condition is met, the access authority controller generates the first control signal; when the read address is an illegal address, and/or when the specified condition is not met, the access authority controller generates the second control signal.
  • the specified condition includes at least one of the following: the decryption permission identifier indicates that the AI model used by the current computing task is allowed to be decrypted; or, the AI model is an encryption model.
  • the model protection device further includes a first register, where the first register is used to store the valid address range of the AI model in the memory, and the access authority controller performing an authentication operation on the read instruction includes: the access authority controller reads the valid address range from the first register, and performs an authentication operation on the read instruction based on the valid address range and the read address.
  • the model protection method further includes: when the read address is an illegal address, the access authority controller sets the decryption authority identifier to indicate that all AI models used by the current computing task are not allowed to be decrypted.
  • the model protection method further includes: after completing the current computing task, the access authority controller resets the decryption authority identifier to indicate that decryption is permitted.
  • Step 1003 the memory controller reads the AI model from the memory based on the read instruction, and provides the AI model to the decryption circuit.
  • Step 1004 The decryption circuit receives the control signal generated by the access authority controller and, under the instruction of the control signal, either decrypts the AI model and transmits it to the dedicated processor, or transparently transmits the AI model to the dedicated processor without decrypting it.
  • the model protection device further includes: a key generation circuit.
  • the model protection method further includes: the key generation circuit obtains the root key of the model protection device, the version identifier of the AI model and the device identifier of the model protection device, and generates a decryption key for decrypting the AI model based on the root key, the version identifier and the device identifier.
  • the model protection device further includes a second register, where the second register is used to store the decryption key, and after the access authority controller generates the control signal based on the authentication result, the model protection method further includes: the decryption circuit in the model protection device reads the decryption key from the second register, and uses the decryption key to decrypt the AI model under the instruction of the control signal.
  • after the driver module 10 stores the AI model in the memory 20, it can send an instruction to the key generation circuit 306 instructing it to generate the decryption key; that is, the key generation circuit starts generating the decryption key under the instruction of the driver module 10.
  • the key generation circuit 306 may also generate the decryption key before the AI model is stored in the memory 20.
  • the key generation circuit 306 can generate a decryption key of the AI model for subsequent decryption and use.
  • Step 1005 The dedicated processor executes the current computing task based on the AI model transmitted by the decryption circuit.
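A software model of steps 1001 to 1005 above, added here as an illustration; it is not code from the patent or from the applicant's implementation. The 64-byte memory image and model placement, the HMAC-SHA256 keystream used as a stand-in for the cipher the patent does not specify, the constructed decryption key, the model header used to tell plaintext from ciphertext, and the string values of the two control signals are all assumptions. It shows the access authority controller checking the read address against the first register's valid range, the decryption authority identifier being set to "not allowed" on an illegal address and reset after the task completes, the memory controller always performing the read, and the decryption circuit either decrypting the model or passing the ciphertext through.

```python
import hmac
import hashlib
from dataclasses import dataclass, field

# Control signal values are an assumption; the patent only names a first and second signal.
FIRST_CONTROL_SIGNAL = "decrypt"        # first control signal: decrypt the AI model
SECOND_CONTROL_SIGNAL = "passthrough"   # second control signal: do not decrypt

# Constructed sample values, not from the patent.
DECRYPTION_KEY = hashlib.sha256(b"constructed-demo-key").digest()  # content of the second register
MODEL_HEADER = b"AIMODEL1"   # lets the processor tell plaintext from ciphertext
MODEL_LEN = len(MODEL_HEADER) + 24
MODEL_BASE = 16              # offset of the encrypted model in the 64-byte memory


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher (assumption): XOR with an HMAC-SHA256 keystream indexed
    by byte offset. The same call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, offset.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


@dataclass
class ModelProtectionDevice:
    memory: bytearray
    valid_range: tuple                    # first register: (start, end) of the AI model
    key: bytes = DECRYPTION_KEY           # second register: decryption key
    decrypt_allowed: bool = True          # decryption authority identifier
    model_encrypted: bool = True          # second clause of the specified condition
    signals: list = field(default_factory=list)  # control signals issued, for inspection

    # Access authority controller (step 1002).
    def authenticate(self, read_addr: int, length: int) -> str:
        start, end = self.valid_range
        legal = start <= read_addr and read_addr + length <= end
        if not legal:
            # An illegal address marks every model of the current task as not decryptable.
            self.decrypt_allowed = False
        condition_met = self.decrypt_allowed and self.model_encrypted
        signal = FIRST_CONTROL_SIGNAL if legal and condition_met else SECOND_CONTROL_SIGNAL
        self.signals.append(signal)
        return signal

    def finish_task(self) -> None:
        """After the computing task completes, the identifier is reset to 'allowed'."""
        self.decrypt_allowed = True

    # Memory controller (step 1003): it always reads; gating happens at decryption.
    def read_memory(self, read_addr: int, length: int) -> bytes:
        return bytes(self.memory[read_addr:read_addr + length])

    # Decryption circuit (step 1004).
    def decryption_circuit(self, data: bytes, signal: str) -> bytes:
        if signal == FIRST_CONTROL_SIGNAL:
            return keystream_xor(self.key, data)
        return data  # transparent transmission: the processor only ever sees ciphertext

    # Dedicated processor issuing a read instruction (steps 1001 and 1005).
    def run_task_read(self, read_addr: int, length: int) -> bytes:
        signal = self.authenticate(read_addr, length)
        raw = self.read_memory(read_addr, length)
        return self.decryption_circuit(raw, signal)


def model_usable(blob: bytes) -> bool:
    """Step 1005 can succeed only if the processor received the plaintext model."""
    return blob.startswith(MODEL_HEADER)


def build_device() -> ModelProtectionDevice:
    """Construct a device whose memory holds the encrypted sample model."""
    plaintext = MODEL_HEADER + bytes(range(24))           # constructed 'weights'
    encrypted = keystream_xor(DECRYPTION_KEY, plaintext)  # model manufacturer side
    memory = bytearray(64)
    memory[MODEL_BASE:MODEL_BASE + MODEL_LEN] = encrypted
    return ModelProtectionDevice(memory=memory, valid_range=(MODEL_BASE, MODEL_BASE + MODEL_LEN))


if __name__ == "__main__":
    dev = build_device()
    print("legal read usable:", model_usable(dev.run_task_read(MODEL_BASE, MODEL_LEN)))
    print("illegal read usable:", model_usable(dev.run_task_read(0, MODEL_LEN)))
    print("legal read, same task after illegal read:", model_usable(dev.run_task_read(MODEL_BASE, MODEL_LEN)))
    dev.finish_task()
    print("legal read after task reset:", model_usable(dev.run_task_read(MODEL_BASE, MODEL_LEN)))
```

The point worth noticing is the third read: its address is legal, but because the identifier was set by the earlier illegal read, the controller still issues the second control signal until the task is finished and the identifier reset.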
  • the read instruction is authenticated by the access authority controller, and a control signal indicating whether to decrypt the AI model read from the memory can be generated.
  • if the control signal indicates that the AI model is to be decrypted, the AI model can be used successfully; if the control signal indicates that the AI model is not to be decrypted, the AI model cannot be used. Therefore, by controlling the process of decrypting the AI model, the copying, leakage and abuse of the AI model can be prevented, the protection of the AI model is realized, and this helps to establish a sound AI model ecosystem and build a secure and reasonable profit model.
  • a model protection device provided by the embodiment of the present application can be implemented on a single SOC, does not require additional SOC cost or the cost of interaction between different SOC chips, and can realize the protection of the AI model at a lower cost.
  • since the protection of the AI model is realized by authenticating the read instruction, a technique for checking the validity of an instruction is also provided, so that the embodiment of the present application can also be applied to other scenarios where a similar permission check is needed.
  • the embodiments of the present application provide a computer device.
  • the computer device 1100 includes a processor 1110 , a communication interface 1120 and a memory 1130 .
  • the processor 1110 , the communication interface 1120 and the memory 1130 are connected to each other through a bus 1140 .
  • a computer program is stored in the memory 1130 .
  • the processor 1110 executes the computer program, the computer device implements the foregoing model protection method provided by the embodiments of the present application.
  • the bus 1140 can be divided into an address bus, a data bus, a control bus, and the like. For ease of presentation, only one thick line is used in FIG. 11, but it does not mean that there is only one bus or one type of bus.
  • the memory 1130 may include volatile memory, such as random-access memory (RAM).
  • the memory 1130 may also include non-volatile memory (non-volatile memory) such as flash memory (flash memory), hard disk drive (HDD) or solid-state drive (SSD).
  • Memory 1130 may also include a combination of the above-described types of memory.
  • the processor 1110 may be a hardware chip, and is configured to implement the model protection method provided by the embodiments of the present application.
  • the hardware chip may be an application-specific integrated circuit (ASIC), a programmable logic device (PLD) or a combination thereof.
  • the above-mentioned PLD may be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), a general-purpose array logic (generic array logic, GAL) or any combination thereof.
  • the processor 1110 may also be a general-purpose processor, such as a central processing unit (CPU), a network processor (NP), or a combination of CPU and NP.
  • the memory 1130 is used to store program instructions, and the processor 1110 invokes the program instructions stored in the memory 1130 to execute one or more steps in the model protection method provided by the embodiments of the present application, or optional implementations therein.
  • the computer device 1100 implements the model protection method provided by the above method embodiments.
  • the processor 1110 invokes the program instructions stored in the memory 1120, and the computer device 1100 can perform the following steps performed by the access authority controller: acquiring the read address for reading the AI model contained in the read instruction, performing an authentication operation on the read instruction based on the read address, generating a control signal based on the authentication result, and sending the read instruction to the memory controller.
  • the implementation process of executing this step may refer to the corresponding description in the foregoing embodiments.
  • the communication interface 1130 may be any one or any combination of the following devices: a network interface (eg, an Ethernet interface), a wireless network card, and other devices with a network access function.
  • An embodiment of the present application provides a computer-readable storage medium, which may be a non-transitory readable storage medium and stores instructions; when the instructions are executed by a processor of a computer, the computer executes the foregoing model protection method provided by the embodiments of the present application.
  • the storage medium can be any available medium that can be accessed by a computer or a data storage device such as a server, a data center, etc. that includes one or more available mediums integrated.
  • the available media may be magnetic media (eg, floppy disks, hard disks, magnetic tapes), optical media (eg, DVDs), or semiconductor media (eg, SSDs).
  • the present application also provides a computer program product, where the computer program product includes computer instructions, and when executed by a computer device, the computer device executes the aforementioned model protection method provided by the embodiments of the present application.
  • the embodiment of the present application also provides another model protection device, which can authenticate the operation of reading the AI model and determine whether to read the AI model from the memory according to the authentication result, so as to control the process of reading the AI model, prevent the leakage and abuse of the AI model, and realize the protection of the AI model.
  • the model protection device may be deployed in a computing device.
  • Embodiments of the present application provide a computing device.
  • the computing device may be a camera, a desktop computer, a mobile phone, a tablet computer, a smart TV, a smart wearable device, an in-vehicle communication device, a computer, and the like.
  • FIG. 2 for a schematic structural diagram of the computing device.
  • the computing device 0 includes a driver module 10 , a memory 20 and a model protection device 30
  • the model protection device 30 includes a memory controller 301 , an access authority controller 302 and a dedicated processor 303 .
  • the working process of the driver module 10, the memory 20 and the dedicated processor 303 in the computing device 0 corresponds to the working process of the corresponding device in the computing device 0 in the previous embodiment, and will not be repeated here.
  • the model protection device 30 includes: an access authority controller 302 and a memory controller 301 .
  • the access authority controller 302 is configured to acquire a read instruction, perform an authentication operation on the read instruction, generate a read indication signal based on the authentication result, and send the read indication signal and the read instruction to the memory controller 301.
  • the read indication signal is used to indicate whether the AI model is allowed to be read from the memory 20 .
  • the memory controller 301 is configured to, under the instruction of the read indication signal, either read the AI model from the memory 20 based on the read instruction, or not perform the operation of reading the AI model from the memory 20 based on the read instruction.
  • the read indication signal includes a first read indication signal and a second read indication signal.
  • the first read indication signal is used to indicate that the AI model is allowed to be read from the memory 20 .
  • the second read indication signal is used to indicate that the AI model is not allowed to be read from the memory 20 .
  • the access authority controller 302 is configured to generate the first read indication signal when the authentication of the read instruction passes, and generate the second read indication signal when the authentication of the read instruction fails.
  • the read indication signal is also used to indicate whether to decrypt the AI model read from the memory 20 .
  • the access authority controller 302 is further configured to send the read indication signal to the decryption circuit 304 of the model protection device 30, so that the decryption circuit 304 can perform the corresponding operation under the instruction of the read indication signal.
  • the first read indication signal is used to indicate that the AI model is allowed to be read from the memory 20 and the AI model read from the memory 20 is allowed to be decrypted.
  • the second read indication signal is used to indicate that the AI model is not allowed to be read from the memory 20, and the AI model read from the memory 20 is not allowed to be decrypted.
  • the model protection device 30 includes: an access authority controller 302 and a memory controller 301 .
  • the access authority controller 302 is configured to acquire the read command, perform an authentication operation on the read command, and determine whether to send the read command to the memory controller 301 based on the authentication result.
  • the access authority controller 302 is configured to send the read command to the memory controller 301 when the authentication of the read command is passed, so that the memory controller 301 can read the AI model from the memory 20 based on the read command;
  • otherwise, the read command is intercepted, so that the memory controller 301 cannot receive the read command and the AI model requested by the read command cannot be read from the memory 20.
  • the access authority controller 302 is specifically configured to: acquire a read address for reading the AI model included in the read instruction, and perform an authentication operation on the read instruction based on the read address.
  • the access authority controller 302 is specifically configured to: when the read address is a legal address, determine that the authentication of the read instruction passes, and when the read address is an illegal address, determine that the authentication of the read instruction fails.
  • the model protection device 30 stores a decryption authority identifier, which is used to indicate whether the AI model used by the current computing task is allowed to be decrypted, and the access authority controller 302 is specifically configured to: when the read address is a legal address and the specified condition is met, determine that the authentication of the read instruction passes; when the read address is an illegal address, and/or when the specified condition is not met, determine that the authentication of the read instruction fails.
  • the specified condition includes at least one of the following: the decryption permission identifier indicates that the AI model used by the current computing task is allowed to be decrypted, or the AI model is an encryption model.
  • the access authority controller 302 is further configured to: when the read address is an illegal address, control the decryption authority identifier to indicate that all AI models used by the current computing task are not allowed to be decrypted.
  • the access authority controller 302 is further configured to reset the decryption authority identifier to indicate that decryption is permitted after the current computing task is completed.
  • the model protection device 30 further includes a first register 305, where the first register 305 is used to store the valid address range of the AI model in the memory 20; correspondingly, the access authority controller 302 is specifically configured to read the valid address range from the first register 305, and perform an authentication operation on the read command based on the valid address range and the read address.
  • the model protection device 30 further includes: a decryption circuit 304 and a dedicated processor 303 .
  • the dedicated processor 303 is used to generate a read command and send the read command to the access rights controller 302 .
  • the decryption circuit 304 is used to decrypt the AI model, and transmit the decrypted AI model to the special-purpose processor 303 , or transparently transmit the AI model to the special-purpose processor 303 .
  • the dedicated processor 303 is also used for executing the current computing task based on the AI model transmitted by the decryption circuit 304 .
  • the model protection device 30 further includes a key generation circuit 306; the key generation circuit 306 is used to obtain the root key of the model protection device 30, the version identifier of the AI model and the device identifier of the model protection device 30, and to generate a decryption key for decrypting the AI model based on the root key, the version identifier and the device identifier.
  • the model protection device 30 further includes: a second register 307 .
  • the second register 307 is used to store the decryption key.
  • the decryption circuit 304 in the model protection device 30 is specifically configured to read the decryption key from the second register 307, and use the decryption key to decrypt the AI model.
  • the read command is authenticated by the access authority controller, and according to the authentication result it is controlled whether the AI model requested by the read command is read from the memory. When the AI model is stored in the memory in the form of an encrypted model, if the authentication passes, the AI model can be read from the memory and used successfully; if the authentication fails, the AI model cannot be read from the memory and therefore cannot be used. Therefore, by controlling the process of reading the AI model from the memory, the copying, leakage and abuse of the AI model can be prevented, the protection of the AI model is realized, and this helps to establish a sound AI model ecosystem and build a secure and reasonable profit model.
  • a model protection device provided by the embodiment of the present application can be implemented on a single SOC, does not require additional SOC cost or the cost of interaction between different SOC chips, and can realize the protection of the AI model at a lower cost.
  • since the protection of the AI model is realized by authenticating the read command, a technique for checking the validity of a command is also provided, so that the embodiment of the present application can also be applied to other scenarios where a similar permission check is needed.
  • the embodiment of the present application provides a model protection method.
  • the model protection method is applied to a model protection device, and the model protection device includes an access authority controller and a memory controller.
  • the model protection method can be applied to the aforementioned model protection device provided in the embodiments of the present application.
  • the access authority controller can obtain a read instruction, perform an authentication operation on the read instruction, and control whether the memory controller reads the AI model from the memory based on the authentication result. In this way, the access authority controller can control the process of reading the AI model from the memory, prevent the leakage and abuse of the AI, and realize the protection of the AI model.
  • the model protection method includes:
  • Step 1201 The dedicated processor generates a read instruction, and sends the read instruction to the access authority controller.
  • Step 1202 the access authority controller obtains the read address for reading the AI model contained in the read instruction, performs an authentication operation on the read instruction based on the read address, generates a read indication signal based on the authentication result, and sends the read indication signal and the read instruction to the memory controller.
  • the read indication signal includes a first read indication signal and a second read indication signal.
  • the first read indication signal is used to instruct the AI model to be read from the memory.
  • the second read indication signal is used to instruct not to read the AI model from the memory.
  • the access authority controller is configured to generate the first read indication signal when the authentication of the read instruction passes, and generate the second read indication signal when the authentication of the read instruction fails.
  • the access authority controller performs an authentication operation on the read instruction, including: when the read address is a legal address, determining that the authentication of the read instruction passes, and when the read address is an illegal address, determining that the authentication of the read instruction fails.
  • the access authority controller performs an authentication operation on the read instruction, including: when the read address is a legal address and the specified condition is met, determining that the authentication of the read instruction passes; when the read address is an illegal address, and/or when the specified condition is not met, determining that the authentication of the read instruction fails.
  • the specified condition includes at least one of the following: the decryption permission identifier indicates that the AI model used by the current computing task is allowed to be decrypted, or the AI model is an encryption model.
  • Step 1203 Under the instruction of the read indication signal, the memory controller either reads the AI model from the memory based on the read instruction and provides the AI model to the decryption circuit, or does not perform the operation of reading the AI model from the memory based on the read instruction.
  • Step 1204 The decryption circuit decrypts the AI model, and transmits the decrypted AI model to the dedicated processor, or transparently transmits the AI model to the dedicated processor.
  • Step 1205 The dedicated processor executes the current computing task based on the AI model transmitted by the decryption circuit.
  • the model protection method includes:
  • Step 1301 The dedicated processor generates a read instruction, and sends the read instruction to the access authority controller.
  • Step 1302 The access authority controller obtains the read address for reading the AI model included in the read instruction, performs an authentication operation on the read instruction based on the read address, and determines whether to send the read instruction to the memory controller based on the authentication result.
  • the access authority controller sends the read instruction to the memory controller when the authentication of the read instruction passes, and then executes step 1303, so that the memory controller can read the AI model from the memory based on the read instruction;
  • otherwise, the read instruction is intercepted, so that the memory controller cannot receive the read instruction, the AI model requested by the read instruction cannot be read from the memory, and this model protection process based on the read instruction ends.
  • Step 1303 The memory controller reads the AI model from the memory based on the read instruction, and provides the AI model to the decryption circuit.
  • Step 1304 The decryption circuit decrypts the AI model, and transmits the decrypted AI model to the dedicated processor, or transparently transmits the AI model to the dedicated processor.
  • Step 1305 The dedicated processor executes the current computing task based on the AI model transmitted by the decryption circuit.
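The two read-gating variants above, steps 1201 to 1205 (the read instruction is always forwarded together with a read indication signal that tells the memory controller whether to perform the read) and steps 1301 to 1305 (the read instruction is forwarded only when authentication passes and is intercepted otherwise), as one added example that is not code from the patent or the applicant. The 64-byte memory image, the valid address range, the string values of the read indication signals and the bus-level read counter used to show that a denied read never reaches memory are all assumptions; the decryption circuit is left out because the point of these variants is whether the read happens at all.

```python
from dataclasses import dataclass

# Read indication signal values are an assumption; the patent names a first and a second signal.
FIRST_READ_INDICATION = "allow-read"    # AI model may be read from memory
SECOND_READ_INDICATION = "deny-read"    # AI model must not be read from memory


@dataclass
class MemoryController:
    memory: bytes
    reads_performed: int = 0   # counts actual memory accesses, to show what a denial prevents

    def read(self, addr: int, length: int, indication: str = FIRST_READ_INDICATION):
        """Step 1203 / 1303: perform the read only under the first read indication signal."""
        if indication != FIRST_READ_INDICATION:
            return None          # second branch of step 1203: operation not performed
        self.reads_performed += 1
        return self.memory[addr:addr + length]


@dataclass
class AccessAuthorityController:
    memory_controller: MemoryController
    valid_range: tuple               # first register: (start, end) of the AI model
    decrypt_allowed: bool = True     # decryption authority identifier
    model_encrypted: bool = True     # second clause of the specified condition

    def authenticate(self, addr: int, length: int) -> bool:
        """Authentication on the read address, with the specified condition attached."""
        start, end = self.valid_range
        legal = start <= addr and addr + length <= end
        if not legal:
            # An illegal address marks every model of the current task as not decryptable.
            self.decrypt_allowed = False
        return legal and self.decrypt_allowed and self.model_encrypted

    def finish_task(self) -> None:
        """Reset the decryption authority identifier once the computing task completes."""
        self.decrypt_allowed = True

    # Variant of steps 1201-1203: always forward the read instruction plus a read indication signal.
    def read_with_indication(self, addr: int, length: int):
        indication = FIRST_READ_INDICATION if self.authenticate(addr, length) else SECOND_READ_INDICATION
        return self.memory_controller.read(addr, length, indication)

    # Variant of steps 1301-1303: forward only on success; otherwise intercept the instruction.
    def read_with_interception(self, addr: int, length: int):
        if not self.authenticate(addr, length):
            return None          # intercepted: the memory controller never sees the instruction
        return self.memory_controller.read(addr, length)


def build_controller() -> AccessAuthorityController:
    """Constructed 64-byte memory image: 16 bytes of padding, a 32-byte 'model', 16 bytes of padding."""
    image = bytes(16) + bytes(range(32)) + bytes(16)
    return AccessAuthorityController(memory_controller=MemoryController(memory=image),
                                     valid_range=(16, 48))


if __name__ == "__main__":
    ctrl = build_controller()
    print("legal read:", ctrl.read_with_indication(16, 32) is not None)
    print("illegal read (address 0):", ctrl.read_with_indication(0, 32))
    print("memory accesses so far:", ctrl.memory_controller.reads_performed)
    ctrl.finish_task()
    print("intercepted read (overruns range):", ctrl.read_with_interception(40, 32))
    print("memory accesses still:", ctrl.memory_controller.reads_performed)
```

In both variants the encrypted model stays in memory when authentication fails; the difference is only where the decision is enforced, at the memory controller under the read indication signal or at the access authority controller by intercepting the instruction.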
  • the read instruction is authenticated by the access authority controller, and according to the authentication result it is controlled whether the AI model requested by the read instruction is read from the memory. When the AI model is stored in the memory in the form of an encrypted model, if the authentication passes, the AI model can be read from the memory and used successfully; if the authentication fails, the AI model cannot be read from the memory and therefore cannot be used. Therefore, by controlling the process of reading the AI model from the memory, the copying, leakage and abuse of the AI model can be prevented, the protection of the AI model is realized, and this helps to establish a sound AI model ecosystem and build a secure and reasonable profit model.
  • a model protection device provided by the embodiment of the present application can be implemented on a single SOC, does not require additional SOC cost or the cost of interaction between different SOC chips, and can realize the protection of the AI model at a lower cost.
  • since the protection of the AI model is realized by authenticating the read instruction, a technique for checking the validity of an instruction is also provided, so that the embodiment of the present application can also be applied to other scenarios where a similar permission check is needed.
  • the embodiments of the present application provide a computer device.
  • the computer device includes a processor, a communication interface and a memory.
  • the processor, the communication interface and the memory are connected to each other through a bus.
  • a computer program is stored in the memory.
  • the processor executes the computer program, the computer device implements the foregoing model protection method provided by the embodiments of the present application.
  • for the implementation manner and structure of the computer device, refer to the corresponding content of the aforementioned computer device provided in the embodiments of the present application.
  • An embodiment of the present application provides a computer-readable storage medium, which may be a non-transitory readable storage medium, and stores instructions in the computer-readable storage medium. When the instructions are executed by a processor, the computer It is used to execute the foregoing model protection method provided by the embodiments of the present application.
  • the storage medium can be any available medium that can be accessed by a computer or a data storage device such as a server, a data center, etc. that includes one or more available mediums integrated.
  • the available media may be magnetic media (eg, floppy disks, hard disks, magnetic tapes), optical media (eg, DVDs), or semiconductor media (eg, SSDs).
  • the present application also provides a computer program product, where the computer program product includes computer instructions, and when executed by a computer device, the computer device executes the aforementioned model protection method provided by the embodiments of the present application.

Abstract

A model protection device (30), a method, and a computing device, related to the technical field of artificial intelligence. The model protection device (30) comprises: an access permission controller (302) and a memory controller (301). The access permission controller (302) is used for acquiring a read instruction. The read instruction is used for requesting to read an artificial intelligence (AI) model from a memory. The access permission controller (302) is also used for executing an authentication operation with respect to the read instruction and generating a control signal on the basis of the authentication result. The control signal is used for indicating whether to decrypt the AI model read from the memory. The access permission controller (302) is also used for transmitting the read instruction to the memory controller (301). The memory controller (301) is used for reading the AI model from the memory on the basis of the read instruction. The model protection device (30) prevents the copying, disclosure, and abuse of AI, thus implementing the protection of the AI model.

Description

Model protection device and method, computing device
Technical field
The present application relates to the technical field of artificial intelligence (AI), and in particular to a model protection device and method, and a computing device.
Background
With the rapid development of artificial intelligence technology, AI models are used to solve problems in more and more application scenarios. AI models are extremely valuable intellectual property, and protecting them is of great significance.
At present, AI models are mainly protected by legal means such as contracts to prevent leakage and abuse, and there is no effective technical solution for protecting AI models.
Summary of the invention
The present application provides a model protection device and method, and a computing device, which can protect an AI model. The technical solutions provided by the present application are as follows:
In a first aspect, the present application provides a model protection device, which includes an access authority controller and a memory controller. The access authority controller is used to obtain a read instruction, which requests reading an AI model from memory. The access authority controller is also used to perform an authentication operation on the read instruction and generate a control signal based on the authentication result; the control signal indicates whether to decrypt the AI model read from the memory. The access authority controller is also used to send the read instruction to the memory controller, and the memory controller is used to read the AI model from the memory based on the read instruction.
By authenticating the read instruction with the access authority controller, a control signal can be generated indicating whether to decrypt the AI model read from the memory. When the AI model is stored in the memory as an encrypted model, the AI model can be successfully used only if the control signal indicates that it is to be decrypted; if the control signal indicates that it is not to be decrypted, the AI model cannot be used. Therefore, by controlling the decryption of the AI model, copying, leakage and abuse of the AI model can be prevented and protection of the AI model is realized, which helps to establish a sound AI model ecosystem and build a safe and reasonable profit model.
Optionally, the access authority controller is specifically used to: obtain the read address for reading the AI model contained in the read instruction, and perform the authentication operation on the read instruction based on the read address. For example, in addition to obtaining the read address contained in the read instruction, the access authority controller may also obtain the valid address range in memory of the AI model that the read instruction requests, and perform the authentication operation according to the read address and the valid address range. The valid address range of the AI model in memory covers at least the actual storage address of the AI model in memory. The valid address range may be set by the driver module according to the storage address of the AI model after the driver module stores the AI model in memory.
The control signal includes a first control signal and a second control signal; the first control signal indicates that the AI model is to be decrypted, and the second control signal indicates that the AI model is not to be decrypted.
In one implementation, the access authority controller is specifically used to generate the first control signal when the read address is a legal address, and generate the second control signal when the read address is an illegal address. A read address within the valid address range of the AI model is called a legal address; a read address outside the valid address range is called an illegal address.
In another implementation, the access authority controller may also perform the authentication operation according to conditions other than the read address. For example, a decryption permission flag is stored in the model protection device and indicates whether the AI model used by the current computing task is allowed to be decrypted. Correspondingly, the access authority controller is specifically used to generate the first control signal when the read address is a legal address and a specified condition is met, and generate the second control signal when the read address is an illegal address and/or the specified condition is not met. The specified condition includes at least one of the following: the decryption permission flag indicates that the AI model used by the current computing task is allowed to be decrypted, or the AI model is an encrypted model.
Optionally, the access authority controller may also set the decryption permission flag according to whether the read address is a legal address. In one implementation, when the access authority controller determines that the read address is an illegal address, it can set the decryption permission flag to indicate that none of the AI models used by the current computing task are allowed to be decrypted. In this way, a penalty mechanism for decryption of the AI model is realized by judging the read address: once the read address is determined to be illegal, the decryption permission flag is set to indicate that none of the AI models used by the current computing task may be decrypted. When a malicious model is used to attack an AI model that needs to be protected, the malicious model usually has to be read from memory first, and the read address carried by the read instruction requesting the malicious model is not a legal address. In that case the penalty mechanism sets the decryption permission flag so that it indicates that none of the AI models used by the current computing task are allowed to be decrypted, which prevents the AI model from being attacked through the malicious model.
Moreover, since the decryption permission flag indicates whether the AI model used by the current computing task is allowed to be decrypted, a single decryption permission flag may be set for multiple computing tasks executed serially by the computing device, with its value during the execution of each task indicating whether the AI model used by that task is allowed to be decrypted. Alternatively, a separate decryption permission flag may be set for each computing task, indicating whether the AI model used by the corresponding task is allowed to be decrypted.
Correspondingly, when a single decryption permission flag is set for multiple serially executed computing tasks, the access authority controller may, after the current computing task is completed, reset the decryption permission flag to indicate that decryption is allowed, so that computing tasks executed after the current one can obtain the AI model normally. Optionally, the decryption permission flag may also be reset in other ways, for example by power-cycling the computing device.
Whether the AI model is an encrypted model can be determined according to the model vendor's protection requirements for the model. When the model vendor needs to protect the AI model, it can encrypt the AI model and set an encryption flag indicating that the AI model is an encrypted model. When the model vendor does not need to protect the AI model, the AI model need not be encrypted, and the encryption flag is set to indicate that the AI model is a non-encrypted model.
In one implementation, the authentication operation performed by the access authority controller further includes: the access authority controller determines whether a received read command is a read instruction. If the read command received by the access authority controller is not a read instruction, the read command is not a request to read the AI model from memory and the data read by it does not need to be decrypted, so the access authority controller can generate a control signal indicating that the content read by the read command is not to be decrypted. A read command requests reading content such as data or computer programs; a read instruction is one kind of read command, namely one that requests reading a computer program.
It should be noted that the execution order of the process in which the access authority controller determines whether the read address is a legal address, the process of checking what the decryption permission flag indicates, the process of determining whether the AI model is an encrypted model, and the process of determining whether the received read command is a read instruction can be set according to application requirements.
In one implementation, the process in which the access authority controller performs the authentication operation and generates the control signal according to the authentication result includes: the access authority controller obtains a read command; after receiving the read command, the access authority controller checks whether the decryption permission flag indicates that the AI model used by the current computing task is allowed to be decrypted. When the flag indicates that the AI model is not allowed to be decrypted, the access authority controller generates the second control signal. When the flag indicates that the AI model is allowed to be decrypted, the access authority controller determines whether the AI model is an encrypted model; when the AI model is a non-encrypted model, the access authority controller generates the second control signal. When the AI model is an encrypted model, the access authority controller determines whether the read command is a read instruction for reading the AI model; when it is not, the access authority controller generates the second control signal. When the read command is a read instruction for reading the AI model, the access authority controller determines whether the read address is a legal address: when the read address is legal, the first control signal is generated; when the read address is illegal, the decryption permission flag is set to indicate that none of the AI models used by the current computing task may be decrypted, and the access authority controller generates the second control signal.
When any one of the above judgment conditions is not satisfied, the access authority controller generates the second control signal without evaluating the remaining conditions, which reduces the workload of the access authority controller and ensures authentication efficiency. Moreover, when the authentication process judges first by the decryption permission flag, then whether the AI model is an encrypted model, then whether the read command is a read instruction, and finally whether the read address is a legal address, the judgment proceeds from coarse-grained to fine-grained conditions, which further ensures the reliability of authentication.
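The coarse-to-fine authentication sequence above, together with the penalty mechanism and the per-task reset, as an added Python simulation that is not part of the patent; the class and field names (`AccessAuthorityController`, `decrypt_allowed`, `is_read_instruction`) and the sample address range are assumptions chosen for illustration, and the first register is modelled as a start address plus a length as the description permits.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List


class ControlSignal(Enum):
    """The two control signals the access authority controller can emit."""
    FIRST = "decrypt"        # first control signal: decryption circuit decrypts the model
    SECOND = "pass_through"  # second control signal: model is passed through undecrypted


@dataclass(frozen=True)
class ReadCommand:
    """A read command arriving at the controller (constructed test input)."""
    address: int
    is_read_instruction: bool  # True if it requests the AI model, False for ordinary data


@dataclass
class AccessAuthorityController:
    """Simulates the controller's authentication logic (hypothetical names)."""
    range_start: int              # first register: start of the valid address range
    range_length: int             # first register: length of the valid address range
    model_encrypted: bool         # encryption flag set by the model vendor
    decrypt_allowed: bool = True  # decryption permission flag for the current task

    def is_legal_address(self, address: int) -> bool:
        """Legal means inside the model's valid address range [start, start+len)."""
        return self.range_start <= address < self.range_start + self.range_length

    def authenticate(self, cmd: ReadCommand) -> ControlSignal:
        """Run the judgments coarse to fine; the first failing one short-circuits."""
        if not self.decrypt_allowed:            # 1. permission flag already revoked
            return ControlSignal.SECOND
        if not self.model_encrypted:            # 2. plaintext model needs no decryption
            return ControlSignal.SECOND
        if not cmd.is_read_instruction:         # 3. ordinary data read, never decrypted
            return ControlSignal.SECOND
        if self.is_legal_address(cmd.address):  # 4. address inside the valid range
            return ControlSignal.FIRST
        # Illegal address: the penalty mechanism revokes decryption for the
        # rest of the current computing task, so later legal reads also fail.
        self.decrypt_allowed = False
        return ControlSignal.SECOND

    def finish_task(self) -> None:
        """Reset the permission flag once the current computing task completes."""
        self.decrypt_allowed = True


def run_trace(controller: AccessAuthorityController,
              commands: List[ReadCommand]) -> List[ControlSignal]:
    """Authenticate a sequence of commands issued within one computing task."""
    return [controller.authenticate(cmd) for cmd in commands]


if __name__ == "__main__":
    ctrl = AccessAuthorityController(range_start=0x1000, range_length=0x800,
                                     model_encrypted=True)
    trace = run_trace(ctrl, [
        ReadCommand(0x1100, True),   # legal model read        -> FIRST
        ReadCommand(0x1100, False),  # data read inside range  -> SECOND
        ReadCommand(0x2000, True),   # illegal read            -> SECOND, flag revoked
        ReadCommand(0x1100, True),   # legal again, penalised  -> SECOND
    ])
    for signal in trace:
        print(signal.name)
    ctrl.finish_task()
    print(ctrl.authenticate(ReadCommand(0x1100, True)).name)  # FIRST again
```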
Optionally, the model protection device further includes a first register, which stores the valid address range of the AI model in memory. The access authority controller is specifically used to read the valid address range from the first register and perform the authentication operation on the read instruction based on the valid address range and the read address.
In one implementation, the first register may be a collective name for one or more registers used to store the valid address range. For example, the valid address range may be represented by variables stored in two registers, one storing the start address of the valid address range and the other storing either the length of the valid address range or its end address.
Optionally, the model protection device further includes a decryption circuit and a dedicated processor. The dedicated processor is used to generate the read instruction and send it to the access authority controller. The decryption circuit is used to receive the control signal generated by the access authority controller and, as indicated by the control signal, either decrypt the AI model and transmit it to the dedicated processor or pass the AI model through to the dedicated processor without decryption. The dedicated processor is also used to execute the current computing task based on the AI model transmitted by the decryption circuit.
Moreover, the model protection device further includes a key generation circuit, which is used to obtain the root key of the model protection device, the version identifier of the AI model and the device identifier of the model protection device, and to generate, based on the root key, the version identifier and the device identifier, the decryption key used to decrypt the AI model.
To ensure that the AI model can be decrypted with this decryption key, the way the key generation circuit generates the decryption key from the root key, version identifier and device identifier must be consistent with the way the encryption key used to encrypt the AI model was generated from the root key, version identifier and device identifier. For example, the algorithm for generating the decryption key and the algorithm for generating the encryption key may be the same.
Further, the model protection device further includes a second register, which stores the decryption key. Correspondingly, the decryption circuit in the model protection device is specifically used to read the decryption key from the second register and, as indicated by the control signal, decrypt the AI model with the decryption key.
When the decryption circuit decrypts the AI model, if the decryption key is the same as the encryption key used to encrypt the AI model, the decryption circuit can successfully decrypt the AI model with the decryption key; if the decryption key differs from the encryption key, the AI model cannot be decrypted.
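An added Python example, not from the patent, of the key binding described in the preceding paragraphs: the model key is derived from the root key, the version identifier and the device identifier, so a blob encrypted for one device and version cannot be decrypted with the key derived on another. The patent names no algorithms, so the HMAC-SHA256 key derivation, the SHA-256 counter-mode keystream and the encrypt-then-MAC layout are assumptions standing in for the real circuit; the tag check makes a key mismatch an explicit refusal rather than silently producing garbage weights.

```python
import hashlib
import hmac
import struct
from typing import Optional

TAG_LEN = 32  # HMAC-SHA256 tag appended to the ciphertext (assumed layout)


def derive_model_key(root_key: bytes, version_id: bytes, device_id: bytes) -> bytes:
    """Derive the per-device, per-version model key with HMAC-SHA256 (assumed KDF).

    Every input is length-prefixed so that different (version_id, device_id)
    pairs can never collide through ambiguous concatenation.
    """
    info = b"".join(struct.pack(">I", len(part)) + part
                    for part in (b"ai-model-key", version_id, device_id))
    return hmac.new(root_key, info, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode; a stand-in for the decryption circuit's cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + struct.pack(">Q", counter)).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_model(key: bytes, nonce: bytes, model: bytes) -> bytes:
    """Model vendor side: ciphertext followed by an HMAC tag over nonce||ciphertext."""
    ct = bytes(m ^ k for m, k in zip(model, _keystream(key, nonce, len(model))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return ct + tag


def decrypt_model(key: bytes, nonce: bytes, blob: bytes) -> Optional[bytes]:
    """Decryption circuit side: return the plaintext model, or None when the tag
    does not verify, i.e. the derived key is not the key the model was encrypted with."""
    if len(blob) < TAG_LEN:
        return None
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


if __name__ == "__main__":
    # Constructed sample values; a real root key lives in the device, never in code.
    root = bytes(range(32))
    model = b"constructed model weights " * 4
    nonce = b"\x00" * 12
    key_a = derive_model_key(root, b"v1.2", b"device-A")
    blob = encrypt_model(key_a, nonce, model)
    print(decrypt_model(key_a, nonce, blob) == model)                        # True
    print(decrypt_model(derive_model_key(root, b"v1.2", b"device-B"), nonce, blob))  # None
```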
In a second aspect, the present application provides a computing device that includes a memory and the model protection device provided in the first aspect or any of its possible implementations.
Optionally, the computing device further includes a driver module, which is used to receive a task request sent by an AI application, determine the AI model required by the task request, obtain that AI model from the non-volatile storage medium of the computing device, request memory from the memory controller, store the AI model and the data to be computed carried by the task request in the memory allocated by the memory controller, and then send a task execution indication to the dedicated processor instructing it to execute the computing task requested by the task request. The task execution indication notifies the dedicated processor of task information such as the storage address in memory of the data to be computed and the storage address in memory of the AI model. Correspondingly, the dedicated processor is used to send the read instruction after receiving the task execution indication.
In a third aspect, the present application provides a model protection method, applied to a model protection device that includes an access authority controller and a memory controller. The model protection method includes: the access authority controller obtains a read instruction, which requests reading an AI model from memory; the access authority controller performs an authentication operation on the read instruction and generates a control signal based on the authentication result, the control signal indicating whether to decrypt the AI model read from the memory; the access authority controller sends the read instruction to the memory controller; and the memory controller reads the AI model from the memory based on the read instruction.
Optionally, the access authority controller performing the authentication operation on the read instruction includes: the access authority controller obtains the read address for reading the AI model contained in the read instruction and performs the authentication operation on the read instruction based on the read address.
Optionally, the control signal includes a first control signal indicating that the AI model is to be decrypted and a second control signal indicating that the AI model is not to be decrypted, and the access authority controller generating the control signal based on the authentication result includes: when the read address is a legal address, the access authority controller generates the first control signal; when the read address is an illegal address, the access authority controller generates the second control signal.
Optionally, the control signal includes a first control signal indicating that the AI model is to be decrypted and a second control signal indicating that the AI model is not to be decrypted; a decryption permission flag is stored in the model protection device, indicating whether the AI model used by the current computing task is allowed to be decrypted; and the access authority controller generating the control signal based on the authentication result includes: when the read address is a legal address and a specified condition is met, the access authority controller generates the first control signal; when the read address is an illegal address and/or the specified condition is not met, the access authority controller generates the second control signal. The specified condition includes at least one of the following: the decryption permission flag indicates that the AI model used by the current computing task is allowed to be decrypted; or the AI model is an encrypted model.
Optionally, after the access authority controller performs the authentication operation on the read instruction, the model protection method further includes: when the read address is an illegal address, the access authority controller sets the decryption permission flag to indicate that none of the AI models used by the current computing task are allowed to be decrypted.
Optionally, after the access authority controller performs the authentication operation on the read instruction, the model protection method further includes: after the current computing task is completed, the access authority controller resets the decryption permission flag to indicate that decryption is allowed.
Optionally, the model protection device further includes a first register storing the valid address range of the AI model in memory, and the access authority controller performing the authentication operation on the read instruction includes: the access authority controller reads the valid address range from the first register and performs the authentication operation on the read instruction based on the valid address range and the read address.
Optionally, the model protection device further includes a decryption circuit and a dedicated processor. Before the access authority controller obtains the read instruction, the model protection method further includes: the dedicated processor generates the read instruction and sends it to the access authority controller. After the access authority controller generates the control signal based on the authentication result, the model protection method further includes: the decryption circuit receives the control signal generated by the access authority controller and, as indicated by the control signal, either decrypts the AI model and transmits it to the dedicated processor or passes the AI model through to the dedicated processor without decryption; and the dedicated processor executes the current computing task based on the AI model transmitted by the decryption circuit.
Optionally, the model protection device further includes a key generation circuit, and the model protection method further includes: the key generation circuit obtains the root key of the model protection device, the version identifier of the AI model and the device identifier of the model protection device, and generates, based on the root key, the version identifier and the device identifier, the decryption key used to decrypt the AI model.
Optionally, the model protection device further includes a second register storing the decryption key, and after the access authority controller generates the control signal based on the authentication result, the model protection method further includes: the decryption circuit in the model protection device reads the decryption key from the second register and, as indicated by the control signal, decrypts the AI model with the decryption key.
In a fourth aspect, the present application provides a computer device that includes a processor and a memory in which a computer program is stored. When the processor executes the computer program, the computer device implements the model protection method provided in the third aspect or any of its possible implementations.
In a fifth aspect, the present application provides a computer-readable storage medium storing instructions which, when executed by a processor, implement the model protection method provided in the third aspect or any of its possible implementations.
In a sixth aspect, the present application provides a model protection device used to obtain a read instruction, perform an authentication operation on the read instruction, and control, based on the authentication result, whether the AI model is read from memory.
通过访问权限控制器对读指令进行鉴权,并根据鉴权结果控制是否根据读指令从内存中读取读指令请求读取的AI模型,当该AI模型以加密模型的形式存储在内存中时,若鉴权通过才能够从内存中读取AI模型,才有可能成功使用该AI模型,若鉴权不通过无法从内存中读取AI模型,则无法使用该AI模型。因此,通过对从内存中读取AI模型的过程进行控制,能够防止AI的拷贝、泄露和滥用,实现对该AI模型的保护,有助于建立完善的AI模型生态,构筑安全合理的盈利模式。The read command is authenticated by the access authority controller, and according to the authentication result, it is controlled whether to read the AI model requested by the read command from the memory according to the read command. When the AI model is stored in the memory in the form of an encrypted model If the AI model can be read from the memory only after the authentication is passed, it is possible to use the AI model successfully. If the AI model cannot be read from the memory after the authentication is not passed, the AI model cannot be used. Therefore, by controlling the process of reading the AI model from the memory, it can prevent the copying, leakage and abuse of AI, realize the protection of the AI model, help to establish a perfect AI model ecology, and build a safe and reasonable profit model .
在一种可实现方式中,该模型保护装置包括:访问权限控制器和内存控制器。访问权限控制器用于获取读指令,对读指令执行鉴权操作,基于鉴权结果生成读指示信号,并将该读指示信号和读指令发送至内存控制器。该读指示信号用于指示是否从内存中读取AI模型。内存控制器用于在读指示信号的指示下,基于读指令从内存中读取AI模型,或者,在读指示信号的指示下,不执行基于读指令从内存中读取AI模型的操作。In an implementation manner, the model protection device includes: an access authority controller and a memory controller. The access authority controller is used to acquire a read instruction, perform an authentication operation on the read instruction, generate a read instruction signal based on the authentication result, and send the read instruction signal and the read instruction to the memory controller. The read indication signal is used to indicate whether to read the AI model from memory. The memory controller is used to read the AI model from the memory based on the read instruction under the instruction of the read instruction signal, or, under the instruction of the read instruction signal, not to perform the operation of reading the AI model from the memory based on the read instruction.
其中,读指示信号包括第一读指示信号和第二读指示信号。第一读指示信号用于指示从内存中读出AI模型。第二读指示信号用于指示不从内存中读出AI模型。相应的,访问权限控制器用于在对读指令的鉴权通过时,生成第一读指示信号,在对读指令的鉴权不通过时,生成第二读指示信号。The read indication signal includes a first read indication signal and a second read indication signal. The first read indication signal is used to instruct the AI model to be read from the memory. The second read indication signal is used to instruct not to read the AI model from the memory. Correspondingly, the access authority controller is configured to generate a first read instruction signal when the authentication of the read instruction is passed, and generate a second read instruction signal when the authentication of the read instruction fails.
在另一种可实现方式中,模型保护装置包括:访问权限控制器和内存控制器。访问权限控制器用于获取读指令,对读指令执行鉴权操作,基于鉴权结果确定是否向内存控制器发送读指令。可选地,访问权限控制器用于在对读指令的鉴权通过时,将读指令发送至内存控制器,以便于内存控制器基于该读指令从内存中读出AI模型;在对读指令的鉴权不通过时,对读指令进行拦截,使得内存控制器无法接收到该读指令,从而无法从内存中读取该读指令请求读取的AI模型。In another implementation manner, the model protection device includes: an access authority controller and a memory controller. The access authority controller is used to acquire the read command, perform an authentication operation on the read command, and determine whether to send the read command to the memory controller based on the authentication result. Optionally, the access authority controller is used to send the read command to the memory controller when the authentication of the read command is passed, so that the memory controller can read the AI model from the memory based on the read command; When the authentication fails, the read command is intercepted, so that the memory controller cannot receive the read command, so that the AI model requested by the read command cannot be read from the memory.
在访问权限控制器鉴权的一种可实现方式中,访问权限控制器具体用于:当读地址为合法地址时,确定对读指令的鉴权通过,当读地址为非法地址时,确定对读指令的鉴权不通过。 其中,当读地址位于AI模型的有效地址范围内时,该读地址称为合法地址,当读地址位于AI模型的有效地址范围外时,该读地址称为非法地址。In an implementation manner of the authentication of the access authority controller, the access authority controller is specifically used to: when the read address is a legal address, determine that the authentication of the read instruction is passed, and when the read address is an illegal address, determine the The authentication of the read command failed. Among them, when the read address is within the valid address range of the AI model, the read address is called a legal address, and when the read address is outside the valid address range of the AI model, the read address is called an illegal address.
在访问权限控制器鉴权的另一种可实现方式中,模型保护装置中存储有解密权限标识,解密权限标识用于指示当前计算任务使用的AI模型是否允许被解密,访问权限控制器具体用于:当读地址为合法地址且满足指定条件时,确定对读指令的鉴权通过;当读地址为非法地址,和/或,不满足指定条件时,确定对读指令的鉴权不通过。其中,指定条件包括以下至少一个:解密权限标识指示当前计算任务使用的AI模型允许被解密,或,AI模型为加密模型。In another possible implementation of authentication by the access authority controller, the model protection device stores a decryption authority identifier, and the decryption authority identifier is used to indicate whether the AI model used by the current computing task is allowed to be decrypted. In: when the read address is a legal address and meets the specified conditions, it is determined that the authentication of the read command is passed; when the read address is an illegal address, and/or the specified conditions are not met, it is determined that the authentication of the read command fails. The specified condition includes at least one of the following: the decryption permission identifier indicates that the AI model used by the current computing task is allowed to be decrypted, or the AI model is an encryption model.
第七方面,本申请提供了一种计算装置,该计算装置包括:内存和如第六方面以及其任一种可能的实现方式中提供的模型保护装置。In a seventh aspect, the present application provides a computing device, the computing device comprising: a memory and the model protection device provided in the sixth aspect and any possible implementation manner thereof.
In an eighth aspect, the present application provides a model protection method applied to a model protection device that includes an access authority controller and a memory controller. The method includes: obtaining a read instruction, performing an authentication operation on the read instruction, and controlling, based on the authentication result, whether the memory controller reads the AI model out of the memory.
In one possible implementation, the method includes: the access authority controller obtains the read instruction, performs an authentication operation on it, generates a read indication signal based on the authentication result, and sends the read indication signal and the read instruction to the memory controller. The read indication signal indicates whether the AI model is to be read from the memory. As directed by the read indication signal, the memory controller either reads the AI model from the memory based on the read instruction or does not perform that read.
The read indication signal includes a first read indication signal and a second read indication signal. The first read indication signal indicates that the AI model is to be read out of the memory; the second read indication signal indicates that it is not. Correspondingly, the access authority controller generates the first read indication signal when authentication of the read instruction passes, and the second read indication signal when authentication of the read instruction fails.
In another possible implementation, the method includes: the access authority controller obtains the read instruction, performs an authentication operation on it, and determines, based on the authentication result, whether to send the read instruction to the memory controller. Optionally, when authentication passes, the access authority controller forwards the read instruction to the memory controller so that the memory controller reads the AI model from the memory based on it; when authentication fails, the access authority controller intercepts the read instruction, so that the memory controller never receives it and the AI model requested by the read instruction cannot be read from the memory.
In one possible implementation, the access authority controller performing the authentication operation on the read instruction includes: determining that authentication passes when the read address is a legal address, and that it fails when the read address is an illegal address.
Optionally, the model protection device stores a decryption permission identifier indicating whether the AI model used by the current computing task is allowed to be decrypted, and the access authority controller performing the authentication operation on the read instruction includes: determining that authentication passes when the read address is a legal address and a specified condition is satisfied, and that it fails when the read address is an illegal address and/or the specified condition is not satisfied. The specified condition includes at least one of the following: the decryption permission identifier indicates that the AI model used by the current computing task is allowed to be decrypted, or the AI model is an encrypted model.
In a ninth aspect, the present application provides a computer device including a processor and a memory in which a computer program is stored. When the processor executes the computer program, the computer device implements the model protection method provided in the eighth aspect or any of its possible implementations.
In a tenth aspect, the present application provides a computer-readable storage medium storing instructions which, when executed by a processor, implement the model protection method provided in the eighth aspect or any of its possible implementations.
In an eleventh aspect, the present application provides a model protection device including an access authority control module and a memory controller. The access authority control module is configured to obtain a read instruction that requests reading an artificial intelligence (AI) model from the memory; to perform an authentication operation on the read instruction and generate, based on the authentication result, a control signal indicating whether the AI model read from the memory is to be decrypted; and to send the read instruction to the memory controller. The memory controller is configured to read the AI model from the memory based on the read instruction.
Optionally, the access authority control module is specifically configured to obtain the read address for reading the AI model contained in the read instruction, and to perform the authentication operation on the read instruction based on the read address.
Optionally, the control signal includes a first control signal, which directs that the AI model be decrypted, and a second control signal, which directs that it not be decrypted; the access authority control module is specifically configured to generate the first control signal when the read address is a legal address and the second control signal when the read address is an illegal address.
Optionally, the control signal includes a first control signal, which directs that the AI model be decrypted, and a second control signal, which directs that it not be decrypted; the model protection device stores a decryption permission identifier indicating whether the AI model used by the current computing task is allowed to be decrypted; and the access authority control module is specifically configured to generate the first control signal when the read address is a legal address and a specified condition is satisfied, and the second control signal when the read address is an illegal address and/or the specified condition is not satisfied. The specified condition includes at least one of the following: the decryption permission identifier indicates that the AI model used by the current computing task is allowed to be decrypted; or the AI model is an encrypted model.
Optionally, the access authority control module is further configured to set the decryption permission identifier, when the read address is an illegal address, to indicate that none of the AI models used by the current computing task may be decrypted.
Optionally, the access authority control module is further configured to reset the decryption permission identifier to indicate that decryption is permitted once the current computing task is completed.
Optionally, the model protection device further includes a first register storing the valid address range of the AI model in the memory, and the access authority control module is specifically configured to read the valid address range from the first register and perform the authentication operation on the read instruction based on the valid address range and the read address.
Optionally, the model protection device further includes a decryption module and a dedicated processor. The dedicated processor generates the read instruction and sends it to the access authority control module. The decryption module receives the control signal generated by the access authority control module and, as directed by the control signal, either decrypts the AI model and transmits it to the dedicated processor or passes the AI model through to the dedicated processor undecrypted. The dedicated processor further executes the current computing task based on the AI model transmitted by the decryption module.
Optionally, the model protection device further includes a key generation module configured to obtain the root key of the model protection device, the version identifier of the AI model and the device identifier of the model protection device, and to generate, based on the root key, the version identifier and the device identifier, a decryption key for decrypting the AI model.
Optionally, the model protection device further includes a second register storing the decryption key, and the decryption module is specifically configured to read the decryption key from the second register and, as directed by the control signal, decrypt the AI model with the decryption key.
In a twelfth aspect, the present application provides a model protection device including an access authority control module and a memory controller. The access authority control module is configured to obtain a read instruction, perform an authentication operation on it, and control, based on the authentication result, whether the memory controller reads the AI model out of the memory.
In one possible implementation, the access authority control module is specifically configured to obtain the read instruction, perform an authentication operation on it, generate a read indication signal based on the authentication result, and send the read indication signal and the read instruction to the memory controller. The read indication signal indicates whether the AI model is to be read from the memory. The memory controller is configured to read the AI model from the memory based on the read instruction when so directed by the read indication signal, or to refrain from reading the AI model from the memory based on the read instruction when so directed by the read indication signal.
The read indication signal includes a first read indication signal and a second read indication signal. The first read indication signal indicates that the AI model is to be read out of the memory; the second read indication signal indicates that it is not. Correspondingly, the access authority control module is specifically configured to generate the first read indication signal when authentication of the read instruction passes, and the second read indication signal when authentication of the read instruction fails.
In another possible implementation, the access authority control module is specifically configured to obtain the read instruction, perform an authentication operation on it, and determine, based on the authentication result, whether to send the read instruction to the memory controller. Optionally, the access authority control module is specifically configured to forward the read instruction to the memory controller when authentication passes, so that the memory controller reads the AI model from the memory based on the read instruction, and to intercept the read instruction when authentication fails, so that the memory controller never receives it and the AI model requested by the read instruction cannot be read from the memory.
Optionally, the access authority control module is specifically configured to obtain the read address for reading the AI model contained in the read instruction, and to perform the authentication operation on the read instruction based on the read address.
In one possible implementation, the access authority control module is specifically configured to determine that authentication of the read instruction passes when the read address is a legal address, and that it fails when the read address is an illegal address.
Optionally, the model protection device stores a decryption permission identifier indicating whether the AI model used by the current computing task is allowed to be decrypted, and the access authority control module is specifically configured to determine that authentication of the read instruction passes when the read address is a legal address and a specified condition is satisfied, and that it fails when the read address is an illegal address and/or the specified condition is not satisfied. The specified condition includes at least one of the following: the decryption permission identifier indicates that the AI model used by the current computing task is allowed to be decrypted, or the AI model is an encrypted model.
Optionally, the access authority control module is further configured to set the decryption permission identifier, when the read address is an illegal address, to indicate that none of the AI models used by the current computing task may be decrypted.
Optionally, the access authority control module is further configured to reset the decryption permission identifier to indicate that decryption is permitted once the current computing task is completed.
Optionally, the model protection device further includes a first register storing the valid address range of the AI model in the memory. Correspondingly, the access authority control module is specifically configured to read the valid address range from the first register and perform the authentication operation on the read instruction based on the valid address range and the read address.
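The address-range check, the decryption permission identifier and the two signal variants described in the sixth, eighth, eleventh and twelfth aspects above, as an added Python simulation that is not part of the patent; the class and method names, the sample address range and the policy of checking both specified conditions are assumptions made for this illustration.

```python
from dataclasses import dataclass
from enum import Enum


class ControlSignal(Enum):
    """Control signal sent to the decryption module (eleventh/twelfth aspects)."""
    FIRST = "decrypt"        # first control signal: decrypt the model read from memory
    SECOND = "pass-through"  # second control signal: hand the still-encrypted model through


class ReadIndication(Enum):
    """Read indication signal sent to the memory controller (sixth/eighth aspects)."""
    FIRST = "read"           # first read indication: perform the read
    SECOND = "block"         # second read indication: do not perform the read


@dataclass
class AccessAuthorityController:
    """Constructed stand-in for the access authority controller / control module."""
    valid_range: tuple            # first register: (start, end) of the model, end exclusive
    model_is_encrypted: bool = True
    decrypt_allowed: bool = True  # decryption permission identifier for the current task

    def address_is_legal(self, read_addr: int, length: int) -> bool:
        # Legal only if the whole read burst stays inside the model's valid address range;
        # a burst that starts inside but runs past the end is treated as illegal.
        start, end = self.valid_range
        return start <= read_addr and read_addr + length <= end

    def authenticate(self, read_addr: int, length: int = 1) -> bool:
        """Authentication operation on one read instruction.

        An illegal address clears the decryption permission identifier for the rest
        of the current task, so a task that probes outside the model region receives
        no plaintext afterwards, even for legal addresses.
        """
        legal = self.address_is_legal(read_addr, length)
        if not legal:
            self.decrypt_allowed = False
        # Specified condition: the patent lists "permission identifier allows decryption"
        # and "model is an encrypted model" as alternatives; this simulation checks both.
        return legal and self.decrypt_allowed and self.model_is_encrypted

    def control_signal(self, read_addr: int, length: int = 1) -> ControlSignal:
        # Variant in which the memory read always happens and the signal gates decryption.
        if self.authenticate(read_addr, length):
            return ControlSignal.FIRST
        return ControlSignal.SECOND

    def read_indication(self, read_addr: int, length: int = 1) -> ReadIndication:
        # Variant in which the signal gates the memory read itself.
        if self.authenticate(read_addr, length):
            return ReadIndication.FIRST
        return ReadIndication.SECOND

    def complete_task(self) -> None:
        # Once the current computing task finishes, decryption is permitted again.
        self.decrypt_allowed = True


def trace(controller: AccessAuthorityController, reads) -> list:
    """Feeds a sequence of (read_addr, length) and returns the control signal per read."""
    return [controller.control_signal(addr, n).value for addr, n in reads]


if __name__ == "__main__":
    # Constructed sample: the encrypted model occupies [0x1000, 0x2000) in memory.
    ctl = AccessAuthorityController(valid_range=(0x1000, 0x2000))
    reads = [(0x1000, 64), (0x1FC0, 64), (0x1FC0, 128), (0x1000, 64)]
    print(trace(ctl, reads))  # the third burst crosses the end of the range and locks the task
    ctl.complete_task()
    print(ctl.control_signal(0x1000, 64).value)
```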
Optionally, the model protection device further includes a decryption module and a dedicated processor. The dedicated processor generates the read instruction and sends it to the access authority control module. The decryption module decrypts the AI model and transmits the decrypted AI model to the dedicated processor, or passes the AI model through to the dedicated processor; the dedicated processor further executes the current computing task based on the AI model transmitted by the decryption module.
Optionally, the model protection device further includes a key generation module configured to obtain the root key of the model protection device, the version identifier of the AI model and the device identifier of the model protection device, and to generate, based on the root key, the version identifier and the device identifier, a decryption key for decrypting the AI model.
Optionally, the model protection device further includes a second register storing the decryption key. Correspondingly, the decryption module is specifically configured to read the decryption key from the second register and decrypt the AI model with the decryption key.
In a thirteenth aspect, the present application provides a model protection method that includes: a first computer device obtains a responsible party identifier and a root key for an artificial intelligence model; a third computer device obtains the device identifier of a model protection device provided by a second computer device and sends that device identifier to the first computer device, the model protection device being deployed in the third computer device and used to run the artificial intelligence model; the first computer device allocates a version identifier to the artificial intelligence model and generates an encryption key for the model from the device identifier of the model protection device, the version identifier of the model and the root key; the first computer device encrypts the artificial intelligence model with the encryption key and sends the encrypted model to the third computer device; and the third computer device burns the encrypted artificial intelligence model into its non-volatile storage medium.
Because the encryption key is derived from the device identifier, the root key and the version identifier, a change in any one of them produces a different encryption key. Moreover, because different model protection devices have different device identifiers, the encryption keys generated from their device identifiers differ, so different model protection devices can be used to protect different AI models.
Optionally, the first computer device may generate a model vendor identifier and generate the root key from it, thereby obtaining both the model vendor identifier and the root key. Alternatively, the first computer device may request a root key from the second computer device; the second computer device then allocates a model vendor identifier to the model vendor in response to the request, generates the root key from that identifier, and sends the root key and the model vendor identifier to the first computer device.
In one possible implementation, the root key is generated from the model vendor identifier and a base root key provided by the chip vendor.
Further, so that the root key can be stored securely, it may be preset in the non-volatile storage medium of the model protection device.
Optionally, so that the terminal vendor's computing device can decrypt the encrypted AI model, the first computer device also needs to send the responsible party identifier and the version identifier to the third computer device.
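The three-party provisioning flow of the thirteenth aspect and the key generation of the eleventh and twelfth aspects, simulated end to end on one host as an added Python example that is not part of the patent. The patent names no key derivation function or cipher, so the HMAC-SHA256 derivation, the HMAC-based keystream (unauthenticated, standing in for the block-cipher mode a real decryption circuit would use), the role names and all sample identifiers are assumptions.

```python
import hashlib
import hmac


def kdf(key: bytes, *labels: bytes) -> bytes:
    # Assumed KDF: HMAC-SHA256 over length-prefixed labels, so that the label pairs
    # (b"ab", b"c") and (b"a", b"bc") cannot produce the same key.
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for label in labels:
        mac.update(len(label).to_bytes(2, "big") + label)
    return mac.digest()


def derive_root_key(base_root_key: bytes, vendor_id: bytes) -> bytes:
    # Root key of one model vendor: generated by the chip vendor (second computer
    # device) from its base root key and the model vendor identifier, then preset
    # in the non-volatile storage of the model protection device.
    return kdf(base_root_key, b"root-key", vendor_id)


def derive_model_key(root_key: bytes, version_id: bytes, device_id: bytes) -> bytes:
    # Same function on both ends: the encryption key at the model vendor and the
    # decryption key in the device's key generation circuit. Changing the root key,
    # the version identifier or the device identifier changes the result.
    return kdf(root_key, b"model-key", version_id, device_id)


def xor_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Placeholder stream cipher (constructed, unauthenticated); symmetric, so the
    # same call encrypts and decrypts.
    stream = bytearray()
    block = 0
    while len(stream) < len(data):
        stream += kdf(key, b"keystream", nonce, block.to_bytes(4, "big"))
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class ModelProtectionDevice:
    """Constructed stand-in for the model protection device inside the terminal."""

    def __init__(self, device_id: bytes, root_key: bytes):
        self.device_id = device_id    # shared with the model vendor during provisioning
        self._root_key = root_key     # preset by the chip vendor; never leaves the device
        self.nvm = {}                 # constructed stand-in for non-volatile storage

    def burn(self, package: dict) -> None:
        # Terminal vendor burns the encrypted model plus identifiers into NVM.
        self.nvm.update(package)

    def load_model(self) -> bytes:
        # Key generation circuit: root key + version identifier + own device identifier.
        key = derive_model_key(self._root_key, self.nvm["version_id"], self.device_id)
        return xor_keystream(key, self.nvm["version_id"], self.nvm["ciphertext"])


def provision(base_root_key: bytes, vendor_id: bytes, version_id: bytes,
              model: bytes, device: ModelProtectionDevice) -> dict:
    """Runs the exchange of the thirteenth aspect; returns the package burned into NVM."""
    # 1. chip vendor -> model vendor: model vendor identifier and root key
    root_key = derive_root_key(base_root_key, vendor_id)
    # 2. terminal vendor -> model vendor: device identifier of the model protection device
    device_id = device.device_id
    # 3. model vendor: allocate a version identifier, derive the encryption key, encrypt
    enc_key = derive_model_key(root_key, version_id, device_id)
    package = {
        "vendor_id": version_id and vendor_id,   # responsible party identifier
        "version_id": version_id,
        "ciphertext": xor_keystream(enc_key, version_id, model),
    }
    # 4. model vendor -> terminal vendor: encrypted model, vendor and version identifiers
    device.burn(package)
    return package


if __name__ == "__main__":
    base = b"constructed-base-root-key"
    root = derive_root_key(base, b"vendor-A")
    dev = ModelProtectionDevice(b"device-0001", root)
    weights = b"constructed model weights " * 5
    provision(base, b"vendor-A", b"v1", weights, dev)
    print(dev.load_model() == weights)
```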
Description of the drawings
FIG. 1 is a schematic structural diagram of a computing device provided by an embodiment of the present application;
FIG. 2 is a schematic structural diagram of another computing device provided by an embodiment of the present application;
FIG. 3 is a schematic structural diagram of a model protection device provided by an embodiment of the present application;
FIG. 4 is a schematic structural diagram of another model protection device provided by an embodiment of the present application;
FIG. 5 is a schematic structural diagram of yet another computing device provided by an embodiment of the present application;
FIG. 6 is a schematic diagram of a read instruction being transmitted between a dedicated processor and a memory controller according to an embodiment of the present application;
FIG. 7 is a flowchart of a method in which an access authority controller performs an authentication operation and generates a control signal according to the authentication result, provided by an embodiment of the present application;
FIG. 8 is a flowchart of generating the encryption key of an AI model and of the encryption and decryption of the AI model, provided by an embodiment of the present application;
FIG. 9 is a schematic diagram of the information flow of FIG. 8, provided by an embodiment of the present application;
FIG. 10 is a flowchart of a model protection method provided by an embodiment of the present application;
FIG. 11 is a schematic structural diagram of a computer device provided by an embodiment of the present application;
FIG. 12 is a flowchart of another model protection method provided by an embodiment of the present application;
FIG. 13 is a flowchart of yet another model protection method provided by an embodiment of the present application.
具体实施方式Detailed ways
To make the objectives, technical solutions and advantages of the present application clearer, the embodiments of the present application are described in further detail below with reference to the accompanying drawings.
With the rapid development of artificial intelligence technology, more and more application scenarios use AI models to solve problems. AI models are extremely valuable intellectual property, and protecting them is of great significance. Protecting an AI model reduces the risk of the model being leaked or abused, and thereby safeguards the rights and interests of the enterprise that invested in creating it.
A usage scenario of an AI model usually involves the AI model, the dedicated processor on which implementing the AI model depends, and the computing device that uses the AI model to perform computing tasks. Here, the AI model depending on a dedicated processor means that implementing the functions of the AI model requires hardware resources in the dedicated processor. Furthermore, for a computing device to be able to use the AI model, the dedicated processor on which implementing the AI model depends needs to be deployed in the computing device. For example, the AI model may be a computer program for implementing face recognition, and the dedicated processor may be a neural-network processing unit (NPU) whose hardware is used to implement the face recognition function of the AI model; the computing device may be a camera in which that dedicated processor is deployed, and the camera can use the face recognition function to implement functions such as access control.
A computing task usually includes multiple operations. For example, a computing task for face recognition includes operations such as face detection, face key point localization, face alignment, face feature extraction and feature comparison.
Typically, the AI model, the dedicated processor and the computing device are provided by at least two vendors. In one implementation, the AI model is provided by a model vendor, the dedicated processor by a chip vendor, and the computing device by a terminal vendor. The dedicated processor can provide an interface through which the AI model can work together with the hardware in the dedicated processor, thereby implementing the functions of the AI model. The terminal vendor can assemble the dedicated processor with other components such as a non-volatile storage medium to obtain the computing device, and burn the AI model into the non-volatile storage medium of the computing device, so that the computing device can perform computing tasks using the AI model and the dedicated processor. In another implementation, the AI model and the dedicated processor are provided by the same vendor, and the computing device by a terminal vendor. In this case the terminal vendor assembles the dedicated processor with other components such as a non-volatile storage medium to obtain the computing device, and burns the AI model into the non-volatile storage medium of the computing device.
The process in which a computing device 0 uses an AI model is described below taking FIG. 1 as an example. FIG. 1 is a schematic structural diagram of a computing device 0 according to an embodiment of the present application. As shown in FIG. 1, the computing device 0 includes a driver module 10, a memory 20, a memory controller 301 and a dedicated processor 303.
The driver module 10 is configured to receive a task request sent by an AI application, determine from the task request the AI model it requires, obtain that AI model from the non-volatile storage medium (not shown in FIG. 1) of the computing device 0, then request memory 20 from the memory controller 301, store the AI model and the data to be computed carried in the task request in the memory 20 allocated by the memory controller 301, and then send a task execution instruction to the dedicated processor 303 to instruct the dedicated processor 303 to execute the computing task requested by the task request. It should be understood that the driver module 10 is usually implemented in software; optionally, the driver module may also be called a driver. The task execution instruction is used to notify the dedicated processor 303 of task information such as the storage address of the data to be computed in the memory 20 and the storage address of the AI model in the memory 20. The driver module 10 does not need to decrypt the AI model and can store the AI model directly in the memory 20. Optionally, the AI application may send the task request to the driver module 10 through an application programming interface (API). In one implementation, the driver module 10 may be implemented in software.
The dedicated processor 303 is configured to obtain, according to the task execution instruction, the data to be computed and the AI model stored in the memory 20, perform the computing task on the data to be computed using the AI model, and store the computation result in the memory 20. When the dedicated processor 303 needs to obtain the data to be computed and the AI model stored in the memory 20, it may send to the memory controller 301 a read instruction requesting to read the AI model and a read command requesting to read the data to be computed, so that the memory controller 301 reads the AI model and the data to be computed from the memory 20 and sends them to the dedicated processor 303.
As can be seen from the above, in the computing device 0 shown in FIG. 1, when the AI model and the computing device 0 are provided by different vendors, if the AI model is not encrypted, the computing device 0's use of the AI model cannot be effectively restricted. Therefore, to safeguard the rights and interests of the model vendor that provides the AI model, the AI model provided by the model vendor urgently needs to be protected.
To this end, an embodiment of the present application provides a model protection device 30. The model protection device 30 can authenticate the operation of reading the AI model and, according to the authentication result, determine whether to decrypt the AI model read from the memory 20. By controlling the process of decrypting the AI model, it prevents leakage and abuse of the AI model and thus protects it.
The model protection device 30 may be deployed in the computing device 0. An embodiment of the present application provides a computing device. The computing device 0 may be a camera, a desktop computer, a mobile phone, a tablet computer, a smart TV, a smart wearable device, an in-vehicle communication device, a computer or the like. FIG. 2 is a schematic structural diagram of another computing device 0 according to an embodiment of the present application. As shown in FIG. 2, the computing device 0 includes a driver module 10, a memory 20 and a model protection device 30, and the model protection device 30 includes a memory controller 301, an access permission controller (APC) 302 and a dedicated processor 303. For the working processes of the driver module 10, the memory 20 and the dedicated processor 303 in this computing device 0, refer to the working processes of the corresponding components of the computing device 0 in FIG. 1, which are not repeated here.
Optionally, the driver module 10 notifying the dedicated processor 303, through the task execution instruction, of the storage address of the data to be computed in the memory 20 and the storage address of the AI model in the memory 20 may be implemented by means of a linked list node. For example, the task execution instruction may carry the address of a linked list node in the memory 20, and the linked list node stores the storage address of the AI model in the memory 20. In this case, when the dedicated processor 303 receives the task execution instruction, it reads the address of the linked list node in the memory 20; the dedicated processor 303 then fetches the linked list node from the memory 20 according to that address, obtains the storage address of the AI model in the memory 20 from the linked list node, and then fetches the AI model from the memory 20 according to the address obtained from the linked list node. A linked list is a data structure that includes multiple linked list nodes in a logical order. Each linked list node consists of two parts: a data field that stores the node's data, and a link that indicates the address of the next linked list node. In this embodiment of the present application, the data field of the linked list node is used to indicate the storage address of the AI model in the memory 20.
Since the computing device 0 usually needs to process a large number of computing tasks, to ensure their orderly execution, in the computing device 0 provided in this embodiment of the present application the process from the driver module 10 sending the task execution instruction to the dedicated processor 303, up to the dedicated processor 303 obtaining the data to be computed and the AI model stored in the memory 20, may be implemented through a hardware queue. Multiple computing tasks are usually queued in the hardware queue, and the dedicated processor 303 can execute them serially in the order in which they are queued. Neither FIG. 1 nor FIG. 2 shows that the computing device 0 further includes the hardware queue.
For example, the driver module 10 may write the task execution instruction into the hardware queue, where it is queued in order; when the execution time of the computing task indicated by the task execution instruction arrives, the hardware queue sends the task execution instruction to the dedicated processor 303. After receiving the task execution instruction, the dedicated processor 303 sends to the hardware queue a read instruction requesting to read the AI model from the memory 20. According to that read instruction, the hardware queue sends to the memory controller 301 a read instruction requesting to read the AI model from the memory 20. After the hardware queue has read the AI model from the memory 20, it sends the AI model to the dedicated processor 303, so that the dedicated processor 303 performs the computing task on the data to be computed using the AI model.
Furthermore, the dedicated processor 303 starting to execute the computing task indicated by the task execution instruction may be triggered by a register. When the computing task is implemented through the hardware queue and a linked list node, this register is used to trigger the hardware queue to fetch the linked list node from the memory 20, obtain from it the storage address of the AI model in the memory 20, and send the obtained address to the dedicated processor 303, so that the dedicated processor 303 sends the read instruction according to the corresponding address.
In addition, the computing device 0 may further include a memory management unit (MMU) (not shown in FIG. 2), which performs address mapping between the address carried in a memory access request and the physical address at which the data is stored in the memory. In this way, the memory controller 301 may be indirectly connected to the memory 20 through the memory management unit, and the interaction between the memory controller 301 and the memory 20 may take place through it.
It should be noted that, after the dedicated processor 303 sends a read instruction to the hardware queue, the hardware queue forwards the read instruction to the memory controller 301, and after the hardware queue reads the AI model from the memory 20 it sends the AI model to the dedicated processor 303; this process can therefore be regarded as the dedicated processor 303 reading the AI model from the memory 20 by sending a read command. Moreover, when the process from the driver module 10 sending the task execution instruction to the dedicated processor 303, up to the dedicated processor 303 reading the data to be computed and the AI model from the memory 20, is not implemented through a hardware queue, the dedicated processor 303 likewise needs to send a read instruction to the memory controller 301 to read the AI model from the memory 20. Therefore, in the embodiments of the present application, for brevity of description, regardless of whether that process is implemented through a hardware queue, the dedicated processor 303 sending a read instruction is regarded as sending the read instruction to the memory controller 301, and the process from the dedicated processor 303 sending the read instruction to the dedicated processor 303 reading the AI model out of the memory 20 is referred to simply as the dedicated processor 303 sending a read instruction to the memory controller 301 to read the AI model from the memory 20; no distinction is made as to whether a hardware queue is present, nor as to which component the dedicated processor 303 sends the read instruction to.
The implementation of the model protection device 30 provided by the embodiments of the present application is described below. As shown in FIG. 3, the model protection device 30 includes an access permission controller 302 and a memory controller 301.
The access permission controller 302 is configured to obtain a read instruction, perform an authentication operation on the read instruction, generate a control signal based on the authentication result, and send the read instruction to the memory controller 301. The read instruction requests that the AI model be read from the memory 20. The control signal indicates whether to decrypt the AI model read from the memory 20. The control signal may include a first control signal and a second control signal: the first control signal instructs that the AI model be decrypted, and the second control signal instructs that the AI model not be decrypted.
The memory controller 301 is configured to read the AI model from the memory 20 based on the read instruction.
There are many kinds of AI models, and different application scenarios may use different AI models. In one implementation, the AI model in this embodiment of the present application may be a neural network model.
As can be seen from the above, by authenticating the read instruction, the access permission controller 302 can generate a control signal indicating whether to decrypt the AI model read from the memory 20. When the AI model is stored in the memory 20 as an encrypted model, the AI model can be used successfully only if the control signal instructs that it be decrypted; if the control signal instructs that it not be decrypted, the AI model cannot be used. Therefore, the access permission controller 302 provided in this embodiment of the present application controls the process of decrypting the AI model, preventing leakage and abuse of the AI model and thus protecting it.
Further, as shown in FIG. 4, the model protection device 30 may further include a decryption circuit 304 and a dedicated processor 303.
The dedicated processor 303 is configured to generate a read instruction and send it to the access permission controller 302, so that the access permission controller 302 performs an authentication operation on the read instruction. After the driver module 10 has stored the AI model and the data to be computed in the memory 20, it may send a task execution instruction to the dedicated processor 303 to instruct it to execute the computing task requested by the task request. Correspondingly, the dedicated processor 303 may generate the read instruction according to the task execution instruction and send it to the access permission controller 302. The task execution instruction may carry the address of the AI model in the memory 20, and correspondingly the read instruction sent by the dedicated processor 303 may carry that memory 20 address.
The decryption circuit 304 is configured to receive the control signal generated by the access permission controller 302 and, as the control signal indicates, either decrypt the AI model and transmit it to the dedicated processor 303, or pass the AI model through to the dedicated processor 303 unchanged. Optionally, the decryption circuit 304 may decrypt the AI model using a decryption algorithm. The decryption algorithm used by the decryption circuit 304 may be a block cipher algorithm conforming to an International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) international standard. For example, the decryption algorithm used by the decryption circuit 304 may be the Advanced Encryption Standard (AES) algorithm.
The dedicated processor 303 is further configured to execute the current computing task based on the AI model transmitted by the decryption circuit 304. Specifically, the dedicated processor 303 runs hardware such as the circuits within it to provide hardware acceleration for the AI model, thereby executing the computing task based on the AI model. The dedicated processor 303 may be a processor dedicated to AI computation; for example, it may be an NPU.
In one implementation, as shown in FIG. 5 and FIG. 6, the access permission controller 302 may be attached to the read channel over which the dedicated processor 303 sends read commands to the memory controller 301, and the decryption circuit 304 may be attached to the response channel over which the memory controller 301 sends read responses to the dedicated processor 303 according to the read commands. A read command requests that content such as data or a computer program be read; a read instruction is one kind of read command, namely one that requests that a computer program be read. In this case, the transmission path of a read instruction sent by the dedicated processor 303 between the dedicated processor 303 and the memory controller 301 is: first from the dedicated processor 303 to the access permission controller 302, then from the access permission controller 302 to the memory controller 301. The access permission controller 302 can therefore obtain the read instruction sent to the memory controller 301 and perform an authentication operation on it. Moreover, the control signal that the access permission controller 302 generates according to the authentication result of the read instruction may be sent to the memory controller 301 along with the read instruction. The memory controller 301 may carry the AI model read according to the read instruction in the read response and send the control signal to the decryption circuit 304 along with the read response, so that the decryption circuit 304, according to the control signal, either decrypts the AI model and sends the decrypted AI model to the dedicated processor 303, or passes the AI model through to the dedicated processor 303 unchanged.
Alternatively, the access permission controller 302 may be attached to the read channel over which the dedicated processor 303 sends commands or data to all other components, so that the access permission controller 302 can obtain all commands and data sent by the dedicated processor 303. In this case, the access permission controller 302 may also classify the obtained commands and data and perform the authentication operation on those classified as read commands sent to the memory controller 301.
Alternatively still, the access permission controller 302 may be implemented in other ways, provided that it can obtain the read instruction sent by the dedicated processor 303, generate a control signal according to the authentication result of the read instruction, and send that control signal to the decryption circuit 304 used to decrypt the AI model, and provided that the AI model sent to the decryption circuit 304 and the control signal indicating whether to decrypt that AI model correspond to each other. For example, the access permission controller 302 need not be attached to the read channel over which the dedicated processor 303 sends read commands to the memory controller 301; when the dedicated processor 303 sends a read instruction to the memory controller 301, it may simultaneously send the read instruction to the access permission controller 302 and indicate that the AI model read according to the read instruction carries the identifier of that read instruction and that the control signal generated according to the read instruction carries the identifier of that read instruction, so that the correspondence between the AI model and the control signal indicating whether to decrypt it is established through the identifier of the read instruction; this is not specifically limited in the embodiments of the present application. The reason the AI model sent to the decryption circuit 304 and the control signal indicating whether to decrypt it must correspond is so that the decryption circuit 304 can determine, according to a control signal, whether to decrypt the AI model corresponding to that control signal.
In one implementation, the control signal's indication for the decryption process may be implemented through the value of a variable carried in the control signal. For example, when the value of the variable is 1, the control signal instructs that the AI model read from the memory 20 be decrypted, and the control signal may then be called the first control signal. When the value of the variable is 0, the control signal instructs that the AI model read from the memory 20 not be decrypted, and the control signal may then be called the second control signal.
Moreover, the control signal may be implemented as an accompanying signal that travels along the same path as the data. For example, the dashed arrow in FIG. 5 represents the transmission path of the control signal: as shown in FIG. 5, after the access permission controller 302 sends the control signal to the memory controller 301, the memory controller 301 may send the control signal to the decryption circuit 304 along with the AI model. In one implementation, the content indicated by the control signal may be represented by the value of a variable; correspondingly, the memory controller 301 may carry the value of that variable in an extension field of the data sent to the decryption circuit 304, so that the value in the extension field expresses what the control signal indicates.
在访问权限控制器302执行鉴权操作的一种可实现方式中,访问权限控制器302可以获取读指令中包含的用于读取AI模型的读地址,并基于读地址对读指令执行鉴权操作。例如,除了获取读指令中包含的用于读取AI模型的读地址,访问权限控制器302还可以获取读指令请求读取的AI模型在内存20中的有效地址范围,并根据该读地址和该有效地址范围,执行对读指令的鉴权操作。其中,AI模型在内存20中的有效地址范围至少覆盖AI模型在内存20中的真实存储地址。AI模型在内存20中的有效地址范围可以是驱动模块10将AI模型存储在内存20中之后,根据AI模型在内存20中的存储地址设置的。In an implementation manner in which the access authority controller 302 performs the authentication operation, the access authority controller 302 may obtain the read address for reading the AI model contained in the read instruction, and perform authentication on the read instruction based on the read address operate. For example, in addition to acquiring the read address for reading the AI model contained in the read instruction, the access authority controller 302 can also acquire the effective address range in the memory 20 of the AI model requested to be read by the read instruction, and according to the read address and The valid address range is used to authenticate the read command. The effective address range of the AI model in the memory 20 at least covers the real storage address of the AI model in the memory 20 . The effective address range of the AI model in the memory 20 may be set according to the storage address of the AI model in the memory 20 after the driver module 10 stores the AI model in the memory 20 .
可选地,该有效地址范围可以采用寄存器存储。相应的,如图4所示,模型保护装置30还可以包括:第一寄存器305,该第一寄存器305用于存储AI模型在内存20中的有效地址范围。在一种可实现方式中,该第一寄存器305可以为用于实现存储有效地址范围的一个或多个寄存器的统称。例如,该有效地址范围可以通过两个寄存器中存储的变量表示,其中一个寄存器用于存储该有效地址范围的起始地址,另一个寄存器用于存储该有效地址范围的长度,或者,另一个寄存器用于存储该有效地址范围的终止地址。Alternatively, the effective address range may be stored in registers. Correspondingly, as shown in FIG. 4 , the model protection device 30 may further include: a first register 305 , where the first register 305 is used to store the effective address range of the AI model in the memory 20 . In an implementation manner, the first register 305 may be a general term for one or more registers used to store the effective address range. For example, the effective address range can be represented by variables stored in two registers, one of which is used to store the starting address of the effective address range, the other register is used to store the length of the effective address range, or another register is used to store the length of the effective address range. The ending address for storing this valid address range.
在一种可实现方式中,访问权限控制器302根据鉴权结果生成控制信号的实现过程可以包括:当读地址为合法地址时,访问权限控制器302生成第一控制信号;当读地址为非法地址时,访问权限控制器302生成第二控制信号。其中,当读地址位于AI模型的有效地址范围内时,该读地址称为合法地址,当读地址位于AI模型的有效地址范围外时,该读地址称为非法地址。In an implementation manner, the implementation process of the access authority controller 302 generating the control signal according to the authentication result may include: when the read address is a legal address, the access authority controller 302 generates the first control signal; when the read address is illegal address, the access authority controller 302 generates a second control signal. Among them, when the read address is within the valid address range of the AI model, the read address is called a legal address, and when the read address is outside the valid address range of the AI model, the read address is called an illegal address.
在另一种可实现方式中,访问权限控制器302还可以根据除读地址外的其他条件执行鉴权操作。例如,当读地址为合法地址且满足指定条件时,访问权限控制器302生成第一控制信号;当读地址为非法地址,和/或,不满足指定条件时,访问权限控制器302生成第二控制信号。其中,指定条件包括以下至少一个:解密权限标识指示当前计算任务使用的AI模型允许被解密,或,AI模型为加密模型。In another implementation manner, the access authority controller 302 may also perform the authentication operation according to other conditions than the read address. For example, when the read address is a legal address and the specified condition is met, the access authority controller 302 generates a first control signal; when the read address is an illegal address, and/or when the specified condition is not met, the access authority controller 302 generates a second control signal control signal. The specified condition includes at least one of the following: the decryption permission identifier indicates that the AI model used by the current computing task is allowed to be decrypted, or the AI model is an encryption model.
The decryption permission identifier is stored in the model protection device 30, for example in a register. It indicates whether the AI model used by the current computing task is allowed to be decrypted, and what it indicates is determined by its value. In one implementation, a value of 0 indicates that the AI model used by the current computing task is allowed to be decrypted, a value of 1 indicates that it is not allowed to be decrypted, and the default value is 0.
Optionally, the access authority controller 302 may also set the decryption permission identifier according to whether the read address is a legal address. In one implementation, when the access authority controller 302 determines that the read address is an illegal address, it sets the decryption permission identifier to indicate that none of the AI models used by the current computing task is allowed to be decrypted. In this way, the judgment on the read address implements a penalty mechanism for AI model decryption: once a read address is determined to be illegal, the decryption permission identifier is set so that no AI model used by the current computing task may be decrypted. When a malicious model is used to attack an AI model that needs protection, the malicious model usually has to be read from the memory 20 first, and the read address carried by the read instruction requesting that malicious model is not a legal address. The penalty mechanism then sets the decryption permission identifier so that it indicates that none of the AI models used by the current computing task may be decrypted, which prevents the malicious model from being used to attack the AI model.
Moreover, since the decryption permission identifier indicates whether the AI model used by the current computing task may be decrypted, a single decryption permission identifier may be set for multiple computing tasks executed serially by the computing device 0, with its value during the execution of each task indicating whether the AI model used by that task may be decrypted. Alternatively, a separate decryption permission identifier may be set for each computing task, each indicating whether the AI model used by the corresponding task may be decrypted.
Correspondingly, when a single decryption permission identifier is set for multiple computing tasks executed serially by the computing device 0, the access authority controller 302 may, after the current computing task completes, reset the decryption permission identifier to indicate that decryption is allowed, so that computing tasks executed after the current one can obtain the AI model normally. Optionally, the decryption permission identifier may also be reset in other ways, for example by power-cycling the computing device 0; this embodiment of the present application does not specifically limit this.
Whether the AI model is an encrypted model can be determined from the value of the AI model's encryption identifier. In one implementation, a value of 0 indicates that the AI model is an encrypted model and a value of 1 indicates that it is a non-encrypted model. Whether an AI model is encrypted can be decided according to the model manufacturer's protection requirements: when the model manufacturer needs to protect the AI model, it encrypts the model and sets the encryption identifier to indicate an encrypted model; when it does not need to protect the model, the model need not be encrypted and the encryption identifier is set to indicate a non-encrypted model. The encryption identifier may be stored in a register, and its value in the register may be set by the drive module 10. After the drive module 10 writes the model into the non-volatile storage medium of the computing device 0, it can read the file header of the AI model, which carries model information covering the AI model, including whether the model is encrypted and the size of the model; the drive module 10 sets the value of the encryption identifier in the register according to this model information.
In addition, when executing a computing task the dedicated processor 303 needs not only the AI model but also content such as the data to be computed, so the dedicated processor 303 also sends read commands to the memory controller 301 requesting data and other content from the memory 20. These read commands are transmitted to the memory controller 301 over the read channel from the dedicated processor 303 to the memory controller 301, so the access authority controller 302 receives not only read instructions requesting the AI model but also read commands requesting data and other content from the memory 20. Since the AI model is the object that the control signal protects, the authentication operation of the access authority controller 302 further includes determining whether a received read command is a read instruction. If the received read command is not a read instruction, it is not requesting the AI model from the memory 20 and the data read by that command need not be decrypted, so the access authority controller 302 can generate a control signal indicating that the content read by the command is not to be decrypted. The read command carries a command identifier that indicates the content the read command requests, so whether the read command is a read instruction requesting the AI model can be determined from the command identifier it carries.
Because the read address in a read command sent by the dedicated processor 303 is determined from the memory 20 address of the AI model that the task execution instruction may carry, a malicious program attacking the AI model modifies the memory 20 address of the AI model received by the dedicated processor 303, so that the read address carried by the read instruction the dedicated processor 303 sends based on that address is an illegal address. In the access authority controller 302 provided in this embodiment of the present application, the read instruction is authenticated by the access authority controller 302, which can determine that the read address sent by the dedicated processor 303 is illegal and generate a control signal indicating that the AI model is not to be decrypted, so that the encrypted model cannot be used on the computing device 0; abuse of and attacks on the AI model by malicious programs are thus prevented.
In another case, a malicious program can modify not only the memory 20 address of the AI model received by the dedicated processor 303 but also the valid address range of the AI model stored in the first register 305. Although the access authority controller 302 then misjudges the read address as legal, the read address is wrong, so the content read from the memory 20 at that address is not the AI model originally needed by the dedicated processor, while the decryption key supplied by the decryption circuit 304 is the decryption key of the originally needed AI model. That key therefore cannot correctly decrypt the content read from the memory 20, and the attack on the AI model by the malicious program is still prevented.
It should be noted that the order in which the access authority controller 302 performs the following checks may be set according to application requirements: whether the read address is a legal address, what the decryption permission identifier indicates, whether the AI model is an encrypted model, and whether a received read command is a read instruction. FIG. 7 is a schematic diagram of one possible order. As shown in FIG. 7, the access authority controller 302 performs the authentication operation and generates a control signal from the result in the following steps:
Step 701: The access authority controller obtains a read command.
Step 702: After receiving the read command, the access authority controller checks whether the decryption permission identifier indicates that the AI model used by the current computing task may be decrypted. If it does, step 703 is executed; if it indicates that the model may not be decrypted, step 706 is executed.
Step 703: The access authority controller checks whether the AI model is an encrypted model. If it is, step 704 is executed; if it is a non-encrypted model, step 706 is executed.
Step 704: The access authority controller checks whether the read command is a read instruction requesting the AI model. If it is, step 705 is executed; if it is not, step 706 is executed.
Step 705: The access authority controller checks whether the read address is a legal address. If it is, the first control signal is generated; if it is an illegal address, the decryption permission identifier is set to indicate that none of the AI models used by the current computing task may be decrypted, and step 706 is executed.
Step 706: The access authority controller generates the second control signal.
Whenever any one of the above conditions is not met, the access authority controller generates the second control signal without evaluating the remaining conditions, which reduces the workload of the access authority controller and keeps authentication efficient. Moreover, when the authentication process checks the decryption permission identifier first, then whether the AI model is encrypted, then whether the read command is a read instruction, and finally whether the read address is legal, the checks proceed from coarse-grained to fine-grained, which further improves authentication efficiency.
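The following is an added example, not code from the patent or from its applicant, that models the check order of FIG. 7 (steps 701 to 706) together with the register encodings given above (decryption permission identifier 0 = allowed, 1 = not allowed, default 0; encryption identifier 0 = encrypted; valid address range held as start address plus length in the first register 305), the penalty mechanism of step 705 and the reset after task completion. The control-signal names, the command identifier value that marks a read instruction, and the two constructed read commands are assumptions for illustration.

```python
"""Added example of the FIG. 7 authentication flow. Illustration only; not code
from the patent or from Huawei. Signal names, the CMD_READ_MODEL value and the
sample commands are assumptions."""
from dataclasses import dataclass

# Control signals produced by the access authority controller (names assumed).
FIRST_CONTROL_SIGNAL = "decrypt"        # decrypt the content read at this address
SECOND_CONTROL_SIGNAL = "no_decrypt"    # pass the content through undecrypted

# Command identifier value that marks a read instruction for the AI model (assumed).
CMD_READ_MODEL = 0x1


@dataclass
class ModelProtectionRegisters:
    """Register state described in the text, with the document's value encodings."""
    range_start: int                    # first register 305: start of the valid address range
    range_length: int                   # first register 305: length of the valid address range
    decrypt_permission: int = 0         # 0 = decryption allowed (default), 1 = not allowed
    encryption_flag: int = 0            # 0 = encrypted model, 1 = non-encrypted model

    def address_is_legal(self, addr: int) -> bool:
        # A read address is legal only when it lies inside [start, start + length).
        return self.range_start <= addr < self.range_start + self.range_length


@dataclass
class ReadCommand:
    command_id: int     # indicates what content the command requests
    read_address: int


class AccessAuthorityController:
    """Coarse-to-fine check order of FIG. 7; stops at the first failed condition."""

    def __init__(self, regs: ModelProtectionRegisters):
        self.regs = regs

    def authenticate(self, cmd: ReadCommand) -> str:
        regs = self.regs
        # Step 702: the decryption permission identifier must allow decryption.
        if regs.decrypt_permission != 0:
            return SECOND_CONTROL_SIGNAL                   # step 706
        # Step 703: only an encrypted model needs decryption.
        if regs.encryption_flag != 0:
            return SECOND_CONTROL_SIGNAL
        # Step 704: only a read instruction for the AI model is protected.
        if cmd.command_id != CMD_READ_MODEL:
            return SECOND_CONTROL_SIGNAL
        # Step 705: the read address must lie inside the valid address range.
        if regs.address_is_legal(cmd.read_address):
            return FIRST_CONTROL_SIGNAL
        # Penalty mechanism: an illegal address locks decryption for the whole task.
        regs.decrypt_permission = 1
        return SECOND_CONTROL_SIGNAL

    def task_completed(self) -> None:
        """Reset of the shared identifier once the current computing task finishes."""
        self.regs.decrypt_permission = 0


def run_scenario() -> list:
    """Constructed sequence: legal model read, plain data read, illegal model read,
    a legal model read that the penalty now refuses, then reset and read again."""
    regs = ModelProtectionRegisters(range_start=0x1000, range_length=0x4000)
    ctrl = AccessAuthorityController(regs)
    results = [
        ctrl.authenticate(ReadCommand(CMD_READ_MODEL, 0x1800)),  # legal -> decrypt
        ctrl.authenticate(ReadCommand(0x0, 0x9000)),             # data read -> no_decrypt
        ctrl.authenticate(ReadCommand(CMD_READ_MODEL, 0x9000)),  # illegal -> penalty set
        ctrl.authenticate(ReadCommand(CMD_READ_MODEL, 0x1800)),  # locked -> no_decrypt
    ]
    ctrl.task_completed()
    results.append(ctrl.authenticate(ReadCommand(CMD_READ_MODEL, 0x1800)))  # decrypt again
    return results


if __name__ == "__main__":
    print(run_scenario())
```

Note that a plain data read (step 704) yields the second control signal without touching the decryption permission identifier, whereas an illegal read instruction (step 705) both yields it and locks the identifier, so even a subsequent legal read of the protected model in the same task is refused until the reset.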
In addition, as shown in FIG. 4, the model protection device 30 may further include a key generation circuit 306. The key generation circuit 306 obtains the root key of the model protection device 30, the version identifier of the AI model and the device identifier of the model protection device 30, and generates from the root key, version identifier and device identifier the decryption key used to decrypt the AI model. Optionally, after the drive module 10 stores the AI model in the memory 20, it may send the key generation circuit 306 an instruction to generate the decryption key, i.e. the key generation circuit 306 generates the decryption key at the instruction of the drive module 10. Alternatively, the key generation circuit 306 may generate the decryption key before the AI model is stored in the memory 20; for example, once the AI model has been programmed into the non-volatile storage medium of the computing device 0, the key generation circuit 306 can generate that model's decryption key for later use in decryption.
To ensure that the decryption key can decrypt the AI model, the way the key generation circuit 306 derives the decryption key from the root key, version identifier and device identifier must match the way the encryption key used to encrypt the AI model is derived from the root key, version identifier and device identifier. For example, the algorithm that generates the decryption key and the algorithm that generates the encryption key may be the same.
Furthermore, as shown in FIG. 4, the model protection device 30 further includes a second register 307, which stores the decryption key. After the key generation circuit 306 generates the decryption key, it may store the key in the second register 307. The decryption circuit 304 in the model protection device 30 is then specifically configured to read the decryption key from the second register 307 and, as directed by the control signal, decrypt the AI model with the key it read. When the decryption circuit 304 decrypts the AI model, decryption succeeds if the decryption key is the same as the encryption key used to encrypt the AI model; if the two keys differ, the AI model cannot be decrypted.
The following description takes as an example the case where the root key and device identifier of the model protection device 30 are provided by the chip manufacturer, the version identifier of the AI model is assigned by the model manufacturer, the model manufacturer's operations are performed by a first computer device, the chip manufacturer's operations by a second computer device, and the terminal manufacturer's operations by a third computer device, and explains how the encryption key of the AI model is generated and how the AI model is encrypted and decrypted. The model manufacturer's operations may be performed by one or more computer devices, collectively called the first computer device; likewise, the chip manufacturer's operations may be performed by one or more computer devices, collectively called the second computer device, and the terminal manufacturer's operations by one or more computer devices, collectively called the third computer device. As shown in FIG. 8, the process includes the following steps:
Step 801: The first computer device obtains the model manufacturer identifier of the AI model and the root key of the model protection device.
Optionally, the first computer device may generate the model manufacturer identifier and derive the root key from it, thereby obtaining both. Alternatively, the first computer device may request the second computer device to allocate a root key; the second computer device then assigns a model manufacturer identifier to the model manufacturer according to the request, derives the root key from that identifier, and sends the root key and the model manufacturer identifier to the first computer device. The chip manufacturer is usually a party trusted by the model manufacturer, so, as shown in FIG. 9, the model manufacturer identifier is usually assigned by the chip manufacturer to the model manufacturer, and the root key is usually derived from that model manufacturer identifier and a base root key provided by the chip manufacturer.
To protect the model manufacturer identifier and root key, they may be sent to the first computer device packaged and encrypted. Optionally, the model manufacturer identifier and root key may be encrypted with PGP (pretty good privacy). In one implementation, the derivation of the root key from the model manufacturer identifier may be performed offline by a server running in a secure environment, for example a hardware security module (HSM).
Further, to store the root key securely, it may be preset in the non-volatile storage medium of the model protection device 30. For example, the root key may be stored in a one-time programmable (OTP) storage medium; since an OTP storage medium supports only a single write, a malicious program that attempts to tamper with the root key stored there cannot write to the OTP storage medium again, so the root key is kept secure.
Step 802: The third computer device obtains the device identifier of the model protection device and sends it to the first computer device.
The model protection device 30 provided in this embodiment of the present application is deployed in the computing device 0 provided by the terminal manufacturer and is used to implement the AI model. The model protection device 30 has a built-in device identifier; the third computer device can read it through an application programming interface on the model protection device 30 and send it to the first computer device. When the model protection device 30 is a computing chip, the device identifier is the chip identifier of that chip.
In one implementation, the device identifier may be stored in the non-volatile storage medium of the model protection device 30, for example in an OTP storage medium; since an OTP storage medium supports only a single write, a malicious program that attempts to tamper with the device identifier stored there cannot write to the OTP storage medium again, so the device identifier is kept secure.
Step 803: The first computer device assigns a version identifier to the AI model and generates the AI model's encryption key from the device identifier of the model protection device, the version identifier of the AI model and the root key of the model protection device.
To distinguish its different AI models, the model manufacturer may, as shown in FIG. 9, assign a version identifier to each AI model through the first computer device. Also as shown in FIG. 9, the model manufacturer can generate the encryption key of the AI model from the obtained device identifier, root key and version identifier. In one implementation, the chip manufacturer may provide the model manufacturer with a key generation unit for generating encryption keys, implemented in software or hardware; the model manufacturer feeds the version identifier, device identifier and root key into this generation tool and takes its output as the AI model's encryption key. As shown in FIG. 9, when generating the encryption key the key generation unit may first derive an intermediate key from the root key and version identifier, and then derive the encryption key from the intermediate key and device identifier.
Since the encryption key is derived from the device identifier, root key and version identifier, the resulting encryption key differs whenever any of the three differs. Because different model protection devices 30 have different device identifiers, the encryption keys generated from them differ, so different model protection devices 30 can be used to protect different AI models. When the same model protection device 30 protects multiple AI models from the same model manufacturer, the manufacturer may choose whether the encryption keys of those models are the same or different. For example, the model manufacturer may assign the same version identifier to the multiple AI models; since they share the same model manufacturer and the root key is derived from the model manufacturer identifier, the device identifier, version identifier and root key used to generate the keys are identical for all of them, so the multiple AI models have the same encryption key.
Step 804: The first computer device encrypts the AI model with the encryption key, sends the encrypted AI model to the third computer device, and sends the model manufacturer identifier and version identifier to the third computer device.
As shown in FIG. 9, after obtaining the encryption key of the AI model, the first computer device can use it to encrypt the AI model stored in plaintext (also called the plaintext model) and, once the terminal manufacturer has purchased the model manufacturer's AI model, send the encrypted AI model to the terminal manufacturer. So that the terminal manufacturer's computing device 0 can decrypt the encrypted AI model, the model manufacturer also sends the terminal manufacturer the AI model's version identifier and the model manufacturer identifier; alternatively, the model manufacturer sends the terminal manufacturer the root key of the model protection device 30 and the AI model's version identifier.
Step 805: The third computer device programs the encrypted AI model into the non-volatile storage medium of the computing device and stores the model manufacturer identifier and version identifier in that non-volatile storage medium.
After obtaining the encrypted AI model, the third computer device can program it into the non-volatile storage medium of the computing device 0. Optionally, the third computer device may program an image file containing the encrypted AI model into the non-volatile storage medium of the computing device 0 on the production line, and store the model manufacturer identifier and version identifier in that storage medium. The non-volatile storage medium may be flash memory, a hard disk drive (HDD), a solid-state drive (SSD) or the like.
Step 806: The key generation circuit obtains the model manufacturer identifier, version identifier and device identifier from the non-volatile storage medium of the computing device.
Since the device identifier of the model protection device 30 is built into the model protection device 30, the third computer device can read it and provide it to the key generation circuit 306. The non-volatile storage medium of the computing device 0 stores the model manufacturer identifier model_owner_id and the version identifier, which the key generation circuit 306 can obtain.
Step 807: The key generation circuit generates the decryption key from the model manufacturer identifier, version identifier and device identifier, and stores the decryption key in the second register.
As shown in FIG. 9, the key generation circuit 306 can derive the root key of the model protection device 30 from the model manufacturer identifier, and then derive the decryption key from that root key, the device identifier of the model protection device 30 and the version identifier of the AI model. In one implementation, since the key generation circuit 306 is provided by the chip manufacturer that supplies the model protection device 30, it can obtain the chip manufacturer's base root key and derive the root key from the model manufacturer identifier and that base root key. To ensure that the decryption key can decrypt the AI model, the way the key generation circuit 306 generates the decryption key must match the way the first computer device generates the encryption key; for example, the two may use the same algorithm. Also as shown in FIG. 9, when generating the decryption key the key generation circuit may first derive an intermediate key from the root key and version identifier, and then derive the decryption key from the intermediate key and device identifier.
当根据模型厂商标识生成根密钥时,根据模型厂商标识生成根密钥,再根据根密钥生成解密密钥的过程,相较于根据根密钥直接生成解密密钥的过程,需要多执行一次生成过程,能够进一步地保证密钥的安全性。When generating the root key according to the model manufacturer ID, the process of generating the root key according to the model manufacturer ID, and then generating the decryption key according to the root key requires more execution than the process of directly generating the decryption key according to the root key. One generation process can further ensure the security of the key.
当步骤804中模型厂商向终端厂商发送根密钥和版本标识时,在该步骤807中,密钥生成电路306可以直接根据该根密钥、版本标识和装置标识生成解密密钥。When the model manufacturer sends the root key and version identifier to the terminal manufacturer in step 804, in step 807, the key generation circuit 306 can directly generate a decryption key according to the root key, version identifier and device identifier.
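The derivation chain of step 807 as FIG. 9 draws it (base root key and model vendor identifier give the root key; root key and version identifier give an intermediate key; intermediate key and device identifier give the decryption key), written out as an added example that is not part of the patent. The patent fixes the order of the inputs but not the algorithm, so HMAC-SHA256 is an assumption, and every identifier and key value below is constructed for the example. The second half shows the point made in the text: the model vendor side must run the identical chain to obtain a matching encryption key, and a different device identifier yields a different key.

```python
import hmac
import hashlib

# Constructed sample inputs. The page names these inputs but gives no values;
# on a real SoC the base root key would live in one-time-programmable storage.
CHIP_VENDOR_BASE_ROOT_KEY = hashlib.sha256(b"constructed base root key").digest()
MODEL_VENDOR_ID = b"model-vendor-0001"
MODEL_VERSION_ID = b"v2.3.0"
DEVICE_ID = bytes.fromhex("a1b2c3d4e5f60718")


def kdf(key: bytes, label: bytes, context: bytes) -> bytes:
    """One derivation step: HMAC-SHA256 keyed with `key` over a label and the
    identifier being bound in. The algorithm is an assumption of this example."""
    return hmac.new(key, label + b"\x00" + context, hashlib.sha256).digest()


def derive_root_key(base_root_key: bytes, model_vendor_id: bytes) -> bytes:
    """Root key of the model protection device: the chip vendor's base root key
    combined with the model vendor identifier (left-hand part of FIG. 9)."""
    return kdf(base_root_key, b"root", model_vendor_id)


def derive_decryption_key(root_key: bytes, version_id: bytes, device_id: bytes) -> bytes:
    """Intermediate key from (root key, version identifier), then the
    decryption key from (intermediate key, device identifier)."""
    intermediate_key = kdf(root_key, b"version", version_id)
    return kdf(intermediate_key, b"device", device_id)


def device_side_key() -> bytes:
    """What key generation circuit 306 computes: root key first, then the decryption key."""
    root_key = derive_root_key(CHIP_VENDOR_BASE_ROOT_KEY, MODEL_VENDOR_ID)
    return derive_decryption_key(root_key, MODEL_VERSION_ID, DEVICE_ID)


def model_vendor_side_key(root_key: bytes) -> bytes:
    """What the first computer device computes when it encrypts: it holds the
    root key (step 804) and must run the same chain to get the encryption key."""
    return derive_decryption_key(root_key, MODEL_VERSION_ID, DEVICE_ID)


def keys_match() -> bool:
    """True when encryption key and decryption key agree, as the text requires."""
    root_key = derive_root_key(CHIP_VENDOR_BASE_ROOT_KEY, MODEL_VENDOR_ID)
    return hmac.compare_digest(model_vendor_side_key(root_key), device_side_key())


def key_for_other_device(other_device_id: bytes) -> bytes:
    """Same vendor and version but another device identifier: a model encrypted
    for DEVICE_ID cannot be decrypted with the key this device derives."""
    root_key = derive_root_key(CHIP_VENDOR_BASE_ROOT_KEY, MODEL_VENDOR_ID)
    return derive_decryption_key(root_key, MODEL_VERSION_ID, other_device_id)


if __name__ == "__main__":
    print("encryption and decryption keys match:", keys_match())
    print("decryption key for this device:", device_side_key().hex())
```

Because the device identifier enters the last derivation step, the decryption key is bound to one model protection device; copying the encrypted model and the version identifier to another device does not give that device a usable key.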
Step 808: The decryption circuit obtains the decryption key from the second register and decrypts the encrypted AI model with it.
As shown in FIG. 9, once the decryption circuit has obtained the decryption key, it can perform the decryption operation on the encrypted AI model to obtain the plaintext model.
In FIG. 9, the dashed boxes denote operations implemented in hardware or in processed software, whose implementation logic cannot be intervened in or tampered with by software, and the solid boxes denote operations implemented in software. Processed software here means software that has been subjected to processing such as solidifying it into fixed firmware, so that it cannot be interfered with or tampered with. As can be seen from FIG. 9, neither the device identifier nor the root key of the model protection device 30 can be tampered with; therefore, generating the encryption key from the root key and the device identifier and using that encryption key to protect the AI model achieves protection of the AI model.
It should be noted that the actual form of the model protection device provided in the embodiments of this application can be chosen according to application requirements. For example, the model protection device may take the form of a system on chip (SOC) and may be implemented in hardware such as circuits. The system on chip may be a chip that runs in a safe environment (SE). The model protection device may, as required, be implemented purely in hardware or in a combination of hardware and software. When it is implemented in hardware, the logic implemented by the hardware cannot be changed once the hardware has been manufactured, which prevents a terminal vendor, a malicious program or the like from tampering with the implementation logic of the model protection device and thus protects the AI model effectively. When it is implemented in a combination of hardware and software, specified measures can be applied to the software that implements the model protection device to ensure that a terminal vendor, a malicious program or the like cannot tamper with its implementation logic, again protecting the AI model effectively.
For example, when the model protection device is implemented in a combination of hardware and software, the functions of the dedicated processor, the memory controller, the first register and the second register in the model protection device can be implemented in hardware, while the functions of the access permission controller, the decryption circuit and the key generation circuit can be implemented in software. For instance, the function of the access permission controller is implemented by an access permission control module, the function of the decryption circuit by a decryption module, and the function of the key generation circuit by a key generation module, and the functions of all of these modules can be implemented by a processor executing a computer program.
In summary, in the model protection device provided by the embodiments of this application, the access permission controller authenticates the read instruction and can generate a control signal indicating whether the AI model read from the memory is to be decrypted. When the AI model is stored in the memory as an encrypted model, the AI model can only be used successfully if the control signal indicates that it is to be decrypted; if the control signal indicates that it is not to be decrypted, the AI model cannot be used. Therefore, by controlling the process of decrypting the AI model, copying, leakage and abuse of the AI model can be prevented and the AI model protected, which helps to establish a sound AI model ecosystem and a secure and reasonable profit model. Moreover, the model protection device provided by the embodiments of this application can be implemented on a single SOC, without the cost of an additional SOC or of interaction between different SOC chips, so the AI model can be protected at relatively low cost. At the same time, protecting the AI model by authenticating read instructions also provides a technique for checking the legality of instructions, and this technique of the embodiments of this application can be applied in similar scenarios that require permission checks.
The embodiments of this application provide a model protection method. The method is applied to a model protection device that includes an access permission controller and a memory controller. For example, the method can be applied to the model protection device described above.
In this model protection method, the access permission controller can obtain a read instruction, perform an authentication operation on it, generate a control signal based on the authentication result and send the read instruction to the memory controller, and the memory controller can read the AI model from the memory based on the read instruction. In this way, the access permission controller can control the process of decrypting the AI model, prevent leakage and abuse of the AI model, and thereby protect it.
The implementation of the model protection method is described below, taking its application to the model protection device shown in FIG. 4 as an example. As shown in FIG. 10, the model protection method includes:
Step 1001: The dedicated processor generates a read instruction and sends it to the access permission controller.
Step 1002: The access permission controller obtains the read address contained in the read instruction for reading the AI model, performs an authentication operation on the read instruction based on the read address, generates a control signal based on the authentication result, and sends the read instruction to the memory controller.
The control signal includes a first control signal and a second control signal; the first control signal instructs that the AI model is to be decrypted, and the second control signal instructs that it is not to be decrypted.
In one implementation, the access permission controller generating the control signal based on the authentication result includes: when the read address is a legal address, the access permission controller generates the first control signal; when the read address is an illegal address, it generates the second control signal.
In another implementation, the control signal includes a first control signal and a second control signal, the first control signal instructing that the AI model is to be decrypted and the second that it is not; the model protection device stores a decryption permission flag indicating whether the AI model used by the current computing task is allowed to be decrypted; and the access permission controller generating the control signal based on the authentication result includes: when the read address is a legal address and a specified condition is satisfied, the access permission controller generates the first control signal; when the read address is an illegal address and/or the specified condition is not satisfied, it generates the second control signal. The specified condition includes at least one of the following: the decryption permission flag indicates that the AI model used by the current computing task is allowed to be decrypted; or the AI model is an encrypted model.
Optionally, the model protection device further includes a first register that stores the valid address range of the AI model in the memory, and the access permission controller performing the authentication operation on the read instruction includes: the access permission controller reads the valid address range from the first register and authenticates the read instruction based on the valid address range and the read address.
Optionally, after the access permission controller performs the authentication operation on the read instruction, the method further includes: when the read address is an illegal address, the access permission controller sets the decryption permission flag to indicate that none of the AI models used by the current computing task is allowed to be decrypted.
Optionally, after the access permission controller performs the authentication operation on the read instruction, the method further includes: after the current computing task is completed, the access permission controller resets the decryption permission flag to indicate that decryption is permitted.
Step 1003: The memory controller reads the AI model from the memory based on the read instruction and provides it to the decryption circuit.
Step 1004: The decryption circuit receives the control signal generated by the access permission controller and, as instructed by the control signal, either decrypts the AI model and transmits it to the dedicated processor, or passes the AI model through to the dedicated processor unchanged.
Optionally, the model protection device further includes a key generation circuit, and the method further includes: the key generation circuit obtains the root key of the model protection device, the version identifier of the AI model and the device identifier of the model protection device, and generates, from the root key, the version identifier and the device identifier, the decryption key for decrypting the AI model.
Optionally, the model protection device further includes a second register that stores the decryption key, and after the access permission controller generates the control signal based on the authentication result, the method further includes: the decryption circuit of the model protection device reads the decryption key from the second register and, as instructed by the control signal, decrypts the AI model with it.
After the driver module 10 has stored the AI model in the memory 20, it can send the key generation circuit 306 an instruction to generate the decryption key; that is, the key generation circuit starts generating the decryption key when instructed to by the driver module 10. Alternatively, the key generation circuit 306 can generate the decryption key before the AI model is stored in the memory 20. For example, once the AI model has been programmed into the non-volatile storage medium of the computing device 0, the key generation circuit 306 can generate the decryption key for that AI model for later use in decryption.
Step 1005: The dedicated processor executes the current computing task based on the AI model transmitted by the decryption circuit.
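Steps 1001 to 1005 as one run of the method, using the second authentication implementation of step 1002 (legal address, decryption permission flag, encrypted model) together with the two optional flag rules: an illegal read address clears the flag for the rest of the task, and the flag is reset only when the task completes. This is an added simulation, not code from the patent. The memory layout, the key in the second register and the model bytes are constructed, and because the patent does not name the cipher the decryption circuit uses, an HMAC-SHA256 counter-mode keystream XORed with the data stands in for it so that the example runs.

```python
import hmac
import hashlib

# The two control signals of step 1002 / step 1004.
FIRST_CONTROL_SIGNAL = "decrypt"        # first control signal: decrypt the AI model
SECOND_CONTROL_SIGNAL = "pass-through"  # second control signal: do not decrypt

# Constructed layout: 8 KiB of memory with the encrypted model at 0x1000.
MODEL_BASE = 0x1000
PLAINTEXT_MODEL = b"constructed-model-weights-" * 4
DECRYPTION_KEY = hashlib.sha256(b"constructed key held in the second register").digest()


def keystream(key: bytes, length: int) -> bytes:
    """Stand-in cipher (assumption of this example): HMAC-SHA256 counter mode."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt and decrypt are the same XOR with the keystream."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


class AccessPermissionController:
    """Step 1002: authenticate the read address against the first register."""

    def __init__(self, valid_range):
        self.valid_range = valid_range   # (start, end) held in the first register
        self.decrypt_permitted = True    # decryption permission flag

    def address_is_legal(self, addr: int, length: int) -> bool:
        start, end = self.valid_range
        return start <= addr and addr + length <= end

    def authenticate(self, addr: int, length: int, model_is_encrypted: bool) -> str:
        legal = self.address_is_legal(addr, length)
        if not legal:
            # Optional rule: after an illegal read no model of this task may be decrypted.
            self.decrypt_permitted = False
        if legal and self.decrypt_permitted and model_is_encrypted:
            return FIRST_CONTROL_SIGNAL
        return SECOND_CONTROL_SIGNAL

    def finish_task(self):
        # Optional rule: the flag returns to "decryption permitted" only when the task ends.
        self.decrypt_permitted = True


class DecryptionCircuit:
    """Step 1004: decrypt with the key from the second register, or pass through."""

    def __init__(self, key: bytes):
        self.key = key

    def handle(self, control_signal: str, data: bytes) -> bytes:
        if control_signal == FIRST_CONTROL_SIGNAL:
            return xor_crypt(self.key, data)
        return data


def build_device():
    """Memory with the encrypted model in place, plus controller and decryption circuit."""
    memory = bytearray(0x2000)
    ciphertext = xor_crypt(DECRYPTION_KEY, PLAINTEXT_MODEL)
    memory[MODEL_BASE:MODEL_BASE + len(ciphertext)] = ciphertext
    controller = AccessPermissionController((MODEL_BASE, MODEL_BASE + len(ciphertext)))
    return memory, controller, DecryptionCircuit(DECRYPTION_KEY)


def run_task(device, reads):
    """One computing task: `reads` are the (addr, length) read instructions the
    dedicated processor issues (step 1001); returns what the processor receives."""
    memory, controller, decryptor = device
    received = []
    for addr, length in reads:
        signal = controller.authenticate(addr, length, model_is_encrypted=True)  # step 1002
        data = bytes(memory[addr:addr + length])                                  # step 1003
        received.append(decryptor.handle(signal, data))                           # step 1004
    controller.finish_task()                                                      # step 1005 completed
    return received


if __name__ == "__main__":
    device = build_device()
    print(run_task(device, [(MODEL_BASE, len(PLAINTEXT_MODEL))])[0][:26])
```

A read that only partly overlaps the valid range counts as illegal, and once it has happened every later read of the same task, legal or not, reaches the processor as ciphertext; the next task starts with the flag cleared.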
It should be noted that the order of the steps of the model protection method provided by the embodiments of this application can be adjusted as appropriate, and steps can be added or removed as the situation requires. Any variation of the method that a person skilled in the art could readily conceive within the technical scope disclosed in this application falls within the scope of protection of this application and is therefore not described further.
In summary, in the model protection method provided by the embodiments of this application, the access permission controller authenticates the read instruction and can generate a control signal indicating whether the AI model read from the memory is to be decrypted. When the AI model is stored in the memory as an encrypted model, the AI model can only be used successfully if the control signal indicates that it is to be decrypted; if the control signal indicates that it is not to be decrypted, the AI model cannot be used. Therefore, by controlling the process of decrypting the AI model, copying, leakage and abuse of the AI model can be prevented and the AI model protected, which helps to establish a sound AI model ecosystem and a secure and reasonable profit model. Moreover, the model protection device provided by the embodiments of this application can be implemented on a single SOC, without the cost of an additional SOC or of interaction between different SOC chips, so the AI model can be protected at relatively low cost. At the same time, protecting the AI model by authenticating read instructions also provides a technique for checking the legality of instructions, and this technique of the embodiments of this application can be applied in similar scenarios that require permission checks.
Those skilled in the art will clearly understand that, for convenience and brevity of description, the implementation and specific operation of each component in the model protection method described above can be found in the corresponding description of the model protection device provided by the embodiments of this application, and are not repeated here.
The embodiments of this application provide a computer device. As shown in FIG. 11, the computer device 1100 includes a processor 1110, a communication interface 1120 and a memory 1130, which are connected to one another by a bus 1140. A computer program is stored in the memory 1130. When the processor 1110 executes the computer program, the computer device implements the model protection method provided by the embodiments of this application.
The bus 1140 may be divided into an address bus, a data bus, a control bus and so on. For ease of illustration only one thick line is drawn in FIG. 11, but this does not mean that there is only one bus or only one type of bus.
The memory 1130 may include volatile memory, for example random-access memory (RAM). The memory 1130 may also include non-volatile memory, for example flash memory, a hard disk drive (HDD) or a solid-state drive (SSD). The memory 1130 may also include a combination of the above types of memory.
The processor 1110 may be a hardware chip configured to perform the model protection method provided by the embodiments of this application. The hardware chip may be an application-specific integrated circuit (ASIC), a programmable logic device (PLD) or a combination of the two. The PLD may be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), generic array logic (GAL) or any combination thereof. Alternatively, the processor 1110 may be a general-purpose processor, for example a central processing unit (CPU), a network processor (NP) or a combination of a CPU and an NP.
Correspondingly, the memory 1130 stores program instructions, and the processor 1110 invokes the program instructions stored in the memory 1130 to perform one or more steps of the model protection method provided by the embodiments of this application, or optional implementations thereof, so that the computer device 1100 implements the model protection method provided by the method embodiments above. For example, when the processor 1110 invokes the program instructions stored in the memory 1120, the computer device 1100 can perform the following steps of the access permission controller: obtaining the read address contained in the read instruction for reading the AI model, authenticating the read instruction based on the read address, generating a control signal based on the authentication result, and sending the read instruction to the memory controller. The way the computer device 1100 performs these steps by executing the computer instructions in the memory 1120 can be found in the corresponding description of the foregoing embodiments.
The communication interface 1130 may be any one or any combination of the following devices: a network interface (for example, an Ethernet interface), a wireless network card or another device with network access capability.
An embodiment of this application provides a computer-readable storage medium, which may be a non-transitory readable storage medium, storing instructions that, when executed by a processor, cause the computer to perform the model protection method provided by the embodiments of this application. The storage medium may be any available medium accessible to a computer, or a data storage device such as a server or a data center that integrates one or more available media. The available medium may be a magnetic medium (for example, a floppy disk, a hard disk or a magnetic tape), an optical medium (for example, a DVD) or a semiconductor medium (for example, an SSD).
This application also provides a computer program product including computer instructions that, when executed by a computer device, cause the computer device to perform the model protection method provided by the embodiments of this application.
The embodiments of this application also provide another model protection device, which can authenticate the operation of reading the AI model and determine, based on the authentication result, whether the AI model is read from the memory at all, so as to control the process of reading the AI model, prevent leakage and abuse of the AI model and thereby protect it.
The model protection device can be deployed in a computing device. The embodiments of this application provide a computing device, which may be a camera, a desktop computer, a mobile phone, a tablet computer, a smart TV, a smart wearable device, an in-vehicle communication device, a computer or the like. FIG. 2 is a schematic structural diagram of the computing device. As shown in FIG. 2, the computing device 0 includes a driver module 10, a memory 20 and a model protection device 30, and the model protection device 30 includes a memory controller 301, an access permission controller 302 and a dedicated processor 303. The operation of the driver module 10, the memory 20 and the dedicated processor 303 in the computing device 0 corresponds to that of the corresponding components of the computing device 0 in the foregoing embodiments and is not repeated here.
The implementation of the model protection device 30 provided by the embodiments of this application is described below. In one implementation, as shown in FIG. 3, the model protection device 30 includes an access permission controller 302 and a memory controller 301. The access permission controller 302 is configured to obtain a read instruction, perform an authentication operation on it, generate a read indication signal based on the authentication result, and send the read indication signal and the read instruction to the memory controller 301. The read indication signal indicates whether the AI model is allowed to be read from the memory 20. The memory controller 301 is configured, as indicated by the read indication signal, either to read the AI model from the memory 20 based on the read instruction or not to perform that read.
The read indication signal includes a first read indication signal, which indicates that the AI model is allowed to be read from the memory 20, and a second read indication signal, which indicates that it is not. Correspondingly, the access permission controller 302 is configured to generate the first read indication signal when the read instruction passes authentication and the second read indication signal when it fails.
Optionally, the read indication signal also indicates whether the AI model read from the memory 20 is to be decrypted. In that case the access permission controller 302 is further configured to send the read indication signal to the decryption circuit 304 of the model protection device 30, so that the decryption circuit 304 performs the corresponding operation as indicated by the signal. Correspondingly, the first read indication signal indicates that the AI model is allowed to be read from the memory 20 and that the AI model read from the memory 20 is allowed to be decrypted, and the second read indication signal indicates that the AI model is not allowed to be read from the memory 20 and that the AI model read from the memory 20 is not allowed to be decrypted.
In another implementation, as shown in FIG. 3, the model protection device 30 includes an access permission controller 302 and a memory controller 301. The access permission controller 302 is configured to obtain a read instruction, perform an authentication operation on it and determine, based on the authentication result, whether to send the read instruction to the memory controller 301. Optionally, the access permission controller 302 is configured to send the read instruction to the memory controller 301 when it passes authentication, so that the memory controller 301 reads the AI model from the memory 20 based on it, and to intercept the read instruction when it fails authentication, so that the memory controller 301 never receives the read instruction and the AI model it requests cannot be read from the memory 20.
Optionally, the access permission controller 302 is specifically configured to obtain the read address contained in the read instruction for reading the AI model and to authenticate the read instruction based on the read address.
In one implementation of the authentication by the access permission controller 302, the access permission controller 302 is specifically configured to determine that the read instruction passes authentication when the read address is a legal address, and that it fails authentication when the read address is an illegal address.
In another implementation of the authentication by the access permission controller 302, the model protection device 30 stores a decryption permission flag indicating whether the AI model used by the current computing task is allowed to be decrypted, and the access permission controller 302 is specifically configured to: determine that the read instruction passes authentication when the read address is a legal address and a specified condition is satisfied; and determine that it fails authentication when the read address is an illegal address and/or the specified condition is not satisfied. The specified condition includes at least one of the following: the decryption permission flag indicates that the AI model used by the current computing task is allowed to be decrypted, or the AI model is an encrypted model.
Optionally, the access permission controller 302 is further configured to set the decryption permission flag, when the read address is an illegal address, to indicate that none of the AI models used by the current computing task is allowed to be decrypted.
Optionally, the access permission controller 302 is further configured to reset the decryption permission flag to indicate that decryption is permitted after the current computing task is completed.
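The two enforcement points of this second device, as an added simulation that is not part of the patent: in the first implementation the memory controller receives both the read indication signal and the read instruction and declines to perform the read when the signal is the second read indication signal; in the second implementation the access permission controller intercepts a failed read instruction so that the memory controller never sees it. The memory layout, the model bytes and the valid range held in the first register are constructed. Unlike the decryption-gated device, a failed read here returns nothing at all, not even ciphertext.

```python
# Constructed layout: 8 KiB of memory, model of 1 KiB at 0x1000.
MODEL_BASE = 0x1000
MODEL_LENGTH = 0x400

FIRST_READ_INDICATION = True    # reading the AI model is allowed
SECOND_READ_INDICATION = False  # reading the AI model is not allowed


class AccessPermissionController:
    """Authenticates the read address against the valid range from the first register."""

    def __init__(self, valid_range):
        self.valid_range = valid_range  # (start, end)

    def authenticate(self, addr: int, length: int) -> bool:
        """Legal only when the whole read lies inside the valid range."""
        start, end = self.valid_range
        if start <= addr and addr + length <= end:
            return FIRST_READ_INDICATION
        return SECOND_READ_INDICATION


class MemoryController:
    def __init__(self, memory: bytearray):
        self.memory = memory
        self.instructions_received = 0  # how many read instructions reached this controller

    def read(self, read_indication: bool, addr: int, length: int):
        """First implementation: signal and instruction both arrive here, and the
        controller performs the read only if the signal allows it."""
        self.instructions_received += 1
        if read_indication != FIRST_READ_INDICATION:
            return None
        return bytes(self.memory[addr:addr + length])

    def read_unconditionally(self, addr: int, length: int) -> bytes:
        """Second implementation: the controller trusts whatever reaches it,
        because the access permission controller filters upstream."""
        self.instructions_received += 1
        return bytes(self.memory[addr:addr + length])


def signalled_read(apc: AccessPermissionController, mc: MemoryController, addr: int, length: int):
    """Read path of the first implementation."""
    indication = apc.authenticate(addr, length)
    return mc.read(indication, addr, length)


def intercepting_read(apc: AccessPermissionController, mc: MemoryController, addr: int, length: int):
    """Read path of the second implementation: a failed instruction is dropped."""
    if apc.authenticate(addr, length) != FIRST_READ_INDICATION:
        return None
    return mc.read_unconditionally(addr, length)


def build_device():
    """Memory with a recognisable model pattern, controller with the valid range set."""
    memory = bytearray(0x2000)
    memory[MODEL_BASE:MODEL_BASE + MODEL_LENGTH] = bytes(range(256)) * 4
    apc = AccessPermissionController((MODEL_BASE, MODEL_BASE + MODEL_LENGTH))
    return apc, MemoryController(memory)


if __name__ == "__main__":
    apc, mc = build_device()
    print(signalled_read(apc, mc, MODEL_BASE, 8))
    print(signalled_read(apc, mc, 0x0800, 8))
    print(intercepting_read(apc, mc, 0x0800, 8), mc.instructions_received)
```

The `instructions_received` counter makes the difference between the two implementations visible: with the signal, the memory controller still handles every instruction and decides not to read; with interception, a rejected instruction never reaches it.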
可选地,如图4所示,模型保护装置30还包括:第一寄存器305,第一寄存器305用于存储AI模型在内存20中的有效地址范围;相应的,访问权限控制器302具体用于从第一寄存器305中读取有效地址范围,基于有效地址范围和读地址对读指令执行鉴权操作。Optionally, as shown in FIG. 4 , the model protection device 30 further includes: a first register 305, where the first register 305 is used to store the effective address range of the AI model in the memory 20; correspondingly, the access authority controller 302 specifically uses In order to read the effective address range from the first register 305, an authentication operation is performed on the read command based on the effective address range and the read address.
并且,如图4所示,模型保护装置30还包括:解密电路304和专用处理器303。专用处理器303用于生成读指令,并将读指令发送至访问权限控制器302。解密电路304用于对AI模型进行解密,并将解密后地AI模型传输给专用处理器303,或者,向专用处理器303透传AI模型。专用处理器303还用于基于解密电路304传输的AI模型,执行当前计算任务。Moreover, as shown in FIG. 4 , the model protection device 30 further includes: a decryption circuit 304 and a dedicated processor 303 . The dedicated processor 303 is used to generate a read command and send the read command to the access rights controller 302 . The decryption circuit 304 is used to decrypt the AI model, and transmit the decrypted AI model to the special-purpose processor 303 , or transparently transmit the AI model to the special-purpose processor 303 . The dedicated processor 303 is also used for executing the current computing task based on the AI model transmitted by the decryption circuit 304 .
进一步地,如图4所示,模型保护装置30还包括:密钥生成电路306;密钥生成电路306用于获取模型保护装置30的根密钥、AI模型的版本标识和模型保护装置30的装置标识,基于根密钥、版本标识和装置标识,生成用于对AI模型进行解密的解密密钥。Further, as shown in FIG. 4 , the model protection device 30 further includes: a key generation circuit 306 ; the key generation circuit 306 is used to obtain the root key of the model protection device 30 , the version identifier of the AI model and the Device ID, based on the root key, version ID, and device ID, to generate a decryption key for decrypting the AI model.
并且,如图4所示,模型保护装置30还包括:第二寄存器307。第二寄存器307用于存储解密密钥。相应的,模型保护装置30中的解密电路304具体用于从第二寄存器307中读取解密密钥,采用解密密钥对AI模型解密。Moreover, as shown in FIG. 4 , the model protection device 30 further includes: a second register 307 . The second register 307 is used to store the decryption key. Correspondingly, the decryption circuit 304 in the model protection device 30 is specifically configured to read the decryption key from the second register 307, and use the decryption key to decrypt the AI model.
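The key generation circuit 306, second register 307 and decryption circuit 304 described above, modelled in Python as an added example. This is not the patent's own implementation: the KDF (HKDF-SHA256), the container layout, the encrypt-then-MAC construction and the HMAC-counter-mode stand-in cipher (used only because the Python standard library has no AES) are this example's own choices, and every name and sample value is constructed. What it shows that the text does not is the effect of binding the key to the root key, version identifier and device identifier: the same encrypted model is rejected by a circuit whose second register was filled for a different device identifier, or whose model has been tampered with, while a pass-through control signal returns the blob untouched.

```python
"""Key generation circuit (306), second register (307) and decryption circuit (304),
modelled in Python. Added example, not the patent's implementation; the KDF, container
format and cipher below are this example's own choices."""
import hashlib
import hmac
import os
from typing import Optional, Tuple


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF with HMAC-SHA256 (extract, then expand)."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def _field(b: bytes) -> bytes:
    """Length-prefix a field so version/device strings cannot be ambiguously concatenated."""
    return len(b).to_bytes(2, "big") + b


def key_generation_circuit(root_key: bytes, version_id: bytes, device_id: bytes) -> Tuple[bytes, bytes]:
    """Derive per-device, per-version key material from the root key (circuit 306).
    Returns (encryption key, MAC key); the second register holds both halves."""
    info = b"model-protection-demo" + _field(version_id) + _field(device_id)
    okm = hkdf_sha256(root_key, salt=b"model-protection-demo-salt", info=info, length=64)
    return okm[:32], okm[32:]


def _keystream_xor(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher: HMAC-SHA256 in counter mode. A real circuit would use an
    AES-based authenticated mode; this only keeps the example standard-library-only."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(enc_key, nonce + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


MAGIC = b"ENCM"  # constructed container: MAGIC | 16-byte nonce | ciphertext | 32-byte tag


def encrypt_model(root_key: bytes, version_id: bytes, device_id: bytes,
                  plaintext: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Model provider side: produce the encrypted model bound to one device and one version."""
    enc_key, mac_key = key_generation_circuit(root_key, version_id, device_id)
    if nonce is None:
        nonce = os.urandom(16)
    ct = _keystream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, MAGIC + nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return MAGIC + nonce + ct + tag


class DecryptionCircuit:
    """Stand-in for circuit 304: reads the key from the second register and either decrypts
    the model or passes it through, as the control signal from the access controller says."""

    def __init__(self, second_register: Tuple[bytes, bytes]):
        self.second_register = second_register  # written by key_generation_circuit()

    def process(self, model_blob: bytes, decrypt: bool) -> bytes:
        if not decrypt:
            return model_blob  # second control signal: transparent pass-through
        if not model_blob.startswith(MAGIC) or len(model_blob) < len(MAGIC) + 16 + 32:
            raise ValueError("not an encrypted model container")
        enc_key, mac_key = self.second_register
        nonce, ct, tag = model_blob[4:20], model_blob[20:-32], model_blob[-32:]
        expected = hmac.new(mac_key, MAGIC + nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            # wrong device, wrong version or a tampered blob: release nothing
            raise PermissionError("model authentication failed")
        return _keystream_xor(enc_key, nonce, ct)


def try_process(circuit: DecryptionCircuit, blob: bytes, decrypt: bool = True) -> Optional[bytes]:
    """Helper for callers that want None instead of an exception on a rejected model."""
    try:
        return circuit.process(blob, decrypt)
    except PermissionError:
        return None


if __name__ == "__main__":
    root, ver, dev = bytes(range(32)), b"v1.2", b"device-0001"   # constructed sample values
    blob = encrypt_model(root, ver, dev, b"constructed weights")
    print(DecryptionCircuit(key_generation_circuit(root, ver, dev)).process(blob, True))
    print(try_process(DecryptionCircuit(key_generation_circuit(root, ver, b"device-0002")), blob))
```

The MAC key is derived alongside the encryption key so that the circuit can refuse a blob before producing any plaintext; without that check a wrong device key would simply yield garbage weights, which is harder to detect downstream.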
To sum up, in the model protection device provided by the embodiments of the present application, the access authority controller authenticates the read instruction and, according to the authentication result, controls whether the AI model requested by the read instruction is read from the memory according to that read instruction. When the AI model is stored in the memory as an encrypted model, it can be read from the memory, and therefore possibly used, only if authentication passes; if authentication fails, the AI model cannot be read from the memory and therefore cannot be used. By controlling the process of reading the AI model from the memory, copying, leakage and abuse of the AI model can be prevented and the AI model is protected, which helps to build a sound AI model ecosystem and a secure and reasonable business model. Moreover, the model protection device provided by the embodiments of the present application can be implemented on a single SOC, without the cost of an additional SOC or of interaction between different SOC chips, so the AI model can be protected at low cost. At the same time, protecting the AI model by authenticating read instructions also provides a technique for checking the legitimacy of instructions, and this technique of the embodiments of the present application can be applied to similar scenarios that require permission checks.
Those skilled in the art can clearly understand that, for convenience and brevity of description, the implementation and specific working process of each component of the model protection device described above may refer to the corresponding content of the foregoing model protection device provided by the embodiments of the present application, and are not repeated here.
The embodiments of the present application provide a model protection method. The model protection method is applied to a model protection device, which includes an access authority controller and a memory controller. For example, the model protection method may be applied to the foregoing model protection device provided by the embodiments of the present application.
In the model protection method, the access authority controller obtains a read instruction, performs an authentication operation on the read instruction, and controls, based on the authentication result, whether the memory controller reads the AI model from the memory. In this way, the access authority controller controls the process of reading the AI model from the memory, prevents leakage and abuse of the AI model, and thereby protects the AI model.
A first implementation of the model protection method is described below, taking as an example its application to the model protection device shown in FIG. 4. As shown in FIG. 12, the model protection method includes:
Step 1201: The dedicated processor generates a read instruction and sends the read instruction to the access authority controller.
Step 1202: The access authority controller obtains, from the read instruction, the read address used to read the AI model, performs an authentication operation on the read instruction based on the read address, generates a read indication signal based on the authentication result, and sends the read indication signal together with the read instruction to the memory controller.
The read indication signal includes a first read indication signal and a second read indication signal. The first read indication signal instructs that the AI model be read from the memory; the second read indication signal instructs that the AI model not be read from the memory. Correspondingly, the access authority controller generates the first read indication signal when authentication of the read instruction passes, and generates the second read indication signal when authentication of the read instruction fails.
In one implementation, the access authority controller performing an authentication operation on the read instruction includes: determining that authentication of the read instruction passes when the read address is a legal address, and determining that authentication of the read instruction fails when the read address is an illegal address.
In another implementation, the access authority controller performing an authentication operation on the read instruction includes: determining that authentication of the read instruction passes when the read address is a legal address and a specified condition is met; and determining that authentication of the read instruction fails when the read address is an illegal address and/or the specified condition is not met. The specified condition includes at least one of the following: the decryption permission identifier indicates that the AI model used by the current computing task is allowed to be decrypted, or the AI model is an encrypted model.
Step 1203: As instructed by the read indication signal, the memory controller either reads the AI model from the memory based on the read instruction and provides the AI model to the decryption circuit, or does not perform the read of the AI model from the memory.
Step 1204: The decryption circuit decrypts the AI model and transmits the decrypted AI model to the dedicated processor, or passes the AI model through to the dedicated processor unchanged.
Step 1205: The dedicated processor executes the current computing task based on the AI model transmitted by the decryption circuit.
A second implementation of the model protection method is described below, again taking as an example its application to the model protection device shown in FIG. 4. As shown in FIG. 13, the model protection method includes:
Step 1301: The dedicated processor generates a read instruction and sends the read instruction to the access authority controller.
Step 1302: The access authority controller obtains, from the read instruction, the read address used to read the AI model, performs an authentication operation on the read instruction based on the read address, and determines, based on the authentication result, whether to send the read instruction to the memory controller.
When authentication of the read instruction passes, the access authority controller sends the read instruction to the memory controller and step 1303 is executed, so that the memory controller reads the AI model from the memory based on the read instruction. When authentication of the read instruction fails, the access authority controller intercepts the read instruction, so that the memory controller never receives it and the AI model it requests cannot be read from the memory, and the model protection process for this read instruction ends.
Step 1303: The memory controller reads the AI model from the memory based on the read instruction and provides the AI model to the decryption circuit.
Step 1304: The decryption circuit decrypts the AI model and transmits the decrypted AI model to the dedicated processor, or passes the AI model through to the dedicated processor unchanged.
Step 1305: The dedicated processor executes the current computing task based on the AI model transmitted by the decryption circuit.
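The two read-path variants above (FIG. 12, where the read instruction is always forwarded with a read indication signal, and FIG. 13, where a failed instruction is intercepted), together with the authentication behaviour of the access authority controller described for the device (valid address range from the first register, the decryption permission identifier, the lock-out on an illegal address and the reset after the task), as one added Python simulation. It is not the patent's own hardware description: class and signal names, the 64-byte memory image, the model bytes and the single-byte XOR stand-in for the decryption circuit are all constructed for this example. Beyond the text, it demonstrates that a read which starts inside the valid range but runs past its end is treated as illegal, and that after one illegal read even a correctly addressed read is refused until the task completes and the identifier is reset.

```python
"""Read-path simulation for the model protection device (FIG. 12 / FIG. 13).
Added example, not the patent's own hardware: each class is a Python stand-in for the
circuit block named in its docstring, and all sample data is constructed."""
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

# Read indication signals of step 1202 (names are this example's, not the patent's).
FIRST_READ_INDICATION = "read"       # read the AI model from memory
SECOND_READ_INDICATION = "no-read"   # do not read the AI model from memory


@dataclass(frozen=True)
class ReadInstruction:
    """Read instruction from the dedicated processor: which memory window to fetch."""
    address: int
    length: int


class AccessAuthorityController:
    """Stand-in for the access authority controller (302)."""

    def __init__(self, valid_range: Tuple[int, int], require_flag: bool = True,
                 require_encrypted: bool = False):
        self.valid_range = valid_range            # first register (305): [start, end)
        self.require_flag = require_flag          # which 'specified conditions' are enforced
        self.require_encrypted = require_encrypted
        self.decrypt_allowed = True               # decryption permission identifier

    def address_legal(self, instr: ReadInstruction) -> bool:
        start, end = self.valid_range
        # The whole requested window must lie inside the model's valid range; a read that
        # starts inside but runs past the end is illegal, not partially legal.
        return instr.length > 0 and start <= instr.address and instr.address + instr.length <= end

    def authenticate(self, instr: ReadInstruction, model_encrypted: bool = True) -> bool:
        if not self.address_legal(instr):
            self.decrypt_allowed = False   # optional hardening: one illegal read locks the whole task
            return False
        if self.require_flag and not self.decrypt_allowed:
            return False
        if self.require_encrypted and not model_encrypted:
            return False
        return True

    def complete_task(self) -> None:
        """Reset the permission identifier once the computing task has finished."""
        self.decrypt_allowed = True

    def issue_with_indication(self, instr: ReadInstruction, model_encrypted: bool = True):
        """FIG. 12, steps 1201-1202: forward the instruction plus a read indication signal."""
        ok = self.authenticate(instr, model_encrypted)
        return (FIRST_READ_INDICATION if ok else SECOND_READ_INDICATION), instr

    def issue_or_intercept(self, instr: ReadInstruction, model_encrypted: bool = True):
        """FIG. 13, steps 1301-1302: forward only when authentication passes, else intercept."""
        return instr if self.authenticate(instr, model_encrypted) else None


class MemoryController:
    """Stand-in for the memory controller: the only block that touches memory."""

    def __init__(self, memory: bytes):
        self.memory = memory
        self.reads_performed = 0   # lets a test confirm that denied reads never reach memory

    def read(self, instr: ReadInstruction, signal: str = FIRST_READ_INDICATION) -> Optional[bytes]:
        if signal != FIRST_READ_INDICATION:
            return None            # step 1203, deny branch: no memory access at all
        self.reads_performed += 1
        return bytes(self.memory[instr.address:instr.address + instr.length])


def decryption_stage(blob: bytes, model_encrypted: bool, decrypt: Callable[[bytes], bytes]) -> bytes:
    """Steps 1204/1304: decrypt, or pass through a model that is not stored encrypted."""
    return decrypt(blob) if model_encrypted else blob


def run_task_fig12(ctrl, mem_ctrl, instr, decrypt, model_encrypted=True) -> Optional[bytes]:
    signal, forwarded = ctrl.issue_with_indication(instr, model_encrypted)
    blob = mem_ctrl.read(forwarded, signal)
    if blob is None:
        return None                # task aborted; permission identifier stays as it is
    model = decryption_stage(blob, model_encrypted, decrypt)
    ctrl.complete_task()
    return model                   # the dedicated processor would now run the task on `model`


def run_task_fig13(ctrl, mem_ctrl, instr, decrypt, model_encrypted=True) -> Optional[bytes]:
    forwarded = ctrl.issue_or_intercept(instr, model_encrypted)
    if forwarded is None:
        return None                # intercepted: the memory controller never sees the instruction
    model = decryption_stage(mem_ctrl.read(forwarded), model_encrypted, decrypt)
    ctrl.complete_task()
    return model


# Constructed sample: a 64-byte memory image with the stand-in-encrypted model at bytes 16..44.
MODEL_PLAINTEXT = b"constructed-model-weights-v1"
STAND_IN_KEY = 0x5A   # toy XOR stand-in for the decryption circuit; not a real cipher
ENCRYPTED_MODEL = bytes(b ^ STAND_IN_KEY for b in MODEL_PLAINTEXT)
MODEL_RANGE = (16, 16 + len(MODEL_PLAINTEXT))


def build_memory() -> bytes:
    mem = bytearray(64)
    mem[MODEL_RANGE[0]:MODEL_RANGE[1]] = ENCRYPTED_MODEL
    return bytes(mem)


def stand_in_decrypt(blob: bytes) -> bytes:
    return bytes(b ^ STAND_IN_KEY for b in blob)


if __name__ == "__main__":
    ctrl, mc = AccessAuthorityController(MODEL_RANGE), MemoryController(build_memory())
    print(run_task_fig12(ctrl, mc, ReadInstruction(16, 28), stand_in_decrypt))
    print(run_task_fig13(ctrl, mc, ReadInstruction(40, 16), stand_in_decrypt), mc.reads_performed)
```

The difference between the two variants is visible in `MemoryController.read`: in the FIG. 12 path the controller receives every instruction and must honour the signal itself, whereas in the FIG. 13 path a denied instruction never reaches it, so `reads_performed` is the place to check that neither variant leaks a read on failure.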
It should be noted that the order of the steps of the model protection method provided by the embodiments of the present application may be adjusted as appropriate, and steps may be added or removed as the situation requires. Any variation of the method that a person skilled in the art could readily conceive within the technical scope disclosed in this application falls within the scope of protection of this application and is therefore not described further.
To sum up, in the model protection method provided by the embodiments of the present application, the access authority controller authenticates the read instruction and, according to the authentication result, controls whether the AI model requested by the read instruction is read from the memory according to that read instruction. When the AI model is stored in the memory as an encrypted model, it can be read from the memory, and therefore possibly used, only if authentication passes; if authentication fails, the AI model cannot be read from the memory and therefore cannot be used. By controlling the process of reading the AI model from the memory, copying, leakage and abuse of the AI model can be prevented and the AI model is protected, which helps to build a sound AI model ecosystem and a secure and reasonable business model. Moreover, the model protection device provided by the embodiments of the present application can be implemented on a single SOC, without the cost of an additional SOC or of interaction between different SOC chips, so the AI model can be protected at low cost. At the same time, protecting the AI model by authenticating read instructions also provides a technique for checking the legitimacy of instructions, and this technique of the embodiments of the present application can be applied to similar scenarios that require permission checks.
Those skilled in the art can clearly understand that, for convenience and brevity of description, the implementation and specific working process of each component in the model protection method described above may refer to the corresponding content of the model protection device provided by the embodiments of the present application, and are not repeated here.
The embodiments of the present application provide a computer device. The computer device includes a processor, a communication interface and a memory, which are connected to one another through a bus. The memory stores a computer program; when the processor executes the computer program, the computer device implements the foregoing model protection method provided by the embodiments of the present application. For the implementation and structure of the computer device, refer to the corresponding content of the foregoing computer device provided by the embodiments of the present application.
The embodiments of the present application provide a computer-readable storage medium, which may be a non-transitory readable storage medium. The computer-readable storage medium stores instructions, and when the instructions are executed by a processor, the computer executes the foregoing model protection method provided by the embodiments of the present application. The storage medium may be any available medium that a computer can access, or a data storage device such as a server or data center that integrates one or more available media. The available medium may be a magnetic medium (for example, a floppy disk, a hard disk or a magnetic tape), an optical medium (for example, a DVD) or a semiconductor medium (for example, an SSD).
The present application further provides a computer program product. The computer program product includes computer instructions which, when executed by a computer device, cause the computer device to execute the foregoing model protection method provided by the embodiments of the present application.
A person of ordinary skill in the art will understand that all or part of the steps of the foregoing embodiments may be implemented by hardware, or by a program that instructs the relevant hardware. The program may be stored in a computer-readable storage medium, and the storage medium mentioned above may be a read-only memory, a magnetic disk, an optical disc or the like.
The foregoing are merely optional embodiments of the present application and are not intended to limit it. Any modification, equivalent replacement, improvement or the like made within the principles of the present application shall fall within the scope of protection of the present application.

Claims (21)

  1. 一种模型保护装置,其特征在于,所述模型保护装置包括:访问权限控制器和内存控制器;A model protection device, characterized in that the model protection device comprises: an access authority controller and a memory controller;
    所述访问权限控制器用于获取读指令,所述读指令用于请求从内存中读取人工智能AI模型;The access authority controller is used to obtain a read instruction, and the read instruction is used to request to read the artificial intelligence AI model from the memory;
    所述访问权限控制器还用于对所述读指令执行鉴权操作,并基于鉴权结果生成控制信号,所述控制信号用于指示是否对从所述内存中读取的所述AI模型进行解密;The access authority controller is further configured to perform an authentication operation on the read instruction, and generate a control signal based on the authentication result, where the control signal is used to indicate whether to perform an authentication operation on the AI model read from the memory. decrypt;
    所述访问权限控制器还用于将所述读指令发送至所述内存控制器;The access authority controller is further configured to send the read instruction to the memory controller;
    所述内存控制器用于基于所述读指令从所述内存中读取所述AI模型。The memory controller is configured to read the AI model from the memory based on the read instruction.
  2. 根据权利要求1所述的模型保护装置,其特征在于,所述访问权限控制器具体用于:The model protection device according to claim 1, wherein the access authority controller is specifically used for:
    获取所述读指令中包含的用于读取所述AI模型的读地址,基于所述读地址对所述读指令执行鉴权操作。Acquire a read address for reading the AI model included in the read instruction, and perform an authentication operation on the read instruction based on the read address.
  3. 根据权利要求2所述的模型保护装置,其特征在于,所述控制信号包括第一控制信号和第二控制信号,所述第一控制信号用于指示对所述AI模型进行解密,所述第二控制信号用于指示不对所述AI模型进行解密,所述访问权限控制器具体用于:The model protection device according to claim 2, wherein the control signal comprises a first control signal and a second control signal, the first control signal is used to instruct the AI model to be decrypted, and the first control signal is used for decrypting the AI model. The second control signal is used to indicate that the AI model is not to be decrypted, and the access authority controller is specifically used for:
    当所述读地址为合法地址时,生成所述第一控制信号;When the read address is a legal address, generating the first control signal;
    当所述读地址为非法地址时,生成所述第二控制信号。When the read address is an illegal address, the second control signal is generated.
  4. 根据权利要求2所述的模型保护装置,其特征在于,所述控制信号包括第一控制信号和第二控制信号,所述第一控制信号用于指示对所述AI模型进行解密,所述第二控制信号用于指示不对所述AI模型进行解密,所述模型保护装置中存储有解密权限标识,所述解密权限标识用于指示当前计算任务使用的AI模型是否允许被解密,所述访问权限控制器具体用于:The model protection device according to claim 2, wherein the control signal comprises a first control signal and a second control signal, the first control signal is used to instruct the AI model to be decrypted, and the first control signal is used for decrypting the AI model. The second control signal is used to indicate that the AI model is not to be decrypted, the model protection device stores a decryption authority identifier, the decryption authority identifier is used to indicate whether the AI model used by the current computing task is allowed to be decrypted, and the access authority The controller is specifically used for:
    当所述读地址为合法地址且满足指定条件时,生成所述第一控制信号;When the read address is a legal address and meets a specified condition, generating the first control signal;
    当所述读地址为非法地址,和/或,不满足所述指定条件时,生成所述第二控制信号;When the read address is an illegal address, and/or the specified condition is not met, generating the second control signal;
    其中,所述指定条件包括以下至少一个:Wherein, the specified condition includes at least one of the following:
    所述解密权限标识指示所述当前计算任务使用的AI模型允许被解密;The decryption authority identifier indicates that the AI model used by the current computing task is allowed to be decrypted;
    或,所述AI模型为加密模型。Or, the AI model is an encryption model.
  5. 根据权利要求4所述的模型保护装置,其特征在于,所述访问权限控制器还用于:The model protection device according to claim 4, wherein the access authority controller is further used for:
    当所述读地址为非法地址时,控制所述解密权限标识指示所述当前计算任务使用的所有AI模型均不允许被解密。When the read address is an illegal address, controlling the decryption permission identifier indicates that all AI models used by the current computing task are not allowed to be decrypted.
  6. 根据权利要求4或5所述的模型保护装置,其特征在于,所述访问权限控制器还用于:The model protection device according to claim 4 or 5, wherein the access authority controller is further used for:
    在完成所述当前计算任务后,将所述解密权限标识重置为指示允许解密。After the current computing task is completed, the decryption authority identifier is reset to indicate that decryption is permitted.
  7. 根据权利要求2至6任一所述的模型保护装置,其特征在于,所述模型保护装置还包括:第一寄存器,所述第一寄存器用于存储所述AI模型在内存中的有效地址范围;The model protection device according to any one of claims 2 to 6, wherein the model protection device further comprises: a first register, where the first register is used to store an effective address range of the AI model in a memory ;
    所述访问权限控制器具体用于从所述第一寄存器中读取所述有效地址范围,基于所述有效地址范围和所述读地址对所述读指令执行鉴权操作。The access authority controller is specifically configured to read the effective address range from the first register, and perform an authentication operation on the read instruction based on the effective address range and the read address.
  8. 根据权利要求1至7任一所述的模型保护装置,其特征在于,所述模型保护装置还包括:解密电路和专用处理器;The model protection device according to any one of claims 1 to 7, wherein the model protection device further comprises: a decryption circuit and a dedicated processor;
    所述专用处理器用于生成所述读指令,并将所述读指令发送至所述访问权限控制器;The dedicated processor is configured to generate the read instruction and send the read instruction to the access rights controller;
    所述解密电路用于接收所述访问权限控制器生成的控制信号,并在所述控制信号的指示下,对所述AI模型进行解密后传输给所述专用处理器,或者,在所述控制信号的指示下,向所述专用处理器透传所述AI模型;The decryption circuit is configured to receive the control signal generated by the access authority controller, and under the instruction of the control signal, decrypt the AI model and transmit it to the special-purpose processor, or, in the control Under the instruction of the signal, transparently transmit the AI model to the dedicated processor;
    所述专用处理器还用于基于所述解密电路传输的AI模型,执行所述当前计算任务。The dedicated processor is further configured to execute the current computing task based on the AI model transmitted by the decryption circuit.
  9. 根据权利要求1至8任一项所述的模型保护装置,其特征在于,所述模型保护装置还包括:密钥生成电路;The model protection device according to any one of claims 1 to 8, wherein the model protection device further comprises: a key generation circuit;
    所述密钥生成电路用于获取所述模型保护装置的根密钥、所述AI模型的版本标识和所述模型保护装置的装置标识,基于所述根密钥、所述版本标识和所述装置标识,生成用于对所述AI模型进行解密的解密密钥。The key generation circuit is used to obtain the root key of the model protection device, the version identification of the AI model and the device identification of the model protection device, based on the root key, the version identification and the Device identification, generating a decryption key for decrypting the AI model.
  10. 根据权利要求9所述的模型保护装置,其特征在于,所述模型保护装置还包括:第二寄存器;The model protection device according to claim 9, wherein the model protection device further comprises: a second register;
    所述第二寄存器用于存储所述解密密钥;the second register is used to store the decryption key;
    所述模型保护装置中的解密电路具体用于从所述第二寄存器中读取所述解密密钥,在所述控制信号的指示下,采用所述解密密钥对所述AI模型解密。The decryption circuit in the model protection device is specifically configured to read the decryption key from the second register, and under the instruction of the control signal, use the decryption key to decrypt the AI model.
  11. 一种计算装置,其特征在于,所述计算装置包括:内存和如权利要求1至10任一项所述的模型保护装置。A computing device, characterized in that, the computing device comprises: a memory and the model protection device according to any one of claims 1 to 10.
  12. 一种模型保护方法,其特征在于,所述模型保护方法应用于模型保护装置,所述模型保护装置包括:访问权限控制器和内存控制器,所述模型保护方法包括:A model protection method, characterized in that the model protection method is applied to a model protection device, the model protection device includes: an access authority controller and a memory controller, and the model protection method includes:
    所述访问权限控制器获取读指令,所述读指令用于请求从内存中读取人工智能AI模型;The access authority controller obtains a read instruction, and the read instruction is used to request to read the artificial intelligence AI model from the memory;
    所述访问权限控制器对所述读指令执行鉴权操作,并基于鉴权结果生成控制信号,所述控制信号用于指示是否对从所述内存中读取的所述AI模型进行解密;The access authority controller performs an authentication operation on the read instruction, and generates a control signal based on the authentication result, where the control signal is used to indicate whether to decrypt the AI model read from the memory;
    所述访问权限控制器将所述读指令发送至所述内存控制器;the access authority controller sends the read instruction to the memory controller;
    所述内存控制器基于所述读指令从所述内存中读取所述AI模型。The memory controller reads the AI model from the memory based on the read instruction.
  13. 根据权利要求12所述的模型保护方法,其特征在于,所述访问权限控制器对所述读指令执行鉴权操作,包括:The model protection method according to claim 12, wherein the access authority controller performs an authentication operation on the read instruction, comprising:
    所述访问权限控制器获取所述读指令中包含的用于读取所述AI模型的读地址,基于所述读地址对所述读指令执行鉴权操作。The access authority controller acquires a read address for reading the AI model included in the read instruction, and performs an authentication operation on the read instruction based on the read address.
  14. 根据权利要求13所述的模型保护方法,其特征在于,所述控制信号包括第一控制信号和第二控制信号,所述第一控制信号用于指示对所述AI模型进行解密,所述第二控制信号用于指示不对所述AI模型进行解密,所述访问权限控制器基于鉴权结果生成控制信号,包括:The model protection method according to claim 13, wherein the control signal comprises a first control signal and a second control signal, the first control signal is used to instruct to decrypt the AI model, and the first control signal is used to instruct the AI model to be decrypted. The second control signal is used to indicate that the AI model is not to be decrypted, and the access authority controller generates a control signal based on the authentication result, including:
    当所述读地址为合法地址时,所述访问权限控制器生成所述第一控制信号;When the read address is a legal address, the access authority controller generates the first control signal;
    当所述读地址为非法地址时,所述访问权限控制器生成所述第二控制信号。When the read address is an illegal address, the access authority controller generates the second control signal.
  15. 根据权利要求13所述的模型保护方法,其特征在于,所述控制信号包括第一控制信号和第二控制信号,所述第一控制信号用于指示对所述AI模型进行解密,所述第二控制信号用于指示不对所述AI模型进行解密,所述模型保护装置中存储有解密权限标识,所述解密权限标识用于指示当前计算任务使用的AI模型是否允许被解密,所述访问权限控制器基于鉴权结果生成控制信号,包括:The model protection method according to claim 13, wherein the control signal comprises a first control signal and a second control signal, the first control signal is used to instruct to decrypt the AI model, and the first control signal is used to instruct the AI model to be decrypted. The second control signal is used to indicate that the AI model is not to be decrypted, the model protection device stores a decryption authority identifier, the decryption authority identifier is used to indicate whether the AI model used by the current computing task is allowed to be decrypted, and the access authority The controller generates a control signal based on the authentication result, including:
    当所述读地址为合法地址且满足指定条件时,所述访问权限控制器生成所述第一控制信号;When the read address is a legal address and meets a specified condition, the access authority controller generates the first control signal;
    当所述读地址为非法地址,和/或,不满足所述指定条件时,所述访问权限控制器生成所述第二控制信号;When the read address is an illegal address, and/or the specified condition is not met, the access authority controller generates the second control signal;
    其中,所述指定条件包括以下至少一个:Wherein, the specified condition includes at least one of the following:
    所述解密权限标识指示所述当前计算任务使用的AI模型允许被解密;The decryption authority identifier indicates that the AI model used by the current computing task is allowed to be decrypted;
    或,所述AI模型为加密模型。Or, the AI model is an encryption model.
  16. 根据权利要求15所述的模型保护方法,其特征在于,在所述访问权限控制器对所述读指令执行鉴权操作之后,所述模型保护方法还包括:The model protection method according to claim 15, wherein after the access authority controller performs an authentication operation on the read instruction, the model protection method further comprises:
    当所述读地址为非法地址时,所述访问权限控制器控制所述解密权限标识指示所述当前计算任务使用的所有AI模型均不允许被解密。When the read address is an illegal address, the access authority controller controls the decryption authority identifier to indicate that all AI models used by the current computing task are not allowed to be decrypted.
  17. 根据权利要求15或16所述的模型保护方法,其特征在于,在所述访问权限控制器对所述读指令执行鉴权操作之后,所述模型保护方法还包括:The model protection method according to claim 15 or 16, wherein after the access authority controller performs an authentication operation on the read instruction, the model protection method further comprises:
    After completing the current computing task, the access authority controller resets the decryption authority identifier to indicate that decryption is permitted.
  18. The model protection method according to any one of claims 13 to 17, wherein the access authority controller performing an authentication operation on the read instruction comprises:
    the access authority controller reads the effective address range of the AI model in the memory from a first register, and performs the authentication operation on the read instruction based on the effective address range and the read address.
  19. The model protection method according to any one of claims 12 to 18, wherein the model protection device further comprises a decryption circuit and a dedicated processor, and before the access authority controller acquires the read instruction, the model protection method further comprises:
    the dedicated processor generates the read instruction and sends the read instruction to the access authority controller;
    after the access authority controller generates the control signal based on the authentication result, the model protection method further comprises:
    the decryption circuit receives the control signal generated by the access authority controller and, as directed by the control signal, either decrypts the AI model and transmits it to the dedicated processor, or transparently passes the AI model through to the dedicated processor without decryption;
    the dedicated processor executes the current computing task based on the AI model transmitted by the decryption circuit.
  20. The model protection method according to any one of claims 12 to 19, wherein the model protection device further comprises a key generation circuit, and the model protection method further comprises:
    the key generation circuit obtains a root key of the model protection device, a version identifier of the AI model and a device identifier of the model protection device, and generates, based on the root key, the version identifier and the device identifier, a decryption key for decrypting the AI model.
  21. The model protection method according to claim 20, wherein the model protection device further comprises a second register for storing the decryption key, and after the access authority controller generates the control signal based on the authentication result, the model protection method further comprises:
    the decryption circuit in the model protection device reads the decryption key from the second register and, as directed by the control signal, decrypts the AI model using the decryption key.
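As an added illustration (not the patent's own implementation), the following Python model exercises the mechanism of claims 17 to 21 end to end: a first register holding the model's valid address range, an access controller that turns a read into a DECRYPT or PASSTHROUGH control signal, a decryption circuit keyed from a second register, a key generation step binding root key, version identifier and device identifier, and the reset of the decryption permission flag after the task. The HMAC-SHA256 derivation, the XOR keystream cipher, the register layout, the memory image and the one-decryption-per-task rule are all assumptions made for the example.

```python
import hashlib
import hmac
# Constructed fixture values (illustration only, not from the patent).
ROOT_KEY = bytes(range(16))        # device root key
VERSION_ID = b"model-v1"           # AI model version identifier
DEVICE_ID = b"dev-0001"            # model protection device identifier
MODEL_BASE = 0x1000                # where the encrypted model sits in the memory image

def derive_decryption_key(root_key: bytes, version_id: bytes, device_id: bytes) -> bytes:
    """Key generation circuit (claim 20): key bound to root key, model version and device,
    so a ciphertext is only usable on that pairing. HMAC-SHA256 is an assumed primitive."""
    return hmac.new(root_key, version_id + b"|" + device_id, hashlib.sha256).digest()

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in cipher (assumption): XOR with a SHA-256 keystream; self-inverse."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + off.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

class ModelProtectionDevice:
    def __init__(self, memory: bytearray, model_range: tuple):
        self.memory = memory
        self.first_register = model_range   # (base, size): valid model address range (claim 18)
        self.second_register = derive_decryption_key(ROOT_KEY, VERSION_ID, DEVICE_ID)  # claim 21
        self.decrypt_allowed = True         # decryption permission flag (reset step of claim 17)

    def authenticate(self, read_addr: int, length: int) -> str:
        """Access controller: DECRYPT only if the read lies wholly inside the first-register
        range and decryption is still permitted; anything else is passed through encrypted."""
        base, size = self.first_register
        in_range = base <= read_addr and read_addr + length <= base + size
        return "DECRYPT" if in_range and self.decrypt_allowed else "PASSTHROUGH"

    def read(self, read_addr: int, length: int) -> bytes:
        """Read issued by the dedicated processor; the decryption circuit obeys the signal (claim 19)."""
        data = bytes(self.memory[read_addr:read_addr + length])
        if self.authenticate(read_addr, length) == "DECRYPT":
            self.decrypt_allowed = False    # assumption: one decryption per computing task
            return keystream_xor(self.second_register, data)
        return data                         # transparent pass-through: ciphertext as stored

    def complete_task(self) -> None:
        self.decrypt_allowed = True         # claim 17: permission restored after the task

def build_demo_device(plaintext_model: bytes):
    """Encrypt a constructed model image into memory; returns (device, ciphertext)."""
    ct = keystream_xor(derive_decryption_key(ROOT_KEY, VERSION_ID, DEVICE_ID), plaintext_model)
    memory = bytearray(0x2000)
    memory[MODEL_BASE:MODEL_BASE + len(ct)] = ct
    return ModelProtectionDevice(memory, (MODEL_BASE, len(ct))), ct
```

A read that strays outside the registered range, or a second read in the same task, receives only the stored ciphertext, which is the property the claims are after: the plaintext model never leaves the decryption path except under an authenticated control signal.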

Priority Applications (2)

Application Number Priority Date Filing Date Title
PCT/CN2020/137748 WO2022126644A1 (en) 2020-12-18 2020-12-18 Model protection device, method, and computing device
CN202080103291.0A CN115956243A (en) 2020-12-18 2020-12-18 Model protection device and method and computing device

Publications (1)

Publication Number Publication Date
WO2022126644A1 true WO2022126644A1 (en) 2022-06-23

Family

ID=82058839

Country Status (2)

Country Link
CN (1) CN115956243A (en)
WO (1) WO2022126644A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116150740B (en) * 2023-04-17 2023-12-12 杭州鸿钧微电子科技有限公司 Resource isolation method and device, chip system and electronic equipment

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040133797A1 (en) * 2003-01-06 2004-07-08 International Business Machines Corporation Rights management enhanced storage
CN104217175A (en) * 2014-09-05 2014-12-17 北京邮电大学 Data read-write method and device
CN106469124A (en) * 2015-08-20 2017-03-01 深圳市中兴微电子技术有限公司 A kind of memory access control method and device
CN109446835A (en) * 2018-09-30 2019-03-08 龙芯中科技术有限公司 Data access control method, device and equipment

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115577568A (en) * 2022-11-17 2023-01-06 中国汽车技术研究中心有限公司 Method, device and storage medium for determining operation authority of simulation model
CN115577568B (en) * 2022-11-17 2023-03-28 中国汽车技术研究中心有限公司 Method, device and storage medium for determining operation authority of simulation model
CN116701256A (en) * 2023-06-05 2023-09-05 牛芯半导体(深圳)有限公司 Multi-channel arbiter circuit, interface chip and data access method

Also Published As

Publication number Publication date
CN115956243A (en) 2023-04-11
CN115956243A8 (en) 2024-05-10

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
    Ref document number: 20965658; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase
    Ref country code: DE
122 Ep: pct application non-entry in european phase
    Ref document number: 20965658; Country of ref document: EP; Kind code of ref document: A1