WO2023029447A1 - 模型保护方法、装置、设备、系统以及存储介质 - Google Patents
模型保护方法、装置、设备、系统以及存储介质 Download PDFInfo
- Publication number
- WO2023029447A1 WO2023029447A1 PCT/CN2022/082285 CN2022082285W WO2023029447A1 WO 2023029447 A1 WO2023029447 A1 WO 2023029447A1 CN 2022082285 W CN2022082285 W CN 2022082285W WO 2023029447 A1 WO2023029447 A1 WO 2023029447A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- model
- file
- wasm
- encrypted
- verification
- Prior art date
Links
- 238000000034 method Methods 0.000 title claims abstract description 155
- 238000012795 verification Methods 0.000 claims abstract description 133
- 230000008569 process Effects 0.000 claims abstract description 99
- 238000004422 calculation algorithm Methods 0.000 claims abstract description 50
- 230000007246 mechanism Effects 0.000 claims description 22
- 230000004044 response Effects 0.000 claims description 19
- 238000004590 computer program Methods 0.000 claims description 13
- 238000013473 artificial intelligence Methods 0.000 abstract description 18
- 238000010586 diagram Methods 0.000 description 18
- 238000012545 processing Methods 0.000 description 14
- 238000004891 communication Methods 0.000 description 11
- 230000005540 biological transmission Effects 0.000 description 7
- 238000004364 calculation method Methods 0.000 description 7
- 238000011161 development Methods 0.000 description 6
- 230000006870 function Effects 0.000 description 5
- 239000013067 intermediate product Substances 0.000 description 4
- 239000000047 product Substances 0.000 description 4
- 238000013475 authorization Methods 0.000 description 3
- 238000012986 modification Methods 0.000 description 3
- 230000004048 modification Effects 0.000 description 3
- 230000003287 optical effect Effects 0.000 description 3
- 230000009471 action Effects 0.000 description 2
- 230000000694 effects Effects 0.000 description 2
- 230000003993 interaction Effects 0.000 description 2
- 230000006978 adaptation Effects 0.000 description 1
- 238000004458 analytical method Methods 0.000 description 1
- 238000003491 array Methods 0.000 description 1
- 230000001413 cellular effect Effects 0.000 description 1
- 238000010276 construction Methods 0.000 description 1
- 238000013499 data model Methods 0.000 description 1
- 230000007547 defect Effects 0.000 description 1
- 230000001934 delay Effects 0.000 description 1
- 238000013461 design Methods 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 239000004973 liquid crystal related substance Substances 0.000 description 1
- 238000010801 machine learning Methods 0.000 description 1
- 238000007726 management method Methods 0.000 description 1
- 239000013307 optical fiber Substances 0.000 description 1
- 239000004065 semiconductor Substances 0.000 description 1
- 230000001953 sensory effect Effects 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
- 238000010200 validation analysis Methods 0.000 description 1
- 230000000007 visual effect Effects 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/10—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
- G06F21/12—Protecting executable software
- G06F21/121—Restricting unauthorised execution of programs
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/64—Protecting data integrity, e.g. using checksums, certificates or signatures
Definitions
- the present disclosure relates to the field of computers, in particular to the field of artificial intelligence, and can be used in application scenarios such as AI model protection.
- AI models may involve substantial financial and/or engineering resource commitments. Furthermore, the development of AI models is usually a unique domain-specific knowledge acquisition process that is time and resource intensive. Therefore, it is necessary to provide an effective protection mechanism to protect the AI model.
- the present disclosure provides a model protection method, device, equipment, system, storage medium and computer program product.
- a model protection method for the server including: generating a WASM file, wherein the WASM file is used to provide an operating environment for the target model, and the WASM file contains the corresponding model reasoning algorithm and a security verification algorithm, wherein the security verification algorithm implements at least one of the following security verification operations to protect the target model: verify the host environment; verify the integrity of the WASM file Verification; verify the integrity of the model file, wherein the model file is generated corresponding to the original model file of the target model; during the model reasoning process, perform timeout verification on the specified reasoning process; during the model reasoning process , for timeout verification of the entire reasoning process.
- a model protection method for a client including: loading a model file generated corresponding to a target model; loading a WASM file, wherein the WASM file is used to provide the target model with Operating environment; during the instantiation and running of the WASM file, the model file is passed into the operating environment to perform at least one of the following security verification operations, thereby starting a model protection mechanism for the target model: for the host Verify the environment; verify the integrity of the WASM file; verify the integrity of the model file; during the model reasoning process, verify the specified reasoning process overtime; during the model reasoning process, verify the entire reasoning process Validate with timeout.
- a model protection device for a server including: a generation module for generating a WASM file, wherein the WASM file is used to provide an operating environment for the target model, and the WASM file contains the corresponding model reasoning algorithm and security verification algorithm, wherein the security verification algorithm implements at least one of the following security verification operations to protect the target model: verify the host environment; verify the Verify the integrity of the WASM file; verify the integrity of the model file, wherein the model file is generated from the original model file corresponding to the target model; during the model reasoning process, perform timeout verification on the specified reasoning process ;
- timeout validation for the entire inference process.
- a model protection device for a client including: a first loading module, used to load a model file generated corresponding to a target model; a second loading module, used to load a WASM file, Wherein, the WASM file is used to provide an operating environment for the target model; the security verification module is used to pass the model file into the operating environment during the instantiation operation of the WASM file to perform the following security verification At least one of the operations, thereby starting the model protection mechanism for the target model: verifying the host environment; verifying the integrity of the WASM file; verifying the integrity of the model file; during the model reasoning process In, the timeout verification is performed on the specified inference process; in the model inference process, the timeout verification is performed on the entire inference process.
- an electronic device including: at least one processor; and a memory communicatively connected to the at least one processor; wherein, the memory stores Instructions to be executed, the instructions are executed by the at least one processor, so that the at least one processor can execute the method described in the embodiments of the present disclosure.
- a non-transitory computer-readable storage medium storing computer instructions, wherein the computer instructions are used to cause the computer to execute the method according to the embodiments of the present disclosure.
- a computer program product including a computer program, the computer program implements the method according to the embodiments of the present disclosure when executed by a processor.
- a model protection system including: a client and a server, wherein the client requests model information from the server; the server responds to the client's request , return the corresponding model information; the client performs the following operations based on the model information returned by the server: load the model file generated corresponding to the target model; load the WASM file, wherein the WASM file is used for the
- the target model provides an operating environment; the WASM file is instantiated for operation, and the model file is passed into the operating environment; wherein, the WASM file performs at least one of the following security verification operations during the instantiation operation , to start the model protection mechanism for the target model: verify the host environment; verify the integrity of the WASM file; verify the integrity of the model file; during the model reasoning process, specify the reasoning process Perform timeout verification; during model inference, perform timeout verification on the entire reasoning process.
- FIG. 1 exemplarily shows a system architecture suitable for an embodiment of the present disclosure
- FIG. 2A schematically shows a block diagram of a model protection system suitable for embodiments of the present disclosure
- Fig. 2B exemplarily shows a schematic diagram of model offline encryption and online reasoning suitable for embodiments of the present disclosure
- Fig. 3A exemplarily shows a flow chart of a model protection method for a server according to an embodiment of the present disclosure
- Fig. 3B exemplarily shows a schematic diagram of offline generation of model files and WASM files according to an embodiment of the present disclosure
- FIG. 4A exemplarily shows a flowchart of a model protection method for a client according to an embodiment of the present disclosure
- FIG. 4B exemplarily shows a sequence diagram of model online reasoning according to an embodiment of the present disclosure
- FIG. 5 exemplarily shows a schematic diagram of a model protection mechanism according to an embodiment of the present disclosure
- Fig. 6 exemplarily shows a block diagram of a model protection device for a server according to an embodiment of the present disclosure
- Fig. 7 exemplarily shows a block diagram of a model protection device for a client according to an embodiment of the present disclosure
- Fig. 8 exemplarily shows a block diagram of an electronic device used to implement the model protection method of the embodiment of the present disclosure.
- AI computing on the web platform can use the AI computing capabilities provided by the web environment such as browsers and applets to complete the model reasoning process in the host environment and obtain corresponding calculation results.
- the model information needs to be transmitted through the network, so it is easy to leak; the topology of the model needs to be generated and optimized during the JS (Java script) running process of the client, so the model is easy to be leaked. Debug or be tampered with; the model needs to complete the reasoning operation during the JS running process, so the topology and weight data of the model can be easily obtained or derived.
- AI computing on the web platform can protect model information through the following two solutions.
- Solution 1 deploy and reason the AI model on the server side.
- the client can carry model input data and send a model reasoning request to the server.
- the server performs the corresponding model inference operation, and returns the inference result through the network after the model inference is completed.
- Solution 2 relying on the model reasoning capabilities provided by the host where the web environment such as browsers and applets reside to complete AI calculations.
- the client invokes the AI computing capability provided by the host through JS Bridge and other methods when JS (Java script) is running.
- JS Java script
- the model input data also needs to be passed, and after the host completes the model inference, it needs to trigger the callback provided by the client to return the inference result.
- the embodiments of the present disclosure provide a model protection solution suitable for application scenarios with extremely high latency requirements, and can be used in scenarios such as real-time video stream processing. Moreover, model security can be more effectively guaranteed.
- FIG. 1 exemplarily shows a system architecture suitable for an embodiment of the present disclosure. It should be noted that, what is shown in FIG. 1 is only an example of the system architecture to which the embodiments of the present disclosure can be applied, so as to help those skilled in the art understand the technical content of the present disclosure, but it does not mean that the embodiments of the present disclosure cannot be used in other environment or scene.
- the system architecture 100 in the embodiment of the present disclosure may include: a server 110 and a client 120 .
- the server 110 can be used for offline encryption, that is, to complete the encryption of the model file and the encryption of the WASM file.
- the encryption of the model weight data, the encryption of the model configuration information, and the encryption of the decryption key can also be completed.
- the client 120 may request model information from the server 110 to load model files, WASM files, model weight data, model configuration information, and the like.
- WASM file is a file in WASM format, which is a binary bytecode file obtained by compiling source code through Web Assembly technology.
- the WASM file can be used to encapsulate the Web environment for model reasoning.
- a decryption algorithm can also be added to the WASM file for model decryption.
- a security verification algorithm can also be added to the WASM file to perform security verification-related operations.
- model files WASM files, model weight data, and model configuration information are encrypted to prevent user data from being leaked during transmission.
- WASM files are poorly readable since they are binary bytecode files. Therefore, encapsulating the web environment for model reasoning in WASM files can make it difficult to easily derive model topology (including operators, dependencies between operators, and attributes of operators) and model reasoning logic out, so as to protect the model.
- the encrypted model-related information (such as the encrypted model file, model weight data, and model configuration information, etc.) Leading to the disclosure of model-related information.
- the security of the host environment can be verified to ensure the security of the model.
- FIG. 1 the numbers of clients and servers in FIG. 1 are only illustrative. According to implementation needs, there can be any number of clients and servers.
- model protection solution provided by the embodiments of the present disclosure can be used in any type of data model protection scenario, for example, it can be used in the AI model protection scenario.
- the present disclosure provides a model protection system.
- FIG. 2A exemplarily shows a block diagram of a model protection system suitable for an embodiment of the present disclosure.
- the model protection system 200 may include: a client 210 and a server 220 .
- the client 210 requests model information from the server 220 .
- the server 220 returns corresponding model information.
- the client 210 Based on the model information returned by the server 220, the client 210 performs the following operations: load the model file generated corresponding to the target model; load the WASM file, wherein the WASM file is used to provide an operating environment for the target model; instantiate and run the WASM file, And pass the model file into the running environment.
- At least one of the following security verification operations is performed to start the model protection mechanism for the target model: verify the host environment; verify the integrity of the WASM file; verify the integrity of the model file
- the timeout verification is performed on the specified reasoning process; in the model reasoning process, the timeout verification is performed on the entire reasoning process.
- model information returned by the server 220 may include, but not limited to, the address of the encrypted model file, the address of the encrypted WASM file, and the corresponding encrypted model configuration information (mainly including the input/output configuration of the model ), the encrypted weight data of the corresponding model, etc.
- the model file generated corresponding to the target model may be the original model file of the target model or a product obtained by encrypting the original model file.
- the model file generated corresponding to the target model may be an intermediate product obtained by processing the original model file of the target model or a product obtained by encrypting the intermediate product.
- the topology of the target model can be determined based on the original model file of the target model, and then the intermediate product of the original model file can be obtained by obfuscating the attributes of operators in the topology and the dependencies between operators.
- the WASM file can be generated corresponding to the topology structure of the target model, so that the WASM file can provide an operating environment (such as a Web environment) for the target model during instantiation and running, thereby implementing corresponding model reasoning.
- an operating environment such as a Web environment
- a decryption algorithm can also be added to the WASM file for model decryption (for example, to decrypt encrypted model files, model weight data, and model configuration information, etc.).
- encrypted WASM files can be decrypted in the client's hosting environment.
- a security verification algorithm can also be added to the WASM file to perform security verification-related operations.
- the hosting environment is verified, such as verifying whether the domain name and/or username of the hosting environment are in the corresponding white list. If the verification result indicates that it is in the corresponding white list, the verification is passed. In response to passing this verification, the decryption algorithm and model inference algorithm can be executed during the instantiation and running of the WASM file to ensure the security of the model during the running process. In response to failing the current verification, the current model reasoning may be terminated.
- verifying the integrity of the WASM file can avoid model security problems caused by tampering of the WASM file.
- verifying the integrity of the model file can avoid model security problems caused by tampering of the model file.
- timeout verification is performed on the specified reasoning process.
- an anti-debugging mechanism can be set, such as burying key paths in advance, and then verify whether the inference process between the buried key paths (such as the inference process from A to B) times out during operation. It should be understood that if the verification result indicates that the specified reasoning process times out, it indicates that the model may be debugged during the reasoning process. In this case, the model inference can be terminated to ensure the safety of the model. If the verification result indicates that the specified reasoning process has not timed out, it indicates that the reasoning process is normal, and subsequent model reasoning operations can be continued.
- timeout verification is performed on the whole reasoning process. It should be understood that if the verification result indicates that the reasoning process is timed out, it indicates that the model may be debugged during the reasoning process. In this case, the model inference can be terminated to ensure the safety of the model. If the verification result indicates that the entire reasoning process has not timed out, it indicates that the reasoning process is normal.
- the server end by encrypting and compressing the model file before sending it to the client end, data leakage during transmission can be avoided, and network traffic can be saved for the user.
- the running environment of the model is encapsulated through the WASM file, and a limited call interface is exposed to the external web hosting environment, which can prevent the model content (such as the topology of the model, including the operators and attributes contained in the model and The dependencies between operators, etc.) are easily deduced and obtained.
- the file integrity verification mechanism is adopted to ensure the security of the model, and it can be found in time if the model is tampered with.
- the model anti-debugging mechanism can be used to ensure the safety of the model, such as preventing the model from being debugged during the running process in time. Therefore, adopting the instant security verification mechanism can more comprehensively guarantee the security of the model.
- the client may first send an authentication request to the server.
- the server performs authentication operations and returns corresponding authentication results.
- the client requests the model information from the server.
- the client cannot request model information from the server.
- the model information can be obtained through authentication during the client JS running process.
- the model information may include the address of the encrypted model file, the address of the encrypted WASM file, encrypted related model configuration information (mainly including the input/output configuration of the model) and the encrypted weight data of the model.
- the authentication service may follow the OAuth2.0 authorization standard.
- the AI model provider can hand over the AK (Access Key Id, used to identify the user) for authentication verification to the model user.
- the model user initiates an authentication request to the server such as the authentication server through the client to obtain the authentication token (token, before some data is transmitted, the token is checked first, and different tokens are authorized for different data operations before. ), and then the client sends a model information acquisition request carrying a token to the server, and the server returns the corresponding model information to the client based on the token carried in the request.
- model information is acquired in an authorized access manner, which can ensure model information security.
- Fig. 2B exemplarily shows a schematic diagram of model offline encryption and online reasoning suitable for the embodiments of the present disclosure.
- the model file and the corresponding WASM file used for decryption, inference and security verification can be encrypted separately through offline encryption, and the encrypted secure file hosting for your files.
- the client can obtain model information through user authentication (that is, authenticate the model user), and perform decryption, decoding, inference, and security verification (such as host environment verification and timeout verification) during the instantiation and running of the WASM file. ) and other operations.
- the present disclosure provides a model protection method for a server.
- Fig. 3A exemplarily shows a flowchart of a model protection method for a server according to an embodiment of the present disclosure.
- the model protection method 300 may include: operation S310.
- a WASM file is generated, wherein the WASM file is used to provide an operating environment for the target model, and the WASM file includes a corresponding model reasoning algorithm and a security verification algorithm.
- the security verification algorithm implements at least one of the following security verification operations to protect the target model: verify the host environment; verify the integrity of the WASM file; verify the integrity of the model file, where , the model file is generated corresponding to the original model file of the target model; during the model inference process, the timeout verification is performed on the specified inference process; during the model inference process, the timeout verification is performed on the entire inference process.
- the topology structure of the target model can be determined according to the original model file of the target model, and the model reasoning logic in the WASM file is generated based on the topology structure of the target model.
- the generated WASM file can provide the corresponding operating environment for the target model.
- a decryption algorithm can also be added to the WASM file for model decryption (for example, to decrypt encrypted model files, model weight data, and model configuration information, etc.).
- encrypted WASM files can be decrypted in the client's hosting environment.
- a security verification algorithm can also be added to the WASM file to perform security verification-related operations.
- the hosting environment is verified, such as verifying whether the domain name and/or username of the hosting environment are in the corresponding white list. If the verification result indicates that it is in the corresponding white list, the verification is passed. In response to passing the verification, the decryption algorithm and model inference algorithm can be executed during the instantiation and running of the WASM file to ensure the security of the model during the running process. In response to failing the current verification, the current model reasoning may be terminated.
- verifying the integrity of the WASM file can avoid model security problems caused by tampering of the WASM file.
- verifying the integrity of the model file can avoid model security problems caused by tampering of the model file.
- timeout verification is performed on the specified reasoning process.
- an anti-debugging mechanism can be set, such as burying key paths in advance, and then verify whether the inference process between the buried key paths (such as the inference process from A to B) times out during operation. It should be understood that if the verification result indicates that the specified reasoning process times out, it indicates that the model may be debugged during the reasoning process. In this case, the model reasoning can be terminated to ensure the safety of the model. If the verification result indicates that the specified reasoning process has not timed out, it indicates that the reasoning process is normal, and subsequent model reasoning operations can be continued.
- timeout verification is performed on the whole reasoning process. It should be understood that if the verification result indicates that the reasoning process is timed out, it indicates that the model may be debugged during the reasoning process. In this case, the model reasoning can be terminated to ensure the safety of the model. If the verification result indicates that the entire reasoning process has not timed out, it indicates that the reasoning process is normal.
- model protection method provided in this embodiment is applied to the server.
- the Plain JS backend calculation scheme of the model front-end reasoning engine can be selected to construct the topology of the model, and then the intermediate product is encrypted to generate an encrypted model file.
- the encryption algorithm may use the AES symmetric encryption algorithm.
- the information required by the WASM backend calculation scheme can be extracted based on the topology of the target model, and the WASM file can be generated based on the extracted information.
- the server end by encrypting and compressing the model file before sending it to the client end, data leakage during transmission can be avoided, and network traffic can be saved for the user.
- the running environment of the model is encapsulated through the WASM file, and a limited call interface is exposed to the external web hosting environment, which can prevent the topology of the model from being easily derived and obtained.
- the file integrity verification mechanism is adopted to ensure the security of the model, and it can be found in time if the model is tampered with.
- the model anti-debugging mechanism can be used to ensure the safety of the model, such as preventing the model from being debugged during the running process in time. Therefore, adopting the instant security verification mechanism can more comprehensively guarantee the security of the model.
- the model can be deployed and reasoned completely in the web environment, without the need to transmit user data to the server side through the network, which protects the privacy of users and provides users with It saves traffic and reduces network delay.
- the method may further include at least one of the following.
- the model configuration information of the target model is encrypted to obtain the encrypted model configuration information.
- the weight data of the target model is encrypted to obtain encrypted weight data.
- the WASM file also includes a corresponding decryption algorithm, which is used to decrypt at least one of the following: encrypted model files, encrypted model configuration information, and encrypted weight data.
- the encryption algorithm may adopt the AES symmetric encryption algorithm.
- model files can not only effectively prevent user data from being leaked during hosting, but also effectively prevent user data from being leaked during transmission.
- adding the corresponding decryption algorithm to the WASM file, and decrypting the encrypted model file, encrypted model configuration information, and encrypted weight data during the instantiation of the WASM file can prevent the above content from being easily decrypted.
- the privacy of the model can be further protected.
- the method may further include: encrypting the decryption key to obtain an encrypted key.
- secondary encryption can be achieved by encrypting the key used for decryption.
- the safe transmission of information can be guaranteed by hiding the key used for decryption.
- the decryption key may be encrypted using an RSA asymmetric encryption algorithm to generate an encrypted key for decryption.
- the encryption key may also be encrypted using the RSA asymmetric encryption algorithm to generate an encrypted key for encryption.
- the privacy of the model can be further protected by performing secondary encryption on the decryption key.
- the method may further include: for the target model, configuring an access key identifier for each of the at least one user.
- the at least one user refers to the user of the target model.
- a unique access key identifier AK
- the AK provided by the user (that is, the model user) can be used to identify whether the user is the model user of the trusted domain. If the authentication result indicates that the user requesting authentication is a model user of the trusted domain, then confirm that the authentication has passed, otherwise, confirm that the authentication has failed. Wherein, the user is allowed to obtain the model information only when the authentication is passed, otherwise the user is not allowed to obtain the model information.
- model users are authorized to access, which can prevent model information from being obtained illegally, thereby protecting the model.
- Fig. 3B exemplarily shows a schematic diagram of offline generation of model files and WASM files according to an embodiment of the present disclosure.
- the topology of the model can be generated in the Plain JS CPU computing solution.
- the model file of the model can be generated, and then the generated model file can be compressed and deployed.
- a WASM file containing algorithms such as analysis, decryption, decoding, reasoning, and security verification can be generated in the Plain JS WASM computing solution.
- the WASM file After the WASM file is generated, the file can also be encrypted, compressed, and deployed.
- the encryption key may be dynamically generated or specified.
- the present disclosure provides a model protection method for a client.
- Fig. 4A exemplarily shows a flowchart of a model protection method for a client according to an embodiment of the present disclosure.
- the model protection method 400 may include: operation S410-operation S430.
- the WASM file is loaded, wherein the WASM file is used to provide an execution environment for the target model.
- the WASM file is instantiated and run, and the model file is passed into the running environment provided by the WASM file, so that at least one of the following security verification operations is performed during the instantiation of the WASM file to start the model for the target model Protection mechanism: verify the host environment; verify the integrity of the WASM file; verify the integrity of the model file; during the model reasoning process, perform timeout verification on the specified reasoning process; during the model reasoning process, verify the entire reasoning process The process performs timeout verification.
- the model file and/or WASM file is an encrypted file. It should be understood that the encryption method of the type file and the WASM file in this embodiment is the same as or similar to the description in the previous embodiment, and will not be repeated here.
- the method may further include: performing the following operations during the instantiation and running of the WASM file.
- the encrypted model file is decrypted to obtain the decrypted model file. Perform model inference based on the decrypted model file.
- the preset security verification may include at least one of the following: host environment verification, model file integrity verification, and WASM file integrity verification.
- model content such as model topology
- data leakage can be prevented due to inappropriate decryption timing.
- decrypting the encrypted model file may include the following operations: obtaining an encrypted key for decryption.
- the encrypted key is decrypted to obtain the decrypted key.
- the decryption key can be dynamically read during decryption.
- the privacy of the model can be further protected by performing secondary encryption on the decryption key.
- FIG. 4B exemplarily shows a sequence diagram of model online reasoning according to an embodiment of the present disclosure.
- the timing of the online reasoning of the model is as follows: the client sends an authentication request to the server during the running of the JS; the server executes the authentication operation in response to the request, and returns the authentication token; the client JS carries the authentication token to send model information requests, such as model configuration information requests, model weight data requests, encrypted model file address requests, and encrypted WASM file address requests, to the server in parallel; The server returns the corresponding model information in response to these requests; the client JS loads the encrypted WASM file and the encrypted model file; the client JS instantiates the WASM file while the model weight data, model Write the input data, model structure content, etc.
- model information requests such as model configuration information requests, model weight data requests, encrypted model file address requests, and encrypted WASM file address requests
- the WASM module (obtained from the instantiation of the model file) performs host environment verification during operation (such as confirming the user's identity through the signature handshake mechanism with the server) , decryption, decoding, initialization, inference, and time limit verification (that is, verify whether the entire inference process has timed out, such as whether it exceeds 1h, and exit if it times out); the WASM module writes the inference result into the memory of the WASM module; the client JS running process You can call the calling interface exposed by the WASM module, such as calling the relevant interface to read the corresponding inference result.
- Fig. 5 exemplarily shows a schematic diagram of a model protection mechanism according to an embodiment of the present disclosure.
- the model protection mechanism can guarantee the security of the model from two aspects of confidentiality and controllability.
- confidentiality of the model the security of the model itself can be ensured through offline model encryption; by encapsulating the decryption and reasoning process into an unreadable WASM file (that is, encapsulating the operating environment) to prevent the leakage of the model structure and model at runtime Data; the key used for decryption has been encrypted twice asymmetrically and obtained through authorized access, thus ensuring the security of the key.
- the encryption of the model and the key adopts offline privatization deployment to ensure the security of the encryption environment; the key for decryption is obtained through a separate authorized access service (that is, the number of credit authorizations is managed) to ensure the security of the key ;
- the host environment verification, code integrity verification, and anti-debugging verification can be carried out during the model operation (such as the timeout verification of the specified inference process and the timeout verification of the entire inference process, and the latter is also the verification of the effective time limit of the operation), so that it can be guaranteed during operation.
- the model is safe and prevents the model from being stolen.
- the present disclosure also provides a model protection device for a server.
- Fig. 6 exemplarily shows a block diagram of a model protection device for a server according to an embodiment of the present disclosure.
- the model protection device 600 may include: a generating module 610 .
- the generating module 610 is configured to generate a WASM file, wherein the WASM file is used to provide an operating environment for the target model, and the WASM file includes a corresponding model reasoning algorithm and a security verification algorithm.
- the security verification algorithm implements at least one of the following security verification operations to protect the target model: verify the host environment; verify the integrity of the WASM file; verify the integrity of the model file Verification, wherein, the model file is generated corresponding to the original model file of the target model; during the model reasoning process, a timeout verification is performed on the specified reasoning process; during the model reasoning process, the timeout verification is performed on the entire reasoning process.
- the device also includes at least one of the following modules: a first encryption module, configured to encrypt the model file to obtain an encrypted model file; a second encryption module, used to encrypt The WASM file is encrypted to obtain an encrypted WASM file; the third encryption module is used to encrypt the model configuration information of the target model to obtain encrypted model configuration information; the fourth encryption module is used to the target model
- the weight data is encrypted to obtain the encrypted weight data; wherein, the WASM file also contains a corresponding decryption algorithm, and the decryption algorithm is used to decrypt at least one of the following: the encrypted model file, the encrypted model configuration information, the encrypted weight data.
- the device further includes: a fifth encryption module, configured to encrypt the decryption key to obtain an encrypted key.
- the device further includes: a configuration module configured to configure an access key identifier for each user in the at least one user with respect to the target model.
- the present disclosure also provides a model protection device for a client.
- Fig. 7 exemplarily shows a block diagram of a model protection device for a client according to an embodiment of the present disclosure.
- the model protection device 700 may include: a first loading module 710 , a second loading module 720 and a security verification module 730 .
- the first loading module 710 is configured to load the generated model file corresponding to the target model.
- the second loading module 720 is configured to load a WASM file, wherein the WASM file is used to provide an operating environment for the target model.
- the security verification module 730 is configured to pass the model file into the running environment during the instantiation and running of the WASM file and perform at least one of the following security verification operations to start the model protection mechanism for the target model: host environment Verify; verify the integrity of the WASM file; verify the integrity of the model file; during model reasoning, perform timeout verification of the specified reasoning process; during model reasoning, perform timeout verification of the entire reasoning process .
- the first loading module acquires and loads the model file
- the second loading module acquires and loads the WASM file.
- model file and/or the WASM file are encrypted files.
- the device further includes: a decryption module, configured to decrypt the encrypted model file in response to the passing of the preset security verification during the instantiation and operation of the WASM file, to obtain the decrypted model file; and a model reasoning module, configured to perform model reasoning based on the decrypted model file.
- a decryption module configured to decrypt the encrypted model file in response to the passing of the preset security verification during the instantiation and operation of the WASM file, to obtain the decrypted model file
- a model reasoning module configured to perform model reasoning based on the decrypted model file.
- the preset security verification includes at least one of the following: host environment verification, model file integrity verification, and WASM file integrity verification.
- the decryption module includes: an acquisition unit, configured to obtain an encrypted key for decryption; a first decryption unit, configured to decrypt the encrypted key, to obtain the decrypted a key; and a second decryption unit, configured to use the decrypted key to decrypt the encrypted model file.
- the present disclosure also provides an electronic device, a readable storage medium, and a computer program product.
- FIG. 8 shows a schematic block diagram of an example electronic device 800 that may be used to implement embodiments of the present disclosure.
- Electronic device is intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other suitable computers.
- Electronic devices may also represent various forms of mobile devices, such as personal digital processing, cellular telephones, smart phones, wearable devices, and other similar computing devices.
- the components shown herein, their connections and relationships, and their functions, are by way of example only, and are not intended to limit implementations of the disclosure described and/or claimed herein.
- an electronic device 800 includes a computing unit 801, which can perform calculations according to a computer program stored in a read-only memory (ROM) 802 or a computer program loaded from a storage unit 808 into a random access memory (RAM) 803. Various appropriate actions and processes are performed. In the RAM 803, various programs and data necessary for the operation of the electronic device 800 can also be stored.
- the computing unit 801, ROM 802, and RAM 803 are connected to each other through a bus 804.
- An input/output (I/O) interface 805 is also connected to the bus 804 .
- the I/O interface 805 includes: an input unit 806, such as a keyboard, a mouse, etc.; an output unit 807, such as various types of displays, speakers, etc.; a storage unit 808, such as a magnetic disk, an optical disk etc.; and a communication unit 809, such as a network card, a modem, a wireless communication transceiver, and the like.
- the communication unit 809 allows the device 800 to exchange information/data with other devices over a computer network such as the Internet and/or various telecommunication networks.
- the computing unit 801 may be various general-purpose and/or special-purpose processing components having processing and computing capabilities. Some examples of computing units 801 include, but are not limited to, central processing units (CPUs), graphics processing units (GPUs), various dedicated artificial intelligence (AI) computing chips, various computing units that run machine learning model algorithms, digital signal processing processor (DSP), and any suitable processor, controller, microcontroller, etc.
- the calculation unit 801 executes various methods and processes described above, such as a model protection method.
- the model protection method may be implemented as a computer software program tangibly embodied on a machine-readable medium, such as storage unit 808 .
- part or all of the computer program may be loaded and/or installed on the device 800 via the ROM 802 and/or the communication unit 809.
- the computer program When the computer program is loaded into RAM 803 and executed by computing unit 801, one or more steps of the model protection method described above may be performed.
- the computing unit 801 may be configured to execute the model protection method in any other suitable manner (for example, by means of firmware).
- Various implementations of the systems and techniques described above herein can be implemented in digital electronic circuit systems, integrated circuit systems, field programmable gate arrays (FPGAs), application specific integrated circuits (ASICs), application specific standard products (ASSPs), systems on chips Implemented in a system of systems (SOC), load programmable logic device (CPLD), computer hardware, firmware, software, and/or combinations thereof.
- FPGAs field programmable gate arrays
- ASICs application specific integrated circuits
- ASSPs application specific standard products
- SOC system of systems
- CPLD load programmable logic device
- computer hardware firmware, software, and/or combinations thereof.
- programmable processor can be special-purpose or general-purpose programmable processor, can receive data and instruction from storage system, at least one input device, and at least one output device, and transmit data and instruction to this storage system, this at least one input device, and this at least one output device an output device.
- Program codes for implementing the methods of the present disclosure may be written in any combination of one or more programming languages. These program codes may be provided to a processor or controller of a general-purpose computer, a special purpose computer, or other programmable data processing devices, so that the program codes, when executed by the processor or controller, make the functions/functions specified in the flow diagrams and/or block diagrams Action is implemented.
- the program code may execute entirely on the machine, partly on the machine, as a stand-alone software package partly on the machine and partly on a remote machine or entirely on the remote machine or server.
- a machine-readable medium may be a tangible medium that may contain or store a program for use by or in conjunction with an instruction execution system, apparatus, or device.
- a machine-readable medium may be a machine-readable signal medium or a machine-readable storage medium.
- a machine-readable medium may include, but is not limited to, electronic, magnetic, optical, electromagnetic, infrared, or semiconductor systems, apparatus, or devices, or any suitable combination of the foregoing.
- machine-readable storage media would include one or more wire-based electrical connections, portable computer discs, hard drives, random access memory (RAM), read only memory (ROM), erasable programmable read only memory (EPROM or flash memory), optical fiber, compact disk read only memory (CD-ROM), optical storage, magnetic storage, or any suitable combination of the foregoing.
- RAM random access memory
- ROM read only memory
- EPROM or flash memory erasable programmable read only memory
- CD-ROM compact disk read only memory
- magnetic storage or any suitable combination of the foregoing.
- the systems and techniques described herein can be implemented on a computer having a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to the user. ); and a keyboard and pointing device (eg, a mouse or a trackball) through which a user can provide input to the computer.
- a display device e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor
- a keyboard and pointing device eg, a mouse or a trackball
- Other kinds of devices can also be used to provide interaction with the user; for example, the feedback provided to the user can be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and can be in any form (including Acoustic input, speech input or, tactile input) to receive input from the user.
- the systems and techniques described herein can be implemented in a computing system that includes back-end components (e.g., as a data server), or a computing system that includes middleware components (e.g., an application server), or a computing system that includes front-end components (e.g., as a a user computer having a graphical user interface or web browser through which a user can interact with embodiments of the systems and techniques described herein), or including such backend components, middleware components, Or any combination of front-end components in a computing system.
- the components of the system can be interconnected by any form or medium of digital data communication, eg, a communication network. Examples of communication networks include: Local Area Network (LAN), Wide Area Network (WAN) and the Internet.
- a computer system may include clients and servers.
- Clients and servers are generally remote from each other and typically interact through a communication network.
- the relationship of client and server arises by computer programs running on the respective computers and having a client-server relationship to each other.
- the server can be a cloud server, also known as cloud computing server or cloud host, which is a host product in the cloud computing service system to solve the problem of traditional physical host and VPS service ("Virtual Private Server", or "VPS”) Among them, there are defects such as difficult management and weak business scalability.
- the server can also be a server of a distributed system, or a server combined with a blockchain.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Technology Law (AREA)
- Multimedia (AREA)
- Health & Medical Sciences (AREA)
- Bioethics (AREA)
- General Health & Medical Sciences (AREA)
- Storage Device Security (AREA)
Abstract
Description
Claims (25)
- 一种模型保护方法,包括:生成WASM文件,其中,所述WASM文件用于为目标模型提供运行环境,所述WASM文件中包含对应的模型推理算法以及安全验证算法,其中,所述安全验证算法通过执行以下安全验证操作中的至少之一,以实现对所述目标模型的保护:对宿主环境进行验证;对所述WASM文件的完整性进行验证;对模型文件的完整性进行验证,其中,所述模型文件是对应于所述目标模型的原模型文件生成的;在模型推理过程中,对指定推理过程进行超时验证;在模型推理过程中,对整个推理过程进行超时验证。
- 根据权利要求1所述的方法,还包括以下至少之一:对所述模型文件进行加密,得到经加密的模型文件;对所述WASM文件进行加密,得到经加密的WASM文件;对所述目标模型的模型配置信息进行加密,得到经加密的模型配置信息;对所述目标模型的权重数据进行加密,得到经加密的权重数据;其中,所述WASM文件中还包含对应的解密算法,所述解密算法用于对以下至少之一进行解密:所述经加密的模型文件、所述经加密的模型配置信息、所述经加密的权重数据。
- 根据权利要求2所述的方法,还包括:对解密用的密钥进行加密,得到经加密的密钥。
- 根据权利要求1至3中任一项所述的方法,还包括:针对所述目标模型,为至少一个用户中的每个用户配置一个访问密钥标识。
- 一种模型保护方法,包括:加载对应于目标模型生成的模型文件;加载WASM文件,其中,所述WASM文件用于为所述目标模型提供运行环境;在所述WASM文件实例化运行中,将所述模型文件传入所述运行环境, 以执行以下安全验证操作中的至少之一,从而对所述目标模型启动模型保护机制:对宿主环境进行验证;对所述WASM文件的完整性进行验证;对所述模型文件的完整性进行验证;在模型推理过程中,对指定推理过程进行超时验证;在模型推理过程中,对整个推理过程进行超时验证。
- 根据权利要求5所述的方法,其中:响应于对用户鉴权通过,获取并加载所述模型文件和所述WASM文件。
- 根据权利要求5或6所述的方法,其中:所述模型文件和/或所述WASM文件为经加密的文件。
- 根据权利要求7所述的方法,还包括:在所述WASM文件实例化运行中,响应于预设安全验证通过,对经加密的模型文件进行解密,得到解密后的模型文件;以及基于所述解密后的模型文件进行模型推理。
- 根据权利要求8所述的方法,其中,所述预设安全验证包括以下中的至少之一:宿主环境验证、模型文件完整性验证、WASM文件完整性验证。
- 根据权利要求8所述的方法,其中,所述对经加密的模型文件进行解密,包括:获取解密用的经加密的密钥;对所述经加密的密钥进行解密,得到解密后的密钥;以及利用所述解密后的密钥,对所述经加密的模型文件进行解密。
- 一种模型保护装置,包括:生成模块,用于生成WASM文件,其中,所述WASM文件用于为目标模型提供运行环境,所述WASM文件中包含对应的模型推理算法以及安全验证算法,其中,所述安全验证算法通过执行以下安全验证操作中的至少之一,以实现对所述目标模型的保护:对宿主环境进行验证;对所述WASM文件的完整性进行验证;对模型文件的完整性进行验证,其中,所述模型文件是对应于所述目标模型的原模型文件生成的;在模型推理过程中,对指定推理过程进行超时验证;在模型推理过程中,对整个推理过程进行超时验证。
- 根据权利要求11所述的装置,还包括以下模块中的至少之一:第一加密模块,用于对所述模型文件进行加密,得到经加密的模型文件;第二加密模块,用于对所述WASM文件进行加密,得到经加密的WASM文件;第三加密模块,用于对所述目标模型的模型配置信息进行加密,得到经加密的模型配置信息;第四加密模块,用于对所述目标模型的权重数据进行加密,得到经加密的权重数据;其中,所述WASM文件中还包含对应的解密算法,所述解密算法用于对以下至少之一进行解密:所述经加密的模型文件、所述经加密的模型配置信息、所述经加密的权重数据。
- 根据权利要求12所述的装置,还包括:第五加密模块,用于对解密用的密钥进行加密,得到经加密的密钥。
- 根据权利要求11至13中任一项所述的装置,还包括:配置模块,用于针对所述目标模型,为至少一个用户中的每个用户配置一个访问密钥标识。
- 一种模型保护装置,包括:第一加载模块,用于加载对应于目标模型生成的模型文件;第二加载模块,用于加载WASM文件,其中,所述WASM文件用于为所述目标模型提供运行环境;安全验证模块,用于在所述WASM文件实例化运行中,将所述模型文件传入所述运行环境,以执行以下安全验证操作中的至少之一,从而对所述目标模型启动模型保护机制:对宿主环境进行验证;对所述WASM文件的完整性进行验证;对所述模型文件的完整性进行验证;在模型推理过程中,对指定推理过程进行超时验证;在模型推理过程中,对整个推理过程进行超时验证。
- 根据权利要求15所述的装置,其中:响应于对用户鉴权通过,由所述第一加载模块获取并加载所述模型文件,以及由所述第二加载模块获取并加载所述WASM文件。
- 根据权利要求15或16所述的装置,其中:所述模型文件和/或所述WASM文件为经加密的文件。
- 根据权利要求17所述的装置,还包括:解密模块,用于在所述WASM文件实例化运行中,响应于预设安全验证通过,对经加密的模型文件进行解密,得到解密后的模型文件;以及模型推理模块,用于基于所述解密后的模型文件进行模型推理。
- 根据权利要求18所述的装置,其中,所述预设安全验证包括以下中的至少之一:宿主环境验证、模型文件完整性验证、WASM文件完整性验证。
- 根据权利要求18所述的装置,其中,所述解密模块包括:获取单元,用于获取解密用的经加密的密钥;第一解密单元,用于对所述经加密的密钥进行解密,得到解密后的密钥;以及第二解密单元,用于利用所述解密后的密钥,对所述经加密的模型文件进行解密。
- 一种电子设备,包括:至少一个处理器;以及与所述至少一个处理器通信连接的存储器;其中,所述存储器存储有可被所述至少一个处理器执行的指令,所述指令被所述至少一个处理器执行,以使所述至少一个处理器能够执行权利要求1-10中任一项所述的方法。
- 一种存储有计算机指令的非瞬时计算机可读存储介质,其中,所述计算机指令用于使所述计算机执行根据权利要求1-10中任一项所述的方法。
- 一种计算机程序产品,包括计算机程序,所述计算机程序在被处理器执行时实现根据权利要求1-10中任一项所述的方法。
- 一种模型保护系统,包括:客户端和服务端,其中,所述客户端向所述服务端请求模型信息;所述服务端响应于所述客户端的请求,返回对应的模型信息;所述客户端基于所述服务端返回的模型信息,执行以下操作:加载对应于目标模型生成的模型文件;加载WASM文件,其中,所述WASM文件用于为所述目标模型提供运行环境;使所述WASM文件实例化运行,并将所述模型文件传入所述运行环境;其中,所述WASM文件在实例化运行中,执行以下安全验证操作中的至少之一,以对所述目标模型启动模型保护机制:对宿主环境进行验证;对所述WASM文件的完整性进行验证;对所述模型文件的完整性进行验证;在模型推理过程中,对指定推理过程进行超时验证;在模型推理过程中,对整个推理过程进行超时验证。
- 根据权利要求24所述的系统,其中:所述客户端在向所述服务端请求模型信息之前,先向所述服务端发送鉴权请求;所述服务端响应于来自所述客户端的鉴权请求,执行鉴权操作并返回鉴权结果;以及所述客户端在所述鉴权结果表征鉴权通过的情况下,再向所述服务端请求模型信息。
Priority Applications (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2022559937A JP2023542574A (ja) | 2021-08-30 | 2022-03-22 | モデル保護方法、装置、機器、システム、記憶媒体及びプログラム |
US17/915,705 US20240211609A1 (en) | 2021-08-30 | 2022-03-22 | Method and system of protecting model, device, and storage medium |
KR1020227033945A KR20220140638A (ko) | 2021-08-30 | 2022-03-22 | 모델 보호 방법과 장치, 전자 기기, 모델 보호 시스템, 저장 매체 및 컴퓨터 프로그램 |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111007976.8A CN113722683B (zh) | 2021-08-30 | 2021-08-30 | 模型保护方法、装置、设备、系统以及存储介质 |
CN202111007976.8 | 2021-08-30 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2023029447A1 true WO2023029447A1 (zh) | 2023-03-09 |
Family
ID=78679505
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2022/082285 WO2023029447A1 (zh) | 2021-08-30 | 2022-03-22 | 模型保护方法、装置、设备、系统以及存储介质 |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN113722683B (zh) |
WO (1) | WO2023029447A1 (zh) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN116319763A (zh) * | 2023-05-19 | 2023-06-23 | 北京长亭科技有限公司 | 一种基于wasm技术的文件上传方法以及装置 |
Families Citing this family (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113722683B (zh) * | 2021-08-30 | 2023-10-13 | 北京百度网讯科技有限公司 | 模型保护方法、装置、设备、系统以及存储介质 |
CN115146237B (zh) * | 2022-09-05 | 2022-11-15 | 南湖实验室 | 一种基于机密计算的深度学习模型保护方法 |
CN115495714B (zh) * | 2022-09-14 | 2023-07-07 | 湖南大学 | 基于区块链的金融人工智能算法集成方法及系统 |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20200184037A1 (en) * | 2018-12-10 | 2020-06-11 | XNOR.ai, Inc. | Integrating Binary Inference Engines and Model Data for Efficiency of Inference Tasks |
US20200250312A1 (en) * | 2019-02-04 | 2020-08-06 | Pathtronic Inc. | Systems and methods of security for trusted artificial intelligence hardware processing |
CN112015470A (zh) * | 2020-09-09 | 2020-12-01 | 平安科技(深圳)有限公司 | 模型部署方法、装置、设备及存储介质 |
CN113268737A (zh) * | 2020-02-15 | 2021-08-17 | 阿里巴巴集团控股有限公司 | 环境安全验证方法、系统和客户端 |
CN113722683A (zh) * | 2021-08-30 | 2021-11-30 | 北京百度网讯科技有限公司 | 模型保护方法、装置、设备、系统以及存储介质 |
Family Cites Families (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CA2492328A1 (en) * | 2002-08-09 | 2004-02-19 | Universite De Sherbrooke | Image model based on n-pixels and defined in algebraic topology, and applications thereof |
US10594564B2 (en) * | 2016-10-31 | 2020-03-17 | International Business Machines Corporation | Network topology-preserving internet protocol address anonymization |
EP3555785A1 (en) * | 2016-12-15 | 2019-10-23 | Irdeto B.V. | Software integrity verification |
CN108632251B (zh) * | 2018-03-28 | 2020-09-01 | 杭州电子科技大学 | 基于云计算数据服务的可信认证方法及其加密算法 |
CN108965258B (zh) * | 2018-06-21 | 2021-07-16 | 河南科技大学 | 一种基于全同态加密的云环境数据完整性验证方法 |
CN110138596A (zh) * | 2019-04-13 | 2019-08-16 | 山东公链信息科技有限公司 | 一种基于切换网络拓扑方式的区块链共识方法 |
CN110852011B (zh) * | 2019-11-08 | 2022-09-20 | 大连理工大学 | 一种基于序列Kriging代理模型的结构非梯度拓扑优化方法 |
CN111949972B (zh) * | 2020-02-19 | 2023-10-03 | 华控清交信息科技(北京)有限公司 | 人工智能模型的验证方法、系统、设备及存储介质 |
CN111859379B (zh) * | 2020-07-31 | 2023-08-25 | 中国工商银行股份有限公司 | 保护数据模型的处理方法和装置 |
-
2021
- 2021-08-30 CN CN202111007976.8A patent/CN113722683B/zh active Active
-
2022
- 2022-03-22 WO PCT/CN2022/082285 patent/WO2023029447A1/zh active Application Filing
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20200184037A1 (en) * | 2018-12-10 | 2020-06-11 | XNOR.ai, Inc. | Integrating Binary Inference Engines and Model Data for Efficiency of Inference Tasks |
US20200250312A1 (en) * | 2019-02-04 | 2020-08-06 | Pathtronic Inc. | Systems and methods of security for trusted artificial intelligence hardware processing |
CN113268737A (zh) * | 2020-02-15 | 2021-08-17 | 阿里巴巴集团控股有限公司 | 环境安全验证方法、系统和客户端 |
CN112015470A (zh) * | 2020-09-09 | 2020-12-01 | 平安科技(深圳)有限公司 | 模型部署方法、装置、设备及存储介质 |
CN113722683A (zh) * | 2021-08-30 | 2021-11-30 | 北京百度网讯科技有限公司 | 模型保护方法、装置、设备、系统以及存储介质 |
Non-Patent Citations (1)
Title |
---|
YUN SHUI MU SHI: "Why does TensorFlow.js introduce the WASM backend", TENCENT CLOUD, pages 1 - 4, XP009544142, Retrieved from the Internet <URL:https://cloud.tencent.com/developer/article/1646410> [retrieved on 20220518] * |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN116319763A (zh) * | 2023-05-19 | 2023-06-23 | 北京长亭科技有限公司 | 一种基于wasm技术的文件上传方法以及装置 |
CN116319763B (zh) * | 2023-05-19 | 2023-08-11 | 北京长亭科技有限公司 | 一种基于wasm技术的文件上传方法以及装置 |
Also Published As
Publication number | Publication date |
---|---|
CN113722683B (zh) | 2023-10-13 |
CN113722683A (zh) | 2021-11-30 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2023029447A1 (zh) | 模型保护方法、装置、设备、系统以及存储介质 | |
US20240126930A1 (en) | Secure Collaboration Between Processors And Processing Accelerators In Enclaves | |
KR101091465B1 (ko) | 프로세서의 가상 머신 내 기밀 콘텐츠의 보안 처리를 위한 방법 및 장치 | |
CN110008745B (zh) | 一种加密方法、计算机设备和计算机存储介质 | |
CN111262889B (zh) | 一种云服务的权限认证方法、装置、设备及介质 | |
US10797868B2 (en) | Shared secret establishment | |
US9208319B2 (en) | Code base partitioning system | |
CN109992987B (zh) | 基于Nginx的脚本文件保护方法、装置及终端设备 | |
CN113438086A (zh) | 一种数据安全防护方法和系统 | |
CN113014444A (zh) | 一种物联网设备生产测试系统及安全保护方法 | |
CN115580413B (zh) | 一种零信任的多方数据融合计算方法和装置 | |
Ozkan et al. | Security analysis of mobile authenticator applications | |
CN112308236A (zh) | 用于处理用户请求的方法、装置、电子设备及存储介质 | |
Vella et al. | RV-TEE: secure cryptographic protocol execution based on runtime verification | |
Lee et al. | Classification and analysis of security techniques for the user terminal area in the internet banking service | |
Pop et al. | Towards securely migrating webassembly enclaves | |
CN112115430A (zh) | 一种apk的加固方法、电子设备及存储介质 | |
CN111475844A (zh) | 一种数据共享方法、装置、设备及计算机可读存储介质 | |
CN114676392B (zh) | 应用的可信授权方法、装置及电子设备 | |
CN115883078A (zh) | 文件加密方法、文件解密方法、装置、设备及存储介质 | |
US20240211609A1 (en) | Method and system of protecting model, device, and storage medium | |
CN113434887A (zh) | App业务数据处理方法及装置 | |
DONG et al. | Sesoa: Security enhancement system with online authentication for android apk | |
Zhang et al. | Design and implementation of trustzone-based blockchain chip wallet | |
CN111460464A (zh) | 数据加解密方法、装置、电子设备及计算机存储介质 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
ENP | Entry into the national phase |
Ref document number: 20227033945 Country of ref document: KR Kind code of ref document: A |
|
WWE | Wipo information: entry into national phase |
Ref document number: 17915705 Country of ref document: US |
|
ENP | Entry into the national phase |
Ref document number: 2022559937 Country of ref document: JP Kind code of ref document: A |
|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 22862594 Country of ref document: EP Kind code of ref document: A1 |
|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
122 | Ep: pct application non-entry in european phase |
Ref document number: 22862594 Country of ref document: EP Kind code of ref document: A1 |