Solution Overview

Artificial Intelligence (AI) has become a popular technology for improving production efficiency in various industries. As core enterprise assets, AI models must be protected against misuse and theft. This document describes the model protection solution for the edge inference scenario, provides a configuration guide for interconnection with third-party platforms, and describes how to configure the model protection function in inference scenarios.

Figure 1 shows the overall model protection solution. The AI-VAULT component provides the central key control service: it controls the master key and pre-shared key (PSK), deploys the encryption/decryption working key, and completes the remaining key preparations. You then use AI-GUARD to encrypt the model file, upload it to the edge device, and deploy Crypto_fs (CFS) in the edge device container. CFS provides transparent (imperceptible) decryption: it requests the decryption working key from AI-VAULT through KMSAgent, decrypts the model file inside the container, and the inference job then runs. For details about each component, see Component Preparation.

Figure 1 Working process of the model protection solution
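The key hierarchy described above, as an added illustration that is not AI-VAULT, AI-GUARD or CFS code: the working key is wrapped under the master key, the model file is encrypted under the working key, and the consuming side must unwrap the working key before it can decrypt. AES-256-GCM, the "working-key"/"model-file" purpose labels and the constructed sample keys are assumptions; the page does not state which algorithms or formats the real components use, and the KMSAgent request itself is not modelled.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// aead builds AES-256-GCM (an assumed cipher; the page names none).
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // fails only on a bad key length
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return g
}

// seal returns nonce||ciphertext||tag; aad binds the blob to its purpose.
func seal(key, plaintext, aad []byte) []byte {
	g := aead(key)
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // a failing system CSPRNG is not recoverable
	}
	return g.Seal(nonce, nonce, plaintext, aad)
}

// open reverses seal; a wrong key, wrong aad or altered byte fails the tag check.
func open(key, blob, aad []byte) ([]byte, error) {
	g := aead(key)
	n := g.NonceSize()
	if len(blob) < n {
		return nil, errors.New("sealed blob too short")
	}
	return g.Open(nil, blob[:n], blob[n:], aad)
}

// ProtectAndRecover: AI-VAULT wraps the working key under the master key, AI-GUARD
// encrypts the model with it, and CFS unwraps the key fetched via KMSAgent to decrypt.
func ProtectAndRecover(masterKey, workingKey, model []byte) ([]byte, error) {
	wrapped := seal(masterKey, workingKey, []byte("working-key")) // AI-VAULT
	encModel := seal(workingKey, model, []byte("model-file"))     // AI-GUARD
	wk, err := open(masterKey, wrapped, []byte("working-key"))    // CFS via KMSAgent
	if err != nil {
		return nil, err
	}
	return open(wk, encModel, []byte("model-file")) // CFS decrypts for inference
}
```

Because the working key only ever appears wrapped outside AI-VAULT, copying the encrypted model and the wrapped key off the device yields nothing without the master key.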

Model protection applies to edge inference scenarios. During transmission and storage of data (models and inference programs), user models and inference programs are encrypted to prevent external attackers from stealing model assets by compromising edge devices. Attacks in the following scenarios cannot be prevented; take precautions against them during model deployment and running:

  • Theft of models, or of encrypted PSK passwords and KMSAgent private keys, from memory by high-privilege users of the inference device (such as the inference device administrator and users with related capabilities and sudo permissions)
  • Obtaining keys, or destroying OS programs and files, by high-privilege users of AI-VAULT (such as the management node device administrator and users with related capabilities and sudo permissions)
  • Tampering with programs and applications that the inference program depends on outside the user's encrypted directory, and attacks initiated from the device side