Overall Solution
Artificial Intelligence (AI) has become a popular technology for improving production efficiency in various industries. As core assets of enterprises, AI models need to be protected against illegal abuse and theft. This document describes the model protection solution in the edge inference scenario, provides a configuration guide for interconnection with third-party platforms, and describes how to configure the model protection function in inference scenarios.
The following figure shows the overall model protection solution. The ISV platform (third-party service) integrates the AI-VAULT function, provides the central key service, generates and controls master keys and pre-shared keys, deploys encryption and decryption working keys, and completes a series of key preparation tasks. You can use the AI-GUARD tool to encrypt data and upload it to the edge device. On the edge device, the container decrypts the data to obtain the inference model file and then runs the inference task. For details, see Procedure.
Procedure
- Create a master key. The ISV platform integrates AI-VAULT, uses the key service provided by AI-VAULT to create a master key, and exports the master key to the encryption and decryption tool AI-GUARD.
- Create a pre-shared key. The ISV platform uses the AI-VAULT key service to create a pre-shared key and delivers it to the container. The inference container on the edge device uses the pre-shared key to authenticate with AI-VAULT.
- Encrypt data. You can use the AI-GUARD tool to encrypt data (the model files used for inference). The encrypted data is then uploaded as ciphertext to the ISV platform.
- Perform inference on edge devices. Before edge inference, update the driver on the inference node; the KMSAgent in the driver package provides a message forwarding service for communicating with AI-VAULT. Pack the encryption and decryption tool Crypto-fs (CFS) into the container image so that the model file can be decrypted for inference jobs.
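The key hierarchy behind the steps above can be sketched as envelope encryption: the master key, held only by the central service, wraps a per-model working key, and only the wrapped key travels alongside the encrypted model. The sketch below uses a stdlib HMAC-based stream cipher purely as a stand-in for the real ciphers inside AI-VAULT and AI-GUARD; all function and variable names here are illustrative assumptions, not the tools' actual APIs.

```python
import hmac, hashlib, secrets

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive a keystream from key+nonce (HMAC-SHA256 in counter mode)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ks = keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:16], blob[16:]
    ks = keystream(key, nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))

# Central service (AI-VAULT role): the master key never leaves it.
master_key = secrets.token_bytes(32)
working_key = secrets.token_bytes(32)          # per-model working key
wrapped_key = encrypt(master_key, working_key) # shipped with the model

# Encryption side (AI-GUARD role): only ciphertext leaves the platform.
model = b"...model weights..."
model_ct = encrypt(working_key, model)

# Edge container: asks the central service to unwrap the working key,
# then decrypts the model locally for inference.
unwrapped = decrypt(master_key, wrapped_key)   # runs on the central service
assert decrypt(unwrapped, model_ct) == model
```

Because `master_key` exists only on the central service, a stolen device holding `model_ct` and `wrapped_key` cannot recover the model, which is the property the Key Points section describes.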
Key Points
- Full-process (model life cycle) protection: Data and inference are protected throughout the entire process, and ciphertext transmission and storage are supported.
- Imperceptible encryption and decryption: Inference applications use data and models directly; encryption and decryption happen automatically in a memory file system protected by access control.
- Protection against device theft: The local device does not store the master key; decryption is performed through the central component. If the device is stolen, the master key cannot be obtained and the model cannot run.
Prerequisites
Deployment Scenarios
- Container-based deployment: In container-based deployment scenarios, AI-VAULT runs in an independent pod. AI-VAULT is bound to the API Gateway (APIGW) of the ISV platform; only the APIGW is allowed to access AI-VAULT, and AI-VAULT does not directly provide services for external systems.
Figure 2 Containerized deployment
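In such a containerized layout, the rule that only the APIGW may reach AI-VAULT can be enforced at the network layer. One way to do this is a Kubernetes NetworkPolicy; the sketch below is a minimal assumption-laden example, and the namespace `isv` and the labels `app: ai-vault` and `app: apigw` are hypothetical names, not labels defined by the product.

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: ai-vault-ingress
  namespace: isv            # hypothetical namespace
spec:
  podSelector:
    matchLabels:
      app: ai-vault         # hypothetical label on the AI-VAULT pod
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: apigw    # only APIGW pods may connect
```

With this policy applied, traffic to the AI-VAULT pod from any pod other than the APIGW is dropped, matching the access restriction described above.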
- VM-based deployment (host machine): In VM deployment scenarios, AI-VAULT needs to be uploaded and deployed independently in a separate VM environment, where it directly provides services for external systems. The ISV platform can configure Nginx to forward requests. It is recommended that AI-VAULT be encapsulated as a system service and monitored by a daemon process that checks whether the service is running properly, so that it restarts automatically if the program exits abnormally.
Figure 3 VM deployment
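The daemon-watchdog recommendation for VM deployment maps naturally onto a service manager such as systemd. The unit below is a minimal sketch under assumptions: the binary path `/opt/ai-vault/bin/ai-vault` and the unit name are hypothetical, and the real package may ship its own service definition.

```ini
[Unit]
Description=AI-VAULT key service
After=network-online.target
Wants=network-online.target

[Service]
# Hypothetical install path; adjust to the actual package layout.
ExecStart=/opt/ai-vault/bin/ai-vault
# Restart automatically if the process exits abnormally.
Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target
```

Installing this as, for example, `/etc/systemd/system/ai-vault.service` and running `systemctl enable --now ai-vault` gives the abnormal-exit recovery behavior the recommendation describes without a hand-written daemon loop.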