WO2022261878A1 - Method for using artificial intelligence model and related apparatus - Google Patents

Publication number
WO2022261878A1
Authority
WO
WIPO (PCT)
Prior art keywords
model
chip
encrypted
computer
memory
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/CN2021/100455
Other languages
French (fr)
Chinese (zh)
Inventor
赵品华
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd
Priority to CN202180098116.1A (CN117280342A)
Priority to PCT/CN2021/100455 (WO2022261878A1)
Publication of WO2022261878A1
Anticipated expiration
Legal status: Ceased

Classifications

    • G: PHYSICS
    • G06: COMPUTING OR CALCULATING; COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/10: Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM]
    • G: PHYSICS
    • G06: COMPUTING OR CALCULATING; COUNTING
    • G06N: COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N20/00: Machine learning
    • G: PHYSICS
    • G06: COMPUTING OR CALCULATING; COUNTING
    • G06N: COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00: Computing arrangements based on biological models
    • G06N3/02: Neural networks
    • G06N3/08: Learning methods

Definitions

  • the present application relates to the technical field of artificial intelligence, in particular to a method for using an artificial intelligence model and related devices.
  • Artificial intelligence is a theory, method, technology and application system that uses digital computers or machines controlled by digital computers to simulate, extend and expand human intelligence, perceive the environment, acquire knowledge and use knowledge to obtain the best results.
  • artificial intelligence is the branch of computer science that attempts to understand the nature of intelligence and produce a new class of intelligent machines that respond in ways similar to human intelligence.
  • Artificial intelligence is to study the design principles and implementation methods of various intelligent machines, so that various intelligent machines have the functions of perception, reasoning and decision-making.
  • the design principles and implementation methods of the above-mentioned intelligent machines all rely on the AI model obtained after training and processing of big data, and the AI model is stored in the operating environment of the AI application in the form of a file.
  • AI models as the core assets of AI applications, need to be strictly protected in the actual operating environment to prevent them from being stolen.
  • a commonly used AI model protection method is mainly realized by software, that is, the trained AI model is encrypted and decrypted inside the AI application, and the decrypted AI model is then sent to the AI chip, which performs reasoning; another commonly used method is realized through a hardware dongle: after the hardware dongle receives the encrypted AI model sent by the AI chip, it decrypts it and sends the decrypted AI model to the AI chip, which then performs reasoning. In use, however, it is found that the security of these two commonly used methods is not high.
  • the present application provides a method and device for using an AI model, which can improve the security of the AI model without increasing hardware costs.
  • the present application provides a method for using an AI model, the method is applied to an AI chip, and the method includes: receiving an encrypted AI model from the main chip; decrypting the encrypted AI model to obtain the first AI model; use the first AI model to perform inference to obtain an inference result; send the inference result to the main chip.
  • the decrypted AI model is used directly by the AI chip, which avoids the problem of the decrypted AI model being intercepted or stolen during transmission; that is to say, it greatly reduces the risk of leakage of the AI model and improves security.
  • decrypting the encrypted AI model includes: using a root of trust stored in a secure storage area of the AI chip to decrypt the encrypted AI model.
  • since the root of trust is stored in the secure storage area of the AI chip, it can only be read and used by the AI chip itself and cannot be obtained from the outside. That is to say, the re-encrypted AI model can only be decrypted and run on the AI chip, so the security of the AI model can be further improved.
  • the method further includes: receiving the first AI model from the main chip; using the root of trust to encrypt the first AI model to obtain the encrypted AI model; and sending the encrypted AI model to the main chip.
  • the AI chip can automatically realize the encryption protection of the AI model, without deploying a special hardware dongle, etc., which can reduce the complexity of the user's implementation of the AI model hardware-level protection scheme.
  • the present application provides a method for using an artificial intelligence AI model, the method is applied to the main chip, and the method includes: sending an encrypted AI model to the AI chip, the encrypted AI model being a model obtained by the AI chip encrypting the first AI model; and receiving an inference result from the AI chip, where the inference result is obtained by the AI chip using the first AI model for inference.
  • before sending the encrypted AI model to the AI chip, the method further includes: sending the first AI model to the AI chip; receiving, from the AI chip, the encrypted AI model obtained by encrypting the first AI model using a root of trust; and storing the encrypted AI model.
  • the root of trust is a root of trust stored in a secure storage area of the AI chip.
  • the present application provides a device for using an artificial intelligence AI model, the device is applied to the AI chip side, and the device includes: a receiving module for receiving the encrypted AI model from the main chip; a decryption module for decrypting the encrypted AI model to obtain a first AI model; a reasoning module for using the first AI model to perform reasoning to obtain a reasoning result; and a sending module for sending the reasoning result to the main chip.
  • the decryption module being configured to decrypt the encrypted AI model includes: the decryption module is configured to use the root of trust stored in the secure storage area of the AI chip to decrypt the encrypted AI model.
  • before the AI chip receives the encrypted AI model, the device further includes an encryption module; the receiving module is also configured to receive the first AI model from the main chip; the encryption module is used to encrypt the first AI model by using the root of trust to obtain the encrypted AI model; the sending module is also used to send the encrypted AI model to the main chip.
  • the present application provides a device for using an artificial intelligence AI model, the device is applied to the main chip side, and the device includes: a sending module for sending an encrypted AI model to the AI chip, the encrypted AI model being a model obtained by the AI chip encrypting the first AI model; and a receiving module for receiving an inference result from the AI chip, the inference result being obtained by the AI chip using the first AI model for inference.
  • before the sending module sends the encrypted AI model to the AI chip, the device further includes a storage module; the sending module is also configured to send the first AI model to the AI chip; the receiving module is also used to receive the encrypted AI model obtained by the AI chip encrypting the first AI model using a root of trust; the storage module is used to store the encrypted AI model.
  • the root of trust is a root of trust stored in a secure storage area of the AI chip.
  • the present application provides an AI chip
  • the AI chip includes a processor coupled to a memory, and the processor is used to execute the program code in the memory, so as to implement the method in the first aspect or any one of its possible implementations.
  • the present application provides a chip, the chip includes a processor coupled to a memory, and the processor is configured to execute program codes in the memory to implement the method in the second aspect or any one of its possible implementations.
  • the present application provides a computer-readable storage medium, in which computer programs or instructions are stored, and when the computer programs or instructions are executed by a processor, the method in the first aspect or the second aspect or any of their possible implementations is implemented.
  • the present application provides a computer program product, the computer program product includes computer program code, and when the computer program code is run on a computer, the computer implements the method in the first aspect or the second aspect or any of their possible implementations.
  • Figure 1 is a schematic diagram of a convolutional neural network architecture
  • FIG. 2 is an architecture diagram of an application scenario of an embodiment of the present application
  • Fig. 3 is a schematic diagram of deployment of a dedicated hardware dongle in the prior art
  • FIG. 4 is a schematic flowchart of a method for using an AI model according to an embodiment of the present application
  • FIG. 5 is a schematic flowchart of a method for using an AI model according to another embodiment of the present application.
  • FIG. 6 is a schematic flowchart of a method for using an AI model according to another embodiment of the present application.
  • FIG. 7 is a schematic diagram of a device for using an AI model according to an embodiment of the present application.
  • FIG. 8 is a schematic diagram of an AI model using device according to another embodiment of the present application.
  • Fig. 9 is a schematic block diagram of a device provided by an embodiment of the present application.
  • the AI model can be regarded as the core of an intelligent machine.
  • intelligent machines can be applied in various fields, such as natural language processing, computer vision, decision-making and reasoning, human-computer interaction, recommendation and search etc.
  • the more popular AI models include convolutional neural network (CNN), linear regression model, etc.
  • FIG. 1 is a schematic diagram of a convolutional neural network architecture.
  • the CNN 100 shown in FIG. 1 includes an input layer 110, a convolutional/pooling layer 120 (where the pooling layer is optional), and a neural network layer 130.
  • the convolutional layer/pooling layer 120 may include layers 121 to 126 as examples.
  • the 121st layer is a convolutional layer
  • the 122nd layer is a pooling layer
  • the 123rd layer is a convolutional layer
  • the 124th layer is a convolutional layer.
  • Layer is a pooling layer
  • 125 is a convolutional layer
  • 126 is a pooling layer
  • 121 and 122 are convolutional layers
  • 123 is a pooling layer
  • 124 and 125 are convolutional layers
  • 126 is a pooling layer. That is, the output of the convolutional layer can be used as the input of the subsequent pooling layer, or as the input of another convolutional layer to continue the convolution operation.
  • the convolutional layer in the convolutional layer/pooling layer 120 may include many convolutional operators. A convolutional operator is also called a kernel, and its role in image processing is equivalent to a filter that extracts specific information from the input image matrix. A convolution operator can essentially be a weight matrix, which is usually pre-defined. During the convolution operation on the image, the weight matrix is usually moved along the horizontal direction on the input image pixel by pixel (or two pixels at a time, depending on the value of the stride) to complete the work of extracting specific features from the image.
  • the size of the weight matrix should be related to the size of the image. It should be noted that the depth dimension of the weight matrix is the same as the depth dimension of the input image.
  • the weight matrix will be extended to the entire depth of the input image.
  • convolving with a single weight matrix produces a convolutional output with a single depth dimension, but in most cases instead of using a single weight matrix, multiple weight matrices of the same dimension are applied.
  • the output of each weight matrix is stacked to form the depth dimension of the convolved image.
  • Different weight matrices can be used to extract different features in the image. For example, one weight matrix is used to extract image edge information, another weight matrix is used to extract specific colors of the image, and another weight matrix is used to filter unwanted noise in the image.
  • weight values in these weight matrices need to be obtained through a lot of training in practical applications, and each weight matrix formed by the weight values obtained through training can extract information from the input image, thereby helping the convolutional neural network 100 to make correct predictions.
  • when the convolutional neural network 100 has multiple convolutional layers, the initial convolutional layer often extracts more general features, which can also be referred to as low-level features; as the depth of the convolutional neural network 100 increases, the features extracted by the later convolutional layers (such as 126) become more and more complex, such as high-level semantic features, and features with higher-level semantics are more suitable for the problem to be solved.
  • the layers indicated by 121 and 126 are convolutional layers: the initial convolutional layer may be 121, and the subsequent convolutional layer may be 126.
  • pooling layer: because the number of training parameters often needs to be reduced, it is often necessary to periodically introduce a pooling layer after a convolutional layer; that is, for layers 121 to 126 exemplified by 120 in FIG. 1, a convolutional layer may be followed by a pooling layer, or multiple convolutional layers may be followed by one or more pooling layers.
  • the sole purpose of pooling layers is to reduce the spatial size of the image.
  • the pooling layer may include an average pooling operator and/or a maximum pooling operator for sampling an input image to obtain an image of a smaller size.
  • the average pooling operator can calculate the average value of the pixel values in the image within a specific range.
  • the maximum pooling operator can take the pixel with the largest value within a specific range as the result of maximum pooling. Also, just like the size of the weight matrix used in the convolutional layer should be related to the size of the image, the operators in the pooling layer should also be related to the size of the image.
  • the size of the image output after being processed by the pooling layer may be smaller than the size of the image input to the pooling layer, and each pixel in the image output by the pooling layer represents the average or maximum value of the corresponding sub-region of the image input to the pooling layer.
  • neural network layer 130: after processing by the convolutional layer/pooling layer 120, the convolutional neural network 100 is not yet able to output the required output information, because, as mentioned earlier, the convolutional/pooling layer 120 only extracts features and reduces the dimensionality of the input data. In order to generate the final output data (required class information or other relevant information), the convolutional neural network 100 needs to use the neural network layer 130 to generate one or a set of outputs of the required number of classes. Therefore, the neural network layer 130 may include multiple hidden layers (131, 132 to 13n as shown in FIG. 1) and an output layer 140, and the model parameters contained in the multiple hidden layers may be pre-trained on training data related to the specific task type; for example, the task type can include image recognition, image classification, image super-resolution reconstruction, and so on.
  • the output layer 140 has a loss function similar to categorical cross-entropy, which is specifically used to calculate the prediction error. Once the forward propagation of the entire convolutional neural network 100 (as shown in Figure 1, the propagation from 110 to 140 is forward propagation) is complete, backpropagation (as shown in Figure 1, the propagation from 140 to 110 is backward propagation) starts to update the weight values and biases of the aforementioned layers, so as to reduce the loss of the convolutional neural network 100 and the error between the result output by the convolutional neural network 100 through the output layer and the ideal result.
  • the convolutional neural network 100 shown in FIG. 1 is only an example of a convolutional neural network.
  • the convolutional neural network can also exist in the form of other network models; for example, multiple convolutional layers/pooling layers are arranged in parallel, and the features they each extract are input to the full neural network layer 130 for processing.
  • the method in the embodiment of the present application can also be applied to CNNs with other structures.
  • AI model refers to the data processing process in the AI model, and does not include the model parameters used in the data processing process.
  • the AI model only refers to the convolution operations and pooling operations that need to be performed by each layer in the CNN shown in Figure 1, and does not include the weights involved in the convolution operations and pooling operations.
  • AI models such as CNN shown in Figure 1
  • Fingerprint unlocking image recognition
  • voice recognition voice recognition
  • enterprises will invest a lot of material resources and manpower to collect and purchase data to increase the training scale of the AI model and optimize the training parameters of the AI model in order to enhance and optimize the AI model. From this, it can be seen that the AI model has become an asset of the enterprise.
  • the current artificial intelligence AI application based on deep neural network is mainly divided into two stages: training and reasoning.
  • training is the process of turning the initial neural network model into the target neural network model (AI model) by training on a large amount of data, so that it can be applied to the actual scene; reasoning is the process of applying the trained AI model to the actual scene.
  • AI model target neural network model
  • the AI model is obtained after a huge investment in training, and is the core asset of the AI application, but it needs to be strictly protected in the actual running environment of the reasoning stage to prevent it from being stolen.
  • the AI model is stored in the running environment of the AI application in the form of a file.
  • the protection of the AI model file is mainly realized through encryption and decryption, that is, the AI model file is encrypted and stored, and when the AI reasoning application is running, the file is decrypted and used.
  • FIG. 2 is an architecture diagram of an application scenario according to an embodiment of the present application.
  • the application scenario architecture diagram includes: a hardware device 200
  • the hardware device 200 includes: a main chip 201 and an AI chip 202, where an AI application program is deployed on the main chip 201.
  • the hardware device 200 may be an automatic driving box device of the vehicle; the main chip 201 may be the main controller of the vehicle, and the main chip 201 may contain an AI application program, such as an automatic driving program; the AI chip 202 may be an AI computing chip. It should be understood that the above descriptions are examples only.
  • the AI model is deployed in the AI application program on the main chip 201 in the form of a file.
  • the implementation process of encryption and decryption can be implemented in the main chip 201, or in the AI chip 202, or can use other hardware devices.
  • the pure software solution is mainly to store the trained AI model in the storage (such as disk) of the operating environment in the form of ciphertext files after being encrypted by software.
  • when the AI application is running, it reads the ciphertext and directly uses the key to decrypt it before using it. Keys are managed by the AI application itself and can be hardcoded or stored in configuration files.
  • the AI application deployed on the main chip 201 carries a trained AI model, and the AI application uses related programs to encrypt the AI model, and then stores the encrypted AI model in the form of a ciphertext file in the operating environment.
  • the key is hard-coded or stored in a file.
  • the AI application itself directly uses the key to decrypt the encrypted AI model before using it.
  • the dongle is also called dongle.
  • the dongle is an encryption product combining software and hardware that is inserted into the parallel port of the computer. It is a popular security tool for identity authentication and can be plugged and unplugged directly on the universal serial bus (USB) interface of the computer. Each dongle has an independent product identification code and an independent latest encryption algorithm. When the user logs in to the platform, normal login is allowed only after the specific dongle is detected and accurate physical verification is performed.
  • USB universal serial bus
  • Fig. 3 is a schematic diagram of deployment of a dedicated hardware dongle in the prior art.
  • the AI application is deployed on the host device.
  • the host device can be understood as the main chip 201.
  • a dedicated hardware dongle module is deployed on the host device.
  • the hardware dongle module decrypts the ciphertext of the AI model to obtain the plaintext of the AI model, and then sends the plaintext of the AI model back to the AI application; the AI application sends the received plaintext of the AI model to the AI computing device for processing, where the AI computing device can be understood as the AI chip 202.
  • cameras, dongles, and AI models are all deployed on the cameras, and the cameras are generally outdoors, posing a risk of being stolen.
  • this application provides a method for using the AI model that strictly protects the AI model while avoiding the drawbacks of protecting the AI model in the prior art, namely the increased implementation cost of the AI application and the low security.
  • using at least one dongle on a device deployed with an AI application increases hardware cost and deployment complexity, and the process of transmitting the decrypted AI model to the AI chip is insecure.
  • FIG. 4 is a schematic flowchart of a method for using an artificial intelligence AI model provided by an embodiment of the present application. As shown in Fig. 4, the method may include S410 to S440. An example of the main chip in this method is the main chip 201, and an example of the AI chip in this method is the AI chip 202.
  • the main chip sends the encrypted AI model to the AI chip.
  • the AI chip receives the encrypted AI model sent by the main chip, wherein the encrypted AI model is a model obtained by encrypting the first AI model by the AI chip.
  • the main chip may send the encrypted AI model obtained by encrypting the first AI model to the AI chip.
  • take as an example a main chip on which an automatic driving program is deployed, the automatic driving program being realized through the first AI model: when the main chip runs the automatic driving program, the main chip may send an encrypted model of the first AI model to the AI chip.
  • the first AI model is the convolutional neural network model shown in FIG. 1 .
  • the AI chip decrypts the encrypted AI model to obtain the first AI model.
  • after receiving the encrypted AI model sent by the main chip, the AI chip performs a decryption operation on the encrypted AI model and obtains the first AI model.
  • the AI chip uses the first AI model to perform inference to obtain an inference result.
  • the reasoning process is the process of applying the trained AI model to the actual scene.
  • the process of using a trained model to infer conclusions from new data, that is, running the existing neural network model on new input data to obtain correct conclusions in one pass, can also be called prediction or inference.
  • PCIE peripheral component interconnect express
  • the first AI model is an algorithm that uses big data in advance to determine the optimal configuration parameters.
  • the process of the AI chip reasoning with the first AI model is to input the input data into the first AI model and use the corresponding algorithm to obtain the inference result.
  • the acquired vehicle operation data is processed through the above method to obtain input data, and the input data is then input into the first AI model to obtain the vehicle condition information required by the user.
  • the AI chip sends an inference result to the main chip.
  • the main chip receives the inference results from the AI chip.
  • the AI chip uses the decrypted AI model directly for reasoning, so the problem of the decrypted AI model being intercepted or stolen during the transmission process is avoided; that is to say, the risk of leaking the AI model is greatly reduced and the security is improved.
  • an implementation manner in which the AI chip decrypts the encrypted AI model to obtain the first AI model includes: using a root of trust stored in a secure storage area of the AI chip to decrypt the encrypted AI model.
  • the AI chip uses the root of trust of the chip to generate a decryption key, and then uses the decryption key to decrypt the encrypted AI model to obtain the first AI model.
  • the chip root of trust can be understood as the unconditionally trusted information in the chip, which is stored in the secure storage area of the AI chip, and the storage content in this secure storage area can only be read by the AI chip, and cannot be read by external devices.
  • the re-encrypted AI model can only be decrypted and run on the AI chip, so the security of the AI model can be further improved.
  • the encrypted AI model in the main chip can be obtained in various ways, and a method for obtaining the encrypted AI model will be introduced below with reference to FIG. 5 .
  • an achievable way of acquiring the encrypted AI model in the usage method of the embodiment of the present application may include the following steps:
  • the main chip sends the first AI model to the AI chip.
  • the AI chip receives the first AI model sent by the main chip.
  • the main chip may send the first AI model to the AI chip.
  • what is stored on the main chip is an AI model obtained by encrypting the first AI model by software.
  • the main chip may first decrypt the software-encrypted AI model, and after obtaining the first AI model, send the first AI model to the AI chip.
  • the first AI model is stored on the main chip.
  • the main chip can directly send the first AI model to the AI chip.
  • the AI chip sends to the main chip an encrypted AI model obtained by encrypting the first AI model using the root of trust.
  • the main chip receives the encrypted AI model.
  • after the AI chip receives the first AI model from the main chip, it uses the root of trust stored in the secure storage area of the AI chip to generate a key, uses the key to encrypt the received first AI model to obtain the encrypted AI model, and returns the encrypted AI model to the main chip.
  • the root of trust in the AI chip refers to the unconditionally trusted information in the chip, which can be stored in the secure storage area of the AI chip; only the AI chip can read the content stored in this secure storage area, and external devices cannot read it. In this way, the security of the key can be improved, so that the security of the first AI model can be further improved.
  • the main chip stores the encrypted AI model.
  • after receiving the encrypted AI model corresponding to the first AI model, the main chip saves the encrypted AI model and records the mapping relationship between the encrypted AI model and the first AI model, so that when the first AI model needs to be used, the encrypted AI model can be obtained based on the mapping relationship.
  • the previously stored first AI model may be deleted, so as to avoid waste of storage space corresponding to the main chip.
  • the main chip may execute S401, S402 and S403.
  • the main chip directly loads the locally stored encrypted AI model to the AI chip; then the AI chip decrypts the encrypted AI model, and uses the decrypted first AI model to perform inference to obtain an inference result, and return the inference result to the main chip.
  • the AI chip can automatically realize the encryption protection of the AI model, without deploying a dedicated hardware dongle, etc., which can reduce the complexity of the user's implementation of the AI model hardware-level protection scheme.
  • the following takes the main chip and the AI chip as the chips in the autopilot box as an example, and in combination with Figure 6, an example of how to use the AI model is introduced.
  • the maintenance and testing personnel install the autopilot program into the autopilot box device of the vehicle, then start the autopilot program for the first time, and perform debugging.
  • the autopilot box device includes a main chip and an AI computing chip, and the autopilot program is deployed on the main chip, and the autopilot program can include an AI model encrypted by software.
  • the automatic driving program decrypts the AI model to obtain plaintext of the AI model.
  • the main chip deployed with the autopilot program sends the AI model plaintext to the AI computing chip.
  • the autopilot program calls the interface of the AI computing chip, and loads the plain text of the AI model onto the AI computing chip for subsequent calculations.
  • the AI computing chip generates a unique key, and re-encrypts the AI model.
  • the AI computing chip automatically generates the key of the AI computing chip according to the root of trust of its own chip, and encrypts the plaintext of the AI model according to the key to obtain the encrypted AI model.
  • the root of trust is stored in the secure storage area of the AI computing chip and cannot be obtained externally.
  • the AI computing chip sends the re-encrypted AI model to the main chip.
  • the main chip deployed with the autopilot program deletes the original stored AI model and key, and saves the re-encrypted AI model.
  • the main chip does not need to delete the original stored AI model and key.
  • the main chip deployed with the autopilot program sends the re-encrypted AI model to the AI computing chip.
  • the main chip deployed with the autopilot program can directly load the re-encrypted AI model to the AI computing chip.
  • after obtaining the encrypted AI model, the AI computing chip uses the decryption key generated from its own root of trust to decrypt the encrypted AI model, obtains the plaintext of the AI model, and then performs the corresponding operations.
  • the AI computing chip automatically generates a key based on its own root of trust and uses it to encrypt and decrypt the plaintext of the AI model. That is to say, the protection of the AI model is converted from software-level key encryption to chip hardware-level key encryption, and the root of trust from which the key is generated is stored in the secure storage of the chip and cannot be obtained from the outside. The model can therefore be decrypted and run only on the AI computing chip, which greatly reduces the risk of AI model leakage. The AI chip can automatically implement hardware-level key encryption protection for AI models, which greatly reduces the complexity for AI users of implementing hardware-level protection solutions for AI models and also removes the need to deploy special hardware dongles, thereby reducing development and product costs.
  • FIG. 7 is a schematic diagram of an apparatus for using an artificial intelligence (AI) model provided by an embodiment of the present application. It should be understood that the device 700 shown in FIG. 7 is only an example, and the device 700 in this embodiment of the present application may further include other modules or units. The device 700 may be used to implement the method shown in FIG. 4.
  • the apparatus 700 may include an encryption module 701, a receiving module 702, a decryption module 703, an inference module 704 and a sending module 705.
  • the encryption module 701 and the receiving module 702 are used to perform S410;
  • the decryption module 703 is used to perform S420;
  • the inference module 704 is used to perform S430;
  • the sending module 705 is used to perform S440.
  • FIG. 8 is a schematic diagram of an apparatus for using an artificial intelligence (AI) model provided by another embodiment of the present application. It should be understood that the device 800 shown in FIG. 8 is only an example, and the device 800 in this embodiment of the present application may further include other modules or units. The device 800 may be used to implement the method shown in FIG. 5.
  • the apparatus 800 may include a sending module 801, a receiving module 802 and a storage module 803.
  • the sending module 801 is used to perform S401;
  • the receiving module 803 is used to perform S402;
  • the storage module 804 is used to perform S403.
  • the "module" here may be implemented in the form of software and/or hardware, which is not specifically limited.
  • a "module" may be a software program, a hardware circuit, or a combination of both that realizes the above functions.
  • the hardware circuitry may include application specific integrated circuits (ASICs), electronic circuits, processors (such as shared processors, dedicated processors, or group processors, etc.) and memory for executing one or more software or firmware programs, combined logic circuits, and/or other suitable components that support the described functionality.
  • FIG. 9 is a schematic block diagram of a device provided by an embodiment of the present application.
  • the device 900 shown in FIG. 9 includes a memory 901, a processor 902, a communication interface 903 and a bus 904.
  • the memory 901, the processor 902, and the communication interface 903 are connected to each other through the bus 904.
  • the memory 901 may be a read only memory (read only memory, ROM), a static storage device, a dynamic storage device or a random access memory (random access memory, RAM).
  • the memory 901 may store a program, and when the program stored in the memory 901 is executed by the processor 902, the processor 902 is configured to execute each step of the methods shown in FIG. 4 and FIG. 5.
  • the processor 902 may adopt a general-purpose central processing unit (central processing unit, CPU), a microprocessor, an application-specific integrated circuit (application specific integrated circuit, ASIC), or one or more integrated circuits for executing related programs to implement the method in the method embodiment of the present application.
  • the processor 902 may also be an integrated circuit chip, which has a signal processing capability.
  • each step of the method in the embodiment of the present application may be completed by an integrated logic circuit of hardware in the processor 902 or instructions in the form of software.
  • the above-mentioned processor 902 can also be a general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
  • a general-purpose processor may be a microprocessor, or the processor may be any conventional processor, or the like.
  • the steps of the method disclosed in connection with the embodiments of the present application may be directly implemented by a hardware decoding processor, or implemented by a combination of hardware and software modules in the decoding processor.
  • the software module can be located in a storage medium that is well established in the field, such as random access memory, flash memory, read-only memory, programmable read-only memory, electrically erasable programmable memory, or a register.
  • the storage medium is located in the memory 901, and the processor 902 reads the information in the memory 901 and, in combination with its hardware, completes the functions required by the units included in the temperature measuring device of the present application.
  • the individual steps/functions of the embodiments shown in FIG. 4 and FIG. 5 can be executed.
  • the communication interface 903 may use, but is not limited to, a transceiver device such as a transceiver to implement communication between the device 900 and other devices or communication networks.
  • the bus 904 may include a pathway for transferring information between the various components of the device 900 (e.g., the memory 901, the processor 902, and the communication interface 903).
  • the apparatus 900 shown in the embodiment of the present application may be an electronic device, or may also be a chip configured in the electronic device.
  • the processor in the embodiment of the present application may be a central processing unit (CPU), or may be another general-purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, etc.
  • a general-purpose processor may be a microprocessor, or the processor may be any conventional processor, or the like.
  • the memory in the embodiments of the present application may be a volatile memory or a nonvolatile memory, or may include both volatile and nonvolatile memories.
  • the non-volatile memory can be read-only memory (ROM), programmable read-only memory (programmable ROM, PROM), erasable programmable read-only memory (erasable PROM, EPROM), electrically erasable programmable read-only memory (electrically EPROM, EEPROM) or flash memory.
  • Volatile memory can be random access memory (RAM), which acts as external cache memory.
  • forms of RAM include static random access memory (static RAM), dynamic random access memory (DRAM), synchronous dynamic random access memory (SDRAM), double data rate synchronous dynamic random access memory (double data rate SDRAM, DDR SDRAM), enhanced synchronous dynamic random access memory (enhanced SDRAM, ESDRAM), serial link DRAM (SLDRAM), and direct memory bus random access memory (direct rambus RAM, DR RAM).
  • the above-mentioned embodiments may be implemented in whole or in part by software, hardware, firmware or other arbitrary combinations.
  • the above-described embodiments may be implemented in whole or in part in the form of computer program products.
  • the computer program product comprises one or more computer instructions or computer programs.
  • the processes or functions according to the embodiments of the present application will be generated in whole or in part.
  • the computer may be a general purpose computer, a special purpose computer, a computer network, or other programmable devices.
  • the computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server or data center to another website, computer, server or data center by wired or wireless (such as infrared, wireless, microwave, etc.) means.
  • the computer-readable storage medium may be any available medium that can be accessed by a computer, or a data storage device such as a server or a data center that includes one or more sets of available media.
  • the available media may be magnetic media (e.g., floppy disk, hard disk, magnetic tape), optical media (e.g., DVD), or semiconductor media.
  • the semiconductor medium may be a solid state drive.
  • "At least one" means one or more, and "multiple" means two or more.
  • "At least one of the following" or similar expressions refer to any combination of these items, including any combination of single or plural items.
  • at least one item (piece) of a, b, or c can represent: a, b, c, a-b, a-c, b-c, or a-b-c, where a, b, c can be single or multiple.
  • the sequence numbers of the above-mentioned processes do not indicate the order of execution; the execution order of the processes should be determined by their functions and internal logic, and should not constitute any limitation on the implementation process of the embodiments of the present application.
  • the disclosed systems, devices and methods may be implemented in other ways.
  • the device embodiments described above are only illustrative.
  • the division of the units is only a logical function division. In actual implementation, there may be other division methods.
  • multiple units or components can be combined or integrated into another system, or some features may be ignored or not implemented.
  • the mutual coupling or direct coupling or communication connection shown or discussed may be through some interfaces, and the indirect coupling or communication connection of devices or units may be in electrical, mechanical or other forms.
  • the units described as separate components may or may not be physically separated, and the components shown as units may or may not be physical units, that is, they may be located in one place, or may be distributed to multiple network units. Part or all of the units can be selected according to actual needs to achieve the purpose of the solution of this embodiment.
  • each functional unit in each embodiment of the present application may be integrated into one processing unit, each unit may exist separately physically, or two or more units may be integrated into one unit.
  • if the functions described above are realized in the form of software function units and sold or used as independent products, they can be stored in a computer-readable storage medium.
  • the technical solution of the present application, in essence, or the part that contributes to the prior art, or a part of the technical solution, can be embodied in the form of a software product; the computer software product is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute all or part of the steps of the methods described in the various embodiments of the present application.
  • the aforementioned storage medium includes various media capable of storing program code, such as a USB flash drive, removable hard disk, read-only memory, random access memory, magnetic disk or optical disk.

Abstract

A method and apparatus for using an artificial intelligence (AI) model, which can be applied to the field of AI. In the use method, a master chip sends an encrypted AI model to an AI chip. The encrypted AI model is a model obtained by the AI chip encrypting a first AI model by using a trusted root. The AI chip decrypts the encrypted AI model by using the trusted root so as to obtain the first AI model. Then, the AI chip performs inference by using the first AI model so as to obtain an inference result. Finally, the master chip receives the inference result obtained through inference by the AI chip using the first AI model. According to the method, by encrypting and decrypting the first AI model by means of the trusted root, the security of a use environment of AI models is ensured, while preventing the problem of excessively high software and hardware costs during the encryption and decryption of AI models in existing technology.

Description

Method for using artificial intelligence model and related apparatus

Technical field

The present application relates to the technical field of artificial intelligence, and in particular to a method for using an artificial intelligence model and a related apparatus.

Background

Artificial intelligence (AI) is the theory, methods, technology and application systems that use digital computers, or machines controlled by digital computers, to simulate, extend and expand human intelligence, perceive the environment, acquire knowledge and use knowledge to obtain the best results. In other words, artificial intelligence is a branch of computer science that attempts to understand the nature of intelligence and to produce a new class of intelligent machines that respond in ways similar to human intelligence. Artificial intelligence studies the design principles and implementation methods of various intelligent machines, so that the machines have the functions of perception, reasoning and decision-making.

Usually, the design principles and implementation methods of the above intelligent machines rely on an AI model obtained by training on large amounts of data, and the AI model is stored as a file in the operating environment of the AI application. However, as the core asset of an AI application, the AI model must be strictly protected in the actual operating environment to prevent it from being stolen.

At present, one commonly used AI model protection method is implemented mainly in software: the trained AI model is encrypted and decrypted inside the AI application, the decrypted AI model is then sent to the AI chip, and the AI chip performs inference. Another commonly used method relies on a hardware dongle: after the hardware dongle receives the encrypted AI model sent by the AI chip, it decrypts the model and sends the decrypted AI model to the AI chip, which then performs inference. In use, however, it has been found that the security of these two commonly used methods is not high.

Summary of the invention

The present application provides a method and an apparatus for using an AI model, which can improve the security of the AI model without increasing hardware costs.

In a first aspect, the present application provides a method for using an AI model. The method is applied to an AI chip and includes: receiving an encrypted AI model from a main chip; decrypting the encrypted AI model to obtain a first AI model; performing inference using the first AI model to obtain an inference result; and sending the inference result to the main chip.

In this method, in contrast to decryption by a chip other than the AI chip or by a dongle, the AI model is decrypted on the AI chip and the AI chip uses the decrypted AI model directly. This avoids the problem of the decrypted AI model being intercepted or stolen during transmission; that is, it greatly reduces the risk of AI model leakage and improves security.

With reference to the first aspect, in a first possible implementation, decrypting the encrypted AI model includes: decrypting the encrypted AI model using a root of trust stored in a secure storage area of the AI chip.

In this implementation, because the root of trust is stored in the secure storage area of the AI chip, it can be read and used only by the AI chip itself and cannot be obtained externally. That is, the re-encrypted AI model can be decrypted and run only on this AI chip, which further improves the security of the AI model.

With reference to the first possible implementation, in a second possible implementation, before the AI chip receives the encrypted AI model, the method further includes: receiving the first AI model from the main chip; encrypting the first AI model using the root of trust to obtain the encrypted AI model; and sending the encrypted AI model to the main chip.

In this implementation, the AI chip can automatically implement encryption protection of the AI model without deploying a dedicated hardware dongle or the like, which reduces the complexity for users of implementing a hardware-level protection scheme for AI models.

In a second aspect, the present application provides a method for using an artificial intelligence (AI) model. The method is applied to a main chip and includes: sending an encrypted AI model to an AI chip, where the encrypted AI model is a model obtained by the AI chip encrypting a first AI model; and receiving an inference result from the AI chip, where the inference result is obtained by the AI chip performing inference using the first AI model.

With reference to the second aspect, in a first possible implementation, before sending the encrypted AI model to the AI chip, the method further includes: sending the first AI model to the AI chip; receiving the encrypted AI model obtained by the AI chip encrypting the first AI model using a root of trust; and storing the encrypted AI model.

With reference to the first possible implementation, in a second possible implementation, the root of trust is a root of trust stored in a secure storage area of the AI chip.
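
The two-phase exchange in the first and second aspects above (first load with on-chip encryption, then sealed load and inference) can be modelled as follows. This is an added Python sketch, not code from the application: the application names no key-derivation function or cipher, so the HKDF-SHA256 derivation and the HMAC-based encrypt-then-MAC construction are assumptions standing in for the chip's hardware crypto, and the class names, the JSON linear model and the model name are hypothetical.

```python
import hashlib
import hmac
import json
import os

NONCE_LEN, TAG_LEN = 16, 32


class SealError(Exception):
    """The blob was not sealed by this chip, or it was modified."""


def _derive(root, label):
    # HKDF-SHA256 (RFC 5869) with a zero salt and one 32-byte output block.
    prk = hmac.new(b"\x00" * 32, root, hashlib.sha256).digest()
    return hmac.new(prk, label + b"\x01", hashlib.sha256).digest()


def _xor_stream(key, nonce, data):
    # Assumed stand-in cipher: HMAC-SHA256 in counter mode as a keystream.
    # Real silicon would use its hardware AEAD engine instead.
    stream = bytearray()
    block = 0
    while len(stream) < len(data):
        counter = block.to_bytes(8, "big")
        stream += hmac.new(key, nonce + counter, hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class AIChip:
    """Hypothetical AI chip: the root of trust never leaves this object."""

    def __init__(self):
        self.__root = os.urandom(32)  # models the secure storage area

    def _keys(self):
        return _derive(self.__root, b"model-enc"), _derive(self.__root, b"model-mac")

    def seal(self, model_plain):
        """First load: encrypt the plaintext model under chip-derived keys."""
        enc_key, mac_key = self._keys()
        nonce = os.urandom(NONCE_LEN)
        ct = _xor_stream(enc_key, nonce, model_plain)
        tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag

    def load_and_infer(self, sealed, features):
        """Later loads: authenticate, decrypt on-chip, return only the result."""
        if len(sealed) < NONCE_LEN + TAG_LEN:
            raise SealError("blob too short")
        enc_key, mac_key = self._keys()
        nonce = sealed[:NONCE_LEN]
        ct, tag = sealed[NONCE_LEN:-TAG_LEN], sealed[-TAG_LEN:]
        expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise SealError("blob not sealed by this chip or modified")
        model = json.loads(_xor_stream(enc_key, nonce, ct))
        return sum(w * x for w, x in zip(model["w"], features)) + model["b"]


class MainChip:
    """Hypothetical main chip: stores only sealed blobs, never a key."""

    def __init__(self, ai_chip):
        self.ai_chip = ai_chip
        self.sealed_models = {}  # model name -> sealed blob (the recorded mapping)

    def provision(self, name, model_plain):
        # First load: send the first AI model, receive the encrypted model, store it.
        self.sealed_models[name] = self.ai_chip.seal(model_plain)

    def infer(self, name, features):
        return self.ai_chip.load_and_infer(self.sealed_models[name], features)


def accepts(chip, sealed, features):
    """True if the chip authenticates and runs the sealed blob."""
    try:
        chip.load_and_infer(sealed, features)
        return True
    except SealError:
        return False


def demo():
    # Constructed sample model: y = 0.5*x0 - 1.0*x1 + 2.0*x2 + 0.25
    model = json.dumps({"w": [0.5, -1.0, 2.0], "b": 0.25}).encode()
    chip_a, chip_b = AIChip(), AIChip()
    host = MainChip(chip_a)
    host.provision("lane-model", model)
    sealed = host.sealed_models["lane-model"]
    tampered = bytearray(sealed)
    tampered[NONCE_LEN + 4] ^= 0x01  # flip one ciphertext bit
    return {
        "result": host.infer("lane-model", [2, 1, 1]),
        "plaintext_in_blob": model in sealed,
        "other_chip_accepts": accepts(chip_b, sealed, [2, 1, 1]),
        "tampered_accepted": accepts(chip_a, bytes(tampered), [2, 1, 1]),
    }


if __name__ == "__main__":
    print(demo())
```

The sealed blob copied to a second chip, or modified in storage, is rejected before any decryption output is used. The `provision` call is the one point where the plaintext model still crosses from the main chip to the AI chip, as in the first-load flow described above.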

In a third aspect, the present application provides an apparatus for using an artificial intelligence (AI) model. The apparatus is applied on the AI chip side and includes: a receiving module, configured to receive an encrypted AI model from a main chip; a decryption module, configured to decrypt the encrypted AI model to obtain a first AI model; an inference module, configured to perform inference using the first AI model to obtain an inference result; and a sending module, configured to send the inference result to the main chip.

With reference to the third aspect, in a first possible implementation, the decryption module being configured to decrypt the encrypted AI model includes: the decryption module being configured to decrypt the encrypted AI model using a root of trust stored in a secure storage area of the AI chip.

With reference to the first possible implementation, in a second possible implementation, before the AI chip receives the encrypted AI model, the apparatus further includes an encryption module; the receiving module is further configured to receive the first AI model from the main chip; the encryption module is configured to encrypt the first AI model using the root of trust to obtain the encrypted AI model; and the sending module is further configured to send the encrypted AI model to the main chip.

In a fourth aspect, the present application provides an apparatus for using an artificial intelligence (AI) model. The apparatus is applied on the main chip side and includes: a sending module, configured to send an encrypted AI model to an AI chip, where the encrypted AI model is a model obtained by the AI chip encrypting a first AI model; and a receiving module, configured to receive an inference result from the AI chip, where the inference result is obtained by the AI chip performing inference using the first AI model.

With reference to the fourth aspect, in a first possible implementation, before the sending module sends the encrypted AI model to the AI chip, the apparatus further includes a storage module; the sending module is further configured to send the first AI model to the AI chip; the receiving module is further configured to receive the encrypted AI model obtained by the AI chip encrypting the first AI model using a root of trust; and the storage module is configured to store the encrypted AI model.

With reference to the first possible implementation, in a second possible implementation, the root of trust is a root of trust stored in a secure storage area of the AI chip.

In a fifth aspect, the present application provides an AI chip. The AI chip includes a processor coupled to a memory, and the processor is configured to execute program code in the memory to implement the method in the first aspect or any one of its possible implementations.

In a sixth aspect, the present application provides a chip. The chip includes a processor coupled to a memory, and the processor is configured to execute program code in the memory to implement the method in the second aspect or any one of its possible implementations.

In a seventh aspect, the present application provides a computer-readable storage medium. The storage medium stores a computer program or instructions, and when the computer program or instructions are executed by a processor, the method in the first aspect or the second aspect, or in any one of their possible implementations, is implemented.

In an eighth aspect, the present application provides a computer program product. The computer program product includes computer program code, and when the computer program code is run on a computer, the computer is caused to implement the method in the first aspect or the second aspect, or in any one of their possible implementations.

Description of drawings

FIG. 1 is a schematic diagram of a convolutional neural network architecture;

FIG. 2 is an architecture diagram of an application scenario of an embodiment of the present application;

FIG. 3 is a schematic diagram of the deployment of a dedicated hardware dongle in the prior art;

FIG. 4 is a schematic flowchart of a method for using an AI model according to an embodiment of the present application;

FIG. 5 is a schematic flowchart of a method for using an AI model according to another embodiment of the present application;

FIG. 6 is a schematic flowchart of a method for using an AI model according to yet another embodiment of the present application;

FIG. 7 is a schematic diagram of an apparatus for using an AI model according to an embodiment of the present application;

FIG. 8 is a schematic diagram of an apparatus for using an AI model according to another embodiment of the present application;

FIG. 9 is a schematic block diagram of a device provided by an embodiment of the present application.

Detailed description

The implementation of the embodiments of the present application is described in detail below with reference to the accompanying drawings.

For ease of understanding, the "AI model" involved in the embodiments of the present application is first introduced with reference to FIG. 1.

As mentioned above, the AI model can be regarded as the core of an intelligent machine. Depending on the type of AI model, intelligent machines can be applied in various fields, for example, natural language processing, computer vision, decision-making and reasoning, human-computer interaction, and recommendation and search. Currently popular AI models include the convolutional neural network (CNN), linear regression models, and so on.

The AI model is introduced below by taking the convolutional neural network as an example. It should be noted that the method in the embodiments of the present application can also be applied to other AI models. FIG. 1 is a schematic diagram of a convolutional neural network architecture. The CNN 100 shown in FIG. 1 includes an input layer 110, a convolutional layer/pooling layer 120 (where the pooling layer is optional), and a neural network layer 130.

As shown in FIG. 1, the convolutional layer/pooling layer 120 may include, for example, layers 121 to 126. In one implementation, layer 121 is a convolutional layer, layer 122 is a pooling layer, layer 123 is a convolutional layer, layer 124 is a pooling layer, layer 125 is a convolutional layer, and layer 126 is a pooling layer; in another implementation, layers 121 and 122 are convolutional layers, layer 123 is a pooling layer, layers 124 and 125 are convolutional layers, and layer 126 is a pooling layer. That is, the output of a convolutional layer can be used as the input of a subsequent pooling layer, or as the input of another convolutional layer to continue the convolution operation.

The convolutional layer in the convolutional layer/pooling layer 120 may include many convolution operators. A convolution operator, also called a kernel, acts in image processing as a filter that extracts specific information from the input image matrix. A convolution operator is essentially a weight matrix, which is usually predefined. During a convolution operation on an image, the weight matrix is usually moved across the input image in the horizontal direction one pixel at a time (or two pixels at a time, and so on, depending on the value of the stride) to extract specific features from the image. The size of the weight matrix should be related to the size of the image. Note that the depth dimension of the weight matrix is the same as the depth dimension of the input image; during the convolution operation, the weight matrix extends through the entire depth of the input image. Convolving with a single weight matrix therefore produces a convolved output with a single depth dimension, but in most cases a single weight matrix is not used; instead, multiple weight matrices of the same dimensions are applied. The outputs of the weight matrices are stacked to form the depth dimension of the convolved image. Different weight matrices can be used to extract different features of the image: for example, one weight matrix extracts image edge information, another extracts a specific color of the image, and yet another blurs unwanted noise in the image. The multiple weight matrices have the same dimensions, so the feature maps they extract also have the same dimensions, and the extracted feature maps of the same dimensions are then combined to form the output of the convolution operation.

In practical applications, the weight values in these weight matrices are obtained through extensive training. The weight matrices formed from the trained weight values can extract information from the input image, thereby helping the convolutional neural network 100 make correct predictions.

When the convolutional neural network 100 has multiple convolutional layers, the initial convolutional layers tend to extract more general features, which may also be called low-level features. As the depth of the convolutional neural network 100 increases, the features extracted by later convolutional layers (for example, 126) become increasingly complex, such as high-level semantic features, and features with higher-level semantics are better suited to the problem to be solved. For example, when the layers shown as 121 and 126 are convolutional layers, the initial convolutional layer may be 121 and the later convolutional layer may be 126.

Regarding the pooling layers in the convolutional layer/pooling layer 120: because the number of training parameters often needs to be reduced, pooling layers often need to be introduced periodically after convolutional layers. That is, among layers 121 to 126 illustrated at 120 in FIG. 1, one convolutional layer may be followed by one pooling layer, or multiple convolutional layers may be followed by one or more pooling layers. In image processing, the sole purpose of a pooling layer is to reduce the spatial size of the image. A pooling layer may include an average pooling operator and/or a max pooling operator for sampling the input image to obtain a smaller image. The average pooling operator computes the average of the pixel values in the image within a specific range. The max pooling operator takes the pixel with the largest value within a specific range as the max pooling result. In addition, just as the size of the weight matrix in a convolutional layer should be related to the size of the image, the operators in a pooling layer should also be related to the size of the image. The image output by a pooling layer may be smaller than the image input to it, and each pixel in the output image represents the average or maximum value of the corresponding sub-region of the input image.

Regarding the neural network layer 130: after processing by the convolutional layer/pooling layer 120, the convolutional neural network 100 is still not able to output the required output information. As described above, the convolutional layer/pooling layer 120 only extracts features and reduces the dimensionality of the input data. To generate the final output data (the required class information or other related information), the convolutional neural network 100 needs to use the neural network layer 130 to generate one output, or a set of outputs whose number equals the number of required classes. Therefore, the neural network layer 130 may include multiple hidden layers (131, 132 to 13n as shown in FIG. 1) and an output layer 140. The model parameters contained in the hidden layers may be obtained by pre-training on training data related to a specific task type; for example, the task type may include image recognition, image classification, image super-resolution reconstruction, and so on.

After the multiple hidden layers in the neural network layer 130, the last layer of the entire convolutional neural network 100 is the output layer 140. The output layer 140 has a loss function similar to categorical cross-entropy, which is used to calculate the prediction error. Once the forward propagation of the entire convolutional neural network 100 is complete (in FIG. 1, propagation from 110 to 140 is forward propagation), back propagation (in FIG. 1, propagation from 140 to 110 is back propagation) begins to update the weight values and biases of the layers mentioned above, in order to reduce the loss of the convolutional neural network 100, that is, the error between the result output by the convolutional neural network 100 through the output layer and the ideal result.

It should be noted that the convolutional neural network 100 shown in FIG. 1 is only one example of a convolutional neural network. In specific applications, a convolutional neural network may also take the form of other network models; for example, multiple convolutional layers/pooling layers may run in parallel, and the features they each extract are all input to the neural network layer 130 for processing. The method in the embodiments of the present application can also be applied to CNNs with other structures.

It should be further noted that the "AI model" referred to below means only the data processing procedure in the AI model and does not include the model parameters used in that procedure. For example, the AI model means only the convolution operations, pooling operations, and so on that each layer of the CNN shown in FIG. 1 needs to perform, and does not include the weights involved in the convolution and pooling operations.

With the development of artificial intelligence and deep learning, more and more enterprises deploy AI chips on electronic devices and use AI technology, that is, they implement specific functions through AI models (such as the CNN shown in FIG. 1), for example fingerprint unlocking, image recognition, and speech recognition. To make their AI models more competitive, enterprises usually invest substantial material and human resources in collecting and purchasing data, so as to increase the training scale of the AI model, optimize its training parameters, and so on, in order to enhance and optimize the AI model. AI models have thus become an enterprise asset.

Current AI applications based on deep neural networks are mainly divided into two stages: training and inference. Specifically, training turns an initial neural network model into a target neural network model (the AI model) by processing a large amount of training data, so that the model can be applied in real scenarios; inference is the process of applying the trained AI model in a real scenario.

An AI model is usually obtained after a huge training investment and is the core asset of an AI application. In the actual runtime environment of the inference stage it must be strictly protected against theft. The AI model is stored as a file in the runtime environment of the AI application. Protection of the AI model file is mainly implemented through encryption and decryption: the AI model file is stored encrypted, and when the AI inference application runs, the file is decrypted and then used.

FIG. 2 is an architecture diagram of an application scenario according to an embodiment of the present application. As shown in FIG. 2, the architecture includes a hardware device 200, which includes a main chip 201 and an AI chip 202. An AI application is deployed on the main chip 201.

As an example, the hardware device 200 may be the autonomous driving box device of a vehicle; the main chip 201 may be the main controller of the vehicle and may contain an AI application, for example an autonomous driving program; and the AI chip 202 may be an AI computing chip. It should be understood that the above description is only an example.

The AI model is deployed as a file in the AI application on the main chip 201.

As an optional implementation, when the AI model is protected through encryption and decryption, the encryption and decryption may be performed in the main chip 201, in the AI chip 202, or with the help of other hardware devices.

In the prior art there are mainly two encryption and decryption schemes for AI models: a pure software scheme and a dedicated hardware dongle scheme.

In the pure software scheme, the trained AI model is encrypted in software and stored as a ciphertext file in the storage (such as a disk) of the runtime environment. When the AI application runs, it reads the ciphertext and decrypts it directly with the key before use. The key is managed by the AI application software itself and may be hard-coded or stored in a configuration file.

For example, the AI application deployed on the main chip 201 carries a trained AI model. The AI application uses a related program to encrypt the AI model and then stores the encrypted AI model as a ciphertext file in the storage of the runtime environment, while the key is hard-coded or stored in a file. When the AI application runs, the AI application itself uses the key directly to decrypt the encrypted AI model before use.

In this scheme the encryption and decryption are implemented purely in software, that is, by the AI application itself, which increases the implementation cost of the AI application. In addition, the decryption key is hard-coded or stored in a file and is easy to recover through reverse engineering. There is also a security problem while the decrypted AI model is being transmitted to the AI chip 202. The overall security of this scheme is therefore low.

In the dedicated hardware dongle scheme, the dongle, also called an encryption lock, is a combined software and hardware encryption product plugged into the parallel port of a computer. It is a currently popular identity authentication security tool, similar in size to a USB flash drive, and can be plugged directly into the universal serial bus (USB) interface of a computer. Each dongle has its own product identification code and its own up-to-date encryption algorithm. When a user logs in to the platform, normal login is allowed only after the specific dongle has been detected and physical verification has succeeded.

FIG. 3 is a schematic diagram of the deployment of a dedicated hardware dongle in the prior art. As shown in FIG. 3, the AI application is deployed on a host device, which can be understood as the main chip 201, and a dedicated hardware dongle module is additionally deployed on the host device. When the hardware dongle module receives the AI model ciphertext from the AI application, that is, when the AI model is run, the hardware dongle module decrypts the ciphertext to obtain the AI model plaintext and sends the plaintext back to the AI application. The AI application then sends the received AI model plaintext to the AI computing device for processing. The AI computing device can be understood as the AI chip 202.

It can be understood that, with the dedicated hardware dongle scheme, one or more dongles (for models from different model vendors) must be deployed on the AI application device, so the cost is high and deployment is complex. Dongles also usually have weak capabilities, and their encryption algorithms are weaker than publicly available encryption algorithms, so security is not very high. There is also a security problem while the AI model decrypted by the hardware dongle is being transmitted to the AI computing device.

As an example, in an edge computing deployment such as a camera, both the dongle and the AI model are deployed on the camera, and cameras are generally located outdoors, where they are at risk of being stolen.

In view of this, the present application provides a method for using an AI model that achieves strict protection of the AI model. It avoids the following problems of prior-art AI model protection: the increased implementation cost and low security of the AI application; the increased hardware cost and deployment complexity caused by using at least one dongle on the device on which the AI application is deployed; and the insecurity of transmitting the decrypted AI model to the AI chip.

Taking the application scenario shown in FIG. 2 as an example, the technical solution of the present application is described in detail below with reference to the accompanying drawings and specific embodiments. It should be noted that the following specific embodiments may be combined with one another, and the same or similar concepts or processes may not be repeated in some embodiments.

FIG. 4 is a schematic flowchart of a method for using an artificial intelligence (AI) model according to an embodiment of the present application. As shown in FIG. 4, the method may include S410 to S440. An example of the main chip in this method is the main chip 201, and an example of the AI chip in this method is the AI chip 202.

S410. The main chip sends an encrypted AI model to the AI chip. Correspondingly, the AI chip receives the encrypted AI model sent by the main chip, where the encrypted AI model is a model obtained by the AI chip encrypting a first AI model.

For example, when the main chip needs the AI chip to perform inference using the first AI model, the main chip may send the AI chip the encrypted AI model obtained by encrypting the first AI model.

Take as an example the case in which the main chip and the AI chip are chips in an autonomous driving box device, an autonomous driving program is deployed on the main chip, and the autonomous driving program is implemented through the first AI model. When the autonomous driving program runs on the main chip, the main chip may send the encrypted model of the first AI model to the AI chip.

As an example, the first AI model is the convolutional neural network model shown in FIG. 1.

S420. The AI chip decrypts the encrypted AI model to obtain the first AI model.

After receiving the encrypted AI model sent by the main chip, the AI chip decrypts it to obtain the first AI model.

S430. The AI chip performs inference using the first AI model to obtain an inference result.

It can be understood that inference is the process of applying a trained AI model in a real scenario. For example, a trained model is used to infer conclusions from new data; that is, computation is performed with an existing neural network model, and new input data is used to obtain a correct conclusion in a single pass. This process may also be called prediction or inference.

As an example, in a real scenario, real operating data, also called field data, is obtained from the running device and decoded by the decoder built into the CPU to obtain the input data required by the AI chip. The input data is then transmitted to the AI chip over the high-speed serial computer expansion bus standard (peripheral component interconnect express, PCIE), and inference is performed using the first AI model.

As another example, the first AI model is an algorithm whose optimal configuration parameters have been determined in advance using big data. When the AI chip performs inference using the first AI model, the input data is fed into the first AI model and, together with the corresponding algorithm, yields the inference result. For example, acquired vehicle operating data is processed as described above to obtain input data, and the input data is then fed into the first AI model to obtain the vehicle condition information the user needs.

S440. The AI chip sends the inference result to the main chip. Correspondingly, the main chip receives the inference result from the AI chip.

Compared with decryption by a chip other than the AI chip or by a dongle, in the method of this embodiment the encrypted AI model is decrypted on the AI chip, and the AI chip uses the decrypted AI model directly for inference. This avoids the problem of the decrypted AI model being intercepted or stolen during transmission. In other words, the risk of the AI model leaking is greatly reduced and security is improved.

As an example, one way in which the AI chip can decrypt the encrypted AI model to obtain the first AI model is to decrypt the encrypted AI model using a root of trust stored in a secure storage area of the AI chip.

For example, the AI chip generates a decryption key from the chip's root of trust and then uses the decryption key to decrypt the encrypted AI model, obtaining the first AI model.

The chip root of trust can be understood as information in the chip that is trusted unconditionally. It is stored in the secure storage area of the AI chip, and the contents of this secure storage area can be read only by that AI chip and cannot be read by external devices. In other words, the re-encrypted AI model can be decrypted and run only on this AI chip, which further improves the security of the AI model.

In this embodiment, the encrypted AI model on the main chip can be obtained in several ways. One way of obtaining the encrypted AI model is described below with reference to FIG. 5.

As shown in FIG. 5, before S410, one possible way of obtaining the encrypted AI model in the method of the embodiments of the present application may include the following steps:

S401. The main chip sends the first AI model to the AI chip. Correspondingly, the AI chip receives the first AI model sent by the main chip.

For example, when the main chip needs the first AI model to be encrypted by the AI chip, the main chip may send the first AI model to the AI chip.

In one optional approach, what is stored on the main chip is an AI model obtained by encrypting the first AI model in software. In this case, the main chip may first decrypt the software-encrypted AI model to obtain the first AI model and then send the first AI model to the AI chip.

In another optional approach, the first AI model itself is stored on the main chip. In this case, the main chip can send the first AI model to the AI chip directly.

S402. The AI chip sends to the main chip the encrypted AI model obtained by encrypting the first AI model using the root of trust. Correspondingly, the main chip receives the encrypted AI model.

For example, after receiving the first AI model from the main chip, the AI chip generates a key from the root of trust stored in the secure storage area of the AI chip, uses the key to encrypt the received first AI model to obtain the encrypted AI model, and returns the encrypted AI model to the main chip.

It can be understood that the root of trust in the AI chip is information in the chip that is trusted unconditionally. It may be stored in the secure storage area of the AI chip, and the contents of this secure storage area can be read only by that AI chip and cannot be read by external devices. This improves the security of the key and thus further improves the security of the first AI model.

S403. The main chip stores the encrypted AI model.

In one implementation, after receiving the encrypted AI model corresponding to the first AI model, the main chip saves the encrypted AI model and records the mapping between the encrypted AI model and the first AI model, so that when the first AI model needs to be used, the encrypted AI model can be retrieved based on the mapping.

Optionally, when the main chip stores the encrypted AI model, it may delete the previously stored first AI model to avoid wasting the storage space of the main chip.

As an example, when the AI application to which the first AI model belongs is installed and run on the main chip for the first time, the main chip may perform S401, S402 and S403.

When the AI application is run again, the main chip loads the locally stored encrypted AI model directly onto the AI chip. The AI chip then decrypts the encrypted AI model, performs inference using the decrypted first AI model to obtain an inference result, and returns the inference result to the main chip.

In this embodiment, the AI chip can automatically apply encryption protection to the AI model without a dedicated hardware dongle or the like being deployed, which reduces the complexity for users of implementing a hardware-level protection scheme for the AI model.

Taking the case in which the main chip and the AI chip are chips in an autonomous driving box as an example, an example of the method for using the AI model is described below with reference to FIG. 6.

S601. Install the autonomous driving program and start it for the first time.

Maintenance and test personnel install the autonomous driving program on the vehicle's autonomous driving box device, then start the program for the first time and debug it. The autonomous driving box device includes a main chip and an AI computing chip. The autonomous driving program is deployed on the main chip and may contain an AI model that has been encrypted in software.

S602. The autonomous driving program decrypts the AI model to obtain the AI model plaintext.

S603. The main chip on which the autonomous driving program is deployed sends the AI model plaintext to the AI computing chip.

It can be understood that if the AI model deployed in the autonomous driving program is not encrypted, S602 can be skipped after S601 and S603 can be performed directly.

For example, the autonomous driving program calls the interface of the AI computing chip and loads the AI model plaintext onto the AI computing chip for subsequent computation.

S604. The AI computing chip generates a unique key and re-encrypts the AI model.

The AI computing chip automatically generates its key from its own chip root of trust and uses that key to encrypt the AI model plaintext, obtaining the encrypted AI model.

In this step, the root of trust is kept in the secure storage area of the AI computing chip and cannot be obtained from outside the chip.

S605. The AI computing chip sends the re-encrypted AI model to the main chip.

S606. The main chip on which the autonomous driving program is deployed deletes the originally stored AI model and key, and saves the re-encrypted AI model.

It can be understood that the main chip may also choose not to delete the originally stored AI model and key.

S607. The main chip on which the autonomous driving program is deployed sends the re-encrypted AI model to the AI computing chip.

In one optional approach, when maintenance and test personnel later debug again, or when the vehicle owner starts autonomous driving, the main chip on which the autonomous driving program is deployed can load the re-encrypted AI model directly onto the AI computing chip.

S608. Decrypt the encrypted AI model.

After obtaining the encrypted AI model, the AI computing chip decrypts it using the decryption key generated from its own root of trust to obtain the AI model plaintext, and then performs the corresponding computation.

In this embodiment, the AI computing chip automatically generates a key from its own root of trust and uses it to encrypt and decrypt the AI model plaintext. In other words, protection of the AI model is converted from software-level key encryption to chip hardware-level key encryption. The root of trust from which the key is generated is kept in the secure storage of the chip and cannot be obtained from outside, so the model can be decrypted and run only on that AI computing chip, which greatly reduces the risk of the AI model leaking. The AI chip can automatically apply hardware-level key encryption protection to the AI model, which greatly reduces the complexity for AI users of implementing a hardware-level protection scheme for the AI model. No dedicated hardware dongle needs to be deployed, which reduces development and product costs.
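The following simulation of S401 to S403 and S410 to S440 is an added illustration, not code from the application. The class names, the HMAC-SHA256 key derivation, the HMAC-based keystream with encrypt-then-MAC, and the constructed JSON model file are all assumptions; the application does not specify any algorithm, and a real chip would use its own hardware cipher.

```python
import hashlib
import hmac
import json
import os

# Constructed sample "model file": a tiny linear model serialized as JSON.
MODEL_PLAIN = json.dumps({"weights": [0.5, -1.0, 2.0], "bias": 0.25}).encode()


class SealError(Exception):
    """The blob failed authentication: wrong chip or modified ciphertext."""


class AIChip:
    """Simulated AI chip; the root of trust is only ever read inside this class."""

    def __init__(self, root_of_trust: bytes):
        self._rot = root_of_trust  # stands in for the chip's secure storage area

    def _key(self, purpose: bytes) -> bytes:
        # Assumed derivation: separate encryption and MAC keys from the root of trust.
        return hmac.new(self._rot, b"ai-model-seal/" + purpose, hashlib.sha256).digest()

    @staticmethod
    def _xor_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
        # HMAC-SHA256 in counter mode as a stand-in for the chip's cipher.
        out = bytearray()
        for offset in range(0, len(data), 32):
            counter = (offset // 32).to_bytes(8, "big")
            pad = hmac.new(key, nonce + counter, hashlib.sha256).digest()
            out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
        return bytes(out)

    def seal(self, model_plain: bytes) -> bytes:
        """S402/S604: encrypt the model under a key derived from the root of trust."""
        nonce = os.urandom(16)
        ct = self._xor_keystream(self._key(b"enc"), nonce, model_plain)
        tag = hmac.new(self._key(b"mac"), nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag

    def _unseal(self, blob: bytes) -> bytes:
        if len(blob) < 48:
            raise SealError("blob too short")
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        expected = hmac.new(self._key(b"mac"), nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise SealError("blob was not sealed by this chip or was modified")
        return self._xor_keystream(self._key(b"enc"), nonce, ct)

    def infer(self, blob: bytes, inputs: list) -> float:
        """S420 to S440: decrypt on-chip, run the model, return only the result."""
        model = json.loads(self._unseal(blob))
        if len(inputs) != len(model["weights"]):
            raise ValueError("input length does not match the model")
        return sum(w * x for w, x in zip(model["weights"], inputs)) + model["bias"]


class MainChip:
    """Simulated main chip: after provisioning it holds only sealed models."""

    def __init__(self):
        self.sealed_models = {}  # S403: mapping from model id to encrypted model

    def provision(self, model_id: str, model_plain: bytes, chip: AIChip) -> None:
        # S401 to S403: send plaintext once, keep only the blob the chip returns.
        self.sealed_models[model_id] = chip.seal(model_plain)

    def run(self, model_id: str, inputs: list, chip: AIChip) -> float:
        # S410: send the encrypted model; the plaintext never returns to the host.
        return chip.infer(self.sealed_models[model_id], inputs)


if __name__ == "__main__":
    chip = AIChip(os.urandom(32))
    host = MainChip()
    host.provision("demo-model", MODEL_PLAIN, chip)
    print(host.run("demo-model", [2.0, 1.0, 0.5], chip))
```

The authentication tag is what makes a blob fail closed on a chip with a different root of trust or after modification in host storage; the first-run transfer of plaintext in S401/S603 is outside what the chip-derived key protects.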

FIG. 7 is a schematic diagram of an apparatus for using an artificial intelligence (AI) model according to an embodiment of the present application. It should be understood that the apparatus 700 shown in FIG. 7 is only an example, and the apparatus 700 of the embodiments of the present application may further include other modules or units. The apparatus 700 may be used to implement the method shown in FIG. 4.

For example, the apparatus 700 may include an encryption module 701, a receiving module 702, a decryption module 703, an inference module 704 and a sending module 705. The encryption module 701 and the receiving module 702 are used to perform S410, the decryption module 703 is used to perform S420, the inference module 704 is used to perform S430, and the sending module 705 is used to perform S440.

FIG. 8 is a schematic diagram of an apparatus for using an artificial intelligence (AI) model according to another embodiment of the present application. It should be understood that the apparatus 800 shown in FIG. 8 is only an example, and the apparatus 800 in this embodiment may further include other modules or units. The apparatus 800 may be used to implement the method shown in FIG. 5.

For example, the apparatus 800 may include a sending module 801, a receiving module 802 and a storage module 803. The sending module 801 is used to perform S401, the receiving module 803 is used to perform S402, and the storage module 804 is used to perform S403.

It should be understood that the term "module" here may be implemented in the form of software and/or hardware, which is not specifically limited. For example, a "module" may be a software program, a hardware circuit, or a combination of the two that implements the above functions. The hardware circuit may include an application specific integrated circuit (ASIC), an electronic circuit, a processor (for example, a shared processor, a dedicated processor or a group processor) and memory for executing one or more software or firmware programs, a merged logic circuit, and/or other suitable components that support the described functions.

FIG. 9 is a schematic block diagram of an apparatus according to an embodiment of the present application. The apparatus 900 shown in FIG. 9 includes a memory 901, a processor 902, a communication interface 903 and a bus 904. The memory 901, the processor 902 and the communication interface 903 are communicatively connected to each other through the bus 904.

The memory 901 may be a read-only memory (ROM), a static storage device, a dynamic storage device or a random access memory (RAM). The memory 901 may store a program. When the program stored in the memory 901 is executed by the processor 902, the processor 902 is configured to perform each step of the methods shown in FIG. 4 and FIG. 5.

The processor 902 may be a general-purpose central processing unit (CPU), a microprocessor, an application specific integrated circuit (ASIC), or one or more integrated circuits, and is used to execute related programs to implement the methods in the method embodiments of the present application.

The processor 902 may also be an integrated circuit chip with signal processing capability. In an implementation, each step of the methods in the embodiments of the present application may be completed by an integrated logic circuit of hardware in the processor 902 or by instructions in the form of software.

The processor 902 may also be a general-purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or another programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component. It may implement or execute the methods, steps and logic block diagrams disclosed in the embodiments of the present application. The general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.

The steps of the methods disclosed in the embodiments of the present application may be performed directly by a hardware decoding processor, or by a combination of hardware and software modules in a decoding processor. The software module may be located in a storage medium that is mature in the art, such as a random access memory, a flash memory, a read-only memory, a programmable read-only memory, an electrically erasable programmable memory or a register. The storage medium is located in the memory 901. The processor 902 reads the information in the memory 901 and, in combination with its hardware, completes the functions to be performed by the units included in the temperature measuring device of the present application; for example, it may perform the steps/functions of the embodiments shown in FIG. 4 and FIG. 5.

The communication interface 903 may use, but is not limited to, a transceiver apparatus such as a transceiver to implement communication between the apparatus 900 and other devices or communication networks.

The bus 904 may include a path for transferring information between the components of the apparatus 900 (for example, the memory 901, the processor 902 and the communication interface 903).

It should be understood that the apparatus 900 shown in this embodiment of the present application may be an electronic device, or may be a chip configured in an electronic device.

It should be understood that the processor in the embodiments of the present application may be a central processing unit (CPU), or may be another general-purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or another programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. The general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.

It should also be understood that the memory in the embodiments of the present application may be a volatile memory or a non-volatile memory, or may include both. The non-volatile memory may be a read-only memory (ROM), a programmable read-only memory (PROM), an erasable programmable read-only memory (EPROM), an electrically erasable programmable read-only memory (EEPROM) or a flash memory. The volatile memory may be a random access memory (RAM), which is used as an external cache. By way of example and not limitation, many forms of RAM are available, such as static random access memory (SRAM), dynamic random access memory (DRAM), synchronous dynamic random access memory (SDRAM), double data rate synchronous dynamic random access memory (DDR SDRAM), enhanced synchronous dynamic random access memory (ESDRAM), synchlink dynamic random access memory (SLDRAM) and direct rambus random access memory (DR RAM).

The above embodiments may be implemented in whole or in part by software, hardware, firmware or any combination thereof. When implemented in software, the above embodiments may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions or computer programs. When the computer instructions or computer programs are loaded or executed on a computer, the processes or functions according to the embodiments of the present application are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network or another programmable apparatus. The computer instructions may be stored in a computer-readable storage medium, or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server or data center to another website, computer, server or data center in a wired manner (for example, infrared, wireless, microwave). The computer-readable storage medium may be any available medium that a computer can access, or a data storage device such as a server or data center that contains one or more sets of available media. The available medium may be a magnetic medium (for example, a floppy disk, a hard disk or a magnetic tape), an optical medium (for example, a DVD) or a semiconductor medium. The semiconductor medium may be a solid-state drive.

It should be understood that the term "and/or" in this document only describes an association between associated objects and indicates that three relationships may exist. For example, A and/or B may mean: A exists alone, both A and B exist, or B exists alone, where A and B may be singular or plural. In addition, the character "/" in this document generally indicates an "or" relationship between the objects before and after it, but may also indicate an "and/or" relationship; refer to the context for the specific meaning.

In this application, "at least one" means one or more, and "a plurality of" means two or more. "At least one of the following items" or a similar expression refers to any combination of these items, including any combination of a single item or plural items. For example, at least one of a, b or c may represent: a, b, c, a-b, a-c, b-c, or a-b-c, where a, b and c may each be single or multiple.

It should be understood that, in the various embodiments of the present application, the sequence numbers of the above processes do not imply an order of execution. The execution order of the processes should be determined by their functions and internal logic, and should not constitute any limitation on the implementation of the embodiments of the present application.

Those of ordinary skill in the art will appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented in electronic hardware, or in a combination of computer software and electronic hardware. Whether these functions are performed in hardware or software depends on the specific application and the design constraints of the technical solution. Skilled persons may use different methods to implement the described functions for each specific application, but such implementations should not be considered beyond the scope of the present application.

Those skilled in the art will clearly understand that, for convenience and brevity of description, the specific working processes of the systems, apparatuses and units described above can be found in the corresponding processes of the foregoing method embodiments, and are not repeated here.

In the several embodiments provided in this application, it should be understood that the disclosed systems, apparatuses and methods may be implemented in other ways. For example, the apparatus embodiments described above are only illustrative. The division into units is only a division by logical function, and other divisions are possible in an actual implementation; for example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. In addition, the mutual couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through some interfaces, apparatuses or units, and may be electrical, mechanical or in other forms.

The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.

In addition, the functional units in the embodiments of the present application may be integrated into one processing unit, each unit may exist physically on its own, or two or more units may be integrated into one unit.

If the functions are implemented in the form of software functional units and sold or used as an independent product, they may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present application in essence, or the part that contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform all or some of the steps of the methods described in the embodiments of the present application. The aforementioned storage medium includes various media that can store program code, such as a USB flash drive, a removable hard disk, a read-only memory, a random access memory, a magnetic disk or an optical disc.

The above are only specific implementations of the present application, but the protection scope of the present application is not limited thereto. Any change or substitution that a person skilled in the art could readily conceive within the technical scope disclosed in the present application shall fall within the protection scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (11)

1. A method for using an artificial intelligence (AI) model, characterized in that the method is applied to an AI chip, and the method comprises: receiving an encrypted AI model from a main chip; decrypting the encrypted AI model to obtain a first AI model; performing inference using the first AI model to obtain an inference result; and sending the inference result to the main chip.

2. The method according to claim 1, characterized in that the decrypting the encrypted AI model comprises: decrypting the encrypted AI model using a root of trust stored in a secure storage area of the AI chip.

3. The method according to claim 2, characterized in that, before the AI chip receives the encrypted AI model, the method further comprises: receiving the first AI model from the main chip; encrypting the first AI model using the root of trust to obtain the encrypted AI model; and sending the encrypted AI model to the main chip.

4. A method for using an artificial intelligence (AI) model, characterized in that the method is applied to a main chip, and the method comprises: sending an encrypted AI model to an AI chip, the encrypted AI model being a model obtained by the AI chip encrypting a first AI model; and receiving an inference result from the AI chip, the inference result being obtained by the AI chip performing inference using the first AI model.

5. The method according to claim 4, characterized in that, before the sending an encrypted AI model to an AI chip, the method further comprises: sending the first AI model to the AI chip; receiving the encrypted AI model obtained by the AI chip encrypting the first AI model using a root of trust; and storing the encrypted AI model.

6. The method according to claim 5, characterized in that the root of trust is a root of trust stored in a secure storage area of the AI chip.

7. An apparatus for using an artificial intelligence (AI) model, characterized in that the apparatus comprises modules for implementing the method according to any one of claims 1 to 6.

8. An artificial intelligence (AI) chip, characterized in that the AI chip comprises a processor coupled to a memory, and the processor is configured to execute program code in the memory to implement the method according to any one of claims 1 to 3.

9. A chip, characterized in that the chip comprises a processor coupled to a memory, and the processor is configured to execute program code in the memory to implement the method according to any one of claims 4 to 6.

10. A computer-readable storage medium, characterized in that the storage medium stores a computer program or instructions which, when executed by a processor, implement the method according to any one of claims 1 to 6.

11. A computer program product comprising computer program code, characterized in that, when the computer program code is run on a computer, the computer is caused to implement the method according to any one of claims 1 to 6.

PCT/CN2021/100455 2021-06-16 2021-06-16 Method for using artificial intelligence model and related apparatus Ceased WO2022261878A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202180098116.1A CN117280342A (en) 2021-06-16 2021-06-16 How to use artificial intelligence models and related devices
PCT/CN2021/100455 WO2022261878A1 (en) 2021-06-16 2021-06-16 Method for using artificial intelligence model and related apparatus

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2021/100455 WO2022261878A1 (en) 2021-06-16 2021-06-16 Method for using artificial intelligence model and related apparatus

Publications (1)

Publication Number Publication Date
WO2022261878A1 (en) 2022-12-22

Family

ID=84525880

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2021/100455 Ceased WO2022261878A1 (en) 2021-06-16 2021-06-16 Method for using artificial intelligence model and related apparatus

Country Status (2)

Country Link
CN (1) CN117280342A (en)
WO (1) WO2022261878A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2025087367A1 (en) * 2023-10-27 2025-05-01 天翼数字生活科技有限公司 Edge ai inference service invocation method and apparatus, device, and storage medium

Also Published As

Publication number Publication date
CN117280342A (en) 2023-12-22

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 21945465; Country of ref document: EP; Kind code of ref document: A1)
WWE Wipo information: entry into national phase (Ref document number: 202180098116.1; Country of ref document: CN)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 21945465; Country of ref document: EP; Kind code of ref document: A1)