Model protection apparatus and method, computing apparatus

By authenticating read commands through an access control controller and generating control signals to determine whether to decrypt the AI model, and combining decryption permission identifiers and valid address ranges, the problem of AI model leakage and abuse in existing technologies is solved, realizing the security protection of AI models and a reasonable profit model.

CN115956243B · Active · Publication Date: 2026-06-23 · HUAWEI TECH CO LTD

Patent Information

Authority / Receiving Office: CN · China
Patent Type: Patents (China)
Current Assignee / Owner: HUAWEI TECH CO LTD
Filing Date: 2020-12-18
Publication Date: 2026-06-23

AI Technical Summary

Technical Problem

Existing technologies lack effective means to protect artificial intelligence models and prevent their leakage and misuse, relying mainly on legal contracts rather than technological safeguards.

Method used

The access control controller authenticates read commands and generates control signals that determine whether the AI model read from memory is decrypted. By combining a decryption permission identifier with a valid address range, the AI model is protected.

Benefits of technology

Effectively prevents the copying and misuse of AI models, supports a safe and reasonable profit model, and ensures the safe use of AI models.

✦ Generated by Eureka AI based on patent content.


Abstract

The application discloses a model protection device (30) and method, and a computing device, and relates to the technical field of artificial intelligence. The model protection device (30) comprises an access control controller (302) and a memory controller (301); the access control controller (302) is used for acquiring a read instruction, the read instruction being used for requesting to read an artificial intelligence (AI) model from the memory; the access control controller (302) is further used for performing an authentication operation on the read instruction and generating a control signal based on the authentication result, the control signal being used for indicating whether to decrypt the AI model read from the memory; the access control controller (302) is further used for sending the read instruction to the memory controller (301); and the memory controller (301) is used for reading the AI model from the memory based on the read instruction. The model protection device (30) can prevent copying, leakage and abuse of the AI model, so that protection of the AI model is realized.

Description

Technical Field

[0001] This application relates to the field of artificial intelligence (AI) technology, and in particular to a model protection device and method, and a computing device.

Background Technology

[0002] With the rapid development of artificial intelligence technology, AI models are being used to solve problems in an increasing number of application scenarios. AI models are invaluable intellectual property, and protecting them is of great significance.

[0003] Currently, AI models are mainly protected through legal means such as contracts to prevent their leakage and misuse. There is no effective technical solution for protecting AI models.

Summary of the Invention

[0004] This application provides a model protection device and method, as well as a computing device, capable of protecting AI models. The technical solution provided by this application is as follows:

[0005] In a first aspect, this application provides a model protection device comprising an access control controller and a memory controller. The access control controller is used to acquire a read instruction, which requests to read an artificial intelligence (AI) model from memory. The access control controller is also used to perform an authentication operation on the read instruction and generate a control signal based on the authentication result. The control signal indicates whether to decrypt the AI model read from memory. The access control controller is also used to send the read instruction to the memory controller. The memory controller is used to read the AI model from memory based on the read instruction.

[0006] By authenticating read instructions in the access control controller, an indication can be generated of whether to decrypt the AI model read from memory. When the AI model is stored in memory as an encrypted model, it can only be used successfully if the control signal instructs decryption; otherwise, it cannot be used. Therefore, controlling the decryption process of the AI model can prevent its copying, leakage, and misuse, thus protecting the AI model and contributing to the establishment of a sound AI model ecosystem and a secure and reasonable profit model.

[0007] Optionally, the access control controller is specifically used to: obtain the read address for reading the AI model contained in the read instruction, and perform the authentication operation on the read instruction based on the read address. For example, in addition to obtaining the read address contained in the read instruction, the access control controller can also obtain the valid address range in memory of the AI model requested by the read instruction, and perform the authentication operation on the read instruction based on the read address and the valid address range. The valid address range of the AI model in memory at least covers the actual storage address of the AI model in memory. It can be set by the driver module after the AI model has been stored in memory, based on the storage address of the AI model in memory.

[0008] The control signals include a first control signal and a second control signal. The first control signal is used to instruct that the AI model be decrypted, and the second control signal is used to instruct that the AI model not be decrypted.

[0009] In one possible implementation, the access control controller is specifically used to: generate the first control signal when the read address is a valid address; and generate the second control signal when the read address is an invalid address. Specifically, when the read address is within the valid address range of the AI model, it is considered a valid address; when the read address is outside the valid address range of the AI model, it is considered an invalid address.

[0010] In another possible implementation, the access control controller can also perform the authentication operation based on conditions other than the read address. For example, the model protection device stores a decryption permission identifier, which indicates whether the AI model used by the current computing task is allowed to be decrypted. Accordingly, the access control controller is specifically used to: generate the first control signal when the read address is a valid address and the specified conditions are met; and generate the second control signal when the read address is an invalid address and/or the specified conditions are not met. The specified conditions include at least one of the following: the decryption permission identifier indicates that the AI model used by the current computing task is allowed to be decrypted, or the AI model is an encrypted model.

[0011] Optionally, the access control controller can also set the decryption permission identifier based on whether the read address is a valid address. In one implementation, when the access control controller determines that the read address is invalid, it can set the decryption permission identifier to indicate that none of the AI models used by the current computing task are allowed to be decrypted. This provides a penalty mechanism on decryption of AI models based on the read address: once the read address is determined to be invalid, the decryption permission identifier is set to indicate that none of the AI models used by the current computing task are allowed to be decrypted. When a malicious model is used to attack a protected AI model, the malicious model usually has to be read from memory first. If the read instruction requesting to read the malicious model carries an invalid read address, this penalty mechanism sets the decryption permission identifier to indicate that none of the AI models used by the current computing task are allowed to be decrypted, thus preventing attacks on the AI model using the malicious model.

[0012] Furthermore, since the decryption permission identifier indicates whether the AI model used by the current computing task is allowed to be decrypted, a single decryption permission identifier can be set for multiple computing tasks executed serially by the computing device. The value of this identifier during the execution of each computing task then indicates whether the AI model used by that computing task is allowed to be decrypted. Alternatively, separate decryption permission identifiers can be set for different computing tasks, with each identifier indicating whether the AI model used by the corresponding task is allowed to be decrypted.

[0013] Correspondingly, when one decryption permission identifier is set for multiple computing tasks executed serially by the computing device, the access control controller can also reset the decryption permission identifier to indicate that decryption is allowed after the current computing task is completed, so as to ensure that the computing tasks executed after the current computing task can obtain the AI model normally. Optionally, the decryption permission identifier can also be reset in other ways, for example, by powering on the computing device.

[0014] Whether an AI model is encrypted depends on the protection requirements of the model manufacturer. When the manufacturer needs to protect the AI model, they can encrypt it and set an encryption flag to indicate that it is encrypted. If the manufacturer does not need to protect the AI model, they do not need to encrypt it and can set the encryption flag to indicate that it is unencrypted.

[0015] In one possible implementation, the authentication process performed by the access control controller further includes: the access control controller determining whether the received read command is a read instruction. If the read command received by the access control controller is not a read instruction, the read command is not used to request reading the AI model from memory, and the data read according to the read command does not require decryption. The access control controller can then generate a control signal indicating that the content read according to the read command should not be decrypted. Here, a read command is used to request reading of data or computer programs, and a read instruction is the type of read command used to request reading of the computer program (the AI model).

[0016] It should be noted that the order in which the access control controller determines whether the read address is a valid address, determines what the decryption permission identifier indicates, determines whether the AI model is an encrypted model, and determines whether the received read command is a read instruction can be configured according to application requirements.

[0017] In one possible implementation, the process by which the access control controller performs authentication and generates control signals based on the authentication result includes: the access control controller obtaining a read command; after receiving the read command, the access control controller determines whether the decryption permission identifier indicates that the AI model used by the current computing task is allowed to be decrypted; when the decryption permission identifier indicates that the AI model used by the current computing task is not allowed to be decrypted, the access control controller generates the second control signal; when the decryption permission identifier indicates that the AI model used by the current computing task is allowed to be decrypted, the access control controller determines whether the AI model is an encrypted model; when the AI model is an unencrypted model, the access control controller generates the second control signal; when the AI model is an encrypted model, the access control controller determines whether the read command is a read instruction requesting to read the AI model; when the read command is not a read instruction requesting to read the AI model, the access control controller generates the second control signal; when the read command is a read instruction requesting to read the AI model, the access control controller determines whether the read address is a valid address; when the read address is a valid address, the first control signal is generated; when the read address is an invalid address, the access control controller sets the decryption permission identifier to indicate that none of the AI models used by the current computing task are allowed to be decrypted, and generates the second control signal.

[0018] When any of the above judgment conditions is not met, the access control controller generates the second control signal without evaluating the remaining conditions. This reduces the workload of the access control controller and ensures authentication efficiency. Furthermore, when the authentication process follows the above order (first the decryption permission identifier, then whether the AI model is an encrypted model, then whether the read command is a read instruction, and finally whether the read address is a valid address), the judgments proceed from coarse-grained to fine-grained, further ensuring authentication reliability.
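The decision procedure of paragraphs [0009] to [0018], written out as a small software model so the ordering, the penalty mechanism and the per-task reset can be exercised. This is an added example, not code from the patent or from Huawei; the class and field names, the start-plus-length encoding of the valid address range and the treatment of a read that straddles the end of the range are assumptions of the example.

```python
"""Added simulation of the access control controller's authentication flow.
Illustrative code only; names and register layout are assumptions."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List


class Control(Enum):
    """The two control signals sent to the decryption circuit."""
    DECRYPT = 1      # first control signal: decrypt the data read from memory
    NO_DECRYPT = 2   # second control signal: pass the data through unchanged


@dataclass
class ReadCommand:
    """A read command as seen by the controller (field names are assumptions)."""
    address: int
    size: int = 1               # bytes requested by this access
    is_model_read: bool = True  # True for a 'read instruction' (model read), False otherwise


@dataclass
class AccessController:
    """Holds the first register (valid range), the encryption flag and the permission identifier."""
    range_start: int              # first register: start of the valid address range
    range_length: int             # first register: length of the valid address range
    model_encrypted: bool         # encryption flag set by the model manufacturer
    decrypt_allowed: bool = True  # decryption permission identifier (one per serial task)
    log: List[str] = field(default_factory=list)

    def address_valid(self, cmd: ReadCommand) -> bool:
        """Valid only if the whole access [address, address+size) lies inside the range."""
        if cmd.address < 0 or cmd.size <= 0:
            return False
        range_end = self.range_start + self.range_length   # exclusive upper bound
        return self.range_start <= cmd.address and cmd.address + cmd.size <= range_end

    def authenticate(self, cmd: ReadCommand) -> Control:
        """Coarse-to-fine checks in the order of [0017]; the first failure decides."""
        if not self.decrypt_allowed:
            return Control.NO_DECRYPT        # task already penalised
        if not self.model_encrypted:
            return Control.NO_DECRYPT        # plaintext model: nothing to decrypt
        if not cmd.is_model_read:
            return Control.NO_DECRYPT        # ordinary data read, not a model read
        if self.address_valid(cmd):
            return Control.DECRYPT
        # Penalty mechanism of [0011]: an invalid read address revokes decryption
        # for every model used by the current task until the task completes.
        self.decrypt_allowed = False
        self.log.append(f"penalty: invalid read address {cmd.address:#x}")
        return Control.NO_DECRYPT

    def task_completed(self) -> None:
        """Reset of [0013] so the next serial task can obtain its model normally."""
        self.decrypt_allowed = True


def run_task(ctrl: AccessController, cmds: List[ReadCommand]) -> List[Control]:
    """Authenticate each command of one computing task and return the control signals."""
    return [ctrl.authenticate(c) for c in cmds]


def demo() -> List[Control]:
    """Constructed scenario: an encrypted model stored at [0x1000, 0x5000)."""
    ctrl = AccessController(range_start=0x1000, range_length=0x4000, model_encrypted=True)
    signals = run_task(ctrl, [
        ReadCommand(0x1000, size=64),                        # in range -> DECRYPT
        ReadCommand(0x1000, size=64, is_model_read=False),   # not a model read -> NO_DECRYPT
        ReadCommand(0x4FFF, size=2),                         # straddles the range end -> penalty
        ReadCommand(0x2000, size=64),                        # in range, but task penalised
    ])
    ctrl.task_completed()
    signals += run_task(ctrl, [ReadCommand(0x2000, size=64)])  # next task decrypts again
    return signals


if __name__ == "__main__":
    for s in demo():
        print(s.name)
```

The third command shows why the check covers the whole access rather than only its first byte: a two-byte read starting at the last valid byte reaches outside the range, and treating it as valid would let one byte past the model boundary through the decryption path. Note that the penalty persists for the rest of the task even for subsequent in-range reads, exactly as [0011] describes, and clears only on `task_completed()`.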

[0019] Optionally, the model protection device further includes a first register, which stores the valid address range of the AI model in memory. The access control controller is specifically used to read the valid address range from the first register and perform the authentication operation on the read instruction based on the valid address range and the read address.

[0020] In one possible implementation, the first register is a collective term for one or more registers used to store the valid address range. For example, the valid address range can be represented by values stored in two registers: one register storing the starting address of the valid address range and the other storing either the length of the valid address range or its ending address.

[0021] Optionally, the model protection device further includes a decryption circuit and a dedicated processor. The dedicated processor generates read instructions and sends them to the access control controller. The decryption circuit receives the control signals generated by the access control controller and, as instructed by the control signal, either decrypts the AI model and transmits it to the dedicated processor or transparently passes the AI model through to the dedicated processor. The dedicated processor then performs the current computing task based on the AI model transmitted by the decryption circuit.

[0022] Furthermore, the model protection device also includes a key generation circuit. The key generation circuit is used to obtain the root key of the model protection device, the version identifier of the AI model, and the device identifier of the model protection device, and to generate a decryption key for decrypting the AI model based on the root key, the version identifier, and the device identifier.

[0023] To ensure that the decryption key can be used to decrypt the AI model, the way the key generation circuit derives the decryption key from the root key, version identifier, and device identifier must be consistent with the way the encryption key used to encrypt the AI model was derived from the root key, version identifier, and device identifier. For example, the algorithm for generating the decryption key and the algorithm for generating the encryption key can be the same.

[0024] Furthermore, the model protection device also includes a second register, which stores the decryption key. Correspondingly, the decryption circuit in the model protection device specifically reads the decryption key from the second register and, as instructed by the control signal, uses the decryption key to decrypt the AI model.

[0025] When the decryption circuit decrypts the AI model, if the decryption key is the same as the encryption key used to encrypt the AI model, the decryption circuit can successfully decrypt the AI model with it. If the decryption key differs from the encryption key used to encrypt the AI model, the AI model cannot be decrypted.
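The key derivation of paragraphs [0022] to [0025] as a worked example: the decryption key is derived from the root key, the model version identifier and the device identifier, and an encrypted model only opens when all three inputs (and the algorithm) match on both sides. This is an added example and not the patent's or Huawei's implementation; the patent fixes neither the key derivation function nor the cipher, so the HKDF-style HMAC-SHA256 derivation, the HMAC-based CTR keystream with an encrypt-then-MAC tag, and all sample keys and identifiers are assumptions constructed for the example.

```python
"""Added example of deriving a per-device, per-version model key and using it.
KDF, cipher and all sample values are assumptions; none come from the patent."""
import hashlib
import hmac
import os
from typing import Optional


def derive_key(root_key: bytes, version_id: bytes, device_id: bytes) -> bytes:
    """HKDF-style extract-then-expand (RFC 5869) with HMAC-SHA256.

    The encrypting party and the key generation circuit must run exactly this
    function ([0023]); any difference in algorithm or inputs yields another key."""
    prk = hmac.new(b"model-protection-salt", root_key, hashlib.sha256).digest()
    info = b"ai-model-key|" + version_id + b"|" + device_id
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()   # one 32-byte block


def _subkeys(key: bytes):
    """Separate confidentiality and integrity keys from the derived key."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """CTR-style keystream from HMAC-SHA256 used as a PRF."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_model(key: bytes, model: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Encrypt-then-MAC; output layout is nonce || ciphertext || tag."""
    nonce = os.urandom(16) if nonce is None else nonce
    enc_key, mac_key = _subkeys(key)
    ct = bytes(p ^ k for p, k in zip(model, _keystream(enc_key, nonce, len(model))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_model(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext model, or None when the key does not match ([0025])."""
    if len(blob) < 16 + 32:
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key, mac_key = _subkeys(key)
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


# Constructed sample inputs; not real keys or identifiers.
ROOT_KEY = b"constructed-root-key-32-bytes!!!"
VERSION_ID = b"model-v1.2"
DEVICE_ID = b"device-0001"
MODEL = b"constructed model weights: " + bytes(range(64))


def demo() -> dict:
    """Encrypt for one (version, device) pair, then try three derived decryption keys."""
    blob = encrypt_model(derive_key(ROOT_KEY, VERSION_ID, DEVICE_ID), MODEL)
    return {
        "same_device": decrypt_model(derive_key(ROOT_KEY, VERSION_ID, DEVICE_ID), blob),
        "other_device": decrypt_model(derive_key(ROOT_KEY, VERSION_ID, b"device-0002"), blob),
        "other_version": decrypt_model(derive_key(ROOT_KEY, b"model-v1.3", DEVICE_ID), blob),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "decrypted" if result == MODEL else "refused")
```

Binding the device identifier into the derivation is what makes a copied ciphertext useless on another device: the other device's key generation circuit, even with the same root key and version, derives a different key and the integrity check refuses to release anything. The integrity tag is also why the decryption circuit can give a clean "cannot be decrypted" outcome rather than emitting garbage weights when the key is wrong.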

[0026] In a second aspect, this application provides a computing device comprising: memory and model protection means as provided in the first aspect and any possible implementation thereof.

[0027] Optionally, the computing device further includes a driver module, which receives a task request sent by an AI application, determines the AI ​​model required by the task request, retrieves the AI ​​model from the non-volatile storage medium of the computing device, requests memory from the memory controller, stores the AI ​​model and the data to be computed carried in the task request in the memory allocated by the memory controller, and then sends a task execution instruction to a dedicated processor to instruct the dedicated processor to execute the computational task requested by the task request. The task execution instruction informs the dedicated processor of task information such as the storage address of the data to be computed in memory and the storage address of the AI ​​model in memory. Correspondingly, the dedicated processor sends a read instruction after receiving the task execution instruction.

[0028] Thirdly, this application provides a model protection method. This model protection method is applied to a model protection device. The model protection device includes an access control controller and a memory controller. The model protection method includes: the access control controller acquiring a read instruction, the read instruction requesting to read an artificial intelligence (AI) model from memory; the access control controller performing an authentication operation on the read instruction and generating a control signal based on the authentication result, the control signal indicating whether to decrypt the AI ​​model read from memory; the access control controller sending the read instruction to the memory controller; and the memory controller reading the AI ​​model from memory based on the read instruction.

[0029] Optionally, the access control performs an authentication operation on the read instruction, including: the access control obtains the read address for reading the AI ​​model contained in the read instruction, and performs an authentication operation on the read instruction based on the read address.

[0030] Optionally, the control signal includes a first control signal and a second control signal. The first control signal is used to instruct the AI ​​model to be decrypted, and the second control signal is used to instruct the AI ​​model not to be decrypted. The access control controller generates the control signal based on the authentication result, including: when the read address is a valid address, the access control controller generates the first control signal; when the read address is an invalid address, the access control controller generates the second control signal.

[0031] Optionally, the control signals include a first control signal and a second control signal. The first control signal is used to instruct the AI ​​model to be decrypted, and the second control signal is used to instruct the AI ​​model not to be decrypted. The model protection device stores a decryption permission identifier, which indicates whether the AI ​​model used by the current computing task is allowed to be decrypted. The access control controller generates control signals based on the authentication result, including: when the read address is a valid address and meets specified conditions, the access control controller generates the first control signal; when the read address is an invalid address, and / or, does not meet the specified conditions, the access control controller generates the second control signal. The specified conditions include at least one of the following: the decryption permission identifier indicates that the AI ​​model used by the current computing task is allowed to be decrypted; or, the AI ​​model is an encrypted model.

[0032] Optionally, after the access control performs authentication on the read instruction, the model protection method further includes: when the read address is an illegal address, the access control controls the decryption permission flag to indicate that all AI models used by the current computing task are not allowed to be decrypted.

[0033] Optionally, after the access control performs authentication on the read command, the model protection method further includes: after completing the current computation task, the access control resets the decryption permission flag to indicate that decryption is allowed.

[0034] Optionally, the model protection device further includes: a first register, which stores the effective address range of the AI ​​model in memory, and the access control performs an authentication operation on the read instruction, including: the access control reads the effective address range from the first register, and performs an authentication operation on the read instruction based on the effective address range and the read address.

[0035] Optionally, the model protection device further includes a decryption circuit and a dedicated processor. Before the access control obtains the read instruction, the model protection method further includes: the dedicated processor generating the read instruction and sending the read instruction to the access control; after the access control generates a control signal based on the authentication result, the model protection method further includes: the decryption circuit receiving the control signal generated by the access control and, under the instruction of the control signal, decrypting the AI ​​model and transmitting it to the dedicated processor, or, under the instruction of the control signal, transparently transmitting the AI ​​model to the dedicated processor; the dedicated processor executes the current computing task based on the AI ​​model transmitted by the decryption circuit.

[0036] Optionally, the model protection device further includes a key generation circuit. The model protection method further includes: the key generation circuit acquiring the root key of the model protection device, the version identifier of the AI ​​model, and the device identifier of the model protection device, and generating a decryption key for decrypting the AI ​​model based on the root key, the version identifier, and the device identifier.

[0037] Optionally, the model protection device further includes a second register for storing a decryption key. After the access control controller generates a control signal based on the authentication result, the model protection method further includes: the decryption circuit in the model protection device reads the decryption key from the second register and, under the instruction of the control signal, uses the decryption key to decrypt the AI ​​model.

[0038] Fourthly, this application provides a computer device comprising a processor and a memory, wherein a computer program is stored in the memory. When the processor executes the computer program, the computer device implements the model protection method provided in the third aspect and any of its possible implementations.

[0039] Fifthly, this application provides a computer-readable storage medium storing instructions that, when executed by a processor, implement the model protection method provided in the third aspect and any possible implementation thereof.

[0040] Sixthly, this application provides a model protection device, which is used to acquire a read instruction, perform an authentication operation on the read instruction, and control whether to read the AI ​​model from memory based on the authentication result.

[0041] Access control is used to authenticate read commands and, based on the authentication result, to determine whether the requested AI model can be retrieved from memory. When the AI ​​model is stored in memory as an encrypted model, successful authentication is required for retrieval and use of the AI ​​model; otherwise, it cannot be used. Therefore, controlling the process of retrieving the AI ​​model from memory prevents copying, leakage, and misuse of the AI, protecting it and contributing to a robust AI model ecosystem and a secure and reasonable profit model.

[0042] In one possible implementation, the model protection device includes an access control controller and a memory controller. The access control controller acquires a read instruction, performs authentication on the read instruction, generates a read instruction signal based on the authentication result, and sends the read instruction signal and the read instruction to the memory controller. The read instruction signal indicates whether to read the AI ​​model from memory. The memory controller, upon receiving the read instruction signal, reads the AI ​​model from memory based on the read instruction; or, upon receiving the read instruction signal, does not perform the operation of reading the AI ​​model from memory based on the read instruction.

[0043] The read instruction signals include a first read instruction signal and a second read instruction signal. The first read instruction signal indicates that the AI ​​model should be read from memory. The second read instruction signal indicates that the AI ​​model should not be read from memory. Accordingly, the access control controller generates the first read instruction signal when the read instruction is authenticated and generates the second read instruction signal when the read instruction is not authenticated.

[0044] In another possible implementation, the model protection device includes an access control controller and a memory controller. The access control controller is used to acquire read instructions, perform authentication operations on the read instructions, and determine whether to send the read instruction to the memory controller based on the authentication result. Optionally, the access control controller is used to send the read instruction to the memory controller when the authentication of the read instruction is successful, so that the memory controller can read the AI ​​model from memory based on the read instruction; when the authentication of the read instruction fails, the read instruction is intercepted, so that the memory controller cannot receive the read instruction, and therefore cannot read the AI ​​model requested by the read instruction from memory.

[0045] In one possible implementation of access control authentication, the access control is specifically used to: determine that the authentication of the read instruction is successful when the read address is a valid address, and determine that the authentication of the read instruction is unsuccessful when the read address is an invalid address. Specifically, when the read address is within the valid address range of the AI ​​model, the read address is called a valid address; when the read address is outside the valid address range of the AI ​​model, the read address is called an invalid address.

[0046] In another possible implementation of access control authentication, the model protection device stores a decryption permission identifier. This identifier indicates whether the AI ​​model used by the current computing task is allowed to be decrypted. Specifically, the access control is used to: determine that authentication of the read instruction is successful when the read address is a valid address and meets specified conditions; and determine that authentication of the read instruction fails when the read address is an invalid address and / or the specified conditions are not met. The specified conditions include at least one of the following: the decryption permission identifier indicates that the AI ​​model used by the current computing task is allowed to be decrypted, or the AI ​​model is an encrypted model.

[0047] In a seventh aspect, this application provides a computing device comprising: memory and model protection means as provided in the sixth aspect and any possible implementation thereof.

[0048] Eighthly, this application provides a model protection method. This model protection method is applied to a model protection device. The model protection device includes an access control controller and a memory controller. The model protection method includes: acquiring a read instruction, performing an authentication operation on the read instruction, and controlling the memory controller to read the AI ​​model from memory based on the authentication result.

[0049] In one possible implementation, the model protection method includes: an access control obtaining a read instruction, performing an authentication operation on the read instruction, generating a read indication signal based on the authentication result, and sending the read indication signal and the read instruction to a memory controller. The read indication signal indicates whether to read the AI ​​model from memory. The memory controller, under the instruction of the read indication signal, reads the AI ​​model from memory based on the read instruction; or, under the instruction of the read indication signal, does not perform the operation of reading the AI ​​model from memory based on the read instruction.

[0050] The read instruction signals include a first read instruction signal and a second read instruction signal. The first read instruction signal indicates that the AI ​​model should be read from memory. The second read instruction signal indicates that the AI ​​model should not be read from memory. Accordingly, the access control controller generates the first read instruction signal when the read instruction is authenticated and generates the second read instruction signal when the read instruction is not authenticated.

[0051] In another possible implementation, the model protection method includes: an access control controller acquiring a read instruction, performing an authentication operation on the read instruction, and determining whether to send the read instruction to the memory controller based on the authentication result. Optionally, if the access control controller successfully authenticates the read instruction, it sends the read instruction to the memory controller, allowing the memory controller to read the AI ​​model from memory based on the read instruction; if the authentication of the read instruction fails, the read instruction is intercepted, preventing the memory controller from receiving the read instruction and thus preventing it from reading the AI ​​model requested by the read instruction from memory.

[0052] In one possible implementation, the access control performs an authentication operation on the read instruction, including: determining that the authentication of the read instruction is successful when the read address is a valid address, and determining that the authentication of the read instruction is unsuccessful when the read address is an invalid address.

[0053] Optionally, the model protection device stores a decryption permission identifier, which indicates whether the AI model used by the current computing task is allowed to be decrypted. The access control controller performs an authentication operation on the read instruction, including: determining that the authentication of the read instruction is successful when the read address is a valid address and meets specified conditions; and determining that the authentication of the read instruction fails when the read address is an invalid address and/or does not meet the specified conditions. The specified conditions include at least one of the following: the decryption permission identifier indicates that the AI model used by the current computing task is allowed to be decrypted, or the AI model is an encrypted model.

[0054] In a ninth aspect, this application provides a computer device comprising: a processor and a memory, wherein a computer program is stored in the memory. When the processor executes the computer program, the computer device implements the model protection method provided in the eighth aspect and any of its possible implementations.

[0055] In a tenth aspect, this application provides a computer-readable storage medium storing instructions that, when executed by a processor, implement the model protection method provided in the eighth aspect and any possible implementation thereof.

[0056] In an eleventh aspect, this application provides a model protection device. The model protection device includes: an access control module and a memory controller; the access control module is used to acquire a read instruction, which requests to read an artificial intelligence (AI) model from memory; the access control module is also used to perform authentication on the read instruction and generate a control signal based on the authentication result, the control signal indicating whether to decrypt the AI model read from memory; the access control module is also used to send the read instruction to the memory controller; the memory controller is used to read the AI model from memory based on the read instruction.

[0057] Optionally, the access control module is specifically used to: obtain the read address for reading the AI ​​model contained in the read instruction, and perform authentication operations on the read instruction based on the read address.

[0058] Optionally, the control signal includes a first control signal and a second control signal. The first control signal is used to instruct the AI ​​model to be decrypted, and the second control signal is used to instruct the AI ​​model not to be decrypted. The access control module is specifically used to: generate the first control signal when the read address is a valid address; and generate the second control signal when the read address is an invalid address.

[0059] Optionally, the control signals include a first control signal and a second control signal. The first control signal is used to instruct the AI ​​model to be decrypted, and the second control signal is used to instruct the AI ​​model not to be decrypted. The model protection device stores a decryption permission identifier, which indicates whether the AI ​​model used by the current computing task is allowed to be decrypted. The access control module is specifically used to: generate the first control signal when the read address is a valid address and meets specified conditions; and generate the second control signal when the read address is an invalid address and / or does not meet specified conditions. The specified conditions include at least one of the following: the decryption permission identifier indicates that the AI ​​model used by the current computing task is allowed to be decrypted; or, the AI ​​model is an encrypted model.

[0060] Optionally, the access control module is also used to: when the read address is an illegal address, control the decryption permission flag to indicate that all AI models used by the current computing task are not allowed to be decrypted.

[0061] Optionally, the access control module is also used to: reset the decryption permission flag to indicate that decryption is allowed after the current computing task is completed.

[0062] Optionally, the model protection device further includes: a first register, which is used to store the effective address range of the AI ​​model in memory, and the access control module is specifically used to: read the effective address range from the first register, and perform authentication operations on the read instruction based on the effective address range and the read address.
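As an added example (not code from the patent), the following Python model walks through the authentication logic of paragraphs [0057] to [0062]: the first register holds the valid address range, an illegal address clears the decryption permission identifier for the rest of the task, the identifier is reset when the task completes, and the control signal is chosen from the address check and the specified conditions. The class and method names, the half-open range convention and the check that a whole read burst lies inside the range are assumptions.

```python
"""Model of the access control controller's authentication step (added example)."""
from dataclasses import dataclass
from enum import Enum


class Control(Enum):
    """Control signal handed to the decryption circuit."""
    DECRYPT = "first control signal: decrypt the AI model"
    NO_DECRYPT = "second control signal: pass the AI model through undecrypted"


@dataclass
class AccessControlController:
    # First register: valid address range [valid_start, valid_end) of the model in memory.
    valid_start: int
    valid_end: int
    # Whether the model stored in that range is an encrypted model.
    model_encrypted: bool = True
    # Decryption permission identifier for the current computing task.
    decrypt_allowed: bool = True

    def _address_valid(self, read_addr: int, length: int) -> bool:
        """A read is valid only if the whole burst lies inside the valid range
        (burst-length check is an assumption; the patent speaks of a read address)."""
        return (length > 0
                and self.valid_start <= read_addr
                and read_addr + length <= self.valid_end)

    def authenticate(self, read_addr: int, length: int) -> Control:
        """Authenticate one read instruction and return the control signal."""
        if not self._address_valid(read_addr, length):
            # Illegal address: no model used by this task may be decrypted from now on.
            self.decrypt_allowed = False
            return Control.NO_DECRYPT
        # Specified conditions: permission identifier allows it and the model is encrypted.
        if self.decrypt_allowed and self.model_encrypted:
            return Control.DECRYPT
        return Control.NO_DECRYPT

    def task_completed(self) -> None:
        """Reset the permission identifier once the current computing task finishes."""
        self.decrypt_allowed = True


def run_task(apc: AccessControlController, reads) -> list:
    """Authenticate a task's read instructions in order, then signal task completion.
    `reads` is a sequence of (read_addr, length) pairs; returns the control signals."""
    signals = [apc.authenticate(addr, length) for addr, length in reads]
    apc.task_completed()
    return signals


if __name__ == "__main__":
    # Constructed sample: encrypted model occupies [0x1000, 0x2000) in memory.
    apc = AccessControlController(valid_start=0x1000, valid_end=0x2000)
    print(run_task(apc, [(0x1000, 0x100), (0x0800, 0x100), (0x1000, 0x100)]))
```

The middle read in the sample falls outside the valid range, so it and every later read of the same task get the second control signal, while the next task starts with decryption allowed again.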

[0063] Optionally, the model protection device further includes: a decryption module and a dedicated processor. The dedicated processor generates read instructions and sends them to the access control module. The decryption module receives control signals generated by the access control module and, under the instruction of the control signals, decrypts the AI ​​model and transmits it to the dedicated processor, or, under the instruction of the control signals, transmits the AI ​​model to the dedicated processor. The dedicated processor also performs the current computation task based on the AI ​​model transmitted by the decryption module.

[0064] Optionally, the model protection device further includes a key generation module. The key generation module is used to obtain the root key of the model protection device, the version identifier of the AI ​​model, and the device identifier of the model protection device, and generate a decryption key for decrypting the AI ​​model based on the root key, version identifier, and device identifier.

[0065] Optionally, the model protection device further includes a second register for storing a decryption key. The decryption module is specifically used to read the decryption key from the second register and, under the instruction of a control signal, decrypt the AI ​​model using the decryption key.

[0066] In a twelfth aspect, this application provides a model protection device. The model protection device includes an access control module and a memory controller. The access control module is used to acquire read instructions, perform authentication operations on the read instructions, and control whether the memory controller reads the AI ​​model from memory based on the authentication result.

[0067] In one possible implementation, the access control module is specifically used to acquire a read instruction, perform an authentication operation on the read instruction, generate a read indication signal based on the authentication result, and send the read indication signal and the read instruction to the memory controller. The read indication signal indicates whether to read the AI ​​model from memory. The memory controller, upon receiving the read indication signal, reads the AI ​​model from memory based on the read instruction; or, upon receiving the read indication signal, does not perform the operation of reading the AI ​​model from memory based on the read instruction.

[0068] The read indication signal includes a first read indication signal and a second read indication signal. The first read indication signal indicates that the AI model should be read from memory. The second read indication signal indicates that the AI model should not be read from memory. Accordingly, the access control module specifically generates the first read indication signal when the authentication of the read instruction succeeds and generates the second read indication signal when the authentication of the read instruction fails.

[0069] In another possible implementation, the access control module is specifically used to acquire read instructions, perform authentication operations on the read instructions, and determine whether to send the read instructions to the memory controller based on the authentication result. Optionally, the access control module is specifically used to send the read instructions to the memory controller when the authentication of the read instructions is successful, so that the memory controller can read the AI ​​model from memory based on the read instructions; when the authentication of the read instructions fails, the read instructions are intercepted, so that the memory controller cannot receive the read instructions, and therefore cannot read the AI ​​model requested by the read instructions from memory.

[0070] Optionally, the access control module is specifically used to obtain the read address for reading the AI ​​model contained in the read instruction, and to perform authentication operations on the read instruction based on the read address.

[0071] In one possible implementation, the access control module is specifically used to determine that the authentication of the read instruction is successful when the read address is a valid address, and to determine that the authentication of the read instruction is unsuccessful when the read address is an invalid address.

[0072] Optionally, the model protection device stores a decryption permission identifier, which indicates whether the AI ​​model used by the current computing task is allowed to be decrypted. The access control module specifically determines that: when the read address is a valid address and meets specified conditions, the authentication of the read command is successful; when the read address is an invalid address, and / or the specified conditions are not met, the authentication of the read command fails. The specified conditions include at least one of the following: the decryption permission identifier indicates that the AI ​​model used by the current computing task is allowed to be decrypted, or the AI ​​model is an encrypted model.

[0073] Optionally, the access control module is also used to: when the read address is an illegal address, control the decryption permission flag to indicate that all AI models used by the current computing task are not allowed to be decrypted.

[0074] Optionally, the access control module is also used to: reset the decryption permission flag to indicate that decryption is allowed after the current computing task is completed.

[0075] Optionally, the model protection device further includes a first register, which stores the effective address range of the AI ​​model in memory. Correspondingly, the access control module is specifically used to: read the effective address range from the first register, and perform authentication operations on the read instruction based on the effective address range and the read address.

[0076] Optionally, the model protection device further includes a decryption module and a dedicated processor. The dedicated processor generates read instructions and sends them to the access control module. The decryption module decrypts the AI ​​model and transmits the decrypted AI model to the dedicated processor, or transmits the AI ​​model to the dedicated processor; the dedicated processor also performs the current computational task based on the AI ​​model transmitted by the decryption module.

[0077] Optionally, the model protection device further includes a key generation module. The key generation module is used to obtain the root key of the model protection device, the version identifier of the AI ​​model, and the device identifier of the model protection device, and generate a decryption key for decrypting the AI ​​model based on the root key, version identifier, and device identifier.

[0078] Optionally, the model protection device further includes a second register for storing a decryption key. Correspondingly, the decryption module is specifically used to read the decryption key from the second register and use the decryption key to decrypt the AI ​​model.

[0079] In a thirteenth aspect, this application provides a model protection method, which includes: a first computer device acquiring the responsible party identifier and root key of an artificial intelligence model; a third computer device acquiring the device identifier of a model protection device provided by a second computer device and sending the device identifier of the model protection device to the first computer device, wherein the third computer device is equipped with a model protection device for running the artificial intelligence model; the first computer device assigning a version identifier to the artificial intelligence model and generating an encryption key for the artificial intelligence model based on the device identifier of the model protection device, the version identifier of the artificial intelligence model, and the root key; the first computer device encrypting the artificial intelligence model using the encryption key and sending the encrypted artificial intelligence model to the third computer device; and the third computer device writing the encrypted artificial intelligence model to a non-volatile storage medium of the third computer device.

[0080] Since the encryption key is derived from the device identifier, root key, and version identifier, a different encryption key will be obtained if any of these three identifiers are different. Furthermore, because different model protection devices have different device identifiers, the encryption keys generated based on these device identifiers will also be different. Therefore, different model protection devices can be used to protect different AI models.

[0081] Optionally, the first computer device can generate a model manufacturer identifier and generate a root key based on the model manufacturer identifier to obtain the model manufacturer identifier and the root key. Alternatively, the first computer device can request the allocation of a root key from the second computer device. The second computer device can allocate a model manufacturer identifier to the model manufacturer based on the request of the first computer device, then generate a root key based on the model manufacturer identifier, and send the root key and the model manufacturer identifier to the first computer device.

[0082] In one possible implementation, the root key is generated based on the model vendor identifier and the base root key provided by the chip vendor.
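As an added example (not code from the patent), the following Python model plays out the key chain of paragraphs [0079] to [0082] together with the key generation module of paragraph [0064]: the chip vendor derives a root key from its base root key and an allocated model vendor identifier, the model vendor derives the encryption key from root key, version identifier and device identifier, and the protection device with the pre-installed root key derives the same key on its side. HMAC-SHA256 over length-prefixed fields is assumed as the derivation function, which the patent does not specify; the party and method names are hypothetical.

```python
"""Key derivation chain of the model protection scheme (added example)."""
import hashlib
import hmac
import struct


def kdf(key: bytes, purpose: bytes, *fields: bytes) -> bytes:
    """Derive a 256-bit key with HMAC-SHA256 over a purpose label and
    length-prefixed fields (assumed derivation function, not the patent's)."""
    msg = purpose + b"".join(struct.pack(">I", len(f)) + f for f in fields)
    return hmac.new(key, msg, hashlib.sha256).digest()


class ChipVendor:
    """Second computer device: owns the base root key and allocates model vendor identifiers."""

    def __init__(self, base_root_key: bytes):
        self._base_root_key = base_root_key
        self._next_vendor = 1

    def allocate_root_key(self) -> tuple:
        """Allocate a vendor identifier and the root key derived from it (paragraph [0082])."""
        vendor_id = struct.pack(">I", self._next_vendor)
        self._next_vendor += 1
        return vendor_id, kdf(self._base_root_key, b"root", vendor_id)


class ModelVendor:
    """First computer device: holds its vendor identifier and root key."""

    def __init__(self, vendor_id: bytes, root_key: bytes):
        self.vendor_id = vendor_id
        self._root_key = root_key
        self._next_version = 1

    def provision(self, device_id: bytes) -> tuple:
        """Assign a version identifier and derive the encryption key for one device."""
        version_id = struct.pack(">I", self._next_version)
        self._next_version += 1
        return version_id, kdf(self._root_key, b"model", version_id, device_id)


class ModelProtectionDevice:
    """Protection hardware of the third computer device: device identifier plus
    the root key pre-installed in its non-volatile storage (paragraph [0083])."""

    def __init__(self, device_id: bytes, root_key: bytes):
        self.device_id = device_id
        self._root_key = root_key

    def key_generation_module(self, version_id: bytes) -> bytes:
        """Recompute the decryption key from root key, version id and device id."""
        return kdf(self._root_key, b"model", version_id, self.device_id)


def provisioning_flow(base_root_key: bytes, device_id: bytes) -> tuple:
    """Run the exchange end to end and return (encryption key, decryption key)
    so both sides can be compared."""
    chip = ChipVendor(base_root_key)
    vendor_id, root_key = chip.allocate_root_key()
    vendor = ModelVendor(vendor_id, root_key)
    device = ModelProtectionDevice(device_id, root_key)
    version_id, enc_key = vendor.provision(device_id)
    return enc_key, device.key_generation_module(version_id)


if __name__ == "__main__":
    # Constructed sample values; a real base root key stays inside the chip vendor.
    enc, dec = provisioning_flow(b"constructed-base-root-key", b"device-A")
    print(enc == dec, enc.hex())
```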

[0083] Furthermore, in order to securely store the root key, it can be pre-installed in the non-volatile storage medium of the model protection device.

[0084] Optionally, in order to facilitate the decryption of the encrypted AI model by the terminal manufacturer's computing device, the first computer device also needs to send the responsible party identifier and version identifier to the third computer device.

Description of the Drawings

[0085] Figure 1 is a schematic diagram of the structure of a computing device provided in an embodiment of this application;

[0086] Figure 2 is a schematic diagram of the structure of another computing device provided in an embodiment of this application;

[0087] Figure 3 is a schematic diagram of the structure of a model protection device provided in an embodiment of this application;

[0088] Figure 4 is a schematic diagram of the structure of another model protection device provided in an embodiment of this application;

[0089] Figure 5 is a schematic diagram of the structure of another computing device provided in the embodiments of this application;

[0090] Figure 6 is a schematic diagram illustrating the transmission of a read instruction between a dedicated processor and a memory controller, as provided in an embodiment of this application;

[0091] Figure 7 is a flowchart of a method, provided in an embodiment of this application, for an access control controller to perform an authentication operation and generate a control signal based on the authentication result;

[0092] Figure 8 is a flowchart illustrating the process of generating an encryption key for an AI model, as well as the encryption and decryption process of the AI model, provided in an embodiment of this application;

[0093] Figure 9 is a schematic diagram of the information transmission process in Figure 8, provided in an embodiment of this application;

[0094] Figure 10 is a flowchart of a model protection method provided in an embodiment of this application;

[0095] Figure 11 is a schematic diagram of the structure of a computer device provided in an embodiment of this application;

[0096] Figure 12 is a flowchart of another model protection method provided in the embodiments of this application;

[0097] Figure 13 is a flowchart of another model protection method provided in the embodiments of this application.

Detailed Implementation

[0098] To make the objectives, technical solutions, and advantages of this application clearer, the embodiments of this application will be described in further detail below with reference to the accompanying drawings.

[0099] With the rapid development of artificial intelligence technology, AI models are being used to solve problems in an increasing number of application scenarios. AI models are invaluable intellectual property, and protecting them is of paramount importance. Protecting AI models can reduce the risk of their leakage and misuse, thereby safeguarding the rights and interests of companies that invest in creating them.

[0100] The use cases of AI models typically involve the AI ​​model itself, the dedicated processor on which it is implemented, and the computing device that uses the AI ​​model to perform computational tasks. The AI ​​model's reliance on a dedicated processor means that the implementation of its functionality requires the hardware resources of that dedicated processor. Furthermore, for a computing device to use the AI ​​model, it needs to have the dedicated processor deployed to implement it. For example, the AI ​​model could be a computer program for facial recognition, the dedicated processor could be a neural network processing unit (NPU), and the facial recognition function of the AI ​​model could be implemented using the hardware in the NPU. The computing device could then have a camera equipped with this dedicated processor, which could use facial recognition to implement functions such as access control.

[0101] Computational tasks typically involve multiple operations. For example, computational tasks used for face recognition include face detection, facial landmark localization, face correction, facial feature extraction, and feature comparison.

[0102] Typically, the AI ​​model, dedicated processor, and computing device are provided by at least two manufacturers. In one implementation, the AI ​​model is provided by the model manufacturer, the dedicated processor by the chip manufacturer, and the computing device by the terminal manufacturer. The dedicated processor provides an interface through which the AI ​​model can work collaboratively with the hardware within the dedicated processor to achieve its functionality. The terminal manufacturer can assemble the dedicated processor and other devices, such as non-volatile storage media, to obtain the computing device, and then program the AI ​​model onto the non-volatile storage media of the computing device, enabling the computing device to perform computational tasks using the AI ​​model and the dedicated processor. In another implementation, the AI ​​model and dedicated processor are provided by the same manufacturer, while the computing device is provided by the terminal manufacturer. In this case, the terminal manufacturer assembles the dedicated processor and other devices, such as non-volatile storage media, to obtain the computing device, and then programs the AI ​​model onto the non-volatile storage media of the computing device.

[0103] The following uses Figure 1 as an example to explain the process of using an AI model in computing device 0. Figure 1 is a schematic diagram of the structure of a computing device 0 provided in an embodiment of this application. As shown in Figure 1, the computing device 0 includes: a driver module 10, a memory 20, a memory controller 301, and a dedicated processor 303.

[0104] The driver module 10 is used to receive task requests sent by the AI application, determine the AI model required for the task request based on the task request, and retrieve the AI model from the non-volatile storage medium of the computing device 0 (not shown in Figure 1). Then, memory 20 is requested from the memory controller 301, and the AI model and the data to be computed carried in the task request are stored in the memory 20 allocated by the memory controller 301. A task execution instruction is then sent to the dedicated processor 303 to instruct the dedicated processor 303 to execute the computational task requested by the task request. It should be understood that the driver module 10 is typically implemented in software; alternatively, the driver module can also be called a driver program. The task execution instruction is used to notify the dedicated processor 303 of task information such as the storage address of the data to be computed in memory 20 and the storage address of the AI model in memory 20. The driver module 10 does not need to decrypt the AI model and can directly store the AI model in memory 20. Optionally, the AI application can send a task request to the driver module 10 through an application programming interface (API). In one possible implementation, the driver module 10 can be implemented in software.

[0105] The dedicated processor 303 is used to retrieve the data to be computed and the AI ​​model stored in memory 20 according to the task execution instruction, and to perform a computation task on the data to be computed using the AI ​​model, and store the calculation result in memory 20. Specifically, when the dedicated processor 303 needs to retrieve the data to be computed and the AI ​​model stored in memory 20, it can send a read instruction to the memory controller 301 to request to read the AI ​​model and a read command to request to read the data to be computed, so that the memory controller 301 can read the AI ​​model and the data to be computed from memory 20 and send them to the dedicated processor 303.

[0106] As can be seen from the above, in the computing device 0 shown in Figure 1, when the AI model and computing device 0 are provided by different manufacturers, the use of the AI model by computing device 0 will not be effectively restricted if the AI model is not encrypted. Therefore, in order to protect the rights and interests of the model manufacturers providing the AI model, it is urgent to protect the AI model provided by the model manufacturers.

[0107] To this end, this application provides a model protection device 30, which can authenticate the operation of reading the AI ​​model and determine whether to decrypt the AI ​​model read from the memory 20 based on the authentication result, so as to control the process of decrypting the AI ​​model, prevent the leakage and abuse of AI, and achieve the protection of the AI ​​model.

[0108] The model protection device 30 can be deployed in the computing device 0. This application embodiment provides a computing device. The computing device 0 can be a camera, desktop computer, mobile phone, tablet computer, smart TV, smart wearable device, vehicle communication device, or computer, etc. Figure 2 is a schematic diagram of another computing device 0 provided in an embodiment of this application. As shown in Figure 2, the computing device 0 includes a driver module 10, memory 20, and a model protection device 30. The model protection device 30 includes a memory controller 301, an access permission controller (APC) 302, and a dedicated processor 303. For the operation of the driver module 10, memory 20, and dedicated processor 303 in the computing device 0, reference may be made to the working process of the corresponding devices in the computing device 0 of Figure 1, which will not be described in detail here.

[0109] Optionally, the driver module 10 notifies the dedicated processor 303 of the storage addresses of the data to be computed and the AI ​​model in memory 20 via a task execution instruction. This can be implemented using linked list nodes. For example, the task execution instruction may carry the address of a linked list node in memory 20, and this linked list node stores the storage address of the AI ​​model in memory 20. When the dedicated processor 303 receives the task execution instruction, it reads the address of the linked list node in memory 20. Then, the dedicated processor 303 retrieves the linked list node in memory 20 based on its address, obtains the storage address of the AI ​​model from that linked list node, and then retrieves the AI ​​model from memory 20 based on the address obtained from the linked list node. Here, a linked list is a data structure comprising multiple linked list nodes with a logical order. Each linked list node includes two parts: a data field for storing the linked list node's data, and a link indicating the address of the next linked list node. In this embodiment, the data field of the linked list node is used to indicate the storage address of the AI ​​model in memory 20.

[0110] Since computing device 0 typically needs to handle a large number of computational tasks, to ensure the orderly execution of these tasks, in the computing device 0 provided in this application embodiment, the process from the driver module 10 sending a task execution instruction to the dedicated processor 303 to the dedicated processor 303 retrieving the data to be computed and the AI model stored in memory 20 can be implemented through a hardware queue. The hardware queue typically contains multiple computational tasks, and the dedicated processor 303 can execute these multiple computational tasks serially according to the order in which they are queued. The computing device 0 also includes a hardware queue, which is not shown in Figure 1 or Figure 2.

[0111] For example, the driver module 10 can write task execution instructions into a hardware queue. These instructions are queued sequentially within the hardware queue. When the execution time for the computational task indicated by the instruction is reached, the hardware queue sends the task execution instruction to the dedicated processor 303. Upon receiving the instruction, the dedicated processor 303 sends a read instruction to the hardware queue requesting to read the AI ​​model from memory 20. Based on this read instruction, the hardware queue sends a read instruction to the memory controller 301 requesting to read the AI ​​model from memory 20. After reading the AI ​​model from memory 20, the hardware queue sends the AI ​​model to the dedicated processor 303, enabling the dedicated processor 303 to use the AI ​​model to perform computational tasks on the data to be computed.

[0112] Furthermore, the operation of the dedicated processor 303 to start executing the computational task indicated by the task execution instruction can be triggered by a register. When the computational task is implemented through a hardware queue and linked list nodes, the register is used to trigger the hardware queue to retrieve a linked list node from memory 20, retrieve the storage address of the AI ​​model in memory 20 from the linked list node, and send the retrieved address to the dedicated processor 303 so that the dedicated processor 303 can send a read instruction according to the corresponding address.

[0113] Additionally, computing device 0 may also include a memory management unit (MMU), not shown in Figure 2. The MMU is used to perform address mapping between the address carried in a memory access request and the physical address where the data is stored in memory. In this way, the memory controller 301 can be indirectly connected to the memory 20 through the MMU, and the interaction between the memory controller 301 and the memory 20 can be realized through the MMU.

[0114] It should be noted that after the dedicated processor 303 sends a read instruction to the hardware queue, the hardware queue forwards the read instruction to the memory controller 301. Furthermore, after the hardware queue reads the AI ​​model from memory 20, it sends the AI ​​model back to the dedicated processor 303. Therefore, this process can be viewed as the dedicated processor 303 reading the AI ​​model from memory 20 by sending a read command. Moreover, even when the process from when the driver module 10 sends a task execution instruction to the dedicated processor 303 to when the dedicated processor 303 reads the data to be computed and the AI ​​model from memory 20 without going through the hardware queue, the dedicated processor 303 still needs to send a read instruction to the memory controller 301 to read the AI ​​model from memory 20. Therefore, in this embodiment of the application, for the sake of simplicity, regardless of whether the process from the driver module 10 sending a task execution instruction to the dedicated processor 303 to the dedicated processor 303 reading the data to be calculated and the AI ​​model from the memory 20 is implemented through a hardware queue, the dedicated processor 303 sending a read instruction can be regarded as sending a read instruction to the memory controller 301. The process from the dedicated processor 303 sending a read instruction to the dedicated processor 303 reading the AI ​​model from the memory 20 is simply referred to as the dedicated processor 303 sending a read instruction to the memory controller 301 to implement the process of reading the AI ​​model from the memory 20. The implementation method of whether or not a hardware queue exists is not distinguished, nor is the object to which the dedicated processor 303 sends a read instruction.

[0115] The implementation of the model protection device 30 provided in the embodiments of this application will be described below. For example, as shown in Figure 3, the model protection device 30 includes an access control controller 302 and a memory controller 301.

[0116] The access control controller 302 is used to acquire read instructions, perform authentication operations on the read instructions, generate control signals based on the authentication results, and send the read instructions to the memory controller 301. The read instruction requests to read an AI model from memory 20. The control signals indicate whether to decrypt the AI model read from memory 20. These control signals may include a first control signal and a second control signal. The first control signal indicates that the AI model should be decrypted. The second control signal indicates that the AI model should not be decrypted.

[0117] The memory controller 301 is used to read the AI ​​model from memory 20 based on read instructions.

[0118] AI models are diverse, and different AI models can be used for different application scenarios. In one possible implementation, the AI ​​model in this application embodiment can be a neural network model.

[0119] As can be seen from the above, by authenticating the read instruction through the access control controller 302, an indication can be generated as to whether the AI model read from memory 20 should be decrypted. When the AI model is stored in memory 20 in the form of an encrypted model, the AI model can only be successfully used if the control signal indicates that the AI model should be decrypted. If the control signal indicates that the AI model should not be decrypted, the AI model cannot be used. Therefore, the access control controller 302 provided in this application embodiment controls the process of decrypting the AI model, so that leakage and misuse of the AI model are prevented and the AI model is protected.

[0120] Furthermore, as shown in Figure 4, the model protection device 30 may also include a decryption circuit 304 and a dedicated processor 303.

[0121] The dedicated processor 303 generates read instructions and sends them to the access control controller 302, enabling the access control controller 302 to perform authentication on the read instructions. After the driver module 10 stores the AI model and the data to be computed in memory 20, it can send a task execution instruction to the dedicated processor 303, instructing the dedicated processor 303 to execute the computational task requested by the task request. Correspondingly, the dedicated processor 303 can generate read instructions based on the task execution instruction and send them to the access control controller 302. Furthermore, the task execution instruction may carry the memory address of the AI model in memory 20, and the read instruction sent by the dedicated processor 303 may carry that memory address.

[0122] The decryption circuit 304 receives the control signal generated by the access control controller 302 and, as instructed by the control signal, either decrypts the AI model and transmits the decrypted model to the dedicated processor 303, or transmits the AI model to the dedicated processor 303 without decrypting it. Optionally, the decryption circuit 304 can use a decryption algorithm to decrypt the AI model. The decryption algorithm used by the decryption circuit 304 can be a block cipher algorithm conforming to the international standards of the International Organization for Standardization (ISO) / International Electrotechnical Commission (IEC). For example, the decryption algorithm used by the decryption circuit 304 can be the Advanced Encryption Standard (AES) algorithm.

[0123] The dedicated processor 303 is also used to execute the current computational task based on the AI model transmitted by the decryption circuit 304. Specifically, the dedicated processor 303 uses hardware such as circuits within itself to accelerate the AI model, thereby performing the computational task based on the AI model. The dedicated processor 303 can be a processor specifically designed for AI computation; for example, it can be an NPU.

[0124] In one possible implementation, as shown in Figure 5 and Figure 6, the access control controller 302 can be mounted on the read channel through which the dedicated processor 303 sends read commands to the memory controller 301, and the decryption circuit 304 can be mounted on the response channel through which the memory controller 301 sends read responses to the dedicated processor 303 in reply to those read commands. A read command requests the reading of data or of a computer program; a read instruction is the type of read command that requests the reading of a computer program. In this case, the transmission path of a read instruction sent by the dedicated processor 303 to the memory controller 301 is as follows: first, the dedicated processor 303 sends it to the access control controller 302, and then the access control controller 302 sends it to the memory controller 301. Therefore, the access control controller 302 can obtain the read instruction sent to the memory controller 301 and perform authentication on it. Furthermore, the control signal that the access control controller 302 generates based on the authentication result can be sent to the memory controller 301 along with the read instruction. The memory controller 301 can carry the AI model read according to the read instruction in the read response and send the control signal to the decryption circuit 304 along with the read response. The decryption circuit 304 can then either decrypt the AI model according to the control signal and send the decrypted AI model to the dedicated processor 303, or transmit the AI model to the dedicated processor 303 undecrypted according to the control signal.

[0125] Alternatively, the access control controller 302 can be mounted on the read channel through which the dedicated processor 303 sends commands or data to all other devices, allowing the access control controller 302 to acquire all commands and data sent by the dedicated processor 303. In this case, the access control controller 302 can also classify the acquired commands and data and perform authentication operations on the read commands sent to the memory controller 301 based on the classification result.

[0126] Alternatively, the access control controller 302 can be implemented in other ways, as long as it can obtain the read command sent by the dedicated processor 303, generate a control signal based on the authentication result of the read command, send the control signal to the decryption circuit 304 for use in decrypting the AI model, and maintain a correspondence between the AI model sent to the decryption circuit 304 and the control signal indicating whether to decrypt it. For example, the access control controller 302 need not be mounted on the read channel through which the dedicated processor 303 sends read commands to the memory controller 301. Instead, when the dedicated processor 303 sends a read command to the memory controller 301, it can simultaneously send the read command to the access control controller 302; the AI model read according to the read command then carries the identifier of the read command, and the control signal generated for the read command carries the same identifier, so that the AI model and the control signal indicating whether to decrypt it are matched through the identifier of the read command. This application embodiment does not specifically limit this. Because the AI model sent to the decryption circuit 304 and the control signal indicating whether to decrypt it correspond to each other, the decryption circuit 304 can determine from the control signal whether to decrypt the corresponding AI model.

[0127] In one possible implementation, the control signal's instructive role in the decryption process can be achieved by setting the value of a variable carried in the control signal. For example, when the variable's value is 1, the control signal instructs that the AI model read from memory 20 be decrypted; in this case, the control signal can be called the first control signal. When the variable's value is 0, the control signal instructs that the AI model read from memory 20 not be decrypted; in this case, the control signal can be called the second control signal.

[0128] Furthermore, the control signal can be implemented as an in-path signal. For example, the dashed arrow in Figure 5 indicates the transmission path of the control signal: as shown in Figure 5, after the access control controller 302 sends a control signal to the memory controller 301, the memory controller 301 can send the control signal along with the AI model to the decryption circuit 304. In one implementation, the content indicated by the control signal can be represented by the value of a variable. Accordingly, the memory controller 301 can carry the value of that variable in an extended field of the data sent to the decryption circuit 304, so that the indication function of the control signal is expressed by the value in the extended field.

[0129] In one possible implementation of the authentication operation performed by the access control controller 302, the access control controller 302 can obtain the read address for reading the AI model contained in the read instruction, and perform the authentication operation on the read instruction based on the read address. For example, in addition to obtaining the read address contained in the read instruction, the access control controller 302 can also obtain the effective address range in memory 20 of the AI model requested to be read, and perform the authentication operation on the read instruction based on the read address and the effective address range. The effective address range of the AI model in memory 20 at least covers the actual storage address of the AI model in memory 20. The effective address range can be set by the driver module 10 after it stores the AI model in memory 20, based on the storage address of the AI model in memory 20.

[0130] Optionally, this effective address range can be stored in registers. Correspondingly, as shown in Figure 4, the model protection device 30 may further include a first register 305, which stores the effective address range of the AI model in memory 20. In one implementation, the first register 305 may be a collective term for one or more registers used to store the effective address range. For example, the effective address range may be represented by variables stored in two registers, one register storing the starting address of the effective address range and the other storing either the length of the effective address range or its ending address.

[0131] In one possible implementation, the process by which the access control controller 302 generates a control signal based on the authentication result may include: when the read address is a valid address, the access control controller 302 generates a first control signal; when the read address is an invalid address, the access control controller 302 generates a second control signal. Specifically, when the read address is within the valid address range of the AI model, the read address is considered a valid address; when the read address is outside the valid address range of the AI model, the read address is considered an invalid address.

[0132] In another possible implementation, the access control controller 302 can also perform authentication operations based on conditions other than the read address. For example, when the read address is a valid address and a specified condition is met, the access control controller 302 generates a first control signal; when the read address is an invalid address and/or the specified condition is not met, the access control controller 302 generates a second control signal. The specified conditions include at least one of the following: a decryption permission identifier indicates that the AI model used by the current computing task is allowed to be decrypted, or the AI model is an encrypted model.

[0133] The decryption permission identifier is stored in the model protection device 30. For example, the decryption permission identifier can be stored in a register. This decryption permission identifier is used to indicate whether the AI model used by the current computing task is allowed to be decrypted. Furthermore, the indicative function of the decryption permission identifier can be determined by its value. In one implementation, when the value of the decryption permission identifier is 0, it indicates that the AI model used by the current computing task is allowed to be decrypted; when the value is 1, it indicates that the AI model used by the current computing task is not allowed to be decrypted; and the default value of the decryption permission identifier is 0.

[0134] Optionally, the access control controller 302 can also set the decryption permission identifier based on whether the read address is a valid address. In one implementation, when the access control controller 302 determines that the read address is an invalid address, it can set the decryption permission identifier to indicate that none of the AI models used by the current computing task are allowed to be decrypted. In this way, a penalty mechanism for decrypting AI models can be implemented by judging the read address: once the read address is determined to be invalid, the decryption permission identifier is set to indicate that no AI model used by the current computing task may be decrypted. When an attack is launched against a protected AI model using a malicious model, the malicious model usually has to be read from memory 20 first, but the read address carried by the read instruction requesting the malicious model is not a valid address. At this point the penalty mechanism sets the decryption permission identifier so that no AI model used by the current computing task may be decrypted, thus preventing attacks on the AI model using the malicious model.

[0135] Furthermore, since this decryption permission identifier is used to indicate whether the AI model used by the current computing task is allowed to be decrypted, a single decryption permission identifier can be set for multiple computing tasks executed serially by computing device 0. The value of this identifier during the execution of each computing task then indicates whether the AI model used in that computing task is allowed to be decrypted. Alternatively, a separate decryption permission identifier can be set for each computing task, with each identifier indicating whether the AI model used by that task is allowed to be decrypted.

[0136] Correspondingly, when a single decryption permission identifier is set for multiple computing tasks executed serially by computing device 0, after the current computing task is completed, the access control controller 302 can also reset the decryption permission identifier to indicate that decryption is allowed, so as to ensure that computing tasks executed after the current computing task can obtain the AI model normally. Optionally, the decryption permission identifier can also be reset in other ways, for example by powering on computing device 0 again. This application embodiment does not specifically limit the method.

[0137] Whether an AI model is encrypted can be determined by the value of its encryption flag. In one implementation, when the encryption flag is 0, it indicates that the AI model is encrypted; when it is 1, it indicates that the AI model is unencrypted. Whether an AI model is encrypted can be decided based on the protection requirements of the model manufacturer. When the model manufacturer needs to protect the AI model, it can encrypt the AI model and set the encryption flag to indicate that the AI model is encrypted. When the model manufacturer does not need to protect the AI model, it does not need to encrypt the AI model and sets the encryption flag to indicate that the AI model is unencrypted. Furthermore, the encryption flag can be stored in a register, and the value of the encryption flag stored in the register can be set by the driver module 10. After the driver module 10 writes the model to the non-volatile storage medium of the computing device 0, the driver module 10 can read the file header of the AI model. The file header carries model information about the AI model, including whether the model is an encrypted model and the size of the model. The driver module 10 can set the value of the encryption flag in the register according to this model information.

[0138] In addition, since the dedicated processor 303 needs both the AI model and the data to be calculated when performing computational tasks, it also sends read commands to the memory controller 301 requesting that data be read from memory 20. These read commands are likewise transmitted to the memory controller 301 via the read channel used by the dedicated processor 303. Therefore, the access control controller 302 receives not only read commands requesting the reading of the AI model but also read commands requesting the reading of data from memory 20. Since the AI model is the object that needs to be protected by control signals, the authentication process performed by the access control controller 302 also includes determining whether the received read command is a read instruction. If the read command received by the access control controller 302 is not a read instruction, it is not used to request the reading of the AI model from memory 20, and the data read according to it does not need to be decrypted; the access control controller 302 can then generate a control signal indicating that the content read according to the read command should not be decrypted. The read command carries a command identifier, which indicates the content that the read command requests to read. Therefore, based on the command identifier carried by the read command, it can be determined whether the read command is a read instruction used to request reading of the AI model.

[0139] The read address in the read command sent by the dedicated processor 303 is determined from the memory address of the AI model in memory 20 that the task execution instruction can carry. When a malicious program attacks the AI model, it modifies the memory address of the AI model in memory 20 that the dedicated processor 303 receives, so that the read address carried by the read command that the dedicated processor 303 sends based on that memory address is an illegal address. By authenticating the read command, the access control controller 302 provided in this application embodiment can determine that the read address sent by the dedicated processor 303 is an illegal address and generate a control signal indicating that the AI model should not be decrypted, so that the computing device 0 cannot use the encrypted model, thus preventing the abuse of and attacks on the AI model by malicious programs.

[0140] In another scenario, a malicious program may not only modify the memory address of the AI model that the dedicated processor 303 receives, but also modify the effective address range of the AI model stored in the first register 305. In this case, although the access control controller 302 may misjudge the read address as a legitimate address, the content read from memory 20 at the incorrect address will not be the AI model originally required by the dedicated processor 303. Since the decryption key used by the decryption circuit 304 is the decryption key of the originally required AI model, it cannot correctly decrypt the content read from memory 20, so the malicious program's attack on the AI model still fails.

[0141] It should be noted that the order in which the access control controller 302 determines whether the read address is a valid address, determines the content indicated by the decryption permission identifier, determines whether the AI model is an encrypted model, and determines whether the received read command is a read instruction can be set according to application requirements. Figure 7 is a schematic diagram of one possible execution order. As shown in Figure 7, the process by which the access control controller 302 performs authentication and generates control signals based on the authentication results includes the following steps:

[0142] Step 701: The access control controller obtains the read command.

[0143] Step 702: After receiving the read command, the access control controller determines whether the decryption permission identifier indicates that the AI model used by the current computing task is allowed to be decrypted. If the decryption permission identifier indicates that the AI model used by the current computing task is allowed to be decrypted, step 703 is executed. If the decryption permission identifier indicates that the AI model used by the current computing task is not allowed to be decrypted, step 706 is executed.

[0144] Step 703: The access control controller determines whether the AI model is an encrypted model. If the AI model is an encrypted model, proceed to step 704. If the AI model is an unencrypted model, proceed to step 706.

[0145] Step 704: The access control controller determines whether the read command is a read instruction requesting the reading of the AI model. If it is, proceed to step 705. If it is not, proceed to step 706.

[0146] Step 705: The access control controller determines whether the read address is a valid address. When the read address is a valid address, a first control signal is generated. When the read address is an invalid address, the decryption permission identifier is set to indicate that no AI model used by the current computing task is allowed to be decrypted, and step 706 is executed.

[0147] Step 706: The access control controller generates a second control signal.

[0148] When any of the above judgment conditions is not met, the access control controller generates a second control signal immediately, without evaluating the remaining conditions. This reduces the workload of the access control controller and ensures authentication efficiency. Furthermore, when the authentication process follows the above order (first judging the decryption permission identifier, then whether the AI model is an encrypted model, then whether the read command is a read instruction, and finally whether the read address is a valid address), the judgments proceed from coarse to fine granularity, further ensuring authentication efficiency.
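The authentication flow of paragraphs [0129] to [0148] can be modelled in software to see how the four checks, the penalty mechanism and the task-level reset interact. The following Python is an added illustration, not code from the patent or from Huawei: the register layout, the command identifier values and the class names are assumptions chosen to mirror the text, the flag encodings (0 = decryption allowed, 0 = model encrypted, default permission 0) follow paragraphs [0133] and [0137], and all addresses are constructed sample values.

```python
"""Software model of the access control controller's authentication flow.

Constructed illustration (not the patent's circuit): the registers, the
command format and the controller class are assumptions that mirror the
text, and the addresses used are made up."""
from dataclasses import dataclass, field

# Flag encodings as stated in the text: 0 = decryption allowed / model encrypted.
DECRYPT_ALLOWED, DECRYPT_DENIED = 0, 1        # decryption permission identifier
MODEL_ENCRYPTED, MODEL_PLAINTEXT = 0, 1       # encryption flag
FIRST_CONTROL_SIGNAL, SECOND_CONTROL_SIGNAL = 1, 0  # decrypt / do not decrypt

# Command identifier values are an assumption: the text only says the command
# carries an identifier telling what it requests to read.
CMD_READ_MODEL, CMD_READ_DATA = "model", "data"


@dataclass
class ReadCommand:
    cmd_id: str      # command identifier (model read instruction or data read)
    address: int     # read address carried by the command


@dataclass
class AccessController:
    """Holds the registers the text describes: the first register (effective
    address range as start + length), the encryption flag and the decryption
    permission identifier."""
    range_start: int
    range_length: int
    encryption_flag: int = MODEL_ENCRYPTED
    decrypt_permission: int = DECRYPT_ALLOWED   # default value per paragraph [0133]
    log: list = field(default_factory=list)

    def address_is_valid(self, addr: int) -> bool:
        # Valid iff inside the effective address range stored in the first register.
        return self.range_start <= addr < self.range_start + self.range_length

    def authenticate(self, cmd: ReadCommand) -> int:
        # Step 702: coarsest check first; any failure short-circuits to step 706.
        if self.decrypt_permission != DECRYPT_ALLOWED:
            return SECOND_CONTROL_SIGNAL
        # Step 703: an unencrypted model has nothing to decrypt.
        if self.encryption_flag != MODEL_ENCRYPTED:
            return SECOND_CONTROL_SIGNAL
        # Step 704: plain data reads are never decrypted.
        if cmd.cmd_id != CMD_READ_MODEL:
            return SECOND_CONTROL_SIGNAL
        # Step 705: address check, with the penalty mechanism on failure.
        if self.address_is_valid(cmd.address):
            return FIRST_CONTROL_SIGNAL
        self.decrypt_permission = DECRYPT_DENIED
        self.log.append(f"invalid model read at {cmd.address:#x}: task locked")
        return SECOND_CONTROL_SIGNAL

    def finish_task(self) -> None:
        # Paragraph [0136]: reset after the current task so later tasks can decrypt.
        self.decrypt_permission = DECRYPT_ALLOWED


def run_scenario() -> list:
    """Constructed sequence: a good read, a data read, an out-of-range model
    read that triggers the penalty, a good read that is now refused, then a
    good read after the task-level reset."""
    ac = AccessController(range_start=0x1000, range_length=0x4000)
    results = []
    results.append(ac.authenticate(ReadCommand(CMD_READ_MODEL, 0x1040)))  # first signal
    results.append(ac.authenticate(ReadCommand(CMD_READ_DATA, 0x1040)))   # second: data
    results.append(ac.authenticate(ReadCommand(CMD_READ_MODEL, 0x9000)))  # second: penalty
    results.append(ac.authenticate(ReadCommand(CMD_READ_MODEL, 0x1040)))  # second: locked
    ac.finish_task()
    results.append(ac.authenticate(ReadCommand(CMD_READ_MODEL, 0x1040)))  # first again
    return results


if __name__ == "__main__":
    print(run_scenario())
```

Note that because step 704 precedes step 705, an out-of-range address on a plain data read does not trigger the penalty; only a model read instruction with an invalid address locks the task, which matches the text's rationale that the penalty targets reads of a malicious model.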

[0149] In addition, as shown in Figure 4, the model protection device 30 may further include a key generation circuit 306. The key generation circuit 306 is used to obtain the root key of the model protection device 30, the version identifier of the AI model, and the device identifier of the model protection device 30, and to generate from the root key, version identifier and device identifier a decryption key for decrypting the AI model. Optionally, after the driver module 10 stores the AI model in memory 20, it can instruct the key generation circuit 306 to generate the decryption key, i.e., the key generation circuit 306 generates the decryption key under the instruction of the driver module 10. Alternatively, the key generation circuit 306 can generate the decryption key before the AI model is stored in memory 20. For example, after the AI model is burned into the non-volatile storage medium of the computing device 0, the key generation circuit 306 can generate the decryption key for the AI model for subsequent decryption.

[0150] To ensure that the decryption key can be used to decrypt the AI model, the method by which the key generation circuit 306 generates the decryption key from the root key, version identifier and device identifier must be consistent with the method by which the encryption key used to encrypt the AI model was generated from the root key, version identifier and device identifier. For example, the algorithm for generating the decryption key and the algorithm for generating the encryption key can be the same.

[0151] Also, as shown in Figure 4, the model protection device 30 further includes a second register 307, which stores the decryption key. After the key generation circuit 306 generates the decryption key, it can store the decryption key in the second register 307. The decryption circuit 304 in the model protection device 30 is then specifically used to read the decryption key from the second register 307 and, under the instruction of a control signal, decrypt the AI model using that decryption key. Specifically, when the decryption circuit 304 decrypts the AI model, if the decryption key is the same as the encryption key used to encrypt the AI model, the decryption circuit 304 can successfully decrypt the AI model; if the decryption key differs from the encryption key used to encrypt the AI model, the AI model cannot be decrypted.

[0152] The following example illustrates the generation of the encryption key for the AI model and the encryption and decryption processes of the AI model, using the following scenario: the root key and device identifier of the model protection device 30 are provided by the chip manufacturer; the version identifier of the AI model is assigned by the model manufacturer; the model manufacturer's operations are executed by a first computer device; the chip manufacturer's operations are executed by a second computer device; and the terminal manufacturer's operations are executed by a third computer device. The model manufacturer's operations can be executed by one or more computer devices, collectively referred to as the first computer device. Similarly, the chip manufacturer's operations can be executed by one or more computer devices, collectively referred to as the second computer device, and the terminal manufacturer's operations by one or more computer devices, collectively referred to as the third computer device. As shown in Figure 8, the implementation process includes the following steps:

[0153] Step 801: The first computer device obtains the model manufacturer's identifier and the root key of the model protection device for the AI model.

[0154] Optionally, the first computer device can generate a model vendor identifier and then generate a root key based on the model vendor identifier, thereby obtaining both the model vendor identifier and the root key. Alternatively, the first computer device can request the allocation of a root key from the second computer device. The second computer device can allocate a model vendor identifier to the model vendor based on the request from the first computer device, then generate a root key based on the model vendor identifier, and send the root key and the model vendor identifier to the first computer device. Here, the chip manufacturer is typically a party trusted by the model vendor; therefore, as shown in Figure 9, the model vendor identifier is usually assigned by the chip manufacturer to the model vendor, and the root key is usually generated based on the model vendor identifier and the basic root key provided by the chip manufacturer.

[0155] Furthermore, to ensure the security of the model vendor identifier and root key, the root key and model vendor identifier can be sent to the first computer device in a packaged and encrypted manner. Optionally, the encryption method for the model vendor identifier and root key can be PGP (pretty good privacy) encryption. In one implementation, the process of generating the root key based on the model vendor identifier can be performed offline using a server running in a secure environment. For example, this server running in a secure environment can be a hardware security module (HSM).

[0156] Furthermore, to securely store the root key, it can be pre-installed in a non-volatile storage medium of the model protection device 30. For example, the root key can be stored in a one-time programmable (OTP) storage medium. Since an OTP storage medium supports writing data only once, a malicious program that attempts to tamper with the root key stored in the OTP storage medium cannot write to the OTP storage medium again, thus ensuring the security of the root key.

[0157] Step 802: The third computer device obtains the device identifier of the model protection device and sends it to the first computer device.

[0158] The computing device 0 provided by the terminal manufacturer is equipped with the model protection device 30 provided in this application embodiment, which is used to run an AI model. The model protection device 30 has a built-in device identifier. The third computer device can read the device identifier of the model protection device 30 through the application programming interface of the model protection device 30 and send the device identifier to the first computer device. When the model protection device 30 is a computing chip, the device identifier is the chip identifier of that computing chip.

[0159] In one possible implementation, the device identifier can be stored in a non-volatile storage medium of the model protection device 30. For example, the device identifier can be stored in an OTP storage medium. Since an OTP storage medium supports writing data only once, a malicious program that attempts to tamper with the device identifier stored in the OTP storage medium cannot write to the OTP storage medium again, thus ensuring the security of the device identifier.

[0160] Step 803: The first computer device assigns a version identifier to the AI model and generates an encryption key for the AI model based on the device identifier of the model protection device, the version identifier of the AI model, and the root key of the model protection device.

[0161] Model manufacturers distinguish their various AI models: as shown in Figure 9, a model manufacturer can assign version identifiers to different AI models using the first computer device. Furthermore, as shown in Figure 9, the model manufacturer can generate an encryption key for the AI model based on the obtained device identifier, root key, and version identifier. In one possible implementation, the chip manufacturer can provide the model manufacturer with a key generation unit for generating the encryption key. This key generation unit can be implemented in software or hardware. The model manufacturer obtains the encryption key for the AI model by inputting the version identifier, device identifier, and root key into the key generation unit and receiving its output. Furthermore, as shown in Figure 9, when generating an encryption key, the key generation unit can first generate an intermediate key based on the root key and the version identifier, and then generate the encryption key based on the intermediate key and the device identifier.

[0162] Since the encryption key is derived from the device identifier, root key, and version identifier, different encryption keys are obtained when any of these three inputs differs. Furthermore, because different model protection devices 30 have different device identifiers, the encryption keys generated from these device identifiers are also different, allowing different model protection devices 30 to protect different AI models. Moreover, when the same model protection device 30 is used to protect multiple AI models provided by the same model manufacturer, the encryption keys for these AI models can be made the same or different according to the model manufacturer's wishes. For example, when the same model protection device 30 protects multiple AI models, the model manufacturer can assign the same version identifier to all of them. Since these AI models share the same model manufacturer, and the root key is generated from the model manufacturer's identifier, the device identifier, version identifier, and root key used to generate the encryption keys for these AI models are all the same; therefore, their encryption keys are identical.

[0163] Step 804: The first computer device encrypts the AI model using the encryption key, sends the encrypted AI model to the third computer device, and sends the model manufacturer identifier and version identifier to the third computer device.

[0164] As shown in Figure 9, after obtaining the encryption key for the AI model, the first computer device can use it to encrypt the AI model stored in plaintext (also called the plaintext model). After the terminal manufacturer purchases the AI model from the model manufacturer, the encrypted AI model is sent to the terminal manufacturer. Furthermore, in order for the terminal manufacturer's computing device 0 to decrypt the encrypted AI model, the model manufacturer also needs to send the AI model's version identifier and the model manufacturer's identifier to the terminal manufacturer. Alternatively, the model manufacturer can send the root key of the model protection device 30 and the AI model's version identifier to the terminal manufacturer.

[0165] Step 805: The third computer device writes the encrypted AI model to the non-volatile storage medium of the computing device, and stores the model manufacturer's identifier and version identifier in the non-volatile storage medium of the computing device.

[0166] After obtaining the encrypted AI model, the third computer device can write the encrypted AI model to the non-volatile storage medium of computing device 0. Optionally, the third computer device can write an image file containing the encrypted AI model to the non-volatile storage medium of computing device 0 on the production line. The model manufacturer's identifier and version identifier are stored in the non-volatile storage medium of computing device 0. This non-volatile storage medium can be flash memory, hard disk drive (HDD), or solid-state drive (SSD), etc.

[0167] Step 806: The key generation circuit obtains the model manufacturer identifier, version identifier, and device identifier from the non-volatile storage medium of the computing device.

[0168] Since the model protection device 30 has a built-in device identifier, the third computer device can read the device identifier and provide it to the key generation circuit 306. Furthermore, the non-volatile storage medium of the computing device 0 stores the model manufacturer identifier (model_owner_id) and the version identifier, which the key generation circuit 306 can obtain.

[0169] Step 807: The key generation circuit generates a decryption key based on the model manufacturer identifier, version identifier, and device identifier, and stores the decryption key in the second register.

[0170] As shown in Figure 9, the key generation circuit 306 can generate a root key for the model protection device 30 based on the model manufacturer's identifier, and generate a decryption key based on the root key, the device identifier of the model protection device 30, and the version identifier of the AI model. In one possible implementation, since the key generation circuit 306 is provided by the chip manufacturer that provides the model protection device 30, the key generation circuit 306 can obtain the basic root key provided by the chip manufacturer and generate the root key based on the model manufacturer's identifier and that basic root key. Furthermore, to ensure that the decryption key can be used to decrypt the AI model, the way the key generation circuit 306 generates the decryption key needs to be consistent with the way the first computer device generates the encryption key. For example, the algorithm for generating the decryption key and the algorithm for generating the encryption key can be the same. Additionally, as shown in Figure 9, when generating the decryption key, the key generation circuit can first generate an intermediate key based on the root key and the version identifier, and then generate the decryption key based on the intermediate key and the device identifier.

[0171] When generating a root key based on the model manufacturer's identifier, the process of generating the root key based on the model manufacturer's identifier and then generating the decryption key based on the root key requires an extra generation process compared to directly generating the decryption key based on the root key. This process further ensures the security of the key.

[0172] When the model manufacturer sends the root key and version identifier to the terminal manufacturer in step 804, in step 807, the key generation circuit 306 can directly generate a decryption key based on the root key, version identifier and device identifier.
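The key chain of steps 803 to 807, written out in Python as an added example (not the patent's circuit, and not code from Huawei): the chip manufacturer's basic root key is bound to the model manufacturer's identifier to form the root key, the root key and version identifier form the intermediate key, and the intermediate key and device identifier form the model key. The patent fixes the inputs of each stage but not the function, so the HMAC-SHA256 derivation, the stage labels and all sample identifiers below are assumptions. The block shows the property [0162] and [0170] rely on: the device side reproduces the manufacturer's key exactly only when both run the same algorithm over the same three identifiers, a different device or version identifier yields a different key, and the shortcut of [0172] (manufacturer ships the root key) lands on the same key.

```python
"""Figure 9 key derivation chain, modelled in Python (added example, not the
patent's hardware). KDF choice (HMAC-SHA256 keyed by the parent key) and the
stage labels are assumptions; the patent only fixes the inputs of each stage."""
import hashlib
import hmac


def kdf(parent_key: bytes, label: bytes, ident: bytes) -> bytes:
    # One derivation step; the label keeps the root/version/device stages distinct.
    return hmac.new(parent_key, label + b"\x00" + ident, hashlib.sha256).digest()


def derive_root_key(base_root_key: bytes, model_owner_id: bytes) -> bytes:
    """Root key of the device for one model manufacturer ([0170], step 807)."""
    return kdf(base_root_key, b"root", model_owner_id)


def derive_model_key(root_key: bytes, version_id: bytes, device_id: bytes) -> bytes:
    """root key -> intermediate key (version identifier) -> model key (device identifier)."""
    intermediate = kdf(root_key, b"version", version_id)
    return kdf(intermediate, b"device", device_id)


# Constructed sample identifiers; none of these values come from the patent.
BASE_ROOT_KEY = bytes.fromhex("00112233445566778899aabbccddeeff"
                              "ffeeddccbbaa99887766554433221100")
MODEL_OWNER_ID = b"model-maker-A"
DEVICE_A, DEVICE_B = b"soc-serial-0001", b"soc-serial-0002"
VERSION_1, VERSION_2 = b"v1", b"v2"


def manufacturer_side(version_id: bytes, device_id: bytes) -> bytes:
    """First computer device (step 803): encryption key for one device and version."""
    return derive_model_key(derive_root_key(BASE_ROOT_KEY, MODEL_OWNER_ID),
                            version_id, device_id)


def device_side(version_id: bytes, device_id: bytes) -> bytes:
    """Key generation circuit 306 (steps 806-807): identifiers read from NVM plus
    the built-in device identifier, same algorithm as the manufacturer."""
    return derive_model_key(derive_root_key(BASE_ROOT_KEY, MODEL_OWNER_ID),
                            version_id, device_id)


def device_side_with_root(root_key: bytes, version_id: bytes, device_id: bytes) -> bytes:
    """[0172]: the manufacturer shipped the root key, so the owner-id stage is skipped."""
    return derive_model_key(root_key, version_id, device_id)


def check_properties() -> dict:
    """Properties the text relies on, evaluated on the constructed identifiers."""
    enc = manufacturer_side(VERSION_1, DEVICE_A)
    shipped_root = derive_root_key(BASE_ROOT_KEY, MODEL_OWNER_ID)
    return {
        "device_recovers_key": device_side(VERSION_1, DEVICE_A) == enc,
        "other_device_differs": device_side(VERSION_1, DEVICE_B) != enc,     # [0162]
        "other_version_differs": device_side(VERSION_2, DEVICE_A) != enc,    # [0162]
        "root_key_path_matches": device_side_with_root(shipped_root, VERSION_1, DEVICE_A) == enc,
    }


if __name__ == "__main__":
    for name, holds in check_properties().items():
        print(f"{name}: {holds}")
```

Because the device identifier enters only at the last stage, a manufacturer who has the root key can prepare per-device ciphertexts without ever holding the chip vendor's basic root key, which is the separation [0171] describes as the extra generation step.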

[0173] Step 808: The decryption circuit obtains the decryption key from the second register and decrypts the encrypted AI model based on the decryption key.

[0174] As shown in Figure 9, after obtaining the decryption key, the decryption circuit can perform a decryption operation on the encrypted AI model to obtain the plaintext model.

[0175] In Figure 9, a dashed box represents an operation implemented in hardware or in processed software, whose logic cannot be interfered with or tampered with by software; a solid box represents an operation implemented in software. Processed software refers to software that has undergone hardening or other modifications to prevent interference or tampering. As can be seen from Figure 9, the device identifier and root key of the model protection device 30 cannot be tampered with. Therefore, the encryption key generated based on the root key and the device identifier, and the AI model protected with that encryption key, achieve the protection of the AI model.

[0176] It should be noted that the actual form of the model protection device provided in this application embodiment can be set according to application requirements. For example, the actual form of the model protection device can be a system on a chip (SOC), which can be implemented by hardware such as circuits. Furthermore, the SOC can be a chip running in a secure environment (SE). The model protection device can be implemented using hardware or a combination of hardware and software, depending on the requirements. When the model protection device is implemented in hardware, the logic implemented by the hardware cannot be changed after the hardware is manufactured, preventing terminal manufacturers or malicious programs from tampering with the implementation logic of the model protection device, thereby achieving effective protection of the AI model. When the model protection device is implemented using a combination of hardware and software, specific measures can be applied to the software used to implement the model protection device to ensure that terminal manufacturers or malicious programs cannot tamper with the implementation logic of the model protection device, thereby achieving effective protection of the AI model.

[0177] For example, when the model protection device is implemented using a combination of hardware and software, the functions of the dedicated processor, memory controller, first register, and second register in the model protection device can be implemented in hardware, while the functions of the access control controller, decryption circuit, and key generation circuit can be implemented in software. For instance, the function of the access control controller is implemented through an access control module, the function of the decryption circuit is implemented through a decryption module, and the function of the key generation circuit is implemented through a key generation module, and the functions of all the above modules can be implemented by the processor executing a computer program.

[0178] In summary, the model protection device provided in this application provides an access control controller to authenticate read commands and generate an indication of whether to decrypt the AI model read from memory. When the AI model is stored in memory as an encrypted model, it can only be used successfully if the control signal indicates that the AI model should be decrypted; otherwise, it cannot be used. Therefore, by controlling the decryption process of the AI model, the copying, leakage, and misuse of the AI model can be prevented, thus protecting the AI model and contributing to the establishment of a sound AI model ecosystem and the construction of a safe and reasonable profit model. Furthermore, the model protection device provided in this application can be implemented on a single SOC, eliminating the need for additional SOC costs and the cost of interaction between different SOC chips, enabling low-cost security protection of AI models. Simultaneously, the authentication of read commands to protect the AI model also provides a technique for verifying the legality of commands, allowing this technique to be applied to similar scenarios requiring access control checks.

[0179] This application provides a model protection method. This model protection method is applied to a model protection device, which includes an access control controller and a memory controller. For example, this model protection method can be applied to the aforementioned model protection device provided in this application.

[0180] In this model protection method, the access control controller can obtain read commands, perform authentication operations on the read commands, and generate control signals based on the authentication results. The read commands are then sent to the memory controller, which can read the AI model from memory based on the read commands. In this way, the access control controller can control the decryption process of the AI model, preventing its leakage and misuse, and thus protecting the AI model.

[0181] The following section explains the implementation process of this model protection method, taking the model protection device shown in Figure 4 as an example. As shown in Figure 10, the model protection method includes:

[0182] Step 1001: The dedicated processor generates a read instruction and sends the read instruction to the access control controller.

[0183] Step 1002: The access control controller obtains the read address for reading the AI model contained in the read instruction, performs an authentication operation on the read instruction based on the read address, generates a control signal based on the authentication result, and sends the read instruction to the memory controller.

[0184] The control signals include a first control signal and a second control signal. The first control signal is used to instruct that the AI model is to be decrypted, and the second control signal is used to instruct that the AI model is not to be decrypted.

[0185] In one possible implementation, the access control controller generates control signals based on the authentication result, including: when the read address is a valid address, the access control controller generates a first control signal; when the read address is an invalid address, the access control controller generates a second control signal.

[0186] In another possible implementation, the control signals include a first control signal and a second control signal. The first control signal instructs that the AI model is to be decrypted, and the second control signal instructs that the AI model is not to be decrypted. The model protection device stores a decryption permission identifier, which indicates whether the AI model used by the current computing task is allowed to be decrypted. The access control controller generates control signals based on the authentication result, including: generating the first control signal when the read address is a valid address and meets specified conditions; and generating the second control signal when the read address is an invalid address and / or the specified conditions are not met. The specified conditions include at least one of the following: the decryption permission identifier indicates that the AI model used by the current computing task is allowed to be decrypted; or, the AI model is an encrypted model.

[0187] Optionally, the model protection device further includes: a first register, which stores the effective address range of the AI model in memory, and the access control controller performs an authentication operation on the read instruction, including: the access control controller reads the effective address range from the first register, and performs an authentication operation on the read instruction based on the effective address range and the read address.

[0188] Optionally, after the access control controller performs authentication on the read instruction, the model protection method further includes: when the read address is an illegal address, the access control controller sets the decryption permission flag to indicate that all AI models used by the current computing task are not allowed to be decrypted.

[0189] Optionally, after the access control controller performs authentication on the read command, the model protection method further includes: after completing the current computation task, the access control controller resets the decryption permission flag to indicate that decryption is allowed.

[0190] Step 1003: The memory controller reads the AI model from memory based on the read instruction and provides the AI model to the decryption circuit.

[0191] Step 1004: The decryption circuit receives the control signal generated by the access control controller, and under the instruction of the control signal, either decrypts the AI model and transmits it to the dedicated processor, or transmits the AI model to the dedicated processor without decryption.

[0192] Optionally, the model protection device further includes a key generation circuit. The model protection method further includes: the key generation circuit acquiring the root key of the model protection device, the version identifier of the AI model, and the device identifier of the model protection device, and generating a decryption key for decrypting the AI model based on the root key, the version identifier, and the device identifier.

[0193] Optionally, the model protection device further includes a second register for storing a decryption key. After the access control controller generates a control signal based on the authentication result, the model protection method further includes: the decryption circuit in the model protection device reads the decryption key from the second register and, under the instruction of the control signal, uses the decryption key to decrypt the AI model.

[0194] After storing the AI model in the memory 20, the driver module 10 can send an instruction to the key generation circuit 306 to generate a decryption key. That is, the key generation circuit begins generating the decryption key under the instruction of the driver module 10. Alternatively, the key generation circuit 306 can generate the decryption key before the AI model is stored in the memory 20. For example, after burning the AI model into the non-volatile storage medium of the computing device 0, the key generation circuit 306 can generate the decryption key for the AI model for subsequent decryption.

[0195] Step 1005: The dedicated processor executes the current computational task based on the AI model transmitted by the decryption circuit.
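The Figure 10 read path (steps 1001 to 1005 together with the optional behaviour of [0186] to [0189]) as an added Python model; this is illustrative code written for this page, not the patent's hardware or any Huawei implementation. The first register holds the effective address range, the second register holds the decryption key, the decryption permission flag is cleared by the first illegal read address and restored only when the task completes. Two assumptions are labelled in the code: the memory image and model bytes are constructed, and an HMAC-SHA256 keystream stands in for whatever block cipher the decryption circuit 304 would actually implement (the patent does not name one). The scenario at the end shows why the sticky flag matters: after one out-of-range read, even a correctly addressed read in the same task returns ciphertext.

```python
"""Figure 10 read path modelled in Python (added example, not the patent's
hardware). Cipher is an assumption: HMAC-SHA256 keystream as a stand-in for
the block cipher the decryption circuit would use."""
import hashlib
import hmac
from dataclasses import dataclass, field

FIRST_CONTROL_SIGNAL = "decrypt"       # [0184]: AI model is to be decrypted
SECOND_CONTROL_SIGNAL = "no-decrypt"   # [0184]: AI model is passed through as read


def keystream_xor(key: bytes, data: bytes) -> bytes:
    # Assumed stand-in cipher: HMAC-SHA256 in counter mode; same call encrypts and decrypts.
    out = bytearray()
    for offset in range(0, len(data), 32):
        ks = hmac.new(key, offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], ks))
    return bytes(out)


@dataclass
class ModelProtectionDevice:
    first_register: tuple          # (start, end): effective address range of the model ([0187])
    second_register: bytes         # decryption key written by the key generation circuit ([0193])
    memory: bytes                  # memory 20 as a flat byte image (constructed)
    model_encrypted: bool = True   # "the AI model is an encrypted model" condition of [0186]
    decryption_permitted: bool = True   # decryption permission flag
    log: list = field(default_factory=list)

    def authenticate(self, read_addr: int, length: int) -> str:
        """Access control controller 302 (step 1002): address check -> control signal."""
        start, end = self.first_register
        valid = start <= read_addr and read_addr + length <= end
        if not valid:
            # [0188]: one illegal address forbids decryption for the rest of the task
            self.decryption_permitted = False
        if valid and self.decryption_permitted and self.model_encrypted:
            return FIRST_CONTROL_SIGNAL
        return SECOND_CONTROL_SIGNAL

    def read_memory(self, read_addr: int, length: int) -> bytes:
        """Memory controller 301 (step 1003): the read itself is always performed here."""
        return self.memory[read_addr:read_addr + length]

    def decryption_circuit(self, signal: str, data: bytes) -> bytes:
        """Decryption circuit 304 (step 1004): decrypt or pass through, per the signal."""
        if signal == FIRST_CONTROL_SIGNAL:
            return keystream_xor(self.second_register, data)
        return data

    def read_instruction(self, read_addr: int, length: int) -> bytes:
        """One read instruction from the dedicated processor 303 (steps 1001 and 1005)."""
        signal = self.authenticate(read_addr, length)
        self.log.append((read_addr, signal))
        return self.decryption_circuit(signal, self.read_memory(read_addr, length))

    def task_complete(self) -> None:
        """[0189]: permission is restored once the current computing task ends."""
        self.decryption_permitted = True


# Constructed sample data: a 32-byte decryption key and a tiny "model" burned at 0x1000.
KEY = hashlib.sha256(b"constructed decryption key, not a real one").digest()
PLAIN_MODEL = b"weights:0.12,-0.33,0.91;bias:0.05"
MODEL_BASE = 0x1000
MEMORY_IMAGE = bytearray(0x2000)
MEMORY_IMAGE[MODEL_BASE:MODEL_BASE + len(PLAIN_MODEL)] = keystream_xor(KEY, PLAIN_MODEL)


def run_scenario() -> dict:
    """Valid read, then an out-of-range read, then a valid read in the tainted task,
    then a valid read after task completion."""
    n = len(PLAIN_MODEL)
    dev = ModelProtectionDevice((MODEL_BASE, MODEL_BASE + n), KEY, bytes(MEMORY_IMAGE))
    ok = dev.read_instruction(MODEL_BASE, n)
    rogue = dev.read_instruction(MODEL_BASE - 16, n)     # starts before the effective range
    after_rogue = dev.read_instruction(MODEL_BASE, n)    # right address, but flag is cleared
    dev.task_complete()
    recovered = dev.read_instruction(MODEL_BASE, n)
    return {"ok": ok, "rogue": rogue, "after_rogue": after_rogue,
            "recovered": recovered, "signals": [s for _, s in dev.log]}


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(name, value)
```

Note that the memory controller in this design still services the out-of-range read; what the design withholds is the decryption, so the bytes a rogue read obtains are only ever ciphertext. The second device of [0207] onward moves the gate in front of the memory controller instead.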

[0196] It should be noted that the order of steps in the model protection method provided in this application embodiment can be appropriately adjusted, and the steps can also be added or removed as appropriate. Any variation methods that can be easily conceived by those skilled in the art within the scope of the technology disclosed in this application should be included within the protection scope of this application, and therefore will not be elaborated further.

[0197] In summary, the model protection method provided in this application, by authenticating read commands through an access control controller, can generate an indication of whether to decrypt the AI model read from memory. When the AI model is stored in memory as an encrypted model, if the control signal indicates that the AI model should be decrypted, it is possible to successfully use the AI model; if the control signal indicates that the AI model should not be decrypted, it cannot be used. Therefore, by controlling the decryption process of the AI model, the copying, leakage, and misuse of the AI model can be prevented, thus protecting the AI model and contributing to the establishment of a sound AI model ecosystem and the construction of a safe and reasonable profit model. Furthermore, the model protection device provided in this application can be implemented on a single SOC, without incurring additional SOC costs or the cost of interaction between different SOC chips, enabling the security protection of AI models at a lower cost. Simultaneously, by authenticating read commands to protect the AI model, a technique for verifying the legality of commands is also provided, allowing the technique of verifying the legality of commands in this application to be applied to similar scenarios requiring permission checks.

[0198] Those skilled in the art will clearly understand that, for the sake of convenience and brevity, the implementation methods and specific working processes of each device in the model protection method described above can be referred to the corresponding content in the aforementioned model protection device provided in the embodiments of this application, and will not be repeated here.

[0199] This application provides a computer device. For example, as shown in Figure 11, the computer device 1100 includes a processor 1110, a communication interface 1120, and a memory 1130. The processor 1110, the communication interface 1120, and the memory 1130 are interconnected via a bus 1140. The memory 1130 stores a computer program. When the processor 1110 executes the computer program, the computer device implements the aforementioned model protection method provided in the embodiments of this application.

[0200] The bus 1140 can be divided into an address bus, a data bus, a control bus, etc. For ease of representation, the bus is represented in Figure 11 by a single thick line, but this does not mean that there is only one bus or one type of bus.

[0201] Memory 1130 may include volatile memory, such as random-access memory (RAM). Memory 1130 may also include non-volatile memory, such as flash memory, hard disk drive (HDD), or solid-state drive (SSD). Memory 1130 may also include combinations of the above types of memory.

[0202] The processor 1110 may be a hardware chip used to implement the model protection method provided in the embodiments of this application. The hardware chip may be an application-specific integrated circuit (ASIC), a programmable logic device (PLD), or a combination thereof. The PLD may be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), a generic array logic (GAL), or any combination thereof. Alternatively, the processor 1110 may also be a general-purpose processor, such as a central processing unit (CPU), a network processor (NP), or a combination of a CPU and an NP.

[0203] Accordingly, memory 1130 is used to store program instructions. Processor 1110 calls the program instructions stored in memory 1130 to execute one or more steps of the model protection method provided in the embodiments of this application, or optional implementations thereof, so that computer device 1100 implements the model protection method provided in the above-described method embodiments. For example, when processor 1110 calls the program instructions stored in memory 1120, computer device 1100 can execute the following steps executed by the access control controller: obtaining the read address for reading the AI model contained in the read instruction, performing an authentication operation on the read instruction based on the read address, generating a control signal based on the authentication result, and sending the read instruction to the memory controller. Furthermore, for the process by which computer device 1100 executes the computer instructions in memory 1120, reference can be made to the corresponding description in the foregoing embodiments.

[0204] The communication interface 1130 can be any one or any combination of the following devices: network interface (such as Ethernet interface), wireless network card, or other devices with network access function.

[0205] This application provides a computer-readable storage medium, which can be a non-transient readable storage medium storing instructions. When these instructions are executed by a processor, the computer performs the aforementioned model protection method provided in this application. The storage medium can be any available medium accessible to a computer or a data storage device such as a server or data center that integrates one or more available media. The available medium can be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., SSD).

[0206] This application also provides a computer program product that includes computer instructions, which, when executed by a computer device, perform the aforementioned model protection method provided in the embodiments of this application.

[0207] This application embodiment also provides another model protection device, which can authenticate the operation of reading the AI model and, based on the authentication result, determine whether to read the AI model from memory, so as to prevent the leakage and abuse of the AI model by controlling the process of reading it, thus protecting the AI model.

[0208] This model protection device can be deployed in a computing device. This application provides a computing device. The computing device can be a camera, desktop computer, mobile phone, tablet computer, smart TV, smart wearable device, vehicle communication device, computer, etc. The structural schematic diagram of this computing device is shown in Figure 2. As shown in Figure 2, the computing device 0 includes a driver module 10, memory 20, and a model protection device 30. The model protection device 30 includes a memory controller 301, an access control controller 302, and a dedicated processor 303. The driver module 10, memory 20, and dedicated processor 303 in the computing device 0 operate in the same manner as the corresponding devices in the computing device 0 of the previous embodiments, and this will not be repeated here.

[0209] The implementation of the model protection device 30 provided in the embodiments of this application will be described below. In one possible implementation, as shown in Figure 3, the model protection device 30 includes an access control controller 302 and a memory controller 301. The access control controller 302 acquires a read instruction, performs authentication on the read instruction, generates a read indication signal based on the authentication result, and sends the read indication signal and the read instruction to the memory controller 301. The read indication signal indicates whether reading the AI model from memory 20 is permitted. The memory controller 301, upon receiving the read indication signal, either reads the AI model from memory 20 based on the read instruction, or does not perform the operation of reading the AI model from memory 20 based on the read instruction.

[0210] The read indication signal includes a first read indication signal and a second read indication signal. The first read indication signal indicates that reading the AI model from memory 20 is permitted. The second read indication signal indicates that reading the AI model from memory 20 is not permitted. Accordingly, the access control controller 302 generates the first read indication signal when authentication of the read instruction is successful, and generates the second read indication signal when authentication of the read instruction fails.

[0211] Optionally, the read indication signal can also be used to indicate whether the AI model read from memory 20 should be decrypted. In this case, the access control controller 302 also sends the read indication signal to the decryption circuit 304 of the model protection device 30, so that the decryption circuit 304 performs the corresponding operation under the instruction of the read indication signal. Accordingly, the first read indication signal indicates that reading the AI model from memory 20 is permitted and that decryption of the AI model read from memory 20 is also permitted. The second read indication signal indicates that reading the AI model from memory 20 is not permitted and that decryption of the AI model read from memory 20 is also not permitted.

[0212] In another possible implementation, as shown in Figure 3, the model protection device 30 includes an access control controller 302 and a memory controller 301. The access control controller 302 is used to acquire read instructions, perform authentication operations on the read instructions, and determine whether to send the read instructions to the memory controller 301 based on the authentication result. Optionally, the access control controller 302 is used to send the read instructions to the memory controller 301 when the authentication of the read instructions is successful, so that the memory controller 301 can read the AI model from the memory 20 based on the read instructions; when the authentication of the read instructions fails, the read instructions are intercepted, so that the memory controller 301 does not receive the read instructions and thus cannot read the AI model requested by the read instructions from the memory 20.

[0213] Optionally, the access control controller 302 is specifically used to: obtain the read address for reading the AI model contained in the read instruction, and perform an authentication operation on the read instruction based on the read address.

[0214] In one possible implementation of the access control controller 302 authentication, the access control controller 302 is specifically used to: determine that the authentication of the read instruction is successful when the read address is a valid address, and determine that the authentication of the read instruction is unsuccessful when the read address is an invalid address.

[0215] In another possible implementation of the authentication by the access control controller 302, the model protection device 30 stores a decryption permission identifier. This identifier indicates whether the AI model used by the current computing task is allowed to be decrypted. Specifically, the access control controller 302 is used to: determine that the authentication of the read instruction is successful when the read address is a valid address and meets specified conditions; and determine that the authentication of the read instruction is unsuccessful when the read address is an invalid address and / or the specified conditions are not met. The specified conditions include at least one of the following: the decryption permission identifier indicates that the AI model used by the current computing task is allowed to be decrypted, or the AI model is an encrypted model.

[0216] Optionally, the access control controller 302 is also configured to: when the read address is an illegal address, set the decryption permission identifier to indicate that all AI models used by the current computing task are not allowed to be decrypted.

[0217] Optionally, the access control controller 302 is also configured to: reset the decryption permission flag to indicate that decryption is allowed after the current computing task is completed.

[0218] Optionally, as shown in Figure 4, the model protection device 30 also includes: a first register 305, which is used to store the effective address range of the AI model in the memory 20; correspondingly, the access control controller 302 is specifically used to read the effective address range from the first register 305 and perform authentication operations on the read instruction based on the effective address range and the read address.

[0219] And, as shown in Figure 4, the model protection device 30 further includes a decryption circuit 304 and a dedicated processor 303. The dedicated processor 303 generates read instructions and sends them to the access control controller 302. The decryption circuit 304 either decrypts the AI model and transmits the decrypted AI model to the dedicated processor 303, or transmits the AI model to the dedicated processor 303 without decryption. The dedicated processor 303 also performs the current computational task based on the AI model transmitted by the decryption circuit 304.

[0220] Furthermore, as shown in Figure 4, the model protection device 30 also includes a key generation circuit 306; the key generation circuit 306 is used to obtain the root key of the model protection device 30, the version identifier of the AI model and the device identifier of the model protection device 30, and generate a decryption key for decrypting the AI model based on the root key, the version identifier and the device identifier.

[0221] And, as shown in Figure 4, the model protection device 30 also includes a second register 307. The second register 307 is used to store the decryption key. Accordingly, the decryption circuit 304 in the model protection device 30 is specifically used to read the decryption key from the second register 307 and use the decryption key to decrypt the AI model.

[0222] In summary, the model protection device provided in this application authenticates read commands through an access control controller and controls, based on the authentication result, whether the AI model requested by the read command is read from memory. When the AI model is stored in memory as an encrypted model, it can only be read from memory and used successfully if authentication is successful. If authentication fails, the AI model cannot be read from memory and therefore cannot be used. Therefore, by controlling the process of reading the AI model from memory, the copying, leakage, and misuse of the AI model can be prevented, thus protecting the AI model and contributing to the establishment of a sound AI model ecosystem and the construction of a safe and reasonable profit model. Furthermore, the model protection device provided in this application can be implemented on a single SOC, eliminating the need for additional SOC costs and the cost of interaction between different SOC chips, enabling low-cost security protection of the AI model. Simultaneously, the authentication of read commands to protect the AI model also provides a technique for verifying the legality of commands, allowing this technique to be applied to similar scenarios requiring access control.

[0223] Those skilled in the art will clearly understand that, for the sake of convenience and brevity, the implementation methods and specific working processes of each device in the above-described model protection device can be referred to the corresponding content in the aforementioned model protection device provided in the embodiments of this application, and will not be repeated here.

[0224] This application provides a model protection method. This model protection method is applied to a model protection device, which includes an access control controller and a memory controller. For example, this model protection method can be applied to the aforementioned model protection device provided in this application.

[0225] In this model protection method, the access control controller can obtain read instructions, perform authentication operations on the read instructions, and control, based on the authentication result, whether the memory controller reads the AI model from memory. In this way, the access control controller can prevent the leakage and misuse of the AI model by controlling the process of reading the AI model from memory, thus protecting the AI model.

[0226] The following section explains the first implementation of this model protection method, taking the model protection device shown in Figure 4 as an example. As shown in Figure 12, the model protection method includes:

[0227] Step 1201: The dedicated processor generates a read instruction and sends the read instruction to the access control controller.

[0228] Step 1202: The access control obtains the read address for reading the AI ​​model contained in the read instruction, performs an authentication operation on the read instruction based on the read address, generates a read indication signal based on the authentication result, and sends the read indication signal and the read instruction to the memory controller.

[0229] The read indication signal includes a first read indication signal and a second read indication signal. The first read indication signal indicates that the AI model is to be read from memory; the second read indication signal indicates that the AI model is not to be read from memory. Accordingly, the access control controller generates the first read indication signal when authentication of the read instruction succeeds and generates the second read indication signal when authentication of the read instruction fails.

[0230] In one possible implementation, the access control controller performs the authentication operation on the read instruction as follows: authentication of the read instruction is determined to succeed when the read address is a valid address, and to fail when the read address is an invalid address.

[0231] In another possible implementation, the access control controller performs the authentication operation on the read instruction as follows: authentication of the read instruction is determined to succeed when the read address is a valid address and the specified conditions are met, and to fail when the read address is an invalid address and/or the specified conditions are not met. The specified conditions include at least one of the following: the decryption permission identifier indicates that the AI model used by the current computing task is allowed to be decrypted, or the AI model is an encrypted model.

[0232] Step 1203: As indicated by the read indication signal, the memory controller either reads the AI model from memory based on the read instruction and provides the AI model to the decryption circuit, or does not perform the operation of reading the AI model from memory based on the read instruction.

[0233] Step 1204: The decryption circuit decrypts the AI model and transmits the decrypted AI model to the dedicated processor, or transmits the AI model to the dedicated processor as is.

[0234] Step 1205: The dedicated processor executes the current computing task based on the AI model transmitted by the decryption circuit.

[0235] The following describes a second implementation of the model protection method, again taking the model protection device shown in Figure 4 as an example. As shown in Figure 13, the model protection method includes:

[0236] Step 1301: The dedicated processor generates a read instruction and sends the read instruction to the access control controller.

[0237] Step 1302: The access control controller obtains, from the read instruction, the read address for reading the AI model, performs an authentication operation on the read instruction based on the read address, and determines, based on the authentication result, whether to send the read instruction to the memory controller.

[0238] When authentication of the read instruction succeeds, the access control controller sends the read instruction to the memory controller and step 1303 is executed, so that the memory controller reads the AI model from memory based on the read instruction. When authentication of the read instruction fails, the read instruction is intercepted: the memory controller never receives it and therefore cannot read the AI model requested by the read instruction from memory, and the model protection process for this read instruction ends.

[0239] Step 1303: The memory controller reads the AI model from memory based on the read instruction and provides the AI model to the decryption circuit.

[0240] Step 1304: The decryption circuit decrypts the AI model and transmits the decrypted AI model to the dedicated processor, or transmits the AI model to the dedicated processor as is.

[0241] Step 1305: The dedicated processor executes the current computing task based on the AI model transmitted by the decryption circuit.
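The two flows above (Figure 12: a control signal steers the decryption circuit; Figure 13: a failed read instruction is intercepted before the memory controller) as an added software model that is not part of the patent; the register layout, the one-byte XOR standing in for the cipher, the memory contents and the choice to require both specified conditions are assumptions made for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed software model (not the patent's circuits) of the access control controller,
 * memory controller and decryption circuit; register layout, XOR "cipher" and memory
 * contents are assumptions made for this example. */
typedef enum { CTRL_DECRYPT = 1, CTRL_NO_DECRYPT = 2 } control_signal_t;
typedef struct {
    uint64_t valid_start, valid_end; /* first register: valid address range [start, end) */
    bool decrypt_permitted;          /* decryption permission identifier of the current task */
    bool model_encrypted;            /* whether the stored model is an encrypted model */
} access_ctrl_t;

#define MEM_SIZE 64
static uint8_t g_mem[MEM_SIZE];      /* constructed memory holding the encrypted model */

/* [0230] / claim 5: authenticate the read address against the valid address range. */
bool authenticate_address(const access_ctrl_t *ac, uint64_t addr, uint64_t len) {
    if (len == 0 || addr > UINT64_MAX - len || addr + len > MEM_SIZE) return false;
    return addr >= ac->valid_start && addr + len <= ac->valid_end;
}

/* [0231] / claim 3: control signal from the authentication result and the specified
 * conditions (this example requires both: identifier set and model encrypted). An illegal
 * address also clears the decryption permission identifier for the current task (claim 1). */
control_signal_t generate_control_signal(access_ctrl_t *ac, uint64_t addr, uint64_t len) {
    if (!authenticate_address(ac, addr, len)) {
        ac->decrypt_permitted = false;
        return CTRL_NO_DECRYPT;
    }
    return (ac->decrypt_permitted && ac->model_encrypted) ? CTRL_DECRYPT : CTRL_NO_DECRYPT;
}

/* Claim 4: the identifier is reset to "allowed" once the current task completes. */
void task_completed(access_ctrl_t *ac) { ac->decrypt_permitted = true; }

/* Toy decryption circuit: XOR with a one-byte key; under the second signal bytes pass through. */
static void decryption_circuit(control_signal_t sig, uint8_t *buf, uint64_t len, uint8_t key) {
    if (sig == CTRL_DECRYPT) for (uint64_t i = 0; i < len; i++) buf[i] ^= key;
}

/* Figure 13 flow (steps 1301-1305): a read instruction that fails authentication is
 * intercepted and never reaches the memory controller. Returns bytes delivered. */
uint64_t protected_read(access_ctrl_t *ac, uint64_t addr, uint64_t len, uint8_t key, uint8_t *out) {
    control_signal_t sig = generate_control_signal(ac, addr, len);   /* step 1302 */
    if (!authenticate_address(ac, addr, len)) return 0;             /* intercepted */
    memcpy(out, &g_mem[addr], len);                                   /* step 1303 */
    decryption_circuit(sig, out, len, key);                           /* step 1304 */
    return len;                                                       /* to processor */
}

/* Stores a constructed 4-byte model, encrypted with `key`, at address 16. */
void load_sample_model(uint8_t key) {
    const uint8_t plain[4] = {0xDE, 0xAD, 0xBE, 0xEF};
    for (int i = 0; i < 4; i++) g_mem[16 + i] = plain[i] ^ key;
}

int main(void) {
    uint8_t key = 0x5A, out[4] = {0};
    access_ctrl_t ac = { 16, 32, true, true };
    load_sample_model(key);
    uint64_t n = protected_read(&ac, 16, 4, key, out);
    printf("in-range read: %u bytes, first byte 0x%02X\n", (unsigned)n, out[0]);
    printf("out-of-range read: %u bytes\n", (unsigned)protected_read(&ac, 40, 4, key, out));
    printf("in-range read after illegal access: signal %d\n", (int)generate_control_signal(&ac, 16, 4));
    return 0;
}
```

Note that after one illegal read the next in-range read of the same task still gets the second control signal, so the plaintext can only flow again once the task completes and the identifier is reset.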

[0242] It should be noted that the order of steps in the model protection method provided in this application embodiment can be appropriately adjusted, and the steps can also be added or removed as appropriate. Any variation methods that can be easily conceived by those skilled in the art within the scope of the technology disclosed in this application should be included within the protection scope of this application, and therefore will not be elaborated further.

[0243] In summary, the model protection method provided in this application authenticates read instructions through an access control controller and, based on the authentication result, controls whether the AI model requested by the read instruction is read from memory. When the AI model is stored in memory in the form of an encrypted model, the AI model can be read from memory only if authentication succeeds, and only then can it be used successfully; if authentication fails, the AI model cannot be read from memory and therefore cannot be used. By controlling the process of reading the AI model from memory, copying, leakage and misuse of the AI model are prevented, thereby protecting the AI model, contributing to the establishment of a sound AI model ecosystem and enabling a safe and reasonable profit model. Furthermore, the model protection device provided in this application can be implemented on a single SOC, without the cost of additional SOC chips or of interaction between different SOC chips, so that the AI model is protected at low cost. At the same time, authenticating read instructions to protect the AI model also provides a technique for verifying the legality of instructions, which can be applied to scenarios requiring permission checks.

[0244] Those skilled in the art will understand that, for convenience and brevity of description, the implementation and specific operation of each component in the model protection method described above can be found in the corresponding description of the model protection device provided in the embodiments of this application, and are not repeated here.

[0245] This application provides a computer device. The computer device includes a processor, a communication interface, and a memory. The processor, communication interface, and memory are interconnected via a bus. The memory stores a computer program. When the processor executes the computer program, the computer device implements the aforementioned model protection method provided in this application. For the implementation and structure of this computer device, please refer to the corresponding content of the aforementioned computer device provided in this application.

[0246] This application provides a computer-readable storage medium, which can be a non-transient readable storage medium storing instructions. When these instructions are executed by a processor, the computer performs the aforementioned model protection method provided in this application. The storage medium can be any available medium accessible to a computer or a data storage device such as a server or data center that integrates one or more available media. The available medium can be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., SSD).

[0247] This application also provides a computer program product that includes computer instructions, which, when executed by a computer device, perform the aforementioned model protection method provided in the embodiments of this application.

[0248] Those skilled in the art will understand that all or part of the steps of the above embodiments can be implemented by hardware or by a program instructing related hardware. The program can be stored in a computer-readable storage medium, such as a read-only memory, a disk, or an optical disk.

[0249] The above description is merely an optional embodiment of this application and is not intended to limit this application. Any modifications, equivalent substitutions, improvements, etc., made within the principles of this application should be included within the protection scope of this application.

Claims

1. A model protection apparatus, characterized by comprising an access control controller and a memory controller, wherein: the access control controller is configured to obtain a read instruction, the read instruction being used to request reading of an artificial intelligence (AI) model from memory; the access control controller is further configured to obtain, from the read instruction, the read address for reading the AI model, to perform an authentication operation on the read instruction based on the read address, the authentication operation being used to authenticate the operation of reading the AI model, and to generate a control signal based on the authentication result, the control signal being used to indicate whether the AI model read from the memory is to be decrypted; when the AI model is stored in the memory in the form of an encrypted model, the AI model can be used successfully if the control signal indicates that the AI model is to be decrypted, and cannot be used if the control signal indicates that the AI model is not to be decrypted; the control signal includes a first control signal and a second control signal, the first control signal being used to indicate that the AI model is to be decrypted and the second control signal being used to indicate that the AI model is not to be decrypted; the model protection apparatus stores a decryption permission identifier, the decryption permission identifier being used to indicate whether the AI model used by the current computing task is allowed to be decrypted; the access control controller is further configured to set the decryption permission identifier to indicate that no AI model used by the current computing task is allowed to be decrypted when the read address is an illegal address; the access control controller is further configured to send the read instruction to the memory controller; and the memory controller is configured to read the AI model from the memory based on the read instruction.

2. The model protection apparatus according to claim 1, characterized in that the access control controller is specifically configured to: generate the first control signal when the read address is a valid address; and generate the second control signal when the read address is an illegal address.

3. The model protection apparatus according to claim 1, characterized in that the access control controller is specifically configured to: generate the first control signal when the read address is a valid address and the specified conditions are met; and generate the second control signal when the read address is an illegal address and/or the specified conditions are not met; the specified conditions including at least one of the following: the decryption permission identifier indicates that the AI model used by the current computing task is allowed to be decrypted; or the AI model is an encrypted model.

4. The model protection device according to claim 3, characterized in that the access control controller is further configured to: after the current computing task is completed, reset the decryption permission identifier to indicate that decryption is allowed.

5. The model protection device according to any one of claims 1 to 3, characterized in that the model protection device further includes a first register for storing the valid address range of the AI model in memory; and the access control controller is specifically configured to read the valid address range from the first register and perform the authentication operation on the read instruction based on the valid address range and the read address.

6. The model protection device according to any one of claims 1 to 3, characterized in that the model protection device further includes a decryption circuit and a dedicated processor; the dedicated processor is configured to generate the read instruction and send the read instruction to the access control controller; the decryption circuit is configured to receive the control signal generated by the access control controller and, as indicated by the control signal, either decrypt the AI model and transmit it to the dedicated processor or transmit the AI model to the dedicated processor; and the dedicated processor is further configured to execute the current computing task based on the AI model transmitted by the decryption circuit.

7. The model protection device according to any one of claims 1 to 3, characterized in that the model protection device further includes a key generation circuit; the key generation circuit is configured to obtain the root key of the model protection device, the version identifier of the AI model and the device identifier of the model protection device, and to generate, based on the root key, the version identifier and the device identifier, a decryption key for decrypting the AI model.

8. The model protection device according to claim 7, characterized in that the model protection device further includes a second register for storing the decryption key; and the decryption circuit in the model protection device is specifically configured to read the decryption key from the second register and, as indicated by the control signal, decrypt the AI model using the decryption key.

9. A computing device, characterized in that the computing device includes a memory and a model protection device according to any one of claims 1 to 8.

10. A model protection method, characterized in that the model protection method is applied to a model protection device including an access control controller and a memory controller, and the model protection method includes: the access control controller obtains a read instruction, the read instruction being used to request reading of an artificial intelligence (AI) model from memory; the access control controller obtains, from the read instruction, the read address for reading the AI model, performs an authentication operation on the read instruction based on the read address, the authentication operation being used to authenticate the operation of reading the AI model, and generates a control signal based on the authentication result, the control signal being used to indicate whether the AI model read from the memory is to be decrypted; when the AI model is stored in the memory in the form of an encrypted model, the AI model can be used successfully if the control signal indicates that the AI model is to be decrypted, and cannot be used if the control signal indicates that the AI model is not to be decrypted; the control signal includes a first control signal and a second control signal, the first control signal being used to indicate that the AI model is to be decrypted and the second control signal being used to indicate that the AI model is not to be decrypted; the model protection device stores a decryption permission identifier, the decryption permission identifier being used to indicate whether the AI model used by the current computing task is allowed to be decrypted; when the read address is an illegal address, the access control controller sets the decryption permission identifier to indicate that no AI model used by the current computing task is allowed to be decrypted; the access control controller sends the read instruction to the memory controller; and the memory controller reads the AI model from the memory based on the read instruction.

11. The model protection method according to claim 10, characterized in that the access control controller generating the control signal based on the authentication result includes: when the read address is a valid address, the access control controller generates the first control signal; and when the read address is an illegal address, the access control controller generates the second control signal.

12. The model protection method according to claim 10, characterized in that the access control controller generating the control signal based on the authentication result includes: when the read address is a valid address and the specified conditions are met, the access control controller generates the first control signal; and when the read address is an illegal address and/or the specified conditions are not met, the access control controller generates the second control signal; the specified conditions including at least one of the following: the decryption permission identifier indicates that the AI model used by the current computing task is allowed to be decrypted; or the AI model is an encrypted model.

13. The model protection method according to claim 12, characterized in that, after the access control controller performs the authentication operation on the read instruction, the model protection method further includes: after the current computing task is completed, the access control controller resets the decryption permission identifier to indicate that decryption is allowed.

14. The model protection method according to any one of claims 10 to 12, characterized in that the access control controller performing the authentication operation on the read instruction includes: the access control controller reads the valid address range of the AI model in memory from the first register, and performs the authentication operation on the read instruction based on the valid address range and the read address.

15. The model protection method according to any one of claims 10 to 12, characterized in that the model protection device further includes a decryption circuit and a dedicated processor; before the access control controller obtains the read instruction, the model protection method further includes: the dedicated processor generates the read instruction and sends the read instruction to the access control controller; and after the access control controller generates the control signal based on the authentication result, the model protection method further includes: the decryption circuit receives the control signal generated by the access control controller and, as indicated by the control signal, either decrypts the AI model and transmits it to the dedicated processor or transmits the AI model to the dedicated processor; and the dedicated processor executes the current computing task based on the AI model transmitted by the decryption circuit.

16. The model protection method according to any one of claims 10 to 12, characterized in that the model protection device further includes a key generation circuit, and the model protection method further includes: the key generation circuit obtains the root key of the model protection device, the version identifier of the AI model and the device identifier of the model protection device, and generates, based on the root key, the version identifier and the device identifier, a decryption key for decrypting the AI model.

17. The model protection method according to claim 16, characterized in that the model protection device further includes a second register for storing the decryption key; and after the access control controller generates the control signal based on the authentication result, the model protection method further includes: the decryption circuit in the model protection device reads the decryption key from the second register and, as indicated by the control signal, decrypts the AI model using the decryption key.