How to hide or encrypt my own Keras model file (like .h5) when deploying?


Question

I made my own model for an application and saved it in Keras as an .h5 file. I made a GUI application using PyQt5, and this application uses the model. I'm trying to deploy this application without any information about the deep learning model. I have some questions about this situation.

  1. Can I hide or encrypt my model to prevent its architecture and weights from being exposed?
  2. If Keras doesn't support encrypting models, is there another library (such as PyTorch) that supports this?

I'm looking forward to hearing any advice. Thank you for your answer.

Recommended answer

Model encryption is not officially part of either Keras or PyTorch.

I think Python is a big problem if you want to hide something. AFAIK it's not really possible to hide your solution well enough using it. I will outline what I would do to "protect" the model (those are quite lengthy, so make sure you really need this protection [or what level of protection exactly]).

There exists PySyft, which handles both PyTorch and Keras, but it's used for Secure Multi-Party Computation. As users have access to your Python code (you mentioned PyQt5) and all the sensitive data (the model in this case), they would be able to recover it quite easily.

If I were you I would go for a simple password-protected archive (AES or .zip). For the first case I've found this post and the related TFSecured repository, which does AES encryption of a TensorFlow model via Python and allows you to load the saved encrypted protobuf model file in C++ (which should be your way to go, reasons below).

If you want to seriously secure your model (not some kind of mere obfuscation) you shouldn't use Python on the user's side at all.

There is no way to compile Python code, especially code using heavy ML libraries like Keras, TensorFlow or PyTorch. Although there are programs like PyInstaller, it's notoriously hard to make them work with complex dependencies. Even if you do, users will still be able to get to the code, albeit it might be a little harder (PyInstaller just bundles Python, your dependencies and the app as a single archive which is later unzipped).

You could further obfuscate the code using pyarmor or the like, but it's all quite easily reversible if someone's determined.

Whether you go for keras/tensorflow or pytorch, you can go lower level and use C++ to load your network.

As it is a compiled language, all you have to do is provide a binary file (if linking statically) or a binary file with shared libraries. Inside the C++ source code you keep your AES/zip key, as shown by the blog post about TFSecured:

    #include <iostream>
    #include <memory>
    #include <string>

    #include <tensorflow/core/framework/graph.pb.h>   // tensorflow::GraphDef
    #include <tensorflow/core/public/session.h>       // tensorflow::Session, NewSession, SessionOptions
    #include <GraphDefDecryptor.hpp>                  // tfsecured::GraphDefDecryptAES

    ........

    tensorflow::GraphDef graph;
    // Decryption: the key is compiled into the binary, so it is not a separate file
    const std::string key = "JHEW8F7FE6F8E76W8F687WE6F8W8EF5";
    auto status = tfsecured::GraphDefDecryptAES(path,         // path to *.pb file (encrypted graph)
                                                graph,        // decrypted graph is written here
                                                key);         // your key
    if (!status.ok()) {
        std::cout << status.error_message() << std::endl;
        return;
    }

    // Create session from the decrypted in-memory graph:
    tensorflow::SessionOptions options;
    std::unique_ptr<tensorflow::Session> session(tensorflow::NewSession(options));
    status = session->Create(graph);

It would be much harder to reverse engineer compiled C++ code to get to the key buried inside. A similar procedure could be done for PyTorch as well via some third-party tools/libraries. On the other hand, you would have to rewrite your PyQt5 app in C++ with Qt5.
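The "encrypted archive" approach the answer recommends, worked through on the Python side as an added example (this is not code from the question, the answer, or the TFSecured project): the serialized model is encrypted at rest with a key derived from a password, integrity-checked before any decryption so a tampered or truncated file is rejected, and decrypted into a memory buffer rather than a plaintext temp file. It uses only the standard library so it runs anywhere: the keystream is HMAC-SHA256 in counter mode (a PRF-based stream cipher) and authentication is a separate HMAC tag over header and ciphertext (encrypt-then-MAC with independent derived keys). The container format (the `ENCMODEL1` tag, salt/nonce layout) and the function names are assumptions of this example; in a real deployment you would use AES-GCM from the `cryptography` package, with the same file layout and the same key-handling lesson.

```python
"""Added example: encrypt a serialized model file at rest, verify it, and
decrypt it into memory at load time.  Standard library only."""
import hashlib
import hmac
import io
import os
import struct

MAGIC = b"ENCMODEL1"   # constructed format tag for this example
SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32           # HMAC-SHA256 output
BLOCK = 32             # bytes of keystream per counter step (SHA-256 output size)
HDR_LEN = len(MAGIC) + SALT_LEN + NONCE_LEN


def _derive_keys(password: bytes, salt: bytes):
    """PBKDF2-HMAC-SHA256 -> 64 bytes, split into an encryption key and a MAC key."""
    km = hashlib.pbkdf2_hmac("sha256", password, salt, 200_000, dklen=64)
    return km[:32], km[32:]


def _keystream_xor(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with HMAC(enc_key, nonce || counter) blocks; the same call decrypts."""
    out = bytearray()
    for ctr, i in enumerate(range(0, len(data), BLOCK)):
        ks = hmac.new(enc_key, nonce + struct.pack(">Q", ctr), hashlib.sha256).digest()
        chunk = data[i:i + BLOCK]
        x = int.from_bytes(chunk, "big") ^ int.from_bytes(ks[:len(chunk)], "big")
        out += x.to_bytes(len(chunk), "big")
    return bytes(out)


def _split(blob: bytes):
    """Parse MAGIC || salt || nonce || ciphertext || tag, rejecting short or foreign files."""
    if len(blob) < HDR_LEN + TAG_LEN or not blob.startswith(MAGIC):
        raise ValueError("not an encrypted model file")
    salt = blob[len(MAGIC):len(MAGIC) + SALT_LEN]
    nonce = blob[len(MAGIC) + SALT_LEN:HDR_LEN]
    return salt, nonce, blob[HDR_LEN:-TAG_LEN], blob[-TAG_LEN:]


def encrypt_model(plaintext: bytes, password: bytes) -> bytes:
    """Fresh salt and nonce per file; tag covers header and ciphertext."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = _derive_keys(password, salt)
    header = MAGIC + salt + nonce
    body = _keystream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, header + body, hashlib.sha256).digest()
    return header + body + tag


def is_authentic(blob: bytes, password: bytes) -> bool:
    """Constant-time tag check; False for wrong password, tampering or truncation."""
    try:
        salt, _, _, tag = _split(blob)
    except ValueError:
        return False
    _, mac_key = _derive_keys(password, salt)
    expected = hmac.new(mac_key, blob[:-TAG_LEN], hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)


def decrypt_model(blob: bytes, password: bytes) -> bytes:
    """Verify first, then decrypt; never hand unverified bytes to the model loader."""
    salt, nonce, body, tag = _split(blob)
    enc_key, mac_key = _derive_keys(password, salt)
    expected = hmac.new(mac_key, blob[:-TAG_LEN], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong password or tampered file")
    return _keystream_xor(enc_key, nonce, body)


def open_encrypted_model(path: str, password: bytes) -> io.BytesIO:
    """Decrypt into a memory buffer so the plaintext model never touches disk.
    The client still has to hold `password`, which is the limit the answer describes:
    whoever controls the machine that runs this can recover the model."""
    with open(path, "rb") as f:
        return io.BytesIO(decrypt_model(f.read(), password))


if __name__ == "__main__":
    # Constructed stand-in for the bytes of model.h5; a real file would be read from disk.
    fake_model = bytes(range(256)) * 40
    with open("model.h5.enc", "wb") as f:
        f.write(encrypt_model(fake_model, b"deployment-secret"))
    buf = open_encrypted_model("model.h5.enc", b"deployment-secret")
    print("round trip ok:", buf.getvalue() == fake_model)
```

Whether the resulting `BytesIO` can be passed straight to the model loader depends on the Keras version; if it cannot, the fallback is a file in a directory only the current user can read, deleted immediately after loading. Either way the password (or the key derived from it) has to be present at run time, which is exactly why the answer steers a serious deployment toward a compiled loader.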
