How to hide or encrypt my own keras model file (like h5) when deploying?


Problem description

I made my own model for an application and saved it in Keras as a .h5 file. I made a GUI application using PyQt5, and this application uses the model. I'm trying to deploy this application without exposing any information about the deep learning model. I have some questions about this situation.

  1. Can I hide or encrypt my model to prevent its architecture and weights from being exposed?
  2. If Keras doesn't support encrypting models, is there another library (like PyTorch) that supports this?

I'm looking forward to hearing any advice. Thank you for your answer.

Recommended answer

Model encryption is not officially part of either Keras or PyTorch.

I think Python is a big problem if you want to hide something. AFAIK it's not really possible to hide your solution well enough using it. I will outline what I would do to "protect" the model (those steps are quite lengthy, so make sure you really need this protection [or what level of protection exactly]).

There exists PySyft, which handles both PyTorch and Keras, but it's used for Secure Multi-Party Computation. As users have access to your Python code (you mentioned PyQt5) and all the sensitive data (the model in this case), they would be able to recover it quite easily.

If I were you I would go for a simple password-protected archive (AES or .zip). For the first case I've found this post and the related TFSecured repository, which does AES encryption of a TensorFlow model via Python and allows you to load the saved encrypted protobuf model file in C++ (which should be your way to go, reasons below).

If you want to seriously secure your model (not some kind of mere obfuscation), you shouldn't use Python on the user's side at all.

There is no way to compile Python code, especially code using heavy ML libraries like Keras, TensorFlow or PyTorch. Although there are programs like PyInstaller, it's notoriously hard to make them work with complex dependencies. Even if you do, users will still be able to get to the code, albeit it might be a little harder (PyInstaller just bundles Python, your dependencies and your app as a single archive which is later unzipped).

You could further obfuscate the code using pyarmor or the like, but it's all quite easily reversible if someone's determined.

Whether you go for Keras/TensorFlow or PyTorch, you can go lower level and use C++ to load your network.

As it is a compiled language, all you have to do is provide a binary file (if linking statically) or a binary file with shared libraries. Inside the C++ source code you keep your AES/zip key, as shown in the blog post about TFSecured:

    #include <GraphDefDecryptor.hpp>            // from the TFSecured repository
    #include <tensorflow/core/public/session.h>

    #include <iostream>
    #include <memory>
    #include <string>

    using tensorflow::NewSession;
    using tensorflow::Session;
    using tensorflow::SessionOptions;

    // Decrypts an AES-encrypted *.pb graph and creates a session for it.
    void LoadEncryptedGraph(const std::string& path) {
        tensorflow::GraphDef graph;

        // Decryption: the key is compiled into the binary, not kept in a script.
        const std::string key = "JHEW8F7FE6F8E76W8F687WE6F8W8EF5";
        auto status = tfsecured::GraphDefDecryptAES(path,   // path to *.pb file (encrypted graph)
                                                    graph,
                                                    key);   // your key
        if (!status.ok()) {
            std::cout << status.error_message() << std::endl;
            return;
        }

        // Create session:
        SessionOptions options;
        std::unique_ptr<Session> session(NewSession(options));
        status = session->Create(graph);
        if (!status.ok()) {
            std::cout << status.error_message() << std::endl;
        }
    }

It would be much harder to reverse engineer compiled C++ code to get to the key buried inside. A similar procedure could be done for PyTorch as well via some third-party tools/libraries. On the other hand, you would have to rewrite your PyQt5 app in C++ with Qt5.
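The encrypt-at-build-time, decrypt-at-load-time flow the answer describes, written out as an added example (this is not code from the answer, from TFSecured or from Keras). It uses AES-256-GCM so that a wrong key or a modified file is rejected rather than silently producing a corrupted graph, and it decrypts into memory rather than to a temporary .h5 on disk. It assumes the `cryptography` package is installed; the key, the envelope header `MAGIC` and the stand-in "model" bytes are constructed for the demo. The caveat from the answer still applies: whoever has the loader has the key, so this is integrity protection plus obfuscation, not secrecy against a determined user.

```python
"""Encrypt a model file at build time, decrypt it in memory at load time (AES-256-GCM).

Added example; not code from the answer, TFSecured or Keras. Assumes the
`cryptography` package is installed. The key, the envelope header and the
sample "model" bytes are constructed for the demo.
"""
import io
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

MAGIC = b"ENCMODEL1"   # hypothetical envelope header; also bound as GCM AAD
NONCE_LEN = 12         # 96-bit nonce, the size GCM is specified for
TAG_LEN = 16           # GCM tag appended to the ciphertext by AESGCM

# Constructed demo key. In a real build it comes from a secrets store and is
# compiled into the loader, which is the weak link the answer points out:
# whoever has the loader binary has the key.
DEMO_KEY = bytes(range(32))

# Constructed stand-in for model.h5: the 8-byte HDF5 signature plus padding.
DEMO_MODEL = b"\x89HDF\r\n\x1a\n" + b"\x00" * 64


def encrypt_model(plaintext: bytes, key: bytes) -> bytes:
    """Return MAGIC || nonce || ciphertext || tag for one model file."""
    if len(key) not in (16, 24, 32):
        raise ValueError("AES key must be 16, 24 or 32 bytes")
    nonce = os.urandom(NONCE_LEN)  # fresh random nonce per encryption
    ct = AESGCM(key).encrypt(nonce, plaintext, MAGIC)
    return MAGIC + nonce + ct


def decrypt_model(envelope: bytes, key: bytes) -> bytes:
    """Inverse of encrypt_model; raises InvalidTag on a wrong key or tampering."""
    if not envelope.startswith(MAGIC):
        raise ValueError("not an encrypted model envelope")
    body = envelope[len(MAGIC):]
    if len(body) < NONCE_LEN + TAG_LEN:
        raise ValueError("envelope too short")
    nonce, ct = body[:NONCE_LEN], body[NONCE_LEN:]
    return AESGCM(key).decrypt(nonce, ct, MAGIC)


def open_model_in_memory(envelope: bytes, key: bytes) -> io.BytesIO:
    """Decrypt into a file-like object so the plaintext never touches disk.

    h5py can open a BytesIO directly (h5py.File(buf, "r")), so the decrypted
    HDF5 bytes can be handed to Keras without writing a temporary .h5 file.
    """
    return io.BytesIO(decrypt_model(envelope, key))


def tamper_is_detected(envelope: bytes, key: bytes) -> bool:
    """Flip one ciphertext byte and confirm GCM rejects the result."""
    pos = len(MAGIC) + NONCE_LEN  # first ciphertext byte
    damaged = envelope[:pos] + bytes([envelope[pos] ^ 0x01]) + envelope[pos + 1:]
    try:
        decrypt_model(damaged, key)
    except InvalidTag:
        return True
    return False


def wrong_key_is_rejected(envelope: bytes, wrong_key: bytes) -> bool:
    """A wrong key must fail authentication, not yield garbage plaintext."""
    try:
        decrypt_model(envelope, wrong_key)
    except InvalidTag:
        return True
    return False


def roundtrip_ok(model: bytes = DEMO_MODEL, key: bytes = DEMO_KEY) -> bool:
    """Encrypt then decrypt in memory and compare with the original bytes."""
    return open_model_in_memory(encrypt_model(model, key), key).getvalue() == model


if __name__ == "__main__":
    env = encrypt_model(DEMO_MODEL, DEMO_KEY)
    print("roundtrip ok:", roundtrip_ok())
    print("tamper detected:", tamper_is_detected(env, DEMO_KEY))
    print("wrong key rejected:", wrong_key_is_rejected(env, bytes(32)))
    # At build time you would write `env` next to the app as e.g. model.h5.enc
    # and ship only the encrypted file.
```

The header is passed as associated data so that an attacker cannot splice a ciphertext into a different envelope format without the tag check failing, and the nonce is drawn fresh per file because reusing a nonce under the same GCM key leaks the XOR of the plaintexts and breaks the authentication. For the production loader, the same envelope can be decrypted in C++ (as the answer suggests) with any AES-GCM implementation, provided it reads the same MAGIC || nonce || ciphertext || tag layout.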

