 

How to hide or encrypt my own keras model file(like h5) when deploying?

I made my own model for an application and saved it in Keras as an .h5 file, and I made a GUI application using PyQt5 that uses this model. I'm trying to deploy this application without any information about the deep learning model. I have some questions about this situation.

  1. Can I hide or encrypt my model to prevent its architecture and weight exposure?
  2. If Keras doesn't support encrypting models, are there any other libraries (like PyTorch) that support this function?

I'm looking forward to hearing any advice. Thank you for your answer.

Twinparadox asked Apr 16 '20 07:04



1 Answer

Model encryption is not officially part of either Keras or PyTorch.

I think Python is a big problem if you want to hide something. AFAIK it's not really possible to hide your solution well enough using it, so I will outline what I would do to "protect" the model (this is quite lengthy, so make sure you really need this protection [or what level of protection exactly]).

Provided Python solutions

There exists PySyft which handles both PyTorch and Keras, but it's used for Secure Multi-Party Computation. As users have access to your Python code (you mentioned PyQt5) and all the sensitive data (the model in this case), they would be able to recover it quite easily.

Possible solution

If I were you I would go for a simple password-protected archive (AES or .zip). For the first case I've found this post and the related TFSecured repository, which does AES encryption of a tensorflow model via Python and allows you to load the saved encrypted protobuf model file in C++ (which should be your way to go, reasons below).

Leave Python alone

If you want to seriously secure your model (not some kind of mere obfuscation) you shouldn't use Python on the user's side at all.

There is no way to compile Python code, especially code using heavy ML libraries like Keras, Tensorflow or PyTorch. Although there are programs like PyInstaller, it's notoriously hard to make them work with complex dependencies. Even if you do, users will still be able to get to the code, although it might be a little harder (PyInstaller just bundles Python, your dependencies and your app as a single archive which is later unzipped).

You could further obfuscate the code using pyarmor or the like, but it's all quite easily reversible if someone's determined.

C++

Whether you go for keras/tensorflow or pytorch you can go lower level and use C++ to load your network.

As it is a compiled language, all you have to do is provide a binary file (if linking statically) or a binary file with shared libraries. Inside the C++ source code you keep your AES/zip key, as shown by the blog post about TFSecured:

    #include <iostream>
    #include <memory>
    #include <string>

    #include <GraphDefDecryptor.hpp>
    #include <tensorflow/core/public/session.h>

    ........

    // Decrypts the AES-encrypted *.pb graph at `path` and loads it into a session.
    void loadEncryptedGraph(const std::string& path) {
        tensorflow::GraphDef graph;
        // Decryption:
        const std::string key = "JHEW8F7FE6F8E76W8F687WE6F8W8EF5";
        auto status = tfsecured::GraphDefDecryptAES(path,         // path to *.pb file (encrypted graph)
                                                    graph,
                                                    key);         // your key
        if (!status.ok()) {
            std::cout << status.error_message() << std::endl;
            return;
        }

        // Create session:
        tensorflow::SessionOptions options;
        std::unique_ptr<tensorflow::Session> session(tensorflow::NewSession(options));
        status = session->Create(graph);
    }

It would be much harder to reverse engineer compiled C++ code to get to the key buried inside. A similar procedure could be done for PyTorch as well via some third-party tools/libraries. On the other hand, you would have to rewrite your PyQt5 app in C++ with Qt5.

Szymon Maszke answered Oct 07 '22 09:10
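The developer-side half of the "password-protected archive (AES)" route from the answer above, as an added example that is not part of the original post or of TFSecured: the model file is encrypted under a key derived from a passphrase and authenticated so a tampered or wrongly-decrypted file is rejected before it reaches the model loader. It uses only the Python standard library, so an HMAC-SHA256 counter-mode keystream stands in for AES-GCM (a real deployment would use AES-GCM from the `cryptography` package); the sample bytes, the `ENCMDL1` container header and all function names are constructed for this example.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the contents of model.h5 (starts with the real HDF5 signature).
SAMPLE_MODEL_BYTES = b"\x89HDF\r\n\x1a\n" + b"constructed fake h5 payload " * 40

MAGIC = b"ENCMDL1"          # constructed container header: MAGIC | salt(16) | nonce(16) | ciphertext | tag(32)
HEADER_LEN = len(MAGIC) + 32
TAG_LEN = 32

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stdlib stand-in for an AES-CTR keystream)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def derive_keys(passphrase: str, salt: bytes) -> tuple[bytes, bytes]:
    """Separate encryption and MAC keys from one passphrase via PBKDF2-HMAC-SHA256."""
    master = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000, dklen=64)
    return master[:32], master[32:]

def encrypt_model(plaintext: bytes, passphrase: str) -> bytes:
    """Encrypt-then-MAC the model bytes; fresh salt and nonce per file."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_key, mac_key = derive_keys(passphrase, salt)
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    header = MAGIC + salt + nonce
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    return header + ciphertext + tag

def decrypt_model(blob: bytes, passphrase: str) -> bytes:
    """Verify the tag in constant time, then decrypt; raises ValueError on any mismatch."""
    if not blob.startswith(MAGIC) or len(blob) < HEADER_LEN + TAG_LEN:
        raise ValueError("not an encrypted model container")
    salt, nonce = blob[len(MAGIC):len(MAGIC) + 16], blob[len(MAGIC) + 16:HEADER_LEN]
    ciphertext, tag = blob[HEADER_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, blob[:HEADER_LEN] + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong passphrase or tampered model file")
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))

if __name__ == "__main__":
    blob = encrypt_model(SAMPLE_MODEL_BYTES, "build-time passphrase")   # write this to model.h5.enc
    assert decrypt_model(blob, "build-time passphrase") == SAMPLE_MODEL_BYTES
```

The decrypted bytes can be handed to the loader in memory (for example through `io.BytesIO` and `h5py.File`) so the plaintext never touches disk; the passphrase still has to exist wherever decryption happens, which is exactly why the answer moves that step into a compiled C++ loader.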