One possible solution is to use cryptography to protect models as they are deployed and stored on edge devices. Model encryption, decryption and authentication are not provided by OpenVINO™ but can be implemented with third-party tools, like OpenSSL*. While implementing encryption, ensure that you use the latest versions of tools and follow cryptography best practices.
This guide demonstrates how to use OpenVINO securely with protected models.
After a model is optimized by the OpenVINO Model Optimizer, it's then deployed to target devices in the Intermediate Representation (IR) format. An optimized model is stored on an edge device and executed by the Inference Engine.
To protect deep-learning models, you can encrypt an optimized model before deploying it to the edge device. The edge device should keep the stored model protected at all times and have the model decrypted in runtime only for use by the Inference Engine.
The OpenVINO Inference Engine requires model decryption before loading. Allocate a temporary memory block for model decryption, and use
InferenceEngine::Core::ReadNetwork method to load the model from memory buffer. For more information, see the
InferenceEngine::Core Class Reference Documentation.
Hardware-based protection, such as Intel® Software Guard Extensions (Intel® SGX), can be utilized to protect decryption operation secrets and bind them to a device. For more information, go to Intel® Software Guard Extensions.
InferenceEngine::Core::ReadNetwork() to set model representations and weights respectively.
Currently there are no possibility to read external weights from memory for ONNX models. The
ReadNetwork(const std::string& model, const Blob::CPtr& weights) function should be called with
weights passed as an empty