Once the model is deployed, the real-time unlabeled data that is provided as input to the model can also be tampered with. The trained model is used for inference and provides a label to this data. To protect data against tampering, we need to protect the data at rest and in communication. To protect the data at rest, symmetric encryption can be used to encode it. To transfer the data, SSL/TLS-based secure channels can be established to provide a secure tunnel. This secure tunnel can be used to transfer the symmetric key and the data can be decrypted on the server before it is provided to the trained model.
This is one of the more efficient and foolproof ways to protect data against tampering.
Symmetric encryption can also be used to encrypt a model when it has been trained, before deploying it to a server. This will prevent any unauthorized access to the model before it is deployed.
Let's see how we can encrypt a trained model at the source, using symmetric encryption with the help of the following steps, and then decrypt it at the destination before using it:
- Let's first train a simple model using the Iris dataset:
import cryptography as crypt
from sklearn.linear_model
import LogisticRegression
from cryptography.fernet
import Fernet from sklearn.model_selection
import train_test_split
from sklearn.datasets import load_iris
iris = load_iris()
X = iris.data
y = iris.target
X_train, X_test, y_train, y_test = train_test_split(X, y)
model = LogisticRegression()
model.fit(X_train, y_train)
- Now, let's define the names of the files that will store the model:
filename_source = 'myModel_source.sav'
filename_destination = "myModel_destination.sav"
filename_sec = "myModel_sec.sav"
Note that filename_source is the file that will store the trained unencrypted model at the source. filename_destination is the file that will store the trained unencrypted model at the destination, and filename_sec is the encrypted trained model.
- We will use pickle to store the trained model in a file:
from pickle import dump dump(model, open(filename_source, 'wb'))
- Let's define a function named write_key() that will generate a symmetric key and store it in a file named key.key:
def write_key():
key = Fernet.generate_key()
with open("key.key", "wb") as key_file:
key_file.write(key)
- Now, let's define a function named load_key() that can read the stored key from the key.key file:
def load_key():
return open("key.key", "rb").read()
- Next, let's define an encrypt() function that can encrypt and train the model, and store it in a file named filename_sec:
def encrypt(filename, key):
f = Fernet(key)
with open(filename_source,"rb") as file:
file_data = file.read()
encrypted_data = f.encrypt(file_data)
with open(filename_sec,"wb") as file:
file.write(encrypted_data)
- We will use these functions to generate a symmetric key and store it in a file. Then, we will read this key and use it to store our trained model in a file named filename_sec:
write_key()
encrypt(filename_source,load_key())
Now the model is encrypted. It will be transferred to the destination where it will be used for prediction:
- First, we will define a function named decrypt() that we can use to decrypt the model from filename_sec to filename_destination using the key stored in the key.key file:
def decrypt(filename, key):
f = Fernet(key)
with open(filename_sec, "rb") as file:
encrypted_data = file.read()
decrypted_data = f.decrypt(encrypted_data)
with open(filename_destination, "wb") as file: file.write(decrypted_data)
- Now let's use this function to decrypt the model and store it in a file named filename_destination:
decrypt(filename_sec,load_key())
- Now let's use this unencrypted file to load the model and use it for predictions:
Note that we have used symmetric encryption to encode the model. The same technique can be used to encrypt data as well, if needed.