
Data Security Solution for the Artificial Intelligence Industry

2025-04-07 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

I. Background of requirements

Artificial intelligence has three core elements: algorithms, computing power and data. In addition to algorithms and computing power, the most important core factor is data. Realizing artificial intelligence involves two stages: preparing the data and training the model. Data preparation accounts for more than 70% of the workload, but the more important labor behind the data is data preprocessing, model selection and parameter tuning.

During data preprocessing, large amounts of data have to be transferred on personal PCs, which can easily amount to data leakage: large volumes of data can be taken out through network access, outbound network transfers and similar behaviors, and the various network transmission methods are the main channels through which data leaks. Model selection and training are generally carried out on company servers, but some models with low resource requirements are trained on personal PCs. Transferring model data between personal PCs and company servers may leak both the model training results and the data.

Storage is also a major risk. The disk is the main medium of data storage, and a terminal's day-to-day data is saved on the local hard disk. At any stage, stored data faces a serious security threat, and disk theft or laptop loss puts the data on the disk at great risk. When data is exported from other core business systems, it also ends up on the local disk, where it can easily be copied out by removing the hard disk or by similar means. Even with many audits or other controls, data can still be taken out through multiple systems or through links to other systems.

II. Requirements for data protection

Internal protection requirements

Internal protection mainly means managing and controlling the code written by software developers, the training materials used by algorithm trainers and the algorithm models they generate.

External protection requirements

External protection mainly concerns the intelligent modules of terminals shipped to customers: protecting their algorithms and programs against decompilation, cracking and tampering, and protecting the intelligent equipment as a whole against malware infection.

III. Overall data security solution for the artificial intelligence industry

To sum up, data leaks through networks, mobile devices, third-party protocols and peripherals. Because code, algorithm models and other data are generated on employee PCs and move mainly between PC and PC and between application server and PC, the main objects to protect are the PCs and servers that use this data. We recommend the SDC anti-disclosure system for data protection. For intelligent device terminals sold externally, we provide CBS cyber locks to ensure that the data and algorithms contained in the equipment are not decompiled, tampered with or cloned by board copying, so as to ensure the data security of intelligent devices.

1. The solution of office data security in intranet

The SDC platform is built on the concept of "environment encryption technology". The "environment" refers to the carriers, users and transmission channels that data comes into contact with while it is generated, stored, exchanged and used. Environment encryption technology uses a variety of management methods to keep data under security control throughout generation, storage, exchange and use. The security system mainly relies on disk encryption, network transmission control, mobile storage encryption, peripheral control and other technical means to establish a secure data environment.

Disk encryption mainly uses disk drive encryption technology to encrypt disk sectors, so that the data cannot be obtained if the disk is removed or lost. Peripheral control prevents the computer from transmitting data and leaking secrets through irregular channels such as Bluetooth, infrared and other devices. Mobile storage encryption provides powerful mobile storage management, which keeps internal exchange convenient while encrypting the data to prevent leakage. Network admission control ensures that all terminals within the scope of management are allowed to access only the core application system and not other, unrelated networks. Log audit: all disc burning, joint debugging, decryption and printing operations on the terminal generate logs, and the files are backed up to the server.

As shown below:

Figure 1-1 Schematic diagram of the establishment of the data security system

1.1 Scheme system

The data security scheme designed based on the anti-disclosure platform can achieve the following effects:

1. Raise the login security level of the server, authenticate the identity and authority of visitors, and filter illegal access requests.

2. Provide full encryption and approval protection for data throughout its flow (storage, internal transmission, media exchange, outward transmission), and effectively control the environment in which the data lives.

3. Raise alarms on and record sensitive and illegal operations, and generate logs. Logs can also be imported into a database and, combined with the log viewing program, used to generate custom reports as needed.

4. Protect mobile office work, preserving work efficiency while protecting the security of the data.

5. Ensure that outgoing data is not leaked a second time, which greatly increases the controllability of the data.

6. Configure policies and set the strength of management and control for different roles (R&D personnel, business personnel, partners). Multi-level management forms a cascading management and control system and provides vertical supervision under the corresponding authority.

7. For large-scale deployment, load balancing across multiple servers ensures stable operation of the anti-disclosure platform's servers.

1.2 Features and advantages of the scheme

The features and advantages of the scheme based on the information security platform are as follows:

1. A holistic solution. The overall architecture is built on the anti-disclosure platform and provides server authentication management, encryption of the data operating environment, and monitoring and auditing of terminal operation behavior, improving data protection from many angles. Based on the data backup platform, automatic, scheduled and centralized data backup is implemented to ensure the integrity of the company's data.

2. Good compatibility. Composite management and security functions are implemented on a unified product platform, so the sub-functions do not interfere with or affect one another, which ensures stable operation of the terminal.

3. The solution based on environment encryption has good adaptability. By providing data protection in the existing environment and state, it can also meet the new confidentiality requirements arising from the implementation or upgrading of various application systems and terminal software in the future.

The unique working-mode switching takes the balance between work and life into account, reduces the constraints that data confidentiality places on users, and increases the usefulness of the computer. From the point of view of the risk of taking the system offline, because the scheme is based on controlling the environment, the company can remove the environmental control measures quickly in an emergency, so dependence on the vendor and the risks of data encryption and decryption are low.

1.3 Deployment diagram

Figure 1-2 Schematic diagram of deployment

1.4 Summary of the scheme

This scheme provides a variety of protection measures matched to the different risks the data faces. By controlling the points through which data can leak, it effectively prevents both active and passive disclosure. Whether users try the clipboard, screen capture, outbound network transfer or other routes, the data is protected by network encryption, hard disk encryption, mobile storage encryption, peripheral control, secure network access and so on. In short, data can be used freely within the environment, but it cannot break the rules and leave the environment.

2. Security of peripheral terminal equipment

CBS (CyberSandbox) lock is a protective lock for edge computing terminals developed by Shenxinda Company. It secures the terminal by embedding a security container into the operating system and locking applications and data inside the container.

Figure 2-1 schematic diagram of CBS function

The CBS lock takes over the operating system through the container and redefines the operating system's permission module. Only whitelisted programs and data behaviors are allowed to run in the container, and unauthorized programs and scripts are forbidden from starting. All data, * accounts, passwords and other core data are stored in the container and cannot be obtained without authorization, so the whole container is encrypted. CBS locks provide symmetric and asymmetric encryption algorithms with high security and ease of use, which can be called externally. CBS provides a unique identity ID and binds to the hardware environment to prevent the system from being cloned.

2.1. Installation effect

1. Only the necessary work scenarios can run; unfamiliar programs are prohibited.

2. No poisoning and *

3. Data is protected against theft and leakage.

4. Programs in the container run with a protective shell to prevent others from cracking them and cloning the board.

5. Even if the administrator account is stolen, it is still safe.

6. Can be used for key generation and destruction management

7. You are free to choose the desired encryption algorithm.

2.2. Characteristics of CBS products

System state maintenance

When deployed, the normal running state of the system is maintained, and the resource consumption is low, so it will not affect performance. It supports networking and stand-alone offline mode.

Prevent unauthorized software installation

Unauthorized software cannot be installed or run, which eliminates disassembly and poisoning at the root.

Encryption protection of data area in container

The core data of the terminal is encrypted to prevent information leakage.

Anti-decompilation of applications in the container

The application runs in the container with a protective shell to prevent decompilation.

2.3. The CBS centralized management platform

CBS is available in both stand-alone and online versions. The network version has a centralized management platform for the maintenance and audit of each network terminal.
