Artificial Intelligence Industry Data Security Solutions

One. Demand background

   人工智能三大核心要素：算法、算力、数据。除了算法、算力外，最重要核心因素是数据。实现人工智能有两个阶段，即准备数据与训练模型。数据准备工作量占比达 70% 以上，但更重要的数据背后的人工，即数据预处理、模型选择与参数调整。数据预处理过程中的需要在个人PC端进行大量的数据传输，这种传输很容易照成数据的泄露，通过网络的接入、网络的外发等各种行为都可轻易的将大量的数据外带，通过各种网络传输方式都是轻易将数据泄密的主要通道。
   模型选择和训练一般都在公司终端服务器进行但是也有部分占用资源不高的模型在个人PC训练。个人PC与公司服务器传输模型数据就可能导致模型训练成果外泄，数据泄密。
   并且还存在很大的存储风险，磁盘是数据存储的主要介质，终端日常的数据都保存在本地硬盘上。在任何一个环节中，数据的存储都将是严重的安全威胁，磁盘的被盗和笔记本电脑的遗失给磁盘的数据带来了极大的安全隐患。数据在经过其他核心业务系统导出时最终还是存储在本地磁盘，通过硬盘拆卸等方式轻易将数据拷贝出去。即使结合了很多审计或者其他控制手段，但也可通过多系统或者挂接到其他系统将数据外带。

two. Data protection requirements

• Internal protection needs of
internal management and control protection is mainly used for the protection of code and algorithms trained personnel software developer training materials, algorithm models generated.
• External protection needs
are mainly sold outside the intelligence module terminals, embedded algorithms, procedures and other anti-decompile, anti-crack, anti-tampering, as well as smart devices overall anti poisoning.

Third, the AI ​​industry data security solutions

   数据泄密的途径总结起来无非是网络、移动设备、第三方协议及外设，由于代码，算法模型等数据都是在员工pc端上产生，主要在pc-pc、应用服务器-pc之间流转，因此主要针对的对象是使用这些数据的pc和服务器。我们建议采用SDC防泄密系统进行数据防护的。对于向外销售的智能设备终端我们提供CBS赛博锁来保证设备内含的数据算法反编译，反篡改，防抄板，以此来保证智能设备的数据安全。

1, office data within the network security solutions

    SDC平台以‘环境加密技术’为技术理念，所谓的‘环境’是指数据在生成、存储、交互、使用的过程中所接触的载体、使用者、传输渠道的一个总称。而‘环境加密技术’就是采用了多种管理手段结合的方式保护数据在生成、存储、交互、使用过程中的安全环节控制。在保密系统中主要采用了磁盘加密、网络传输控制、移动存储加密，外设控制等技术手段来保障了数据安全环境的建立。
   磁盘加密主要采用了磁盘驱动加密技术对磁盘扇区进行强制加密，一旦磁盘被拆卸或者丢失也无法获得数据。
   外设控制则可控制计算机通过非正常手段，比如蓝牙、红外等设备进行数据传输泄密。移动存储加密可提供强大的移动存储管理功能，既方便了内部交流使用又将数据加密防止数据泄密。
   网络准入控制可以控制所有管理范围内终端只允许访问核心应用系统，其他无关网络不能访问。
   日志审计终端所有烧录联调、解密、打印都将生成日志，并备份文件到服务器。

As shown below:

              图 1-1 数据保密体系建立示意图

1.1 Solution System

Based anti-phishing platform designed for data security solutions can achieve the following effects:

1. Improve login security level of the server, authenticate the identity and privileges for visitors, filtering illegal access requests;
2. For data in the process of its circulation (storage, internal transport, media exchange, and sends out) to achieve a full range of protection and approval encryption, data of the living environment is effectively controlled;
3. Against sensitive and operational behavior violation alarm and recording, and generates a log. It supports the import log into the database, the binding log viewer, according to need to generate custom reports;
4. Protective sex for mobile office, ensuring productivity while protecting data security;
5. Outgoing data is not guaranteed secondary leak, greatly increases the controllability of the data;
6. Its policies can be configured for different roles (R & D personnel, business people, partners) to develop management and control efforts;
7. It provides multi-level management functions, forming a cascade control system management, while the regulatory authority to achieve vertical downward;
8. For larger deployments, in order to ensure the operation of anti-phishing platform server stability and realize the multiple load balancing server operating environment.

1.2 Program Features and Benefits

Based on the information security platform designed program features and advantages are as follows:
1. The holistic solution. Anti-phishing platform in the development of the overall program framework to achieve the management server authentication, data encryption operating environment, data terminals operating behavior monitoring and auditing functions, from multiple angles to enhance the protection of data based on; a platform-based data backup automatic, planned, centralized network data backup, to ensure the integrity of corporate data;
2. better compatibility. Under unified product platform, complex management and security features, no mutual interference situation between functions and influence to ensure the stable operation of the terminal;
3. environment based encryption solutions from good adaptability. Providing protection against existing data and environmental condition, can meet the new security requirements embodiment future upgrade or types of applications and terminal software generated;

4. Unique operating mode switch may take into account the work-life balance, reducing data confidentiality constraints on the use of personnel, to enhance the value of the use of computers;
5. From the point of view of risk off the assembly line, because the scheme is to control, if necessary contingency, the company can quickly remove the control measures on the environment in the short term, the lower the risk of dependency on the encryption and decryption of data based on the factory environment.

1.3, deploying schematic

              图1‐2部署示意图

1.4 Program Summary

   此方案根据数据所面临的风险不同，而提供多种保护手段，并且通过数据外泄端口的控制，有效的防止了数据的主动泄密和被动泄密的情况，不论用户是通过剪切板、拷屏、网络外发等方式，都受到网络加密、硬盘加密、移动存储加密、外设控制、网络安全准入等五重的保护，总而言之就是数据可以在环境内部自由使用，但没法违规脱离环境。

2, the terminal security peripherals

   CBS(CyberSandbox)锁是深信达公司研发的边缘计算终端的保护锁，通过把安全容器内嵌到操作系统中，对容器内的应用和数据进行加锁，实现终端安全。

2-1 CBS functional schematic diagram

   CBS锁通过容器接管操作系统，重新定义操作系统的权限模块，让程序和数据行为都在容器中白名单运行，非授权程序和脚本一律禁止启动。容器内所有数据，***账号、密码以及其他核心数据都在容器中存储，非授权外界无法获得，全容器加密。
   CBS锁提供高安全性、高易用性的对称和非对称加密算法，可供外围调用。CBS提供身份唯一ID并绑定硬件环境，防止系统被克隆

2.1, the installation effect

1. Only essential work scenarios to run, run unfamiliar programs prohibited
2. No intoxication and ******
3. Data anti-theft, anti-leak
program running within the 4-packed containers, and to prevent others to crack copy board
5 even the administrator account stolen, still safe
6. available for key generation, management destroyed
7 are free to select the desired encryption algorithm

2.2, CBS Features

• System Status to keep
what you what, get the system to normal operation when deployed to maintain, and low resource footprint, without compromising performance, networked and stand-alone support offline mode;
• prevent unauthorized software installed
unauthorized software can not be installed and run, to eliminate the root causes of poisoning and chaos mounted in ***;
• the container area data encryption protection
terminal core data is encrypted to prevent information leaks;
application within the anti-container • compile
the application to run in a container packed run, prevent decompilation.

2.3, CBS centralized management platform

   CBS提供单机版和网络版两种。
   网络版有集中的管理平台可对每一个联网终端进行维护审计