Model Armor floor settings

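Model Armor floor settings define rules that dictate the minimum requirements for all Model Armor templates created at a specific point in the Google Cloud resource hierarchy (that is, at the organization, folder, or project level). If multiple floor settings conflict, the setting lower in the resource hierarchy takes precedence. For example, if a floor setting policy is created at both the folder level and the project level, the project-level policy is applied.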

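The following example shows how Model Armor floor setting policies work. Floor policy X is set at the folder level and enables the malicious URL filter. Floor policy Y is set on a project within that folder and sets a medium confidence threshold for the prompt injection and jailbreak detection filter. As a result, every Model Armor template created in that project must set the confidence threshold of the prompt injection and jailbreak detection filter to at least medium. Templates created in folders outside this project's parent folder do not require the malicious URI filter.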

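Floor settings help CISOs and security architects enforce a minimum security posture across all Model Armor templates in their organization, preventing individual developers from accidentally or intentionally lowering security standards below acceptable levels. For customers subscribed to the Security Command Center Premium or Enterprise tier, floor setting violations trigger findings. This means that if a template was created before the floor setting and any of its settings are less restrictive, a finding appears in Security Command Center to help you identify and remediate the less secure Model Armor templates.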

Enable and disable Model Armor floor settings

To enable Model Armor floor settings, set the enable_floor_setting_enforcement flag to true. The following examples show how to do this.

gcloud

  • Set the Model Armor endpoint to its global endpoint.

      gcloud config set api_endpoint_overrides/modelarmor "https://modelarmor.googleapis.com/"

  • Enable Model Armor floor settings for the specified project.

      gcloud model-armor floorsettings update \
      --full-uri='projects/PROJECT_ID/locations/global/floorSetting' \
      --enable-floor-setting-enforcement=true

  • Enable Model Armor floor settings for the specified organization.

      gcloud model-armor floorsettings update \
      --full-uri='organizations/ORGANIZATION_ID/locations/global/floorSetting' \
      --enable-floor-setting-enforcement=true

  • Enable Model Armor floor settings for the specified folder.

      gcloud model-armor floorsettings update \
      --full-uri='folders/FOLDER_ID/locations/global/floorSetting' \
      --enable-floor-setting-enforcement=true

    Replace the following:

  • PROJECT_ID is the ID of the template's project.

  • FOLDER_ID is the ID of the template's folder.

  • ORGANIZATION_ID is the ID of the template's organization.

REST

  curl -X PATCH \
  -d '{"enable_floor_setting_enforcement" : "true"}' \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  "https://modelarmor.googleapis.com/v1/projects/PROJECT_ID/locations/global/floorSetting?update_mask=enable_floor_setting_enforcement"

Replace PROJECT_ID with the ID of the template's project.

If you don't want to use Model Armor floor settings, set the filter_config flag to empty or set the enable_floor_setting_enforcement flag to false.

gcloud

    gcloud model-armor floorsettings update \
    --full-uri='projects/PROJECT_ID/locations/global/floorSetting' \
    --enable-floor-setting-enforcement=false

    Flags:
    --full-uri = name of the floor setting resource
    --enable-floor-setting-enforcement=false
    --filterConfig = {}

Replace PROJECT_ID with the ID of the template's project.

REST

    curl -X PATCH \
    -H "Content-Type: application/json" \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    -d '{"filterConfig" :{},"enable_floor_setting_enforcement":"false"}' \
    "https://modelarmor.googleapis.com/v1/projects/PROJECT_ID/locations/global/floorSetting"

Replace PROJECT_ID with the ID of the template's project.

View Model Armor floor settings

Run the following commands to view Model Armor floor settings.

gcloud

  • View the Model Armor floor settings for the specified project.

      gcloud model-armor floorsettings describe \
      --full-uri='projects/PROJECT_ID/locations/global/floorSetting'

  • View the Model Armor floor settings for the specified organization.

      gcloud model-armor floorsettings describe \
      --full-uri='organizations/ORGANIZATION_ID/locations/global/floorSetting'

  • View the Model Armor floor settings for the specified folder.

      gcloud model-armor floorsettings describe \
      --full-uri='folders/FOLDER_ID/locations/global/floorSetting'

    Replace the following:

    • PROJECT_ID is the ID of the template's project.
    • FOLDER_ID is the ID of the template's folder.
    • ORGANIZATION_ID is the ID of the template's organization.

REST

  • View the Model Armor floor settings for the specified project.

    curl -X GET \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    -H "Content-Type: application/json" \
    "https://modelarmor.googleapis.com/v1/projects/PROJECT_ID/locations/global/floorSetting"

  • View the Model Armor floor settings for the specified folder.

    curl -X GET \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    -H "Content-Type: application/json" \
    "https://modelarmor.googleapis.com/v1/folders/FOLDER_ID/locations/global/floorSetting"

  • View the Model Armor floor settings for the specified organization.

    curl -X GET \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    -H "Content-Type: application/json" \
    "https://modelarmor.googleapis.com/v1/organizations/ORGANIZATION_ID/locations/global/floorSetting"

Replace the following:

  • PROJECT_ID is the ID of the template's project.
  • FOLDER_ID is the ID of the template's folder.
  • ORGANIZATION_ID is the ID of the template's organization.

Python

To run this command, first initialize the Model Armor client in Python.

  • View the Model Armor floor settings for the specified project.

    # `client` is the Model Armor client initialized beforehand.
    request = modelarmor_v1.GetFloorSettingRequest(
        name="projects/PROJECT_ID/locations/global/floorSetting",
    )
    response = client.get_floor_setting(request=request)

  • View the Model Armor floor settings for the specified folder.

    # `client` is the Model Armor client initialized beforehand.
    request = modelarmor_v1.GetFloorSettingRequest(
        name="folders/FOLDER_ID/locations/global/floorSetting",
    )
    response = client.get_floor_setting(request=request)

  • View the Model Armor floor settings for the specified organization.

    # `client` is the Model Armor client initialized beforehand.
    request = modelarmor_v1.GetFloorSettingRequest(
        name="organizations/ORGANIZATION_ID/locations/global/floorSetting",
    )
    response = client.get_floor_setting(request=request)

    Replace the following:

    • PROJECT_ID is the ID of the project that the template belongs to.
    • FOLDER_ID is the ID of the template's folder.
    • ORGANIZATION_ID is the ID of the template's organization.

Update Model Armor floor settings

Run the following commands to update Model Armor floor settings.

gcloud

   gcloud model-armor floorsettings update --full-uri=<full-uri-of-the-floorsetting>

Example command:

       gcloud model-armor floorsettings update \
       --malicious-uri-filter-settings-enforcement=ENABLED \
       --pi-and-jailbreak-filter-settings-enforcement=DISABLED \
       --pi-and-jailbreak-filter-settings-confidence-level=LOW_AND_ABOVE \
       --basic-config-filter-enforcement=ENABLED \
       --add-rai-settings-filters='[{"confidenceLevel": "low_and_above", "filterType": "HARASSMENT"}, {"confidenceLevel": "high", "filterType": "SEXUALLY_EXPLICIT"}]' \
       --full-uri='folders/FOLDER_ID/locations/global/floorSetting' \
       --enable-floor-setting-enforcement=true

Replace FOLDER_ID with the ID of the template's folder.

REST

  • Update the Model Armor floor settings for the given project.

    curl -X PATCH \
    -d '{"filterConfig" :{"piAndJailbreakFilterSettings": { "filterEnforcement": "ENABLED"}, "maliciousUriFilterSettings": { "filterEnforcement": "ENABLED" }, "rai_settings":{"rai_filters":[{"filter_type":"DANGEROUS", "confidence_level":"LOW_AND_ABOVE" }, {"filter_type":"HATE_SPEECH", "confidence_level":"LOW_AND_ABOVE" }, {"filter_type":"HARASSMENT", "confidence_level":"LOW_AND_ABOVE" }, {"filter_type":"SEXUALLY_EXPLICIT", "confidence_level":"LOW_AND_ABOVE" }]}},"enable_floor_setting_enforcement":"true"}' \
    -H "Content-Type: application/json" \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    "https://modelarmor.googleapis.com/v1/projects/PROJECT_ID/locations/global/floorSetting"

  • Update the Model Armor floor settings for the given folder.

    curl -X PATCH \
    -d '{"filterConfig" :{"piAndJailbreakFilterSettings": { "filterEnforcement": "ENABLED"}, "maliciousUriFilterSettings": { "filterEnforcement": "ENABLED" }},"enable_floor_setting_enforcement":"true"}' \
    -H "Content-Type: application/json" \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    "https://modelarmor.googleapis.com/v1/folders/FOLDER_ID/locations/global/floorSetting"

  • Update the Model Armor floor settings for the given organization.

    curl -X PATCH \
    -d '{"filterConfig" :{"piAndJailbreakFilterSettings": { "filterEnforcement": "ENABLED"}, "maliciousUriFilterSettings": { "filterEnforcement": "ENABLED" }},"enable_floor_setting_enforcement":"true"}' \
    -H "Content-Type: application/json" \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    "https://modelarmor.googleapis.com/v1/organizations/ORGANIZATION_ID/locations/global/floorSetting"

    Replace the following:

    • PROJECT_ID is the ID of the template's project.
    • FOLDER_ID is the ID of the template's folder.
    • ORGANIZATION_ID is the ID of the template's organization.

    The update command returns the following response:

    {
      "name": "projects/PROJECT_ID/locations/global/floorSetting",
      "updateTime": "2024-12-19T15:36:21.318191Z",
      "filterConfig": {
        "piAndJailbreakFilterSettings": {
          "filterEnforcement": "ENABLED"
        },
        "maliciousUriFilterSettings": {
          "filterEnforcement": "ENABLED"
        }
      }
    }

Python

To run this command, first initialize the Model Armor client in Python.

  • Update the Model Armor floor settings for the given project.

    request = modelarmor_v1.UpdateFloorSettingRequest(
        floor_setting={
            "name": "projects/PROJECT_ID/locations/global/floorSetting",
            "filter_config": FILTER_CONFIG,
            "enable_floor_setting_enforcement": True,
        }
    )
    response = client.update_floor_setting(request=request)

  • Update the Model Armor floor settings for the given folder.

    request = modelarmor_v1.UpdateFloorSettingRequest(
        floor_setting={
            "name": "folders/FOLDER_ID/locations/global/floorSetting",
            "filter_config": FILTER_CONFIG,
            "enable_floor_setting_enforcement": True,
        }
    )
    response = client.update_floor_setting(request=request)

  • Update the Model Armor floor settings for the given organization.

    request = modelarmor_v1.UpdateFloorSettingRequest(
        floor_setting={
            "name": "organizations/ORGANIZATION_ID/locations/global/floorSetting",
            "filter_config": FILTER_CONFIG,
            "enable_floor_setting_enforcement": True,
        }
    )
    response = client.update_floor_setting(request=request)

    Replace the following:

  • FILTER_CONFIG is the filter configuration for the template.

  • PROJECT_ID is the ID of the project that the template belongs to.

  • FOLDER_ID is the ID of the template's folder.

  • ORGANIZATION_ID is the ID of the template's organization.

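Floor setting violations

Each Model Armor service finding identifies a floor setting violation, which occurs when a Model Armor template fails to meet the minimum security standards defined by the resource hierarchy floor settings. Floor settings define the minimum strictness level allowed for each filter in a template. A floor setting violation can result from a template that does not include a required filter or that does not meet the minimum confidence level required for those filters. When a violation is detected, a high-severity finding is published in Security Command Center. The finding identifies the violated floor setting, the non-compliant template, and details of the violation. For more information, see Model Armor service findings.

The following example shows the source_properties field of a floor setting violation finding.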

{
  "filterConfig": {
    "raiSettings": {
      "raiFilters": [
        {
          "filterType": "HATE_SPEECH",
          "confidenceLevel": {
            "floorSettings": "LOW_AND_ABOVE",
            "template": "MEDIUM_AND_ABOVE"
          }
        },
        {
          "filterType": "HARASSMENT",
          "confidenceLevel": {
            "floorSettings": "MEDIUM_AND_ABOVE",
            "template": "HIGH"
          }
        }
      ]
    },
    "piAndJailbreakFilterSettings": {
      "confidenceLevel": {
        "floorSettings": "LOW_AND_ABOVE",
        "template": "HIGH"
      }
    },
    "maliciousUriFilterSettings": {
      "floorSettings": "ENABLED",
      "template": "DISABLED"
    }
  }
}
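
The comparison behind such a finding can be reproduced offline before a template is created. The following is an added example, not Model Armor's own code: floor_violations, gap, weaker, FLOOR and TEMPLATE are hypothetical names, the inputs are constructed, and it assumes that a lower confidence threshold is the stricter setting and that the filterConfig field names match the REST payloads and the finding shown on this page.

```python
# Added example, not Model Armor's own logic. Assumes a lower threshold is stricter.
STRICTNESS = {"HIGH": 1, "MEDIUM_AND_ABOVE": 2, "LOW_AND_ABOVE": 3}

def weaker(template_level, floor_level):
    """True if the template level is missing or less strict than the floor level."""
    return STRICTNESS.get(template_level, 0) < STRICTNESS[floor_level]

def gap(floor_s, tmpl_s):
    """Mismatch for one filter: enforcement first, then confidence level."""
    if floor_s.get("filterEnforcement") != "ENABLED":
        return {}  # the floor does not require this filter
    out = {}
    if tmpl_s.get("filterEnforcement") != "ENABLED":
        out = {"floorSettings": "ENABLED",
               "template": tmpl_s.get("filterEnforcement", "DISABLED")}
    level = floor_s.get("confidenceLevel")
    if level and weaker(tmpl_s.get("confidenceLevel"), level):
        out["confidenceLevel"] = {"floorSettings": level,
                                  "template": tmpl_s.get("confidenceLevel")}
    return out

def floor_violations(floor, template):
    """Return mismatches shaped like the finding's source_properties."""
    have = {f["filterType"]: f.get("confidenceLevel")
            for f in template.get("raiSettings", {}).get("raiFilters", [])}
    rai = [{"filterType": f["filterType"],
            "confidenceLevel": {"floorSettings": f["confidenceLevel"],
                                "template": have.get(f["filterType"])}}
           for f in floor.get("raiSettings", {}).get("raiFilters", [])
           if weaker(have.get(f["filterType"]), f["confidenceLevel"])]
    found = {"raiSettings": {"raiFilters": rai} if rai else {}}
    for key in ("piAndJailbreakFilterSettings", "maliciousUriFilterSettings"):
        found[key] = gap(floor.get(key, {}), template.get(key, {}))
    found = {k: v for k, v in found.items() if v}  # drop filters that comply
    return {"filterConfig": found} if found else {}

# Constructed inputs that reproduce the sample finding above.
FLOOR = {"raiSettings": {"raiFilters": [
             {"filterType": "HATE_SPEECH", "confidenceLevel": "LOW_AND_ABOVE"},
             {"filterType": "HARASSMENT", "confidenceLevel": "MEDIUM_AND_ABOVE"}]},
         "piAndJailbreakFilterSettings": {"filterEnforcement": "ENABLED",
                                          "confidenceLevel": "LOW_AND_ABOVE"},
         "maliciousUriFilterSettings": {"filterEnforcement": "ENABLED"}}
TEMPLATE = {"raiSettings": {"raiFilters": [
                {"filterType": "HATE_SPEECH", "confidenceLevel": "MEDIUM_AND_ABOVE"},
                {"filterType": "HARASSMENT", "confidenceLevel": "HIGH"}]},
            "piAndJailbreakFilterSettings": {"filterEnforcement": "ENABLED",
                                             "confidenceLevel": "HIGH"},
            "maliciousUriFilterSettings": {"filterEnforcement": "DISABLED"}}
```

An empty result from floor_violations means the template is at least as strict as the floor on every filter the floor requires.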
