模型 Armor 下限设置定义了规则,这些规则会对在资源层次结构的特定位置(即组织、文件夹或项目级别)创建的所有模型 Armor 模板施加最低要求。 Google Cloud如果有多个楼层设置相互冲突,则资源层次结构中较低级别的设置优先。例如,如果在文件夹级别和项目级别创建了底价设置政策,系统会应用项目级政策。
以下示例展示了“模型装甲”下限设置政策的运作方式。在启用了恶意网址过滤器的文件夹中设置了底板政策 X。 在该文件夹中的项目上设置了底限政策 Y,以便使用置信度阈值为中等的提示注入和越狱检测过滤器。最终结果是,在项目中创建的每个 Model Armor 模板都必须至少设置提示注入和越狱检测过滤器,并将置信度阈值设为中等,但恶意网址过滤器不是必需的。
最低要求设置可帮助首席信息安全官 (CISO) 和安全架构师在其组织内的所有 Model Armor 模板中强制执行最低安全状态,防止个别开发者意外或故意将安全标准降低到可接受的水平以下。对于订阅 Security Command Center 高级层级或企业层级的客户,如果违反了下限设置,系统会触发发现结果。也就是说,如果模板是在最低设置之前创建的,并且模板具有任何限制较少的设置,Security Command Center 中就会显示相应问题,以帮助您识别和修复不太安全的 Model Armor 模板。
启用和停用 Model Armor 地板设置
如需启用 Model Armor 底价设置,请将 enable_floor_setting_enforcement 标志设置为 true。以下示例展示了如何执行此操作。
gcloud
为指定项目启用 Model Armor 底价设置。
gcloud model-armor floorsettings describe
--full-uri='projects/PROJECT_ID/locations/global/floorSetting' Flags --full-uri = name of the floor setting resource为给定组织启用 Model Armor 下限设置。
gcloud model-armor floorsettings describe
--full-uri='organizations/ORGANIZATION_ID/locations/global/floorSetting' Flags --full-uri = name of the floor setting resource为给定文件夹启用 Model Armor 底价设置。
gcloud model-armor floorsettings describe
--full-uri='folders/FOLDER_ID/locations/global/floorSetting' Flags --full-uri = name of the floor setting resource替换以下内容:
PROJECT_ID:模板所属项目的 ID。FOLDER_ID:模板的文件夹 ID。ORGANIZATION_ID:模板所属组织的 ID。
REST API
curl -X PATCH
-d '{"enable_floor_setting_enforcement" : "true"}'
-H "Content-Type: application/json"
-H "Authorization: Bearer $(gcloud auth print-access-token)" "https://modelarmor.googleapis.com/v1/projects/$PROJECT_ID/locations/global/floorSetting?update_mask=enable_floor_setting_enforcement"
替换以下内容:
gcloud auth print-access-token:指定账号的访问令牌。PROJECT_ID:模板所属项目的 ID。
如果您不想使用 Model Armor 下限设置,请将 filter_config 标志设置为 empty 或将 enable_floor_setting_enforcement 标志设置为 false。以下示例展示了如何执行此操作。
gcloud
gcloud alpha model-armor floorsettings get
--full-uri='projects/$PROJECT_ID/locations/global/floorSetting'
Flags
--full-uri = name of the floor setting resource
--enable-floor-setting-enforcement=false
--filterConfig = {}
替换以下内容:
PROJECT_ID:模板所属项目的 ID。
REST API
curl -X PATCH
-H "Content-Type: application/json"
-H "Authorization: Bearer $(gcloud auth print-access-token)"
-d '{"filterConfig" :{},"enable_floor_setting_enforcement":"false"}'
"https://modelarmor.googleapis.com/v1/projects/{PROJECT_ID}/locations/global/floorSetting"
替换以下内容:
gcloud auth print-access-token:指定账号的访问令牌。PROJECT_ID:模板所属项目的 ID。
查看 Model Armor 底价设置
运行以下命令可查看 Model Armor 地板设置。
gcloud
查看给定项目的 Model Armor 下限设置。
gcloud model-armor floorsettings describe --full-uri='projects/PROJECT_ID/locations/global/floorSetting' Flags --full-uri = name of the floor setting resource
查看给定组织的 Model Armor 下限设置。
gcloud model-armor floorsettings describe --full-uri='organizations/Organization/locations/global/floorSetting' Flags --full-uri = name of the floor setting resource
查看给定文件夹的 Model Armor 下限设置。
gcloud model-armor floorsettings describe --full-uri='folders/Folder/locations/global/floorSetting' Flags --full-uri = name of the floor setting resource
替换以下内容:
PROJECT_ID:模板所属项目的 ID。Folder:模板的文件夹 ID。Organization:模板所属组织的 ID。
REST API
查看给定项目的 Model Armor 下限设置。
curl -X GET
-H "Authorization: Bearer $(gcloud auth print-access-token)"
-H "Content-Type: application/json"
"https://modelarmor.googleapis.com/v1/projects/{project_id}/locations/global/floorSetting"查看给定文件夹的 Model Armor 下限设置。
curl -X GET
-H "Authorization: Bearer $(gcloud auth print-access-token)"
-H "Content-Type: application/json"
"https://modelarmor.googleapis.com/v1/folders/{folder}/locations/global/floorSetting"查看给定组织的 Model Armor 下限设置。
curl -X GET
-H "Authorization: Bearer $(gcloud auth print-access-token)"
-H "Content-Type: application/json"
"https://modelarmor.googleapis.com/v1/organizations/{organization}/locations/global/floorSetting"替换以下内容:
gcloud auth print-access-token:指定账号的访问令牌。PROJECT_ID:模板所属项目的 ID。Folder:模板的文件夹 ID。Organization:模板所属组织的 ID。
更新 Model Armor 底价设置
运行以下命令以更新 Model Armor 地板设置。
gcloud
gcloud model-armor floorsettings update --full-uri=<full-uri-of-the-floorsetting> [filters]
示例命令:
gcloud model-armor floorsettings update
--malicious-uri-filter-settings-enforcement=ENABLED
--pi-and-jailbreak-filter-settings-enforcement=DISABLED
--pi-and-jailbreak-filter-settings-confidence-level=LOW_AND_ABOVE
--basic-config-filter-enforcement=ENABLED
--add-rai-settings-filters='[{"confidenceLevel": "low_and_above", "filterType": "HARASSMENT"}, {"confidenceLevel": "high", "filterType": "SEXUALLY_EXPLICIT"}]'
--full-uri='folders/308621292149/locations/global/floorSetting'
--enable-floor-setting-enforcement=true
REST API
更新给定项目的“模型装甲”下限设置。
curl -X PATCH -d '{"filterConfig" :{"piAndJailbreakFilterSettings": { "filterEnforcement": "ENABLED"}, "maliciousUriFilterSettings": { "filterEnforcement": "ENABLED" }, "rai_settings":{"rai_filters":{"filter_type":"DANGEROUS", "confidence_level":"LOW_AND_ABOVE" }, "rai_filters":{"filter_type":"HATE_SPEECH", "confidence_level":"LOW_AND_ABOVE" }, "rai_filters":{"filter_type":"HARASSMENT", "confidence_level":"LOW_ANDABOVE" }, "rai filters":{"filter_type":"SEXUALLY_EXPLICIT", "confidence_level":"LOW_AND_ABOVE" }}},"enable_floor_setting_enforcement":"true"}' -H "Content-Type: application/json" -H "Authorization: Bearer $(gcloud auth print-access-token)" "https://modelarmor.googleapis.com/v1/projects/{project_id}/locations/global/floorSetting"更新给定文件夹的 Model Armor 下限设置。
curl -X PATCH
-d '{"filterConfig" :{"piAndJailbreakFilterSettings": { "filterEnforcement": "ENABLED"}, "maliciousUriFilterSettings": { "filterEnforcement": "ENABLED" }},"enable_floor_setting_enforcement":"true"}'
-H "Content-Type: application/json"
-H "Authorization: Bearer $(gcloud auth print-access-token)"
"https://modelarmor.googleapis.com/v1/folders/{folder}/locations/global/floorSetting"更新给定组织的“模型装甲”下限设置。
curl -X PATCH
-d '{"filterConfig" :{"piAndJailbreakFilterSettings": { "filterEnforcement": "ENABLED"}, "maliciousUriFilterSettings": { "filterEnforcement": "ENABLED" }},"enable_floor_setting_enforcement":"true"}'
-H "Content-Type: application/json"
-H "Authorization: Bearer $(gcloud auth print-access-token)"
"https://modelarmor.googleapis.com/v1/organizations/{organization}/locations/global/floorSetting"替换以下内容:
gcloud auth print-access-token:指定账号的访问令牌。PROJECT_ID:模板所属的项目的 ID。Folder:模板的文件夹 ID。Organization:模板所属组织的 ID。update 命令会返回以下响应:
{ "name": "projects/$PROJECT_ID/locations/global/floorSetting", "updateTime": "2024-12-19T15:36:21.318191Z", "filterConfig": { "piAndJailbreakFilterSettings": { "filterEnforcement": "ENABLED" }, "maliciousUriFilterSettings": { "filterEnforcement": "ENABLED" } } }
违反了楼层设置
每个 Model Armor 服务发现结果都会指出 Model Armor 模板未达到资源层次结构下限设置定义的最低安全标准时发生的下限设置违规问题。下限设置决定了模板中每个过滤器允许的最宽松级别。底价设置违规可能涉及模板不包含所需的过滤条件,或者不符合这些过滤条件的最低置信度水平。检测到违规行为后,Security Command Center 中会发布高严重性发现结果。该发现会指明违反的底价设置、不合规的模板以及违规详情。如需了解详情,请参阅 Model Armor 服务发现。
这是地板设置违规问题发现结果的 source_properties 字段示例。
{
"filterConfig": {
"raiSettings": {
"raiFilters": [
{
"filterType": "HATE_SPEECH",
"confidenceLevel": {
"floorSettings": "LOW_AND_ABOVE",
"template": "MEDIUM_AND_ABOVE"
}
},
{
"filterType": "HARASSMENT",
"confidenceLevel": {
"floorSettings": "MEDIUM_AND_ABOVE",
"template": "HIGH"
}
}
]
},
"piAndJailbreakFilterSettings": {
"confidenceLevel": {
"floorSettings": "LOW_AND_ABOVE",
"template": "HIGH"
}
},
"maliciousUriFilterSettings": {
"floorSettings": "ENABLED",
"template": "DISABLED"
}
}
}
后续步骤
- 了解 Model Armor 概览。
- 了解模型装甲模板。
- 对提示和回答进行清理。
- 排查 Model Armor 问题。