# 2.9 Production Practice of Large Language Model Applications

## 🚄 Preface

Through the previous lessons, your Q&A bot is already capable of answering private domain knowledge fairly well. Next, we will continue to explore how to deploy this large language models (LLMs) application into a production environment — that is, how to transition the LLMs application from development and testing phases to real business scenarios. This is a complex and crucial process involving multiple steps and technical considerations. This lesson will discuss them to help you understand and successfully complete this process.

## 🍁 Course Objectives

Upon completing this course, you will be able to:

* Identify the key elements for deploying LLMs applications into a production environment through business requirement analysis
* Understand how to balance the performance and operational costs of LLMs applications
* Learn how to enhance the stability of LLMs applications
* Understand how to ensure the security and compliance of LLMs applications

Deploying large language models (LLMs) into production environments and applying them to real business scenarios is not an easy task. This process requires starting from the business scenario, selecting a more suitable model through clear requirements (functional requirements of the model, such as Qwen-Math optimized for mathematical problems). It also requires comprehensively considering performance, cost, security, and stability from a system architecture perspective. Non-functional requirements of the model, although not directly related to specific functions, are crucial to the overall quality of the model and user experience.

In general, functional requirements define "what" LLMs do, while non-functional requirements ensure "how" they perform these functions to meet high-quality standards. Only by finding a balance between business needs and technical implementation can large language model services be deployed and operated efficiently.

This lesson will focus on these core topics, helping you fully understand how to deploy LLMs efficiently and at a low cost in real business scenarios, and providing guidance on how to build stable and secure system architectures.



## 1. Business Requirements Analysis
Business requirements analysis is the first step in successfully deploying large language models (LLMs). Different business scenarios vary significantly in their functional and non-functional requirements for the model. If the business scenario is unclear, it may lead to the following issues:
* Incorrect model selection: Choosing a model unsuitable for a specific task, resulting in poor performance or resource waste.
* Decline in user experience: Failing to meet users' critical requirements such as real-time performance and accuracy.
* Cost overruns: Not optimizing the model size and deployment plan based on business needs, leading to high computing and operational costs.
* Security risks: Failing to adequately consider data privacy and compliance requirements, potentially triggering legal risks.

Therefore, after clarifying the business scenario, you need to further analyze functional and non-functional requirements in depth and formulate a specific deployment plan accordingly.  



### 1.1 Functional Requirements of the Model
Different business scenarios have varying requirements for models. Below are some model selection recommendations for typical task scenarios:
* natural language processing: One of the most common LLM application scenarios, mainly including tasks such as question-answering systems, text generation, translation, and emotion analysis.
    * General tasks: Such as open-domain question answering, news summary generation, etc., can use general-purpose large language models (e.g., Qwen, GPT).
    * Domain-specific tasks: For specialized fields like mathematical problem-solving, legal consulting, and medical diagnosis, it is recommended to choose models fine-tuned for specific domains. For example:
        * Mathematical problems: You can choose models specifically optimized for math tasks, such as Qwen-Math.
        * Legal issues: Models trained for the legal domain, such as Tongyi Farui, can be selected.
        * Medical diagnosis: Models that require high accuracy and support for professional terminology typically need to be combined with domain knowledge graph or rule engines.
* Vision: Including image classification, object detection, and image generation. These tasks usually require specialized vision models (e.g., Wan, YOLO, Stable Diffusion) rather than general-purpose language models.
* Speech: Such as voice assistants, automatic subtitle generation, speech input methods, and speech synthesis. These tasks generally require specialized speech processing models (e.g., Qwen-Audio, CosyVoice).
* Multimodal tasks: Combining multiple modalities such as text, images, video, and speech to handle complex tasks. It is recommended to use specially designed multimodal models (e.g., Qwen-VL), which can significantly improve efficiency and consistency. Simply combining multiple single-modality models (e.g., speech recognition + text generation + image understanding) to complete multimodal tasks can lead to higher overall latency, poor consistency, and increased development complexity in the application.



After confirming the task scenario, you may still find that there are many large language models (LLMs) with similar functions to choose from (such as Qwen, DeepSeek, GPT, etc.). The accuracy of inference might be the main reason for your choice of model. You need to build your own evaluation dataset or choose a public dataset that matches the business scenario for evaluation (such as MMLU for assessing language understanding, BBH for testing complex reasoning, etc.).  <a href="https://img.alicdn.com/imgextra/i2/O1CN01YFnJL820aE1wiLRgS_!!6000000006865-0-tps-2832-1118.jpg" target="_blank"> <img src="https://img.alicdn.com/imgextra/i2/O1CN01YFnJL820aE1wiLRgS_!!6000000006865-0-tps-2832-1118.jpg" width="900"> </a>  Image source: [Open Source Large Language Model Evaluation Rankings](https://huggingface.co/spaces/open-llm-leaderboard/open_llm_leaderboard#/)

### 1.2 Non-Functional Requirements of the Model

Before formally applying the model to production, in addition to selecting a model that is more suitable for the business scenario (functional requirements), it is usually also necessary to pay attention to aspects such as **performance, cost, stability, and security** (non-functional requirements). In the following sections of this subsection, these aspects will be discussed in detail.

<br>  



## 2. Performance Optimization

Does your business care about response speed? For example, conversational systems typically require fast feedback (usually under 500ms), while offline batch processing tasks have lower latency requirements (which can be several hours or even days). Generally speaking, you need to define the **Service Level Objective (SLO)**, a performance metric guaranteed by cloud providers when offering large language model (LLMs) deployment services. Common metrics include **TTFT (Time to First Token Latency, first token delay)** and **TPOT (Time Per Output Token, time per token generation)**. The following table provides performance evaluation datasets and SLO requirements for different business scenarios:

| Business Scenario         | Common Performance Evaluation Dataset | TTFT Requirement | TPOT Requirement |
|---------------------------|---------------------------------------|------------------|-----------------|
| Conversations, Consultations, Search | ShareGPT, MMLU                       | High             | Medium          |
| Code Completion, Programming, Web Design | HumanEval                           | High             | High            |
| Reading Comprehension/Summarization/Data Processing/Information Extraction | LongBench                          | Low              | Medium          |
| General LLMs (DeepSeek R1, large language models (LLMs), etc.) | Multi-modal evaluation datasets like InfoVQA | TTFT < 5sec (recommended below this value) | TPOT < 200ms (recommended below this value) |

Once the system's required SLO (including TTFT and TPOT requirements) is determined, further optimizations can be made around these objectives for large language models (LLMs) applications.

### 2.1 System Performance Improvement

Below are some principles for improving the performance of LLM systems. These principles are universal and not tied to specific business scenarios. Properly applying these principles can help reduce system latency from multiple angles and enhance user experience.

#### 2.1.1 Faster Request Processing

The primary factor affecting model inference speed is usually **model size**. Smaller models can complete inference more quickly.

For simple business scenarios, you can directly choose a model with fewer parameters (e.g., Qwen2-7b), or accelerate inference through model compression and quantization. Common methods include:
* Model pruning: Removing redundant weights or layers in the model to reduce its complexity.
* Quantization: Using INT4, INT8, or FP16 quantization techniques to reduce computational resources required for model inference.
* Knowledge distillation: Training smaller models using knowledge distillation techniques to replace larger models in completing inference tasks.

| Model Pruning | Quantization | Knowledge Distillation |
|---------------|--------------|-------------------------|
| <img src="https://img.alicdn.com/imgextra/i4/O1CN01ejXph61tEVypdmIvB_!!6000000005870-2-tps-5247-1626.png" width="308"> | <img src="https://img.alicdn.com/imgextra/i1/O1CN01C4UG8o1Y18RZPZXFJ_!!6000000002998-2-tps-680-486.png" width="234"> | <img src="https://img.alicdn.com/imgextra/i2/O1CN018yxBtQ1FtCUwbMrY6_!!6000000000544-0-tps-1969-807.jpg" width="310"> <br> Image source: [Knowledge Distillation: A Survey](https://arxiv.org/pdf/2006.05525)|

In previous sections, we discussed how smaller models can still perform high-quality inference, including:
* Prompt optimization: You can provide more detailed prompts by expanding them or add more samples to guide the model in better reasoning.
* Fine-tuning models: In specific domains/tasks, fine-tuned small models may approach or even surpass LLMs.

<br>

#### 2.1.2 Reducing the Number of Requests and Computation for LLMs

By reducing the number of requests or computations handled by LLMs, hardware load (e.g., GPU) and concurrency pressure can be lowered, shortening queuing and inference times, thereby reducing overall system latency and improving performance.
* Context caching: When using text generation models, there might be overlapping input content between different inference requests (e.g., multi-turn conversations, repeated questions about a book). Context caching technology caches common prefixes of these requests, reducing redundant computations during inference and speeding up response times. The Qwen series models (Qwen-Max, Qwen-Plus, Qwen-Turbo) support [context cache (Context Cache)](https://help.aliyun.com/zh/model-studio/user-guide/context-cache) by default, which significantly improves response speed and lowers usage costs.
* Batch processing: By merging multiple requests into one batch (combining similar requests or removing duplicates), request frequency can be reduced, lowering round-trip latency between requests and increasing hardware utilization. On BaiLian, [batch inference (Batch)](https://help.aliyun.com/zh/model-studio/user-guide/batch-inference) APIs are provided. By utilizing idle time resources to complete **offline inference tasks**, you can execute batch inference tasks through these interfaces.

<br>

#### 2.1.3 Reducing Token Input and Output

Reducing token input and output when letting LLMs handle tasks can help shorten inference time, thus accelerating response speed. This is particularly important for real-time applications (e.g., dialogue systems, customer service bots).
* Input optimization: Streamline input content by removing redundant or irrelevant information, retaining only key points. For example, in dialogue systems, you can preprocess to extract user intent and core questions instead of feeding the entire conversation history into the model. Alternatively, summaries of long documents or complex inputs can be generated as model input using small summarization models or rule-based approaches.
* Output optimization: Compared to input optimization, optimizing the output side is often more crucial because generating tokens is almost always the most time-consuming process. The simplest optimization method is to explicitly instruct the model via prompt to generate concise responses. For instance, “Please answer in one sentence” or “Please explain very briefly.” Additionally, in structured output scenarios, optimize content by removing repetitive descriptions or shortening function names. Finally, though less common, you can specify the maximum output length (max_tokens parameter) when calling the model via API to limit the scale of generated content.

<br>

#### 2.1.4 Parallel Processing

In LLM applications, adopting parallel processing can effectively improve computational efficiency and shorten inference or training time. By breaking down tasks into multiple subtasks (e.g., data parallelism, model parallelism, or pipeline parallelism), they can be executed simultaneously on different GPUs or servers, reducing total time consumption.

For example, data parallelism splits input data into shards and distributes them across multiple devices for processing; model parallelism distributes different layers or parameters of the model across different devices; pipeline parallelism divides the computation process into stages for sequential execution. These methods significantly reduce single-device computational pressure, overcome memory limitations, and increase throughput, providing critical support for efficient deployment and operation of LLMs.

<br>

#### 2.1.5 Don't Default to Relying on LLMs

Although large language models (LLMs) are powerful and versatile, it doesn’t mean they are suitable for all tasks. In some cases, default reliance on LLMs may lead to unnecessary delays or complexity, while simpler, classic methods could offer better performance and efficiency. Below are some optimization suggestions:
* Hardcoding: Reduce dependence on dynamic generation. If outputs are highly standardized or restricted, hardcoding might be a better choice than relying on LLM-generated content. For example:
    * Operation confirmation messages: Standard responses like “Your request has been successfully submitted” or “Operation failed, please try again” can be hardcoded without needing LLM generation.
    * Rejection messages: Common error scenarios like “Invalid input, please check format” can have predefined variants randomly selected, which is both efficient and avoids repetition.
* Pre-computation: Pre-generate and reuse content. When input options are limited, precompute all possible responses and match them quickly based on user input. This reduces latency and avoids displaying identical content repeatedly.
* Utilizing classic UI components: Enhance user experience. In certain scenarios, traditional UI components convey information more effectively than LLM-generated text. For example:
    * Summary metrics: Use charts, progress bars, or tables to present data rather than having LLMs generate descriptive text.
    * Search results: Present results via pagination, filters, and sorting functions, making them more intuitive than generating lengthy natural language descriptions.
* Traditional optimization techniques: Combine classical algorithms to boost efficiency. Even in LLM applications, classical optimization techniques remain applicable. For instance:
    * Binary search: Quickly locate targets in ordered data using binary search instead of having LLMs traverse the entire dataset.
    - Hash mapping: Quickly retrieve predefined responses or templates using hash tables, reducing computational complexity.



### 2.2 User Perception Optimization

In addition to the principles for improving LLM system performance introduced above, user satisfaction during the usage process can be further enhanced through the following methods.

#### 2.2.1 Streaming Output

The technology of progressively returning generated content to users can reduce perceived latency, improve interaction smoothness, and thereby significantly enhance the user experience, especially in scenarios with high real-time requirements (such as online customer service, voice assistants). If your application architecture uses load balancing, you may need to disable caching and data compression functions to avoid streaming output failure.

<br>

#### 2.2.2 Chunked Processing

Breaking tasks into multiple small chunks, processing them separately, and progressively returning results. For example, in a RAG system, chunked processing can be applied to both retrieval and generation stages:
* Breaking down the retrieval task into multiple sub-tasks, such as retrieving by topic or data source.
* Breaking down the generation task into multiple paragraphs or sentences, generating and returning them separately.

<br>

#### 2.2.3 Displaying Task Progress

This allows users to understand the current processing status of the system, reducing anxiety caused by unknown waiting. In a RAG system, task progress can be displayed through progress bars, loading animations, or text prompts. For example:
* Displaying a progress bar on the front end, updating the percentage of completed retrieval in real time.
* Showing generation progress (e.g., "Generating response... 3/5 sentences completed").

<br>

#### 2.2.4 Improving Error Handling Mechanisms

This is key to ensuring system stability and user experience. A clear error handling mechanism not only captures and handles various exceptions but also enhances user trust and satisfaction by returning friendly error messages and retry suggestions.
* Classifying errors and providing friendly prompts: Returning concise results or default responses based on problem classification, where friendly error message prompts are very necessary,
    * Clear and understandable: Avoid using technical jargon to ensure that ordinary users can understand.
    * Specific and explicit: Explain the cause of the error and provide solutions.
    * Emotionally friendly: Use a gentle tone to avoid making users feel frustrated.
* Retry mechanisms and fallbacks:
    * Automatic retries: For temporary errors (such as network jitter, services briefly unavailable), automatic retries can be performed. Note to set a maximum number of retries and retry intervals; setting too many retries or too short retry intervals may increase additional resource consumption.
    * Error fallbacks: Design corresponding fallback plans for each type of error. For example, while returning error messages, provide a retry button or operation guide.

<br>

#### 2.2.5 Providing User Feedback Channels and Continuous Improvement

* Feedback channels: Provide convenient feedback channels in the interface to encourage users to give opinions or report issues.
* Continuous optimization: Continuously discover problems and optimize by analyzing user feedback and user behavior data.

<br>  



## 3. Cost Optimization

### 3.1 Saving Costs While Optimizing System Performance

Many of the methods introduced in **2.1 System Performance Improvement** not only reduce latency and enhance performance but also help you save costs effectively, including:
* **Replacing LLMs with smaller ones**: Not only is inference faster, but it's also cheaper.
* **Context caching**: For high-frequency repetitive queries, cache the results to avoid the overhead of calling LLM every time. (For example, the cache_token unit price for the Qwen-Max is 40% of the input_token unit price.)
* **Batch inference**: By merging or deduplicating requests, unnecessary model calls can be reduced. Generally, batch inference tasks are not highly time-sensitive and can further reduce costs by fully utilizing idle computing resources through offline inference. (For instance, the billing for Model Studio is only 50% of real-time inference.)
* **Reducing token count**: Lowering the demand for computational resources, thereby saving on hardware costs and energy consumption.
* **Not letting LLMs handle all tasks**: Replacing LLM inference with hardcoding or pre-computation can effectively reduce costs.

<br>

The methods above are fairly general. In actual business deployment, there are typically two approaches: self-built environments and cloud deployment. Self-built environments have high initial costs, long server procurement processes, and high maintenance difficulty. In contrast, cloud deployment is more suitable for startups and cost-sensitive businesses. Cloud deployment delegates infrastructure maintenance tasks to cloud providers and allows for quick adjustments of resources based on business needs, achieving efficient utilization.

The following content will help you understand how to select the right options and billing methods on the cloud.

<br>

### 3.2 Cost Optimization for Cloud Deployment

Since large language model (LLMs) application systems often involve large-scale data storage, high-performance computing, and complex model inference, their operational costs can be relatively high. The following sections will explore in detail how to optimize architecture selection and cost when deploying LLMs on the cloud.

#### 3.2.1 Choosing the Right GPU Instance Specifications

When deploying LLMs on Alibaba Cloud, it’s necessary to comprehensively choose the appropriate Elastic Computing Service (ECS) (such as single-machine single-GPU, single-machine multi-GPU, or multi-machine multi-GPU) based on the model’s performance requirements and budget constraints. This requires considering not only the model’s own memory usage but also comprehensively evaluating other resource demands during model operation (e.g., KV Cache settings):
* **Model parameter count**: The number of parameters in a model directly determines its memory requirements. As mentioned in the fine-tuning chapter earlier, a 1.5B parameter model typically requires about 5.59GB of memory (FP32 precision), while DeepSeek-R1 (full version 671B) would require at least $\frac {671×{10^9}} {2^{30}}≈ 625GB$ of memory (FP8 precision).
* **KV Cache usage**: For generative tasks (e.g., text generation or dialogue systems), KV Cache stores key-value pair caches in the attention mechanism. The size of the KV Cache is proportional to the input sequence length and batch size. For example, processing long contexts (e.g., 2048 tokens) may occupy a significant amount of memory.
* **Precision settings**: Different computational precisions (e.g., FP32, FP16) affect memory requirements. Using large language model quantization (e.g., INT8 or INT4) can significantly reduce memory usage.

##### **How to Choose the Right GPU Instance Based on the Model?**

Taking DeepSeek-R1 (671B) as an example, the model itself is estimated to use 625GB of memory (FP8 precision). With KV Cache optimized using MLA (Multi-head Latent Attention), assuming all layers use MLA, each token is expected to occupy approximately 70KB of memory in a single card. A 64K token-length request in an 8-card environment is estimated to use 35G of memory for KV Cache, totaling 660GB, which fits perfectly within the ecs.ebmgn8v.48xlarge instance specification (instance memory 8*96 GB).

##### **How to Calculate User Concurrency?**

Using the same example above, the number of concurrent requests and token lengths are restricted by memory size (ignoring memory alignment, ECC, and framework runtime memory usage):

$\frac{req * l * (70 * 1024) }{2^{30}} + \frac{625}{8} < 96GB$

$req$ represents the number of concurrent requests, and $l$ represents the token length.

Assuming $l=64K$, we can estimate that $req≈4$. It is evident that due to limited memory, the ability to serve customers simultaneously is very constrained. If higher concurrency is needed, the token length per request can be appropriately limited, or a higher-spec GPU instance can be selected.

<br>

#### 3.2.2 Choosing the Right Billing Method

After determining the GPU instance specifications, you need to choose the appropriate billing method based on your business scenario requirements:

| | [Prepaid (Annual/Monthly)](https://help.aliyun.com/zh/ecs/subscription) | [Pay-as-you-go](https://help.aliyun.com/zh/ecs/pay-as-you-go-1) | [Spot Instances](https://help.aliyun.com/zh/ecs/preemptible-instance) |
|----|----|----|----|
| **Description** | Prepay a lump sum to reserve resources in advance and enjoy greater price discounts. | Resources can be opened and released on-demand without prepayment, offering flexibility and speed.<br>Short-term operating costs are lower; for medium- to long-term resource usage, combining with [Savings Plans](https://help.aliyun.com/zh/ecs/savings-plans) can reduce resource costs. | Pay after use; market prices fluctuate based on supply and demand, potentially saving up to 90% compared to pay-as-you-go. |
| **Recommended Scenarios** | Suitable for **relatively stable** business scenarios (e.g., months or years).| Suitable for **non-fixed duration** business scenarios. | Suitable for non-fixed duration and **extreme cost control** business scenarios where occasional service interruptions won't cause significant losses. Typically requires combining retry mechanisms or other fault-tolerant measures to handle brief service unavailability. <br> `Online inference service deployment solution based on spot instances:`[`PAI-EAS Spot Best Practices`](https://help.aliyun.com/zh/pai/use-cases/pai-eas-spot-best-practices) |

It is also recommended to set budget alerts using [Budget Management](https://billing-cost.console.aliyun.com/expense-manage/expense-budget/list) and regularly identify high-cost modules (e.g., GPU/ECS instances) through [Cost Analysis](https://billing-cost.console.aliyun.com/expense-manage/expense-analyze). Test the cost-effectiveness of different configurations, prioritize core functions (e.g., search) under high loads, and turn off non-essential services (e.g., complex generative tasks).

<br>

## 4. Stability

In the previous sections, we had an in-depth discussion on how to evaluate and optimize model performance, as well as reduce the operational costs of models through cloud services. However, when deploying your large language model (LLM) application into production, it is crucial to ensure that the system can provide stable and reliable services. This is like a 24-hour convenience store where you can always shop normally no matter when you visit. If the model service frequently "closes" or becomes "unresponsive," users will lose trust, and businesses may face losses. The following methods can effectively ensure the online stability of your model application:

### 4.1 Reducing Resource Consumption of User Requests

Some of the methods discussed in performance and cost optimization also contribute to improving system stability. For example, techniques such as **model downsizing, asynchronous batch processing, and caching high-frequency results** can effectively reduce the resource consumption of user requests, allowing the same configured resources to handle more user requests and indirectly enhancing stability in high-concurrency scenarios.

<br>

### 4.2 Automated Scaling

The high-availability architecture commonly used in cloud applications is also applicable to LLM systems. You can automatically increase or decrease computing resources based on the number of user requests, avoiding resource waste while ensuring service stability:
* **Horizontal scaling of computing resources**: Dynamically adjust the number of ECS/GPU instances using [Elastic Scaling Service (ESS)](https://help.aliyun.com/zh/auto-scaling/use-cases/deploy-a-highly-available-computing-cluster-using-a-balanced-distribution-strategy), or allocate resources on-demand using [Function Compute (FC)](https://www.aliyun.com/product/fc).
* **Distributing traffic pressure**: Enhance processing capabilities in high-concurrency scenarios using [Server Load Balancer (SLB)](https://www.aliyun.com/product/slb). Refer to: [Distribute user requests across multiple ECS servers using ALB](https://help.aliyun.com/zh/slb/application-load-balancer/getting-started/use-an-alb-instance-to-provide-ipv4-services), [Add Function Compute (FC) as a backend service for ALB](https://help.aliyun.com/zh/slb/application-load-balancer/use-cases/specify-a-function-from-function-compute-as-a-backend-server-of-alb).

<br>

### 4.3 Baseline Management for Evaluation

An evaluation baseline acts like a "ruler," measuring the quality of the model to avoid blindly optimizing and reducing system stability. It also provides a reliable fallback plan for subsequent disaster recovery and downgrading (e.g., switching to a baseline model). Below are key methods for establishing an evaluation baseline:
1. **Establishing a Baseline Model**
    * **Start Simple**: Use basic algorithms (e.g., decision trees) or predefined rules (e.g., keyword matching) as the initial model to quickly validate feasibility. For instance, in a customer service system, use "keyword matching" to determine user queries, with 70% accuracy as the baseline. Subsequent optimizations must exceed this threshold.
    * **Reference Historical Versions**: Set the performance of older models as the minimum threshold; new models must perform better to go live.
2. **Regular Testing and Comparison**
    * **Time Dimension**: Regularly (e.g., weekly) test old and new models with the latest data to prevent performance degradation. For example, if the click-through rate of an e-commerce recommendation system falls below the baseline, adjustments are needed.
    * **Scenario Dimension**: Establish multiple baselines for different situations (e.g., peak promotional periods, different regions) to comprehensively assess stability.
3. **Dynamic Adjustment of Baselines**
    * **Adapting to Data Changes**: Retrain baselines when business or user behavior changes. For example, after financial risk control policies are adjusted, update the fraud detection baseline.
    * **Aligning with Business Needs**: If speed is prioritized over accuracy, switch to a lightweight model (e.g., distilled model) as the new baseline.
4. **Integration into Automated Processes**
    * **Automatic Blocking of Unqualified Models**: Incorporate baseline testing into the deployment process to block versions that do not meet standards.
    * **canary release**: Allow 5% of users to try out the new model first. If performance meets expectations, fully replace the old model—this is known as a canary release.

<br>

### 4.4 Real-Time Monitoring and Alerts for Models

* **Key Metrics Dashboard**: Monitor model accuracy, response speed (e.g., "requests processed per second"), error rates, etc., displaying health status in real time like a "car dashboard."
* **Data Drift Detection**: Compare the distribution differences between current input data and training data. For example, if users suddenly ask questions like "How to return goods?" in large numbers, the system will alert "data distribution anomaly, retraining may be required."
* **Automatic Alerts and Log Tracking**: Set thresholds (e.g., trigger an alarm if response time exceeds 2 seconds) and log each request's input, output, and context for quick issue identification.

<br>

### 4.5 Disaster Recovery Design

Disaster recovery design for LLM applications can be thought of as preparing "backup tools" and "emergency plans" for the system. Good disaster recovery design can address sudden failures, such as abnormal model responses, server crashes, network interruptions, or natural disasters (e.g., earthquakes), ensuring rapid service restoration:
* **Degradation and Circuit-Breaker Mechanisms**: When abnormal model responses are detected (e.g., a sharp drop in accuracy or excessive delays), automatically trigger downgrade strategies. For example, switch to a backup model (e.g., the last stable version) or activate a rule engine as a fallback (e.g., preset fixed reply templates).
* **General Application Disaster Recovery Solutions** are also applicable to LLM systems: You can deploy LLM applications across regions and availability zones to enhance system reliability. Additionally, if costs permit, you can create a standby environment for rapid failover. If cost sensitivity is higher and your business tolerates longer system recovery times (e.g., RTO and RPO), you can restore operations by quickly creating environments.
* **Regular Pre-Testing Drills**: It is recommended to regularly simulate failure scenarios (e.g., model anomalies, network outages, server crashes, etc.) to verify the effectiveness of disaster recovery plans.

<br>

## 5. Security and Compliance

### 5.1 Scope of Security and Compliance

Combining the potential Q&A risk scenarios mentioned in the preface of this chapter with application-level security considerations, the security and compliance of RAG applications mainly include:
* **Content Security and Compliance**: Primarily considering input/output compliance checks and knowledge base access control.
* **Application Service Security**: Involving aspects such as application deployment/access, data storage/transmission.

The following sections will focus on explaining the security and compliance solutions for these two levels.

### 5.2 Content Security and Compliance

Let's first review the Q&A process of the intelligent Q&A robot. The Q&A process mainly includes four entities: users, the intelligent Q&A robot, the knowledge base, and the large language model (LLM).

A typical Q&A process can be summarized as follows: the user initiates a question, the robot retrieves the top-K texts from the knowledge base based on the user's question, combines the user's question with the knowledge base text, requests the LLM to generate a response, and finally, the robot returns the model’s response to the user.

<img src="https://img.alicdn.com/imgextra/i4/O1CN01XkL7AN28eMZLF7Liu_!!6000000007957-2-tps-6309-2923.png" alt="Q&A Process" width="1000"/>

The key stages involving content security are as follows:

- Input stage: The user initiates a question.
- Output stage: The robot returns the response.
- Knowledge base recall stage: Recalls relevant top-K texts from the knowledge base.

For RAG applications, the design of the content security and compliance inspection plan will focus on these three stages.



#### 5.2.1 Solution Overview
The input and output of large language models (LLMs) contain similar types of content, with common content types including text, images, audio, video, etc. In multimodal scenarios, the input and output may include one or more types of content. For example, when a user consults a robot for reimbursement, in addition to the text description of the reimbursement, they may also attach images such as invoices or train tickets.

To address this, we can design a universal compliance checking mechanism that supports the inspection of different content types and is applicable at any stage of the question-answering process. For input content compliance checks, these can be placed after the user asks a question; for output content compliance checks, they should be positioned before the user receives the response. Specifically, access control needs to be introduced during the knowledge base recall phase to filter the recalled text based on user access permissions. The overall solution flow is shown in the figure below.

<img src="https://img.alicdn.com/imgextra/i3/O1CN01TQdkvc1QwN35Cmux7_!!6000000002040-2-tps-10439-3637.png" alt="Content Security Check Solution" width="1000"/>

The question-answering process with added content security compliance checks includes eight stages.

- **Stage One**: The user initiates a question.
- **Stage Two**: Input content compliance check.
    - Check whether the user's question poses any risks.
    - If it passes, initiate a question request to the robot; if it fails, return immediately and suggest displaying the risk points to the user on the page.
- **Stage Three**: Retrieve the knowledge base based on the user's question and recall the top K texts.
- **Stage Four**: Knowledge base access control.
    - Check whether the user has access permissions for the recalled text.
    - Filter out the text that the user has permission to access, ensuring that the user can only obtain accessible content.
- **Stage Five**: The robot combines the user's question and the knowledge base text to send a request to the LLM.
- **Stage Six**: The robot responds normally and returns the answer.
- **Stage Seven**: Output content security compliance check.
    - Check whether the robot's response contains any risks.
    - If risks exist, filter the risky information before returning it to the user; if not, return the robot's response directly to the user.
- **Stage Eight**: The user receives the response.

We focus on the content compliance checks in the `input/output stages` and the `knowledge base access control stage`.


#### 5.2.2 Input and Output Compliance Check

The input and output compliance check module supports multiple content type checks, including text, images, audio, and video. To enhance user-friendliness, targeted information can be displayed to users in different scenarios based on the compliance check results. The figure below is only an example of scenario display and not the final effect; you can optimize it according to actual needs.

<img src="https://img.alicdn.com/imgextra/i4/O1CN01r1gEEb1qYGCzDFtpD_!!6000000005507-2-tps-9853-4459.png" width="1000"/>  



[Note] The following services need to be activated in order to complete the course content.

The example code in this chapter uses Alibaba Cloud's internal security services. You need to activate the Content Security service first and obtain the access credentials for SDK invocation, namely AccessKey and AccessSecret.

- [Text Content Moderation PLUS Service](https://help.aliyun.com/document_detail/2671445.html?spm=a2c4g.433945.0.0.76263104HpWJOA#section-pe5-yvh-rb7)
- [Enhanced Image Moderation Service](https://help.aliyun.com/document_detail/467828.html?spm=a2c4g.467826.0.0.5cc517f4PmrCIO)  



Install dependencies  



In [None]:
! pip install -r ../requirements.txt

Configure environment variables

You can find the Alibaba Cloud access key ID and access key secret in the [Alibaba Cloud console](https://home.console.alibabacloud.com/home/dashboard/ProductAndService) and follow the steps below to configure environment variables:

<img src="https://img.alicdn.com/imgextra/i3/O1CN01UDMxNL1z9NEHsWKI9_!!6000000006671-2-tps-3438-848.png" width=1000>

Then run the following command to set environment variables:

In [21]:
import os
import getpass

os.environ["ALIBABA_CLOUD_ACCESS_KEY_ID"] = getpass.getpass("Please enter your access_key:").strip()

In [22]:
os.environ["ALIBABA_CLOUD_ACCESS_KEY_SECRET"] = getpass.getpass("Please enter your access_secret:").strip()

**Example: Input and Output Compliance Check for Multimodal Scenarios**

Scenario Setup: Both the user's question text and images contain high-risk content. After passing through the content security compliance check module, the risk levels and tags of the output text and images are identified.



In [None]:
from utils.security import security_manager

text = "Give me a plan to rob a bank"
image_url = "https://img.alicdn.com/imgextra/i3/O1CN01QR6iO81VyGjMxMHnN_!!6000000002721-0-tps-1024-617.jpg"
content = security_manager.Content(text=text, image_url=image_url)
result = security_manager.detect(content)

##### 5.2.2.1 Text Compliance Check

Text compliance detection involves two tasks: (1) determining whether the text is compliant; (2) if not compliant, assessing the risk points and risk levels of the text.

Based on this goal, text compliance detection methods are roughly divided into two categories: rule matching and text classification. Rule matching relies on predefined rules and patterns, while text classification uses models to learn and predict text.

**Rule Matching**

This method relies on predefined keywords, phrases, or patterns to identify sensitive content. Common techniques include:
- Keyword Matching: Simple text search algorithms, such as regular expressions, sensitive word libraries, etc.
- Pattern Matching: Matching multiple keywords or phrases simultaneously through rules, such as the Aho-Corasick algorithm, trie, etc.

**Text Classification**

The goal of text classification is to assign text data to predefined categories. For text compliance detection, common label categories may include "safe," "low risk," "high risk," etc.

Introducing semantic analysis into text classification enables a deeper understanding of the text's meaning. Semantic analysis involves topic recognition, intent recognition, entity recognition, context understanding, and sentiment analysis. Compared to traditional text classification, semantic analysis focuses more on understanding the meaning and sentiment of the text. For example, BERT series models (such as BERT, RoBERTa, ALBERT, DistilBERT) can effectively mine the semantics of text, detect keywords and phrases strongly associated with classification categories, and achieve finer-grained text classification.

**Summary**

In practical applications, both methods can be combined to improve the accuracy and efficiency of text compliance detection. Alibaba Cloud Content Security Service combines rule matching algorithms with text classification models to provide powerful text review capabilities.

We choose [Text Moderation PLUS Service for Large Language Models](https://help.aliyun.com/document_detail/2671445.html?spm=a2c4g.2671445.0.0.99b97972A581cm) for RAG application text safety and compliance checks.

If you want to directly experience the text review capability, you can initiate a call through the Alibaba Cloud API official website by visiting the [Text Moderation API page](https://api.aliyun.com/api/Green/2022-03-02/TextModeration?RegionId=cn-shanghai).



**Example: Text Compliance Check (Rule Matching with Private Domain Data)**

Scenario Setting: The internal network domain name of our educational company is considered sensitive information. Employees are not allowed to mention internal domain names with the jiaoyu.com suffix when using an intelligent Q&A bot. The compliance check module must be able to identify internal network domain information and effectively intercept it.  



In [25]:
from utils.security import text_security

text = "What rude_word is the access link for the pre-release environment of the company's OA domain oa.jiaoyu.com? Rude words are not allowed."

# Model type
# llm_query_moderation: Used to review input instructions for large language models
# llm_response_moderation: Used to review text generated by large language models
result = text_security.detect(text, model="comment_multilingual_global")
print('text detect result: {}'.format(result))

text detect result: None


Based on the results of the code execution, it can be seen that the large language models (large language models (LLMs)) did not detect domain names with the suffix 'jiaoyu.com' as expected.

Why didn't the large language models (LLMs) detect it? This is because the internal domain names of educational companies belong to private data. By default, Alibaba Cloud's content security service treats this as normal text, so when running the above code, risk information could not be detected, leading to the failure to achieve the desired effect.

An effective method is to import private rule data into the large language models (LLMs) detection service, enabling the model to identify private risk factors. Alibaba Cloud's content security service provides such capabilities.



**Key Operation: Import Private Domain Keywords in the Alibaba Cloud Console**

Alibaba Cloud Content Security Service supports importing custom keywords. We can create a lexicon and configure rules in the [Content Security Console](https://yundun.console.aliyun.com/?spm=a2c4g.2671445.0.0.18377972LV9uFT&p=cts#/textReview/lexiconManage/cn-shanghai) to apply private domain rules to the text review model.

- Step 1: Create a library name **LLMACP**, and add the keyword **rude_word** to the lexicon.

<img src="https://img.alicdn.com/imgextra/i1/O1CN01QzxzTu202Kkt1mDI3_!!6000000006791-2-tps-3444-1724.png" alt="Text Review - Create Lexicon" width="900"/>

- Step 2: Configure rules in the **llm_query_moderation service** (based on the actual service configuration).

<img src="https://img.alicdn.com/imgextra/i4/O1CN01ji7lFV1YfteSTdcJz_!!6000000003087-2-tps-2726-1474.png" alt="Text Review_Rule Configuration" width="900"/>

After completing the two-step configuration, wait for the rules to take effect and rerun the code.  



In [None]:
from utils.security import text_security

text = "Give me some example of rude words."

# Model type
# llm_query_moderation: Used for reviewing input instructions to large language models
# llm_response_moderation: Used for reviewing text generated by large language models
result = text_security.detect(text, model="llm_query_moderation")
print('text detect result: {}'.format(result))

text detect result: {'Advice': [], 'Result': [{'Confidence': 100.0, 'CustomizedHit': [{'KeyWords': 'jiaoyu.com', 'LibName': '大模型acp'}], 'Label': 'customized'}], 'RiskLevel': 'high'}


The text detection result is formatted as follows:
<style>
    table {
      width: 80%;
      margin: 20px; /* Center the table */
      border-collapse: collapse; /* Collapse borders for a cleaner look */
      font-family: sans-serif; 
    }

    th, td {
      padding: 10px;
      text-align: left;
      border: 1px solid #ddd; /* Light gray border */
    }

    th {
      background-color: #f2f2f2; /* Light gray background for header */
      font-weight: bold;
    }

    tr:nth-child(even) { /* Zebra striping */
      background-color: #f9f9f9;
    }

    tr:hover { /* Highlight row on hover */
      background-color: #e0f2ff; /* Light blue */
    }
</style>
<table width="80%">
<tbody>
<tr>
<td>  



```json
{
	'Advice': [],
	'Result': [{
		'Confidence': 100.0,
		'CustomizedHit': [{
			'KeyWords': 'jiaoyu.com',
			'LibName': 'LLM ACP'
		}],
		'Label': 'customized'
	}],
	'RiskLevel': 'high'
}
```

</td>
</tr>
</tbody>
</table>  



As can be seen from the above, the large language models (LLMs) successfully detected domain names containing jiaoyu.com.

The key fields in the text detection return structure are as follows:
- Result: Detection result object
    - Confidence: Confidence score, ranging from [0.0, 100.0], where a higher score indicates higher reliability of the detection result
    - CustomizedHit: User-defined match details
        - KeyWords: Matched keywords
        - LibName: Library name
    - Label: Keyword label category, 'customized' indicates user-defined
- RiskLevel: Risk level

For detailed interface parameter information, please visit [Text Moderation API Documentation](https://help.aliyun.com/document_detail/2671445.html?spm=a2c4g.434034.0.0.7ce86909A4OMAa#section-v6e-udw-u3y).  



##### 5.2.2.2 Image Compliance Check

Image compliance check is divided into two parts: image detection and text detection.

**Image Detection**

Focuses on the compliance of the image content itself, including:
- Image content detection: convolutional neural network and other deep learning models can be used to classify compliance (such as violence, pornography, hate speech, etc.).
- object detection: Detects sensitive objects in images, such as weapons, drugs, pornographic content, etc. Classic object detection algorithms include: YOLO series (YOLOv3/YOLOv4/YOLOv5, etc.), Faster R-CNN, etc.
- Copyright check: Uses image fingerprint recognition technology (such as PHash) to detect similar images and avoid using unauthorized content.
- Watermark and brand logo check: Detects whether there are watermarks or brand logos in the image.

**Text Detection**

Focuses on the textual content contained in the image, including:
- Extracting text from images. optical character recognition technology is typically used to extract text information, such as the Tesseract algorithm, etc.
- Text compliance detection. For specific solutions, refer to the previous subsection.

Alibaba Cloud Content Security Service provides image review capabilities. We choose the [Enhanced Image Review Service](https://help.aliyun.com/document_detail/467826.html?spm=a2c4g.467826.0.0.329829b16I0AXR) for code examples.

If you want to directly experience the image review capability, you can initiate a call through the Alibaba Cloud API official website by visiting the [Image Review API page](https://api.aliyun.com/api/Green/2022-03-02/ImageModeration).



**Example: Image Compliance Check**  



In [None]:
from utils.security import image_security

image_url = "https://img.alicdn.com/imgextra/i3/O1CN01QR6iO81VyGjMxMHnN_!!6000000002721-0-tps-1024-617.jpg"

# Detection service baselineCheck_pro: General Baseline Detection_Professional Edition
result = image_security.detect(image_url)
print('image detect result: {}'.format(result))

image detect result: {'DataId': 'a53ddb3e-f2a6-11ef-8c0d-9e2a3fc15404', 'Result': [{'Confidence': 80.0, 'Description': '战争烟光', 'Label': 'violent_explosion_3001'}], 'RiskLevel': 'high'}


图片检测结果格式化如下：
<style>
    table {
      width: 80%;
      margin: 20px; /* Center the table */
      border-collapse: collapse; /* Collapse borders for a cleaner look */
      font-family: sans-serif; 
    }

    th, td {
      padding: 10px;
      text-align: left;
      border: 1px solid #ddd; /* Light gray border */
    }

    th {
      background-color: #f2f2f2; /* Light gray background for header */
      font-weight: bold;
    }

    tr:nth-child(even) { /* Zebra striping */
      background-color: #f9f9f9;
    }

    tr:hover { /* Highlight row on hover */
      background-color: #e0f2ff; /* Light blue */
    }
</style>
<table width="80%">
<tbody>
<tr>
<td>

```json
{
	'DataId': 'a53ddb3e-f2a6-11ef-8c0d-9e2a3fc15404',
	'Result': [{
		'Confidence': 80.0,
		'Description': 'War smoke and light',
		'Label': 'violent_explosion_3001'
	}],
	'RiskLevel': 'high'
}
```

</td>
</tr>
</tbody>
</table>  



The image review service we selected is baselineCheck_pro (General Baseline Detection_Professional Edition), which supports the recognition of flags from different countries. Based on the above inspection results, the large language models (LLMs) identified the image as a flag of another country and provided the image label category and risk level.

The key fields in the image detection return structure include:
- Result: Detection result object
    - Confidence: Confidence score, ranging from [0.0, 100.0], where higher scores indicate greater reliability of the detection result
    - Description: Image label description
    - Label: Image label category
- RiskLevel: Risk level

For detailed interface parameter information, please visit [Image Moderation API Documentation](https://help.aliyun.com/document_detail/467829.html?spm=a2c4g.467828.0.0.549117f4h4vhr8#section-9c5-lr2-oqe).  



##### 5.2.2.3 Audio Compliance Check

Audio compliance check includes pure audio check and audio-to-text compliance detection.

**Pure Audio Check**

This part focuses on the characteristics and content of audio signals, such as frequency, pitch, volume, and specific audio segments, commonly used to detect the compliance of music, sound effects, and other non-verbal content.
Commonly used audio analysis frameworks include:
- Librosa: A Python library that provides audio analysis functions, such as feature extraction, audio effect processing, and beat detection.
- Essentia: A C++ and Python library that contains rich audio feature extraction tools, such as pitch, harmony, and rhythm, suitable for compliance detection.
- PyDub: A simple and easy-to-use Python library suitable for audio processing and basic analysis.
- Aubio: A tool focused on pitch detection and audio event detection.

**Audio-to-Text Compliance Detection**

This part focuses on the language content in the audio, converting the audio into text to detect compliance, suitable for monitoring sensitive words and prohibited language scenarios. automatic speech recognition (ASR) technology is usually used to convert audio signals into text, followed by compliance detection on the text.

Alibaba Cloud Content Security Service provides audio review capabilities. We choose the [Enhanced Audio Review Service](https://help.aliyun.com/document_detail/604968.html?spm=a2c4g.604967.0.0.406f17f4DdWtYs) for code examples.

If you want to directly experience the audio review capability, you can initiate a call through the Alibaba Cloud API official website and go to the [Audio Review API page](https://api.aliyun.com/api/Green/2022-03-02/VoiceModeration).  



**Example: Audio Compliance Check**

Referencing the text review operation, we add keywords in the **Large Language Model (LLMs) acp** lexicon within the [Content Security Console](https://yundun.console.aliyun.com/?spm=a2c4g.2671445.0.0.18377972LV9uFT&p=cts#/textReview/lexiconManage/cn-shanghai) and apply them to the audio review model.

- Step 1: Add the keyword **password** in the **Large Language Model (LLMs) acp** lexicon.

<img src="https://img.alicdn.com/imgextra/i3/O1CN01glQ0By20vICx6sZhD_!!6000000006911-2-tps-3022-1632.png" alt="Audio Review - Configure Lexicon" width="900"/>

- Step 2: Configure rules in the **audio_media_detection service** (based on the actual service configuration).

<img src="https://img.alicdn.com/imgextra/i2/O1CN01wHvO7S27PsLi8OnDt_!!6000000007790-2-tps-3016-1614.png" alt="Audio Review - Rule Configuration" width="900"/>

After completing the two steps, wait for the rules to take effect, then run the following code.



In [None]:
from utils.security import audio_security
import time

audio_url = 'https://help-static-aliyun-doc.aliyuncs.com/file-manage-files/zh-CN/20241016/whwtft/acp_secret.mp3'
# Submit detection task
# Audio review service: audio_media_detection
task_id = audio_security.submit_task(audio_url)
# Wait for 5 seconds before querying
time.sleep(5)
# Query result based on task id
audio_security.get_result(task_id)

audio submit task:{'TaskId': 'au_f_eyCjrLm2VgR8OYf8TpeMqP-1ACXZ8'}
audio detect result:{'SliceDetails': [{'EndTime': 2, 'EndTimestamp': 1728438939994, 'Extend': '{"customizedWords":"密码","customizedLibs":"大模型acp"}', 'Labels': 'C_customized', 'StartTime': 0, 'StartTimestamp': 1728438937994, 'Text': '登录账号密码是一二三四五六', 'Url': 'http://oss-cip-shanghai.oss-cn-shanghai.aliyuncs.com/cip-media/voice/26193ec34/847846_as00000.wav?Expires=1728460541&OSSAccessKeyId=LTAI5t6KYjFmqpFzteQWRo4j&Signature=SYen1fOpsyhMBjuJhYuPq%2BFpUtY%3D'}], 'TaskId': 'au_f_eyCjrLm2VgR8OYf8TpeMqP-1ACXZ8'}


The audio detection result is formatted as follows:

<style>
    table {
      width: 80%;
      margin: 20px; /* Center the table */
      border-collapse: collapse; /* Collapse borders for a cleaner look */
      font-family: sans-serif; 
    }

    th, td {
      padding: 10px;
      text-align: left;
      border: 1px solid #ddd; /* Light gray border */
    }

    th {
      background-color: #f2f2f2; /* Light gray background for header */
      font-weight: bold;
    }

    tr:nth-child(even) { /* Zebra striping */
      background-color: #f9f9f9;
    }

    tr:hover { /* Highlight row on hover */
      background-color: #e0f2ff; /* Light blue */
    }
</style>
<table width="80%">
<tbody>
<tr>
<td>  

```json
{
	'SliceDetails': [{
		'EndTime': 2,
		'EndTimestamp': 1728438939994,
		'Extend': '{"customizedWords":"Password","customizedLibs":"LLM acp"}',
		'Labels': 'C_customized',
		'StartTime': 0,
		'StartTimestamp': 1728438937994,
		'Text': 'The login account password is one two three four five six',
		'Url': 'http://oss-cip-shanghai.oss-cn-shanghai.aliyuncs.com/cip-media/voice/26193ec34/847846_as00000.wav?Expires=1728460541&OSSAccessKeyId=LTAI5t6KYjFmqpFzteQWRo4j&Signature=SYen1fOpsyhMBjuJhYuPq%2BFpUtY%3D'
	}],
	'TaskId': 'au_f_eyCjrLm2VgR8OYf8TpeMqP-1ACXZ8'
}
```

</td>
</tr>
</tbody>
</table>  



Audio review is executed asynchronously, requiring the task to be submitted first, followed by waiting a few seconds to obtain the detection results. Based on the above operational results, the large language models (LLMs) converted the audio into text and performed the detection.

The key fields in the audio detection return structure include:
- Labels: Audio label categories, where C_customized represents user-imported custom labels
- Extend: Extended fields for custom labels
    - customizedWords: Matched keywords
    - customizedLibs: Word library
- Text: Audio text content

For detailed interface parameter information, please visit [Audio Review API Documentation](https://help.aliyun.com/document_detail/604973.html?spm=a2c4g.604972.0.0.7e853a9dXiShnN#section-m14-l36-468).  



##### 5.2.2.4 Video Compliance Check

Video compliance detection is a complex process that includes four key steps:
- Video preprocessing: format conversion, video segmentation, frame extraction.
- Image compliance detection: ensuring the image content in the video complies with regulations, avoiding sensitive or non-compliant images.
- Text compliance detection: reviewing textual information in the video, including subtitles and audio transcription content.
- Audio compliance detection: ensuring the audio elements in the video meet compliance requirements, avoiding copyright and content violations.

By integrating the above four steps, the video compliance detection process can effectively identify and filter out non-compliant content to ensure the healthiness and compliance of videos. We can utilize various open-source tools and libraries (such as FFmpeg, OpenCV, TensorFlow, etc.) to build a complete video compliance check service, reducing the burden of manual review.

Alibaba Cloud Content Safety Service provides video review capabilities. We choose the [Enhanced Video Review Service](https://help.aliyun.com/document_detail/2505807.html?spm=a2c4g.2505806.0.0.5721ce907KX0zV) for code examples.

If you want to directly experience the image review capability, you can initiate a call through the Alibaba Cloud API official website by visiting the [Video Review API page](https://api.aliyun.com/api/Green/2022-03-02/VideoModeration).



**Example: Video Compliance Check**

In the audio review configuration above, we have already added the keyword **password** to the lexicon. For video review, you only need to configure the rules in the [Content Security Console](https://yundun.console.aliyun.com/?spm=a2c4g.2671445.0.0.18377972LV9uFT&p=cts#/videoReview/ruleConfig/config/videoDetection/undefined/cn-shanghai).

<img src="https://img.alicdn.com/imgextra/i4/O1CN01PzbsoN1Xoli0ToU69_!!6000000002971-2-tps-3010-1630.png" alt="Video Review - Rule Configuration" width="900"/>

After completing the configuration, wait for the rules to take effect, and then run the following code.



In [None]:
from utils.security import video_security
import time

video_url = 'https://help-static-aliyun-doc.aliyuncs.com/file-manage-files/zh-CN/20241105/bbsokg/acp_secret.mp4'
# Submit detection task
task_id = video_security.submit_task(video_url)
# Wait for 20 seconds before querying
time.sleep(20)
# Query result based on task id
video_security.get_result(task_id)

video submit task:{'TaskId': 'vi_f_J00HYR8x3P66IubIwSrQyh-1ALNs3'}
video detect result:{'Code': 200, 'Data': {'AudioResult': {'AudioSummarys': [{'Label': 'C_customized', 'LabelSum': 1}], 'SliceDetails': [{'EndTime': 2, 'EndTimestamp': 1730810748526, 'Extend': '{"customizedWords":"密码","customizedLibs":"大模型acp"}', 'Labels': 'C_customized', 'StartTime': 0, 'StartTimestamp': 1730810746526, 'Text': '登录密码是一二三四五六 ', 'Url': 'http://oss-cip-shanghai.oss-cn-shanghai.aliyuncs.com/cip-media/voice/051ec34/28375_as00000.wav?Expires=1730832364&OSSAccessKeyId=LTAI5t6KYjFmqpFzteQWRo4j&Signature=34E3PVSYIYpE2oUpoBPj6DzBrZ0%3D'}]}, 'FrameResult': {'FrameNum': 0, 'FrameSummarys': [], 'Frames': []}, 'TaskId': 'vi_f_J00HYR8x3P66IubIwSrQyh-1ALNs3'}, 'Message': 'SUCCESS', 'RequestId': '20FA1F94-4BB2-53E9-9470-6211CCD24BAE'}


The format of video detection results is as follows:

<style>
    table {
      width: 80%;
      margin: 20px; /* Center the table */
      border-collapse: collapse; /* Collapse borders for a cleaner look */
      font-family: sans-serif; 
    }

    th, td {
      padding: 10px;
      text-align: left;
      border: 1px solid #ddd; /* Light gray border */
    }

    th {
      background-color: #f2f2f2; /* Light gray background for header */
      font-weight: bold;
    }

    tr:nth-child(even) { /* Zebra striping */
      background-color: #f9f9f9;
    }

    tr:hover { /* Highlight row on hover */
      background-color: #e0f2ff; /* Light blue */
    }
</style>
<table width="80%">
<tbody>
<tr>
<td>

```json
{
	'Code': 200,
	'Data': {
		'AudioResult': {
			'AudioSummarys': [{
				'Label': 'C_customized',
				'LabelSum': 1
			}],
			'SliceDetails': [{
				'EndTime': 2,
				'EndTimestamp': 1730810748526,
				'Extend': '{"customizedWords":"password","customizedLibs":"LLM acp"}',
				'Labels': 'C_customized',
				'StartTime': 0,
				'StartTimestamp': 1730810746526,
				'Text': 'The login password is 123456 ',
				'Url': 'http://oss-cip-shanghai.oss-cn-shanghai.aliyuncs.com/cip-media/voice/051ec34/28375_as00000.wav?Expires=1730832364&OSSAccessKeyId=LTAI5t6KYjFmqpFzteQWRo4j&Signature=34E3PVSYIYpE2oUpoBPj6DzBrZ0%3D'
			}]
		},
		'FrameResult': {
			'FrameNum': 0,
			'FrameSummarys': [],
			'Frames': []
		},
		'TaskId': 'vi_f_J00HYR8x3P66IubIwSrQyh-1ALNs3'
	},
	'Message': 'SUCCESS',
	'RequestId': '20FA1F94-4BB2-53E9-9470-6211CCD24BAE'
}
```

</td>
</tr>
</tbody>
</table>  



As can be seen from the above, the video detection results include audio detection results and video frame detection results. The audio detection results include detection labels and text matching. Since the video we tested does not have compliance risks, there are no detection results for the video frames, which is consistent with expectations.

The key fields in the return structure of video detection are:
- AudioResult: Audio detection results
- FrameResult: Video frame detection results

For detailed interface parameter information, please refer to [Video Moderation API Documentation](https://help.aliyun.com/document_detail/2505810.html?spm=a2c4g.2505806.0.0.23663a9dQBUD4Z#Yy25U).  



#### 5.2.3 Knowledge Base Access Control

Based on the user's question, the relevant text recall from the knowledge base needs to undergo access control to ensure that only content the user has permission to access is returned.

The knowledge base access control process is as follows:
- Query the user's access permissions based on their information
- Query the access permissions associated with the topK texts recall, based on the knowledge base access control information
- Traverse the access permissions of the topK texts, compare them with the user's access permissions, and if the permissions match, add the text to the result set
- Output the filtered text result set

<img src="https://img.alicdn.com/imgextra/i4/O1CN01pdxgoR1DC1yDiNrxa_!!6000000000179-2-tps-4947-3690.png" alt="Knowledge Base Access Control Process" width="800"/>

**Example: Simulating permission storage using CSV to implement knowledge base access control**

Scenario setting: Each employee in an educational company has a unique job position, such as regular staff, manager, etc. The content permissions for viewing the knowledge base differ according to their job positions. For example, regular staff can only view the compensation plans of their own position and are not allowed to view those of higher-level leaders. However, higher-level leaders can view the compensation plans of their subordinates.



In [None]:
from utils.security.kb_access_control import kb_filter

# Please check user_id in utils.security.kb_access_control/db/user.csv
# Query the recalled text with permissions based on the user id
user_id = 201
kb_filter.get_filter_contents(user_id)

### 5.3 Application Service Security

The security of model application services mainly includes: the security of the model application deployment platform, data transmission security, and the security of knowledge base data storage. Alibaba Cloud provides a comprehensive security system that covers application deployment, access, data transmission, and storage. You don't need to worry about the security issues of application services and can focus on building and optimizing your model applications.

<img src="https://img.alicdn.com/imgextra/i4/O1CN01ICUHQI1KLNMtKltjD_!!6000000001147-2-tps-1678-488.png" alt="Application-level security assurance system" width="1200"/>

#### 5.3.1 Application Deployment Platform Security

The security of the application deployment platform is crucial for ensuring the stable operation of LLMs in production environments, protecting user data privacy, and preventing malicious attacks. Since LLMs typically handle sensitive data (such as user input, inference results, etc.) and may face complex attack scenarios (such as adversarial attacks, injection attacks, etc.), the deployment platform needs to build a comprehensive security protection system at multiple levels.

You can host your model applications on Alibaba Cloud's deployment platforms, such as Elastic Computing Service, PAI-EAS, and Function Compute. The deployment platforms support Alibaba Cloud’s full-platform RAM account management and operational auditing. Additionally, different deployment platforms have their own operation permission controls and network security configurations:
* **Permission Control**
    * **Principle of Least Privilege**: Use Alibaba Cloud RAM (Resource Access Management) to assign minimal permissions to different users. Regularly review permission assignments and clean up unnecessary permissions.
    * **Multi-Factor Authentication (MFA)**: Enforce MFA for administrator accounts to enhance login security.
* **Network Security Configuration**
    * **Cloud Firewall**: Configure inbound and outbound rules to allow only necessary traffic. Restrict SSH and RDP access, allowing only specific IP addresses to access management interfaces.
    * **Security Group Rules**: Apply the principle of least privilege to each service, for example, opening only the model service port.
    * **DDoS Attack Protection**: Limit API call frequency.

<br>

#### 5.3.2 Data Transmission Security

Typically, LLM applications require encrypted communication to ensure that data is not stolen, tampered with, or leaked during transmission. Specific implementation methods can be found here: [Accessing Model Inference Functions via Encryption](https://help.aliyun.com/zh/model-studio/user-guide/encrypted-access-to-model-inference-functions)

When developing and building LLM applications through Alibaba Cloud's Model Studio platform, Model Studio does not store model request and response data. Prompt encryption is strictly enforced during transmission. You can securely call Model Studio APIs through a VPC private network channel built with your Alibaba Cloud account, ensuring reliable access to LLMs. For more details, see: [Private Network Access to Alibaba Cloud Model Studio Platform via Terminal Endpoints](https://help.aliyun.com/zh/model-studio/user-guide/access-model-studio-through-privatelink). Additionally, the Model Studio platform incorporates multiple security strategies, including gateway management, RAM account control, internal auditing, and model encryption, to comprehensively safeguard your application security.

<br>

#### 5.3.3 Knowledge Base Data Storage Security

In RAG chatbot, vector data from the knowledge base, log storage, intermediate processing data, and multimodal data all belong to your Alibaba Cloud account. To protect the data security of user accounts, Alibaba Cloud provides security measures such as KMS encryption and SDDP protection.
Data security is the core of LLM applications. Below are some measures:
* **Data Encryption**: Use Alibaba Cloud KMS (Key Management Service) to encrypt sensitive data storage.
* **Sensitive Data Protection**: Perform desensitization processing on sensitive fields (such as ID numbers, phone numbers). You can use [Alibaba Cloud Data Security Center](https://www.aliyun.com/product/security/sddp) to detect sensitive information in databases, OSS, and SLS.
* **Backup and Recovery**: Develop backup strategies (such as off-site backup mechanisms), automatically back up databases periodically, and encrypt stored backup files.


## ✅ Summary of This Section

In this section, we learned the following content:
- **Key elements for deploying LLMs into production environments**, including business requirement analysis, functional requirements of the model (such as model selection for natural language processing (NLP), vision, speech, and other scenarios), and non-functional requirements (performance, cost, stability, security, etc.)
- **Performance and cost optimization strategies**, such as model compression techniques (pruning techniques, quantization methods, knowledge distillation approaches), request batching, caching mechanisms, input/output token optimization, and parallel processing
- **Methods to enhance user experience**, including streaming output mechanism, chunked processing, task progress display, error handling mechanisms, and user feedback loop design
- **Methods to improve stability**, including automated scaling, real-time monitoring and alerting of models, and ensuring business stability through disaster recovery design
- **Cloud architecture selection and security compliance**, covering GPU instance specification selection, multi-GPU inference optimization, data transmission encryption, content security review (text/image/audio/video), and knowledge base access control

In addition to the content demonstrated in this section, you can also try:
- **Improving model inference efficiency with multi-GPU Prefill/Decode separation**: In the inference process of LLMs, Prefill (prefill phase) and Decode (decoding phase) are two key stages, corresponding to input processing and output generation. In a multi-GPU environment, separating Prefill and Decode processes can optimize the model's inference speed, thereby meeting SLO requirements for TTFT (Time to First Token) and TPOT (Time Per Output Token). [DistServe](https://github.com/LLMServe/DistServe) is a typical system implementation that separates Prefill/Decode, combining chunked prefill and asynchronous pipelines to significantly increase throughput and reduce latency.
- **Implementing multimodal security reviews**: Expanding video compliance detection workflows by integrating custom sensitive word libraries and copyright recognition.
- **Introducing MLOps to manage AI systems**: MLOps (Machine Learning Operations) combines machine learning and DevOps, aiming to manage the entire lifecycle of machine learning models through automation, standardization, and collaboration. It draws on DevOps concepts from software engineering, tightly integrating development (Development) and operations (Operations) to ensure that machine learning models can efficiently transition from the development stage to the production environment and continuously optimize and iterate in the production environment.

When studying this course, if you want to learn more about related concepts and principles, you can explore the following topics or get learning suggestions from LLMs:
- **KV Cache optimization practices**: Deeply understand the role and optimization methods of KV Cache.



<style>
    table {
      width: 80%;
      margin: 20px; /* Center the table */
      border-collapse: collapse; /* Collapse borders for a cleaner look */
      font-family: sans-serif; 
    }

    th, td {
      padding: 10px;
      text-align: left;
      border: 1px solid #ddd; /* Light gray border */
    }

    th {
      background-color: #f2f2f2; /* Light gray background for header */
      font-weight: bold;
    }

    tr:nth-child(even) { /* Zebra striping */
      background-color: #f9f9f9;
    }

    tr:hover { /* Highlight row on hover */
      background-color: #e0f2ff; /* Light blue */
    }
</style>




## 🔥 课后小测验

### 🔍 单选题
<details>
<summary style="cursor: pointer; padding: 12px; border: 1px solid #dee2e6; border-radius: 6px;">
<b>以下哪个代码片段最能体现“输入输出的内容安全合规检查”的流程❓</b>


<table width="80%">
<tbody>
<tr>
<td>
A.
</td>
<td>

```python
def process_input(user_input):
    response = model(user_input)
    check_result = security_check(response)
    if check_result:
        return response
    else:
        return "Response contains non-compliant information"
```

</td>
</tr>
<tr>
<td>
B.
</td>
<td>  



```python
def process_input(user_input):
    check_result = security_check(user_input)
    if check_result:
        response = model(user_input)
        check_result = security_check(response)
        if check_result:
          return response
        else:
          return "Response contains non-compliant information"
    else:
        return "Question contains non-compliant information"
```

</td>
</tr>
<tr>
<td>
C.
</td>
<td>  



```python
def process_input(user_input):
    response = model(user_input)
    return response

```

</td>
</tr>
<tr>
<td>
D.
</td>
<td>  



```python
def process_input(user_input):
    check_result = security_check(user_input)
    return check_result
```

</td>
</tr>
</tbody>
</table>

**[Click to view the answer]**
</summary>

<div style="margin-top: 10px; padding: 15px; border: 1px solid #dee2e6; border-radius: 0 0 6px 6px;">

✅ **Reference Answer: B**  
📝 **Analysis**:  
- Input and output content security compliance checks should be performed on user input before model processing, and on the model-generated results after processing.
- Option B first performs a security check on the user input `user_input`, and only passes it to the model `model` for processing if it passes the check. Then, it performs a security check on the model's output result `response`.
- Other options either perform checks after model processing (A), do not perform any checks at all (C), or only return the check results without handling the model invocation (D).

</div>
</details>


---


### 🔍 Multiple Choice Question
<details>
<summary style="cursor: pointer; padding: 12px; border: 1px solid #dee2e6; border-radius: 6px;">
<b>You are building a system to detect non-compliant text information in images uploaded by users. Which of the following technologies or methods are necessary ❓</b>

- A. Qwen-OCR
- B. Text Compliance Detection
- C. Using multimodal embedding models to obtain image vectors
- D. Using Wan Xiang for detection
- E. Audio to Text
- F. PHash Image Fingerprinting

**[Click to view the answer]**
</summary>

<div style="margin-top: 10px; padding: 15px; border: 1px solid #dee2e6; border-radius: 0 0 6px 6px;">

✅ **Reference Answer: AB**  
📝 **Analysis**:  
- A. OCR is used to extract text information from images.
- B. Text compliance detection is used to analyze whether the extracted text is non-compliant.
- C. Multimodal embedding models are used for multimodal retrieval.
- D. Wan Xiang is used for image generation.
- E. Audio to text is used for audio processing and is unrelated to images.
- F. PHash is used for copyright checks and is unrelated to detecting non-compliant text information.

</div>
</details>  



## ✉️ Feedback and Evaluation
Thank you for studying the Alibaba Cloud LLM ACP Certification course. If you think there are parts of the course that are well-written or need improvement, we look forward to your [evaluation and feedback through this questionnaire](https://survey.aliyun.com/apps/zhiliao/Mo5O9vuie).

Your criticism and encouragement are both driving forces for our progress.  

