MLCapsule: Guarded Offline Deployment of Machine Learning as a Service

Hanzlik, Lucjan; Zhang, Yang; Grosse, Kathrin; Salem, Ahmed Hamed; Backes, Michael; Fritz, Mario

doi:10.48550/arxiv.1808.00590

Cited by 11 publications

(17 citation statements)

References 20 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…There has been some work on defending the ML models against stealing of inputs and parameters using other techniques like Homomorphic Encryption (HE) and Secure Multi-Party Computation (SMPC) [27,56,73], Watermarking [1,76], and Trusted Execution Engines (TEE) [32,38,88]. We refer the interested readers to survey papers published on ML privacy for a more exhaustive list [10,39,63,81].…”

Section: Orthogonal ML Defencesmentioning

confidence: 99%

Guarding Machine Learning Hardware Against Physical Side-channel Attacks

Dubey

Cammarota

Suresh

et al. 2022

J. Emerg. Technol. Comput. Syst.

View full text Add to dashboard Cite

Machine learning (ML) models can be trade secrets due to their development cost. Hence, they need protection against malicious forms of reverse engineering (e.g., in IP piracy). With a growing shift of ML to the edge devices, in part for performance and in part for privacy benefits, the models have become susceptible to the so-called physical side-channel attacks. ML being a relatively new target compared to cryptography poses the problem of side-channel analysis in a context that lacks published literature. The gap between the burgeoning edge-based ML devices and the research on adequate defenses to provide side-channel security for them thus motivates our study. Our work develops and combines different flavors of side-channel defenses for ML models in the hardware blocks. We propose and optimize the first defense based on Boolean masking . We first implement all the masked hardware blocks. We then present an adder optimization to reduce the area and latency overheads. Finally, we couple it with a shuffle-based defense. We quantify that the area-delay overhead of masking ranges from 5.4× to 4.7× depending on the adder topology used and demonstrate a first-order side-channel security of millions of power traces. Additionally, the shuffle countermeasure impedes a straightforward second-order attack on our first-order masked implementation.

show abstract

Section: Orthogonal ML Defencesmentioning

confidence: 99%

Guarding Machine Learning Hardware Against Physical Side-channel Attacks

Dubey

Cammarota

Suresh

et al. 2022

J. Emerg. Technol. Comput. Syst.

View full text Add to dashboard Cite

show abstract

“…Model hyper-parameters such as model architecture, number of layers, size of training batches or type of training data are usually public information, as they do not leak any information about trained model parameters or sensitive training data [15], [17], [19]. In order to mitigate possible threats linked to malicious data sources, PLINIUS supports secure provisioning of model hyper-parameters via the SGX remote attestation mechanism.…”

Section: Threat Modelmentioning

confidence: 99%

Plinius: Secure and Persistent Machine Learning Model Training

Yuhala¹,

Felber²,

Schiavoni³

et al. 2021

Preprint

View full text Add to dashboard Cite

With the increasing popularity of cloud based machine learning (ML) techniques there comes a need for privacy and integrity guarantees for ML data. In addition, the significant scalability challenges faced by DRAM coupled with the high access-times of secondary storage represent a huge performance bottleneck for ML systems. While solutions exist to tackle the security aspect, performance remains an issue. Persistent memory (PM) is resilient to power loss (unlike DRAM), provides fast and fine-granular access to memory (unlike disk storage) and has latency and bandwidth close to DRAM (in the order of ns and GB/s, respectively). We present PLINIUS, a ML framework using Intel SGX enclaves for secure training of ML models and PM for fault tolerance guarantees. PLINIUS uses a novel mirroring mechanism to create and maintain (i) encrypted mirror copies of ML models on PM, and (ii) encrypted training data in byteaddressable PM, for near-instantaneous data recovery after a system failure. Compared to disk-based checkpointing systems, PLINIUS is 3.2× and 3.7× faster respectively for saving and restoring models on real PM hardware, achieving robust and secure ML model training in SGX enclaves.

show abstract

“…In this mechanism there is a trade-off between the privacy performance, computational complexity and, model accuracy [25,26,27]. Our idea relies on TEEs to perform private inference or training in a secure hardware [5,6,7,8,9,10]. In particular, TEE-based training solutions focus on holding the entire model within the TEE environment which Inference FHME [19], MiniONN [20], CryptoNets [21],…”

Section: Related Workmentioning

confidence: 99%

“…Gazelle [22] SGXCMP [23], SecureML [24] Mlcapsule [7], ObliviousTEE [8], P-TEE [9], Slalom [10] Arden [25], NOffload [26], Shredder [27] Training SecureML [24], SecureNN [28],…”

Section: Related Workmentioning

confidence: 99%

“…Prior training schemes [5,6] secure the entire model within a TEE, thereby preventing large models from taking advantage of the TEE and also are unable to use ML accelerators such as GPUs. Prior inference schemes using TEE [7,8,9,10] exploit the fact that model parameters are fixed during inference to enable split execution between TEE and GPU. These schemes cannot be used for training since the parameters are constantly updated during the training process.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

DarKnight: A Data Privacy Scheme for Training and Inference of Deep Neural Networks

Hashemi,

Wang,

Annavaram

2020

Preprint

View full text Add to dashboard Cite

Protecting the privacy of input data is of growing importance as machine learning applications reach new application domains. Cloud companies are providing machine learning as a service to make it easier for data holders to create customized training and inference paradigms. In this paper, we provide a unified training and inference framework for large DNNs while protecting input privacy. Our approach called DarKnight relies on cooperative execution between GPUs and trusted execution environment (TEE) to train complex models. The cooperative execution allows DarKnight to exploit the computational power of GPUs to perform linear operations, while exploiting TEEs to protect input privacy. In particular, DarKnight uses a novel encoding to linearly combine multiple inputs along with an additive stream cipher noise to obfuscate the inputs. The proposed encoding process allows DarKnight to efficiently decode the computed data even as the model parameters continuously evolve during the backward propagation of DNN training. DarKnight further simplifies the encoding process for inference where the model parameters are unchanged. Unlike prior approaches, DarKnight does not need to store model parameters within the TEE memory thereby getting around the TEE's limited secure memory limitations. By encoding and decoding multiple inputs during each iteration, DarKnight is well suited for current generation batch training process. We implement DarKnight on an Intel SGX enclave augmented with a GPU to demonstrate our new training capabilities.Preprint. Under review.

show abstract

MLCapsule: Guarded Offline Deployment of Machine Learning as a Service

Cited by 11 publications

References 20 publications

Guarding Machine Learning Hardware Against Physical Side-channel Attacks

Guarding Machine Learning Hardware Against Physical Side-channel Attacks

Plinius: Secure and Persistent Machine Learning Model Training

DarKnight: A Data Privacy Scheme for Training and Inference of Deep Neural Networks

Contact Info

Product

Resources

About