Securing Deep Neural Networks on Edge from Membership Inference Attacks Using Trusted Execution Environments
Authors: 
Cheng-Yun Yang, Gowri Ramshankar, Nicholas Eliopoulos, Purvish Jajal, Sudarshan Nambiar, Evan Miller, Xun Zhang, 
Dave (Jing) Tian, Shuo-Han Chen, Chiy-Ferng Perng, 
Yung-Hsiang LuAuthors Info & Claims
Cheng-Yun Yang, Gowri Ramshankar, Nicholas Eliopoulos, Purvish Jajal, Sudarshan Nambiar, Evan Miller, Xun Zhang, Dave (Jing) Tian, Shuo-Han Chen, Chiy-Ferng Perng, Yung-Hsiang LuAuthors Info & ClaimsPages 1 - 6
Abstract
Privacy concerns arise from malicious attacks on Deep Neural Network (DNN) applications during sensitive data inference on edge devices. Membership Inference Attack (MIA) is developed by adversaries to determine whether sensitive data is used to train the DNN applications. Prior work uses Trusted Execution Environments (TEEs) to hide DNN model inference from adversaries on edge devices. Unfortunately, existing methods have two major problems. First, due to the restricted memory of TEEs, prior work cannot secure large-size DNNs from gradient-based MIAs. Second, prior work is ineffective on output-based MIAs. To mitigate the problems, we present a depth-wise layer partitioning method to run large sensitive layers inside TEEs. We further propose a model quantization strategy to improve the defense capability of DNNs against output-based MIAs and accelerate the computation. We also automate the process of securing PyTorch-based DNN models inside TEEs. Experiments on Raspberry Pi 3B+ show that our method can reduce the accuracy of gradient-based MIAs on AlexNet, VGG-16, and ResNet-20 evaluated on the CIFAR-100 dataset by 28.8%, 11%, and 35.3%. The accuracy of output-based MIAs on the three models is also reduced by 18.5%, 13.4%, and 29.6%, respectively.
References
[1]
Sebastian P Bayerl et al. "Offline model guard: Secure and private ML on mobile devices". Design, Automation & Test in Europe Conference & Exhibition. 2020.
[2]
Han Cai et al. "Enable Deep Learning on Mobile Devices: Methods, Systems, and Applications". ACM Transactions on Design Automation of Electronic System 27.3 (2022).
[3]
Gianmarco Cerutti et al. "Sound event detection with binary neural networks on tightly power-constrained IoT devices". Proceedings of the ACM/IEEE International Symposium on Low Power Electronics and Design. 2020.
[4]
Nicholas Carlini et al. "Membership inference attacks from first principles". IEEE Symposium on Security and Privacy. 2022.
[5]
ARM Security Technology Building a Secure System using TrustZone Technology.
[6]
Fan Mo et al. "DarkneTZ: towards model privacy at the edge using trusted execution environments". International Conference on Mobile Systems, Applications, and Services. 2020.
[7]
Md Shihabul Islam et al. "Confidential Execution of Deep Learning Inference at the Untrusted Edge with ARM TrustZone". ACM Conference on Data and Application Security and Privacy. 2023.
[8]
Milad Nasr et al. "Comprehensive Privacy Analysis of Deep Learning: Passive and Active White-box Inference Attacks against Centralized and Federated Learning". IEEE Symposium on Security and Privacy. 2019.
[9]
Reza Shokri et al. "Membership inference attacks against machine learning models". IEEE Symposium on Security and Privacy. 2017.
[10]
Jiacheng Li et al. "Membership Inference Attacks and Defenses in Classification Models". Proceedings of the Eleventh ACM Conference on Data and Application Security and Privacy. 2021.
[11]
Xiaoyong Yuan et al. "Membership Inference Attacks and Defenses in Neural Network Pruning". 31st USENIX Security Symposium. 2022.
[12]
Fan Yao et al. "DeepHammer: Depleting the intelligence of deep neural networks through targeted chain of bit flips". 29th USENIX Security Symposium. 2020.
[13]
Simon J. Shepherd. "The Tiny Encryption Algorithm". Cryptologia 31.3 (2007).
Index Terms
- Securing Deep Neural Networks on Edge from Membership Inference Attacks Using Trusted Execution Environments
Recommendations
Towards Trained Model Confidentiality and Integrity Using Trusted Execution Environments
Applied Cryptography and Network Security WorkshopsAbstractIn the security of machine learning, it is important to protect the confidentiality and integrity of trained models. The leakage of the data in a trained model leads to not only the infringement of intellectual property but also various attacks ...
Comparison of side-channel leakage on Rich and Trusted Execution Environments
CS2 '19: Proceedings of the Sixth Workshop on Cryptography and Security in Computing SystemsA Trusted Execution Environment (TEE) is a software solution made to improve security inside system on chip (SoC) based on ARM architecture. It offers a compromise between the functionality of the Rich Operating System (Rich OS), for example Android, ...
Membership reconstruction attack in deep neural networks
AbstractTo further enhance the reliability of Machine Learning (ML) systems, considerable efforts have been dedicated to developing privacy protection techniques. Recently, membership privacy has gained increasing attention, with a focus on ...
Comments
Information & Contributors
Information
Published In
August 2024
384 pages
ISBN:9798400706882
DOI:10.1145/3665314
- Chair:
- Pascal Meinerzhagen,
- Program Chair:
- Kapil Dev,
- Program Co-chair:
- Jerald Yoo
This work is licensed under a Creative Commons Attribution International 4.0 License.
Sponsors
- SIGDA: ACM Special Interest Group on Design Automation
- IEEE CAS
- IEEE EDA
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
Published: 09 September 2024
Check for updates
Author Tags
Qualifiers
- Research-article
Conference
ISLPED '24
Sponsor:
ISLPED '24: 29th ACM/IEEE International Symposium on Low Power Electronics and Design
August 5 - 7, 2024
CA, Newport Beach, USA
Acceptance Rates
Overall Acceptance Rate 398 of 1,159 submissions, 34%
Contributors
Other Metrics
Bibliometrics & Citations
Bibliometrics
Article Metrics
- 0Total Citations
- 114Total Downloads
- Downloads (Last 12 months)114
- Downloads (Last 6 weeks)53
Reflects downloads up to 24 Dec 2024
Other Metrics
Citations
View Options
Login options
Check if you have access through your login credentials or your institution to get full access on this article.
Sign in