Research article · Open access

DarKnight: An Accelerated Framework for Privacy and Integrity Preserving Deep Learning Using Trusted Hardware

Published: 17 October 2021

Abstract

Privacy and security-related concerns are growing as machine learning reaches diverse application domains. The data holders want to train or infer with private data while exploiting accelerators, such as GPUs, that are hosted in the cloud. Cloud systems are vulnerable to attackers that compromise the privacy of data and integrity of computations. Tackling such a challenge requires unifying theoretical privacy algorithms with hardware security capabilities. This paper presents DarKnight, a framework for large DNN training while protecting input privacy and computation integrity. DarKnight relies on cooperative execution between trusted execution environments (TEE) and accelerators, where the TEE provides privacy and integrity verification, while accelerators perform the bulk of the linear algebraic computation to optimize the performance. In particular, DarKnight uses a customized data encoding strategy based on matrix masking to create input obfuscation within a TEE. The obfuscated data is then offloaded to GPUs for fast linear algebraic computation. DarKnight’s data obfuscation strategy provides provable data privacy and computation integrity in the cloud servers. While prior works tackle inference privacy and cannot be utilized for training, DarKnight’s encoding scheme is designed to support both training and inference.
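
To make the division of labor concrete, the sketch below illustrates the general pattern of matrix-masking-based offloading for a single linear layer: the TEE blinds a private input with a random mask, the untrusted GPU performs the heavy matrix multiplication on the blinded data, and the TEE then removes the mask's contribution. This is only a minimal toy illustration of the blinding idea, not DarKnight's actual encoding (which combines multiple inputs with calibrated noise, supports training as well as inference, and includes integrity verification); the names, shapes, and the precomputed W @ r term are illustrative assumptions.

```python
# Minimal sketch (not DarKnight's actual scheme): matrix-masking style blinding
# for offloading one linear layer from a TEE to an untrusted GPU.
import numpy as np

rng = np.random.default_rng(0)

def tee_blind(x, r):
    """Inside the TEE: obfuscate the private input with an additive random mask."""
    return x + r

def gpu_linear(W, x_blinded):
    """On the untrusted GPU: the bulk linear-algebra work, seen only on blinded data."""
    return W @ x_blinded

def tee_unblind(y_blinded, W_r):
    """Back inside the TEE: subtract the mask's contribution (W @ r, assumed precomputed)."""
    return y_blinded - W_r

W = rng.standard_normal((256, 784))   # layer weights (visible to the GPU)
x = rng.standard_normal(784)          # private input; never leaves the TEE in the clear
r = rng.standard_normal(784)          # random mask drawn inside the TEE
W_r = W @ r                           # assumed precomputed in a trusted/offline phase

y = tee_unblind(gpu_linear(W, tee_blind(x, r)), W_r)
assert np.allclose(y, W @ x)          # the TEE recovers the plaintext result
```

In DarKnight, the encoding and decoding performed inside the TEE are also what provide the integrity verification described in the abstract; the sketch is only meant to show that the GPU never observes x in the clear while the TEE's work stays limited to lightweight encoding and decoding.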

Published In

MICRO '21: MICRO-54: 54th Annual IEEE/ACM International Symposium on Microarchitecture
October 2021
1322 pages
ISBN: 9781450385572
DOI: 10.1145/3466752
This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 17 October 2021

Author Tags

  1. Intel SGX
  2. data encoding
  3. data privacy
  4. deep learning
  5. neural networks
  6. trusted execution environment

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

MICRO '21
Acceptance Rates

Overall Acceptance Rate 484 of 2,242 submissions, 22%

Bibliometrics & Citations

Article Metrics

  • Downloads (last 12 months): 752
  • Downloads (last 6 weeks): 150

Reflects downloads up to 11 Dec 2024.

Cited By

View all
  • (2024) TransLinkGuard: Safeguarding Transformer Models Against Model Stealing in Edge Deployment. Proceedings of the 32nd ACM International Conference on Multimedia, 3479–3488. DOI: 10.1145/3664647.3680786. Online publication date: 28-Oct-2024.
  • (2024) Proof of Unlearning: Definitions and Instantiation. IEEE Transactions on Information Forensics and Security 19, 3309–3323. DOI: 10.1109/TIFS.2024.3358993. Online publication date: 1-Jan-2024.
  • (2024) EdgePro: Edge Deep Learning Model Protection via Neuron Authorization. IEEE Transactions on Dependable and Secure Computing, 1–15. DOI: 10.1109/TDSC.2024.3365730. Online publication date: 2024.
  • (2024) No Privacy Left Outside: On the (In-)Security of TEE-Shielded DNN Partition for On-Device ML. 2024 IEEE Symposium on Security and Privacy (SP), 3327–3345. DOI: 10.1109/SP54263.2024.00052. Online publication date: 19-May-2024.
  • (2024) Efficient and Privacy-Preserving Integrity Verification for Federated Learning with TEEs. MILCOM 2024 - 2024 IEEE Military Communications Conference (MILCOM), 999–1004. DOI: 10.1109/MILCOM61039.2024.10773815. Online publication date: 28-Oct-2024.
  • (2024) Memory-Efficient and Secure DNN Inference on TrustZone-enabled Consumer IoT Devices. IEEE INFOCOM 2024 - IEEE Conference on Computer Communications, 2009–2018. DOI: 10.1109/INFOCOM52122.2024.10621088. Online publication date: 20-May-2024.
  • (2024) Privacy-Preserving Multi-Party Machine Learning Based on Trusted Execution Environment and GPU Accelerator. 2024 IEEE 12th International Conference on Information, Communication and Networks (ICICN), 601–606. DOI: 10.1109/ICICN62625.2024.10761130. Online publication date: 21-Aug-2024.
  • (2024) Survey of research on confidential computing. IET Communications 18(9), 535–556. DOI: 10.1049/cmu2.12759. Online publication date: 23-Apr-2024.
  • (2024) Fault-tolerant deep learning inference on CPU-GPU integrated edge devices with TEEs. Future Generation Computer Systems 161(C), 404–414. DOI: 10.1016/j.future.2024.07.027. Online publication date: 1-Dec-2024.
  • (2023) An Accelerated Method for Protecting Data Privacy in Financial Scenarios Based on Linear Operation. Applied Sciences 13(3), 1764. DOI: 10.3390/app13031764. Online publication date: 30-Jan-2023.
