ShadowNet: A Secure and Efficient On-device Model Inference System for Convolutional Neural Networks
- URL: http://arxiv.org/abs/2011.05905v4
- Date: Thu, 6 Jul 2023 05:48:09 GMT
- Title: ShadowNet: A Secure and Efficient On-device Model Inference System for Convolutional Neural Networks
- Authors: Zhichuang Sun, Ruimin Sun, Changming Liu, Amrita Roy Chowdhury, Long Lu, Somesh Jha
- Abstract summary: ShadowNet is a novel on-device model inference system.
It protects the model privacy while securely outsourcing the heavy linear layers of the model to the untrusted hardware accelerators.
Our evaluation shows that ShadowNet achieves strong security guarantees with reasonable performance.
- Score: 33.98338559074557
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: With the increased usage of AI accelerators on mobile and edge devices,
on-device machine learning (ML) is gaining popularity. Thousands of proprietary
ML models are being deployed today on billions of untrusted devices. This
raises serious security concerns about model privacy. However, protecting model
privacy without losing access to the untrusted AI accelerators is a challenging
problem. In this paper, we present a novel on-device model inference system,
ShadowNet. ShadowNet protects the model privacy with Trusted Execution
Environment (TEE) while securely outsourcing the heavy linear layers of the
model to the untrusted hardware accelerators. ShadowNet achieves this by
transforming the weights of the linear layers before outsourcing them and
restoring the results inside the TEE. The non-linear layers are also kept
secure inside the TEE. ShadowNet's design ensures efficient transformation of
the weights and the subsequent restoration of the results. We build a ShadowNet
prototype based on TensorFlow Lite and evaluate it on five popular CNNs,
namely, MobileNet, ResNet-44, MiniVGG, ResNet-404, and YOLOv4-tiny. Our
evaluation shows that ShadowNet achieves strong security guarantees with
reasonable performance, offering a practical solution for secure on-device
model inference.
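The abstract's core mechanism rests on one fact: a convolution is linear in its filters, so if the TEE sends the accelerator a secretly transformed filter bank, the accelerator's output is the same transformation applied to the true output, and the TEE can undo it. The following is an added illustration of that idea, not ShadowNet's own code; its transform (shuffle, scale, and blend each real filter with random obfuscation filters through a secret invertible matrix A, then recover with A^-1 as a 1x1 convolution inside the TEE) is a simplified stand-in for the paper's transformation, and the input image, filters and biases are constructed for the example.

```python
"""Added illustration of the ShadowNet idea: because convolution is linear in
its filters, a conv layer can be outsourced to an untrusted accelerator with
secretly transformed filters and the true result recovered inside the TEE.
This is example code, not ShadowNet's implementation; the transform below is a
simplified stand-in for the paper's, and all inputs are constructed."""
import random


def conv2d_valid(x, filters):
    """Single-channel 'valid' 2-D convolution: one output map per filter."""
    h, w = len(x), len(x[0])
    out = []
    for f in filters:
        k = len(f)
        out.append([[sum(f[a][b] * x[i + a][j + b] for a in range(k) for b in range(k))
                     for j in range(w - k + 1)] for i in range(h - k + 1)])
    return out


def invert(a):
    """Gauss-Jordan inverse with partial pivoting (small, nonsingular matrix)."""
    n = len(a)
    aug = [row[:] + [1.0 if i == j else 0.0 for j in range(n)] for i, row in enumerate(a)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(aug[r][c]))
        aug[c], aug[p] = aug[p], aug[c]
        pv = aug[c][c]
        aug[c] = [v / pv for v in aug[c]]
        for r in range(n):
            if r != c and aug[r][c] != 0.0:
                f = aug[r][c]
                aug[r] = [rv - f * cv for rv, cv in zip(aug[r], aug[c])]
    return [row[n:] for row in aug]


def transform(weights, n_dummy, rng):
    """TEE side, offline. Prepend n_dummy random obfuscation filters, then mix
    the stack through a secret invertible matrix A = P * D * (I + N): P shuffles,
    D scales, N (strictly lower triangular) blends each real filter with the
    random filters ahead of it. Returns (outsourced filters, secret)."""
    k = len(weights[0])
    dummies = [[[rng.uniform(-1, 1) for _ in range(k)] for _ in range(k)] for _ in range(n_dummy)]
    stack = dummies + weights            # real filters last, so each is blended with dummies
    m = len(stack)
    perm = list(range(m))
    rng.shuffle(perm)
    A = [[0.0] * m for _ in range(m)]
    for j in range(m):
        s = rng.uniform(0.5, 2.0) * rng.choice((-1.0, 1.0))
        A[perm[j]] = [s * (1.0 if i == j else rng.uniform(-1, 1) if i < j else 0.0) for i in range(m)]
    mixed = [[[sum(A[j][i] * stack[i][a][b] for i in range(m)) for b in range(k)] for a in range(k)]
             for j in range(m)]
    return mixed, {"A_inv": invert(A), "real": list(range(n_dummy, m))}


def restore(y_prime, secret, bias):
    """TEE side, online. Y' = A * Y_stack channel-wise, so Y_stack = A^-1 * Y'
    (a 1x1 convolution with the secret inverse); drop the dummy channels and
    apply the non-linear part (bias + ReLU), which never leaves the TEE."""
    a_inv, rows, cols = secret["A_inv"], len(y_prime[0]), len(y_prime[0][0])
    return [[[max(0.0, bias[ci] + sum(a_inv[c][j] * y_prime[j][r][q] for j in range(len(y_prime))))
              for q in range(cols)] for r in range(rows)]
            for ci, c in enumerate(secret["real"])]


def reference_layer(x, weights, bias):
    """The plain conv + bias + ReLU layer, computed entirely in the clear."""
    y = conv2d_valid(x, weights)
    return [[[max(0.0, bias[c] + v) for v in row] for row in y[c]] for c in range(len(weights))]


def scaled_copy_present(weights, outsourced, tol=1e-9):
    """Leak check: does any outsourced filter equal a real filter up to a scalar?"""
    for w in weights:
        for f in outsourced:
            if all(abs(f[a][b] * w[0][0] - w[a][b] * f[0][0]) < tol
                   for a in range(len(w)) for b in range(len(w))):
                return True
    return False


def demo(n_dummy=2, seed=7):
    """Run one outsourced layer; return (max abs error vs. reference, leak flag, #filters sent)."""
    rng = random.Random(seed)
    x = [[rng.uniform(-1, 1) for _ in range(6)] for _ in range(6)]          # constructed input
    weights = [[[rng.uniform(-1, 1) for _ in range(3)] for _ in range(3)] for _ in range(4)]
    bias = [0.1, -0.2, 0.05, 0.0]                                          # constructed biases
    w_prime, secret = transform(weights, n_dummy, rng)
    y_prime = conv2d_valid(x, w_prime)   # the only thing the untrusted accelerator computes
    y = restore(y_prime, secret, bias)
    ref = reference_layer(x, weights, bias)
    err = max(abs(a - b) for yc, rc in zip(y, ref) for yr, rr in zip(yc, rc) for a, b in zip(yr, rr))
    return err, scaled_copy_present(weights, w_prime), len(w_prime)


if __name__ == "__main__":
    print(demo())
```

Two things worth noticing when running it. With `n_dummy=0` the scheme degrades to shuffle-and-scale only, and `scaled_copy_present` reports that a real filter is sent to the accelerator up to a scalar; with obfuscation filters in the stack every real filter is blended with at least one random one. Second, the accelerator still sees the input and the transformed filters; what an attacker can recover from those is exactly the question ShadowNet's security analysis addresses, and this toy does not stand in for that analysis. The restoration cost in the TEE is one 1x1 convolution over the outsourced channels plus the non-linearity, which is what makes the "efficient restoration" claim in the abstract plausible.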
Related papers
- TEESlice: Protecting Sensitive Neural Network Models in Trusted Execution Environments When Attackers have Pre-Trained Models [12.253529209143197]
TEE-Shielded DNN Partition (TSDP) is a method that protects privacy-sensitive weights within TEEs and offloads insensitive weights to GPUs.
We introduce a novel partition-before-training strategy, which effectively separates privacy-sensitive weights from other components of the model.
Our evaluation demonstrates that our approach can offer full model protection with a computational cost reduced by a factor of 10.
arXiv Detail & Related papers (2024-11-15T04:52:11Z)
- Task-Oriented Real-time Visual Inference for IoVT Systems: A Co-design Framework of Neural Networks and Edge Deployment [61.20689382879937]
Task-oriented edge computing addresses this by shifting data analysis to the edge.
Existing methods struggle to balance high model performance with low resource consumption.
We propose a novel co-design framework to optimize neural network architecture.
arXiv Detail & Related papers (2024-10-29T19:02:54Z)
- TBNet: A Neural Architectural Defense Framework Facilitating DNN Model Protection in Trusted Execution Environments [14.074570784425225]
This paper presents TBNet, a TEE-based defense framework that protects a DNN model from a neural architectural perspective.
Experimental results on a Raspberry Pi across diverse DNN model architectures and datasets demonstrate that TBNet achieves efficient model protection at a low cost.
arXiv Detail & Related papers (2024-05-07T03:08:30Z)
- Privacy preserving layer partitioning for Deep Neural Network models [0.21470800327528838]
Trusted Execution Environments (TEEs) can introduce significant performance overhead due to additional layers of encryption, decryption, security and integrity checks.
We introduce a layer partitioning technique that offloads computations to the GPU.
We conduct experiments to demonstrate the effectiveness of our approach in protecting against input reconstruction attacks developed using a trained conditional Generative Adversarial Network (c-GAN).
arXiv Detail & Related papers (2024-04-11T02:39:48Z)
- MirrorNet: A TEE-Friendly Framework for Secure On-device DNN Inference [14.08010398777227]
Deep neural network (DNN) models have become prevalent in edge devices for real-time inference.
Existing defense approaches fail to fully safeguard model confidentiality or result in significant latency issues.
This paper presents MirrorNet, which generates a TEE-friendly implementation for any given DNN model to protect the model confidentiality.
For the evaluation, MirrorNet can achieve an 18.6% accuracy gap between authenticated and illegal use, while only introducing 0.99% hardware overhead.
arXiv Detail & Related papers (2023-11-16T01:21:19Z)
- SyzTrust: State-aware Fuzzing on Trusted OS Designed for IoT Devices [67.65883495888258]
We present SyzTrust, the first state-aware fuzzing framework for vetting the security of resource-limited Trusted OSes.
SyzTrust adopts a hardware-assisted framework to enable fuzzing Trusted OSes directly on IoT devices.
We evaluate SyzTrust on Trusted OSes from three major vendors: Samsung, Tsinglink Cloud, and Ali Cloud.
arXiv Detail & Related papers (2023-09-26T08:11:38Z)
- Publishing Efficient On-device Models Increases Adversarial Vulnerability [58.6975494957865]
In this paper, we study the security considerations of publishing on-device variants of large-scale models.
We first show that an adversary can exploit on-device models to make attacking the large models easier.
We then show that the vulnerability increases as the similarity between a full-scale model and its efficient variant increases.
arXiv Detail & Related papers (2022-12-28T05:05:58Z)
- Making DensePose fast and light [78.49552144907513]
Existing neural network models capable of solving the DensePose task are heavily parameterized.
To enable DensePose inference on the end device with current models, one needs to support an expensive server-side infrastructure and have a stable internet connection.
In this work, we target the problem of redesigning the DensePose R-CNN model's architecture so that the final network retains most of its accuracy but becomes more lightweight and fast.
arXiv Detail & Related papers (2020-06-26T19:42:20Z)
- DarkneTZ: Towards Model Privacy at the Edge using Trusted Execution Environments [37.84943219784536]
We present DarkneTZ, a framework that uses an edge device's Trusted Execution Environment (TEE) to limit the attack surface against Deep Neural Networks (DNNs).
We evaluate the performance of DarkneTZ, including CPU execution time, memory usage, and accurate power consumption.
Our results show that even if a single layer is hidden, we can provide reliable model privacy and defend against state-of-the-art membership inference attacks (MIAs), with only 3% performance overhead.
arXiv Detail & Related papers (2020-04-12T21:42:03Z)
- PatDNN: Achieving Real-Time DNN Execution on Mobile Devices with Pattern-based Weight Pruning [57.20262984116752]
We introduce a new dimension, fine-grained pruning patterns inside the coarse-grained structures, revealing a previously unknown point in the design space.
With the higher accuracy enabled by fine-grained pruning patterns, the unique insight is to use the compiler to regain and guarantee high hardware efficiency.
arXiv Detail & Related papers (2020-01-01T04:52:07Z)
This list is automatically generated from the titles and abstracts of the papers in this site.