DarKnight: A Data Privacy Scheme for Training and Inference of Deep Neural Networks

Protecting the privacy of input data is of growing importance as machine learning applications reach new application domains. Cloud companies are providing machine learning as a service to make it easier for data holders to create customized training and inference paradigms. In this paper, we provide a unified training and inference framework for large DNNs while protecting input privacy. Our approach, called DarKnight, relies on cooperative execution between GPUs and a trusted execution environment (TEE) to train complex models. The cooperative execution allows DarKnight to exploit the computational power of GPUs to perform linear operations while exploiting TEEs to protect input privacy. In particular, DarKnight uses a novel encoding that linearly combines multiple inputs along with an additive stream cipher noise to obfuscate the inputs. The proposed encoding process allows DarKnight to efficiently decode the computed data even as the model parameters continuously evolve during the backward propagation of DNN training. DarKnight further simplifies the encoding process for inference, where the model parameters are unchanged. Unlike prior approaches, DarKnight does not need to store model parameters within the TEE memory, thereby getting around the TEE's limited secure memory. By encoding and decoding multiple inputs during each iteration, DarKnight is well suited to the current-generation batch training process. We implement DarKnight on an Intel SGX enclave augmented with a GPU to demonstrate our new training capabilities.
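The following is an added illustration, not code from the paper, of the blinding principle the abstract describes: the enclave mixes K private inputs with a random invertible matrix and a noise vector, the untrusted GPU applies a linear layer to the K+1 blinded vectors, and the enclave undoes the mix by linearity and discards the noise row. The integer mixing matrix, the noise range and the exact-rational decoding are assumptions of this toy and are not DarKnight's actual encoding.

```python
import random
from fractions import Fraction

def linear_layer(W, vectors):
    """Apply the dense linear layer W to each vector: the work handed to the untrusted GPU."""
    return [[sum(w * x for w, x in zip(row, v)) for row in W] for v in vectors]

def invert(A):
    """Gauss-Jordan inverse over Fractions so decoding is exact; raises if the mix is singular."""
    n = len(A)
    M = [[Fraction(v) for v in row] + [Fraction(i == j) for j in range(n)] for i, row in enumerate(A)]
    for c in range(n):
        piv = [r for r in range(c, n) if M[r][c] != 0]
        if not piv:
            raise ValueError("singular mixing matrix")
        M[c], M[piv[0]] = M[piv[0]], M[c]
        M[c] = [v / M[c][c] for v in M[c]]
        for r in range(n):
            if r != c and M[r][c] != 0:
                M[r] = [a - M[r][c] * b for a, b in zip(M[r], M[c])]
    return [row[n:] for row in M]

def tee_encode(inputs, rng, noise_range=1000):
    """Enclave side: blind K inputs with a random invertible (K+1)x(K+1) mix and a fresh noise vector."""
    K, n = len(inputs), len(inputs[0])
    r = [rng.randint(-noise_range, noise_range) for _ in range(n)]  # assumed stand-in for stream-cipher noise
    A_inv = None
    while A_inv is None:  # redraw the mixing coefficients until the matrix is invertible (assumed scheme)
        A = [[rng.randint(-5, 5) for _ in range(K + 1)] for _ in range(K + 1)]
        try:
            A_inv = invert(A)
        except ValueError:
            pass
    # the noise vector is mixed in as an extra, (K+1)-th input, so every blinded row contains it
    blinded = [[sum(A[i][j] * s[t] for j, s in enumerate(inputs + [r])) for t in range(n)] for i in range(K + 1)]
    return blinded, A_inv

def tee_decode(outputs, A_inv, K):
    """Enclave side: W(A s) = A(W s) by linearity, so A^-1 undoes the mix; the noise row is dropped."""
    m = len(outputs[0])
    dec = [[sum(A_inv[j][i] * o[t] for i, o in enumerate(outputs)) for t in range(m)] for j in range(K)]
    return [[int(v) for v in row] for row in dec]

def run_demo(seed=7):
    rng = random.Random(seed)
    W = [[1, 2, 3], [4, 5, 6]]          # constructed 2x3 linear layer
    inputs = [[1, 0, -2], [3, 7, 5]]    # constructed private inputs, K = 2
    blinded, A_inv = tee_encode(inputs, rng)                              # inside the TEE
    decoded = tee_decode(linear_layer(W, blinded), A_inv, len(inputs))   # GPU step, then back in the TEE
    return decoded == linear_layer(W, inputs), decoded
```

Every blinded vector is a mix of all inputs plus the noise, so the GPU never receives a plaintext input on its own; the real scheme's strength rests on its stream-cipher noise and coefficient choice, which this toy does not reproduce.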
