Presentation is loading. Please wait.

Presentation is loading. Please wait.

Privacy-preserving Machine Learning

Published byCamilla Myra Dalton Modified over 6 years ago

Similar presentations

Presentation on theme: "Privacy-preserving Machine Learning"— Presentation transcript:

1 Privacy-preserving Machine Learning
Jian Liu, Mika Juuti, N. Asokan Secure Systems Group, Aalto University

2 How do you evaluate ML-based systems?
Effectiveness of inference accuracy/score measures on held-out test set? Performance inference speed and memory consumption? Hardware/software requirements e.g. memory/processor limitations, or specific software library? There are a lot of posters and talks today about machine learning. I am sure you guys know how to evaluate a machine learning system.

3 Meeting requirements in the presence of an adversary
Security & Privacy? Meeting requirements in the presence of an adversary But did you pay attention to the security and privacy. i.e.,

4 Machine learning pipeline
Pre-processor Trainer Model Inference Service Provider Data owners Clients Here is the machine learning pipeline. An adversary can present in any phase of this pipeline. Legend entities components

5 Inference Service Provider
1. Malicious data owners Pre-processor Trainer Model Inference Service Provider Data owners Clients Attack target Risk Remedies Model (integrity) Data poisoning [1, 2] Access control Robust estimators Active learning (human-in-the-loop learning) Outlier removal / normality models If the data owners are malicious, they can poison the data to affect the model integrity. [1] [2]

6 2. Malicious pre-processor
Trainer Model Inference Service Provider Data owners Clients Attack target Risk Remedies Model (integrity) Data poisoning Access control Robust estimators Active learning (human-in-the-loop learning) Outlier removal / normality models Training data (confidentiality) Unauthorized data use (e.g. profiling) Adding noise (e.g. differential privacy) [1] Oblivious aggregation (e.g., homomorphic encryption) If the preprocessor is malicious, he can poison the data as well, and he can also see the whole training data. [1] Heikkila et al. ”Differentially Private Bayesian Learning on Distributed Data”, NIPS’17

7 3. Malicious model trainer
Pre-processor Trainer Model Inference Service Provider Data owners Clients Attack target Risk Remedies Training data (confidentiality) Unauthorized data use (e.g. profiling) Oblivious training (learning with encrypted data) [1] The training data is also visible to the malicious trainer. [1] Graepel et al. “ML Confidential”, ICISC’12

8 4. Malicious inference service provider
Pre-processor Trainer Model Inference Service Provider Data owners Clients Attack target Risk Remedies Inference queries/results (confidentiality) Unauthorized data use (e.g. profiling) Oblivious inference [1,2,3] What if the service provider is malicious? I will talk about it later. [1] Gilad-Bachrach et al. “CryptoNets”, ICML’16 [2] Mohassel et al. “SecureML”, IEEE S&P’17 [3] Liu et al. “MiniONN”, ACM CCS’17

9 Inference Service Provider
5. Malicious client Pre-processor Trainer Model Inference Service Provider Data owners Clients Attack target Risk Remedies Training data (confidentiality) Membership inference Model inversion Minimize information leakage in responses Differential privacy Model (confidentiality) Model theft [1] Normality model for client queries Adaptive responses to client requests Model (integrity) Model evasion [2] If the clients are malicious, they can steal the model, evade the model or even invert the model by sending queries. [1] Tramer et al, “Stealing ML models via prediction APIs”, UsenixSEC’16 [2] Dang et al, “Evading Classifiers by Morphing in the Dark”, CCS’17

10 Machine learning as a service (MLaaS)
Input Predictions Next, I will focus on the case of malicious service provider, who can see all queries sent by users. This can be very serious in some scenarios like online diagnosis. violate clients’ privacy

11 Oblivious Neural Networks (ONN)
Given a neural network, is it possible to make it oblivious? server learns nothing about clients' input; clients learn nothing about the model.

12 Example: CryptoNets FHE-encrypted input FHE-encrypted predictions
High throughput for batch queries from same client High overhead for single queries: 297.5s and 372MB Only supports low-degree polynomials [GDLLNW16] CryptoNets, ICML 2016

13 MiniONN: Overview Blinded input Blinded predictions
oblivious protocols Blinded predictions Lightweight primitives: Additively homomorphic encryption (with SIMD) Secure two-party computation

14 Performance (for single queries)
Model Latency (s) Msg sizes (MB) Accuracy % MNIST/Square 0.4 (+ 0.88) 44 (+ 3.6) 98.95 CIFAR-10/ReLU 472 (+ 72) 6226 (+ 3046) 81.61 PTB/Sigmoid 4.39 (+ 13.9) 474 (+ 86.7) 120/114.5 (perplexity) It achieves 700 performance improvement over cryptoNets. Pre-computation time in parenthesis

Download ppt "Privacy-preserving Machine Learning"

Similar presentations

SPORC: Group Collaboration using Untrusted Cloud Resources Ariel J. Feldman, William P. Zeller, Michael J. Freedman, Edward W. Felten Published in OSDI’2010.

SPORC: Group Collaboration using Untrusted Cloud Resources Ariel J. Feldman, William P. Zeller, Michael J. Freedman, Edward W. Felten Published in OSDI’2010.
Virtualization and Cloud Computing. Definition Virtualization is the ability to run multiple operating systems on a single physical system and share the.

Virtualization and Cloud Computing. Definition Virtualization is the ability to run multiple operating systems on a single physical system and share the.
Building web applications on top of encrypted data using Mylar Presented by Tenglu Liang Tai Liu.

Building web applications on top of encrypted data using Mylar Presented by Tenglu Liang Tai Liu.
Efficient Public Key Infrastructure Implementation in Wireless Sensor Networks Wireless Communication and Sensor Computing, 2010. ICWCSC 2010. International.

Efficient Public Key Infrastructure Implementation in Wireless Sensor Networks Wireless Communication and Sensor Computing, ICWCSC International.
Ragib Hasan Johns Hopkins University en.600.412 Spring 2011 Lecture 3 02/14/2010 Security and Privacy in Cloud Computing.

Ragib Hasan Johns Hopkins University en Spring 2011 Lecture 3 02/14/2010 Security and Privacy in Cloud Computing.
SplitX: High-Performance Private Analytics Ruichuan Chen (Bell Labs / Alcatel-Lucent) Istemi Ekin Akkus (MPI-SWS) Paul Francis (MPI-SWS)

SplitX: High-Performance Private Analytics Ruichuan Chen (Bell Labs / Alcatel-Lucent) Istemi Ekin Akkus (MPI-SWS) Paul Francis (MPI-SWS)
Ragib Hasan Johns Hopkins University en.600.412 Spring 2010 Lecture 5 03/08/2010 Security and Privacy in Cloud Computing.

Ragib Hasan Johns Hopkins University en Spring 2010 Lecture 5 03/08/2010 Security and Privacy in Cloud Computing.
Design, Implementation, and Experimentation on Mobile Agent Security for Electronic Commerce Applications Anthony H. W. Chan, Caris K. M. Wong, T. Y. Wong,

Design, Implementation, and Experimentation on Mobile Agent Security for Electronic Commerce Applications Anthony H. W. Chan, Caris K. M. Wong, T. Y. Wong,
Privacy-Preserving Computation and Verification of Aggregate Queries on Outsourced Databases Brian Thompson 1, Stuart Haber 2, William G. Horne 2, Tomas.

Privacy-Preserving Computation and Verification of Aggregate Queries on Outsourced Databases Brian Thompson 1, Stuart Haber 2, William G. Horne 2, Tomas.
Privacy Preserving Data Mining: An Overview and Examination of Euclidean Distance Preserving Data Transformation Chris Giannella cgiannel AT acm DOT org.

Privacy Preserving Data Mining: An Overview and Examination of Euclidean Distance Preserving Data Transformation Chris Giannella cgiannel AT acm DOT org.
A Seminar on Securities In Cloud Computing Presented by Sanjib Kumar Raul Mtech(ICT) Roll-10IT61B09 IIT Kharagpur Under the supervision of Prof. Indranil.

A Seminar on Securities In Cloud Computing Presented by Sanjib Kumar Raul Mtech(ICT) Roll-10IT61B09 IIT Kharagpur Under the supervision of Prof. Indranil.
ObliviStore High Performance Oblivious Cloud Storage Emil StefanovElaine Shi

ObliviStore High Performance Oblivious Cloud Storage Emil StefanovElaine Shi
Overview of Privacy Preserving Techniques.  This is a high-level summary of the state-of-the-art privacy preserving techniques and research areas  Focus.

Overview of Privacy Preserving Techniques.  This is a high-level summary of the state-of-the-art privacy preserving techniques and research areas  Focus.
Security Security is a measure of the system’s ability to protect data and information from unauthorized access while still providing access to people.

Security Security is a measure of the system’s ability to protect data and information from unauthorized access while still providing access to people.
CS 5150 1 CS 5150 Software Engineering Lecture 18 Security.

CS CS 5150 Software Engineering Lecture 18 Security.
Privacy-Aware Personalization for Mobile Advertising

Privacy-Aware Personalization for Mobile Advertising
E-Commerce Security Professor: Morteza Anvari Student: Xiaoli Li Student ID: 102088 March 10, 2001.

E-Commerce Security Professor: Morteza Anvari Student: Xiaoli Li Student ID: March 10, 2001.
Architectures of distributed systems Fundamental Models

Architectures of distributed systems Fundamental Models
Hiding in the Mobile Crowd: Location Privacy through Collaboration.

Hiding in the Mobile Crowd: Location Privacy through Collaboration.
Annual Conference of ITA ACITA 2010 Secure Sharing in Distributed Information Management Applications: Problems and Directions Piotr Mardziel, Adam Bender,

Annual Conference of ITA ACITA 2010 Secure Sharing in Distributed Information Management Applications: Problems and Directions Piotr Mardziel, Adam Bender,

Similar presentations

Ads by Google