
Protecting Deep Learning Models on Cloud with Trusted Execution Environments

Series: Ph.D. Colloquium

Speaker: Kripa Shanker, Ph.D. (Engg.) student, Dept. of CSA

Date/Time: Jul 09 09:00:00

Location: CSA Auditorium (Room No. 104, Ground Floor)

Faculty Advisor: Prof. Vinod Ganapathy

Abstract:
Deep learning is being rapidly integrated into applications ranging
from medical imaging to financial products, and organisations spend
enormous financial resources training deep learning models. Many of
them, however, lack the resources to host, manage and scale these
workloads in-house, and therefore outsource deep learning inference to
public cloud platforms. Outsourcing raises security and privacy risks
for the trained models: the cloud provider controls all software and
hardware on its premises and has full access to every model deployed on
its platform. A malicious or compromised provider can steal a trained
model or tamper with the inference workload, exposing the model owner to
financial losses and legal trouble. This dissertation presents
solutions for securing deep learning workloads on public cloud platforms
with hardware-assisted trusted execution environments (TEEs).

Intel SGX is a hardware-based trusted execution environment that allows
private computations to run on public cloud platforms inside enclaves.
Commodity applications do not run inside an SGX enclave out of the box,
however, because the SGX specification restricts what enclave code may
do (for example, enclave code cannot issue system calls directly).
Applications therefore have to be rewritten, or some other mechanism
must keep restricted instructions out of the enclave. To port commodity
applications, the community has built several frameworks that adapt
applications to the SGX execution model, but at the beginning of this
work it was unclear which of them suited deep learning workloads. The
first part of this work is therefore a study of these porting frameworks
aimed at selecting one for deep learning, with a focus on the challenges
of moving commodity applications into SGX enclaves.

During that study we observed that memory-intensive applications such
as deep learning workloads incur a significant performance penalty when
run inside the Intel SGX trusted execution environment, since the
protected memory available to enclaves is limited and paging beyond it
is expensive. Furthermore, SGX cannot securely use untrusted resources
such as the co-processors commonly used to accelerate deep learning.
The second part of the work therefore focuses on improving the
performance of deep learning workloads on TEEs. It presents MazeNet, a
framework that transforms pre-trained models into MazeNet models and
deploys them across a combination of trusted and untrusted hardware: the
trusted hardware guards the security of the model while the untrusted
hardware accelerates the computation. MazeNet uses a secure outsourcing
scheme that offloads both the linear and the non-linear layers of a
model to untrusted hardware. Our experimental evaluation shows that
MazeNet improves throughput by 30x and reduces latency by 5x.
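To make the idea of outsourcing a layer to untrusted hardware concrete, the following is an added example, not MazeNet's code (the abstract above does not describe MazeNet's actual scheme). It shows the classic Slalom-style building block for a single linear layer, as proposed by Tramer and Boneh: the trusted side blinds its activations X with a one-time additive mask before handing them to an untrusted accelerator, then checks the returned product W(X+R) with a Freivalds-style random linear combination that costs far less than recomputing W X. Arithmetic is over integers modulo a prime, standing in for quantised fixed-point values; the prime, the matrix sizes and the two accelerator behaviours are all constructed for the example. Note the caveat that matters for this dissertation's threat model: in this scheme the weights W are sent to the accelerator in the clear, so it protects input privacy and result integrity but not model confidentiality.

```python
"""Added example: blinded, verifiable outsourcing of one linear layer.

Illustrative Slalom-style code, not MazeNet's scheme. The trusted side
(think: enclave) owns W (m x n) and a batch X (n x B) and wants Y = W X
from an untrusted accelerator while hiding X and detecting a wrong
result. Caveat: W itself is exposed to the accelerator.
"""
import secrets

P = 2**31 - 1  # prime modulus for fixed-point values (assumption of the example)


class IntegrityError(Exception):
    """Raised when the accelerator's result fails the random check."""


def matmul(A, B):
    """Dense A (m x k) times B (k x n), entries reduced mod P."""
    k, n = len(B), len(B[0])
    return [[sum(row[t] * B[t][j] for t in range(k)) % P for j in range(n)]
            for row in A]


def matadd(A, B, sign=1):
    """Entrywise A + sign*B mod P (sign=-1 subtracts)."""
    return [[(a + sign * b) % P for a, b in zip(ra, rb)] for ra, rb in zip(A, B)]


def rand_matrix(rows, cols):
    return [[secrets.randbelow(P) for _ in range(cols)] for _ in range(rows)]


class TrustedSide:
    """Code that would run inside the enclave: owns W and the blinding secrets."""

    def __init__(self, W):
        self.W = W
        self.n = len(W[0])

    def precompute(self, batch):
        """Offline phase: random blind R (n x batch) and its image W R."""
        R = rand_matrix(self.n, batch)
        return R, matmul(self.W, R)

    def blind(self, X, R):
        """Online: X + R is uniform mod P, so it reveals nothing about X."""
        return matadd(X, R)

    def unblind_and_verify(self, Z, WR, X):
        """Z is the accelerator's claimed W(X + R). Returns Y = W X or raises.

        Checking W (X s) == Y s for one random vector s costs O(mn + nB + mB)
        multiplications instead of the O(mnB) needed to recompute W X for a
        batch of B columns. A wrong Y passes with probability at most 1/P.
        """
        Y = matadd(Z, WR, sign=-1)
        s = rand_matrix(len(X[0]), 1)             # random B x 1 vector
        lhs = matmul(self.W, matmul(X, s))        # W (X s): one matvec on W
        rhs = matmul(Y, s)                        # Y s
        if lhs != rhs:
            raise IntegrityError("accelerator returned a wrong product")
        return Y


def honest_accelerator(W, Xb):
    """Untrusted GPU/co-processor doing what it was asked (constructed)."""
    return matmul(W, Xb)


def cheating_accelerator(W, Xb):
    """Untrusted hardware that perturbs a single output entry (constructed)."""
    Z = matmul(W, Xb)
    Z[0][0] = (Z[0][0] + 1) % P
    return Z


def outsource_linear_layer(W, X, accelerator):
    """Full round trip for Y = W X; only W and X + R ever leave the trusted side."""
    trusted = TrustedSide(W)
    R, WR = trusted.precompute(batch=len(X[0]))
    Z = accelerator(W, trusted.blind(X, R))
    return trusted.unblind_and_verify(Z, WR, X)


if __name__ == "__main__":
    W = [[1, 2], [3, 4], [5, 6]]               # constructed 3 x 2 weight matrix
    X = [[7, 8, 9], [10, 11, 12]]              # constructed 2 x 3 activation batch
    print(outsource_linear_layer(W, X, honest_accelerator))
    try:
        outsource_linear_layer(W, X, cheating_accelerator)
    except IntegrityError as e:
        print("rejected:", e)
```

The asymmetry that makes this worthwhile is in unblind_and_verify: the trusted side spends one matrix-vector product on W per batch instead of a full matrix-matrix product, which is how the expensive part moves to the untrusted accelerator while the enclave keeps the ability to reject a tampered result. Extending the same idea to non-linear layers, which the abstract says MazeNet does, is exactly where this simple linear trick stops applying.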