Machine learning algorithms based on deep neural networks have achieved remarkable results in a variety of domains such as spam detection, traffic analysis, intrusion detection, medical predictions, and financial predictions. Neural network (NN) driven technologies such as image/voice recognition and personal assistant apps have greatly improved the quality of life and have become utilities people rely on every day. NN-based machine learning algorithms are often hosted on cloud servers as a service provided to users, which raises security concerns: how to protect private user data from hackers as well as from trusted-yet-curious servers, and how to prevent model piracy and enforce intellectual property (IP) protection. Adopting traditional encryption-based defenses tends to introduce severe performance degradation to the system. This project addresses these issues and thus helps increase the use of accelerator architectures for machine learning in the computing cloud and on mobile clients. It assures that the IP of users is securely protected. The work integrates research with higher education through curricular innovation at both the undergraduate and graduate levels and with outreach to under-represented groups and K-12 education.

This project develops a secure, privacy-preserving, confidential and tamper-proof environment for users to acquire services from the cloud. It focuses on three tasks. 1) IP protection via user-dependent modeling: lightweight training and inference methodologies are developed to produce models that can execute only for legitimate IP owners. Such dependency can be derived from either the target hardware or a secret shared among IP owners. 2) Data privacy protection: acceleration techniques are developed for privacy-preserving homomorphic encryption (HE), which runs the NN on encrypted data but can slow down an inference by several orders of magnitude. HE is analyzed, the most suitable accelerator is selected, and an optimized mapping of HE onto the accelerator is developed to maximize its performance. 3) Protection of the confidentiality and integrity of the NN, and defense against side-channel attacks: the dynamic execution of NNs is protected by adding memory encryption, authentication, bus protection and isolation to defend against sophisticated attacks targeted at the accelerator hardware. The designs proposed in this project exploit the uniqueness of NNs and achieve minimum impact on performance.

This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

University of Pittsburgh
United States