Chiron: Privacy-preserving Machine Learning as a Service (1803.05961v1)

Abstract: Major cloud operators offer ML as a service, enabling customers who have the data but not ML expertise or infrastructure to train predictive models on this data. Existing ML-as-a-service platforms require users to reveal all training data to the service operator. We design, implement, and evaluate Chiron, a system for privacy-preserving machine learning as a service. First, Chiron conceals the training data from the service operator. Second, in keeping with how many existing ML-as-a-service platforms work, Chiron reveals neither the training algorithm nor the model structure to the user, providing only black-box access to the trained model. Chiron is implemented using SGX enclaves, but SGX alone does not achieve the dual goals of data privacy and model confidentiality. Chiron runs the standard ML training toolchain (including the popular Theano framework and C compiler) in an enclave, but the untrusted model-creation code from the service operator is further confined in a Ryoan sandbox to prevent it from leaking the training data outside the enclave. To support distributed training, Chiron executes multiple concurrent enclaves that exchange model parameters via a parameter server. We evaluate Chiron on popular deep learning models, focusing on benchmark image classification tasks such as CIFAR and ImageNet, and show that its training performance and accuracy of the resulting models are practical for common uses of ML-as-a-service.

• The paper demonstrates a novel MLaaS approach that conceals training data from service providers using SGX enclaves and sandboxing.
• The paper introduces a secure parameter exchange strategy employing fixed-rate communication among enclaves for consistent distributed training.
• The paper validates Chiron on CIFAR and ImageNet, showing competitive performance with minimal accuracy degradation on realistic datasets.

Privacy-preserving Machine Learning as a Service

The paper discusses the development and evaluation of Chiron, a system designed to implement privacy-preserving machine learning as a service (MLaaS). The motivation behind this research stems from the conundrum faced by data holders who wish to exploit ML without exposing confidential training data to service providers. Chiron endeavors to address these privacy concerns while simultaneously adhering to the operational constraints of existing MLaaS platforms.

Chiron encapsulates its primary innovation in concealing the training data from the service operator while providing a standard black-box interface for users. This is significant as current MLaaS offerings, such as those from Google, Amazon, and Microsoft, require full data exposure to service operators. Chiron leverages Intel's Software Guard Extensions (SGX) enclaves to protect sensitive data, ensuring it is processed within a secure environment that is resistant to data leakage, even against the hosting platform's software.

To achieve data privacy and model confidentiality, Chiron employs SGX enclaves coupled with the Ryoan sandbox, a confinement tool that limits the service provider's code, hence preventing it from transmitting privy information beyond the enclave. The untrusted code by the service provider only interacts with an internally trusted ML toolchain, in this case based on Theano, which provides fundamental model training capabilities. This is supplemented by a hardware-sealed communication protocol ensuring the integrity and confidentiality of data exchanges between enclaves and from enclaves to users.

A significant feature of Chiron is its deduced parameter exchange strategy where multiple concurrently executing enclaves share model parameters via a secured parameter server, employing a fixed-rate communication policy to hinder covert channels. This is crucial for maintaining consistency in distributed training modalities frequently employed in deep learning tasks.

The system was rigorously evaluated with popular benchmarks such as CIFAR and ImageNet datasets. Key results indicate that Chiron's training performance and model accuracy are practical and competitive alongside traditional, non-secure MLaaS platforms. For instance, realistic training times were observed without significant accuracy degradation, although certain configurations experienced nominal accuracy drops due to parameter update staleness issues inherent in distributed ML settings.

Chiron's architecture demonstrates adaptability to existing ML workflows without burdening users with the complexities traditionally associated with secure cryptographic protocols. This offers a pathway for broader adoption of MLaaS by privacy-concerned clientele.

The implications of this research are multifaceted. Practically, it could foster increased reliance on outsourced ML, especially in sensitive domains such as finance and healthcare, where data privacy is paramount. Theoretically, Chiron pushes the boundary of what is achievable with current secure enclave technology and posits a framework that future MLaaS services might be built upon.

Future advancements may explore reducing dependency on SGX by creating more comprehensive, hardware-agnostic solutions or integrate more robust countermeasures to mitigate side channels, such as data-oblivious ML algorithms. However, these are contingent upon broader hardware-supportive technologies evolving to include similar enclave functionalities.

The paper contributes significantly to the discourse on privacy in outsourced ML and provides a critical reference point for improvements in secure computation environments. As AI continues to penetrate various industrial domains, such initiatives become essential for harmonizing ML capabilities with stringent data privacy norms.