
Privacy and Security Implications of Cloud-Based AI Services: A Survey (2402.00896v1)

Published 31 Jan 2024 in cs.CR, cs.AI, and cs.LG

Abstract: This paper details the privacy and security landscape in today's cloud ecosystem and identifies a gap in addressing the risks introduced by machine learning models. As machine learning algorithms continue to evolve and find applications across diverse domains, the need to categorize and quantify privacy and security risks becomes increasingly critical. With the emerging trend of AI-as-a-Service (AIaaS), machine-learned AI models (or ML models) are deployed on the cloud by model providers and used by model consumers. We first survey the AIaaS landscape to document the various kinds of liabilities that ML models, especially Deep Neural Networks, pose, and then introduce a taxonomy to bridge this gap by holistically examining the risks that creators and consumers of ML models are exposed to and their known defences to date. Such a structured approach will be beneficial for ML model providers in creating robust solutions. Likewise, ML model consumers will find it valuable for evaluating such solutions and understanding the implications of their engagement with such services. The proposed taxonomies provide a foundational basis for solutions in private, secure and robust ML, paving the way for more transparent and resilient AI systems.

Authors (3)
  1. Alka Luqman (3 papers)
  2. Riya Mahesh (2 papers)
  3. Anupam Chattopadhyay (55 papers)