TransLinkGuard: Safeguarding Transformer Models Against Model Stealing in Edge Deployment (2404.11121v2)

Published 17 Apr 2024 in cs.CR and cs.AI

Abstract: Proprietary LLMs are widely used across many scenarios, and deploying them on edge devices is an emerging trend for efficiency and privacy reasons. However, edge deployment of proprietary LLMs introduces new security challenges: an edge-deployed model is white-box accessible to the user, which enables adversaries to mount effective model stealing (MS) attacks. Unfortunately, existing defense mechanisms fail to provide effective protection. Specifically, we identify four critical protection properties that no existing method satisfies simultaneously: (1) maintaining protection after the model is physically copied; (2) authorizing model access at the request level; (3) safeguarding against runtime reverse engineering; (4) achieving high security with negligible runtime overhead. To address these issues, we propose TransLinkGuard, a plug-and-play model protection approach against model stealing on edge devices. The core of TransLinkGuard is a lightweight authorization module that resides in a secure environment, e.g., a TEE, and freshly authorizes each request based on its input. Extensive experiments show that TransLinkGuard achieves security equivalent to black-box security guarantees with negligible overhead.
