Model-less Is the Best Model: Generating Pure Code Implementations to Replace On-Device DL Models
Abstract: Recent studies show that deployed deep learning (DL) models, such as TensorFlow Lite (TFLite) models, can easily be extracted from real-world applications and devices by attackers and used to mount many kinds of attacks, such as adversarial attacks. Although securing deployed on-device DL models has gained increasing attention, no existing method can fully prevent these threats. Traditional software protection techniques have been widely explored; if on-device models could be implemented as pure code, such as C++, it would open the possibility of reusing those existing techniques. However, because of the complexity of DL models, there is no automatic method that translates a DL model into pure code. To fill this gap, we propose a novel method, CustomDLCoder, that automatically extracts on-device model information and synthesizes a customized executable program for a wide range of DL models. CustomDLCoder first parses the DL model, extracts its backend computing units, configures those units into a graph, and then generates customized code that implements and deploys the ML solution without an explicit model representation. Because the synthesized program does not need to retain an explicit model representation, it hides model information in the DL deployment environment and prevents many attacks on the DL model. In addition, it improves ML performance because the customized code removes the model parsing and preprocessing steps and retains only the data computation. Our experimental results show that CustomDLCoder improves model security by disabling on-device model sniffing. Compared with the original on-device platform (i.e., TFLite), our method accelerates model inference by 21.8% and 24.3% on x86-64 and ARM64 platforms, respectively. Most importantly, it significantly reduces memory consumption, by 68.8% and 36.0% on x86-64 and ARM64 platforms, respectively.
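To make the parse-extract-generate pipeline in the abstract concrete, the following is an added toy example (not CustomDLCoder's code, and not TFLite's). It assumes a constructed, simplified op-graph schema in place of a parsed TFLite flatbuffer, supports only fully-connected units with an optional ReLU, and emits Python rather than C++. It contrasts the interpreter path, which walks the explicit model graph at run time, with the generated program, in which each computing unit has become straight-line code with its parameters inlined, so no op table, tensor metadata or serialized model remains to be parsed or sniffed at run time.

```python
"""Toy model-to-code translation, illustrating the idea behind CustomDLCoder.

Added example, not the paper's implementation. It assumes a constructed,
simplified op-graph schema (a stand-in for a parsed TFLite flatbuffer) and
emits a Python function; a real generator would emit C++ for compilation.
"""


# Constructed sample model: a two-layer MLP described as a list of computing
# units (ops) with their weights, as a parser would extract from a model file.
SAMPLE_MODEL = {
    "inputs": ["x"],
    "outputs": ["y"],
    "ops": [
        {"type": "FULLY_CONNECTED", "in": "x", "out": "h",
         "weights": [[0.5, -1.0, 2.0], [1.0, 1.0, 1.0]],
         "bias": [0.1, -0.2], "activation": "RELU"},
        {"type": "FULLY_CONNECTED", "in": "h", "out": "y",
         "weights": [[1.0, -1.0]], "bias": [0.0], "activation": "NONE"},
    ],
}


def run_interpreter(model, x):
    """Interpreter-style inference: walks the explicit model graph at run time,
    the way a generic runtime such as TFLite does. The model stays in memory."""
    env = {model["inputs"][0]: list(x)}
    for op in model["ops"]:
        if op["type"] != "FULLY_CONNECTED":
            raise NotImplementedError(op["type"])
        src = env[op["in"]]
        out = [sum(c * v for c, v in zip(row, src)) + b
               for row, b in zip(op["weights"], op["bias"])]
        if op["activation"] == "RELU":
            out = [v if v > 0.0 else 0.0 for v in out]
        env[op["out"]] = out
    return env[model["outputs"][0]]


def generate_code(model):
    """Code-generation path: each computing unit becomes straight-line code with
    its weights inlined as literals. The emitted program carries no op names,
    tensor table or serialized weight arrays, so nothing is parsed at run time."""
    lines = [f"def infer({model['inputs'][0]}):"]
    for op in model["ops"]:
        if op["type"] != "FULLY_CONNECTED":
            raise NotImplementedError(op["type"])
        src, dst = op["in"], op["out"]
        exprs = []
        for row, b in zip(op["weights"], op["bias"]):
            terms = " + ".join(f"{c!r} * {src}[{i}]" for i, c in enumerate(row))
            exprs.append(f"{terms} + {b!r}")
        lines.append(f"    {dst} = [{', '.join(exprs)}]")
        if op["activation"] == "RELU":
            lines.append(f"    {dst} = [v if v > 0.0 else 0.0 for v in {dst}]")
    lines.append(f"    return {model['outputs'][0]}")
    return "\n".join(lines) + "\n"


def load_generated(source):
    """Compile the generated source and return its `infer` function
    (stands in for compiling and linking the generated C++)."""
    namespace = {}
    exec(compile(source, "<generated>", "exec"), namespace)
    return namespace["infer"]


def outputs_match(model, x, tol=1e-9):
    """Check that the generated program reproduces the interpreter's result."""
    expected = run_interpreter(model, x)
    actual = load_generated(generate_code(model))(x)
    return len(actual) == len(expected) and all(
        abs(a - e) <= tol for a, e in zip(actual, expected))


def generated_hides_model_info(model):
    """The emitted source should contain neither the op type names nor the
    weight arrays as a named, parsable structure."""
    src = generate_code(model)
    return all(op["type"] not in src for op in model["ops"]) and "weights" not in src


if __name__ == "__main__":
    print(generate_code(SAMPLE_MODEL))
    print("interpreter:", run_interpreter(SAMPLE_MODEL, [1.0, 2.0, 3.0]))
    print("generated:  ", load_generated(generate_code(SAMPLE_MODEL))([1.0, 2.0, 3.0]))
```

The generated `infer` still embeds the parameters as literal constants; what it removes is the explicit, self-describing model structure that a model-extraction tool would look for. Recovering constants from a compiled binary remains possible, which is why the abstract frames pure-code deployment as a way to reuse existing software protection techniques (for example obfuscation) on the generated program rather than as a complete defence on its own.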