The growing popularity of Machine Learning (ML) has led to its deployment in various sensitive domains, which has resulted in significant research focused on ML security and privacy. However, in some applications, such as autonomous driving, integrity verification of the outsourced ML workload is more critical, a facet that has not received much attention. Existing solutions, such as multi-party computation and proof-based systems, impose significant computation overhead, which makes them unfit for real-time applications. We propose Fides, a novel framework for real-time validation of outsourced ML workloads. Fides features a novel and efficient distillation technique, Greedy Distillation Transfer Learning, that dynamically distills and fine-tunes a space- and compute-efficient verification model for verifying the corresponding service model while running inside a trusted execution environment. Fides features a client-side attack detection model that uses statistical analysis and divergence measurements to identify, with a high likelihood, whether the service model is under attack. Fides also offers a re-classification functionality that predicts the original class whenever an attack is identified. We devised a generative adversarial network framework for training the attack detection and re-classification models. The extensive evaluation shows that Fides achieves an accuracy of up to 98% for attack detection and 94% for re-classification.