The growing popularity of Machine Learning (ML) has led to its deployment in various sensitive domains, which has resulted in significant research on ML security and privacy. However, in some applications, such as autonomous driving, integrity verification of the outsourced ML workload is more critical, a facet that has received little attention. Existing solutions, such as multi-party computation and proof-based systems, impose significant computational overhead, which makes them unfit for real-time applications. We propose Fides, a novel framework for real-time validation of outsourced ML workloads. Fides features a novel and efficient distillation technique, Greedy Distillation Transfer Learning, that dynamically distills and fine-tunes a space- and compute-efficient verification model for verifying the corresponding service model while running inside a trusted execution environment. Fides also includes a client-side attack detection model that uses statistical analysis and divergence measurements to identify, with high likelihood, whether the service model is under attack. Fides further offers a re-classification functionality that predicts the original class whenever an attack is identified. We devised a generative adversarial network framework for training the attack detection and re-classification models. The evaluation shows that Fides achieves an accuracy of up to 98% for attack detection and 94% for re-classification.
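To make the client-side detection idea concrete, the following is an added example, not code from the Fides paper or its authors. It assumes the verification model's output distribution is available to the client as a reference and compares it with the service model's output using the Jensen-Shannon divergence; the choice of divergence, the quantile-based threshold calibration, the three-class sample outputs, and the argmax fallback used in place of the paper's trained re-classification model are all assumptions of this example.

```python
"""Illustrative sketch of the client-side attack detection described in the
Fides abstract: compare the outsourced service model's output with the output
of a small verification model and flag large disagreement.  The divergence
measure, the threshold calibration and the numbers below are this example's
own assumptions, not the paper's method or data."""
import math
from typing import List, Sequence, Tuple

Probs = Sequence[float]


def _normalize(p: Probs) -> List[float]:
    """Clamp negatives to zero and rescale so the vector sums to one."""
    clipped = [max(float(x), 0.0) for x in p]
    total = sum(clipped)
    if total <= 0.0:
        raise ValueError("probability vector must have positive mass")
    return [x / total for x in clipped]


def kl_divergence(p: Probs, q: Probs, eps: float = 1e-12) -> float:
    """KL(p || q) in nats; eps keeps log(0) out of the computation."""
    p, q = _normalize(p), _normalize(q)
    if len(p) != len(q):
        raise ValueError("distributions must have the same number of classes")
    return sum(pi * math.log((pi + eps) / (qi + eps))
               for pi, qi in zip(p, q) if pi > 0.0)


def js_divergence(p: Probs, q: Probs) -> float:
    """Jensen-Shannon divergence: symmetric and bounded by ln 2, so a single
    threshold is meaningful regardless of which side is the reference."""
    p, q = _normalize(p), _normalize(q)
    m = [(pi + qi) / 2.0 for pi, qi in zip(p, q)]
    return 0.5 * kl_divergence(p, m) + 0.5 * kl_divergence(q, m)


def calibrate_threshold(benign_pairs: Sequence[Tuple[Probs, Probs]],
                        quantile: float = 0.99) -> float:
    """Assumed calibration: take an empirical quantile of the divergence seen
    on (service, verifier) output pairs for inputs known to be benign."""
    scores = sorted(js_divergence(s, v) for s, v in benign_pairs)
    idx = min(len(scores) - 1, max(0, math.ceil(quantile * len(scores)) - 1))
    return scores[idx]


def detect_attack(service_probs: Probs, verifier_probs: Probs,
                  threshold: float) -> Tuple[bool, float]:
    """Return (under_attack, divergence) for one input's two outputs."""
    d = js_divergence(service_probs, verifier_probs)
    return d > threshold, d


def reclassify(verifier_probs: Probs) -> int:
    """Fallback label once an attack is flagged.  The paper trains a dedicated
    re-classification model; the verifier's argmax is a stand-in here."""
    return max(range(len(verifier_probs)), key=lambda i: verifier_probs[i])


# Constructed sample outputs for a hypothetical 3-class task (assumed data).
BENIGN_PAIRS = [
    ([0.90, 0.07, 0.03], [0.86, 0.10, 0.04]),
    ([0.05, 0.92, 0.03], [0.08, 0.88, 0.04]),
    ([0.10, 0.05, 0.85], [0.12, 0.06, 0.82]),
    ([0.70, 0.20, 0.10], [0.65, 0.25, 0.10]),
]
# Constructed case: the service model's output was manipulated so that the
# predicted class flips, while the verifier still favours class 0.
TAMPERED_SERVICE = [0.05, 0.05, 0.90]
VERIFIER_ON_SAME_INPUT = [0.88, 0.08, 0.04]


def demo() -> Tuple[float, bool, float, int]:
    """Calibrate on benign traffic, then score the tampered output."""
    threshold = calibrate_threshold(BENIGN_PAIRS)
    flagged, score = detect_attack(TAMPERED_SERVICE, VERIFIER_ON_SAME_INPUT, threshold)
    if flagged:
        label = reclassify(VERIFIER_ON_SAME_INPUT)
    else:
        label = max(range(len(TAMPERED_SERVICE)), key=lambda i: TAMPERED_SERVICE[i])
    return threshold, flagged, score, label


if __name__ == "__main__":
    print(demo())
```

The threshold is deliberately derived from benign traffic rather than fixed by hand: a verification model distilled inside a TEE will disagree slightly with the full service model on ordinary inputs, and the detector must tolerate that baseline gap while still catching outputs that have been substituted or corrupted.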