The growing popularity of Machine Learning (ML) has led to its deployment in many sensitive domains, which in turn has driven significant research on ML security and privacy. In some applications, such as autonomous driving, however, integrity verification of the outsourced ML workload is the more critical concern, and it has received comparatively little attention. Existing solutions, such as multi-party computation and proof-based systems, impose significant computation overhead, which makes them unfit for real-time applications. We propose Fides, a novel framework for real-time validation of outsourced ML workloads. Fides features a novel and efficient distillation technique, Greedy Distillation Transfer Learning, that dynamically distills and fine-tunes a space- and compute-efficient verification model for verifying the corresponding service model while running inside a trusted execution environment. Fides also features a client-side attack detection model that uses statistical analysis and divergence measurements to identify, with high likelihood, whether the service model is under attack, and a re-classification functionality that predicts the original class whenever an attack is identified. We devised a generative adversarial network framework for training the attack detection and re-classification models. Our evaluation shows that Fides achieves an accuracy of up to 98% for attack detection and 94% for re-classification.
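The abstract describes the client-side check only at a high level: a small verification model's output is compared with the service model's output using a divergence measure, and statistical calibration on benign traffic sets the threshold at which the service model is declared under attack. The block below is an added illustration of that general mechanism, written for this page; it is not code from the Fides paper, and it does not reproduce Greedy Distillation Transfer Learning, the GAN-trained detector, or the separate re-classification model. It assumes the verifier and service model expose softmax probability vectors, uses Jensen-Shannon divergence as the divergence measure, calibrates a mean-plus-k-sigma threshold on constructed benign pairs, and, as a simplification of re-classification, falls back to the verifier's own prediction when an attack is flagged. All sample probability vectors are constructed for the example.

```python
"""Illustrative verification check for an outsourced classifier.

Added example, not code from the Fides paper. It assumes the mechanism the
abstract sketches: a verification model next to the client compares its output
distribution with the service model's using a divergence measure, and a
threshold calibrated on benign traffic flags likely tampering. The divergence
choice (Jensen-Shannon), the calibration rule (mean + k*std) and the fallback
re-classification (verifier's argmax) are assumptions of this example.
"""
import math
from statistics import mean, stdev

EPS = 1e-12  # guards log(0) for zero-probability entries


def _kl(a, b):
    """KL(a || b) in nats; terms with a_i == 0 contribute nothing."""
    return sum(ai * math.log((ai + EPS) / (bi + EPS)) for ai, bi in zip(a, b) if ai > 0)


def js_divergence(p, q):
    """Jensen-Shannon divergence between two probability vectors.

    Symmetric and bounded by ln 2, which makes it easier to threshold than raw KL.
    """
    assert len(p) == len(q), "distributions must have the same number of classes"
    m = [(pi + qi) / 2 for pi, qi in zip(p, q)]
    return 0.5 * _kl(p, m) + 0.5 * _kl(q, m)


def calibrate_threshold(benign_pairs, k=3.0):
    """Statistical calibration: mean + k * std of the divergence on unattacked
    (service, verifier) output pairs. Needs at least two pairs."""
    d = [js_divergence(s, v) for s, v in benign_pairs]
    return mean(d) + k * stdev(d)


def argmax(probs):
    return max(range(len(probs)), key=probs.__getitem__)


def verify(service_probs, verifier_probs, threshold):
    """Return (attack_flag, divergence, predicted_class).

    If the divergence exceeds the calibrated threshold the service output is
    treated as tampered and the verifier's class is returned instead (a
    simplification of Fides' dedicated re-classification model).
    """
    d = js_divergence(service_probs, verifier_probs)
    if d > threshold:
        return True, d, argmax(verifier_probs)
    return False, d, argmax(service_probs)


# Constructed sample data (3-class softmax outputs), not measurements.
BENIGN_PAIRS = [
    ([0.90, 0.05, 0.05], [0.85, 0.10, 0.05]),
    ([0.10, 0.80, 0.10], [0.15, 0.75, 0.10]),
    ([0.20, 0.10, 0.70], [0.25, 0.10, 0.65]),
    ([0.88, 0.07, 0.05], [0.80, 0.12, 0.08]),
    ([0.05, 0.90, 0.05], [0.10, 0.80, 0.10]),
]
# A tampered service response: confident class 1 where the verifier sees class 0.
ATTACKED_PAIR = ([0.02, 0.95, 0.03], [0.85, 0.10, 0.05])


def demo():
    """Calibrate on benign pairs, then check one benign and one attacked pair."""
    threshold = calibrate_threshold(BENIGN_PAIRS)
    benign = verify(*BENIGN_PAIRS[0], threshold)
    attacked = verify(*ATTACKED_PAIR, threshold)
    return threshold, benign, attacked


if __name__ == "__main__":
    thr, benign, attacked = demo()
    print(f"threshold={thr:.4f}")
    print(f"benign:   flagged={benign[0]} div={benign[1]:.4f} class={benign[2]}")
    print(f"attacked: flagged={attacked[0]} div={attacked[1]:.4f} class={attacked[2]}")
```

The threshold is derived from the verifier's own disagreement with the service model on traffic known to be clean, so a verifier that is too weak (large benign divergence) loosens the check; this is why the abstract's emphasis on a fine-tuned, accurate verification model matters as much as the divergence measure itself.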