The growing popularity of Machine Learning (ML) has led to its deployment in various sensitive domains, which has resulted in significant research focused on ML security and privacy. However, in some applications, such as Augmented/Virtual Reality, integrity verification of the outsourced ML tasks is more critical, a facet that has not received much attention. Existing solutions, such as multi-party computation and proof-based systems, impose significant computation overhead, which makes them unfit for real-time applications. We propose Fides, a novel framework for real-time integrity validation of ML-as-a-Service (MLaaS) inference. Fides features a novel and efficient distillation technique, Greedy Distillation Transfer Learning, that dynamically distills and fine-tunes a space- and compute-efficient verification model for verifying the corresponding service model while running inside a trusted execution environment. Fides also features a client-side attack detection model that uses statistical analysis and divergence measurements to identify, with high likelihood, whether the service model is under attack. In addition, Fides offers a re-classification functionality that predicts the original class whenever an attack is identified. We devised a generative adversarial network framework for training the attack detection and re-classification models. The evaluation shows that Fides achieves an accuracy of up to 98% for attack detection and 94% for re-classification.
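To make the client-side check concrete, here is an added illustration (not code from the Fides paper) of divergence-based attack detection: the client compares the service model's class probabilities with those of the TEE-hosted verification model and flags an inference whose divergence exceeds a threshold calibrated on benign runs. The choice of Jensen-Shannon divergence, the mean-plus-k-sigma threshold, and all sample outputs are assumptions made for this example; Fides itself trains its detection model with a GAN framework.

```python
import math
from statistics import mean, pstdev


def kl_divergence(p, q):
    """KL(p || q) for two probability vectors of equal length (natural log)."""
    assert len(p) == len(q)
    return sum(pi * math.log(pi / qi) for pi, qi in zip(p, q) if pi > 0)


def js_divergence(p, q):
    """Symmetric, bounded divergence between two class-probability vectors."""
    m = [(pi + qi) / 2 for pi, qi in zip(p, q)]
    return 0.5 * kl_divergence(p, m) + 0.5 * kl_divergence(q, m)


def calibrate_threshold(benign_pairs, k=3.0):
    """Assumed rule: threshold = mean + k * std of the divergence observed on
    (service output, verifier output) pairs that are known to be untampered."""
    scores = [js_divergence(s, v) for s, v in benign_pairs]
    return mean(scores) + k * pstdev(scores)


def detect_attack(service_out, verifier_out, threshold):
    """Return (flagged, score): flagged is True when the service model's output
    diverges from the trusted verification model more than benign runs do."""
    score = js_divergence(service_out, verifier_out)
    return score > threshold, score


# Constructed sample data: 3-class softmax outputs from the (untrusted) service
# model and the (trusted, TEE-hosted) verification model on benign inputs.
BENIGN_PAIRS = [
    ([0.90, 0.05, 0.05], [0.85, 0.10, 0.05]),
    ([0.10, 0.80, 0.10], [0.15, 0.75, 0.10]),
    ([0.05, 0.05, 0.90], [0.10, 0.05, 0.85]),
    ([0.70, 0.20, 0.10], [0.65, 0.25, 0.10]),
]
# Constructed: a tampered service response whose top class disagrees with the verifier.
TAMPERED_SERVICE_OUT = [0.05, 0.90, 0.05]
TAMPERED_VERIFIER_OUT = [0.85, 0.10, 0.05]

if __name__ == "__main__":
    thr = calibrate_threshold(BENIGN_PAIRS)
    print("threshold", round(thr, 4))
    print("benign  ", detect_attack([0.88, 0.07, 0.05], [0.85, 0.10, 0.05], thr))
    print("tampered", detect_attack(TAMPERED_SERVICE_OUT, TAMPERED_VERIFIER_OUT, thr))
```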