Development of a Secure Private Neural Network Capability

Machine Learning (ML) tools like Deep Neural Networks (DNNs) have gained widespread popularity due to their ability to quickly and accurately perform discriminative tasks, such as object detection and classification. However, current implementations of this concept have several drawbacks. First, traditional DNNs require access to unprotected (unencrypted) data. Even if the data is secured and the ML tool is made compatible for use with encrypted data, the resulting operational performance is slowed to the point that it renders the approach intractable. Second, recent research has shown many DNNs are susceptible to white box (full access to the machine learning tool and operations) and black box (only access to system input and output) attacks, allowing adversaries to maliciously manipulate the ML tool's output.

In its short history, this concept has been successfully applied to a broad spectrum of problems: speech and image recognition, medical imagery diagnostics, drug discovery, customer relationship management, fraud detection, and military applications, among many others. In many of these applications, a critical factor has been the need to access large volumes of data, which created privacy concerns and opened the potential for insights that might have inappropriate or unwanted implications. Those factors were most obvious in applications involving patient data and in military applications. Although these problem domains could greatly benefit from the capabilities of an ML tool, these critical security concerns thwart their use.

These challenges have resulted in the development of a Secure Private Neural Network, which is a set of fully computationally tractable DNNs that preserve the privacy of core data sets via end-to-end homomorphic encryption, while providing additional defense against black box adversarial attacks through intelligent network stochasticity and training set confounding. The full implementation of the Secure Private Neural Network enables maintainers and users of ML tools to provide security and privacy, achieving a balance between data security and providing advanced modeling over the data in sensitive databases.

SPNN is a secure neural network that protects sensitive information

In developing the Secure Private Neural Network (SPNN) capability, there were two major challenges that had to be addressed. First, because the data to be used is often sensitive, it must be protected through encryption. However, performing arithmetic operations on encrypted data via traditional means renders the overall process intractably slow. Therefore, it was necessary to develop a framework offering accelerated computational processes on encrypted data in a way that met security needs without compromising these processes. Second, traditional DNNs are vulnerable to a variety of attacks. Some of these involve manipulating data sets in a way that leads to incorrect conclusions and output. In so-called “Trojan attacks,” attackers can submit “trojans” into typical training sets that sculpt the performance of ML tools in a way that can be later exploited. Other attacks allow the attacker to gain insights about what has been learned, enabling their own counterstrategy development. Either problem can be significant, regardless of whether the attacker is a “nuisance” or a true adversary.

The approach to solving these challenges is reflected in the diagram below, showing how the multi-stage approach of the Secure Private Neural Network uses a combination of non-sensitive data in a “pretraining” phase, followed by subsequent training and classification phases, in which the data employed and the analytic results are secure from attack.

In the initialization phase, the DNN Builder converts the original structure into a homomorphic encryption-compliant structure and functions. It also adds extensions to the DNN to support resiliency to black box attacks. In the pretraining phase, the Pretrainer performs initial training of the unencrypted DNN with non-sensitive data, so the DNN begins to converge to its final state without revealing any sensitive data. The semi-trained parameters are then sent to the Trainer, which finalizes the DNN parameters in the training phase with encrypted non-sensitive and sensitive training data. Finally, in the classification phase, the Classifier Interface accepts input data from the client, selects DNN parameters from a set of DNN variants, and calculates a classification confidence that is only fully decrypted at the client.

Although homomorphic encryption is most efficient with binary data (ones and zeros), procedures can be used to perform arithmetic on more flexible data, such as floating point numbers (allowing images to be processed). Given the need for data security, the ability to operate on encrypted floating point numbers is extremely beneficial. However, simply encrypting data can still leave an adversary with exploitable information through so-called adversarial attacks. At their core, adversarial attacks exploit underlying trends in how DNNs operate, allowing the adversary to, for example, expose a DNN to imagery with subtle (non-human-perceptible) changes that dramatically alter its output. Obfuscation defenses work by adding network stochasticity, which masks the underlying trends of the DNNs, rendering attacks that leverage these trends ineffective.
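The two preceding paragraphs describe a server computing a DNN layer over ciphertexts it cannot read, with floating point inputs made usable by a fixed-point encoding. The following Python is an added illustration and not the SPNN code base or any scheme the article names: it uses a toy Paillier cryptosystem (additively homomorphic only, so it covers a linear layer, not the non-linear activations a full homomorphic pipeline must also handle) with constructed, far-too-small key parameters, and a hypothetical `FRAC_BITS` fixed-point scale chosen for the example. The client encrypts its inputs, the server combines them with plaintext weights and a bias, and only the client can decrypt the resulting neuron output.

```python
"""Toy Paillier demonstration: one neuron's weighted sum over encrypted inputs.

Added illustration, not the article's SPNN implementation. Paillier is
additively homomorphic, so it stands in for the fully homomorphic scheme the
article relies on; what it shows is how floats are fixed-point encoded so a
server can evaluate a linear layer on ciphertexts it cannot read.
"""
from math import gcd
import secrets

# Constructed toy parameters: two known Mersenne primes. Real deployments use
# primes of 1024+ bits each; these only keep the arithmetic readable.
P = 2**61 - 1
Q = 2**31 - 1
N = P * Q
N2 = N * N
LAMBDA = (P - 1) * (Q - 1) // gcd(P - 1, Q - 1)   # lcm(p-1, q-1)
G = N + 1                                         # standard generator choice


def _L(u):
    """Paillier's L function: (u - 1) / N for u == 1 (mod N)."""
    return (u - 1) // N


MU = pow(_L(pow(G, LAMBDA, N2)), -1, N)           # private decryption constant


def encrypt(m):
    """Encrypt an integer in [0, N) with fresh randomness on every call."""
    while True:
        r = secrets.randbelow(N)
        if r > 0 and gcd(r, N) == 1:
            break
    return (pow(G, m, N2) * pow(r, N, N2)) % N2


def decrypt(c):
    """Recover the integer plaintext in [0, N)."""
    return (_L(pow(c, LAMBDA, N2)) * MU) % N


def add_enc(c1, c2):
    """Homomorphic addition: E(m1) * E(m2) = E(m1 + m2 mod N)."""
    return (c1 * c2) % N2


def mul_plain(c, k):
    """Homomorphic scaling by a plaintext integer: E(m)^k = E(k*m mod N).
    Negative k is handled by reducing the exponent modulo N."""
    return pow(c, k % N, N2)


# Hypothetical fixed-point precision for this example: 16 fractional bits.
FRAC_BITS = 16
SCALE = 1 << FRAC_BITS


def encode(x):
    """Fixed-point encode a float as an integer mod N (negatives wrap like
    two's complement, so modular arithmetic stays consistent)."""
    return round(x * SCALE) % N


def decode(m, frac_bits):
    """Map an integer mod N back to a signed value and undo the scaling."""
    if m > N // 2:
        m -= N
    return m / (1 << frac_bits)


def encrypted_weighted_sum(enc_inputs, weights, bias):
    """Server side: sum(w_i * x_i) + b using ciphertexts only.
    Weights and bias are plaintext model parameters. Each product of two
    fixed-point values carries scale 2^(2*FRAC_BITS), so the bias is scaled
    up once more before being added."""
    acc = encrypt(encode(bias) * SCALE % N)
    for c, w in zip(enc_inputs, weights):
        acc = add_enc(acc, mul_plain(c, encode(w)))
    return acc


def client_neuron(inputs, weights, bias):
    """Client encrypts its inputs, the server computes, the client decrypts.
    Returns the neuron's pre-activation as a float."""
    enc = [encrypt(encode(x)) for x in inputs]
    c_out = encrypted_weighted_sum(enc, weights, bias)
    return decode(decrypt(c_out), 2 * FRAC_BITS)


if __name__ == "__main__":
    # Constructed sample: every value is exactly representable in 16 fractional
    # bits, so the encrypted result matches the plaintext sum exactly.
    print(client_neuron([0.5, -1.25, 3.0], [2.0, 0.5, -1.0], 0.75))
```

The design point worth noting is that the server never sees `decrypt` or `MU`; it only multiplies and exponentiates ciphertexts, and the intermediate result's fixed-point scale (here 2^32) has to be tracked by the client, since the server cannot rescale without the private key. The accumulated sum must also stay below N/2 in magnitude, which is why the plaintext modulus bounds the layer width and weight precision a real system can support.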

To speed performance, the DNN can take advantage of the massively parallel computational capabilities of a GPU. GPUs are commonplace in the ML community due to the large number of processing streams they support; converting an ML algorithm to benefit from GPUs or Tensor Processing Units (TPUs) can result in nearly two orders of magnitude speed-ups. Tractable computation time is a primary concern for our Secure Private Neural Network, but encrypted calculations are not typically easy to parallelize. In our Secure Private Neural Network, encrypted operations on the encrypted DNN are parallelizable, and GPUs effectively speed up the computation proportionally to the number of available cores.

Real-time computer vision is one example application of the Secure Private Neural Network technology. Specific applications include robotic navigation; security screening; video analytics; and intelligence, surveillance, and reconnaissance (ISR). The accelerated pace of recent advances has made computer vision technology appealing to numerous products in a variety of commercial markets. One application, involving concealed weapon detection capabilities, clearly showcases the need to address the privacy and security concerns that motivated this approach.

This article was written by Curt Wu, Chief Software Engineer, and Jeff Druce, Senior Scientist, Charles River Analytics (Cambridge, MA).