A pseudo-encryption method for deploying convolutional networks on an untrusted platform, securing the inference step and preventing model theft using 2D Holographic Reduced Representations (HRR). By leveraging HRR, we build a neural network with a pseudo-encryption style defense that empirically shows robustness to attack, even under threat models that unrealistically favor the adversary.
Here is an example of 2D HRR operating on the image shown in (a): (b) shows the original image bound with the secret, and (c) shows the image retrieved from the bound image using the secret.
The following block diagram illustrates the encryption process of the CNN using improved 2D HRR in three stages. Both orange regions are on the user's end; the secrets used to unbind the images and the outputs of the main network are shared only within these regions (dashed line). The red region indicates the untrusted third party, who runs the main network after it has been trained.
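The bind/unbind step described above, as an added toy illustration in pure Python (not code from this repository or the paper): binding is 2D circular convolution of the image with a random secret, computed in the frequency domain with a naive DFT so no numpy is needed, and unbinding divides out the secret's spectrum. The exact frequency-domain inverse, the 4x4 constructed image and the N(0, 1/(n*m)) secret initialisation are assumptions for illustration; the paper's "improved 2D HRR" may differ in these details.

```python
import cmath
import random

def _dft2(a, sign):
    """Naive 2D DFT (sign=-1) or unnormalised inverse (sign=+1); O(n^2 m^2), toy sizes only."""
    n, m = len(a), len(a[0])
    out = [[0j] * m for _ in range(n)]
    for u in range(n):
        for v in range(m):
            acc = 0j
            for i in range(n):
                for j in range(m):
                    acc += a[i][j] * cmath.exp(sign * 2j * cmath.pi * (u * i / n + v * j / m))
            out[u][v] = acc
    return out

def _idft2_real(A):
    """Inverse 2D DFT, keeping the real part (inputs are real images/secrets)."""
    n, m = len(A), len(A[0])
    return [[z.real / (n * m) for z in row] for row in _dft2(A, +1)]

def make_secret(n, m, seed):
    """Random secret drawn from N(0, 1/(n*m)) (assumed HRR-style initialisation)."""
    rng = random.Random(seed)
    sd = (1.0 / (n * m)) ** 0.5
    return [[rng.gauss(0.0, sd) for _ in range(m)] for _ in range(n)]

def bind(image, secret):
    """Circular convolution image (*) secret: this is what the untrusted party sees."""
    X, S = _dft2(image, -1), _dft2(secret, -1)
    return _idft2_real([[x * s for x, s in zip(xr, sr)] for xr, sr in zip(X, S)])

def unbind(bound, secret):
    """Recover the image by dividing out the secret's spectrum (exact inverse, an assumption)."""
    B, S = _dft2(bound, -1), _dft2(secret, -1)
    return _idft2_real([[b / s for b, s in zip(br, sr)] for br, sr in zip(B, S)])

def max_abs_diff(a, b):
    return max(abs(x - y) for ra, rb in zip(a, b) for x, y in zip(ra, rb))

# Constructed 4x4 "image" with a bright diagonal; secrets are seeded for reproducibility.
IMAGE = [[1.0 if i == j else 0.1 * (i + j) for j in range(4)] for i in range(4)]
SECRET = make_secret(4, 4, seed=7)
WRONG_SECRET = make_secret(4, 4, seed=8)

def demo():
    """Returns (bound-vs-original error, right-secret retrieval error, wrong-secret error)."""
    bound = bind(IMAGE, SECRET)
    return (max_abs_diff(bound, IMAGE),
            max_abs_diff(unbind(bound, SECRET), IMAGE),
            max_abs_diff(unbind(bound, WRONG_SECRET), IMAGE))
```

The bound image differs substantially from the original, the correct secret retrieves it to floating-point precision, and a wrong secret yields a large error, which is the property the dashed-line regions in the diagram rely on.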
Experiments are performed on the following datasets:
- MNIST: 28 x 28 - 10 classes
- SVHN: 32 x 32 - 10 classes
- CIFAR-10: 32 x 32 - 10 classes
- CIFAR-100: 32 x 32 - 100 classes
- Mini-Imagenet: 84 x 84 - 100 classes
Experiments for each dataset are kept in a separate folder named after the dataset. Base model experiments are kept in folders with `-base` suffixed to the dataset name. Each folder contains separate files for `network`, `train`, and `predict`. `embed.py` creates UMAP 2D representation image samples. `clustering.py` runs the K-means, Spectral, Gaussian mixture, Birch, and HDBSCAN clustering experiments from the paper.
The following table shows the accuracy of the Base model (without secret binding) and CSPS on the five datasets.
The accuracy of CSPS drops compared to the Base model due to the extra security feature. However, the lost accuracy can be retrieved by sampling k predictions and taking their ensemble average. The following figure demonstrates how taking the ensemble average of k (1...10) predictions restores the lost accuracy.
If you use our work, please cite us using the BibTeX below. We will update it when the ICML proceedings provide the official citation style.

```bibtex
@inproceedings{Alam2022,
archivePrefix = {arXiv},
arxivId = {2206.05893},
author = {Alam, Mohammad Mahmudul and Raff, Edward and Oates, Tim and Holt, James},
booktitle = {International Conference on Machine Learning},
eprint = {2206.05893},
title = {{Deploying Convolutional Networks on Untrusted Platforms Using 2D Holographic Reduced Representations}},
url = {http://arxiv.org/abs/2206.05893},
year = {2022}
}
```