A Generative Framework for Low-Cost Result Validation of Machine Learning-as-a-Service Inference

Abhinav Kumar, Miguel A. Guirao Aguilera, Reza Tourani, Satyajayant Misra

TL;DR

This paper addresses the challenge of validating the integrity of outsourced ML inference in MLaaS, especially for real-time edge/AR/VR applications. It proposes Fides, a framework that combines Greedy Distillation Transfer Learning (GDTL) to produce a compact verification model running in a Trusted Execution Environment with GAN-based client-side attack detection and re-classification. The approach achieves high attack detection (up to 98%) and re-classification accuracy (up to 94%), while delivering significant system-speed improvements over prior verifiable ML approaches. The work demonstrates practical feasibility through extensive experiments on CIFAR-10/100 and ImageNet across multiple architectures, and shows favorable scalability and overheads for edge deployments, highlighting its potential for secure, real-time MLaaS in edge ecosystems.

Abstract

The growing popularity of Machine Learning (ML) has led to its deployment in various sensitive domains, which has resulted in significant research focused on ML security and privacy. However, in some applications, such as Augmented/Virtual Reality, integrity verification of the outsourced ML tasks is more critical--a facet that has not received much attention. Existing solutions, such as multi-party computation and proof-based systems, impose significant computation overhead, which makes them unfit for real-time applications. We propose Fides, a novel framework for real-time integrity validation of ML-as-a-Service (MLaaS) inference. Fides features a novel and efficient distillation technique--Greedy Distillation Transfer Learning--that dynamically distills and fine-tunes a space and compute-efficient verification model for verifying the corresponding service model while running inside a trusted execution environment. Fides features a client-side attack detection model that uses statistical analysis and divergence measurements to identify, with a high likelihood, if the service model is under attack. Fides also offers a re-classification functionality that predicts the original class whenever an attack is identified. We devised a generative adversarial network framework for training the attack detection and re-classification models. The evaluation shows that Fides achieves an accuracy of up to 98% for attack detection and 94% for re-classification.

Paper Structure (23 sections, 6 equations, 13 figures, 4 tables)

Figures (13)

  • Figure 1: We consider the integrity verification of Machine Learning-as-a-Service inference, where clients send their data to the edge servers for ML inference tasks. In our proposed framework, Fides, we aim to detect any malicious misclassification caused by a malicious edge server when running the clients' inference tasks.
  • Figure 2: The KL divergence density distribution between two models (ResNet50 and ResNet152) before (green) and after (red) an attack on one of the models (ResNet152). Both models are trained on the CIFAR-10 and CIFAR-100 datasets. The KL divergence between the benign models' posterior vectors belongs to a distribution with low mean and variance (green distribution). Performing a prediction-switching attack against one of the models (ResNet152) leads to a significant increase in the distribution's mean and variance (red distribution). We use this identifiable behavior in designing Fides. (The distributions' tails are truncated for better visualization.)
  • Figure 3: The JD measurements of two models. For Case A, the attack increases the divergence value, whereas in Case B (disagreement), the attack decreases the divergence value. This validates our reasoning about the role of divergence in attack detection.
  • Figure 4: In Fides, the provider builds the service package (§ sec:prepare) and the attack detection and re-classification pipeline (§ sec:detection) for deployment on the server (§ sec:deploy) and the client, respectively. The client then sends the service request to the edge server and verifies the result using the attack detection pipeline (§ sec:offload).
  • Figure 5: In service package building, the provider trains the service model and uses it to run the greedy distillation transfer learning process, which builds the customized compressed verification model.
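The divergence signal that the Figure 2 and Figure 3 captions describe, as an added toy illustration that is not the paper's code: the KL divergence between a service model's posterior vector and a verification model's posterior vector is small when both agree, a simulated prediction-switching attack on the service output pushes it far outside the benign distribution, and a threshold fitted to the benign distribution flags the tampered result. The Gaussian-logit stand-ins for the two models and the mean + 3·std threshold are assumptions of this example, not the paper's design.

```python
import math
import random

def softmax(logits):
    m = max(logits)
    exps = [math.exp(z - m) for z in logits]
    return [e / sum(exps) for e in exps]

def kl_divergence(p, q, eps=1e-12):
    """KL(p || q) between two posterior vectors over the same classes."""
    return sum(pi * math.log((pi + eps) / (qi + eps)) for pi, qi in zip(p, q))

def prediction_switch(posterior):
    """Simulated prediction-switching attack: swap top-1 and runner-up so the argmax flips."""
    order = sorted(range(len(posterior)), key=posterior.__getitem__, reverse=True)
    out = list(posterior)
    out[order[0]], out[order[1]] = out[order[1]], out[order[0]]
    return out

def benign_pair(rng, n_classes=10):
    """Constructed stand-in for an agreeing (service, verification) posterior pair:
    shared logits with a +4 bump on the true class, plus small per-model noise."""
    true = rng.randrange(n_classes)
    base = [rng.gauss(0, 0.5) for _ in range(n_classes)]
    base[true] += 4.0
    return softmax(base), softmax([z + rng.gauss(0, 0.3) for z in base])

def calibrate_threshold(rng, n=500, k=3.0):
    """Fit the benign ("green") KL distribution and set threshold = mean + k*std (assumed rule)."""
    vals = [kl_divergence(s, v) for s, v in (benign_pair(rng) for _ in range(n))]
    mean = sum(vals) / n
    std = math.sqrt(sum((x - mean) ** 2 for x in vals) / n)
    return mean + k * std

def is_attack(service_posterior, verif_posterior, threshold):
    """Flag a result whose divergence lies outside the benign distribution."""
    return kl_divergence(service_posterior, verif_posterior) > threshold

def evaluate(seed=0, n=200):
    """Return (false-positive rate on benign pairs, detection rate on attacked pairs)."""
    rng = random.Random(seed)
    thr = calibrate_threshold(rng)
    fp = sum(is_attack(s, v, thr) for s, v in (benign_pair(rng) for _ in range(n)))
    tp = sum(is_attack(prediction_switch(s), v, thr)
             for s, v in (benign_pair(rng) for _ in range(n)))
    return fp / n, tp / n

if __name__ == "__main__":
    print(evaluate())
```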