Privacy and Security Implications of Cloud-Based AI Services : A Survey

TL;DR

This survey addresses privacy and security in cloud-based AI services (AIaaS/MLaaS), arguing that protections focused on data-at-rest/in-transit are insufficient because trained models and inferences can leak sensitive information. It develops two complementary taxonomies: one linking data ownership and usage rights to defensive capabilities, and another cataloging attacks and defenses across data and model surfaces, lifecycle stages, and deployment settings. The work catalogs broad attack classes (privacy, robustness, evasion, poisoning, backdoors) and defense techniques (cryptography, differential privacy, TEEs, HE, MPC, anonymization, and access controls), mapping them to practical cloud-provider guarantees and ML workflows. By clarifying how threats intersect with data-model ownership and lifecycle, the paper aims to guide both providers and consumers toward more private, robust, and transparent AI systems in the cloud, supporting safer AI deployment at scale.

Abstract

This paper details the privacy and security landscape in today's cloud ecosystem and identifies that there is a gap in addressing the risks introduced by machine learning models. As machine learning algorithms continue to evolve and find applications across diverse domains, the need to categorize and quantify privacy and security risks becomes increasingly critical. With the emerging trend of AI-as-a-Service (AIaaS), machine learned AI models (or ML models) are deployed on the cloud by model providers and used by model consumers. We first survey the AIaaS landscape to document the various kinds of liabilities that ML models, especially Deep Neural Networks pose and then introduce a taxonomy to bridge this gap by holistically examining the risks that creators and consumers of ML models are exposed to and their known defences till date. Such a structured approach will be beneficial for ML model providers to create robust solutions. Likewise, ML model consumers will find it valuable to evaluate such solutions and understand the implications of their engagement with such services. The proposed taxonomies provide a foundational basis for solutions in private, secure and robust ML, paving the way for more transparent and resilient AI systems.

Figures (9)

• Figure 1: Examples of attacks affecting autonomous vehicles during model training by poisoning input data labels or during inference by manipulating scenes in real-time.
• Figure 2: CIA triad for Information Security.
• Figure 3: Extending the threat model of cryptography systems to the ML ecosystem.
• Figure 4: Extending the CIA triad for Model Security and using it to depict the security attacks possible on an example ML application that identifies physical traffic signs on roads to control driving in autonomous vehicles.
• Figure 5: Threat model on a Data Flow Diagram of a simple ML-as-a-service model. The actors interact with the system using assets, which are the resources targeted by an attacker. The dashed lines represent threat boundaries. Controls are placed at vulnerable attack surfaces to mitigate risk.