Privacy-Preserving Intrusion Detection using Convolutional Neural Networks

Martin Kodys, Zhongmin Dai, Vrizlynn L. L. Thing

TL;DR

The paper tackles privacy-preserving intrusion detection in MLaaS by protecting both client data and the model using the PriMIA framework. It adapts PriMIA's Function Secret Sharing-based secure inference to a CNN-based IDS (ResNet50) operating on IoT sensor-derived $224\times224\times3$ images. A key contribution is the fixed fractional precision scheme with $m = z \times b^{p}$, where $b = 10$, $p \in [1,16]$, and $s = 64$, including an exhaustive hyperparameter search to minimize discrepancy with plaintext results. Experiments show encrypted inference preserves binary attack-detection metrics on the TT500n_miss3 dataset, with substantial runtime overhead, highlighting a practical trade-off between privacy and performance.
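Why the precision $p$ has to be searched rather than simply maximised, as an added example (not code from the paper or from PriMIA): it encodes values as $m = z \times b^{p}$, runs a dot product on additive secret shares in a 64-bit ring, and compares the result with the plaintext one for every $p \in [1,16]$. Assumptions: $s = 64$ is read as the ring width in bits, $z$ as the real value and $m$ as its integer encoding; the weights are encoded but left unshared to keep the block short; the sample values are constructed.

```python
import random

RING_BITS = 64                 # assumption: the summary's s = 64 is the ring width in bits
MOD = 1 << RING_BITS
BASE = 10                      # b = 10

def encode(z, p):
    """m = z * b**p, rounded to an integer and wrapped into Z_{2^64}."""
    return round(z * BASE ** p) % MOD

def to_signed(m):
    """Interpret a ring element as a two's-complement signed integer."""
    return m - MOD if m >= MOD // 2 else m

def share(m, rng):
    """Split m into two additive shares; each share alone is uniformly random."""
    r = rng.randrange(MOD)
    return r, (m - r) % MOD

def shared_dot(weights, inputs, p, rng):
    """Dot product on additive shares of the inputs, decoded back to a float.

    Simplification: weights are encoded but not shared, so each party works
    locally on its own share; rescaling happens after reconstruction.
    """
    w_enc = [encode(w, p) for w in weights]
    shares = [share(encode(x, p), rng) for x in inputs]
    part0 = sum(w * s0 for w, (s0, _) in zip(w_enc, shares)) % MOD
    part1 = sum(w * s1 for w, (_, s1) in zip(w_enc, shares)) % MOD
    total = to_signed((part0 + part1) % MOD)   # product carries scale b**(2p)
    return total / BASE ** (2 * p)

def precision_search(weights, inputs, rng=None):
    """Return {p: |shared result - plaintext result|} for p in 1..16."""
    rng = rng or random.Random(0)
    plain = sum(w * x for w, x in zip(weights, inputs))
    return {p: abs(shared_dot(weights, inputs, p, rng) - plain)
            for p in range(1, 17)}

# Constructed sample values, not taken from the paper.
WEIGHTS = [0.4173, -1.2058, 0.0931, 2.5]
INPUTS = [0.8127, 0.3349, -0.7712, 1.0625]

if __name__ == "__main__":
    for p, err in precision_search(WEIGHTS, INPUTS).items():
        print(f"p={p:2d}  |encrypted - plaintext| = {err:.3e}")
```

With these inputs a small $p$ loses the result to rounding, while a large $p$ pushes the $b^{2p}$-scaled product past $2^{63}$ so that it wraps around in the ring; only the middle of the range reproduces the plaintext value.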

Abstract

Privacy-preserving analytics is designed to protect valuable assets. A common service provision involves the input data from the client and the model on the analyst's side. The importance of privacy preservation is fuelled by legal obligations and intellectual property concerns. We explore the use case of a model owner providing an analytic service on a customer's private data. No information about the data shall be revealed to the analyst and no information about the model shall be leaked to the customer. Current methods involve costs: accuracy deterioration and computational complexity. The complexity, in turn, results in a longer processing time and an increased requirement on computing resources, and involves data communication between the client and the server. In order to deploy such a service architecture, we need to evaluate the optimal setting that fits the constraints, and that is what this paper addresses. In this work, we enhance an attack detection system based on Convolutional Neural Networks with privacy-preserving technology based on the PriMIA framework, which was initially designed for medical data.

Paper Structure (15 sections, 6 figures, 4 tables)

This paper contains 15 sections, 6 figures, 4 tables.

Figures (6)

  • Figure 1: Adjustments of PriMIA to process data from IoT detection use case.
  • Figure 2: Extension of PriMIA to implement ResNet50. Bottleneck had already been defined as specified in the inner frame. This implementation corresponds to the ResNet of He et al. (2016). The array [3, 4, 6, 3] defines the number of successive Bottleneck blocks before a change of dimensions.
  • Figure 3: Example of an encoded $224\times224\times3$-channel picture representing a 224-item-long history (vertically) of 17 different subsensors (horizontally), as a sensor provides one or more subsensor readings.
  • Figure 4: Mapping of PriMIA framework to the use case of privacy-preserving analytics
  • Figure 5: Fixed fractional precision hyperparameter search. In the original PriMIA setting, there are three classes (0, 1, 2). Changing the fixed fractional precision changes how well the encrypted inference matches the unencrypted inference results. This table provides evidence that setting the precision correctly is crucial for encrypted inference to function properly.
  • ...and 1 more figures