Visible to the public DeepAttest: An End-to-End Attestation Framework for Deep Neural Networks

TitleDeepAttest: An End-to-End Attestation Framework for Deep Neural Networks
Publication TypeConference Paper
Year of Publication2019
AuthorsChen, Huili, Fu, Cheng, Rouhani, Bita Darvish, Zhao, Jishen, Koushanfar, Farinaz
Conference Name2019 ACM/IEEE 46th Annual International Symposium on Computer Architecture (ISCA)
Date Publishedjun
Keywordsapplication program interfaces, application usage, attestation, attestation criterion, authorisation, authorized DNN programs, composability, deep learning frameworks, deep neural networks, DeepAttest overhead, DeepAttest provisions, device provider, device-specific fingerprint, DNN applications, DNN benchmarks, DNN program, embedded fingerprint, end-to-end attestation framework, FP, hardware architectures, hardware-bounded IP protection impair, hardware-level intellectual property, hardware-software codesign, Human Behavior, industrial property, intelligent devices, intelligent platforms, IP concern, ip protection, learning (artificial intelligence), manufactured hardware, neural nets, on-device DNN attestation method, pubcrawl, queried DNN, Resiliency, Software/Hardware Codesign, target platform, TEE-supported platforms, Trusted Execution Environment, unregulated usage, usage control
AbstractEmerging hardware architectures for Deep Neural Networks (DNNs) are being commercialized and considered as the hardware- level Intellectual Property (IP) of the device providers. However, these intelligent devices might be abused and such vulnerability has not been identified. The unregulated usage of intelligent platforms and the lack of hardware-bounded IP protection impair the commercial advantage of the device provider and prohibit reliable technology transfer. Our goal is to design a systematic methodology that provides hardware-level IP protection and usage control for DNN applications on various platforms. To address the IP concern, we present DeepAttest, the first on-device DNN attestation method that certifies the legitimacy of the DNN program mapped to the device. DeepAttest works by designing a device-specific fingerprint which is encoded in the weights of the DNN deployed on the target platform. The embedded fingerprint (FP) is later extracted with the support of the Trusted Execution Environment (TEE). The existence of the pre-defined FP is used as the attestation criterion to determine whether the queried DNN is authenticated. Our attestation framework ensures that only authorized DNN programs yield the matching FP and are allowed for inference on the target device. DeepAttest provisions the device provider with a practical solution to limit the application usage of her manufactured hardware and prevents unauthorized or tampered DNNs from execution. We take an Algorithm/Software/Hardware co-design approach to optimize DeepAttest's overhead in terms of latency and energy consumption. To facilitate the deployment, we provide a high-level API of DeepAttest that can be seamlessly integrated into existing deep learning frameworks and TEEs for hardware-level IP protection and usage control. Extensive experiments corroborate the fidelity, reliability, security, and efficiency of DeepAttest on various DNN benchmarks and TEE-supported platforms.
Citation Keychen_deepattest_2019