ModelObfuscator: Obfuscating Model Information to Protect Deployed ML-Based Systems

Mingyi Zhou; Xiang Gao; Jing Wu; John Grundy; Xiao Chen; Chunyang Chen; Li Li

doi:10.1145/3597926.3598113

ModelObfuscator: Obfuscating Model Information to Protect Deployed ML-Based Systems

Mingyi Zhou
, Xiang Gao
, Jing Wu
, John Grundy
, Xiao Chen
, Chunyang Chen
, Li Li

Monash University
Beihang University

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

14 Scopus citations

Abstract

More and more edge devices and mobile apps are leveraging deep learning (DL) capabilities. Deploying such models on devices - referred to as on-device models - rather than as remote cloud-hosted services, has gained popularity because it avoids transmitting user's data off of the device and achieves high response time. However, on-device models can be easily attacked, as they can be accessed by unpacking corresponding apps and the model is fully exposed to attackers. Recent studies show that attackers can easily generate white-box-like attacks for an on-device model or even inverse its training data. To protect on-device models from white-box attacks, we propose a novel technique called model obfuscation. Specifically, model obfuscation hides and obfuscates the key information - structure, parameters and attributes - of models by renaming, parameter encapsulation, neural structure obfuscation, shortcut injection, and extra layer injection. We have developed a prototype tool ModelObfuscator to automatically obfuscate on-device TFLite models. Our experiments show that this proposed approach can dramatically improve model security by significantly increasing the difficulty of parsing models' inner information, without increasing the latency of DL models. Our proposed on-device model obfuscation has the potential to be a fundamental technique for on-device model deployment. Our prototype tool is publicly available at https://github.com/zhoumingyi/ModelObfuscator.

Original language	English
Title of host publication	ISSTA 2023 - Proceedings of the 32nd ACM SIGSOFT International Symposium on Software Testing and Analysis
Editors	Rene Just, Gordon Fraser
Publisher	Association for Computing Machinery, Inc
Pages	1005-1017
Number of pages	13
ISBN (Electronic)	9798400702211
DOIs	https://doi.org/10.1145/3597926.3598113
State	Published - 12 Jul 2023
Externally published	Yes
Event	32nd ACM SIGSOFT International Symposium on Software Testing and Analysis, ISSTA 2023 - Seattle, United States Duration: 17 Jul 2023 → 21 Jul 2023

Publication series

Name	ISSTA 2023 - Proceedings of the 32nd ACM SIGSOFT International Symposium on Software Testing and Analysis

Conference

Conference	32nd ACM SIGSOFT International Symposium on Software Testing and Analysis, ISSTA 2023
Country/Territory	United States
City	Seattle
Period	17/07/23 → 21/07/23

Keywords

AI safety
SE for AI
model deployment
model obfuscation

Access to Document

10.1145/3597926.3598113

Cite this

Zhou, M., Gao, X., Wu, J., Grundy, J., Chen, X., Chen, C., & Li, L. (2023). ModelObfuscator: Obfuscating Model Information to Protect Deployed ML-Based Systems. In R. Just, & G. Fraser (Eds.), ISSTA 2023 - Proceedings of the 32nd ACM SIGSOFT International Symposium on Software Testing and Analysis (pp. 1005-1017). (ISSTA 2023 - Proceedings of the 32nd ACM SIGSOFT International Symposium on Software Testing and Analysis). Association for Computing Machinery, Inc. https://doi.org/10.1145/3597926.3598113

Zhou, Mingyi ; Gao, Xiang ; Wu, Jing et al. / ModelObfuscator : Obfuscating Model Information to Protect Deployed ML-Based Systems. ISSTA 2023 - Proceedings of the 32nd ACM SIGSOFT International Symposium on Software Testing and Analysis. editor / Rene Just ; Gordon Fraser. Association for Computing Machinery, Inc, 2023. pp. 1005-1017 (ISSTA 2023 - Proceedings of the 32nd ACM SIGSOFT International Symposium on Software Testing and Analysis).

@inproceedings{4e80725351954ac199e1ddfd774ecdc1,

title = "ModelObfuscator: Obfuscating Model Information to Protect Deployed ML-Based Systems",

abstract = "More and more edge devices and mobile apps are leveraging deep learning (DL) capabilities. Deploying such models on devices - referred to as on-device models - rather than as remote cloud-hosted services, has gained popularity because it avoids transmitting user's data off of the device and achieves high response time. However, on-device models can be easily attacked, as they can be accessed by unpacking corresponding apps and the model is fully exposed to attackers. Recent studies show that attackers can easily generate white-box-like attacks for an on-device model or even inverse its training data. To protect on-device models from white-box attacks, we propose a novel technique called model obfuscation. Specifically, model obfuscation hides and obfuscates the key information - structure, parameters and attributes - of models by renaming, parameter encapsulation, neural structure obfuscation, shortcut injection, and extra layer injection. We have developed a prototype tool ModelObfuscator to automatically obfuscate on-device TFLite models. Our experiments show that this proposed approach can dramatically improve model security by significantly increasing the difficulty of parsing models' inner information, without increasing the latency of DL models. Our proposed on-device model obfuscation has the potential to be a fundamental technique for on-device model deployment. Our prototype tool is publicly available at https://github.com/zhoumingyi/ModelObfuscator.",

keywords = "AI safety, SE for AI, model deployment, model obfuscation",

author = "Mingyi Zhou and Xiang Gao and Jing Wu and John Grundy and Xiao Chen and Chunyang Chen and Li Li",

note = "Publisher Copyright: {\textcopyright} 2023 ACM.; 32nd ACM SIGSOFT International Symposium on Software Testing and Analysis, ISSTA 2023 ; Conference date: 17-07-2023 Through 21-07-2023",

year = "2023",

month = jul,

day = "12",

doi = "10.1145/3597926.3598113",

language = "English",

series = "ISSTA 2023 - Proceedings of the 32nd ACM SIGSOFT International Symposium on Software Testing and Analysis",

publisher = "Association for Computing Machinery, Inc",

pages = "1005--1017",

editor = "Rene Just and Gordon Fraser",

booktitle = "ISSTA 2023 - Proceedings of the 32nd ACM SIGSOFT International Symposium on Software Testing and Analysis",

}

Zhou, M, Gao, X, Wu, J, Grundy, J, Chen, X, Chen, C & Li, L 2023, ModelObfuscator: Obfuscating Model Information to Protect Deployed ML-Based Systems. in R Just & G Fraser (eds), ISSTA 2023 - Proceedings of the 32nd ACM SIGSOFT International Symposium on Software Testing and Analysis. ISSTA 2023 - Proceedings of the 32nd ACM SIGSOFT International Symposium on Software Testing and Analysis, Association for Computing Machinery, Inc, pp. 1005-1017, 32nd ACM SIGSOFT International Symposium on Software Testing and Analysis, ISSTA 2023, Seattle, United States, 17/07/23. https://doi.org/10.1145/3597926.3598113

ModelObfuscator: Obfuscating Model Information to Protect Deployed ML-Based Systems. / Zhou, Mingyi; Gao, Xiang; Wu, Jing et al.
ISSTA 2023 - Proceedings of the 32nd ACM SIGSOFT International Symposium on Software Testing and Analysis. ed. / Rene Just; Gordon Fraser. Association for Computing Machinery, Inc, 2023. p. 1005-1017 (ISSTA 2023 - Proceedings of the 32nd ACM SIGSOFT International Symposium on Software Testing and Analysis).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - ModelObfuscator

T2 - 32nd ACM SIGSOFT International Symposium on Software Testing and Analysis, ISSTA 2023

AU - Zhou, Mingyi

AU - Gao, Xiang

AU - Wu, Jing

AU - Grundy, John

AU - Chen, Xiao

AU - Chen, Chunyang

AU - Li, Li

PY - 2023/7/12

Y1 - 2023/7/12

N2 - More and more edge devices and mobile apps are leveraging deep learning (DL) capabilities. Deploying such models on devices - referred to as on-device models - rather than as remote cloud-hosted services, has gained popularity because it avoids transmitting user's data off of the device and achieves high response time. However, on-device models can be easily attacked, as they can be accessed by unpacking corresponding apps and the model is fully exposed to attackers. Recent studies show that attackers can easily generate white-box-like attacks for an on-device model or even inverse its training data. To protect on-device models from white-box attacks, we propose a novel technique called model obfuscation. Specifically, model obfuscation hides and obfuscates the key information - structure, parameters and attributes - of models by renaming, parameter encapsulation, neural structure obfuscation, shortcut injection, and extra layer injection. We have developed a prototype tool ModelObfuscator to automatically obfuscate on-device TFLite models. Our experiments show that this proposed approach can dramatically improve model security by significantly increasing the difficulty of parsing models' inner information, without increasing the latency of DL models. Our proposed on-device model obfuscation has the potential to be a fundamental technique for on-device model deployment. Our prototype tool is publicly available at https://github.com/zhoumingyi/ModelObfuscator.

AB - More and more edge devices and mobile apps are leveraging deep learning (DL) capabilities. Deploying such models on devices - referred to as on-device models - rather than as remote cloud-hosted services, has gained popularity because it avoids transmitting user's data off of the device and achieves high response time. However, on-device models can be easily attacked, as they can be accessed by unpacking corresponding apps and the model is fully exposed to attackers. Recent studies show that attackers can easily generate white-box-like attacks for an on-device model or even inverse its training data. To protect on-device models from white-box attacks, we propose a novel technique called model obfuscation. Specifically, model obfuscation hides and obfuscates the key information - structure, parameters and attributes - of models by renaming, parameter encapsulation, neural structure obfuscation, shortcut injection, and extra layer injection. We have developed a prototype tool ModelObfuscator to automatically obfuscate on-device TFLite models. Our experiments show that this proposed approach can dramatically improve model security by significantly increasing the difficulty of parsing models' inner information, without increasing the latency of DL models. Our proposed on-device model obfuscation has the potential to be a fundamental technique for on-device model deployment. Our prototype tool is publicly available at https://github.com/zhoumingyi/ModelObfuscator.

KW - AI safety

KW - SE for AI

KW - model deployment

KW - model obfuscation

UR - https://www.scopus.com/pages/publications/85167663259

U2 - 10.1145/3597926.3598113

DO - 10.1145/3597926.3598113

M3 - Conference contribution

AN - SCOPUS:85167663259

T3 - ISSTA 2023 - Proceedings of the 32nd ACM SIGSOFT International Symposium on Software Testing and Analysis

SP - 1005

EP - 1017

BT - ISSTA 2023 - Proceedings of the 32nd ACM SIGSOFT International Symposium on Software Testing and Analysis

A2 - Just, Rene

A2 - Fraser, Gordon

PB - Association for Computing Machinery, Inc

Y2 - 17 July 2023 through 21 July 2023

ER -

Zhou M, Gao X, Wu J, Grundy J, Chen X, Chen C et al. ModelObfuscator: Obfuscating Model Information to Protect Deployed ML-Based Systems. In Just R, Fraser G, editors, ISSTA 2023 - Proceedings of the 32nd ACM SIGSOFT International Symposium on Software Testing and Analysis. Association for Computing Machinery, Inc. 2023. p. 1005-1017. (ISSTA 2023 - Proceedings of the 32nd ACM SIGSOFT International Symposium on Software Testing and Analysis). doi: 10.1145/3597926.3598113

ModelObfuscator: Obfuscating Model Information to Protect Deployed ML-Based Systems

Abstract

Publication series

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this