AI Security: How to Protect Your Machine Learning Models

SOLUTION: 
To prevent this, it is advisable to use a strong licensing platform that protects against model extraction and ensures full flexibility for you and for your customer.

In 2021, about two thirds of the trending applications in China used machine learning and were protected against copying. (Mind Your Weight(s): A Large-scale Study on Insufficient Machine Learning Model Protection in Mobile Apps | USENIX)

Open Web Application Security Project (OWASP) lists model theft in its top ten attacks on machine models (Open Web Application Security Project (OWASP), 2023)

USE CASE: Industrial Automation
Computer vision is a good example of where it is imperative to feed your ML model with an extensive dataset that has been meticulously curated. Computer vision is installed in robots to recognize obstacles while navigating a shop floor or into a pick-and-place machine to identify incorrectly positioned components during PCB assembly. Failing to tightly control access to the model and its tuning poses the risk of allowing a competitor to extract and replicate the model. They can then fine-tune it for their specific needs and seamlessly integrate it into their own applications. The more accurately they can discern the structure of your model through reverse engineering, the better they can conceal its origin. Consequently, not only would they catch up with the quality of recognition you provide, but it would also become exceedingly challenging to substantiate claims of intellectual property repurposing. 

SOLUTION:
An often-used countermeasure against both breaches to AI model security is to encrypt the model and allow only the correct application to decrypt and use it. AI model encryption makes the code all but useless without the correct decryption key. Decryption logic and the secret decryption key prevent the model from analysis and protect it from being replaced with a different one, as the encryption would not match. This way, you not only prevent replacement, but you also keep the attacker from analyzing your model structure.

Combining AI model encryption with a licensing system provides greater flexibility and protection because a licensing system that issues license-specific cryptography creates a secure binding between licensing and protection.

USE CASE: Autonomous driving
A model poisoning attack on a car’s machine learning model could cause the model to misbehave in specific situations, with dire results. For example, a hacker could re-train the model to instruct the car to accelerate through a red light if the optical sensor registers bumper sticker on the car in front of it.

SOLUTION: 
Sophisticated software protection tools harden the application against reverse engineering and modification to prevent these threats to your AI model security. These tools are found in advanced copy protection and licensing systems.

USE CASE: Network Security
For machine learning models to accurately identify network intrusion and data leakage, it is crucial that the input data remains unaltered, and the alert flagging mechanism functions correctly. When the input (e.g. manipulating input operations) and output logic (e.g. tampering with alert flags) are manipulated, there’s a risk of malicious activities going unnoticed. Attackers can evade detection by concealing the triggering alerts at specified dates and times.

SOLUTION: 
Since the attacker must utilize the application to run their datasets, you can use combination of the protections listed earlier to tightly control the application use (licensing). This is achieved by defining how many classifications are possible in each timeframe, limiting the total number of classifications, and restricting the number of concurrently running instances of the application. By adding custom controls to detect and limit abnormal usage with integrity protection, you further secure the application by preventing the controls from being removed from inside the application.

USE CASE: Medical Devices
Your medical MRI machine is trained to classify images against specific illnesses. Your competitor wants to use your application to label their training dataset. Fortunately, you have protected your application so that the competitor can only run very few images at a time, making it impossible to use your technology to leapfrog your training to their own advantage. By controlling the detection parameters via licensing properties, you can safely even modify them in the field for the customer’s specific use case.

About the authors

• Dr. Werner Dondl is working as software architect and advisory engineer in the of Chief Technology Office for Software Monetization at Thales in Munich, Germany. Werner joined Thales after finishing his PhD in semiconductor physics at the Technical University in Munich as specialist for cryptographic libraries. He has held various positions over the last 28 years, in development, as a team leader and software architect. In his current position in the CTO office, he focuses on cutting-edge projects related to software security and monetization.
   
• Michael “MiZu” Zunke is a software security and monetization expert. Currently serving as the Chief Technology Officer for Software Monetization at Thales where he is responsible for driving security and innovation. Today, he is most focused on how to deal with the challenges of intellectual property protection in machine learning. A graduate in physics from TU Munich, he holds several valuable patents in software protection and reverse engineering.
  
  With over 30 years of experience in Software Protection and Licensing technology and research, Mizu has served as Technical Advisor of the Board at former Gemalto and program chair for the SPRO workshop at ACM CSS London.