2024 13th MEDITERRANEAN CONFERENCE ON EMBEDDED COMPUTING (MECO), 11-14 JUNE 2024, BUDVA, MONTENEGRO

Securing AI Systems: A Comprehensive Overview of Cryptographic Techniques for Enhanced Confidentiality and Integrity

2024 13th Mediterranean Conference on Embedded Computing (MECO) | 979-8-3503-8756-8/24/$31.00 ©2024 IEEE | DOI: 10.1109/MECO62516.2024.10577883

Jose Luis Cano Garcia¹, Izuchukwu Patrick Udechukwu¹, Isiaq Bolaji Ibrahim¹, Ikechukwu John Chukwu¹, Hasan Dağ¹, Vesna Dimitrova², and Elissa Mollakuqe*¹

¹ Kadir Has University, Türkiye
² Cyril and Methodius University, North Macedonia

ABSTRACT
The rapid evolution of artificial intelligence (AI) has introduced transformative changes across industries, accompanied by escalating security concerns. This paper contributes to the imperative need for robust security measures in AI systems based on the application of cryptographic techniques. This research analyzes the vulnerabilities of AI-ML systems and the associated risks, and identifies existing cryptographic methods that could constitute security measures to mitigate such risks. Information assets subject to cyberattacks are identified, such as training data and model parameters, followed by a description of existing encryption algorithms and a suggested approach to use a suitable technique, such as CKKS homomorphic encryption, along with digital signatures based on ECDSA, to protect the digital assets through the whole AI system life cycle. These methods aim to safeguard sensitive data, algorithms, and AI-generated content from unauthorized access and tampering. The outcome offers potential and practical solutions against privacy breaches, adversarial attacks, and misuse of AI-generated content. Ultimately, this work aspires to bolster public trust in AI technologies, fostering innovation in a secure and reliable AI-driven landscape.

Author Keywords
Artificial Intelligence; Cryptography; Security; Neural Networks.

INTRODUCTION
The pervasive integration of artificial intelligence systems, such as those implemented based on Machine Learning (ML) and Neural Networks (NN) in contemporary applications, has heralded a transformative era in technology, significantly impacting various sectors. The escalating reliance on ML for decision-making processes across industries underscores its pivotal role in optimizing efficiency, automating tasks, and unlocking insights from vast datasets.

However, as ML and NN become increasingly integral to our technological ecosystem, understanding and addressing the vulnerabilities within NNs and securing AI systems has gained attention and emerged as a critical research focus as the deployment of AI becomes widespread.

Cryptography, traditionally applied in information security, could potentially address the unique challenges posed by AI systems security. Existing research has explored different encryption techniques. Nevertheless, their incorporation into AI systems remains a continuously evolving and actively researched domain.

Despite the progress made in securing AI systems using cryptographic techniques, notable limitations exist. One key challenge is the trade-off between security and computational efficiency, as cryptographic operations can introduce overhead that impacts the real-time performance of AI applications. Additionally, the dynamic nature of neural networks, with constant updates and learning, poses difficulties in implementing static cryptographic measures. Furthermore, the application of complex cryptographic methods can hinder the interpretability and explainability of AI systems.

This research aims to review existing cryptographic techniques that are suitable for protecting AI systems assets and mitigating the security risks present in these types of environments.

This work is organized in the following manner. First, we present a brief section with theoretical background about the most important concepts related to this research. The next section gives an analysis of AI systems assets where vulnerabilities are identified. Then a review of existing cryptographic techniques is presented. In the discussion section we provide a viable way of using such cryptographic methods to protect the identified assets on AI systems and address the vulnerabilities found in the previous sections. Finally, we present our conclusions. Our research questions are:
• What are the key assets within AI systems that are subject to cyberattacks?
• What vulnerabilities in AI systems present potential exploits for cyberattacks?
• What cryptographic techniques demonstrate effectiveness in mitigating risks linked to the identified vulnerabilities in AI systems?
• How can these cryptographic techniques be applied to safeguard the assets of AI systems?

BACKGROUND
Machine Learning Fundamentals
Machine Learning (ML) algorithms serve as the foundation of artificial intelligence, enabling systems to learn, predict,

Authorized licensed use limited to: Universidad Industrial de Santander. Downloaded on October 16,2024 at 04:12:01 UTC from IEEE Xplore. Restrictions apply.

and evolve based on data. Machine learning (ML) is used to teach machines how to handle data more efficiently [18]. As Arthur Samuel defined it, ML is the field where computers learn without explicit programming. This learning process can be broadly categorized into three types: supervised learning, unsupervised learning, and reinforcement learning, each tailored for specific tasks. Effective data preparation is crucial in ensuring the quality and relevance of training data, while feature extraction transforms raw data for meaningful learning. Evaluation metrics serve as quantitative measures to assess the model's performance, providing insights into its accuracy, precision, recall, and other critical attributes. Common evaluation metrics include accuracy, precision, recall, F1 score, and mean squared error (MSE) [10] [8].

Artificial Intelligence and Neural Networks
Artificial intelligence (AI) and neural networks (NN) [2] are closely related concepts. However, the terms are often wrongly used interchangeably.

AI is a broader term that encompasses NN. Neural Networks (NNs) stand as the cornerstone of modern machine learning, embodying a paradigm shift in computational approaches and exhibiting a transformative impact on diverse applications. The Neural Network mimics the intricate structure and functioning of the human brain, composed of interconnected nodes, or neurons, organized into layers. NNs process information through a series of weighted connections, collectively enabling complex computations and pattern recognition. This architecture allows NNs to tackle tasks that traditional algorithms find challenging, such as image and speech recognition, natural language processing, and complex decision-making. Through a process called training, NNs adjust their parameters based on input-output pairs, gradually refining their ability to make accurate predictions or classifications. The transformative impact of Neural Networks reverberates across industries, reshaping the landscape of technology, healthcare, finance, and more.

Neural Network Components: Neurons, Layers, and Activation Functions
Integrating a section on the inner workings of machine learning (ML) expands users' understanding of how these systems are engineered and readied for practical use. Breaking down the process into simple steps elucidates the journey from raw data to deployable ML models. Initially, data acquisition lays the groundwork, where a diverse array of datasets is collected from various sources relevant to the task at hand. Following this, preprocessing steps such as data cleaning, feature selection, and normalization are undertaken to refine the dataset and prepare it for effective model training. The pivotal phase of model selection and training ensues, wherein appropriate algorithms are chosen based on the nature of the data and the objectives of the ML project. Through iterative training on the prepared dataset, the selected model learns patterns and relationships within the data, continually refining its predictive capabilities. This iterative process often involves techniques such as cross-validation to ensure robust performance and prevent overfitting. Once the model achieves satisfactory performance during training, it undergoes rigorous evaluation using separate validation datasets or through techniques like k-fold cross-validation. This evaluation phase is critical in assessing the model's generalization ability and ensuring its reliability in real-world scenarios. Finally, the culmination of the ML lifecycle involves deploying the trained model into production environments, where it becomes accessible to end-users through various interfaces or integration into existing systems. This deployment phase requires careful consideration of factors such as scalability, latency, and ongoing monitoring to ensure the model's continued effectiveness and relevance. By providing users with an extended explanation of these foundational steps in the ML lifecycle, they gain a deeper appreciation for the complexities involved in building and deploying ML solutions. (Reference: Géron, A. (2019). Hands-On Machine Learning with Scikit-Learn, Keras, and TensorFlow: Concepts, Tools, and Techniques to Build Intelligent Systems. O'Reilly Media.)

The components of a NN consist of Neurons, Layers, and Activation Functions. The functionality of a neuron involves summing the weighted inputs, adding a bias, and applying an activation function to determine the neuron's output and shape NN behavior. The layers receive raw data, process and extract features from this information and output the final result. Key activation functions include the sigmoid function, hyperbolic tangent (tanh), and Rectified Linear Unit. Understanding activation functions is crucial for tailoring NNs to specific applications. One popular NN, the Convolutional Neural Network (CNN), has revolutionized the field of computer vision, proving instrumental in tasks such as image recognition and object detection [14]. [4] describes the CNN as the concept of hierarchical feature detectors in a biologically inspired manner. It can learn highly abstract features and can identify objects efficiently [26]. Due to having fewer parameters, a CNN can be trained smoothly and does not suffer from overfitting [21]. CNNs are widely used in various domains due to their remarkable performance [24], such as image classification [12] [25] [3], object detection [22], face detection, speech recognition [19], vehicle recognition [14], diabetic retinopathy [5], facial expression recognition [23] and many more.

Data encryption
Encryption is the process of converting a piece of data from its original form into an unintelligible form. The original representation of the information is known as plaintext and the encrypted representation is known as ciphertext. The purpose of encryption is to provide confidentiality to sensitive data of any type, not by preventing access to the data but by making the content unintelligible to a potential interceptor.

The two main kinds of encryption are symmetric encryption and asymmetric encryption.

Typically, a key and an algorithm are used to perform data encryption. A secure encryption process should be designed in such a way that it is impractical to decrypt the message without possessing the key. In principle, only authorized parties can decrypt a ciphertext and access the original data.

Specific encryption algorithms and approaches are discussed in section 4.


Figure 1. Encryption Process

Figure 2. Digital signature - how it works

Digital Signature
Digital signing ensures data authentication and integrity by creating an encrypted hash of the data, signed with a private key. To verify the integrity of signed data:
• Decrypt the digital signature using the signer's public key.
• Recalculate the hash of the data using the same algorithm.
• Compare the recalculated hash with the decrypted hash.

Below we provide an example of signing a message with a digital signature. To the message "KADIR HAS UNIVERSITY" we applied the SHA-256 hash algorithm. When we apply SHA-256 to the message, we get a unique hash (represented in figure 2). We add a private key for signing. The digital signature is then created by combining the hash and the private key through a cryptographic operation:

Digital Signature = Sign (hash algorithms + private key)

To verify this signature, one would use the corresponding public key:

Verified = Verify (Digital Signature, Hash + Public Key)

This ensures the authenticity of the "KADIR HAS UNIVERSITY" message, confirming that the digital signature matches the expected outcome based on the original message and private key.

NEURAL NETWORKS ASSETS AND VULNERABILITIES
In this section, we analyze the assets and vulnerabilities present in neural networks and the related possible attacks.

Previous work [15] has demonstrated that AI-ML systems can be analyzed in a systematic manner in order to identify threats using an asset-centered methodology. In other words, potential failures in AI-ML systems can be mapped to threats by first identifying the assets generated and used during the system life cycle. A typical AI-ML system life cycle consists of the following stages:
• Model Data Ingestion and Preprocessing
• Model Selection and Training
• Model Hyper-Parameters Fine-Tuning
• Model Transition from Development to Production
• Model Maintenance for Continuous Improvement

After an analysis of these stages, one can identify the digital assets that are generated and used in each of them. These information assets can also be grouped in categories as described in the list below:
• Data
 – Raw Data
 – Labeled Data
 – Validation Data
• Models
 – Model Parameters
 – Hyper-Parameters
 – Trained Models
• Actors
 – Data Owner
 – AI Developer
 – Model Provider
• Processes
 – Data Collection
 – Pre-processing
 – Model tuning
• Tools
 – Data Exploration Tools
 – Libraries
 – Visualization Tools
• Artefacts
 – Model Architecture
 – Use Case
 – Metadata Schema

Understanding these digital assets is the key to pinpointing security vulnerabilities in the AI ecosystem and defining the security measures that can be used to mitigate them [15]. Each of these assets is subject to different types of cyberattacks that can compromise its integrity, availability or confidentiality, such as: Spoofing, Tampering, Repudiation, Information Disclosure, Denial-of-Service and Elevation-of-Privilege. In the following subsections we describe the major security risks that are associated with these assets.

Sensitive data privacy breach (Leakage of personal information)
Data privacy breaches in the context of NN pose significant risks, often stemming from vulnerabilities in the models, data


handling processes, or adversarial attacks. If the training dataset contains sensitive or personally identifiable information (PII), neural networks can inadvertently learn and memorize these details, leading to unauthorized disclosure during predictions. Malicious actors can manipulate the input data with subtle, carefully crafted perturbations, causing the neural network to misclassify or leak sensitive information. This is particularly concerning in applications like image recognition or NLP, where slight alterations to input data may lead to privacy breaches. Additionally, model inversion attacks exploit the output of a neural network to infer details about the input data, potentially revealing sensitive information. If the model provides granular predictions, attackers may reverse-engineer and deduce specifics about individuals from seemingly innocuous outputs. Inadequate encryption, unsecured APIs, or insufficient access controls may expose sensitive information, allowing unauthorized access to the neural network's predictions.

Model stealing (Intellectual property theft)
Attackers can extract the architecture or parameters of a neural network by querying it with carefully crafted inputs. This can also lead to intellectual property theft, where an attacker replicates a proprietary model without authorization. The value of DNNs is significantly increased due to numerous data sets, powerful computing resources and fine-tuning skills for hyper-parameters. For instance, the training service cost of a certain NN model named BERTLARGE, an extremely powerful language representation DNN model that has 340 million parameters, is about 16 (TPUs) × 4 (days) × 24 (h) × 4.5 (USD per hour) = 6912 USD [7]. Such valuable neural network models are usually confidential for model providers. The model providers can have access to the NN for maintenance, and if not properly watermarked, the model is assumed to be without an owner and can be open sourced [1]. Therefore, protecting the intellectual property (IP) of NNs when designing and deploying NNs has become an urgent problem to be solved in the area of machine learning [13].

Data poisoning and manipulation
Data poisoning and manipulation represent critical threats to the integrity of neural networks (NNs). Attackers can exploit vulnerabilities in the training data sets during the training process, injecting counterfeit or malicious data well before model deployment. These training data or pre-trained models, often sourced from third parties, are susceptible to manipulation along the supply chain if not adequately secured. The introduction of poisoned data can severely compromise the overall performance of the NN, leading to consequences such as reduced accuracy and model failure in detection tasks (e.g., self-driving cars unable to identify road signs, face detection systems failing to recognize actual faces). Additionally, attackers may gain access to plaintext data, maliciously manipulate or poison the data, and swiftly encrypt it to obfuscate the nefarious content within the data. This underscores the need for robust security measures to safeguard the integrity of training data and pre-trained models throughout the entire supply chain.

Parameter alteration or replacement
Fine-tuning hyper-parameters such as weights and biases, activation functions, etc. plays a crucial role in training neural networks. Attackers can target this vulnerability to degrade model performance or introduce bias. This can lead to the model acting maliciously, or to a drop in the model's performance or accuracy. Also, an adversary can try to reverse-engineer a neural network to reconstruct sensitive information from its outputs. This vulnerability poses a significant threat to privacy when AI systems handle personal or confidential data. Adversarial actors may employ various attack strategies, including physical side-channel attacks [9], to extract the well-trained weights and architectures of Neural Networks. In scenarios where the weights exist in plaintext, malicious users have the potential to illicitly distribute and profit from these plaintext NNs without obtaining permission from the original model providers, leading to instances of copyright infringement [13].

CRYPTOGRAPHIC TECHNIQUES
In this section we summarize existing encryption algorithms that could potentially be used as part of a security strategy to mitigate the risks associated with AI-ML systems as described in the previous section. Cryptography [17] is considered to be an effective and efficient way to guarantee the secure handling of information by transforming it into an unintelligible form only accessible to authorized entities. The right selection of the cryptographic algorithm is important for secure communication and storage. Encryption algorithms are typically categorized as shown in the following list (only key-based algorithms are considered, as they are generally considered more secure than keyless techniques):
• Symmetric Encryption
 – Block Cipher
  ∗ DES
  ∗ 3DES
  ∗ Blowfish
  ∗ AES
  ∗ Others
 – Stream Cipher
  ∗ RC4
  ∗ Others
• Asymmetric Encryption
 – RSA
 – ECC
 – CKKS (Homomorphic)
 – Others

The following subsections summarize the details of these techniques.

Symmetric Encryption
A technique that uses a single key to encrypt and decrypt data [16]. It is efficient for large amounts of data but requires a secure key exchange, since the strength of symmetric key encryption depends on the secrecy of its key.

These algorithms can be further categorized into two broad categories: block and stream ciphers. In a block cipher, a group


of message characters of a fixed size (a block) is encrypted simultaneously. The stream cipher is a particular case where the block size is one character. A stream cipher is usually inappropriate for software processing due to the required long key (as long as the message).

DES
A symmetric encryption algorithm that uses a 56-bit key and encrypts messages with a block size of 64 bits. It is now considered insecure for modern applications due to its relatively short key; however, it was highly influential in the development of further techniques.

3DES
Designed to address the vulnerability of DES to brute force attacks by increasing its key length. 3DES provides better security by simply increasing the key length instead of designing a completely new block cipher. The key length for 3DES is 168 bits and the block size is 64 bits.

Blowfish
A symmetric block cipher based on the Feistel function. Its key length is variable, ranging from 32 to 448 bits, and it uses a 64-bit block. The Blowfish algorithm needs more processing time as it depends on the key size. The subkey generation process increases the complexity that protects from brute force attacks and provides better security than existing encryption techniques.

AES
AES is the new-generation block cipher created to replace DES and 3DES. It increases the block size to 128 bits and the key sizes to 128, 192 and 256 bits. AES was designed to be compact and time efficient, simple in its design and secure against all known attacks at the time of its design.

Asymmetric Encryption
A technique that uses two keys, a public key and a private key, to encrypt and decrypt data. The encryption key is known as the public key and is in charge of encrypting the message. The decryption key is known as the secret or private key and can be used to decrypt the message. It is effective for secure communication but is computationally more expensive. It is commonly used for confidentiality and for digital signatures for message authentication.

RSA
A popular type of asymmetric encryption, based on the principle that it is easy to multiply large numbers but very difficult to factor them. The security of RSA relies on the "factoring problem", meaning the difficulty of factoring the product of two large prime numbers.

ECC
Elliptic-curve cryptography (ECC) is an asymmetric cryptography technique based on the algebraic structure of elliptic curves over finite fields. ECC allows smaller keys compared to non-EC cryptography to provide equivalent security. Elliptic curves find direct applications in digital signatures such as ECDSA.

ECDSA
The Elliptic Curve Digital Signature Algorithm (ECDSA) is a Digital Signature Algorithm (DSA) which uses keys derived from elliptic curve cryptography (ECC).

CKKS
Cheon, Kim, Kim and Song (CKKS) is a type of Homomorphic Encryption (HE), meaning that it allows computations on encrypted data without decrypting it first. CKKS is a fourth-generation fully homomorphic encryption technique. HE enables privacy-preserving computations, hence it has potential applications in machine learning on encrypted data, allowing data to remain confidential during processing. A homomorphic encryption algorithm is also asymmetric.

Apart from encryption as such, there are other cryptographic techniques used in information security. That is the case of hashing, salting and digital signing (already described in the background section). These techniques are described in the following subsections.

Hashing
A technique that converts data of arbitrary size to a fixed-size output. It ensures data integrity by generating fixed-size outputs and is commonly used for data verification and integrity checks. It is primarily used for one-way transformations. Hashing is computationally efficient compared to encryption for certain purposes. The main hashing algorithms are summarized in the following subsections.

MD-5
One of the first hashing algorithms to be widely approved. It is currently not considered safe. It generates a digest of 128 bits.

SHA
A family of algorithms considered secure. There are different releases: SHA-1, SHA-2 and SHA-3. SHA-1 produces a hash digest of 160 bits and has been broken, so it is not considered secure anymore. SHA-2 consists of two hash algorithms: SHA-256 and SHA-512. SHA-512 (output size of 64 bytes) is more secure than SHA-256 (output size of 32 bytes). SHA-3 provides the same output sizes as SHA-2.

RIPEMD-160
RACE Integrity Primitives Evaluation Message Digest shares design characteristics with MD4 and has a performance similar to SHA-1. RIPEMD-160 has not been broken. It generates a hash digest of 160 bits.

Whirlpool
Based on a modified version of AES. Whirlpool produces a hash digest of 512 bits.

Salting
A technique that adds random data to the input of a hash function to hinder attackers. It enhances security by preventing precomputed hash attacks. It is commonly used for password storage to thwart rainbow table


attacks. Not associated with privacy-preserving computations. production data processing. Encrypting and decrypting data is
The addition of salt is a lightweight and recommended security usually time-consuming and would impact the performance
practice. of the consumer application. Also, the data is treated as plain
text during the training and recognition steps, in such steps the
DISCUSSION AND SOLUTION PROPOSAL encryption algorithm could not protect against an attack that
In this section, we discuss the different cryptographic tech- aims to steal the data or model.
niques mentioned in the previous section and propose one that Based on this we believe that a NN service system that deals
can address the vulnerabilities and attacks described in the with sensitive data and wants to protect its intellectual property
corresponding section. needs to deal with encrypted data at all times. This would lead
Our proposal aims to provide the reader with a list of suitable to the following approach:
cryptographic techniques that can be used as a reference to se- • Collect and encrypt training data
cure AI systems consisting of neural networks. This proposal • Store the encrypted training data
is especially important for off-premise models that offer their • Train the NN model using the encrypted data
functionality as services in the cloud. • Encrypt production data before sending it to the model for
As a recap of our previous analysis, we find that the most analysis
important assets to protect in a neural network can be defined • Use the encrypted production data as input to the model
as part of the following broad groups [15]: • Send the encrypted result to the client
• Training Data Set Using this approach, the data is always protected as it is never
• Trained NN model treated as plain text. Now, from our cryptographic analysis
• Production data in section 4, it is clear that homomorphic encryption (HE)
suits this application better than the other encryption methods
The solution should provide these assets with integrity and due to its capability to enable operations on encrypted data
confidentiality to meet the privacy and good functioning of the without the need for a previous decryption step [6]. Avoiding
system. the overhead of the first approach.
These assets are data and encryption being a way of making Different schemes of HE have been developed, however, the
data unintelligible comes as a natural solution for protecting proposed solution is to use the CKKS scheme, since it is the
these assets.

Production and training data sets can potentially contain sensitive data, for example, on AI systems performing biometric recognition. It is clear, then, that these data sets must be encrypted; however, we need to define when and how. Generally speaking, sensitive data can be handled as part of the following processes:

• Training Data Collection
• Training Data Storage
• Model training
• Production data analysis

Hence, one approach for protecting the data through encryption could consist of the following steps:

• Collect and encrypt training data
• Store the encrypted training data
• Decrypt the training data and train the NN model
• Delete decrypted data
• Encrypt production data before sending it to the model for analysis
• Decrypt the data before passing it as input to the model
• Delete the decrypted production data
• Encrypt the result and send it to the client

However, after training the NN, the training data is embedded into the model's parameters too, which makes it possible for an attacker to reverse engineer the model and recover the original training data. Hence, the model has to be encrypted as well under this approach. This is possible as an NN model can conceptually be seen as plain text. In such a case the model would need to be decrypted every time a client requests

preferred algorithm to evaluate machine learning models on encrypted data [11].

With this approach, the confidentiality of the data can be ensured. However, the data could still be manipulated by an attacker, and the integrity of the model and training data could be compromised as mentioned in section 4. Therefore, an integrity protection measure needs to be set in place as well. Considering the client-server model where a trustworthy client sends valid production and training data to the server, the use of digital signatures is an option for validating the integrity and authenticity of the received data. If the data was modified by a third entity at any moment, then the server can reject it to prevent data poisoning.

Finally, validating the client's data does not ensure that our model has not been modified. So we propose to sign the model data itself, so that its integrity can be confirmed before loading it. If the data of the model has been modified in any way, then the system should refuse to run it.

In terms of the specific algorithm to be used for the signing process, we propose the use of the Elliptic Curve Digital Signature Algorithm (ECDSA) [20], which, as mentioned in our algorithms analysis, can use a shorter key length compared to RSA when calculating digital signatures and yet maintain a high level of security. This characteristic allows ECDSA to provide high-security performance at a lower hardware cost than RSA. It is worth noting that international organizations such as ISO, ANSI, NIST, and IEEE have accepted ECDSA as a standard.
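The two integrity checks proposed above (the server rejecting client data whose signature does not verify, and the system refusing to load a model whose signature does not verify) as an added Go example; this is not code from the paper. It uses Go's standard-library ECDSA over P-256 with SHA-256, and the model bytes are a constructed stand-in for a serialized model file.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed stand-in for a serialized model (or for a client's data record).
var modelBytes = []byte("constructed-model-parameters:w1=0.12,w2=-0.7,b=0.03")

// SignArtifact hashes the artifact with SHA-256 and signs the digest with
// ECDSA over P-256 (a 256-bit key), returning an ASN.1 DER signature.
func SignArtifact(priv *ecdsa.PrivateKey, artifact []byte) ([]byte, error) {
	digest := sha256.Sum256(artifact)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// VerifyArtifact recomputes the digest and checks the signature with the
// signer's public key; any change to the bytes changes the digest and fails.
func VerifyArtifact(pub *ecdsa.PublicKey, artifact, sig []byte) bool {
	digest := sha256.Sum256(artifact)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// LoadModel is the gate described in the text: the model reaches the runtime
// only if its signature verifies, otherwise the system refuses to run it.
func LoadModel(pub *ecdsa.PublicKey, artifact, sig []byte) ([]byte, error) {
	if !VerifyArtifact(pub, artifact, sig) {
		return nil, errors.New("model signature invalid: refusing to load")
	}
	return artifact, nil
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	sig, _ := SignArtifact(priv, modelBytes) // sign right after generation
	_, err := LoadModel(&priv.PublicKey, modelBytes, sig)
	fmt.Println("genuine model:", err) // genuine model: <nil>
	tampered := append([]byte{}, modelBytes...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of a parameter
	_, err = LoadModel(&priv.PublicKey, tampered, sig)
	fmt.Println("tampered model:", err) // tampered model: model signature invalid: refusing to load
}
```

The same SignArtifact/VerifyArtifact pair serves the client-data case: the client signs each record before sending it, and the server drops any record that fails VerifyArtifact.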

CONCLUSIONS

Neural networks, especially when implemented as services hosted in the cloud, can be seen as information systems consisting of assets that need to be protected to preserve their confidentiality and integrity. There are several of these assets, but special attention should be paid to:

• Training Data
• Trained NN model
• Production data

Unauthorized access to these assets can have serious consequences for a company, including but not limited to:

• Sensitive data privacy breach
• Model stealing (intellectual property theft)
• Data poisoning and manipulation

These could eventually cause a company to face legal repercussions for sensitive data loss or even unfair competition from companies using stolen models.

Different approaches can be used to protect these assets. However, a cryptographic approach was taken in this paper. Based on our analysis of existing cryptographic techniques and vulnerabilities in neural networks, we conclude that the best way to preserve the data and model confidentiality is to solely handle encrypted data. The data should be encrypted right from its source so that by the time it reaches the AI system it is already unintelligible. The model can then be trained with this encrypted data, producing a trained model based on encrypted data that is conceptually secure against reverse engineering. The ability of homomorphic encryption to enable operations on encrypted data allows this approach. The CKKS scheme for the HE should be used, as it is the algorithm that best suits machine learning models.

Finally, the integrity of the model and data can be ensured by the well-known approach of digital signing. These elements should be signed right after their generation using ECDSA, as it provides high-security performance at low costs.

REFERENCES

[1] Yossi Adi, Carsten Baum, Moustapha Cisse, Benny Pinkas, and Joseph Keshet. 2018. Turning your weakness into a strength: watermarking deep neural networks by backdooring. In Proceedings of the 27th USENIX Conference on Security Symposium (SEC'18). USENIX Association, USA, 1615–1631.
[2] Giorgio Buttazzo. 2023. Rise of artificial general intelligence: risks and opportunities. Frontiers in Artificial Intelligence 6 (2023). DOI: http://dx.doi.org/10.3389/frai.2023.1226990
[3] Jeff Donahue, Yangqing Jia, Oriol Vinyals, Judy Hoffman, Ning Zhang, Eric Tzeng, and Trevor Darrell. 2014. DeCAF: a deep convolutional activation feature for generic visual recognition. In Proceedings of the 31st International Conference on International Conference on Machine Learning - Volume 32 (ICML'14). JMLR.org, I–647–I–655.
[4] J. Fieres, Johannes Schemmel, and Kyle Meier. 2006. Training convolutional networks of threshold neurons suited for low-power hardware implementation. (01 2006), 21–28. DOI: http://dx.doi.org/10.1109/IJCNN.2006.246654
[5] Shital N. Firke and Ranjan Bala Jain. 2021. Convolutional Neural Network for Diabetic Retinopathy Detection. In 2021 International Conference on Artificial Intelligence and Smart Systems (ICAIS). 549–553. DOI: http://dx.doi.org/10.1109/ICAIS50930.2021.9395796
[6] Ran Gilad-Bachrach, Nathan Dowlin, Kim Laine, Kristin Lauter, Michael Naehrig, and John Wernsing. 2016. CryptoNets: Applying Neural Networks to Encrypted Data with High Throughput and Accuracy. In Proceedings of The 33rd International Conference on Machine Learning (Proceedings of Machine Learning Research), Maria Florina Balcan and Kilian Q. Weinberger (Eds.), Vol. 48. PMLR, New York, New York, USA, 201–210. https://proceedings.mlr.press/v48/gilad-bachrach16.html
[7] Google. 2024. Single Cloud TPU Device Pricing. (2024). https://cloud.google.com/tpu/
[8] Trevor Hastie, Robert Tibshirani, and Jerome Friedman. 2009. The elements of statistical learning: data mining, inference and prediction (2 ed.). Springer. http://www-stat.stanford.edu/~tibs/ElemStatLearn/
[9] Weizhe Hua, Zhiru Zhang, and G. Edward Suh. 2018. Reverse engineering convolutional neural networks through side-channel information leaks. In Proceedings of the 55th Annual Design Automation Conference (DAC '18). Association for Computing Machinery, New York, NY, USA, Article 4, 6 pages. DOI: http://dx.doi.org/10.1145/3195970.3196105
[10] Gareth James, Daniela Witten, Trevor Hastie, and Robert Tibshirani. 2013. An Introduction to Statistical Learning: with Applications in R. Springer. https://faculty.marshall.usc.edu/gareth-james/ISL/
[11] Andrey Kim, Antonis Papadimitriou, and Yuriy Polyakov. 2020. Approximate Homomorphic Encryption with Reduced Approximation Error. Cryptology ePrint Archive, Paper 2020/1118. (2020). https://eprint.iacr.org/2020/1118
[12] Alex Krizhevsky, Ilya Sutskever, and Geoffrey E. Hinton. 2012. ImageNet classification with deep convolutional neural networks. In Proceedings of the 25th International Conference on Neural Information Processing Systems - Volume 1 (NIPS'12). Curran Associates Inc., Red Hook, NY, USA, 1097–1105.
[13] Ning Lin, Xiaoming Chen, Hang Lu, and Xiaowei Li. 2021. Chaotic Weights: A Novel Approach to Protect Intellectual Property of Deep Neural Networks. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems 40, 7 (2021), 1327–1339. DOI: http://dx.doi.org/10.1109/TCAD.2020.3018403

[14] Xingcheng Luo, Ruihan Shen, Jian Hu, Jianhua Deng, Linji Hu, and Qing Guan. 2017. A Deep Convolution Neural Network Model for Vehicle Recognition and Face Recognition. Procedia Comput. Sci. 107, C (Apr 2017), 715–720. DOI: http://dx.doi.org/10.1016/j.procs.2017.03.153
[15] Lara Mauri and Ernesto Damiani. 2022. Modeling Threats to AI-ML Systems Using STRIDE. Sensors 22, 17 (2022). DOI: http://dx.doi.org/10.3390/s22176662
[16] Qahtan Makki Shallal Mohammad Ubaidullah Bokhari. 2016. A Review on Symmetric Key Encryption Techniques in Cryptography. International Journal of Computer Applications 147, 10 (Aug 2016), 43–48. DOI: http://dx.doi.org/10.5120/ijca2016911203
[17] Muhammad Faheem Mushtaq, Sapiee Jamel, Abdulkadir Hassan Disina, Zahraddeen A. Pindar, Nur Shafinaz Ahmad Shakir, and Mustafa Mat Deris. 2017. A Survey on the Cryptographic Encryption Algorithms. International Journal of Advanced Computer Science and Applications 8, 11 (2017). DOI: http://dx.doi.org/10.14569/IJACSA.2017.081141
[18] Michael A. Nielsen. 2018. Neural Networks and Deep Learning. (2018). http://neuralnetworksanddeeplearning.com/
[19] Tara Sainath, Brian Kingsbury, Abdel-rahman Mohamed, George Dahl, George Saon, Hagen Soltau, Tomas Beran, Aleksandr Aravkin, and Bhuvana Ramabhadran. 2013. Improvements to Deep Convolutional Neural Networks for LVCSR. (09 2013). DOI: http://dx.doi.org/10.1109/ASRU.2013.6707749
[20] Yuanbo Shang. 2022. Efficient and Secure Algorithm: The Application and Improvement of ECDSA. In 2022 International Conference on Big Data, Information and Computer Network (BDICN). 182–188. DOI: http://dx.doi.org/10.1109/BDICN55575.2022.00043
[21] Evgeny Smirnov, Denis Timoshenko, and Serge Andrianov. 2014. Comparison of Regularization Methods for ImageNet Classification with Deep Convolutional Neural Networks. AASRI Procedia 6 (12 2014), 89–94. DOI: http://dx.doi.org/10.1016/j.aasri.2014.05.013
[22] Christian Szegedy, Alexander Toshev, and Dumitru Erhan. 2013. Deep Neural Networks for Object Detection. In Advances in Neural Information Processing Systems, C.J. Burges, L. Bottou, M. Welling, Z. Ghahramani, and K.Q. Weinberger (Eds.), Vol. 26. Curran Associates, Inc. https://proceedings.neurips.cc/paper_files/paper/2013/file/f7cade80b7cc92b991cf4d2806d6bd78-Paper.pdf
[23] Ayşegül Uçar. 2017. Deep Convolutional Neural Networks for facial expression recognition. 371–375. DOI: http://dx.doi.org/10.1109/INISTA.2017.8001188
[24] Jichen Wang, Jun Lin, and Zhongfeng Wang. 2016. Efficient convolution architectures for convolutional neural network. In 2016 8th International Conference on Wireless Communications Signal Processing (WCSP). 1–5. DOI: http://dx.doi.org/10.1109/WCSP.2016.7752726
[25] Matthew Zeiler and Rob Fergus. 2013. Stochastic Pooling for Regularization of Deep Convolutional Neural Networks. In ICLR (01 2013).
[26] Zhifei Zhang. 2016. Derivation of Backpropagation in Convolutional Neural Network (CNN). (October 2016), 7. https://pdfs.semanticscholar.org/5d79/11c93ddcb34cac088d99bd0cae9124e5dcd1.pdf
