A Two-Branch Neural Network Architecture for Model Protection within Trusted Execution Environments

23 Sept 2023 (modified: 25 Mar 2024), ICLR 2024 Conference, Withdrawn Submission
Primary Area: societal considerations including fairness, safety, privacy
Code Of Ethics: I acknowledge that I and all co-authors of this work have read and commit to adhering to the ICLR Code of Ethics.
Keywords: Trusted Execution Environment, Security
Submission Guidelines: I certify that this submission complies with the submission instructions as described on https://iclr.cc/Conferences/2024/AuthorGuide.
Abstract: Deep Neural Networks (DNNs) are becoming increasingly prevalent in mobile applications on edge devices. As the model architecture and weights represent valuable intellectual property for model providers, it is necessary to protect them during inference. Previous works attempted to secure on-device machine learning by leveraging Trusted Execution Environments (TEEs). However, the constrained memory within a TEE prevents placing the model directly inside it, and partitioning the model and executing the partitions sequentially in the TEE incurs significant latency overhead. In our research, we propose a novel framework to restructure conventional CNN models into a unique two-branch architecture that is compatible with TEE deployments. Specifically, the framework generates a model that consists of a branch placed in the normal execution environment and a lightweight counterpart within the TEE. By allowing only unidirectional communication between the two branches, the confidentiality of the model can be protected. To find the best architecture for the newly generated network, we introduce a progressive pruning method that gradually identifies and removes redundant channels from both branches at the same time while maintaining high inference accuracy for the benign user. Our comprehensive experiments, involving a variety of DNNs and datasets, attest to the effectiveness of our framework. It offers robust security assurances while ensuring efficient computational latency.
Anonymous Url: I certify that there is no URL (e.g., github page) that could be used to find authors' identity.
No Acknowledgement Section: I certify that there is no acknowledgement section in this submission for double blind review.
Submission Number: 8100