skip to main content
10.1145/3472883.3486988acmconferencesArticle/Chapter ViewAbstractPublication PagesmodConference Proceedingsconference-collections
research-article

Lasagna: Accelerating Secure Deep Learning Inference in SGX-enabled Edge Cloud

Published: 01 November 2021 Publication History

Abstract

Edge intelligence has already been widely regarded as a key enabling technology in a variety of domains. Along with the prosperity, increasing concern is raised on the security and privacy of intelligent applications. As these applications are usually deployed on shared and untrusted edge servers, malicious co-located attackers, or even untrustworthy infrastructure providers, may acquire highly security-sensitive data and code (i.e., the pre-trained model). Software Guard Extensions (SGX) provides an isolated Trust Execution Environment (TEE) for task security guarantee. However, we notice that DNN inference performance in SGX is severely affected by the limited enclave memory space due to the resultant frequent page swapping operations and the high enclave call overhead. To tackle this problem, we propose Lasagna, an SGX oriented DNN inference performance acceleration framework without compromising the task security. Lasagna consists of a local task scheduler and a global task balancer to optimize the system performance by exploring the layered-structure of DNN models. Our experiment results show that our layer-aware Lasagna effectively speeds up the well-known DNN inference in SGX by 1.31x-1.97x.

Supplementary Material

VTT File (Day3_Session11-Order2.vtt)
MP4 File (Day3_Session11-Order2.mp4)
Presentation video

References

[1]
Sergei Arnautov, Bohdan Trach, Franz Gregor, Thomas Knauth, Andre Martin, Christian Priebe, Joshua Lind, Divya Muthukumaran, Dan O'keeffe, Mark L Stillwell, et al. 2016. SCONE: Secure linux containers with intel SGX. In Proceedings of USENIX Symposium on Operating Systems Design and Implementations (OSDI). 689--703.
[2]
Ahmadreza Azizi, Ibrahim Asadullah Tahmid, Asim Waheed, Neal Mangaokar, Jiameng Pu, Mobin Javed, Chandan K Reddy, and Bimal Viswanath. 2021. T-Miner: A generative approach to defend against trojan attacks on DNN-based text classification. In Proceedings of Usenix Security Symposium (USENIX Security). 2255--2272.
[3]
Zewen Chi, Li Dong, Furu Wei, Wenhui Wang, Xian-Ling Mao, and Heyan Huang. 2020. Cross-Lingual natural language generation via pre-training. In Proceedings of AAAI Conference on Artificial Intelligence (AAAI). 7570--7577.
[4]
Tyson Condie, Paul Mineiro, Neoklis Polyzotis, and Markus Weimer. 2013. Machine learning on big data. In Proceedings of IEEE International Conference on Data Engineering (ICDE). 1242--1244.
[5]
Victor Costan and Srinivas Devadas. 2016. Intel SGX explained. In IACR Cryptol. ePrint Arch. 1--118.
[6]
Ran Gilad-Bachrach, Nathan Dowlin, Kim Laine, Kristin Lauter, Michael Naehrig, and John Wernsing. 2016. Cryptonets: Applying neural networks to encrypted data with high throughput and accuracy. In Proceedings of International Conference on Machine Learning (ICML). 201--210.
[7]
Zhongshu Gu, Heqing Huang, Jialong Zhang, Dong Su, Ankita Lamba, Dimitrios Pendarakis, and Ian Molloy. 2018. Securing input data of deep learning inference systems via partitioned enclave execution. In Proceedings of Computing Research Repository.
[8]
Kaiming He, Xiangyu Zhang, Shaoqing Ren, and Jian Sun. 2016. Deep residual learning for image recognition. In Proceedings of IEEE Conference on Computer Vision and Pattern Recognition (CVPR). 770--778.
[9]
Gao Huang, Zhuang Liu, Laurens Van Der Maaten, and Kilian Q Weinberger. 2017. Densely connected convolutional networks. In Proceedings of IEEE Conference on Computer Vision and Pattern Recognition (CVPR). 4700--4708.
[10]
Hengguan Huang, Hao Wang, and Brian Mak. 2019. Recurrent poisson process unit for speech recognition. In Proceedings of AAAI Conference on Artificial Intelligence (AAAI). 6538--6545.
[11]
Yi Huang, Mohammad Esmalifalak, Huy Nguyen, Rong Zheng, Zhu Han, Husheng Li, and Lingyang Song. 2013. Bad data injection in smart grid: attack and defense mechanisms. In Proceedings of IEEE Communications Magazine, Vol. 51. 27--33.
[12]
Loc N Huynh, Youngki Lee, and Rajesh Krishna Balan. 2017. Deepmon: Mobile gpu-based deep learning framework for continuous vision applications. In Proceedings of International Conference on Mobile Systems, Applications, and Services (MobiSys). 82--95.
[13]
Akira Ito, Kotaro Saito, Rei Ueno, and Naofumi Homma. 2021. Imbalanced data problems in deep learning-based side-channel attacks: analysis and solution. In Proceedings of IEEE Transactions on Information Forensics and Security, Vol. 16. 3790--3802.
[14]
Matthew Jagielski, Alina Oprea, Battista Biggio, Chang Liu, Cristina Nita-Rotaru, and Bo Li. 2018. Manipulating machine learning: Poisoning attacks and countermeasures for regression learning. In Proceedings of IEEE Symposium on Security and Privacy (S&P). 19--35.
[15]
Yangqing Jia and Evan Shelhamer. 2015. Caffe model zoo. UC Berkeley (2015).
[16]
Yangqing Jia, Evan Shelhamer, Jeff Donahue, Sergey Karayev, Jonathan Long, Ross Girshick, Sergio Guadarrama, and Trevor Darrell. 2014. Caffe: Convolutional architecture for fast feature embedding. In ACM MM. 675--678.
[17]
Kyungtae Kim, Chung Hwan Kim, Junghwan" John" Rhee, Xiao Yu, Haifeng Chen, Dave Tian, and Byoungyoung Lee. 2020. Vessels: efficient and scalable deep learning prediction on trusted processors. In Proceedings of ACM Symposium on Cloud Computing (SoCC). 462--476.
[18]
Alex Krizhevsky, Ilya Sutskever, and Geoffrey E Hinton. 2012. Imagenet classification with deep convolutional neural networks. In Proceedings of Annual Conference on Neural Information Processing Systems (NeurIPS), Vol. 25. 1097--1105.
[19]
Hyun Kwon, Yongchul Kim, Hyunsoo Yoon, and Daeseon Choi. 2019. Selective audio adversarial example in evasion attack on speech recognition system. In Proceedings of IEEE Transactions on Information Forensics and Security, Vol. 15. 526--538.
[20]
Nicholas D Lane, Sourav Bhattacharya, Petko Georgiev, Claudio Forlivesi, Lei Jiao, Lorena Qendro, and Fahim Kawsar. 2016. Deepx: A software accelerator for low-power deep learning inference on mobile devices. In Proceedings of International Conference on Information Processing in Sensor Networks (IPSN). 1--12.
[21]
Sangho Lee, Ming-Wei Shih, Prasun Gera, Taesoo Kim, Hyesoon Kim, and Marcus Peinado. 2017. Inferring fine-grained control flow inside SGX enclaves with branch shadowing. In Proceedings of Usenix Security Symposium (USENIX Security). 557--574.
[22]
Taegyeong Lee, Zhiqi Lin, Saumay Pushp, Caihua Li, Yunxin Liu, Youngki Lee, Fengyuan Xu, Chenren Xu, Lintao Zhang, and Junehwa Song. 2019. Occlumency: Privacy-preserving remote deep-learning inference using SGX. In Proceedings of ACM International Conference on Mobile Computing and Networking (MobiCom). 1--17.
[23]
Yannan Liu, Lingxiao Wei, Bo Luo, and Qiang Xu. 2017. Fault injection attack on deep neural network. In Proceedings of International Conference on Computer-Aided Design (ICCAD). 131--138.
[24]
Guillermo Lloret-Talavera, Marc Jorda, Harald Servat, Fabian Boemer, Chetan Chauhan, Shigeki Tomishima, Nilesh N Shah, and Antonio J Pena. 2021. Enabling homomorphically encrypted inference for large DNN models. In Proceedings of IEEE Transactions on Computers. IEEE.
[25]
Do Le Quoc, Franz Gregor, Sergei Arnautov, Roland Kunkel, Pramod Bhatotia, and Christof Fetzer. 2020. SecureTF: A secure TensorFlow framework. In Proceedings of International Middleware Conference (Middleware). 44--59.
[26]
Joseph Redmon. 2013--2016. Darknet: Open Source Neural Networks in C. http://pjreddie.com/darknet/.
[27]
Joseph Redmon, Santosh Divvala, Ross Girshick, and Ali Farhadi. 2016. You only look once: Unified, real-time object detection. In Proceedings of IEEE Conference on Computer Vision and Pattern Recognition (CVPR). 779--788.
[28]
Nicholas Rhinehart, Rowan McAllister, Kris Kitani, and Sergey Levine. 2019. PRECOG: Predictions conditioned on goals in visual multi-agent scenarios. In Proceedings of International Conference on Computer Vision (ICCV), Vol. 2. 4.
[29]
Karen Simonyan and Andrew Zisserman. 2015. Very deep convolutional networks for large-scale image recognition. In Proceedings of International Conference on Learning Representations (ICLR).
[30]
Octavian Suciu, Radu Marginean, Yigitcan Kaya, Hal Daume III, and Tudor Dumitras. 2018. When does machine learning FAIL? generalized transferability for evasion and poisoning attacks. In Proceedings of Usenix Security Symposium (USENIX Security). 1299--1316.
[31]
Christian Szegedy, Wei Liu, Yangqing Jia, Pierre Sermanet, Scott Reed, Dragomir Anguelov, Dumitru Erhan, Vincent Vanhoucke, and Andrew Rabinovich. 2015. Going deeper with convolutions. In Proceedings of IEEE Conference on Computer Vision and Pattern Recognition (CVPR). 1--9.
[32]
Chia-Che Tsai, Donald E Porter, and Mona Vij. 2017. Graphene-SGX: A practical library OS for unmodified applications on SGX. In Proceedings of USENIX Annul Technical Conference (USENIX ATC). 645--658.
[33]
Zhibo Wang, Mengkai Song, Zhifei Zhang, Yang Song, Qian Wang, and Hairong Qi. 2019. Beyond inferring class representatives: User-level privacy leakage from federated learning. In Proceedings of IEEE International Conference on Computer Communications (INFOCOM). 2512--2520.
[34]
Saining Xie, Ross Girshick, Piotr Dollár, Zhuowen Tu, and Kaiming He. 2017. Aggregated residual transformations for deep neural networks. In Proceedings of IEEE Conference on Computer Vision and Pattern Recognition (CVPR). 1492--1500.
[35]
Shangyu Xie, Bingyu Liu, and Yuan Hong. 2021. Privacy-preserving cloud-based DNN inference. In Proceedings of IEEE International Conference on Acoustics, Speech and SP (ICASSP). IEEE, 2675--2679.
[36]
Guowen Xu, Hongwei Li, Hao Ren, Kan Yang, and Robert H Deng. 2019. Data security issues in deep learning: attacks, countermeasures, and opportunities. In Proceedings of IEEE Communications Magazine, Vol. 57. 116--122.
[37]
Mengwei Xu, Mengze Zhu, Yunxin Liu, Felix Xiaozhu Lin, and Xuanzhe Liu. 2018. DeepCache: Principled cache for mobile deep vision. In Proceedings of ACM International Conference on Mobile Computing and Networking (MobiCom). 129--144.
[38]
Zhi Zhou, Xu Chen, En Li, Liekang Zeng, Ke Luo, and Junshan Zhang. 2019. Edge Intelligence: Paving the last mile of artificial intelligence with edge computing. In Proceedings of the IEEE, Vol. 107. 1738--1762.

Cited By

View all
  • (2025)DePoL: Assuring Training Integrity in Collaborative Learning via Decentralized VerificationJournal of Parallel and Distributed Computing10.1016/j.jpdc.2025.105056(105056)Online publication date: Feb-2025
  • (2024)SeesawProceedings of the 41st International Conference on Machine Learning10.5555/3692070.3693248(29266-29277)Online publication date: 21-Jul-2024
  • (2024)TransLinkGuard: Safeguarding Transformer Models Against Model Stealing in Edge DeploymentProceedings of the 32nd ACM International Conference on Multimedia10.1145/3664647.3680786(3479-3488)Online publication date: 28-Oct-2024
  • Show More Cited By

Index Terms

  1. Lasagna: Accelerating Secure Deep Learning Inference in SGX-enabled Edge Cloud

    Recommendations

    Comments

    Information & Contributors

    Information

    Published In

    cover image ACM Conferences
    SoCC '21: Proceedings of the ACM Symposium on Cloud Computing
    November 2021
    685 pages
    ISBN:9781450386388
    DOI:10.1145/3472883
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

    Sponsors

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Publication History

    Published: 01 November 2021

    Permissions

    Request permissions for this article.

    Check for updates

    Author Tags

    1. DNN Inference
    2. Edge intelligence
    3. SGX
    4. Task scheduling

    Qualifiers

    • Research-article
    • Research
    • Refereed limited

    Funding Sources

    Conference

    SoCC '21
    Sponsor:
    SoCC '21: ACM Symposium on Cloud Computing
    November 1 - 4, 2021
    WA, Seattle, USA

    Acceptance Rates

    Overall Acceptance Rate 169 of 722 submissions, 23%

    Contributors

    Other Metrics

    Bibliometrics & Citations

    Bibliometrics

    Article Metrics

    • Downloads (Last 12 months)114
    • Downloads (Last 6 weeks)8
    Reflects downloads up to 16 Feb 2025

    Other Metrics

    Citations

    Cited By

    View all
    • (2025)DePoL: Assuring Training Integrity in Collaborative Learning via Decentralized VerificationJournal of Parallel and Distributed Computing10.1016/j.jpdc.2025.105056(105056)Online publication date: Feb-2025
    • (2024)SeesawProceedings of the 41st International Conference on Machine Learning10.5555/3692070.3693248(29266-29277)Online publication date: 21-Jul-2024
    • (2024)TransLinkGuard: Safeguarding Transformer Models Against Model Stealing in Edge DeploymentProceedings of the 32nd ACM International Conference on Multimedia10.1145/3664647.3680786(3479-3488)Online publication date: 28-Oct-2024
    • (2024)HyperTheft: Thieving Model Weights from TEE-Shielded Neural Networks via Ciphertext Side ChannelsProceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security10.1145/3658644.3690317(4346-4360)Online publication date: 2-Dec-2024
    • (2024)CHDAER:Consistent Hashing-based Data Allocation for Efficient Recommendation in Edge EnvironmentProceedings of the 33rd ACM International Conference on Information and Knowledge Management10.1145/3627673.3679809(622-631)Online publication date: 21-Oct-2024
    • (2024)No Privacy Left Outside: On the (In-)Security of TEE-Shielded DNN Partition for On-Device ML2024 IEEE Symposium on Security and Privacy (SP)10.1109/SP54263.2024.00052(3327-3345)Online publication date: 19-May-2024
    • (2024)Memory-Efficient and Secure DNN Inference on TrustZone-enabled Consumer IoT DevicesIEEE INFOCOM 2024 - IEEE Conference on Computer Communications10.1109/INFOCOM52122.2024.10621088(2009-2018)Online publication date: 20-May-2024
    • (2024)Secure Deep Learning Inference with Intel SGX on Intel Ice Lake-SP Xeon Processor2024 10th International Conference on Smart Computing and Communication (ICSCC)10.1109/ICSCC62041.2024.10690574(55-59)Online publication date: 25-Jul-2024
    • (2024)SecMdp: Towards Privacy-Preserving Multimodal Deep Learning in End-Edge-Cloud2024 IEEE 40th International Conference on Data Engineering (ICDE)10.1109/ICDE60146.2024.00135(1659-1670)Online publication date: 13-May-2024
    • (2023)Predicting the Performance of DNNs to Support Efficient Resource Allocation2023 19th International Conference on Network and Service Management (CNSM)10.23919/CNSM59352.2023.10327894(1-7)Online publication date: 30-Oct-2023
    • Show More Cited By

    View Options

    Login options

    View options

    PDF

    View or Download as a PDF file.

    PDF

    eReader

    View online with eReader.

    eReader

    Figures

    Tables

    Media

    Share

    Share

    Share this Publication link

    Share on social media