DOI: 10.1145/3576915.3623069

Research article

Prediction Privacy in Distributed Multi-Exit Neural Networks: Vulnerabilities and Solutions

Published: 21 November 2023

ABSTRACT

Distributed Multi-exit Neural Networks (MeNNs) use partitioning and early exits to reduce the cost of neural network inference on low-power sensing systems. Existing MeNNs exhibit high inference accuracy using policies that select when to exit based on data-dependent prediction confidence. This paper presents a side-channel attack against distributed MeNNs employing data-dependent early exit policies. We find that an adversary can observe when a distributed MeNN exits early using encrypted communication patterns. An adversary can then use these observations to discover the MeNN's predictions with over 1.85× the accuracy of random guessing. In some cases, the side-channel leaks over 80% of the model's predictions. This leakage occurs because prior policies make decisions using a single threshold on varying prediction confidence distributions. We address this problem through two new exit policies. The first method, Per-Class Exiting (PCE), uses multiple thresholds to balance exit rates across predicted classes. This policy retains high accuracy and lowers prediction leakage, but we prove it has no privacy guarantees. We obtain these guarantees with a second policy, Confidence-Guided Randomness (CGR), which randomly selects when to exit using probabilities biased toward PCE's decisions. CGR provides statistically equivalent privacy with consistently higher inference accuracy than exiting early uniformly at random. Both PCE and CGR have low overhead, making them viable security solutions in resource-constrained settings.
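As an added illustration (not code from the paper or its authors), the Python below models the exit-decision side channel the abstract describes and the two mitigations: a single-threshold policy whose early-exit rate differs by predicted class, PCE thresholds calibrated per class so the rates match, and a CGR sampler that randomizes the decision with a bias toward PCE. The confidence values, the 0.5 target exit rate, and the specific form of CGR's bias (exit with probability `bias` when PCE would exit, `1 - bias` otherwise) are assumptions; the leakage figure is the adversary's best-guess accuracy from the exit signal divided by random guessing, the ratio the abstract reports as over 1.85×.

```python
"""Toy model of the exit-decision side channel in a two-exit distributed MeNN.

Constructed example: each calibration sample is a (predicted_class, confidence)
pair produced by the early exit. The observer sees only whether the device
exited early or forwarded the input to the next partition (a distinguishable
encrypted traffic pattern) and tries to guess the predicted class from that.
"""
from collections import Counter
from random import Random

# Constructed early-exit confidences per predicted class (3 classes, 10 each).
CALIBRATION = {
    0: [0.95, 0.92, 0.90, 0.88, 0.85, 0.80, 0.75, 0.70, 0.65, 0.60],
    1: [0.85, 0.70, 0.65, 0.60, 0.55, 0.50, 0.45, 0.40, 0.38, 0.35],
    2: [0.90, 0.80, 0.60, 0.55, 0.50, 0.45, 0.42, 0.40, 0.36, 0.34],
}


def single_threshold_policy(threshold):
    """Prior policy: one confidence threshold shared by every class."""
    return lambda cls, conf: conf >= threshold


def pce_thresholds(calibration, target_rate):
    """Per-Class Exiting (assumed calibration): choose a threshold per class so
    that about `target_rate` of that class's calibration samples exit early."""
    thresholds = {}
    for cls, confs in calibration.items():
        ranked = sorted(confs, reverse=True)
        k = max(1, round(target_rate * len(ranked)))
        thresholds[cls] = ranked[k - 1]  # k-th highest confidence for this class
    return thresholds


def pce_policy(thresholds):
    return lambda cls, conf: conf >= thresholds[cls]


def cgr_exit_probability(pce_exits, bias):
    """Confidence-Guided Randomness (assumed form): exit with probability `bias`
    when PCE would exit and 1 - bias otherwise. bias=1.0 reproduces PCE exactly;
    bias=0.5 is exiting uniformly at random."""
    return bias if pce_exits else 1.0 - bias


def exit_rates(policy, calibration):
    """Fraction of each class's samples that exit early under `policy`."""
    return {cls: sum(policy(cls, c) for c in confs) / len(confs)
            for cls, confs in calibration.items()}


def adversary_accuracy(joint, n_classes):
    """Best guess from the exit signal alone: for each observation (exited or
    not) predict the most frequent class. joint maps (class, exited) -> count."""
    total = sum(joint.values())
    best = 0.0
    for exited in (True, False):
        best += max(joint.get((cls, exited), 0) for cls in range(n_classes))
    return best / total


def leakage_ratio(policy, calibration):
    """Adversary accuracy divided by random guessing; 1.0 means no leakage."""
    joint = Counter()
    for cls, confs in calibration.items():
        for conf in confs:
            joint[(cls, bool(policy(cls, conf)))] += 1
    n = len(calibration)
    return adversary_accuracy(joint, n) / (1.0 / n)


def cgr_leakage_ratio(thresholds, calibration, bias, trials=20000, seed=1):
    """Monte Carlo estimate of the leakage ratio for the randomized CGR policy."""
    rng = Random(seed)
    pce = pce_policy(thresholds)
    joint = Counter()
    for _ in range(trials):
        cls = rng.choice(list(calibration))
        conf = rng.choice(calibration[cls])
        exited = rng.random() < cgr_exit_probability(pce(cls, conf), bias)
        joint[(cls, exited)] += 1
    n = len(calibration)
    return adversary_accuracy(joint, n) / (1.0 / n)


if __name__ == "__main__":
    single = single_threshold_policy(0.6)
    print("single-threshold exit rates:", exit_rates(single, CALIBRATION))
    print("single-threshold leakage ratio:", leakage_ratio(single, CALIBRATION))
    t = pce_thresholds(CALIBRATION, 0.5)
    print("PCE thresholds:", t)
    print("PCE exit rates:", exit_rates(pce_policy(t), CALIBRATION))
    print("PCE leakage ratio:", leakage_ratio(pce_policy(t), CALIBRATION))
    print("CGR leakage ratio (bias 0.7):", cgr_leakage_ratio(t, CALIBRATION, 0.7))
```

PCE equalizes exit rates only on the calibration confidences, consistent with the abstract's statement that it carries no privacy guarantee; CGR's per-class exit probability stays balanced by construction once PCE's rates are, at the cost of sometimes overriding a confident early exit.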


Published in

CCS '23: Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security
November 2023
3722 pages
ISBN: 9798400700507
DOI: 10.1145/3576915

          Copyright © 2023 ACM


Publisher: Association for Computing Machinery, New York, NY, United States
