Machine learning as a service (MLaaS) offers users the benefit of training state-of-the-art neural network models on fast hardware with low costs. However, it also brings security concerns since the user does not fully trust the cloud. To prove to the user that the ML training results are legitimate, existing approaches mainly adopt cryptographic techniques such as secure multi-party computation, which incur large overheads. In this paper, we model the problem of verifying ML training efforts as an anomaly detection problem. We design a verification system, dubbed VeriTrain , which combines unsupervised anomaly detection approaches and hypothesis testing techniques to verify the legitimacy of training efforts on the MLaaS cloud. VeriTrain is run inside trusted execution environments (TEEs) on the same cloud machine to ensure the integrity of its execution. We consider a threat model where the cloud model trainer is a lazy attacker and tries to fool VeriTrain with minimum training effort. We perform extensive evaluations on multiple neural network models and datasets, which shows that VeriTrain performs well in detecting parameter updates crafted by the attacker. We also implement VeriTrain with Intel SGX and show that it only incurs moderate overheads.
2023-04-12
2024-09-23