Securing AI/ML With A Hardware Root Of Trust

Understand AI workflows to recognize security risks and where cyberattacks can occur.


AI/ML (Artificial Intelligence/Machine Learning) is now pervasive across all industries. It contributes to rationalizing and harnessing the enormous amount of information made available by the current massive wave of digitization. Digitization is transforming how business is run and how value is produced using digital technologies. Data, the raw material of AI/ML and deep learning algorithms, is now available in considerable quantities from all aspects of business operations.

AI operations are typically divided into two essential functions, training and inference. Training corresponds to teaching the model how to perform a specific task, such as how to recognize cars in a traffic video, and inference refers to the neural network’s ability to apply what it has learned to a real-world situation, in this case, to an actual traffic video feed. Traditionally, both the training phase (consisting of configuring and setting up the parameters of the AI algorithm) and the inference phase (consisting of using the configured AI algorithm with real-life data) would occur in a data center, but nowadays inference is often performed at the edge, in a gateway or in an end device.

AI/ML promises to create enormous value. Firms like PwC and McKinsey have prognosticated that AI will add $13 trillion or more to the global economy by 2030. Given that great value, the motivation of adversaries to compromise or steal critical AI assets is huge. The upshot is that security is a mission-critical priority for AI/ML operations.

It is important to understand the AI workflows to recognize the security risks and where cyberattacks can occur. Before a training session, the data must be processed, trimmed, and modified for the AI model selected. Selecting the proper training data set and performing proper data preparation is very important, as it directly influences the model’s parameters and therefore its accuracy and robustness. Any unexpected modification to the training set can corrupt the model. Training the model results in a set of parameters and model characteristics that are saved in a format specific to the AI framework selected. All the aspects of the above-mentioned process are security-sensitive, either because they relate to someone’s intellectual property or because of the privacy concerns regarding the training data.

The result of the process described above, stored in a specific AI format, is used to perform predictions or classifications. The model is ingested into an inference engine powered by a processor running on a device. The device collects the data, images, video, or speech and streams it to the inference engine that performs the prediction. In this process as well, all the resources involved must be protected from prying eyes. Known attacks on AI inference, such as adversarial attacks, confuse the prediction and produce a wrong classification.

The threats to AI/ML assets are many and include data poisoning, adversarial attacks, data theft, pipeline tampering, model theft, model extraction, and ethical misuse. Training data poisoning involves inserting compromised data into the training set to degrade the performance of the model. An adversarial attack occurs when the model is accessed to test it and find its weaknesses, with the goal of identifying artifacts in the data that can be used to fool it into misclassifying. Both training and inference data can be stolen, compromising intellectual property and privacy rights. Likewise, models can be stolen or extracted through reverse engineering. While training normally occurs in data centers with hardened physical security, cyberattacks are still a threat. For inference, which is increasingly deployed in end devices, AI/ML assets can quite literally be walked or driven to a reverse-engineering lab.

Safeguarding AI/ML assets requires a multi-layered security strategy which has at its foundation a root of trust anchored in hardware. Depending on the complexity of the device, a hardware root of trust can range from a compact state-machine architecture to a fully programmable security co-processor. A hardware root of trust provides the confidentiality, integrity and authenticity needed to secure AI workloads and assets.

Take secure boot as an example use case. The root of trust ensures the integrity of firmware for the secure boot of an AI accelerator. It can also verify the integrity of the firmware images used by all other AI infrastructure components. Using secure firmware verification, the system can ensure that the models loaded in the AI nodes are the ones intended and have not been modified.

Even more specific to AI/ML is the protection of training algorithms, training data sets and inference models. Hashing of models and data ensures that only valid instances are loaded into the system. Encryption of models and data protects these assets from theft or tampering. The root of trust provides these cryptographic services which safeguard these critical AI/ML assets from adversaries.
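As an added illustration (not code from this article or from Rambus), the following shows the load-time gate that hashing a model implies: the inference engine refuses any artifact whose digest does not match a manifest authenticated with a key held by the root of trust. The model bytes and the key are constructed for the example; HMAC stands in for the hardware-backed signing the root of trust would actually perform.

```python
import hashlib
import hmac
import json

# Constructed sample artifact standing in for a serialized model file; not a real format.
MODEL_BYTES = b"NN-MODEL\x00layers=3;weights=0.12,0.87,0.33"
# Assumption: in a real system this key lives inside the hardware root of trust
# and never leaves it. It is a plain constant here only so the example runs stand-alone.
ROT_KEY = b"constructed-root-of-trust-key"


def _manifest_payload(model_name: str, digest: str) -> bytes:
    """Canonical bytes covered by the authentication tag."""
    return json.dumps({"model": model_name, "sha256": digest}, sort_keys=True).encode()


def sign_manifest(model_bytes: bytes, model_name: str, key: bytes = ROT_KEY) -> dict:
    """Record the model's SHA-256 and authenticate that record with the root-of-trust
    key (HMAC-SHA256 stands in for a hardware-backed digital signature)."""
    digest = hashlib.sha256(model_bytes).hexdigest()
    tag = hmac.new(key, _manifest_payload(model_name, digest), hashlib.sha256).hexdigest()
    return {"model": model_name, "sha256": digest, "tag": tag}


def verify_before_load(model_bytes: bytes, manifest: dict, key: bytes = ROT_KEY) -> tuple:
    """Gate the inference engine's model load: accept only if the manifest is authentic
    and the artifact matches the digest it records. Returns (ok, reason)."""
    expected = hmac.new(key, _manifest_payload(manifest["model"], manifest["sha256"]),
                        hashlib.sha256).hexdigest()
    # Constant-time comparisons avoid leaking how many bytes matched.
    if not hmac.compare_digest(expected, manifest["tag"]):
        return False, "manifest tag mismatch: manifest not issued by the root of trust"
    actual = hashlib.sha256(model_bytes).hexdigest()
    if not hmac.compare_digest(actual, manifest["sha256"]):
        return False, "model hash mismatch: artifact modified after signing"
    return True, "model verified; safe to hand to the inference engine"


if __name__ == "__main__":
    m = sign_manifest(MODEL_BYTES, "traffic-classifier")
    print(verify_before_load(MODEL_BYTES, m))                  # genuine model: accepted
    print(verify_before_load(MODEL_BYTES[:-1] + b"9", m))       # weights edited: rejected
    forged = dict(m, sha256=hashlib.sha256(b"x").hexdigest())  # swapped model + edited manifest
    print(verify_before_load(b"x", forged))                     # rejected: tag no longer valid
```

Editing the manifest's digest to match a substituted model does not help an attacker without the root-of-trust key, because the tag covers the digest.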

Rambus offers a full line-up of root of trust solutions appropriate for everything from IoT devices to powerful AI training accelerators. All of our root of trust solutions are FIPS 140-2 certified and come with state-of-the-art anti-tamper protections to guard against side-channel and reverse-engineering attacks. As the value generated by AI/ML grows exponentially, a hardware root of trust gives designers the means to safeguard AI assets.
