Using AI Data For Security

Pushing data processing to the edge has opened up new security risks, and lots of new opportunities.


Artificial intelligence is migrating from the cloud to IoT edge devices. Now the question is how to apply that same technology to protect data and identify abnormal activity in those devices and the systems connected to them.

This is a complex problem because AI is being used on multiple fronts in this battle, as well as for multiple purposes. The technology has advanced to the point where energy-efficient neural networks can be built on silicon, and that has raised a number of questions and issues that will need to be resolved. Among them:

  • What are the best approaches to keep data private or secure?
  • What are the best approaches to identifying and reacting to aberrations in data flow or other activity without impeding other potentially safety-critical functions?
  • What are the most efficient ways of adding in AI-based security without impacting overall power or performance?

The general consensus through the first half of 2018 was that AI training, as well as most inferencing, would happen primarily on massively parallel server farms. Edge devices would be collectors of raw data, but the vast majority of processing would happen in the cloud, with clean data pushed back down as needed. That perspective changed as the electronics industry began realizing just how much data would have to be moved if the data was not scrubbed, and how expensive and time-consuming that would be. And underlying all of this is concern about privacy rights for some or all of that data.

A half-year later, a flurry of startups and established companies are developing edge-based AI chips and systems that include everything from novel AI architectures to traditional computer architectures with an AI component. It also has spawned activity at the IP level, which helps explain why Arm launched an AI processor as an IP block.

The next step is to apply AI for a number of new applications, and that effort is just beginning. More AI at the edge, coupled with more devices being connected to the Internet, has opened the door for more AI-based security.

“Today, there is no consistent standard across the IoT, making it difficult to protect from the evolving threat landscape,” said Paul Karazuba, senior director of product marketing at Rambus. “Making security the foundation of the OEM’s design process ensures products come to market with consumer safety in mind. One method of achieving this is basing device security on a hardware root of trust. When implemented with a layered security approach, it offers robust protection against a wide range of threats. That allows organizations to secure devices throughout the product lifecycle from device manufacturing all the way to end-of-life decommissioning.”

A second method is to use AI to provide that security, and there are a number of ways this can be done. “First, is providing security for an IoT service,” said Jeff Miller, senior product marketing manager at Mentor, a Siemens Business. “Second is the actual security services enabled by IoT, including better intrusion detection systems on a network or face recognition systems that run on security cameras—or better authentication systems that use multiple factors to try to authenticate people as they approach the door.”

Moving sensitive data to the edge can have a positive impact on both security and privacy. “We hear about data breaches, which typically happen in transit or in the cloud where data is stored and aggregated,” said Miller. “So the more processing done at the edge, and the less sensitive information being sent outside the edge device, the more secure the world we live in. Compartmentalizing secure information and keeping it where it was collected, and then throwing away the sensitive parts, is going to be a very important part of both IoT security as well as IoT acceptance in a lot of situations. This is something where machine learning and AI really hold a lot of promise. It’s this detection of things that you can’t put your finger on it, but know something isn’t right here. People do a very good job of that, but so far machines haven’t unless it’s really obvious what is unusual.”

Machines also potentially can improve authentication and exception detection, including both the security services and the services trying to be secured. But trying to do all of this centrally can be problematic because not all devices are connected all the time, and even when they are connected the speed of data communications can vary greatly.

“These things need to be autonomous and need to be robust against loss of connectivity,” Miller noted. “Think about cars. You wouldn’t want significant portions of your car’s functionality to shut down when you entered a parking garage or a tunnel and lost signal. Some of these systems truly need to be autonomous or at least capable of periods of autonomous operation. That’s a great argument for edge processing. You need it to deliver the service that you need at the quality of service that your customers expect from it.”

Yet another reason to do data processing at the edge and do a lot of ML processing at the edge is just sheer bandwidth. If there are 1,000 cameras streaming data, no system today can handle that effectively.

“Architects of these IoT systems are going to have to have a really solid understanding of machine learning, and that is a challenging concept to get your head around,” he said. “So they will have to think hard about how AI and machine learning change the applications of what can be done. This also opens up new ways to enable services on top of IoT networks that exist or are being planned, because there are more ways to use this data to make actionable insights. ‘We’re collecting all this data, so let’s do something useful with it. Let’s use machines to process that and give insights to humans or, create non-obvious actions from all of that data.’ And that has to be known to the architects of these systems.”

AI security issues
There is tremendous potential for this new kind of programming paradigm, and models currently are being developed for neural net architectures.

“There’s lots of interest in biometrics, whether it is face recognition or advanced fingerprint recognition, voice biometrics, among others,” said Mike Borza, member of the technical staff for Synopsys security IP. “There are also all kinds of other applications that are really interesting, such as the obvious crossover into the automotive markets because of all the image processing that needs to be done in autonomous vehicle driving. There is lots of other signal processing, as well as the need to do that at very high levels of confidence. As people are busy getting systems up and running, we are starting to recognize some of the challenges that remain to be solved.”

One of these is that the performance of a neural network is extremely dependent on the quality of the data used for training the system. “That means the integrity of all of the data sets around there is crucial,” Borza said. “What people have found is that if you make small changes to bias the training data, or changes to the input data that bias, the network can respond with large-scale disturbances to its behavior. This fact makes the case about being concerned with the integrity of that data, and the easiest and most error-free way to deal with that is to use cryptographic authentication of that kind of data.”

But AI has its own potential security holes. Borza said that some teams have been so focused on solving other problems that they haven’t paid much attention to security. “A lot of them haven’t thought about how somebody might use that fragility to attack their product or the users of their product and how it could be viewed. Some of those teams have only just started to think about it. We’ve been dealing with some teams now that are on their second generation of products. Their customers are saying that they like the functional performance and behavior of the product, but they now need to have some assurance that it’s actually behaving properly and using the data that it’s supposed to be using, and that that data is intact.”

As a result, these companies are coming to realize on their own, or are being told by their customers, that security is now essential. That includes both software, and in the case of embedded systems, embedded hardware. Novel solutions for in-circuit monitoring from companies such as UltraSoC and Moortec speak to the different types of embedded analytics technologies coming to market.

“When you get into the datapath of these products, the performance levels demand hardware security features in order to be able to do the processing in a timely fashion, so we’re seeing things like inline memory encryption becoming more interesting,” Borza said. “In some cases, people want cryptographic authentication on that encrypted memory to make sure that the encrypted data isn’t being manipulated. Also, the model itself is stored and encrypted in authenticated form, then signed with a public key, which needs to be decrypted and placed securely into the neural net processor. The authenticity of that needs to be checked because you don’t want to be loading a model that has been manipulated by somebody else. With these types of things, approaches used in other secure processing systems are starting to show up in the chips that are implementing neural nets.”

Further, providers of semiconductor IP are still struggling with detecting security vulnerabilities in ‘traditional’ hardware, pointed out Sergio Marchese, technical marketing manager at OneSpin Solutions. “For example, rowhammer attacks are well understood, and there are several defensive techniques, including memory protection with error correcting code (ECC) modules. A couple of months back, I read an article about how some academics found a way to get around ECC and inject three consecutive bit-flips into memory. When it comes to AI and hardware for CNNs and ML algorithms, we are just beginning to understand vulnerabilities. Researchers demonstrated black-box and white-box, where details on the internal structure of the CNN are known, strategies to insert errors, invisible to the human eye, in very specific places in an image that results in completely wrong classification.”

Formal verification is likely to play a strong role in ensuring that ML algorithms behave within some boundaries. It is the only way to ensure that certain things cannot happen, no matter what, which is crucial for safety-critical applications like autonomous vehicles, he stressed. “Overall, security verification and certification of AI systems is even further away. Simulation or emulation approaches are inadequate even for traditional verification, never mind for AI systems. At least for safety-critical systems, I see at present no alternative to explainable AI. Engineers need models on which to apply formal proofs and generate evidence of correctness and robustness that supports compliance and certification processes.”

An important consideration right now, especially with everything so fluid and with advances being made very quickly, is that people will have to continue to update models for the foreseeable future.

“We’re going to see some evolution in those products and the architectures, but you’re not likely to see dedicated networks that are just one type of network,” Borza said. “You’re unlikely to see a dedicated residential model or something like that. There are network chips capable of being reconfigured to implement that network architecture, and then the models that are derived on that network architecture or the representation of the algorithms is being distributed to the field to devices that are actually installed. We anticipate people will update those models, especially in fast-moving areas or things that are going to improve as more data is collected, and then those updates will be distributed. But that update needs to be protected in terms of its confidentiality, and especially in terms of its integrity. You want the new model that’s distributed to be the exact one that you’ve calculated and that you sent to the field.”
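An added example, not from the article or from any vendor quoted in it: a minimal device-side check that a distributed model update is exactly what the vendor produced before it is handed to the neural net processor. HMAC-SHA256 with a constructed shared key stands in for the public-key signature a production device would verify; the package layout, key and function names are assumptions, and the version check against replay of an older model goes one step beyond what the article describes.

```python
import hashlib
import hmac
import json
import struct

# Constructed demo key (assumption). A production device would verify a
# public-key signature with a key anchored in a hardware root of trust.
DEVICE_KEY = bytes(range(32))
TAG_LEN = hashlib.sha256().digest_size


class UpdateRejected(Exception):
    """Raised when a model package must not be loaded."""


def package_model(weights: bytes, version: int, key: bytes = DEVICE_KEY) -> bytes:
    """Vendor side: length-prefixed JSON header + weights + HMAC-SHA256 tag."""
    header = json.dumps({"version": version, "size": len(weights)}).encode()
    body = struct.pack(">I", len(header)) + header + weights
    return body + hmac.new(key, body, hashlib.sha256).digest()


def verify_and_load(package: bytes, installed: int, key: bytes = DEVICE_KEY):
    """Device side: authenticate first, parse second, then check freshness."""
    if len(package) < 4 + TAG_LEN:
        raise UpdateRejected("truncated package")
    body, tag = package[:-TAG_LEN], package[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise UpdateRejected("authentication tag mismatch")
    (hlen,) = struct.unpack(">I", body[:4])
    header = json.loads(body[4:4 + hlen])
    weights = body[4 + hlen:]
    if header["size"] != len(weights):
        raise UpdateRejected("size field does not match payload")
    if header["version"] <= installed:
        raise UpdateRejected("older or replayed model version")
    return header["version"], weights  # only now hand weights to the NN engine


def try_update(package: bytes, installed: int) -> str:
    """Return a status string instead of raising, for logging or tests."""
    try:
        version, weights = verify_and_load(package, installed)
        return f"loaded v{version} ({len(weights)} bytes)"
    except UpdateRejected as exc:
        return f"rejected: {exc}"
```

Confidentiality of the model, which the article also calls for, would need encryption on top of this check and is not shown here.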

The edge and beyond
The edge has emerged as a particular security concern because some of these devices can kill you.

“It’s cars and robots and medical devices,” said Kurt Shuler, vice president of marketing at Arteris IP. “These things can kill you two ways. A cosmic ray can cause a bit to flip, and things go awry. The other way is that the AI may work as intended, but what it decides to do from its neural net application is the wrong thing. In that case, the safety of the intended function is bad.”

There’s even a new spec just for this: “ISO/PAS 21448:2019 Road vehicles — Safety of the intended functionality.” That captures how to analyze these AI-powered systems going into cars, so they work as designed.

Security can impact all of these systems. “There’s a totally separate set of specs, and a totally separate set of Ph.D. geeks working on safety and on security,” said Shuler. “What’s disconcerting is that the effects of any of these things, especially from a functional safety standpoint and a security standpoint, can be the same. Whether a bit flips or an engineer flipped a bit, someone can get hurt. Yet these sets of experts don’t really talk to each other too much. This was addressed in the new ISO 26262 2018 specification that came out in December, which includes specific text to address this. It basically says you must coordinate with security guys, but unless security is somehow mandated to a certain level — like functional safety is in cars and trains and other verticals — nobody really cares. It’s like insurance. Nobody wants to pay for too much security.”

Additionally, the more security that’s added to a system, the greater the potential performance hit and the more complicated the development task. And at least at this point, liability for poor security is limited, Shuler noted. “‘What is my responsibility if somebody hacks into this thing? Will I actually get in trouble for it or get sued? Is my company going to be shut down? Am I going to go to jail?’ The answer to most of those is no.”

This is yet another argument for keeping data local.

“When it comes to security, the reason why we have AI is because we have so much data available and it’s sitting somewhere,” Shuler said. “As we put more systems in the field, like vision systems, they’re not only acting based on a model that they have and saying, ‘That’s a stop sign,’ or, ‘That’s a little kid crossing the street.’ They’re also taking in new information that they don’t recognize and firing it up to the data center. Then, the data center is taking all of that information and drawing new inferences. That data store becomes a huge target for security. It’s a huge target because you’ve got your fingers on that. You can steal all the credit card numbers in the world. You can influence elections. You can mess with the financial system. You can delete everybody’s medical records or look at everybody’s medical records. It provides such a wonderful meaty target if it’s not protected well, and it has been demonstrated that IT guys at insurance companies and Facebook and credit card companies are not good at protecting that data.”

AI, machine learning and deep learning are not new concepts, but they are being applied in new ways, including keeping the very data that makes AI possible in the first place. But this is all still in the early stages of development. The entire AI ecosystem must come together to devise cohesive solutions for true data security, and that stretches well beyond the individual devices that contain the data.
