Encrypted-Input Obfuscation of Image Classifiers

Encrypted-Input Obfuscation of Image Classifiers

연구 분야: Analysis

학회: IFIP Annual Conference on Data and Applications Security and Privacy

We consider the problem of protecting image classifiers simultaneously from inspection attacks (i.e., attacks that have read access to all details in the program’s code) and black-box attacks (i.e., attacks where have input/output access to the program’s code). Our starting point is cryptographic program obfuscation, which guarantees some provable security against inspection attacks, in the sense that any such attack is not significantly more successful than a related black-box attack. We actually consider the recent model of encrypted-input cryptographic program obfuscation, which uses a key shared between the obfuscation deployer and the input encryptor to generate the obfuscated program. In this model we design an image classifier program and an encrypted-input obfuscator for it, showing that the classifier program is secure against both inspection and black-box attacks, under the existence of symmetric encryption schemes. We evaluate the accuracy of our classifier and show that it is significantly better than the random classifier and not much worse than more powerful classifiers (e.g., k-nearest neighbor) for which however no efficient obfuscator is known.