Protecting Artificial Intelligence and Machine Learning Applications and Data

Artificial Intelligence (AI) and machine learning (ML) technologies are finding their way into mainstream systems, devices, and critical applications as commercial and industrial organizations grow more and more connected. Actual use cases today are widespread across diverse areas, from speech recognition, malware detection, and quality testing to applications that are critical to human safety, like driver assistance systems or medical diagnostics.

An attack on an AI application or even a simple malfunction or an inadvertent manipulation could have life-threatening implications. In the medical field, an incorrect classification could lead to a wrong medical diagnosis and, subsequently, an incorrect treatment. Moreover, AIs are trained on sensitive patient data for which confidentiality and the patient’s anonymity are paramount. This data could be a CT or MRT scan, or information about the patient’s medical history, where a breach on the AI-generated data could have detrimental consequences to the patient.

In the industrial sector, for example, an attacker could meddle with the ML training data, where even seemingly harmless changes, such as altering the color of individual pixels, can have a major effect. Certain manipulated properties might feed through into the trained model that no human observer would ever spot. In a similar vein, an attacker could tamper the pre-processing of the training data, the training parameters, or even the finished trained model to cause mistakes further down the line or make the system deliver incorrect classification output.

The attack surfaces of the machine learning lifecycle are many and protection from manipulation is critical. Manipulation of any data or any algorithm used within the machine learning lifecycle can have disastrous consequences. In addition, the confidentiality of sensitive data and intellectual property contained in it must also be protected, as the training data could e.g. reveal the inner workings of a component. Even the AI application itself or its underlying data about the relevance of specific training parameters might represent intellectual property in this respect.

CodeMeter Protection Suite offers an all-round toolkit for the defense of both executables and data involved in AI and ML applications. Executables are protected from tampering or reverse engineering well beyond the traditional “security-by-obscurity” mechanisms. Executables or sensitive functions are encrypted using established cryptographic algorithms. In addition, cryptographic methods are utilized to protect the integrity of software and data. Functions and data are decrypted at runtime. Sensitive parts of the code can even be decrypted and executed, and key material or certificates can be securely transferred and stored in secure hardware. This does not only keep the key material secret, but it also prevents the manipulation of keys and certificates.

Due to the availability of open-source frameworks, as well as the popularity of the language, AI applications are often written in Python. AxProtector Python protects both the framework code used for training and the data used in the machine learning lifecycle, from manipulation, theft of intellectual property, and unauthorized use.