Towards Securing Quantized Deep Learning
| Field | Value | Language |
| --- | --- | --- |
| dc.contributor.advisor | Abbott, Derek | |
| dc.contributor.advisor | Al-Sarawi, Said F. | |
| dc.contributor.author | Ma, Hua | |
| dc.contributor.school | School of Electrical and Mechanical Engineering | |
| dc.date.issued | 2024 | |
| dc.description.abstract | The impressive capabilities of Machine Learning (ML) technology, driven largely by the rapid emergence of Deep Learning (DL), have facilitated a wide array of practical applications, spanning image recognition, autonomous driving, and speech processing. The significance of DL is further underscored by recent advancements in large language models such as ChatGPT, Bard, and LLaMA, and in image-generative Artificial Intelligence (AI) models such as DALL-E, Stable Diffusion, and Midjourney. While larger models remain a significant trend, there is a counter-trend towards small models, often referred to as Tiny Machine Learning (TinyML). These smaller models cater to on-device inference tasks, such as autonomous driving, speech analytics, and real-time medical monitoring, where low latency, memory, and computational resources are crucial factors. Hence, model compression becomes a prerequisite in this context. Quantization emerges as one of the most practical solutions for compressing models. Quantized models can be efficiently deployed on microcontroller-based Internet of Things (IoT) devices, and the quantization process can be executed post-training, facilitated by commercial ML quantization frameworks like TensorFlow-Lite (TFLite) and PyTorch Mobile. Additionally, integer quantization, especially binarization, facilitates the deployment of compressed models on Field Programmable Gate Arrays (FPGAs). Despite the myriad advantages of quantized DL models, they face several security challenges, many of which have not been thoroughly elucidated, raising significant concerns regarding their safety and security in usage. This dissertation takes initial strides towards comprehending the vulnerabilities of quantized DL models, particularly those unique to them. First, it is found that the default usage of commercial ML quantization tools is susceptible to backdoor vulnerabilities. An attacker can implant a dormant backdoor in the full-precision model, and this backdoor behaviour is activated solely by the quantization operation. As a result, front-end inspection of full-precision models is ineffective in detecting the dormant backdoor, while back-end inspection of quantized models is prohibitively expensive. To counter this, we propose a straightforward prevention countermeasure against this attack. Second, it is found that it is relatively easy to compromise the utility of the global model through local model poisoning in privacy-preserving quantized Federated Learning (FL). Attackers can ignore the legitimate values of the quantized range, and the FL server faces challenges in assessing local model updates in ciphertext. To address this, we introduce the first lightweight malicious client detection scheme for quantized FL in ciphertext, built upon secret sharing within a single-server setting. Our scheme accurately identifies malicious clients by grouping them based on the hypermesh technique and subsequently eliminates their detrimental contributions to maintain the baseline utility of the global model. Lastly, it is observed that the memory footprint of Binarized Neural Networks (BNNs), the extreme case of quantization, can be further reduced through multi-task learning. Instead of training separate BNN models for individual tasks, a single Reconfigurable Binary Neural Network (RBNN) model can be dynamically reconfigured to cater to multiple inference tasks on demand. However, the physical accessibility of on-device BNNs and their vulnerability to being copied raise concerns of Intellectual Property (IP) infringement. Hence, an IP protection framework that binds RBNN reconfiguration with both a user key and a device key derived from a physical unclonable function is proposed in this thesis. This strategy prevents unauthorized access to and execution of the model on unapproved devices, allowing IP licenses to be issued per device and per user. In summary, this dissertation uncovers the security issues of quantized DL models concerning the confidentiality (IP infringement), integrity (backdoor attacks), and availability (poisoning corruption) of the model, providing corresponding countermeasures for each aspect. | |
| dc.description.dissertation | Thesis (Ph.D.) -- University of Adelaide, School of Electrical and Mechanical Engineering, 2024 | en |
| dc.identifier.uri | https://hdl.handle.net/2440/144684 | |
| dc.language.iso | en | |
| dc.provenance | This electronic version is made publicly available by the University of Adelaide in accordance with its open access policy for student theses. Copyright in this thesis remains with the author. This thesis may incorporate third party material which has been used by the author pursuant to Fair Dealing exceptions. If you are the owner of any included third party copyright material you wish to be removed from this electronic version, please complete the take down form located at: http://www.adelaide.edu.au/legals | en |
| dc.subject | Deep Neural Network | |
| dc.subject | Quantization | |
| dc.title | Towards Securing Quantized Deep Learning | |
| dc.type | Thesis | en |
Files
Original bundle
- Name: MaH2024_PhD.pdf
- Size: 23.51 MB
- Format: Adobe Portable Document Format