MixNN: A design for protecting deep learning models
Chao Liu, Hao Chen, Yusen Wu, Rui Jin

TL;DR
MixNN is a decentralized design for protecting deep learning models that conceals structure, parameters, and communication flows, enhancing privacy and security against adversaries.
Contribution
This paper introduces MixNN, a novel decentralized architecture that secures deep learning models by hiding their structure and parameters using mix network principles.
Findings
MixNN retains classification accuracy within 0.001 of traditional models.
MixNN increases runtime by approximately 7.5 times compared to single virtual machine deployment.
MixNN prevents full control and tampering by adversaries even if some layers collude.
Abstract
In this paper, we propose a novel design, called MixNN, for protecting deep learning model structure and parameters. The layers in a deep learning model of MixNN are fully decentralized. Using ideas from mix networks, MixNN hides the communication addresses, the layer parameters and operations, and the forward and backward message flows among non-adjacent layers. MixNN has the following advantages: 1) an adversary cannot fully control all layers of a model, including the structure and parameters; 2) even if some layers collude, they cannot tamper with the other honest layers; 3) model privacy is preserved in the training phase. We provide detailed descriptions for deployment. In one classification experiment, we compared a neural network deployed in a single virtual machine with the same network using the MixNN design on AWS EC2. The result shows that our MixNN retains less than 0.001 difference in terms…
Taxonomy
Topics: Privacy-Preserving Technologies in Data · Adversarial Robustness in Machine Learning · Internet Traffic Analysis and Secure E-voting
