RobPI: Robust Private Inference against Malicious Client
Jiaqi Xue, Mengxin Zheng, Qian Lou

TL;DR
RobPI introduces a cryptographic protocol that significantly enhances the security of private inference against malicious clients, reducing attack success rates and increasing query complexity to ensure privacy and robustness.
Contribution
This paper presents RobPI, a novel private inference protocol that defends against malicious clients by integrating encryption-compatible noise, a significant advancement over existing semi-honest models.
Findings
RobPI reduces attack success rate by approximately 92%.
It increases the number of queries a malicious client needs by more than 10 times.
RobPI maintains high inference accuracy while enhancing security.
Abstract
The increased deployment of machine learning inference in various applications has sparked privacy concerns. In response, private inference (PI) protocols have been created to allow parties to perform inference without revealing their sensitive data. Despite recent advances in the efficiency of PI, most current methods assume a semi-honest threat model where the data owner is honest and adheres to the protocol. However, in reality, data owners can have different motivations and act in unpredictable ways, making this assumption unrealistic. To demonstrate how a malicious client can compromise the semi-honest model, we first designed an inference manipulation attack against a range of state-of-the-art private inference protocols. This attack allows a malicious client to modify the model output with 3x to 8x fewer queries than current black-box attacks. Motivated by the attacks, we…
Taxonomy
Topics: Privacy-Preserving Technologies in Data · Cryptography and Data Security · Adversarial Robustness in Machine Learning
