Encrypted-Input Obfuscation of Image Classifiers

• Published in: Data and Applications Security and Privacy XXXV pp. 136 - 156
• Main Authors: Di Crescenzo, Giovanni, Bahler, Lisa, Coan, Brian A., Rohloff, Kurt, Cousins, David B., Polyakov, Yuriy
• Format: Book Chapter
• Language: English
• Published: Cham Springer International Publishing
• Series: Lecture Notes in Computer Science
• Subjects: Black-box attacks; Image classifiers; Inspection attacks; Program obfuscation
• ISBN: 9783030812416; 3030812413
• ISSN: 0302-9743; 1611-3349
• DOI: 10.1007/978-3-030-81242-3_8

We consider the problem of protecting image classifiers simultaneously from inspection attacks (i.e., attacks that have read access to all details in the program’s code) and black-box attacks (i.e., attacks where have input/output access to the program’s code). Our starting point is cryptographic program obfuscation, which guarantees some provable security against inspection attacks, in the sense that any such attack is not significantly more successful than a related black-box attack. We actually consider the recent model of encrypted-input cryptographic program obfuscation, which uses a key shared between the obfuscation deployer and the input encryptor to generate the obfuscated program. In this model we design an image classifier program and an encrypted-input obfuscator for it, showing that the classifier program is secure against both inspection and black-box attacks, under the existence of symmetric encryption schemes. We evaluate the accuracy of our classifier and show that it is significantly better than the random classifier and not much worse than more powerful classifiers (e.g., k-nearest neighbor) for which however no efficient obfuscator is known.