
[Artificial Intelligence] Responsible AI: The Future of AI Security and Privacy


Although AI development has been driven largely by research, it has not been confined to it. Practices such as sharing open datasets, publicly releasing models, and making use of whatever compute is available have all helped advance the state of the art. Today AI is deployed in production across business, healthcare, government, and defense, in many industries and regions, and Intel provides developers with **AI software tools, framework optimizations, and industry-specific reference kits** to ease the move from pilot to production. Yet while security practices are well established in software development, they remain immature for AI, and in many cases AI introduces new vulnerabilities of its own.

Fortunately, Jason and his team conduct research aimed at identifying these vulnerabilities, so that they can develop ways to test for and mitigate the risks in practice. Throughout the presentation, Jason used the term "machine learning supply chain" as a useful framework for examining the various areas of concern. The assets in that supply chain that need protection include:

  • Training data: samples and labels
  • Model structure
  • Model parameters
  • Inference samples
  • Model outputs: predictions or decisions

All of these can be targets, for a variety of reasons and via a variety of techniques. Jason's presentation walked through a sampling of the attack types his team has researched, each illustrated with examples. In brief:

  • Model theft: probing the model's decision boundary through API queries. Developing and training these models is expensive, and an attacker does not need a bitwise copy of a model to extract its value. A typical route is knowledge distillation, a model-compression technique; when it is used to copy someone else's model, it is called model extraction.
  • Data theft: beyond simply stealing the data, the high value of the data means that a model trained on it can reveal specific information through its outputs alone, giving attackers a new way to obtain particular details indirectly.
  • Model reconstruction: once a model has learned the underlying patterns in its training data, an adversary can reconstruct leaked training data by analyzing what the model has learned.
  • Membership inference: by analyzing features of the model's output, an adversary can determine whether a specific data point was part of the dataset used to train the model.
  • Tampering: modifying the behavior of the model. This can happen during training, at inference time, or by manipulating the model's output elsewhere in its operating ecosystem. Jason illustrated the range of tampering, from a T-shirt that gets you classified as a bird in testing, to more sophisticated attacks such as malware and signal interference.

At this point Jason read the mood of the audience and paused for a moment to reassure them: "Don't be concerned; we'll engage in defensive strategies."

Given how large the hidden attack surface is and how quickly it keeps evolving, there is no single answer. But you can start securing your AI now.

Start by protecting your data. Encrypt it and restrict access to protect data at rest. Intel® Software Guard Extensions (Intel® SGX), originally developed by Intel Labs, protects the confidentiality and integrity of data while it is in use. By isolating applications, it also makes it possible to ensure that only authorized models and training procedures are executed remotely. You can build your own security solution on SGX, or use tools, frameworks, and systems that already integrate it.

Some data must stay where it is: because of privacy regulations such as HIPAA and GDPR, because it is highly confidential, or simply because it is too large to move. Federated learning still lets such data contribute to a high-quality model. The computation is moved to where the data lives, and the resulting partial models are aggregated into a single global model. A notable example is the Federated Tumor Segmentation (FeTS) project, which by pooling models from many institutions achieved a 33% improvement in model accuracy.
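The aggregation step described above, as an added example that is not code from the FeTS project or from the talk: each site trains a small logistic-regression model on its own data, only the parameters leave the site, and the server combines them with a sample-count-weighted average (federated averaging). The site data, the task and the hyperparameters are all constructed for illustration.

```python
"""Federated averaging on a toy logistic-regression task (added example).

Each "site" trains only on its own data; only model parameters leave the
site, and the server builds the global model as a sample-count-weighted
average of the site models. All data below is constructed.
"""
import math
import random


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def local_train(weights, bias, data, lr=0.1, epochs=20):
    """Full-batch gradient descent on one site's data; returns updated params.
    The raw samples never leave this function, only (weights, bias) do."""
    w = list(weights)
    b = bias
    n = len(data)
    for _ in range(epochs):
        gw = [0.0] * len(w)
        gb = 0.0
        for x, y in data:
            p = sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b)
            err = p - y
            for i, xi in enumerate(x):
                gw[i] += err * xi
            gb += err
        w = [wi - lr * g / n for wi, g in zip(w, gw)]
        b -= lr * gb / n
    return w, b


def fed_avg(site_updates):
    """site_updates: list of (weights, bias, n_samples).
    Returns the global (weights, bias) weighted by each site's sample count."""
    total = sum(n for _, _, n in site_updates)
    dim = len(site_updates[0][0])
    w = [0.0] * dim
    b = 0.0
    for site_w, site_b, n in site_updates:
        frac = n / total
        for i in range(dim):
            w[i] += frac * site_w[i]
        b += frac * site_b
    return w, b


def make_site_data(rng, n, shift):
    """Constructed data: label 1 if x0 + x1 + shift > 0; the shift models
    a slightly different population at each institution."""
    data = []
    for _ in range(n):
        x = [rng.uniform(-2, 2), rng.uniform(-2, 2)]
        y = 1.0 if x[0] + x[1] + shift > 0 else 0.0
        data.append((x, y))
    return data


def accuracy(w, b, data):
    correct = 0
    for x, y in data:
        p = sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b)
        correct += int((p >= 0.5) == (y == 1.0))
    return correct / len(data)


def run_federated(rounds=5, seed=0):
    """Simulates three sites of different sizes and returns global test accuracy."""
    rng = random.Random(seed)
    sites = [make_site_data(rng, n, s) for n, s in [(60, 0.0), (30, 0.3), (90, -0.3)]]
    test = make_site_data(rng, 200, 0.0)
    w, b = [0.0, 0.0], 0.0
    for _ in range(rounds):
        updates = []
        for data in sites:
            local_w, local_b = local_train(w, b, data)   # runs "at the site"
            updates.append((local_w, local_b, len(data)))
        w, b = fed_avg(updates)                            # runs at the aggregator
    return accuracy(w, b, test)


if __name__ == "__main__":
    print(f"global model accuracy: {run_federated():.2f}")
```

The privacy property comes from the interface, not the arithmetic: `local_train` is the only function that touches samples, and `fed_avg` sees nothing but parameter vectors and counts. In a real deployment the parameter exchange is the part that still needs protection (transport encryption and, where available, attestation of the aggregator), since model updates can themselves leak information about the training data.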

Protect against model theft with the Intel® Distribution of OpenVINO™ Toolkit Security Add-On, which controls access to deployed OpenVINO models through secure packaging and secure model execution.

Prevent model extraction by reducing the amount of information the model returns (for example, confidence scores). Other techniques for preventing extraction include rate-limiting queries and detecting out-of-distribution queries. Work is under way to enable model watermarking.
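The three mitigations just listed, as an added example that is not code from the talk or from any Intel product: an inference endpoint wrapper that returns only a label (or a coarsened confidence), rate-limits each client over a sliding window, and refuses queries that fall outside a summary of the training distribution. The classifier, its "training statistics" and the client traffic are all constructed stand-ins.

```python
"""Hardening an inference endpoint against model extraction (added example).

ToyModel is a constructed classifier; GuardedInference applies the three
mitigations named in the text: coarse outputs, per-client rate limiting,
and out-of-distribution (OOD) query detection.
"""
import math
import time
from collections import deque


class ToyModel:
    """Constructed stand-in for a deployed classifier: one centroid per class,
    confidence = softmax over negative Euclidean distance to each centroid."""

    def __init__(self, centroids):
        self.centroids = centroids
        pts = list(centroids.values())
        dim = len(pts[0])
        # Training-distribution summary used for the OOD check (constructed):
        # centre of the centroids plus a radius with a margin of 1.0.
        self.mean = [sum(p[i] for p in pts) / len(pts) for i in range(dim)]
        self.radius = max(math.dist(p, self.mean) for p in pts) + 1.0

    def predict_proba(self, x):
        scores = {label: -math.dist(x, c) for label, c in self.centroids.items()}
        m = max(scores.values())
        exps = {k: math.exp(v - m) for k, v in scores.items()}
        total = sum(exps.values())
        return {k: v / total for k, v in exps.items()}


class RateLimiter:
    """Sliding-window limiter: at most `limit` queries per `window` seconds
    per client. `clock` is injectable so behaviour can be tested deterministically."""

    def __init__(self, limit, window, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self.hits = {}

    def allow(self, client_id):
        now = self.clock()
        q = self.hits.setdefault(client_id, deque())
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class GuardedInference:
    """Wraps a model with the three mitigations named in the text."""

    def __init__(self, model, limiter, label_only=True, round_to=1):
        self.model = model
        self.limiter = limiter
        self.label_only = label_only   # drop confidence scores entirely ...
        self.round_to = round_to       # ... or coarsen them to this many decimals
        self.audit_log = []            # rejected queries, for later review

    def query(self, client_id, x):
        if not self.limiter.allow(client_id):
            self.audit_log.append(("rate_limited", client_id))
            return {"error": "rate_limited"}
        # Queries far from the training distribution are typical of boundary
        # probing; refuse them and record the event instead of answering.
        if math.dist(x, self.model.mean) > self.model.radius:
            self.audit_log.append(("out_of_distribution", client_id))
            return {"error": "out_of_distribution"}
        proba = self.model.predict_proba(x)
        best = max(proba, key=proba.get)
        if self.label_only:
            return {"label": best}
        return {"label": best, "confidence": round(proba[best], self.round_to)}


def demo():
    """Constructed walkthrough of one client's traffic; returns the responses."""
    model = ToyModel({"cat": (0.0, 0.0), "dog": (4.0, 0.0)})
    guard = GuardedInference(model, RateLimiter(limit=3, window=60), label_only=False)
    results = [guard.query("client-A", (0.5, 0.0)),    # in-distribution, answered
               guard.query("client-A", (20.0, 0.0))]   # far from training data, refused
    for _ in range(3):                                 # burst: the limit of 3 is hit
        results.append(guard.query("client-A", (3.5, 0.0)))
    return results


if __name__ == "__main__":
    for r in demo():
        print(r)
```

Note that a refused (OOD or rate-limited) query still consumes the client's quota, because the limiter runs first; that is deliberate, so that probing cannot be made free by sending unanswerable inputs. With `round_to=1` the confidences in the demo collapse to `1.0`, which is exactly the point: the fine-grained scores an extraction attack would learn from are no longer exposed.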

Adversarial attacks remain an ongoing challenge. Partnerships with organizations such as Intel help establish data provenance tracking, so that the origin of information can be identified. Initiatives such as DARPA's GARD program aim to make AI more resilient to deception by training models to identify robust features, much as human vision does. Jason also highlighted several other techniques his team is currently exploring.
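One concrete form of the provenance tracking mentioned above, as an added example that is not from the talk, from Intel or from DARPA GARD: a manifest that records each training-data shard's SHA-256 hash and declared source, authenticated with an HMAC so that a modified shard, a missing shard, or an edited manifest is detected before training starts. The key, the shard contents and the institution names are constructed placeholders.

```python
"""Tamper-evident provenance manifest for training data (added example).

build_manifest records hash, size and declared source for every shard and
authenticates the entries with HMAC-SHA256; verify_manifest checks the
manifest first, then every shard, before data is allowed into training.
"""
import hashlib
import hmac
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(entries: dict) -> bytes:
    # Canonical JSON so the HMAC does not depend on dict ordering.
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(shards: dict, key: bytes) -> dict:
    """shards maps shard name -> (content bytes, declared source).
    Returns a manifest whose entries are authenticated with HMAC-SHA256."""
    entries = {
        name: {"sha256": sha256_hex(content), "source": source, "bytes": len(content)}
        for name, (content, source) in shards.items()
    }
    tag = hmac.new(key, _canonical(entries), hashlib.sha256).hexdigest()
    return {"entries": entries, "hmac": tag}


def verify_manifest(manifest: dict, shards_bytes: dict, key: bytes):
    """Returns (ok, problems). Proves the manifest itself is untouched first,
    then checks every shard's hash and flags missing or unlisted shards."""
    expected = hmac.new(key, _canonical(manifest["entries"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac"]):
        return False, ["manifest authentication failed"]
    problems = []
    for name, entry in manifest["entries"].items():
        if name not in shards_bytes:
            problems.append(f"missing shard {name} (source {entry['source']})")
        elif sha256_hex(shards_bytes[name]) != entry["sha256"]:
            problems.append(f"hash mismatch for {name} (source {entry['source']})")
    for name in shards_bytes:
        if name not in manifest["entries"]:
            problems.append(f"unlisted shard {name}")
    return not problems, problems


# Constructed example data: two shards from two hypothetical institutions.
KEY = b"example-manifest-key-not-for-production"
SHARDS = {
    "site_a_000.csv": (b"id,label\n1,benign\n2,malignant\n", "hospital-A/export-2024-01"),
    "site_b_000.csv": (b"id,label\n7,benign\n", "hospital-B/export-2024-02"),
}


def scenario():
    """Returns verification results for the clean set, a tampered shard,
    and a manifest edited to cover up that tampering (without the key)."""
    manifest = build_manifest(SHARDS, KEY)
    clean = {name: content for name, (content, _) in SHARDS.items()}
    tampered = dict(clean, **{"site_b_000.csv": b"id,label\n7,malignant\n"})
    edited = json.loads(json.dumps(manifest))
    edited["entries"]["site_b_000.csv"]["sha256"] = sha256_hex(tampered["site_b_000.csv"])
    return (
        verify_manifest(manifest, clean, KEY),
        verify_manifest(manifest, tampered, KEY),
        verify_manifest(edited, tampered, KEY),
    )


if __name__ == "__main__":
    for ok, problems in scenario():
        print("OK" if ok else "REJECTED", problems)
```

The manifest check runs before any hash comparison: if the entries can be edited freely, an attacker who changes a shard can simply update its recorded hash, so the HMAC (or, in production, a signature from a key the training pipeline does not hold) is what makes the record trustworthy. The `source` field is what turns this from an integrity check into provenance: every rejected shard is reported together with the institution and export it claims to come from.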

The key takeaway from this session is to develop a security mindset. Most AI development, by contrast, happens in an open research environment. Building production AI systems that use proprietary or confidential data requires security to be built in from the very start of the lifecycle. Achieving complete security while continuing to innovate is hard, but today's tools can already prevent many attacks, and designing systems to fail safely minimizes the damage when something does go wrong. As the AI industry matures, more tools and best practices will emerge.

The Future of Responsible Artificial Intelligence: Exploring the Intersection of Security and Privacy in the Intel Community
