Security Guide for Edge ML Designers

With more IoT devices performing mission-critical tasks - security is essential. To achieve the potential of smart devices that implement ML and AI in their applications, we must protect the critical intellectual property that represents the majority of the solution’s value.

author avatar

08 Feb, 2023. 8 min read

This is the third article in a 3-part series that explains the current state of IoT security and introduces cutting-edge, highly secure MCUs from Alif SemiconductorTM. 

There is a surge of interest in Machine Learning (ML) and Artificial Intelligence (AI) applications. This interest is partly driven by the explosion in data generation, which enables modern enterprises to access very large volumes of digital data from a variety of different sources, such as business information systems and internet-connected devices. Based on these data, enterprises can develop ML systems that exhibit better performance than ever before.

Introducing edge machine learning (EdgeML)

Until recently, most ML systems and applications were deployed within cloud computing infrastructures. This provided the means for managing large volumes of data while easing access to the computing capacity needed for training and executing ML models. In recent years there has been a shift of data from remote cloud data centers to local edge clusters and devices, i.e., a shift to the edge computing paradigm. This shift is motivated by the need to support real-time and power-efficient applications that operate close to the field instead of transferring large volumes of data to the cloud. The advent of edge computing has given rise to EdgeML, a novel paradigm for developing and deploying ML applications. Rather than moving data over wide area networks and running ML models inside the cloud, EdgeML applications execute models within various edge computers and devices. This includes edge clusters, gateways, embedded devices, Internet of Things (IoT) devices, and microcontrollers.

ML designers leverage edge computing and edge ML to achieve the following benefits for their applications:

  • Low-Latency Operations for Mission Critical Tasks: Edge processing can be much faster than cloud processing, as it does not incur the latency of transferring data from the source to the cloud. This makes EdgeML suitable for low-latency applications such as real-time identification of abnormal human behaviors in surveillance applications and real-time defect detection in manufacturing processes. 

EdgeML applications can also benefit from the capacity of cloud computing when required. Specifically, it is possible to collect, aggregate, and process data points from multiple edge devices in the cloud. This enables cloud/edge designs and deployments to leverage many data points toward building, training, and executing accurate data models.

EdgeML security challenges

ML designers are commonly resorting to EdgeML configurations to enhance the privacy and data protection advantages of their applications when compared to the respective cloud applications. This is because edge configurations reduce data transfers, which limits the attack surface of the ML applications. EdgeML applications keep sensitive data at their source, which reduces the number of potential data breaches.

Despite these benefits, EdgeML deployments create new security challenges for EdgeML designers, notably challenges associated with the peculiarities of their data sources and edge devices (e.g., IoT devices). This is because edge devices cannot benefit from the security protection functionalities of the cloud data center. Rather they reside at the edge of the network where fewer protective measures are deployed. This renders sensitive information and the devices themselves vulnerable to a variety of security threats.  Therefore, EdgeML designers must consider and remedy prominent vulnerabilities of edge ML devices, including:

  • Malware attacks: In EdgeML deployments, there are always opportunities for adversaries to use malicious code to hijack devices. For example, an attacker may maliciously install older firmware with known security vulnerabilities.
  • Data theft:  Edge devices are vulnerable to breaches that lead to data theft. For instance, cybercriminals can bypass encryption to steal sensitive data.
  • IP theft: There are also cases where malicious parties attempt to steal Intellectual Property (IP) such as software code, ML models, and algorithms. One of the best ways to do this is to breach the memory protection of the device.
  • Rollbacks to Vulnerable Firmware: Adversaries can also replace a device’s firmware with an older version that has known security weaknesses. In this case, they can compromise the device without getting easily noticed.
  • Device Cloning: It is also possible to copy the identity code of the device to manufacture illegal copies of it. This can occur in several ways, such as leveraging software vulnerabilities in different systems that share source code or libraries . Illegal copies with the counterfeit identity code then look like legitimate devices. This is another way to compromise an enterprise’s IP and reduce its product revenue.
  • Network Breaches: Internet-connected devices are also vulnerable to networking attacks. For example, hackers are likely to spoof the device’s authentication to gain access and commit hostile actions. 
  • Attacks against ML models: EdgeML deployments are also vulnerable to attacks that compromise the operation of ML models. For example, hackers can poison the training data to compromise the proper operation of an ML model. Malicious parties can also compromise the operation of deep neural networks by means of adversarial inputs that cannot be correctly classified. This is commonly known as an evasion attack. 

In a world with billions of IoT devices, these challenges can lead to large-scale problems and security attacks. Back in 2016, the Mirai malware was used to compromise thousands of IoT devices, which formed a botnet and launched Distributed Denial of Service (DDoS) attacks. This had severe consequences for major internet service providers and made popular sites (e.g., Twitter, Amazon, Spotify, Netflix, Reddit) unreachable to some users. As these types of attacks become more frequent, it is important that edge ML designers devise effective solutions to the unique security challenges of EdgeML applications.

Popular security solutions for edge applications

To alleviate the security vulnerabilities of non-trivial EdgeML systems, EdgeML designers can implement various security solutions and controls. These solutions address security at different levels (e.g., operating system, application, network) towards remedying vulnerabilities and threats of different natures. A representative set of such solutions and controls follows:

  • Data Encryption: Data encryption is key to safeguarding data at rest. Effective encryption solutions partition data according to their type (e.g., IoT data, device logs, ML models) and provide support for multiple integrity checks. Moreover, they decrypt data only for authenticated users from a small set of origins and trust domains. 
  • Distributed Key Management: To strengthen the effectiveness of the encryption mechanisms, there are security solutions that split unique random keys into parts that reside in different locations. The different pieces of the keys are integrated in memory for short amounts of time only, which makes it very hard for adversarial parties to tamper with them and gain access to the encryption and decryption operations.
  • Operating System (OS) Security Solutions: OS level solutions ensure that the device runs the most secure version of its operating system. In this direction, IoT and security vendors design and implement secure “hardened” configurations of the OS. This entails tasks like removing packages that are not needed, creating and configuring encrypted partitions, configuring stringent data access policies for OS functionalities, and embedding advanced monitoring and logging features within the OS.
  • Application-Level Security Solutions: These solutions protect ML applications against different forms of tampering. For instance, they implement multi-factor authentication that makes it very difficult for hackers to gain access to ML models and applications. Multi-factor authentication requires users to supply multiple authentication credentials (e.g., passwords, PIN codes), beyond physical access to the device. As another example, application-level security ensures the use of secure components (e.g., libraries) for the application at hand, as well as support for the secure downloading of components (e.g., ML models) to prevent data and IP theft.
  • Network-Level Security Solutions: At this level, solutions aim at ensuring secure communications between edge devices and other applications. In this direction, measures like mutual authentication of applications or devices, Transport Level Security (TLS) over Virtual Private networks (VPN), and encryption of sensitive data exchanged over the network are usually implemented. Moreover, special provisions for secure communications that perform firmware updates are made to alleviate malicious changes to the device firmware.
  • ML-Level Security Solutions: Solutions at this level safeguard the model training process. In this direction, they can use unique encryption keys to safeguard the security and confidentiality of the device’s communication with the backend computer where the training takes place. This is important for alleviating poisoning attacks. Moreover, the parameters of the ML models are encrypted and obfuscated, which renders any interception attempt useless.  

Putting the solutions to work in practical use cases

A balanced combination of the above-listed multi-level security solutions is required for every practical ML design and deployment. Consider, for example, the design and deployment of ML-based security and surveillance solutions in smart city environments. These solutions leverage edge computing and edge devices (e.g., cameras) to provide real-time detection of events. For instance, camera feeds are typically processed at the edge to identify license plates and abnormal behaviors of vehicles and citizens. To this end, ML-based computer vision algorithms are deployed within the edge devices.

Such deployments are susceptible to a variety of attacks. For instance, an adversary could gain access and deploy malware on the cameras to change their functionality. Strong authentication measures and network-level security are therefore required. 

As another example, hackers could attempt to steal sensitive data, such as license plates of vehicles in a specific crossing or even the ML models used for detecting abnormalities. The risk of such attacks can be minimized based on secure configurations of the device and proper encryption measures. Similarly, network security and OS-level measures can significantly reduce the risk of malicious firmware updates. Furthermore, ML-level measures can avoid changes to the operation of the ML models and eventually to the proper operation of the security and surveillance applications.

License plate detection requires rigorous security. Image credit: Zain Masood.

Alif semiconductor security solutions 

Alif provides world-class, scalable, and integrated security solutions for state-of-the-art EdgeML deployments. The company’s solutions alleviate the earlier presented challenges based on a rich set of security features and functionalities:

  • Secure boot against malware attacks: In Alif’s EdgeML deployments, all code images are signed prior to their deployment and use in edge devices. Moreover, granular firewalls are configured and used to protect assets like the device’s memory and Central Processing Units (CPUs).  Also, the entire security process employs granular controls for each asset in isolation.
  • Data encryption to prevent data theft: Alif’s provides strong encryption for both data within the device and data transmitted over the device’s network. Hence, it is pointless for a hacker to access the data without the required private key. Alif provides TLS security and uses Public Key Infrastructure (PKI) certificates to protect the payloads of sensitive data.
  • Code encryption to prevent IP theft: Similar to the data theft case, in Alif’s solutions IP theft is avoided thanks to code encryption. The company’s security solutions provide proper in-memory interfaces in support of code decryption in real time. Hence, the solution does not impose any performance penalty on the EdgeML application performance. 
  • Secure network communications: Alif minimizes the risk of network breaches based on support for bi-directional cloud-network authentication. The authentication process leverage certificates verified with a proper Certificate Authority. Moreover, signatures of trusted servers are stored to ensure that all network communications originate from and terminate at trusted computers and devices.
  • Hardware Unique Key (HUK) prevents device Cloning: Alif programs all devices based on a HUK. The HUK is generated at the factory and its authenticity is verified by a special security subsystem of the device. This makes it impossible to clone the device.
  • Authenticated and signed software versions: Alif’s security solutions do not permit the downgrading of a device’s firmware. They only allow the loading of equal or later versions of the firmware. In this direction, Alif provides mechanisms for authenticating (“signed”) software versions by means of a proper signature.

The above-listed measures enable EdgeML designers to implement a holistic, end-to-end approach to safeguarding the operation of large-scale EdgeML applications, even in the light of stringent security requirements.

For more information about Alif’s products and services for state-of-the-art cloud/edge computing deployments, visit Alif's website.

This is the third article in a three-part series examining IoT security problems and solutions as of today. 

The first article provided an overview of the current state of IoT security. 

The second article introduced Alif's latest product. 

About the sponsor: Alif Semiconductor

Alif Semiconductor is the industry-leading supplier of the next-generation Ensemble family of 32-bit microcontrollers and fusion processors. Ensemble scales from single core microcontrollers to a new class of multi-core devices, fusion processors, that combine up to two Cortex-M55 MCU cores, up to two Cortex-A32 microprocessor cores capable of running high-level operating systems, and up to two Ethos-U55 microNPUs for AI/ML acceleration. The Alif Ensemble family delivers increased AI/ML efficiency, lowers power consumption, and provides multi-layered security to keep your data safe, all while offering a scalable processor continuum.