Keep TensorFlow Model Encrypted on Android

I searched to understand if there is a technique to keep a trained TensorFlow model (.pb file) safe in an Android app but didn't find anything useful. I am releasing an app containing a TensorFlow model which I built on a training set. When I release the app, anyone can access the model and use it for their own app. I wonder if there is a way to protect a TensorFlow model that I put in the asset folder of my Android application?

This is the way that I load my model in Android:

TensorFlowInferenceInterface tf = new TensorFlowInferenceInterface();    
tf.initializeTensorFlow(context.getAssets(), "file:///android_asset/model.pb");

I was thinking of embedding the model encrypted in the app and decrypting it at runtime, but if someone debugs the app, they can get the password and decrypt it. Moreover, there is just one implementation of the initializeTensorFlow method in the TensorFlowInferenceInterface class, which only accepts (AssetManager assetManager, String model). It is possible to write one that accepts the encrypted one, but it needs some modification of the TensorFlow C++ library. I wonder if there is a more reliable solution. Any suggestion, please?

TryToBeNice asked Mar 17 '17 23:03
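The runtime-decryption idea from the question, written out as an added example (not code from the question or from the TensorFlow project). It assumes the asset was produced at build time as a 12-byte IV followed by AES-GCM ciphertext and tag, that the AES key is handed to the app by a backend after some login or attestation step rather than stored in the APK, and that the TensorFlowInferenceInterface(InputStream) constructor is available (it exists in later TensorFlow Android releases; the 2017 release discussed here only had the AssetManager/String form). The package name and the key-delivery helper are hypothetical.

```java
// Added example, not part of the original question. Assumed asset layout:
// 12-byte IV || AES-GCM ciphertext || 16-byte tag, encrypted from model.pb.
package com.example.modelguard; // hypothetical package name

import android.content.Context;
import android.content.res.AssetManager;

import org.tensorflow.contrib.android.TensorFlowInferenceInterface;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.util.Arrays;

import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public final class EncryptedModelLoader {
    private static final int GCM_IV_BYTES = 12;
    private static final int GCM_TAG_BITS = 128;

    // Decrypts the asset in memory and hands the plaintext GraphDef to TensorFlow
    // without ever writing a decrypted model.pb to disk.
    public static TensorFlowInferenceInterface load(Context context, SecretKey key, String assetName)
            throws IOException, GeneralSecurityException {
        byte[] blob = readAsset(context.getAssets(), assetName);
        if (blob.length <= GCM_IV_BYTES + GCM_TAG_BITS / 8) {
            throw new IOException("asset too short to contain IV, ciphertext and tag");
        }
        byte[] iv = Arrays.copyOfRange(blob, 0, GCM_IV_BYTES);
        byte[] ciphertext = Arrays.copyOfRange(blob, GCM_IV_BYTES, blob.length);

        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, iv));
        // doFinal verifies the GCM tag: a modified asset fails here with AEADBadTagException
        // instead of being silently loaded as a corrupted graph.
        byte[] plaintextGraph = cipher.doFinal(ciphertext);
        Arrays.fill(blob, (byte) 0);

        try (InputStream graphStream = new ByteArrayInputStream(plaintextGraph)) {
            // The constructor parses the whole GraphDef into the native session.
            return new TensorFlowInferenceInterface(graphStream);
        } finally {
            // Zero the Java copy. The native session still holds the weights, which is
            // exactly why a debugger attached at inference time can still recover them:
            // this raises the bar, it does not remove the exposure.
            Arrays.fill(plaintextGraph, (byte) 0);
        }
    }

    // Hypothetical helper: the raw key bytes come from the backend at runtime,
    // never from a string literal or resource inside the APK.
    public static SecretKey keyFromServerResponse(byte[] rawKey) {
        if (rawKey.length != 16 && rawKey.length != 32) {
            throw new IllegalArgumentException("AES key must be 128 or 256 bits");
        }
        return new SecretKeySpec(rawKey, "AES");
    }

    private static byte[] readAsset(AssetManager assets, String name) throws IOException {
        try (InputStream in = assets.open(name);
             ByteArrayOutputStream out = new ByteArrayOutputStream()) {
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) != -1) {
                out.write(buf, 0, n);
            }
            return out.toByteArray();
        }
    }
}
```

Usage is `EncryptedModelLoader.load(context, EncryptedModelLoader.keyFromServerResponse(keyBytes), "model.enc")`. AES-GCM is used rather than a plain block mode so that a tampered or truncated asset is rejected before TensorFlow parses it; fetching the key per session means an attacker who only has the APK cannot decrypt the asset offline, but anyone who can run the app under a debugger still reaches the plaintext, which matches the limitation the question already states.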



1 Answer

As mentioned in the comments, there is no real safe way to keep your model safe when you run it locally. That being said, you can hide your model and make things a tad more difficult than having a .pb around.

Apart from name obfuscation provided by freeze_graph, a good solution is to compile the model to a binary using XLA AOT compilation with tfcompile. It generates a binary library containing your model as well as a header file to use it. Somebody who wants to peek at your network would then have to go through compiled code, which is a higher bar to clear than reading a .pb file for most people.

P-Gn answered Oct 27 '22 08:10