嵌入式系统使用神经网络（NNS）的设备对数据处理数据（NNS）的处理，同时符合存储器，功率和计算约束，导致效率和准确性折衷。要将NNS带到边缘设备，通过修剪，量化和现成的架构进行了多种优化，例如具有高效设计的模型压缩，已被广泛采用。这些算法部署到现实世界敏感应用程序时，需要抵制推理攻击以保护用户培训数据的隐私。然而，对推理攻击的阻力不算用于为IOT设计NN模型。在这项工作中，我们分析了IOT设备NNS中的三维隐私 - 准确效率折衷，并提出了壁虎培训方法，在那里我们明确地将抵抗私人推广作为设计目标。我们优化嵌入式设备的推理时间内存，计算和功率约束作为设计NN体系结构的标准，同时还保留隐私。我们选择量化为高效和私人模型的设计选择。这种选择是由观察到的观察，压缩模型与基线模型相比泄漏更多信息，而现成的高效架构表明效率和隐私权衡差。我们展示使用壁虎方法训练的模型与在提供效率的准确性和隐私方面的对黑匣子成员攻击的事先防御。

While machine learning is traditionally a resource intensive task, embedded systems, autonomous navigation, and the vision of the Internet of Things fuel the interest in resource-efficient approaches. These approaches aim for a carefully chosen trade-off between performance and resource consumption in terms of computation and energy. The development of such approaches is among the major challenges in current machine learning research and key to ensure a smooth transition of machine learning technology from a scientific environment with virtually unlimited computing resources into everyday's applications. In this article, we provide an overview of the current state of the art of machine learning techniques facilitating these real-world requirements. In particular, we focus on deep neural networks (DNNs), the predominant machine learning models of the past decade. We give a comprehensive overview of the vast literature that can be mainly split into three non-mutually exclusive categories: (i) quantized neural networks, (ii) network pruning, and (iii) structural efficiency. These techniques can be applied during training or as post-processing, and they are widely used to reduce the computational demands in terms of memory footprint, inference speed, and energy efficiency. We also briefly discuss different concepts of embedded hardware for DNNs and their compatibility with machine learning techniques as well as potential for energy and latency reduction. We substantiate our discussion with experiments on well-known benchmark datasets using compression techniques (quantization, pruning) for a set of resource-constrained embedded systems, such as CPUs, GPUs and FPGAs. The obtained results highlight the difficulty of finding good trade-offs between resource efficiency and predictive performance.

In recent years, deep learning (DL) models have demonstrated remarkable achievements on non-trivial tasks such as speech recognition and natural language understanding. One of the significant contributors to its success is the proliferation of end devices that acted as a catalyst to provide data for data-hungry DL models. However, computing DL training and inference is the main challenge. Usually, central cloud servers are used for the computation, but it opens up other significant challenges, such as high latency, increased communication costs, and privacy concerns. To mitigate these drawbacks, considerable efforts have been made to push the processing of DL models to edge servers. Moreover, the confluence point of DL and edge has given rise to edge intelligence (EI). This survey paper focuses primarily on the fifth level of EI, called all in-edge level, where DL training and inference (deployment) are performed solely by edge servers. All in-edge is suitable when the end devices have low computing resources, e.g., Internet-of-Things, and other requirements such as latency and communication cost are important in mission-critical applications, e.g., health care. Firstly, this paper presents all in-edge computing architectures, including centralized, decentralized, and distributed. Secondly, this paper presents enabling technologies, such as model parallelism and split learning, which facilitate DL training and deployment at edge servers. Thirdly, model adaptation techniques based on model compression and conditional computation are described because the standard cloud-based DL deployment cannot be directly applied to all in-edge due to its limited computational resources. Fourthly, this paper discusses eleven key performance metrics to evaluate the performance of DL at all in-edge efficiently. Finally, several open research challenges in the area of all in-edge are presented.

用于训练机器学习（ML）模型的数据可能是敏感的。成员推理攻击（MIS），试图确定特定数据记录是否用于培训ML模型，违反会员隐私。 ML模型建设者需要一个原则的定义，使他们能够有效地定量（a）单独培训数据记录，（b）的隐私风险，有效地。未在会员资格危险风险指标上均未达到所有这些标准。我们提出了这种公制，SHAPR，它通过抑制其对模型的实用程序的影响来量化朔芙值以量化模型的记忆。这个记忆是衡量成功MIA的可能性的衡量标准。使用十个基准数据集，我们显示ShapR是有效的（精确度：0.94 $ \ PM 0.06 $，回忆：0.88 $ \ PM 0.06 $）在估算MIAS的培训数据记录的易感性时，高效（可在几分钟内计算，较小数据集和最大数据集的约〜90分钟）。 ShapR也是多功能的，因为它可以用于评估数据集的子集的公平或分配估值的其他目的。例如，我们显示Shapr正确地捕获不同子组的不成比例漏洞到MIS。使用SHAPR，我们表明，通过去除高风险训练数据记录，不一定改善数据集的成员隐私风险，从而确认在显着扩展的设置中从事工作（在十个数据集中，最多可删除50％的数据）的观察。

人工智能（AI）软件中深度学习模型的规模正在迅速增加，这阻碍了对资源限制设备（例如智能手机）的大规模部署。为了减轻此问题，AI软件压缩起着至关重要的作用，旨在压缩模型大小的同时保持高性能。但是，大型模型中的固有缺陷可以由压缩后遗传。攻击者很容易利用此类缺陷，因为压缩模型通常部署在大量设备中而没有充分保护的设备中。在本文中，我们试图从安全性的合作观点来解决安全模型压缩问题。具体而言，受到软件工程中测试驱动的开发（TDD）范式的启发，我们提出了一个称为SafeCompress的测试驱动的稀疏训练框架。通过模拟攻击机制作为安全测试，SafeCompress可以在动态稀疏训练范式之后自动将大型模型压缩到一个小模型中。此外，考虑到代表性攻击，即成员推理攻击（MIA），我们开发了一种混凝土安全模型压缩机制，称为MIA-SAFECSPRASS。进行了广泛的实验，以评估用于计算机视觉和自然语言处理任务的五个数据集上的MIA量压缩。结果验证了我们方法的有效性和概括。我们还讨论了如何将SafeCompress适应除MIA以外的其他攻击，并证明了SafCompress的灵活性。

Deep neural networks (DNNs) are currently widely used for many artificial intelligence (AI) applications including computer vision, speech recognition, and robotics. While DNNs deliver state-of-the-art accuracy on many AI tasks, it comes at the cost of high computational complexity. Accordingly, techniques that enable efficient processing of DNNs to improve energy efficiency and throughput without sacrificing application accuracy or increasing hardware cost are critical to the wide deployment of DNNs in AI systems.This article aims to provide a comprehensive tutorial and survey about the recent advances towards the goal of enabling efficient processing of DNNs. Specifically, it will provide an overview of DNNs, discuss various hardware platforms and architectures that support DNNs, and highlight key trends in reducing the computation cost of DNNs either solely via hardware design changes or via joint hardware design and DNN algorithm changes. It will also summarize various development resources that enable researchers and practitioners to quickly get started in this field, and highlight important benchmarking metrics and design considerations that should be used for evaluating the rapidly growing number of DNN hardware designs, optionally including algorithmic co-designs, being proposed in academia and industry.The reader will take away the following concepts from this article: understand the key design considerations for DNNs; be able to evaluate different DNN hardware implementations with benchmarks and comparison metrics; understand the trade-offs between various hardware architectures and platforms; be able to evaluate the utility of various DNN design techniques for efficient processing; and understand recent implementation trends and opportunities.

神经网络修剪一直是减少对资源受限设备的深度神经网络的计算和记忆要求的重要技术。大多数现有的研究主要侧重于平衡修剪神经网络的稀疏性和准确性，通过策略性地删除无关紧要的参数并重新修剪修剪模型。由于记忆的增加而造成了严重的隐私风险，因此尚未调查这种训练样品的这种努力。在本文中，我们对神经网络修剪中的隐私风险进行了首次分析。具体而言，我们研究了神经网络修剪对培训数据隐私的影响，即成员推理攻击。我们首先探讨了神经网络修剪对预测差异的影响，在该预测差异中，修剪过程不成比例地影响了修剪的模型对成员和非会员的行为。同时，差异的影响甚至以细粒度的方式在不同类别之间有所不同。通过这种分歧，我们提出了对修剪的神经网络的自我发起会员推断攻击。进行了广泛的实验，以严格评估不同修剪方法，稀疏水平和对手知识的隐私影响。拟议的攻击表明，与现有的八次成员推理攻击相比，对修剪模型的攻击性能更高。此外，我们提出了一种新的防御机制，通过基于KL-Divergence距离来缓解预测差异，以保护修剪过程，该距离的预测差异已通过实验证明，可以有效地降低隐私风险，同时维持较修剪模型的稀疏性和准确性。

对机器学习模型的会员推理攻击（MIA）可能会导致模型培训中使用的培训数据集的严重隐私风险。在本文中，我们提出了一种针对成员推理攻击（MIAS）的新颖有效的神经元引导的防御方法。我们确定了针对MIA的现有防御机制的关键弱点，在该机制中，他们不能同时防御两个常用的基于神经网络的MIA，表明应分别评估这两次攻击以确保防御效果。我们提出了Neuguard，这是一种新的防御方法，可以通过对象共同控制输出和内部神经元的激活，以指导训练集的模型输出和测试集的模型输出以具有近距离分布。 Neuguard由类别的差异最小化靶向限制最终输出神经元和层平衡输出控制的目标，旨在限制每一层中的内部神经元。我们评估Neuguard，并将其与最新的防御能力与两个基于神经网络的MIA，五个最强的基于度量的MIA，包括三个基准数据集中的新提出的仅标签MIA。结果表明，Neuguard通过提供大大改善的公用事业权衡权衡，一般性和间接费用来优于最先进的防御能力。

从公共机器学习（ML）模型中泄漏数据是一个越来越重要的领域，因为ML的商业和政府应用可以利用多个数据源，可能包括用户和客户的敏感数据。我们对几个方面的当代进步进行了全面的调查，涵盖了非自愿数据泄漏，这对ML模型很自然，潜在的恶毒泄漏是由隐私攻击引起的，以及目前可用的防御机制。我们专注于推理时间泄漏，这是公开可用模型的最可能场景。我们首先在不同的数据，任务和模型体系结构的背景下讨论什么是泄漏。然后，我们提出了跨非自愿和恶意泄漏的分类法，可用的防御措施，然后进行当前可用的评估指标和应用。我们以杰出的挑战和开放性的问题结束，概述了一些有希望的未来研究方向。

机器学习（ML）模型已广泛应用于各种应用，包括图像分类，文本生成，音频识别和图形数据分析。然而，最近的研究表明，ML模型容易受到隶属推导攻击（MIS），其目的是推断数据记录是否用于训练目标模型。 ML模型上的MIA可以直接导致隐私违规行为。例如，通过确定已经用于训练与某种疾病相关的模型的临床记录，攻击者可以推断临床记录的所有者具有很大的机会。近年来，MIS已被证明对各种ML模型有效，例如，分类模型和生成模型。同时，已经提出了许多防御方法来减轻米西亚。虽然ML模型上的MIAS形成了一个新的新兴和快速增长的研究区，但还没有对这一主题进行系统的调查。在本文中，我们对会员推论和防御进行了第一个全面调查。我们根据其特征提供攻击和防御的分类管理，并讨论其优点和缺点。根据本次调查中确定的限制和差距，我们指出了几个未来的未来研究方向，以激发希望遵循该地区的研究人员。这项调查不仅是研究社区的参考，而且还为该研究领域之外的研究人员带来了清晰的照片。为了进一步促进研究人员，我们创建了一个在线资源存储库，并与未来的相关作品继续更新。感兴趣的读者可以在https://github.com/hongshenghu/membership-inference-machine-learning-literature找到存储库。

我们日常生活中的深度学习是普遍存在的，包括自驾车，虚拟助理，社交网络服务，医疗服务，面部识别等，但是深度神经网络在训练和推理期间需要大量计算资源。该机器学习界主要集中在模型级优化（如深度学习模型的架构压缩），而系统社区则专注于实施级别优化。在其间，在算术界中提出了各种算术级优化技术。本文在模型，算术和实施级技术方面提供了关于资源有效的深度学习技术的调查，并确定了三种不同级别技术的资源有效的深度学习技术的研究差距。我们的调查基于我们的资源效率度量定义，阐明了较低级别技术的影响，并探讨了资源有效的深度学习研究的未来趋势。

Differential privacy is a strong notion for privacy that can be used to prove formal guarantees, in terms of a privacy budget, , about how much information is leaked by a mechanism. However, implementations of privacy-preserving machine learning often select large values of in order to get acceptable utility of the model, with little understanding of the impact of such choices on meaningful privacy. Moreover, in scenarios where iterative learning procedures are used, differential privacy variants that offer tighter analyses are used which appear to reduce the needed privacy budget but present poorly understood trade-offs between privacy and utility. In this paper, we quantify the impact of these choices on privacy in experiments with logistic regression and neural network models. Our main finding is that there is a huge gap between the upper bounds on privacy loss that can be guaranteed, even with advanced mechanisms, and the effective privacy loss that can be measured using current inference attacks. Current mechanisms for differentially private machine learning rarely offer acceptable utility-privacy trade-offs with guarantees for complex learning tasks: settings that provide limited accuracy loss provide meaningless privacy guarantees, and settings that provide strong privacy guarantees result in useless models.

We quantitatively investigate how machine learning models leak information about the individual data records on which they were trained. We focus on the basic membership inference attack: given a data record and black-box access to a model, determine if the record was in the model's training dataset. To perform membership inference against a target model, we make adversarial use of machine learning and train our own inference model to recognize differences in the target model's predictions on the inputs that it trained on versus the inputs that it did not train on.We empirically evaluate our inference techniques on classification models trained by commercial "machine learning as a service" providers such as Google and Amazon. Using realistic datasets and classification tasks, including a hospital discharge dataset whose membership is sensitive from the privacy perspective, we show that these models can be vulnerable to membership inference attacks. We then investigate the factors that influence this leakage and evaluate mitigation strategies.

会员推理攻击（MIA）在机器学习模型的培训数据上提出隐私风险。使用MIA，如果目标数据是训练数据集的成员，则攻击者猜测。对MIAS的最先进的防御，蒸馏为会员隐私（DMP），不仅需要私人数据来保护但是大量未标记的公共数据。但是，在某些隐私敏感域名，如医疗和财务，公共数据的可用性并不明显。此外，通过使用生成的对策网络生成公共数据的琐碎方法显着降低了DMP的作者报道的模型精度。为了克服这个问题，我们在不需要公共数据的情况下，使用知识蒸馏提出对米西亚的小说防御。我们的实验表明，我们防御的隐私保护和准确性与MIA研究中使用的基准表格数据集的DMP相媲美，我们的国防有更好的隐私式权限远非现有防御不使用图像数据集CIFAR10的公共数据。

Deep neural networks are susceptible to various inference attacks as they remember information about their training data. We design white-box inference attacks to perform a comprehensive privacy analysis of deep learning models. We measure the privacy leakage through parameters of fully trained models as well as the parameter updates of models during training. We design inference algorithms for both centralized and federated learning, with respect to passive and active inference attackers, and assuming different adversary prior knowledge.We evaluate our novel white-box membership inference attacks against deep learning algorithms to trace their training data records. We show that a straightforward extension of the known black-box attacks to the white-box setting (through analyzing the outputs of activation functions) is ineffective. We therefore design new algorithms tailored to the white-box setting by exploiting the privacy vulnerabilities of the stochastic gradient descent algorithm, which is the algorithm used to train deep neural networks. We investigate the reasons why deep learning models may leak information about their training data. We then show that even well-generalized models are significantly susceptible to white-box membership inference attacks, by analyzing stateof-the-art pre-trained and publicly available models for the CIFAR dataset. We also show how adversarial participants, in the federated learning setting, can successfully run active membership inference attacks against other participants, even when the global model achieves high prediction accuracies.

依赖于并非所有输入都需要相同数量的计算来产生自信的预测的事实，多EXIT网络正在引起人们的注意，这是推动有效部署限制的重要方法。多EXIT网络赋予了具有早期退出的骨干模型，从而可以在模型的中间层获得预测，从而节省计算时间和/或能量。但是，当前的多种exit网络的各种设计仅被认为是为了实现资源使用效率和预测准确性之间的最佳权衡，从未探索过来自它们的隐私风险。这促使需要全面调查多EXIT网络中的隐私风险。在本文中，我们通过会员泄漏的镜头对多EXIT网络进行了首次隐私分析。特别是，我们首先利用现有的攻击方法来量化多exit网络对成员泄漏的脆弱性。我们的实验结果表明，多EXIT网络不太容易受到会员泄漏的影响，而在骨干模型上附加的退出（数字和深度）与攻击性能高度相关。此外，我们提出了一种混合攻击，该攻击利用退出信息以提高现有攻击的性能。我们评估了由三种不同的对手设置下的混合攻击造成的成员泄漏威胁，最终到达了无模型和无数据的对手。这些结果清楚地表明，我们的混合攻击非常广泛地适用，因此，相应的风险比现有的会员推理攻击所显示的要严重得多。我们进一步提出了一种专门针对多EXIT网络的TimeGuard的防御机制，并表明TimeGuard完美地减轻了新提出的攻击。

会员推理攻击是机器学习模型中最简单的隐私泄漏形式之一：给定数据点和模型，确定该点是否用于培训模型。当查询其培训数据时，现有会员推理攻击利用模型的异常置信度。如果对手访问模型的预测标签，则不会申请这些攻击，而不会置信度。在本文中，我们介绍了仅限标签的会员资格推理攻击。我们的攻击而不是依赖置信分数，而是评估模型预测标签在扰动下的稳健性，以获得细粒度的隶属信号。这些扰动包括常见的数据增强或对抗例。我们经验表明，我们的标签占会员推理攻击与先前攻击相符，以便需要访问模型信心。我们进一步证明，仅限标签攻击违反了（隐含或明确）依赖于我们呼叫信心屏蔽的现象的员工推论攻击的多种防御。这些防御修改了模型的置信度分数以挫败攻击，但留下模型的预测标签不变。我们的标签攻击展示了置信性掩蔽不是抵御会员推理的可行的防御策略。最后，我们调查唯一的案例标签攻击，该攻击推断为少量异常值数据点。我们显示仅标签攻击也匹配此设置中基于置信的攻击。我们发现具有差异隐私和（强）L2正则化的培训模型是唯一已知的防御策略，成功地防止所有攻击。即使差异隐私预算太高而无法提供有意义的可证明担保，这仍然存在。

深度学习技术在各种任务中都表现出了出色的有效性，并且深度学习具有推进多种应用程序（包括在边缘计算中）的潜力，其中将深层模型部署在边缘设备上，以实现即时的数据处理和响应。一个关键的挑战是，虽然深层模型的应用通常会产生大量的内存和计算成本，但Edge设备通常只提供非常有限的存储和计算功能，这些功能可能会在各个设备之间差异很大。这些特征使得难以构建深度学习解决方案，以释放边缘设备的潜力，同时遵守其约束。应对这一挑战的一种有希望的方法是自动化有效的深度学习模型的设计，这些模型轻巧，仅需少量存储，并且仅产生低计算开销。该调查提供了针对边缘计算的深度学习模型设计自动化技术的全面覆盖。它提供了关键指标的概述和比较，这些指标通常用于量化模型在有效性，轻度和计算成本方面的水平。然后，该调查涵盖了深层设计自动化技术的三类最新技术：自动化神经体系结构搜索，自动化模型压缩以及联合自动化设计和压缩。最后，调查涵盖了未来研究的开放问题和方向。

Recent increases in the computational demands of deep neural networks (DNNs) have sparked interest in efficient deep learning mechanisms, e.g., quantization or pruning. These mechanisms enable the construction of a small, efficient version of commercial-scale models with comparable accuracy, accelerating their deployment to resource-constrained devices. In this paper, we study the security considerations of publishing on-device variants of large-scale models. We first show that an adversary can exploit on-device models to make attacking the large models easier. In evaluations across 19 DNNs, by exploiting the published on-device models as a transfer prior, the adversarial vulnerability of the original commercial-scale models increases by up to 100x. We then show that the vulnerability increases as the similarity between a full-scale and its efficient model increase. Based on the insights, we propose a defense, $similarity$-$unpairing$, that fine-tunes on-device models with the objective of reducing the similarity. We evaluated our defense on all the 19 DNNs and found that it reduces the transferability up to 90% and the number of queries required by a factor of 10-100x. Our results suggest that further research is needed on the security (or even privacy) threats caused by publishing those efficient siblings.

机器学习中的隐私和安全挑战（ML）已成为ML普遍的开发以及最近对大型攻击表面的展示，已成为一个关键的话题。作为一种成熟的以系统为导向的方法，在学术界和行业中越来越多地使用机密计算来改善各种ML场景的隐私和安全性。在本文中，我们将基于机密计算辅助的ML安全性和隐私技术的发现系统化，以提供i）保密保证和ii）完整性保证。我们进一步确定了关键挑战，并提供有关ML用例现有可信赖的执行环境（TEE）系统中限制的专门分析。我们讨论了潜在的工作，包括基础隐私定义，分区的ML执行，针对ML的专用发球台设计，TEE Awawe Aware ML和ML Full Pipeline保证。这些潜在的解决方案可以帮助实现强大的TEE ML，以保证无需引入计算和系统成本。