{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,14]],"date-time":"2026-04-14T16:29:44Z","timestamp":1776184184477,"version":"3.50.1"},"reference-count":149,"publisher":"Institute of Electrical and Electronics Engineers (IEEE)","license":[{"start":{"date-parts":[[2021,1,1]],"date-time":"2021-01-01T00:00:00Z","timestamp":1609459200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/legalcode"}],"funder":[{"DOI":"10.13039\/501100003725","name":"National Research Foundation of Korea","doi-asserted-by":"publisher","id":[{"id":"10.13039\/501100003725","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100003725","name":"Korea government (Ministry of Science and ICT","doi-asserted-by":"publisher","award":["NRF-2020R1C1C1011980"],"award-info":[{"award-number":["NRF-2020R1C1C1011980"]}],"id":[{"id":"10.13039\/501100003725","id-type":"DOI","asserted-by":"publisher"}]},{"name":"Institute for Information & communication Technology Promotion"},{"DOI":"10.13039\/501100003621","name":"Korea government","doi-asserted-by":"publisher","award":["2019-0-01343"],"award-info":[{"award-number":["2019-0-01343"]}],"id":[{"id":"10.13039\/501100003621","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IEEE Access"],"published-print":{"date-parts":[[2021]]},"DOI":"10.1109\/access.2021.3136889","type":"journal-article","created":{"date-parts":[[2021,12,20]],"date-time":"2021-12-20T21:44:36Z","timestamp":1640036676000},"page":"168656-168677","source":"Crossref","is-referenced-by-count":8,"title":["Confidential Machine Learning Computation in Untrusted Environments: A Systems Security Perspective"],"prefix":"10.1109","volume":"9","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-6285-3506","authenticated-orcid":false,"given":"Kha Dinh","family":"Duy","sequence":"first","affiliation":[]},{"given":"Taehyun","family":"Noh","sequence":"additional","affiliation":[]},{"given":"Siwon","family":"Huh","sequence":"additional","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0001-5344-6266","authenticated-orcid":false,"given":"Hojoon","family":"Lee","sequence":"additional","affiliation":[]}],"member":"263","reference":[{"key":"ref39","doi-asserted-by":"publisher","DOI":"10.1145\/3457388.3458665"},{"key":"ref38","doi-asserted-by":"publisher","DOI":"10.1109\/CVPRW53098.2021.00368"},{"key":"ref33","first-page":"1","article-title":"Stealing links from graph neural networks","author":"he","year":"2021","journal-title":"Proc 30th USENIX Secur Symp (USENIX Secur )"},{"key":"ref32","first-page":"601","article-title":"Stealing machine learning models via prediction APIs","author":"tram\u00e8r","year":"2016","journal-title":"Proc 25th USENIX Secur Symp (USENIX Secur )"},{"key":"ref31","first-page":"1","article-title":"Hermes attack: Steal DNN models with lossless inference accuracy","author":"zhu","year":"2021","journal-title":"Proc 30th USENIX Secur Symp (USENIX Secur )"},{"key":"ref30","first-page":"2003","article-title":"Cache telepathy: Leveraging shared resource attacks to learn DNN architectures","author":"yan","year":"2020","journal-title":"Proc 29th USENIX Secur Symp (USENIX Secur )"},{"key":"ref37","article-title":"Perun: Secure multi-stakeholder machine learning framework with GPU support","author":"ozga","year":"2021","journal-title":"arXiv 2103 16898"},{"key":"ref36","article-title":"Stealing neural networks via timing side channels","author":"duddu","year":"2018","journal-title":"arXiv 1812 11720"},{"key":"ref35","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2018.00038"},{"key":"ref34","doi-asserted-by":"publisher","DOI":"10.1145\/3433210.3453090"},{"key":"ref28","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-66787-4_4"},{"key":"ref27","doi-asserted-by":"publisher","DOI":"10.1109\/DSN48063.2020.00031"},{"key":"ref29","first-page":"1","article-title":"Software grand exposure: SGX cache attacks are practical","author":"brasser","year":"2017","journal-title":"Proc 11th USENIX Workshop Offensive Technol (WOOT)"},{"key":"ref20","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2018.00025"},{"key":"ref22","first-page":"283","article-title":"Opaque: An oblivious and encrypted distributed analytics platform","author":"zheng","year":"2017","journal-title":"Proc 14th USENIX Symp Netw Syst Design Implement (NSDI)"},{"key":"ref21","first-page":"447","article-title":"M2r: Enabling stronger privacy in mapreduce computation","author":"dinh","year":"2015","journal-title":"Proc 24th USENIX Secur Symp (USENIX Secur )"},{"key":"ref24","doi-asserted-by":"publisher","DOI":"10.1145\/3386901.3388946"},{"key":"ref23","doi-asserted-by":"publisher","DOI":"10.1145\/3300061.3345447"},{"key":"ref26","article-title":"TensorSCONE: A secure TensorFlow framework using Intel SGX","author":"kunkel","year":"2019","journal-title":"arXiv 1902 04413"},{"key":"ref101","year":"2017","journal-title":"TF Trusted"},{"key":"ref25","doi-asserted-by":"publisher","DOI":"10.1109\/AsianHOST51057.2020.9358260"},{"key":"ref100","article-title":"Intel SGX explained","author":"costan","year":"2016"},{"key":"ref50","first-page":"267","article-title":"Shielding applications from an untrusted cloud with haven","author":"baumann","year":"2014","journal-title":"Proc of USENIX Symp on Operating Systems Design and Implementation (OSDI)"},{"key":"ref51","first-page":"689","article-title":"SCONE: Secure Linux containers with Intel SGX","author":"arnautov","year":"2016","journal-title":"Proc of USENIX Symp on Operating Systems Design and Implementation (OSDI)"},{"key":"ref146","author":"abadi","year":"2015","journal-title":"TensorFlow Large-Scale Machine Learning on Heterogeneous Systems"},{"key":"ref147","first-page":"8024","article-title":"Pytorch: An imperative style, high-performance deep learning library","author":"paszke","year":"2019","journal-title":"Proc Adv Neural Inf Process Syst"},{"key":"ref148","doi-asserted-by":"publisher","DOI":"10.1109\/VTS48691.2020.9107564"},{"key":"ref149","first-page":"1345","article-title":"High accuracy and high fidelity extraction of neural networks","author":"jagielski","year":"2020","journal-title":"Proc 29th USENIX Secur Symp (USENIX Secur )"},{"key":"ref59","doi-asserted-by":"publisher","DOI":"10.1186\/s42400-021-00092-8"},{"key":"ref58","doi-asserted-by":"publisher","DOI":"10.2478\/popets-2021-0064"},{"key":"ref57","doi-asserted-by":"publisher","DOI":"10.1145\/2592798.2592812"},{"key":"ref56","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2009.25"},{"key":"ref55","first-page":"2","article-title":"Docker: Lightweight Linux containers for consistent development and deployment","volume":"2014","author":"merkel","year":"2014","journal-title":"Linux J"},{"key":"ref54","doi-asserted-by":"publisher","DOI":"10.1145\/3361525.3361541"},{"key":"ref53","doi-asserted-by":"publisher","DOI":"10.1109\/ICDE51399.2021.00025"},{"key":"ref52","first-page":"645","article-title":"Graphene-sgx: A practical library OS for unmodified applications on SGX","author":"tsai","year":"2017","journal-title":"Proc USENIX Annu Tech Conf (USENIX ATC)"},{"key":"ref40","article-title":"Confidential inference via ternary model partitioning","author":"gu","year":"2018","journal-title":"arXiv 1807 00969"},{"key":"ref4","doi-asserted-by":"publisher","DOI":"10.1145\/2046684.2046692"},{"key":"ref3","article-title":"Adversarial examples in the physical world","author":"kurakin","year":"2016","journal-title":"arXiv 1607 02533"},{"key":"ref6","article-title":"Decision-based adversarial attacks: Reliable attacks against black-box machine learning models","author":"brendel","year":"2017","journal-title":"arXiv 1712 04248"},{"key":"ref5","article-title":"Transferability in machine learning: From phenomena to black-box attacks using adversarial samples","author":"papernot","year":"2016","journal-title":"arXiv 1605 07277"},{"key":"ref8","doi-asserted-by":"publisher","DOI":"10.1145\/2508859.2516686"},{"key":"ref49","article-title":"CURE: A security architecture with customizable and resilient enclaves","author":"bahmani","year":"2021","journal-title":"Proc 30th USENIX Secur Symp (USENIX Secur )"},{"key":"ref7","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2017.41"},{"key":"ref9","doi-asserted-by":"publisher","DOI":"10.1145\/3422337.3447836"},{"key":"ref46","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3363205"},{"key":"ref45","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2019.23448"},{"key":"ref48","doi-asserted-by":"publisher","DOI":"10.1145\/3342195.3387532"},{"key":"ref47","first-page":"857","article-title":"Sanctum: Minimal hardware extensions for strong software isolation","author":"costan","year":"2016","journal-title":"Proc 25th USENIX Conf Secur Symp"},{"key":"ref42","author":"cloud","year":"2021","journal-title":"Confidential Computing"},{"key":"ref41","year":"2021","journal-title":"Azure Confidential Computing"},{"key":"ref44","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134095"},{"key":"ref43","year":"2021","journal-title":"Nitro Enclaves"},{"key":"ref127","article-title":"Communication-efficient learning of deep networks from decentralized data","author":"mcmahan","year":"2016","journal-title":"arXiv 1602 05629"},{"key":"ref126","article-title":"Mind your weight(s): A large-scale study on insufficient machine learning model protection in mobile apps","author":"sun","year":"2020","journal-title":"arXiv 2002 07687"},{"key":"ref125","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3354197"},{"key":"ref124","doi-asserted-by":"publisher","DOI":"10.1145\/3274694.3274704"},{"key":"ref73","doi-asserted-by":"publisher","DOI":"10.1145\/3366423.3380106"},{"key":"ref72","article-title":"Privacy in deep learning: A survey","author":"mireshghallah","year":"2020","journal-title":"arXiv 2004 12254"},{"key":"ref71","article-title":"Advances and open problems in federated learning","author":"kairouz","year":"2019","journal-title":"arXiv 1912 04977"},{"key":"ref129","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2021.3093711"},{"key":"ref70","doi-asserted-by":"publisher","DOI":"10.1016\/j.sysarc.2021.102163"},{"key":"ref128","doi-asserted-by":"publisher","DOI":"10.1109\/INFOCOM41043.2020.9155414"},{"key":"ref76","doi-asserted-by":"publisher","DOI":"10.1145\/2810103.2813677"},{"key":"ref77","year":"2021","journal-title":"Protocol Buffers"},{"key":"ref130","article-title":"ESMFL: Efficient and secure models for federated learning","author":"lin","year":"2020","journal-title":"arXiv 2009 01867"},{"key":"ref74","doi-asserted-by":"publisher","DOI":"10.1007\/3-540-48405-1_25"},{"key":"ref75","first-page":"1291","article-title":"Updates-leak: Data set inference and reconstruction attacks in online learning","author":"salem","year":"2020","journal-title":"Proc 29th USENIX Secur Symp (USENIX Secur )"},{"key":"ref133","article-title":"Inverting gradients&#x2014;How easy is it to break privacy in federated learning?","author":"geiping","year":"2020","journal-title":"arXiv 2003 14053"},{"key":"ref134","first-page":"1","article-title":"Practical secure aggregation for federated learning on user-held data","author":"bonawitz","year":"2016","journal-title":"Proc NIPS Workshop Private Multi-Party Mach Learn"},{"key":"ref78","doi-asserted-by":"publisher","DOI":"10.1145\/1966895.1966900"},{"key":"ref131","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00029"},{"key":"ref79","author":"foundation","year":"2021","journal-title":"Onnx"},{"key":"ref132","article-title":"Deep leakage from gradients","author":"zhu","year":"2019","journal-title":"arXiv 1906 08935"},{"key":"ref136","doi-asserted-by":"publisher","DOI":"10.1145\/3173162.3177155"},{"key":"ref135","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-58951-6_24"},{"key":"ref138","doi-asserted-by":"publisher","DOI":"10.1145\/3373376.3378469"},{"key":"ref137","author":"security","year":"2020","journal-title":"Alibaba Cloud Released Industry&#x2019;s First Trusted and Virtualized Instance With Support for SGX 2 0 and TPM"},{"key":"ref60","article-title":"Differential privacy and machine learning: A survey and review","author":"ji","year":"2014","journal-title":"arXiv 1412 7584 [cs]"},{"key":"ref139","article-title":"Access pattern disclosure on searchable encryption: Ramification, attack and mitigation","author":"islam","year":"2012","journal-title":"NDSS"},{"key":"ref62","doi-asserted-by":"publisher","DOI":"10.1145\/28395.28420"},{"key":"ref61","doi-asserted-by":"publisher","DOI":"10.1145\/62212.62214"},{"key":"ref63","doi-asserted-by":"publisher","DOI":"10.1109\/SFCS.1982.38"},{"key":"ref64","doi-asserted-by":"publisher","DOI":"10.1109\/SFCS.1986.25"},{"key":"ref65","doi-asserted-by":"publisher","DOI":"10.1145\/3472883.3486998"},{"key":"ref140","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2018.23239"},{"key":"ref66","article-title":"Efficient deep learning on multi-source private data","author":"hynes","year":"2018","journal-title":"arXiv 1807 06689"},{"key":"ref141","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2018.23284"},{"key":"ref67","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSP.2018.00035"},{"key":"ref142","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2019.23513"},{"key":"ref68","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2018.2805680"},{"key":"ref143","doi-asserted-by":"publisher","DOI":"10.1145\/3372297.3417265"},{"key":"ref69","doi-asserted-by":"publisher","DOI":"10.1016\/j.patcog.2018.07.023"},{"key":"ref144","doi-asserted-by":"publisher","DOI":"10.1145\/3419111.3421282"},{"key":"ref2","doi-asserted-by":"publisher","DOI":"10.1145\/1014052.1014066"},{"key":"ref145","doi-asserted-by":"publisher","DOI":"10.1109\/WISA.2016.45"},{"key":"ref1","doi-asserted-by":"publisher","DOI":"10.1145\/1081870.1081950"},{"key":"ref109","doi-asserted-by":"publisher","DOI":"10.1016\/j.patcog.2004.01.013"},{"key":"ref95","article-title":"SGX-LKL: Securing the host OS interface for trusted execution","author":"priebe","year":"2019","journal-title":"arXiv 1908 11143"},{"key":"ref108","doi-asserted-by":"publisher","DOI":"10.1109\/JPROC.2017.2761740"},{"key":"ref94","article-title":"DeepPeep: Exploiting design ramifications to decipher the architecture of compact DNNs","author":"jha","year":"2020","journal-title":"arXiv 2007 15248"},{"key":"ref107","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00087"},{"key":"ref93","doi-asserted-by":"publisher","DOI":"10.1145\/3029806.3029822"},{"key":"ref106","doi-asserted-by":"publisher","DOI":"10.1145\/3173162.3173204"},{"key":"ref92","article-title":"Enabling privacy-preserving, compute- and data-intensive computing using heterogeneous trusted execution environment","author":"zhu","year":"2019","journal-title":"arXiv 1904 04782"},{"key":"ref105","first-page":"955","article-title":"Translation leak-aside buffer: Defeating cache side-channel protections with TLB attacks","author":"gras","year":"2018","journal-title":"Proc 27th USENIX Secur Symp (USENIX Secur )"},{"key":"ref91","doi-asserted-by":"publisher","DOI":"10.1109\/IPCCC50635.2020.9391574"},{"key":"ref104","doi-asserted-by":"publisher","DOI":"10.1145\/3065913.3065915"},{"key":"ref90","doi-asserted-by":"publisher","DOI":"10.1145\/3297858.3304021"},{"key":"ref103","first-page":"557","article-title":"Inferring fine-grained control flow inside SGX enclaves with branch shadowing","author":"lee","year":"2017","journal-title":"Proc 26th USENIX Secur Symp (USENIX Secur )"},{"key":"ref102","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2015.45"},{"key":"ref111","doi-asserted-by":"publisher","DOI":"10.1145\/3079856.3080246"},{"key":"ref112","first-page":"1","article-title":"CUDA leaks: Information leakage in GPU architectures","volume":"15","author":"di pietro","year":"2016","journal-title":"ACM Trans Embedded Comput Syst"},{"key":"ref110","doi-asserted-by":"publisher","DOI":"10.1109\/JSSC.2016.2616357"},{"key":"ref98","first-page":"487","article-title":"An off-chip attack on hardware enclaves via the memory bus","author":"lee","year":"2020","journal-title":"Proc 29th USENIX Secur Symp (USENIX Secur )"},{"key":"ref99","doi-asserted-by":"publisher","DOI":"10.1109\/SP40000.2020.00057"},{"key":"ref96","first-page":"1041","article-title":"Telling your secrets without page faults: Stealthy page table-based attacks on enclaved execution","author":"bulck","year":"2017","journal-title":"Proc 26th USENIX Secur Symp (USENIX Secur )"},{"key":"ref97","doi-asserted-by":"publisher","DOI":"10.1145\/3152701.3152706"},{"key":"ref10","article-title":"Membership inference attacks against machine learning models","author":"shokri","year":"2016","journal-title":"arXiv 1610 05820"},{"key":"ref11","author":"holmes","year":"2021","journal-title":"533 million Facebook users&#x2019; phone numbers and personal data have been leaked online"},{"key":"ref12","first-page":"619","article-title":"Oblivious multi-party machine learning on trusted processors","author":"ohrimenko","year":"2016","journal-title":"Proc 25th USENIX Secur Symp (USENIX Secur )"},{"key":"ref13","article-title":"Chiron: Privacy-preserving machine learning as a service","author":"hunt","year":"2018","journal-title":"arXiv 1803 05961"},{"key":"ref14","first-page":"533","article-title":"Ryoan: A distributed sandbox for untrusted computation on secret data","author":"hunt","year":"2016","journal-title":"Proc of USENIX Symp on Operating Systems Design and Implementation (OSDI)"},{"key":"ref15","doi-asserted-by":"publisher","DOI":"10.1145\/3423211.3425687"},{"key":"ref82","first-page":"1","article-title":"Reverse engineering convolutional neural networks through side-channel information leaks","author":"hua","year":"2018","journal-title":"Proc 55th ACM\/ESDA\/IEEE Design Autom Conf (DAC)"},{"key":"ref118","doi-asserted-by":"publisher","DOI":"10.23919\/DATE48585.2020.9116560"},{"key":"ref16","first-page":"817","article-title":"Telekine: Secure computing with cloud GPUs","author":"hunt","year":"2020","journal-title":"Proc 17th USENIX Symp Netw Syst Design Implement (NSDI)"},{"key":"ref17","doi-asserted-by":"publisher","DOI":"10.1145\/2487726.2488368"},{"key":"ref117","doi-asserted-by":"publisher","DOI":"10.1145\/3411508.3421376"},{"key":"ref81","doi-asserted-by":"publisher","DOI":"10.1145\/3411495.3421356"},{"key":"ref18","author":"limited","year":"2009","journal-title":"Building a Secure System Using TrustZone Technology"},{"key":"ref84","doi-asserted-by":"publisher","DOI":"10.1109\/HOST45689.2020.9300274"},{"key":"ref19","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2015.10"},{"key":"ref83","first-page":"515","article-title":"CSI NN: Reverse engineering of neural network architectures through electromagnetic side channel","author":"batina","year":"2019","journal-title":"Proc 28th USENIX Secur Symp (USENIX Secur )"},{"key":"ref119","doi-asserted-by":"publisher","DOI":"10.1145\/3458864.3466628"},{"key":"ref114","doi-asserted-by":"publisher","DOI":"10.1145\/3274694.3274696"},{"key":"ref113","doi-asserted-by":"publisher","DOI":"10.1109\/TCSII.2020.2973007"},{"key":"ref116","article-title":"Confidential deep learning: Executing proprietary models on untrusted devices","author":"vannostrand","year":"2019","journal-title":"arXiv 1908 10730"},{"key":"ref80","article-title":"Privado: Practical and secure DNN inference with enclaves","author":"grover","year":"2018","journal-title":"arXiv 1810 00602"},{"key":"ref115","first-page":"431","article-title":"Raccoon: Closing digital side-channels through obfuscated execution","author":"rane","year":"2015","journal-title":"Proc 24th USENIX Secur Symp (USENIX Secur )"},{"key":"ref89","first-page":"681","article-title":"Graviton: Trusted execution environments on GPUs","author":"volos","year":"2018","journal-title":"Proc of USENIX Symp on Operating Systems Design and Implementation (OSDI)"},{"key":"ref120","doi-asserted-by":"publisher","DOI":"10.1109\/SP40000.2020.00061"},{"key":"ref121","first-page":"549","article-title":"Armageddon: Cache attacks on mobile devices","author":"lipp","year":"2016","journal-title":"Proc 25th USENIX Secur Symp (USENIX Secur )"},{"key":"ref122","article-title":"Truspy: Cache side-channel information leakage from the secure world on arm devices","author":"zhang","year":"2016"},{"key":"ref123","doi-asserted-by":"publisher","DOI":"10.1109\/INFOCOM.2018.8486293"},{"key":"ref85","article-title":"Slalom: Fast, verifiable and private execution of neural networks in trusted hardware","author":"tram\u00e8r","year":"2018","journal-title":"arXiv 1806 03287"},{"key":"ref86","article-title":"GOAT: GPU outsourcing of deep learning training with asynchronous probabilistic integrity verification inside trusted execution environment","author":"asvadishirehjini","year":"2020","journal-title":"arXiv 2010 08855"},{"key":"ref87","article-title":"ShadowNet: A secure and efficient system for on-device model inference","author":"sun","year":"2020","journal-title":"arXiv 2011 05905"},{"key":"ref88","article-title":"Privacy-preserving inference in machine learning services using trusted execution environments","author":"giri narra","year":"2019","journal-title":"arXiv 1912 03485"}],"container-title":["IEEE Access"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx7\/6287639\/9312710\/09656734.pdf?arnumber=9656734","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2022,3,28]],"date-time":"2022-03-28T21:19:33Z","timestamp":1648502373000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/9656734\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021]]},"references-count":149,"URL":"https:\/\/doi.org\/10.1109\/access.2021.3136889","relation":{},"ISSN":["2169-3536"],"issn-type":[{"value":"2169-3536","type":"electronic"}],"subject":[],"published":{"date-parts":[[2021]]}}}