Steffen Karcher successfully defended his Master Thesis

Steffen Karcher successfully defended his Master Thesis on "Evaluation of Protective Measures for Machine Learning on Android"

The use of artificial intelligence is currently experiencing strong growth, driven by the increase in available computing power over the last decade. Machine Learning (ML) applications can be found in all industries and are becoming increasingly important. However, various attacks against ML applications are known today, and many systems are either not secured against them at all or only insufficiently.

Although effective protective measures against these attacks already exist, research into them is still young. The research area covering attacks against ML applications and protective measures for them can be summarized under the term Secure Learning. Secure Learning will also be necessary in the future on devices with limited resources, since many applications will no longer run only in powerful data centers.

An important platform for Secure Learning is Android. The goal of this thesis is to evaluate the feasibility of protective measures for ML on the Android platform. For this purpose, ML models for the MNIST and CIFAR10 databases are enhanced with the protective measures adversarial training, differential privacy and anomaly detection to increase the robustness and privacy of the models. Then, on the one hand, the impact of these protective measures on the performance of Android devices is measured using benchmarks, and on the other hand, the security of the models on Android is evaluated by running attacks against them. This work contributes to lowering the barrier for developing secure ML applications.

Finally, the work shows that achieving security goals on the Android platform is generally possible and Android does not impose limitations on the tested ML models and protective measures, provided that the target devices provide sufficient computing power.

However, the evaluated protection mechanisms need to be explored in more detail for meaningful deployment. Complete protection through the use of Secure Learning cannot be guaranteed in general, since not only the protective measures but also the attacks are constantly evolving and new attacks could be discovered at any time.