Deploying AI at the edge: The security trade-offs and how to manage them


Deploying AI at the edge brings advantages such as low latency, improved efficiency, and real-time decision-making. It also introduces new attack surfaces. Adversaries could intercept models in transit, manipulate inputs to degrade performance, or even reverse-engineer AI systems to use them against their creators.

In this Help Net Security interview, Jags Kandasamy, CEO at Latent AI, discusses the technical and strategic measures necessary to safeguard AI models, the balance between security and performance in constrained environments, and the lessons professionals can learn as they deploy AI in high-risk sectors.

Can you explain what deploying AI at the edge entails, particularly in military and critical infrastructure environments?

The moment you bring compute nodes into the far edge, you’re automatically exposing a lot of security challenges in your network. Even if you expect them to be “disconnected devices,” they could intermittently connect to transmit data. So, your security footprint is expanded. You must ensure that every piece of the stack you’re deploying at the edge is secure and trustworthy, including the edge device itself.

When considering security for edge AI, you have to think about transmitting the trained model, runtime engine, and application from a central location to the edge, opening up the opportunity for a person-in-the-middle attack.

Now, the moment your model and application are transferred, and you have them residing on the edge devices, there’s a possibility of somebody stealing the set, trying to reverse engineer it, trying to figure out your intention with edge AI.

This is critical for both commercial industry and the military: through cyber exploits, a foreign nation, a competitor, or even a saboteur could end up with your AI model and its data and use that to turn it against you.

What are the primary advantages of using edge AI compared to traditional standardized centralized AI systems in these contexts?

Traditional AI systems often rely on cloud-based service architectures, where models execute remotely. This approach introduces inherent limitations. Firstly, cloud services are not always readily available. The “warm-up” time required to initiate inactive services can significantly impact performance, rendering them unsuitable for time-critical applications.

For instance, if you have ten cloud-based models, eight may be constantly active, while the remaining two (e.g., anomaly detection or rare-event models) might be shut down to conserve resources. This “cold-start” behavior introduces significant latency, potentially leading to critical process failures when these models are suddenly required.

To mitigate these challenges, organizations are increasingly adopting edge computing. By deploying models closer to the data source, edge computing reduces bandwidth consumption, minimizes latency, and optimizes resource utilization.

For example, deploying two local servers within a factory can effectively handle a specific application, eliminating the need for a large, resource-intensive cloud infrastructure with associated maintenance and management overhead.

Given the risks, why would you want to put your model at the edge?

Security is an inherent challenge, and inaction can sometimes be the most secure approach. However, this is rarely a practical solution.

In military operations, continuous data streams from millions of global sensors generate an overwhelming volume of information. Cloud-based solutions are often inadequate due to storage limitations, processing capacity constraints, and unacceptable latency.

Therefore, edge computing is crucial for military applications, enabling immediate responses and real-time decision-making.

In commercial settings, many environments lack reliable or affordable connectivity. Edge AI addresses this by enabling local data processing, minimizing the need for constant communication with the cloud.

This localized approach enhances security. Instead of transmitting large volumes of raw data, only essential information (e.g., ‘that’s an anomaly’) is sent to the cloud. Edge AI models are typically designed for specific, narrowly defined tasks, reducing the amount of data transmitted and minimizing potential security risks.

How can security measures be effectively implemented without compromising performance with limited computational resources at the edge?

Security of AI models can be enhanced through built-in protections such as unique identifiers, watermarking, and encryption.

While adversaries can exploit AI training data and manipulate inputs to compromise model performance, post-training watermarking offers a robust defense against theft. By embedding a unique signature within the model’s architecture, we can establish ownership with minimal impact on performance. If an attacker intercepts and modifies a watermarked image, the distortion will become evident, revealing the tampering. Similarly, modifications to a watermarked model will likely distort or even remove the watermark, indicating unauthorized alterations. Watermarking establishes ownership of the model and enables version control.

With model encryption, the model remains encrypted and inaccessible even if the device is compromised.

Finally, if the model is stolen or replicated by competitors or adversaries, version control mechanisms can help identify and track unauthorized usage, providing valuable evidence for legal or counterintelligence investigations.
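The two threads of this answer, protecting the artifact in transit (the person-in-the-middle concern raised earlier in the interview) and stamping it with a unique identifier, watermark and version that survive on the device, can be shown end to end in a small script. The following is an added illustration written for this page, not code from Latent AI or from the interviewee. It assumes a hypothetical shared manifest key and watermark key (hard-coded here for a runnable demo; a real edge device would hold these in a hardware key store), uses a deliberately simple keyed LSB watermark in float32 weights to make the "tampering distorts the watermark" point concrete, and leaves encryption of the weight blob out of scope. The model ID, version numbers and weight values are constructed sample data.

```python
"""Added example: signed model manifest + keyed LSB watermark for an edge AI artifact."""
import hashlib
import hmac
import json
import random
import struct

# Hypothetical keys for the demo; provision per device from a hardware key store in practice.
MANIFEST_KEY = b"demo-manifest-signing-key"
WATERMARK_KEY = 0xC0FFEE


def _f2i(x: float) -> int:
    """float32 bit pattern as an unsigned int."""
    return struct.unpack("<I", struct.pack("<f", x))[0]


def _i2f(i: int) -> float:
    return struct.unpack("<I", struct.pack("<I", i))[0] and struct.unpack("<f", struct.pack("<I", i))[0]


def watermark_bits(model_id: str) -> list:
    """256 watermark bits derived from the model's unique identifier."""
    digest = int(hashlib.sha256(model_id.encode()).hexdigest(), 16)
    return [(digest >> k) & 1 for k in range(256)]


def watermark_positions(n_weights: int, n_bits: int, key: int) -> list:
    """Key-selected weight indices that carry the watermark bits."""
    return random.Random(key).sample(range(n_weights), n_bits)


def embed_watermark(weights: list, bits: list, key: int) -> list:
    """Write each bit into the mantissa LSB of a key-chosen weight (error <= 1 ulp)."""
    out = list(weights)
    for idx, bit in zip(watermark_positions(len(out), len(bits), key), bits):
        out[idx] = _i2f((_f2i(out[idx]) & ~1) | bit)
    return out


def watermark_match_rate(weights: list, bits: list, key: int) -> float:
    """Fraction of watermark bits still present; ~0.5 means the mark is gone."""
    pos = watermark_positions(len(weights), len(bits), key)
    return sum((_f2i(weights[i]) & 1) == b for i, b in zip(pos, bits)) / len(bits)


def serialize(weights: list) -> bytes:
    return struct.pack(f"<{len(weights)}f", *weights)


def sign_manifest(model_id: str, version: int, blob: bytes, key: bytes = MANIFEST_KEY) -> dict:
    """Manifest binding identifier, version and content hash under an HMAC."""
    manifest = {"model_id": model_id, "version": version,
                "sha256": hashlib.sha256(blob).hexdigest()}
    body = json.dumps(manifest, sort_keys=True).encode()
    manifest["mac"] = hmac.new(key, body, hashlib.sha256).hexdigest()
    return manifest


def verify_at_edge(manifest: dict, blob: bytes, installed_version: int,
                   key: bytes = MANIFEST_KEY) -> str:
    """Edge-side check: MAC, then content hash, then anti-rollback. Returns 'ok' or a reason."""
    fields = {k: v for k, v in manifest.items() if k != "mac"}
    body = json.dumps(fields, sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest.get("mac", "")):
        return "bad manifest signature"
    if hashlib.sha256(blob).hexdigest() != fields["sha256"]:
        return "model bytes do not match manifest"
    if fields["version"] <= installed_version:
        return "version rollback rejected"
    return "ok"


def demo() -> dict:
    rng = random.Random(1)
    model_id = "atr-detector"  # constructed sample identifier
    weights = [_i2f(_f2i(rng.uniform(-1, 1))) for _ in range(4096)]  # constructed float32 weights
    bits = watermark_bits(model_id)
    marked = embed_watermark(weights, bits, WATERMARK_KEY)
    # An attacker perturbing the weights (fine-tuning, noise) scrambles the LSBs.
    tampered = [_i2f(_f2i(w + rng.gauss(0, 1e-3))) for w in marked]
    blob = serialize(marked)
    manifest = sign_manifest(model_id, 3, blob)
    forged = dict(manifest, version=99)  # edited in transit without re-signing
    return {
        "max_weight_delta": max(abs(a - b) for a, b in zip(weights, marked)),
        "match_clean": watermark_match_rate(marked, bits, WATERMARK_KEY),
        "match_tampered": watermark_match_rate(tampered, bits, WATERMARK_KEY),
        "verify_ok": verify_at_edge(manifest, blob, installed_version=2),
        "verify_tampered": verify_at_edge(manifest, serialize(tampered), installed_version=2),
        "verify_forged": verify_at_edge(forged, blob, installed_version=2),
        "verify_rollback": verify_at_edge(sign_manifest(model_id, 2, blob), blob, installed_version=2),
    }


if __name__ == "__main__":
    print(demo())
```

The manifest check is what a device should run before loading anything received over an intermittent link: a modified blob or an edited manifest fails closed, and the version comparison stops an adversary from replaying an older, weaker model. The LSB watermark shows the ownership and tamper-evidence idea only; it costs at most one ulp per touched weight but does not survive retraining or requantization, so production schemes embed the mark into the learned parameters instead.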

What specific cybersecurity strategies should be employed to protect AI-driven edge devices in critical infrastructure from cyberattacks?

Implementing security as an afterthought often leads to inefficient solutions with a high computational overhead. However, our cybersecurity expertise allows us to integrate security measures directly into our core technology.

For example, watermarking techniques can be seamlessly integrated into the model’s architecture, minimizing any performance impact. This approach, where security is inherently part of the model itself, is more efficient than adding security layers as an external add-on.

While encryption inherently introduces some computational overhead, it is an essential and acceptable cost for securing edge deployments.

How can militaries ensure the integrity and trustworthiness of AI systems used in operational environments when they rely on data collected in real time?

Military organizations can implement a combination of system controls and human oversight policies to ensure the trustworthiness of AI systems.

For example, consider a model designed for automated target recognition (ATR). A crucial policy might involve regular human review of the model’s outputs to assess its accuracy and identify potential biases. This human-in-the-loop approach provides a crucial safeguard, ensuring that the system’s decisions are reliable and trustworthy, rather than solely relying on automated outputs. Our adversaries are AI-capable, and we must have vigilant policies to make sure our AI models remain operationally performant.

What advice would you give professionals deploying or managing AI systems in these environments?

Imagine each edge device as an isolated island. While independent, these islands must remain connected to the mainland, akin to a network of bridges. The term “edge continuum” represents the various islands based on the relationship between sensor and computing. These islands within the edge continuum pose challenges in network security when data and model information are transmitted.

This island analogy emphasizes the need for both local and network-level security. Each edge device requires its own robust defenses to protect sensitive data and prevent local breaches. Simultaneously, secure communication channels are essential to ensure the integrity of data transmitted between the edge and the central system.

Just as a corrupted shipment can contaminate the mainland, a compromised edge device can jeopardize the security of the entire network. Therefore, robust security measures are crucial at both the individual device and network levels.


