Machine learning. We believe that it has the potential to be a game changer that will transform the course of our future. But what actually is machine learning? The term refers to training an artificial intelligence with typically massive sets of data. The resulting trained model can then predict other data. To illustrate this, we can see how medical data could be processed automatically by an artificial intelligence. Think of a doctor screening a patient for TBC. The doctor takes a look at the X-ray image to tell whether the patient is infected or not. This needs years of training and lots of experience. A trained AI could do the same job much more efficiently and make the technique available even to general practitioners. Imagine that a maker of TBC screening systems produces a system that read the X-ray scans and make the diagnosis by itself. All it needs is a good set of X-ray images with the right diagnoses attached. The system is trained with these scans to produce a model that can predict the diagnoses for future scans. What is immediately clear is that the data that the machine is being fed with has to be sound: All incorrect or flawed data has to be screened out, and the meaningful data has to be identified and correlated. The model that slowly grows from this process becomes the intellectual property of the manufacturer. And as soon as intellectual property comes into the picture, we get problems: There will be counterfeiters trying to build similar systems by abusing the property of the original maker. There might even be outright saboteurs who want to manipulate what the system can do in practice. Latest at this point – much sooner, if you ask us – the device maker should start thinking about ways to protect that IP. The IP comes in multiple forms: It is the data used originally to train the model, the training setup itself, and the eventual trained model. It does not matter whether the model in question is a virtual system operating in the cloud or an actual device sitting on a desk in a doctor’s surgery room somewhere. At stake in both cases is a data model that can be accessed via the physical device and that needs to be securely stored in the cloud. And for both threats, CodeMeter has a perfect solution: Encrypting the model to protect it against unauthorized use, copying, or espionage.

1. Axel Engelmann
Architect Protection Technologies – Wibu-Systems
Andreas Schaad
Professor of IT Security – University of Applied Sciences Offenburg
Security and Protection for
Machine Learning
2022-05-11 © WIBU-SYSTEMS AG 2022 - Security and Protection for Machine Learning 1

2. Where to find the accompanying audio
To access the on-demand replay of this masterclass, please visit
www.wibu.com/wibu-systems-webinars/security-and-protection-for-machine-
learning/access.html
2022-05-11 © WIBU-SYSTEMS AG 2022 - Security and Protection for Machine Learning 2

3. Introduction to
Machine Learning
2022-05-11 © WIBU-SYSTEMS AG 2022 - Security and Protection for Machine Learning 3

4. Machine Learning in a Nutshell
2022-05-11 © WIBU-SYSTEMS AG 2022 - Security and Protection for Machine Learning 4
 In the widest sense, a specific field of Artificial Intelligence.
 Machine Learning comprises a set of techniques / tools that
now complement our software development lifecycle.
 Why?
 Can replace hard to maintain rulesets / imperative programming
 Widely available computational frameworks
 CPU power / Cloud platforms / Data
 Available skillset increasing / part of Comp. Science curriculum
 But: Securing the ML Lifecycle is important!

5. Machine Learning in a Nutshell
2022-05-11 © WIBU-SYSTEMS AG 2022 - Security and Protection for Machine Learning 5
 Making predictions based on already known data
 Classifying new data based on known data
y
x
x2
x1

6. Examples
2022-05-11 © WIBU-SYSTEMS AG 2022 - Security and Protection for Machine Learning 6
y
x
x1
 Making predictions based on already known data
 Financial Forecasting
 Maintenance Prediction
 Network Analysis
 ….
 Classifying new data based on known data
 Spam Filtering
 Image Recognition
 Intrusion Detection
 … x2

7. Example
2022-05-11 © WIBU-SYSTEMS AG 2022 - Security and Protection for Machine Learning 7

8. The Machine Learning Lifecycle
2022-05-11 © WIBU-SYSTEMS AG 2022 - Security and Protection for Machine Learning 8
1. Training Phase
Trained model is created.
 Data collection
 Pre-processing & Feature engineering
 Training process using a framework
code
 Outcome: Trained model
2. Inference Phase
Trained model is used to predict results from
new data. Cloud or offline usage.
 Input
 Pre-processing
 Prediction using trained model
 Outcome: Output (Prediction)

9. raw data preprocessing training model
query
result
Data Collection Pre-processing & Training Deployed & Operational Model
The Machine Learning Lifecyle
2022-05-11 © WIBU-SYSTEMS AG 2022 - Security and Protection for Machine Learning 9

10. configuration
raw data preprocessing training model
algorithms
query
result
Data Collection Pre-processing & Training Deployed & Operational Model
The Machine Learning Lifecycle
2022-05-11 © WIBU-SYSTEMS AG 2022 - Security and Protection for Machine Learning 10

11. configuration
raw data preprocessing training model
algorithms
query
result
Data Collection Pre-processing & Training Deployed & Operational Model
The Machine Learning Lifecycle
2022-05-11 © WIBU-SYSTEMS AG 2022 - Security and Protection for Machine Learning 11

12. configuration
raw data preprocessing training model
algorithms
query
result
Data Collection Pre-processing & Training Deployed & Operational Model
Data Owner Cloud Operator
ML Engineers Model Owner
Customer
The Machine Learning Lifecycle
2022-05-11 © WIBU-SYSTEMS AG 2022 - Security and Protection for Machine Learning 12

13. Summary
2022-05-11 © WIBU-SYSTEMS AG 2022 - Security and Protection for Machine Learning 13
 What are the assets we need to protect?
 Source / Training data
 Training configuration
 Licensed access to our trained model
 Secure delivery of results
 …and many stakeholders with different
access or licensing requirements

14. Attacking the ML Lifecycle
2022-05-11 © WIBU-SYSTEMS AG 2022 - Security and Protection for Machine Learning 14
Data Poisoning
Model Stealing
Configuration
Stealing Unlicensed
querying
Model Extraction
Data Leakage
Framework
Backdoors
Data Collection Pre-processing & Training Deployed & Operational Model

15. More Details
2022-05-11 © WIBU-SYSTEMS AG 2022 - Security and Protection for Machine Learning 15
What do I need to
consider to secure
my ML pipeline?
What are known
real-world attacks?
https://joom.ag/gdpd/p40

16. Threats
2022-05-11 © WIBU-SYSTEMS AG 2022 - Security and Protection for Machine Learning 16
Phase Description Category (CIA) Access needed
Training Data Poisoning Integrity no
Training Model Poisoning Integrity yes
Inference Model Stealing Confidentiality yes
Inference Model Replacement Integrity, Availability yes
Inference Model Extraction Confidentiality no
Inference Inference/Exfiltration Attacks Confidentiality no
Inference Perturbation Attacks Integrity no
Both
Software Dependencies of ML System
Exploit
Confidentiality, Integrity, Availiability no

17. Proof of Concept
 Medical ML project
 3500 x-ray pictures
 Data transfer from source to
ML environment already secured
using CodeMeter
 Protection against data
poisoning
 Today’s Demo: Protecting the training model against stealing
2022-05-11 © WIBU-SYSTEMS AG 2022 - Security and Protection for Machine Learning 17

18. CodeMeter
at a Glance
2022-05-11 © WIBU-SYSTEMS AG 2022 - Security and Protection for Machine Learning 18

19. CodeMeter Licensing Systems
2022-05-11 © WIBU-SYSTEMS AG 2022 - Security and Protection for Machine Learning 19
CmCloudContainer
License container
in the WIBU cloud
Bound to a user
CmDongle
License container
in a secure hw element
Bound to a smart card chip
License Server
License Server in LAN / WAN
CmActLicense
License container
in an encrypted file
Bound to an endpoint

20. License Entries
2022-05-11 © WIBU-SYSTEMS AG 2022 - Security and Protection for Machine Learning 20
 License entry = Firm Code | Product Code
 Firm Code: issued by Wibu-Systems
 Product Code:
 Defined by the software vendor
 Per Option / Module / Feature
 4 bn. Product Codes (UInt32)
 Up to 2,000 Product Items per CmContainer
 Product Item Options: Each license can include
combinable options
Firm Code: 6.000.010
…
Product Code: 201.000
Product Code: 201.001
Product Code: 201.002
Product Item Options
Product Item Options
Product Item Options

21. CodeMeter
Protection Suite
2022-05-11 © WIBU-SYSTEMS AG 2022 - Security and Protection for Machine Learning 21

22. Overview CodeMeter Protection Suite
2022-05-11 © WIBU-SYSTEMS AG 2022 - Security and Protection for Machine Learning 22
Windows macOS Linux .NET Python JavaScript Java Android
Automatic Protection 1336-1000 1336-1200 1336-1300 1336-2000 1336-1700 1336-1800 1336-3000 1336-1500
Modular Licensing 1336-1001 1336-1201 1336-1301 1336-2001 1336-1701 1336-1801 1336-3001 1336-1501
IP Protection 1336-1002 1336-1202 1336-1302 1336-2002 1336-1702 1336-1802 1336-3002 1336-1502
CodeMoving 1336-1003 1336-1203 1336-1303 planned 1336-1703 1336-1803 1336-3003 1336-1503
File Encryption planned planned planned planned 1336-1704 1336-1804 planned planned
Additional Targets - - 1336-135x 1336-205x 1336-175x 136-185x planned -

23. Modules of AxProtector
2022-05-11 © WIBU-SYSTEMS AG 2022 - Security and Protection for Machine Learning 23
 Basic
 Protection with one license list (0)
 Encryption on method level
 Modular Licensing
 Use of more than 1 license list out of
license lists other than (0)
 IP Protection
 Encryption without using CodeMeter
licensing capabilities (fixed key)
 CodeMoving
 Use of CodeMoving (CmDongle and
CmCloudContainer)
 File Encryption
 File encryption modus (AI models)

24. IL-Mode AxProtector
Binary-Mode AxProtector
AxProtector Technologies – Overview
2022-05-11 © WIBU-SYSTEMS AG 2022 - Security and Protection for Machine Learning 24
 AxProtector Windows
 AxProtector macOS
 AxProtector Linux
 AxProtector Android
 AxProtector .NET
 AxProtector Python
 AxProtector JavaScript
 AxProtector Java

25. IL-Mode AxProtector
Binary-Mode AxProtector
AxProtector Technologies – Functionality
2022-05-11 © WIBU-SYSTEMS AG 2022 - Security and Protection for Machine Learning 25
 Encryption of the entire application as
one blob
 Encryption on method level requires
manual integration
 Complete decryption during startup
(except for individual defined
methods)
 No unpredictable performance impact
during runtime
 Encryption of individual methods /
classes as individual blobs
 Automatic encryption on method level
 Highest security thanks to on-demand
decryption of every method
 Very small performance impact during
runtime thanks to intelligent caching

26. Compiled Executable Protected Executable
Operating Principle of IL-based AxProtector
2022-05-11 © WIBU-SYSTEMS AG 2022 - Security and Protection for Machine Learning 26
Header Header
AxProtector …
AxEngine
(Security Engine)
2 33 E8 E1 CA
59 16 4B 75 53
E 24 C5 30 D8 85
C7 15 C2
C E6 7E 87 1B A8
9 81 53 62 DE A6 F4 AF
8 D1 D9 6D DD 1B 4 CB 82 63 82
F BD 5D 71
Start(arg) pi = (double) (2*y)
y = x * (2 + x) + 1 y = sin(x)
z = Math.Pow(10, prec) inc(ab)
if (CheckVal(x)) call (fit(y))
i += 10 for(i = 0; i < z; i++)
Picture:BM P0 FF
Icon:01 FF
String:Viewer
Picture:PN G0 FF 00
String:Open File Data:01 FF FF
Code (Methods)
Resources
9 6F F6 48 22 E7 B0 DA D1 4F 3E
2 59 D0 BD A A9 DD F4 67 44 DB
8 35 60 C3 50 C3
A8
6 4A 63 4C FE
5 9C B2 1E FA D3 DD 10 DD E0
3 8F EF C4 4C F0 79
A 5F E9 DC C5 2E C A2 3B 5D 7E
Encrypted Methods
Encrypted Resources
 Firm Code
 Product Code
 …

27. Demo
2022-05-11 © WIBU-SYSTEMS AG 2022 - Security and Protection for Machine Learning 27

28. Demo - Recap
 Client / Server application
 Image classification using a trained model
 Prediction of a tuberculosis desease
 AxProtector Python
 YAML files for encryption specification
 Protection of Python server scripts
 Protection of a trained h5 model
 Application only works with valid licenses
2022-05-11 © WIBU-SYSTEMS AG 2022 - Security and Protection for Machine Learning 28

29. https://www.wibu.com
info@wibu.com
Europe: +49-721-931720
USA: +1-425-7756900
China: +86-21-55661790
Japan: +81-45-5659710
Many thanks for your kind attention
2022-05-11 © WIBU-SYSTEMS AG 2022 - Security and Protection for Machine Learning 29