1、隐私计算在大数据AI领域的应用实践龚奇源 资深架构师|01隐私计算隐私计算02大数据大数据AI+隐私计算隐私计算03应用实践应用实践04总结和展望总结和展望目录目录CONTENT|隐私计算01|隐私计算背景|个人的需求个人的需求隐私和安全的意识提高隐私和安全合规要求隐私和安全合规要求 国外：欧盟GDPR，美国CCPA等 国内：网络安全法，数据安全法，个人信息保护法等隐私和安全的要求和管理隐私和安全的要求和管理宽松宽松严格严格隐私计算背景|https:/ 易用性提高 方向逐步细化 存储、处理更多数据 分析（查询）更多数据 实时分析 建模和预测(机器学习、深度学习)AI 无处不在 从实验室走向生产

2、环境 应用于大规模、分布式大数据“Machine Learning Yearning”,Andrew Ng,2016大数据AI背景|清洗/准备部署/可视化分析/建模获取/存储数据管理数据管理数据分析数据分析数据科学及人工智能数据科学及人工智能集成的数据流水线大数据AI+隐私计算|常见痛点：能否兼容现有的应用 现有的应用(数据分析和AI)能否直接迁移 对其他应用和设施是否有冲击能否处理大规模数据 能否支持大规模数据 计算效率是否足够好 能否解决数据孤岛问题|BigDL PPML:可信的大数据AIHW(SGX/TDX)Protected Secure Big Data AI,even on Unt

3、rusted CloudStandard,distributed AI applications on encrypted dataHardware(Intel SGX/TDX)protected computation(and memory)End-to-end security enabled for the entire workflowProvision and attestation of“trusted cluster environment”on K8s(of SGX nodes)Secrete key management through KMS for distributed

4、 data decryption/encryptionSecure distributed compute and communication(via SGX,encryption,TLS,etc.)K8s(on-prem or cloud)Worker Node.Distributed StorageDriver NodeData Lake/Warehouse Trusted Cluster Environment for Big Data AIWorker NodeWorker NodePPML.大数据AI+隐私计算|Apache Spark中的安全网络加密（TLS/AES）存储加密（AE

5、S）计算（明文）SparkHardware(CPU,Memory,GPU etc)AppOS(Operating System)HypervisorIf OS/VM/Hypervisor/BIOS is hacked by adversaries,then they can dump sensitive data(input,temp,output etc)from Spark.大数据AI+隐私计算|AppHardware(CPU,Memory,GPU etc)AppOS(Operating System)HypervisorINTEL SGXSGX enclaveX英特尔软件防护扩展英特尔软

6、件防护扩展SGX硬件级的可信执行环境(TEE)相对小的攻击面性能影响小足够大的飞地（最大1TB）已经被广泛测试、研究和部署Secure Spark with SGXRunning in SGXHypervisorOSSparkAppCodeWithout SGXSparkAppCodeHypervisorOSSGX SDK大数据AI+隐私计算|攻击者可以获取到应用和敏感数据攻击者无法获取明文数据保护明文和敏感模块缺点：缺点：开发代价大开发代价大代码无法复用代码无法复用https:/ SGXC+/Python/Java/R/OneDNNAppLibOSSGX SDKsgx-lklTensorFl

7、owFlinkSparkIntel SGXSGX AppSGX SDKDLRKMSBlock Chain安全安全+易用性Auth大数据AI+隐私计算|Running unchanged Spark Applications in SGXRunning in SGXHypervisorOSSparkAppCodeSGX LibOSHypervisorOSSGX SDKSparkAppCode保护明文和敏感模块保护整个Spark优点：优点：不需要修改不需要修改Spark和和Spark应用应用大数据AI+隐私计算|Running unchanged Spark Applications in SGX

8、DriverExecutorClientRunning in SGXExecutorTrustedUn-TrustedLibOSLibOSLibOS加密存储加密存储计算计算KMS|大数据AI+隐私计算Attack on distributed SparkDriverExecutorClientRunning in SGXExecutorTrustedUn-TrustedLibOSLibOS加密存储加密存储计算计算KMS|大数据AI+隐私计算远程证明保证应用的完整性Attestation in short:Verify if an application is running in SGXApp

9、lication is expectedWithin SGXRunning env is securedAttestation result(verify evidence/quote)Look goodNot goodAppClientchallengeevidence大数据AI+隐私计算DriverExecutorClientLibOSLibOSExecutorAttestation ServiceDriverExecutorExecutorLibOSLibOSKMSkill需要修改Spark的注册和Submit无需修改Spark和Spark应用远程证明保证应用的完整性大数据AI+隐私计算

10、BigDL PPML Container(Client)Attestation ServiceKey Mgmt Service(w/SGX nodes)BigDL PPML Container(Driver)BigDL PPML Container(Worker)BigDL PPML Container(Worker)BigDL PPML Container(Worker)124356781User submits PolicyUser submits job toK8s(usingBigDLPPML CLI),whichcreates thedriver node Driver create

11、s more worker nodesAS attests Driver/executorDriver and workers request keys from KMSWorkers read and decrypt input dataWorkers run distributed Big Data,ML and DL programsWorkers encrypt and write output data23456778BigDL PPML端到端一站式架构大数据AI+隐私计算BigDL PPML WorkflowStep 0 DeploymentStep 1 PreparationSt

12、ep 2 Build AppStep 3 Submit JobStep 4 Read Result Set up K8s cluster Set up K8s-SGX plugin Set up Attestation service Set up KMS(key management service)Upload BigDL PPML docker image to K8s registery Encypt and upload data SubmitPolicy Buid standard Big Data and ML applications()Optionally use BigDL

13、 PPML APIs(ctypto,VFL,etc.)UseBigDL PPML container and CLI to submit job to K8s Decrypt and read result of the job集群管理员集群管理员开发者开发者/数据科学家数据科学家正常的建模和查询正常的建模和查询SGX相关的准备和开发相关的准备和开发https:/ 隐私保护的机器学习Intel SGXonTrusted Big Data&AI AppsTrusted SQL&DataframeTrusted MLTrustedDLTrusted FL(Federated Learning)E2

14、E Distributed PipelineLibrary and FrameworkOrcaDistributed AI(TensorFlow/PyTorch/OpenVINO/Ray)PipelineDLlibDistributed Deep Learning Framework for Apache SparkApache FlinkSecure Execution LayerSecure Parameter SyncSecure Storage I/OSecure Network I/OSecure Data AlignmentCryptoLibOSSGX SDKHomomorphic

15、 EncryptionApache SparkXGBoostRayTensorFlowPyTorhOpenVINOKey MgmtAttestationSecure&Trusted Big Data and AI,even on Untrusted Cloud(using SGX)应用实践03|实时的流计算-天池大赛|Alibaba,Intel and Occlum community co-host Kaggle-like PPML competition for spam detection in online e-commence recommendation.100Building P

16、PML ApplicationsDeployed on Alibaba CloudXeon Servers(SGX)Alibaba Apsara PPMLUser ApplicationsFlinkPyTorchPPML layerOcclum100+IceLakeInstances4500TeamsTensorFlow https:/ Mobile Edge Computing provides common 5G services at the edge of the mobile telecommunication network.This POC runs Trusted Model

17、Serving on BigDL PPML,providing secure,real-time,distributed DL model inference service across a cluster of Ice Lake servers100Secure Inference per MEC VME2E Inference Pipeline Overhead MEC PlatformHTTPmodelmodeluser requestresponseInference EngineSGX Enclave1300image/sec5%overheadshttps:/ TPC-DS|Dr

18、iverExecutorClientExecutorTrustedUn-TrustedLibOSLibOSLibOS机密计算机密计算KMSAttestationSpark SQL w/SGX Performance Comparison联邦学习|https:/ Federated LearningBuild united model across different paritiesTraining data remain localAggregation temp/partial resultsSecured computation environment with SGXWin-Win for all partiesEnd usersEnterprisesCloud Service providers总结和展望04|总结和展望|隐私计算+大数据AI若干痛点用SGX构建安全的执行环境LibOS帮助应用无缝迁移保证性能影响最小能够支持大规模数据联邦学习解决数据孤岛BigDL PPML构建一站式的隐私计算方案总结和展望|TEE发展趋势发展趋势易用性TDX/Realm/SEV-SNP，机密容器安全性：TEEOS,Micro kernel拓展性IO的支持加速器的支持：GPU/QAT/FPGA非常感谢您的观看|