gms | German Medical Science

66. Jahrestagung der Deutschen Gesellschaft für Medizinische Informatik, Biometrie und Epidemiologie e. V. (GMDS), 12. Jahreskongress der Technologie- und Methodenplattform für die vernetzte medizinische Forschung e. V. (TMF)

26. - 30.09.2021, online

A step towards securing machine learning models via cloud computing

Meeting Abstract

  • Sven Festag - Institute of Medical Statistics, Computer and Data Sciences, Jena University Hospital, Jena, Germany
  • Sasanka Potluri - Institute of Medical Statistics, Computer and Data Sciences, Jena University Hospital, Jena, Germany
  • Cord Spreckelsen - Institute of Medical Statistics, Computer and Data Sciences, Jena University Hospital, Jena, Germany

Deutsche Gesellschaft für Medizinische Informatik, Biometrie und Epidemiologie. 66. Jahrestagung der Deutschen Gesellschaft für Medizinische Informatik, Biometrie und Epidemiologie e. V. (GMDS), 12. Jahreskongress der Technologie- und Methodenplattform für die vernetzte medizinische Forschung e.V. (TMF). sine loco [digital], 26.-30.09.2021. Düsseldorf: German Medical Science GMS Publishing House; 2021. DocAbstr. 146

doi: 10.3205/21gmds061, urn:nbn:de:0183-21gmds0617

Published: 24 September 2021

© 2021 Festag et al.
This is an open-access article distributed under the terms of the Creative Commons Attribution 4.0 License. For licence details see



Data protection and patient privacy are core objectives of modern data-driven medical applications. Machine learning (ML) approaches in particular, which rely heavily on large datasets, put these aims at risk. In recent years, many threats to ML-based applications have been identified [1]. This work summarises the possible attacks and presents preliminary ideas for supplementary security mechanisms for deploying ML-based medical applications in the cloud.

In a previous publication we already discussed a privacy-preserving collaborative training mechanism [2]. The present work therefore focuses exclusively on protection approaches for the inference phase. Attacks can be classified by their goal as evasion (adversarial), impersonation and inversion attacks [1], and by the attacker's knowledge of the model as white-box and black-box attacks [3].

In medical applications, adversarial attacks may target diagnostic or billing models to deliberately make them suggest wrong outputs; attackers can use such results to blackmail or defraud the associated medical institutions [4]. Impersonation attacks mostly affect identification systems such as biometric patient classifiers; Garcia-Ceja et al. describe the reconstruction of biometric patient profiles collected by wearable devices [5]. Inversion attacks can be regarded as a supergroup of impersonation attacks: they aim at extracting information about the training dataset that was never meant for publication [6].

White-box attackers have access to the learned parameters and topology of the targeted ML model, whereas black-box attackers can only submit queries and observe the corresponding outputs. Even black-box attacks pose a significant risk to training data privacy [5], [7], so deployed ML models must be secured against them as well.

Cloud-based computing frameworks such as GAIA-X partially enable the secure deployment of trained models [8]. GAIA-X offers a sovereign, GDPR-compliant cloud infrastructure. In contrast to self-hosted servers, cloud infrastructures provide advantages such as improved access control and security monitoring. On their own, however, they cannot ensure data protection and privacy: black-box attacks use only the legitimate query interface and its outputs, so infrastructure-level controls do not stop them. Alves et al. therefore proposed a countermeasure that modifies certain outputs (the confidence information) of ML models [7]. Building on this approach, we identified further requirements for an application-dependent gatekeeping mechanism that supplements the security mechanisms of cloud infrastructures. Besides modifying certain model outputs, it must control the incoming query stream in order to counter the often underestimated risk of inversion attacks. For the analysis of incoming data, the approach we presented in [9] is suitable.
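The black-box setting and the two gatekeeper requirements (modified outputs, controlled query streams) can be made concrete with a small simulation. The following Python block is an added illustration and is not code from the abstract, its authors or the cited works: the four-feature logistic model, the attacker's coordinate search, the rounding of confidences to one decimal and the per-client budget of 100 queries are all constructed assumptions. The attacker recovers the input the model is most confident about using nothing but queries and confidence outputs; rounding the confidences (the basic countermeasure of Fredrikson et al. [6]) stalls the search, and the query budget stops it before it completes and flags the client.

```python
"""Black-box model inversion against a confidence-returning classifier, and a
gatekeeper that coarsens confidences and throttles query streams.
Added illustration: model weights, rounding policy and query budget are
constructed for this example, not taken from the abstract or its references."""
import math
from collections import defaultdict

# Constructed toy binary classifier over four features scaled to [0, 1].
W = [3.0, -2.0, 1.5, -1.0]
B = 0.0
TARGET_CLASS = 1


def predict_proba(x):
    """The deployed model: returns the full, unrounded confidence vector."""
    z = sum(w * xi for w, xi in zip(W, x)) + B
    p1 = 1.0 / (1.0 + math.exp(-z))
    return [1.0 - p1, p1]


def black_box_inversion(oracle, n_features=4, target=TARGET_CLASS,
                        steps=11, passes=3):
    """Attacker with query access only. Coordinate-wise grid search for the
    input the model is most confident belongs to `target`, i.e. a class
    representative recovered purely from confidence outputs."""
    x = [0.5] * n_features
    best = oracle(x)[target]
    for _ in range(passes):
        for i in range(n_features):
            for k in range(steps):
                cand = list(x)
                cand[i] = k / (steps - 1)
                conf = oracle(cand)[target]
                if conf > best:  # climbing needs fine-grained confidences
                    best, x = conf, cand
    return x


class Gatekeeper:
    """Application-dependent layer between clients and the model: rounds the
    confidence outputs and enforces a per-client query budget, flagging any
    client that exceeds it (constructed policy, not the abstract's design)."""

    def __init__(self, model, decimals=None, budget=10 ** 9):
        self.model, self.decimals, self.budget = model, decimals, budget
        self.queries = defaultdict(int)
        self.flagged = set()

    def query(self, client_id, x):
        self.queries[client_id] += 1
        if self.queries[client_id] > self.budget:
            self.flagged.add(client_id)
            raise PermissionError(f"query budget exceeded for {client_id}")
        probs = self.model(x)
        if self.decimals is None:
            return probs
        return [round(p, self.decimals) for p in probs]


def reconstruction_error(x, reference=(1.0, 0.0, 1.0, 0.0)):
    """L1 distance to the toy model's true class-1 representative."""
    return sum(abs(a - b) for a, b in zip(x, reference))


def run_attack(decimals=None, budget=10 ** 9, client="attacker"):
    """Run the inversion attack through a Gatekeeper with the given policy.
    Returns (reconstruction or None if throttled, queries used, flagged)."""
    gk = Gatekeeper(predict_proba, decimals=decimals, budget=budget)
    try:
        x = black_box_inversion(lambda v: gk.query(client, v))
    except PermissionError:
        x = None
    return x, gk.queries[client], client in gk.flagged


if __name__ == "__main__":
    scenarios = [
        ("no protection", {}),
        ("rounded confidences", {"decimals": 1}),
        ("rounding + query budget", {"decimals": 1, "budget": 100}),
    ]
    for name, policy in scenarios:
        x, used, flagged = run_attack(**policy)
        err = None if x is None else round(reconstruction_error(x), 2)
        print(f"{name:24s} queries={used:4d} flagged={flagged!s:5s} "
              f"reconstruction={x} error={err}")
```

Running the file prints the three scenarios: with raw confidences the attacker recovers the class representative exactly in 133 queries; with rounded confidences the search stalls once neighbouring candidates produce equal rounded values; with the budget in place the attacker is cut off and flagged after the 101st query. In a real deployment the rounding granularity and the budget would be tuned per application, and flagged clients would feed the query-stream analysis referred to above.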

This preliminary work summarises the types of attacks on deployed ML models and some countermeasures. To ensure data protection and privacy in universally accessible ML solutions for medical applications, a gatekeeping mechanism building on the ideas in [7], [9] must be developed on top of the available cloud computing infrastructure. Our future research focuses on the opportunities offered by GDPR-compliant cloud solutions for securely deploying medical ML models after training, instead of relying on poorly scalable and less secure private servers.

The authors declare that they have no competing interests.

The authors declare that an ethics committee vote is not required.


[1] Liu Q, Li P, Zhao W, Cai W, Yu S, Leung VCM. A Survey on Security Threats and Defensive Techniques of Machine Learning: A Data Driven View. IEEE Access. 2018;6:12103–17. DOI: 10.1109/ACCESS.2018.2805680
[2] Festag S, Spreckelsen C. Privacy-Preserving Deep Learning for the Detection of Protected Health Information in Real-World Data: Comparative Evaluation. JMIR Form Res. 2020;4(5):e14064. DOI: 10.2196/14064
[3] Sablayrolles A, Douze M, Schmid C, Ollivier Y, Jegou H. White-box vs Black-box: Bayes Optimal Strategies for Membership Inference. In: Chaudhuri K, Salakhutdinov R, editors. Proceedings of the 36th International Conference on Machine Learning. PMLR; 2019. p. 5558–67.
[4] Finlayson SG, Bowers JD, Ito J, Zittrain JL, Beam AL, Kohane IS. Adversarial attacks on medical machine learning. Science. 2019 Mar 22;363(6433):1287–9. DOI: 10.1126/science.aaw4399
[5] Garcia-Ceja E, Morin B, Aguilar-Rivera A, Riegler MA. A Genetic Attack Against Machine Learning Classifiers to Steal Biometric Actigraphy Profiles from Health Related Sensor Data. J Med Syst. 2020;44(10):187. DOI: 10.1007/s10916-020-01646-y
[6] Fredrikson M, Jha S, Ristenpart T. Model Inversion Attacks that Exploit Confidence Information and Basic Countermeasures. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security. Denver, Colorado, USA: ACM; 2015. p. 1322–33.
[7] Alves TAO, Franca FMG, Kundu S. MLPrivacyGuard: Defeating Confidence Information based Model Inversion Attacks on Machine Learning Systems. In: Proceedings of the 2019 on Great Lakes Symposium on VLSI. New York, NY, USA: ACM; 2019. p. 411–5. DOI: 10.1145/3299874.3319457
[8] Biegel F, Andreas B, Chidambaram R, Feld T, Garloff K, Ingenrieth F, et al. GAIA-X: Driver of digital innovation in Europe. Berlin: Federal Ministry for Economic Affairs and Energy; 2020. p. 30.
[9] Potluri S, Ahmed S, Diedrich C. Convolutional Neural Networks for Multi-class Intrusion Detection System. In: Groza A, Prasath R, editors. Mining Intelligence and Knowledge Exploration. Cham: Springer International Publishing; 2018. p. 225–38. DOI: 10.1007/978-3-030-05918-7_20