Qin Liu,Jiamin Yang,Hongbo Jiang,Jie Wu,Tao Peng,Tian Wang,Guojun Wang

DOI: https://doi.org/10.1109/infocom48880.2022.9796975

2022-01-01

Abstract:While cloud-based deep learning benefits for high-accuracy inference, it leads to potential privacy risks when exposing sensitive data to untrusted servers. In this paper, we work on exploring the feasibility of steganography in preserving inference privacy. Specifically, we devise GHOST and GHOST+, two private inference solutions employing steganography to make sensitive images invisible in the inference phase. Motivated by the fact that deep neural networks (DNNs) are inherently vulnerable to adversarial attacks, our main idea is turning this vulnerability into the weapon for data privacy, enabling the DNN to misclassify a stego image into the class of the sensitive image hidden in it. The main difference is that GHOST retrains the DNN into a poisoned network to learn the hidden features of sensitive images, but GHOST+ leverages a generative adversarial network (GAN) to produce adversarial perturbations without altering the DNN. For enhanced privacy and a better computation-communication trade-off, both solutions adopt the edge-cloud collaborative framework. Compared with the previous solutions, this is the first work that successfully integrates steganography and the nature of DNNs to achieve private inference while ensuring high accuracy. Extensive experiments validate that steganography has excellent ability in accuracy-aware privacy protection of deep learning.

Fei Dai,Guozhi Liu,Bi Huang,Xiaolong Xu,Chaochao Chen,Zhangbing Zhou,Xiaokang Zhou

DOI: https://doi.org/10.1109/ithings-greencom-cpscom-smartdata-cybermatics55523.2022.00070

2022-01-01

Abstract:Industrial Internet of Things (IIoT) systems can leverage deep learning (DL) models to provide intelligent applications. However, the training process of such DL models tends to leak privacy when the training data contain sensitive operational and management information. Most studies about privacy-preserving DL require a trusted data collector and thus are not suitable in an untrusted environment. In this paper, we propose a distributed privacy-preserving framework for DL with edge-cloud computing, where direct privacy leakage and indirect privacy leakage of training data are both considered. First, a pre-trained convolutional neural network (CNN) is partitioned into two parts for limiting direct privacy leakage of raw data, namely the feature module and the classification module. The feature module consisting of the lower layers of the CNN is deployed on an edge server, which is used to attract the feature of raw data. The feature data is fed to the classification module consisting of the higher layers of the CNN, which is deployed on the cloud server to compute image classification tasks. Second, a perturbation module between the feature module and the classification module is designed for limiting indirect privacy leakage during feature data transmission. The perturbation module uses local differential privacy (LDP) to produce noise in the feature data. Third, to further improve the accuracy, we retrain the classification module with the randomized feature data from edge servers. Experimental results show that the proposed framework achieves high accuracy under low privacy budgets.

Liyao Xiang,Shuang Zhang,Quanshi Zhang

DOI: https://doi.org/10.1109/tmc.2023.3340338

IF: 6.075

2024-01-01

IEEE Transactions on Mobile Computing

Abstract:Powered by machine learning services in the cloud, numerous learning-driven mobile applications are gaining popularity in the market. As deep learning tasks are mostly computation-intensive, it has become a trend to process raw data on devices and send the deep neural network (DNN) features to the cloud, where the features are further processed to return final results. However, there is always an unexpected leakage with the release of features, by which an adversary could infer much information on the original data. We propose a privacy-preserving framework on top of the mobile cloud infrastructure from the perspective of DNN structures. Our framework aims to learn a policy to modify the base DNNs to prevent information leakage while maintaining high inference accuracy. The policy can also be readily transferred to large-size DNNs and large-scale datasets to speed up learning. Extensive evaluations on a variety of DNNs have shown that our framework successfully finds privacy-preserving DNN structures to defend privacy attacks.

Chang Xia,Jingyu Hua,Wei Tong,Yayuan Xiong,Sheng Zhong

DOI: https://doi.org/10.1109/icme46284.2020.9102960

2020-07-01

Abstract:In recent years, more and more mobile applications adopt deep learning technologies, especially CNN-based image recognition. To protect service providers’ interests, the CNN models are usually deployed on the cloud, and the users are required to upload raw images, which cause serious privacy concerns since images may contain sensitive information unrelated to the desired recognition tasks. The previous solution off-loads the shallow portions of the CNN to the clients, and thus the uploaded data becomes the extracted lower-level features rather than the raw images. Nevertheless, although service providers are prevented from obtaining the original images, it is still probably for them to perform some sensitive recognition tasks other than the desired one on the lower-lever features (even after being perturbed to satisfy Differential Privacy). Different from such solution, in this paper, we propose an independent local CNN, which is dedicated for the image perturbation on the clients. It is co-trained with the cloud CNN to learn to intelligently allocate diverse noises among pixels depending on their significance to the desired recognition service. Extensive experiments demonstrate that our mechanism can well prevent curious service providers from performing undesired recognition tasks while maintaining the high accuracy of the desired one.

Jianfeng Zhang,Wensheng Zhang,Jingdong Xu

DOI: https://doi.org/10.3233/jcs-220042

2022-01-01

Journal of Computer Security

Abstract:Due to the limited capabilities of user devices, such as smart phones, and the Internet of Things (IoT), edge intelligence is being recognized as a promising paradigm to enable effective analysis of the data generated by these devices with complex artificial intelligence (AI) models, and it often entails either fully or partially offloading the computation of neural networks from user devices to edge computing servers. To protect users’ data privacy in the process, most existing researches assume that the private (sensitive) attributes of user data are known in advance when designing privacy-protection measures. This assumption is restrictive in real life, and thus limits the application of these methods. Inspired by the research in image steganography and cyber deception, in this paper, we propose StegEdge, a conceptually novel approach to this challenge. StegEdge takes as input the user-generated image and a randomly selected “cover” image that does not pose any privacy concern (e.g., downloaded from the Internet), and extracts the features such that the utility tasks can still be conducted by the edge computing servers, while potential adversaries seeking to reconstruct/recover the original user data or analyze sensitive attributes from the extracted features sent from users to the server, will largely acquire information of the cover image. Thus, users’ data privacy is protected via a form of deception. Empirical results conducted on the CelebA and ImageNet datasets show that, at the same level of accuracy for utility tasks, StegEdge reduces the adversaries’ accuracy of predicting sensitive attributes by up to 38% compared with other methods, while also defending against adversaries seeking to reconstruct user data from the extracted features.

Song Gao,Xiaoxuan Wang,Bingbing Song,Renyang Liu,Shaowen Yao,Wei Zhou,Shui Yu

DOI: https://doi.org/10.1109/tetci.2024.3367812

2024-01-01

IEEE Transactions on Emerging Topics in Computational Intelligence

Abstract:Deep neural networks (DNNs) are sensitive to adversarial examples which are generated by corrupting benign examples with imperceptible perturbations, or have significant changes but can still achieve original prediction results. The latter case is termed as the Type I adversarial example which, however, has limited attention in the literature. In this paper, we introduce two methods, termed HRG and GAG, to generate Type I adversarial examples and attempt to apply them to the privacy-preserving Machine Learning as a Service (MLaaS). Existing methods for the privacy-preserving MLaaS are mostly based on cryptographic techniques, which often incur additional communication and computation overhead, while using Type I adversarial examples to hide users' privacy data is a brand-new exploration. Specifically, HRG utilizes the high-level representations of DNNs to guide generators, and GAG leverages the generative adversarial network to transform original images. Our solution does not involve any model modifications and allows DNNs to run directly on transformed data, thus arousing no additional communication and computation overhead. Extensive experiments on MNIST, CIFAR-10, and ImageNet show that HRG can perfectly hide images into noise and achieve similar accuracy as the original accuracy, and GAG can generate natural images that are completely different from the original images with a small loss of accuracy.

Ang Li,Jiayi Guo,Huanrui Yang,Flora D. Salim,Yiran Chen

DOI: https://doi.org/10.1145/3450268.3453519

2019-01-01

Abstract:Deep learning has been widely applied in many computer vision applications,with remarkable success. However, running deep learning models on mobiledevices is generally challenging due to the limitation of computing resources.A popular alternative is to use cloud services to run deep learning models toprocess raw data. This, however, imposes privacy risks. Some prior artsproposed sending the features extracted from raw data to the cloud.Unfortunately, these extracted features can still be exploited by attackers torecover raw images and to infer embedded private attributes. In this paper, wepropose an adversarial training framework, DeepObfuscator, which prevents theusage of the features for reconstruction of the raw images and inference ofprivate attributes. This is done while retaining useful information for theintended cloud service. DeepObfuscator includes a learnable obfuscator that isdesigned to hide privacy-related sensitive information from the features byperforming our proposed adversarial training algorithm. The proposed algorithmis designed by simulating the game between an attacker who makes efforts toreconstruct raw image and infer private attributes from the extracted featuresand a defender who aims to protect user privacy. By deploying the trainedobfuscator on the smartphone, features can be locally extracted and then sentto the cloud. Our experiments on CelebA and LFW datasets show that the qualityof the reconstructed images from the obfuscated features of the raw image isdramatically decreased from 0.9458 to 0.3175 in terms of multi-scale structuralsimilarity. The person in the reconstructed image, hence, becomes hardly to bere-identified. The classification accuracy of the inferred private attributesthat can be achieved by the attacker is significantly reduced to arandom-guessing level.

Weizhong Qiang,Renwan Liu,Hai Jin

DOI: https://doi.org/10.1016/j.future.2021.06.037

IF: 7.307

2021-01-01

Future Generation Computer Systems

Abstract:As the IoT has developed, edge computing has played an increasingly important role in the IoT ecosystem. The edge computing paradigm offers low latency and high computing performance, which is conducive to machine learning tasks such as object detection in autonomous driving. However, data privacy risks in edge computing still exist and the existing privacy-preserving methods are not satisfactory due to the large computational overhead and unbearable accuracy loss. We have designed a privacy-preserving machine learning framework for both user and cloud data. Users and the cloud provide data for inference and training respectively, and the privacy protection of these two aspects is both considered in this paper. Users provide test data and want to access the data-processing models in cloud for inference, and the cloud provides the training data used for training an eligible model. For user data, in order to maintain the overall performance of the machine learning framework while using homomorphic encryption, instead of providing encrypted data to all machine learning tasks, we divide the neural network into two parts, with one part kept on the trusted edge and provided with plaintext, and the other deployed on the untrusted cloud and provided with encrypted input. For cloud data, we apply the binary neural network, a network with the binarized value of weights. This method is practical for narrowing the confidence score gap (between the training and test sets) predicted by the model, which accounts most for a successful exploratory attack on training data. Experiments demonstrate that the results of the adversary's membership inference attack are close to random guessing, and the accuracy is only slightly affected. Compared with the unencrypted network on VGG19, when the network is split from conv4_1 to fc8, the efficiency of using HE is only 100 to 30 times slower. (C) 2021 Elsevier B.V. All rights reserved.

Taegyeong Lee,Zhiqi Lin,Saumay Pushp,Caihua Li,Yunxin Liu,Youngki Lee,Fengyuan Xu,Chenren Xu,Lintao Zhang,Junehwa Song

DOI: https://doi.org/10.1145/3300061.3345447

2019-01-01

Abstract:Deep-learning (DL) is receiving huge attention as enabling techniques for emerging mobile and IoT applications. It is a common practice to conduct DNN model-based inference using cloud services due to their high computation and memory cost. However, such a cloud-offloaded inference raises serious privacy concerns. Malicious external attackers or untrustworthy internal administrators of clouds may leak highly sensitive and private data such as image, voice and textual data. In this paper, we propose Occlumency, a novel cloud-driven solution designed to protect user privacy without compromising the benefit of using powerful cloud resources. Occlumency leverages secure SGX enclave to preserve the confidentiality and the integrity of user data throughout the entire DL inference process. DL inference in SGX enclave, however, impose a severe performance degradation due to limited physical memory space and inefficient page swapping. We designed a suite of novel techniques to accelerate DL inference inside the enclave with a limited memory size and implemented Occlumency based on Caffe. Our experiment with various DNN models shows that Occlumency improves inference speed by 3.6x compared to the baseline DL inference in SGX and achieves a secure DL inference within 72% of latency overhead compared to inference in the native environment.

Ang Li,Jiayi Guo,Huanrui Yang,Flora D. Salim,Yiran Chen

DOI: https://doi.org/10.1145/3450268.3453519

2021-01-01

Abstract:Deep learning has been widely applied in many computer vision applications, with remarkable success. However, running deep learning models on mobile devices is generally challenging due to the limitation of computing resources. A popular alternative is to use cloud services to run deep learning models to process raw data. This, however, imposes privacy risks. Some prior arts proposed sending the features extracted from raw data (e.g., images) to the cloud. Unfortunately, these extracted features can still be exploited by attackers to recover raw images and to infer embedded private attributes (e.g., age, gender, etc.). In this paper, we propose an adversarial training framework, DeepObfuscator, which prevents the usage of the features for reconstruction of the raw images and inference of private attributes. This is done while retaining useful information for the intended cloud service (i.e., image classification). DeepObfuscator includes a learnable encoder, namely, obfuscator that is designed to hide privacy-related sensitive information from the features by performing our proposed adversarial training algorithm. The proposed algorithm is designed by simulating the game between an attacker who makes efforts to reconstruct raw image and infer private attributes from the extracted features and a defender who aims to protect user privacy. By deploying the trained obfuscator on the smartphone, features can be locally extracted and then sent to the cloud. Our experiments on CelebA and LFW datasets show that the quality of the reconstructed images from the obfuscated features of the raw image is dramatically decreased from 0.9458 to 0.3175 in terms of multi-scale structural similarity (MS-SSIM). The person in the reconstructed image, hence, becomes hardly to be re-identified. The classification accuracy of the inferred private attributes that can be achieved by the attacker is significantly reduced to a random-guessing level, e.g., the accuracy of gender is reduced from 97.36% to 58.85%. As a comparison, the accuracy of the intended classification tasks performed via the cloud service is only reduced by 2%. We also demonstrate the efficiency of DeepObfuscator, showcasing real-time performance of the deployed models on smartphones.

Shuang Zhang,Liyao Xiang,Congcong Li,Yixuan Wang,Zeyu Liu,Quanshi Zhang,Bo Li

2019-01-01

Abstract:Powered by machine learning services in the cloud, numerous learning-driven mobile applications are gaining popularity in the market. As deep learning tasks are mostly computation-intensive, it has become a trend to process raw data on devices and send the neural network features to the cloud, whereas the part of the neural network residing in the cloud completes the task to return final results. However, there is always the potential for unexpected leakage with the release of features, with which an adversary could infer a significant amount of information about the original data. To address this problem, we propose a privacy-preserving deep learning framework on top of the mobile cloud infrastructure: the trained deep neural network is tailored to prevent information leakage through features while maintaining highly accurate results. In essence, we learn the strategy to prevent leakage by modifying the trained deep neural network against a generic opponent, who infers unintended information from released features and auxiliary data, while preserving the accuracy of the model as much as possible.

Guowen Xu,Hongwei Li,Hao Ren,Jianfei Sun,Shengmin Xu,Jianting Ning,Haomiao Yang,Kan Yang,Robert H. Deng

DOI: https://doi.org/10.1145/3427228.3427232

2020-01-01

Abstract:Outsourced inference service has enormously promoted the popularity of deep learning, and helped users to customize a range of personalized applications. However, it also entails a variety of security and privacy issues brought by untrusted service providers. Particularly, a malicious adversary may violate user privacy during the inference process, or worse, return incorrect results to the client through compromising the integrity of the outsourced model. To address these problems, we propose SecureDL to protect the model’s integrity and user’s privacy in Deep Neural Networks (DNNs) inference process. In SecureDL, we first transform complicated non-linear activation functions of DNNs to low-degree polynomials. Then, we give a novel method to generate sensitive-samples, which can verify the integrity of a model’s parameters outsourced to the server with high accuracy. Finally, We exploit Leveled Homomorphic Encryption (LHE) to achieve the privacy-preserving inference. We shown that our sensitive-samples are indeed very sensitive to model changes, such that even a small change in parameters can be reflected in the model outputs. Based on the experiments conducted on real data and different types of attacks, we demonstrate the superior performance of SecureDL in terms of detection accuracy, inference accuracy, computation, and communication overheads.

Yulong Wang,Xingshu Chen,Qixu Wang

DOI: https://doi.org/10.48550/arXiv.2212.06428

2022-12-13

Abstract:Cloud-edge collaborative inference approach splits deep neural networks (DNNs) into two parts that run collaboratively on resource-constrained edge devices and cloud servers, aiming at minimizing inference latency and protecting data privacy. However, even if the raw input data from edge devices is not directly exposed to the cloud, state-of-the-art attacks targeting collaborative inference are still able to reconstruct the raw private data from the intermediate outputs of the exposed local models, introducing serious privacy risks. In this paper, a secure privacy inference framework for cloud-edge collaboration is proposed, termed CIS, which supports adaptively partitioning the network according to the dynamically changing network bandwidth and fully releases the computational power of edge devices. To mitigate the influence introduced by private perturbation, CIS provides a way to achieve differential privacy protection by adding refined noise to the intermediate layer feature maps offloaded to the cloud. Meanwhile, with a given total privacy budget, the budget is reasonably allocated by the size of the feature graph rank generated by different convolution filters, which makes the inference in the cloud robust to the perturbed data, thus effectively trade-off the conflicting problem between privacy and availability. Finally, we construct a real cloud-edge collaborative inference computing scenario to verify the effectiveness of inference latency and model partitioning on resource-constrained edge devices. Furthermore, the state-of-the-art cloud-edge collaborative reconstruction attack is used to evaluate the practical availability of the end-to-end privacy protection mechanism provided by CIS.

Cryptography and Security

Xiaoyu Zhang,Chao Chen,Yi Xie,Xiaofeng Chen,Jun Zhang,Yang Xiang

DOI: https://doi.org/10.1016/j.csi.2022.103672

2023-01-01

Abstract:Deep Neural Network (DNN), one of the most powerful machine learning algorithms, is increasingly leveraged to overcome the bottleneck of effectively exploring and analyzing massive data to boost advanced scientific development. It is not a surprise that cloud computing providers offer the cloud-based DNN as an out-of-the-box service. Though there are some benefits from the cloud-based DNN, the interaction mechanism among two or multiple entities in the cloud inevitably induces new privacy risks. This survey presents the most recent findings of privacy attacks and defenses appeared in cloud-based neural network services. We systematically and thoroughly review privacy attacks and defenses in the pipeline of cloud-based DNN service, i.e., data manipulation, training, and prediction. In particular, a new theory, called cloud-based ML privacy game, is extracted from the recently published literature to provide a deep understanding of state-of-the-art research. Finally, the challenges and future work are presented to help researchers to continue to push forward the competitions between privacy attackers and defenders.

computer science, software engineering, hardware & architecture

Yujia Liu,Weiming Zhang,Nenghai Yu

DOI: https://doi.org/10.1155/2017/1897438

IF: 1.968

2017-01-01

Security and Communication Networks

Abstract:Online image sharing in social platforms can lead to undesired privacy disclosure. For example, some enterprises may detect these large volumes of uploaded images to do users’ in-depth preference analysis for commercial purposes. And their technology might be today’s most powerful learning model, deep neural network (DNN). To just elude these automatic DNN detectors without affecting visual quality of human eyes, we design and implement a novel Stealth algorithm, which makes the automatic detector blind to the existence of objects in an image, by crafting a kind of adversarial examples. It is just like all objects disappear after wearing an “invisible cloak” from the view of the detector. Then we evaluate the effectiveness of Stealth algorithm through our newly defined measurement, named privacy insurance. The results indicate that our scheme has considerable success rate to guarantee privacy compared with other methods, such as mosaic, blur, and noise. Better still, Stealth algorithm has the smallest impact on image visual quality. Meanwhile, we set a user adjustable parameter called cloak thickness for regulating the perturbation intensity. Furthermore, we find that the processed images have transferability property; that is, the adversarial images generated for one particular DNN will influence the others as well.

Ji Wang,Jianguo Zhang,Weidong Bao,Xiaomin Zhu,Bokai Cao,Philip S. Yu

DOI: https://doi.org/10.1145/3219819.3220106

2018-01-01

Abstract:The increasing demand for on-device deep learning services calls for a highly efficient manner to deploy deep neural networks (DNNs) on mobile devices with limited capacity. The cloud-based solution is a promising approach to enabling deep learning applications on mobile devices where the large portions of a DNN are offloaded to the cloud. However, revealing data to the cloud leads to potential privacy risk. To benefit from the cloud data center without the privacy risk, we design, evaluate, and implement a cloud-based framework ARDEN which partitions the DNN across mobile devices and cloud data centers. A simple data transformation is performed on the mobile device, while the resource-hungry training and the complex inference rely on the cloud data center. To protect the sensitive information, a lightweight privacy-preserving mechanism consisting of arbitrary data nullification and random noise addition is introduced, which provides strong privacy guarantee. A rigorous privacy budget analysis is given. Nonetheless, the private perturbation to the original data inevitably has a negative impact on the performance of further inference on the cloud side. To mitigate this influence, we propose a noisy training method to enhance the cloud-side network robustness to perturbed data. Through the sophisticated design, ARDEN can not only preserve privacy but also improve the inference performance. To validate the proposed ARDEN, a series of experiments based on three image datasets and a real mobile application are conducted. The experimental results demonstrate the effectiveness of ARDEN. Finally, we implement ARDEN on a demo system to verify its practicality.

Bo Liu,Ming Ding,Tianqing Zhu,Yong Xiang,Wanlei Zhou

DOI: https://doi.org/10.1109/glocom.2018.8647189

2018-01-01

Abstract:The unprecedented accuracy of deep learning methods has earned themselves as the foundation of new AI-based services on the Internet. At the same time, it presents obvious privacy issues. The deep learning aided privacy attack can dig out sensitive personal information not only from the text but also from unstructured data such as images and videos. In this paper, we proposed a framework to protect image privacy against the deep learning tools. We also propose two new metrics to measure the image privacy. Moreover, we propose two different image privacy protection schemes based on the two metrics, utilizing the adversarial example idea. The performance of our schemes is validated by simulation on a large-scale dataset. Our study shows that we can protect the image privacy by adding a small amount of noise, while the added noise has a humanly imperceptible impact on the image quality.

Hongyu Huang,Hongyuan Zhao,Chunqiang Hu,Chao Chen,Yantao Li

DOI: https://doi.org/10.1109/ijcnn52387.2021.9534066

2021-01-01

Abstract:In recent years, there have been increasing demands for using deep neural networks (DNNs) to provide image processing services for mobile devices. Considering the privacy of users' images, we utilize a two-tiers DNN which deploys the shallow and deep model on mobile devices and the cloud respectively. Then we propose a novel privacy protection mechanism which is deployed on the mobile device to satisfy the differential privacy. Meanwhile, based on the convolution kernel analysis, we also propose a novel method to improve the computation efficiency of mobile devices. The highlight of our mechanism is that it not only provides customized privacy protection which can resist the attack of Generative Adversarial Network (GAN), but also improves the accuracy of the neural network model. The experimental results on the ImageNet dataset show that we have improved the top-5 accuracy of image classification by 2%-3%. Under the premise of ensuring that the accuracy of the network is not degraded, our method reduces the CPU consumption on the VGG16 and ResNet50 networks to 74.6% and 48.9%, respectively, and can reduce 90% of the memory overhead. This improvement makes it possible to enable mobile deep neural network applications.

Xiaoyu Zhang,Chao Chen,Yi Xie,Xiaofeng Chen,Jun Zhang,Yang Xiang

DOI: https://doi.org/10.48550/arXiv.2105.06300

2021-05-13

Abstract:Deep Neural Network (DNN), one of the most powerful machine learning algorithms, is increasingly leveraged to overcome the bottleneck of effectively exploring and analyzing massive data to boost advanced scientific development. It is not a surprise that cloud computing providers offer the cloud-based DNN as an out-of-the-box service. Though there are some benefits from the cloud-based DNN, the interaction mechanism among two or multiple entities in the cloud inevitably induces new privacy risks. This survey presents the most recent findings of privacy attacks and defenses appeared in cloud-based neural network services. We systematically and thoroughly review privacy attacks and defenses in the pipeline of cloud-based DNN service, i.e., data manipulation, training, and prediction. In particular, a new theory, called cloud-based ML privacy game, is extracted from the recently published literature to provide a deep understanding of state-of-the-art research. Finally, the challenges and future work are presented to help researchers to continue to push forward the competitions between privacy attackers and defenders.

Cryptography and Security,Artificial Intelligence

Xuanang Yang,Jing Chen,Kun He,Hao Bai,Cong Wu,Ruiying Du

DOI: https://doi.org/10.1109/tifs.2023.3287072

IF: 7.231

2023-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Inference outsourcing enables model owners to deploy their machine learning models on cloud servers to serve users. In this paradigm, the privacy of model owners and users should be considered. Existing solutions focus on Convolutional Neural Networks (CNNs) but their efficiency is much lower than GALA, which is a solution that only protects user privacy. Furthermore, these solutions adopt approximations that reduce the model accuracy and thus require model owners to retrain the models. In this paper, we present an efficient CNN inference outsourcing solution that protects the privacy of both model owners and users. Specifically, we design secure two-party computation protocols based on two non-colluding cloud servers, which calculate with additive secret shares of the model and the user’s input. Our protocols avoid the expensive permutation operations in linear calculations and approximations in non-linear calculations. We implement our solution on realistic CNNs and experimental results show that our solution is even 2–4 times faster than GALA.