ETSI GR SAI 009 V1.1.1 (2023-02)

ETSI GR SAI 009 V1.1.1 (2023-02)






GROUP REPORT
Securing Artificial Intelligence (SAI);
Artificial Intelligence Computing Platform Security Framework
Disclaimer
The present document has been produced and approved by the Securing Artificial Intelligence (SAI) ETSI Industry Specification
Group (ISG) and represents the views of those members who participated in this ISG.
It does not necessarily represent the views of the entire ETSI membership.

---------------------- Page: 1 ----------------------
2 ETSI GR SAI 009 V1.1.1 (2023-02)

Reference
DGR/SAI-009
Keywords
artificial intelligence, security

ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE

Tel.: +33 4 92 94 42 00  Fax: +33 4 93 65 47 16

Siret N° 348 623 562 00017 - APE 7112B
Association à but non lucratif enregistrée à la
Sous-Préfecture de Grasse (06) N° w061004871

Important notice
The present document can be downloaded from:
http://www.etsi.org/standards-search
The present document may be made available in electronic versions and/or in print. The content of any electronic and/or
print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any
existing or perceived difference in contents between such versions and/or in print, the prevailing version of an ETSI
deliverable is the one made publicly available in PDF format at www.etsi.org/deliver.
Users of the present document should be aware that the document may be subject to revision or change of status.
Information on the current status of this and other ETSI documents is available at
https://portal.etsi.org/TB/ETSIDeliverableStatus.aspx
If you find errors in the present document, please send your comment to one of the following services:
https://portal.etsi.org/People/CommiteeSupportStaff.aspx
If you find a security vulnerability in the present document, please report it through our
Coordinated Vulnerability Disclosure Program:
https://www.etsi.org/standards/coordinated-vulnerability-disclosure
Notice of disclaimer & limitation of liability
The information provided in the present deliverable is directed solely to professionals who have the appropriate degree of
experience to understand and interpret its content in accordance with generally accepted engineering or
other professional standard and applicable regulations.
No recommendation as to products and services or vendors is made or should be implied.
No representation or warranty is made that this deliverable is technically accurate or sufficient or conforms to any law
arranty is made of merchantability or fitness
and/or governmental rule and/or regulation and further, no representation or w
for any particular purpose or against infringement of intellectual property rights.
In no event shall ETSI be held liable for loss of profits or any other incidental or consequential damages.

Any software contained in this deliverable is provided "AS IS" with no warranties, express or implied, including but not
limited to, the warranties of merchantability, fitness for a particular purpose and non-infringement of intellectual property
rights and ETSI shall not be held liable in any event for any damages whatsoever (including, without limitation, damages
for loss of profits, business interruption, loss of information, or any other pecuniary loss) arising out of or related to the use
of or inability to use the software.
Copyright Notification
No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and
microfilm except as authorized by written permission of ETSI.
The content of the PDF version shall not be modified without the written authorization of ETSI.
The copyright and the foregoing restriction extend to reproduction in all media.

© ETSI 2023.
All rights reserved.

ETSI

---------------------- Page: 2 ----------------------
3 ETSI GR SAI 009 V1.1.1 (2023-02)
Contents
Intellectual Property Rights . 5
Foreword . 5
Modal verbs terminology . 5
Introduction . 5
1 Scope . 7
2 References . 7
2.1 Normative references . 7
2.2 Informative references . 7
3 Definition of terms, symbols and abbreviations . 8
3.1 Terms . 8
3.2 Symbols . 8
3.3 Abbreviations . 8
4 Convention Description . 9
4.1 Notation . 9
5 Overview . 9
5.1 AI computing platform description . 9
5.2 Implementation recommendations . 10
5.3 Threats analysis of AI computing platform . 11
5.4 Security objectives and requirements for AI computing platform . 15
6 AI Computing Platform Security Architecture. 16
6.1 Baseline security capabilities of an AI computing platform . 16
6.1.1 Overview . 16
6.1.2 Identity management and access control . 16
6.1.3 Integrity protection . 16
6.1.4 System hardening . 17
6.1.5 Data protection . 17
6.1.6 Secure audit . 17
6.1.7 Secure response . 18
6.1.8 Resilience . 18
6.2 Security functions/services of an AI computing platform . 18
6.2.1 Overview . 18
6.2.2 AI assets confidentiality protection . 18
6.2.2.1 AI assets encryption/decryption . 18
6.2.2.2 AI-specific computing resource isolation . 19
6.2.3 AI related log protection . 19
6.2.4 Training procedure recovery . 20
6.2.5 Inference attack detection function . 20
6.3 Reference architecture of an AI computing platform . 21
7 Security Components . 22
7.1 Overview . 22
7.2 Security components in hardware layer . 22
7.2.1 Security related hardware element description . 22
7.2.1.1 Introduction . 22
7.2.1.2 TEE . 22
7.2.1.3 TPM . 22
7.2.1.4 SE . 22
7.2.1.5 HSM . 22
7.2.2 Host HMEE security function module . 23
7.2.3 AI accelerator HMEE security function module . 23
7.2.4 Hardware abnormality detection module . 24
7.2.5 AI accelerator resource isolation module . 24
7.2.6 Host trusted boot module . 24
ETSI

---------------------- Page: 3 ----------------------
4 ETSI GR SAI 009 V1.1.1 (2023-02)
7.2.7 AI accelerator trusted boot module . 24
7.2.8 Host HBRT . 24
7.2.9 AI accelerator HBRT . 25
7.2.10 Minimal system . 25
7.2.11 Host HUK . 25
7.2.12 AI accelerator HUK . 26
7.3 Security components in basic software layer. 26
7.3.1 System abnormality detection module . 26
7.3.2 Trust measurement module . 26
7.3.3 Integrity protection module. 27
7.4 Security components in application enabling layer . 27
7.4.1 Security management module . 27
7.4.2 Inference attack detection engine . 27
7.4.3 Encryption/decryption module. 28
7.4.4 Training procedure recovery module . 28
7.4.5 Log protection module . 28
8 Reference points and service-based interface . 29
8.1 Reference point between security components . 29
8.2 Service-based interface for platform users . 29
9 Mechanism of Security Functions/Services . 31
9.1 Overview . 31
9.2 AI assets encryption/decryption . 31
9.2.1 Description of a reference example for the mechanism . 31
9.2.2 Involved security components . 31
9.2.3 Reference point and service-based interface . 31
9.2.4 Mechanism procedure . 32
9.2.5 Reference deployment . 35
9.3 AI-specific computing resource isolation . 37
9.3.1 Mechanism description . 37
9.3.2 Involved security components . 37
9.3.3 Reference point and service-based interface . 37
9.3.4 Mechanism procedure . 38
9.3.5 Reference deployment . 39
9.4 AI related log protection . 40
9.4.1 Description of reference example for the mechanism . 40
9.4.2 Involved security components . 40
9.4.3 Reference point and service-based interface . 40
9.4.4 Mechanism procedure . 40
9.4.5 Reference deployment . 41
9.5 Training procedure recovery . 42
9.5.1 Description of reference example for the mechanism . 42
9.5.2 Involved security components . 42
9.5.3 Reference point and service-based interface . 42
9.5.4 Mechanism procedure . 43
9.6 Inference attack detection . 44
9.6.1 Description of reference example for the mechanism . 44
9.6.2 Involved security components . 44
9.6.3 Reference point and service-based interface . 44
9.6.4 Mechanism procedure . 44
9.6.5 Reference deployment . 45
9.7 Measured boot . 47
9.8 Recovery from minimal system . 47
Annex A: Bibliography . 48
History . 49


ETSI

---------------------- Page: 4 ----------------------
5 ETSI GR SAI 009 V1.1.1 (2023-02)
Intellectual Property Rights
Essential patents
IPRs essential or potentially essential to normative deliverables may have been declared to ETSI. The declarations
pertaining to these essential IPRs, if any, are publicly available for ETSI members and non-members, and can be
found in ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to
ETSI in respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the
ETSI Web server (https://ipr.etsi.org/).
Pursuant to the ETSI Directives including the ETSI IPR Policy, no investigation regarding the essentiality of IPRs,
including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not
referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become,
essential to the present document.
Trademarks
The present document may include trademarks and/or tradenames which are asserted and/or registered by their owners.
ETSI claims no ownership of these except for any which are indicated as being the property of ETSI, and conveys no
right to use or reproduce any trademark and/or tradename. Mention of those trademarks in the present document does
not constitute an endorsement by ETSI of products, services or organizations associated with those trademarks.
DECT™, PLUGTESTS™, UMTS™ and the ETSI logo are trademarks of ETSI registered for the benefit of its

Members. 3GPP™ and LTE™ are trademarks of ETSI registered for the benefit of its Members and of the 3GPP
Organizational Partners. oneM2M™ logo is a trademark of ETSI registered for the benefit of its Members and of the
®
oneM2M Partners. GSM and the GSM logo are trademarks registered and owned by the GSM Association.
Foreword
This Group Report (GR) has been produced by ETSI Industry Specification Group (ISG) Securing Artificial
Intelligence (SAI).
Modal verbs terminology
In the present document "should", "should not", "may", "need not", "will", "will not", "can" and "cannot" are to be
interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of provisions).
"must" and "must not" are NOT allowed in ETSI deliverables except when used in direct citation.
Introduction
Artificial Intelligence is evolving very fast. It has been deployed everywhere trying to improve the quality of daily life.
The compromise of AI systems will directly affect a vast number of people and can cause severe results. In an AI
system, AI computing platform acts as the infrastructure for AI applications that provides resource and executing
environments. Therefore, it is very important to study the security of AI computing platform. The reasons are two-folds:
• The security of AI computing platform is the baseline guarantee for AI system. If the platform is
compromised, all of the applications running on it will be controlled by malicious attackers.
• Common security requirements from different AI applications are best resolved by AI computing platform that
will apparently improve the protection levels for AI application and bring convenience for relevant
stakeholders during development, use and maintenance of AI applications.
ETSI

---------------------- Page: 5 ----------------------
6 ETSI GR SAI 009 V1.1.1 (2023-02)
The present document first studies the role of AI computing platform in AI systems, its common structure and security
requirements in AI systems. Secondly, the security components and interaction between these components that form
the security framework of AI computing platform are studied. Last but not the least, the mechanisms which guarantee
the security of the platform itself and provide services for relevant stakeholders in AI systems are studied in detail. The
aim of the present document is to set out a reference security framework for AI computing platform developer and users
to mitigate the security threats against AI systems in a cooperatively manner.
The study uses ETSI GR SAI 006 [i.3] as a starting point for hardware aspects and avoids overlap.

ETSI

---------------------- Page: 6 ----------------------
7 ETSI GR SAI 009 V1.1.1 (2023-02)
1 Scope
The present document describes a security framework of AI computing platform containing hardware and basic
software to protect valuable assets like models and data deployed on AI computing platform when they are used in
runtime or stored at rest. The security framework consists of security components in AI computing platform and
security mechanisms executed by security components in the platform. By specifying the security framework, an AI
computing platform can be consolidated against the relevant attack and can provide security capabilities to facilitate the
stakeholders in AI systems to better protect the valuable assets (model/data) on an AI computing platform.
2 References
2.1 Normative references
Normative references are not applicable in the present document.
2.2 Informative references
References are either specific (identified by date of publication and/or edition number or version number) or
non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the
referenced document (including any amendments) applies.
NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee
their long term validity.
The following referenced documents are not necessary for the application of the present document but they assist the
user with regard to a particular subject area.
[i.1] ETSI GR SAI 004: "Securing Artificial Intelligence (SAI); Problem Statement".
[i.2] ETSI GR SAI 005: "Securing Artificial Intelligence (SAI); Mitigation Strategy Report".
[i.3] ETSI GR SAI 006: "Securing Artificial Intelligence (SAI); The role of hardware in security of
AI".
[i.4] Pingchuan Ma, Stavros Petridis, Maja Pantic: "Detecting adversarial attack on audiovisual speech
recognition", IEEE International Conference on Acoustics, Speech and Signal Processing
(ICASSP), 2021, Toronto, ON, Canada.
NOTE: Available at https://arxiv.org/pdf/1912.08639.pdf.
[i.5] Celia Cintas, Skyler Speakman, Victor Akinwande, William Ogallo, Komminist Weldemariam,
Srihari Sridharan and Edward Mcfowland: "Detecting Adversarial Attacks via Subset Scanning of
Autoencoder Activations and Reconstruction Error", Proceedings of the Twenty-Ninth
International Joint Conference on Artificial Intelligence.
NOTE: Available at https://www.ijcai.org/proceedings/2020/0122.pdf.
[i.6] Mika Juuti, Sebastian Szyller, Samuel Marchal, N. Asokan: "PRADA: Protecting Against DNN
Model Stealing Attacks", 2019 IEEE European Symposium on Security and Privacy (EuroS&P).
[i.7] Ren Pang, Xinyang Zhang, shouling Ji, Xiapu Luo, Ting Wang: "AdvMind: Inferring Adversary
Intent of Black-Box Attacks", Proceedings of the 26th ACM SIGKDD, 2020.
NOTE: Available at https://arxiv.org/pdf/2006.09539.pdf.
[i.8] ETSI GS NFV-SEC 009: "Network Functions Virtualisation (NFV); NFV Security; Report on use
cases and technical approaches for multi-layer host administration".
[i.9] ETSI GS NFV-SEC 012: "Network Functions Virtualisation (NFV) Release 3; Security; System
architecture specification for execution of sensitive NFV components".
ETSI

---------------------- Page: 7 ----------------------
8 ETSI GR SAI 009 V1.1.1 (2023-02)
3 Definition of terms, symbols and abbreviations
3.1 Terms
For the purposes of the present document, the following terms apply:
AI asset: anything that has value to the organization, its business operation and its continuity relevant to AI
NOTE: Model, dataset and training script belongs to AI asset category.
3.2 Symbols
Void.
3.3 Abbreviations
For the purposes of the present document, the following abbreviations apply:
AE AutoEncoder
AI Artificial Intelligence
API Application Programming Interface
BIOS Basic Input Output System
BMC Baseboard management controller
CPU Central Processing Unit
CVE Common Vulnerabilities & Exposures
DDoS Distributed Denial of Service
DNS Domain Name System
DoS Denial of Service
GPU Graphics Processing Unit
HBRT Hardware Based Root of Trust
HDD Hard Disk Drive
HMEE Hardware-Mediated Execution Enclave
HSM Hardware Security Module
HTTPS Hypertext Transfer Protocol Secure
HUK Hardware Unique Key
IO Input Output
IOT Internet Of Things
JTAG Joint Test Action Group
NIC Network interface card
NPU Neural network Processing Unit
OS Operating System
PCI Peripheral Component Interconnect
PCIe Peripheral Component Interconnect express
REE Rich Execution Environment
RoT Root of Trust
RTS Root of Trust for Storage
RTR Root of Trust for Report
RPO Recovery Point Objective
RTO Recovery Time Objective
SDK Software Development Kit
SE Secure Element
SIM Subscriber Identity Module
SMTP Simple Mail Transfer Protocol
SoC System on Chip
SSD Solid State Disk
TEE T
...