Rethinking Certification for Trustworthy Machine-Learning-Based Applications

Machine learning (ML) is increasingly used to implement advanced applications with nondeterministic behavior, which operate on the cloud–edge continuum. The pervasive adoption of ML is urgently calling for assurance solutions to assess applications’ nonfunctional properties (e.g., fairness, robustness, and privacy) with the aim of improving their trustworthiness. Certification has been clearly identified by policy makers, regulators, and industrial stakeholders as the preferred assurance technique to address this pressing need. Unfortunately, existing certification schemes are not immediately applicable to nondeterministic applications built on ML models. This article analyzes the challenges and deficiencies of current certification schemes, discusses open research issues, and proposes a first certification scheme for ML-based applications.


✦
Modern applications consist of elastic server-side processes running in the cloud, implemented as micro-and nano-services developed with cloud-native technologies and orchestrated at run time.The availability of new orchestration platforms and programming frameworks is making it possible to execute these applications at line speed [1].In the fullness of time, an intelligent cloud continuum will support autonomous, self-configuring applications that will request the activation of its services wherever they are needed, including innovative IoT devices [2].While this new paradigm promises many advantages in terms of availability, elasticity, and, ultimately, quality of service, its complexity is much higher than its predecessors'.This complexity leap is affecting the governance, risk, and compliance landscape, and even the procedures to guarantee security and safety of citizens.
To understand why, let us discuss where we stand right now in terms of available solutions to assess and verify applications behavior. . .Traditionally, assurance techniques have been used to assess and verify the trustworthiness of a system or application [3].Along the years, certification has become the most popular assurance technique, providing a way for a trusted authority to assert that a system or application supports a given (set of) non-functional property according to some evidence on its operation.Test-based certification schemes have been applied to software systems since the Eighties, with the release of the Orange book. 1 Test-based schemes underwent a crisis in the middle of the past decade, when it became clear that certifying service-based applications, even with the low degree of autonomy available at the time, required monitoring and run-time re-verification, as different services were recruited at each execution.In 2012, on the crest of the service-oriented computing wave, the seminal ASSERT4SOA project 2 led the way toward new generation of dynamic certification techniques with the following slogan: You live in a certified house, you drive a certified car, why would you use an uncertified service?At that time, certification enabled users to select and compose applications on the basis of their certified properties.
Today, a second crisis of certification schemes is looming, as the massive adoption of machine learning is radically transforming applications behavior [4].
Opaque ML models pose new concerns on how to test and certify the trustworthiness, safety, and reliability of the applications.The challenges we faced in 2012 are back today, like the most classic of groundhog days.A new slogan is then emerging: You use certified services, you hire certified professionals, why would you use an application driven by uncertified machine learning?
This question sheds some light on the motivations of the increasing push towards the definition of sound techniques for the non-functional certification of ML-based applications [5], [6].What needs to be certified is the behavior of the application driven by ML models, rather than some theoretical notion on the ML models.For instance, fairness means there is no discrimination among users accessing an application; privacy and security mean that the application safely processes user data; robustness means that the application will keep operating reliably while under attack.Nevertheless, these properties depend on the ML models driving the application, and on the process/data used to train them.Training data can be partial or inaccurate (affecting fairness), poisoned (affecting robustness and security), and sensitive (affecting privacy and explainability).
This article outlines the key elements of a sound certification scheme for ML-based applications.To this aim, we start from current certification schemes and analyze their limitations.We then give a first definition of a certification  scheme for ML-based applications, based on simultaneous verification of three factors: i) the data used for training, ii) the training process, and iii) the ML model.We finally apply the scheme in a real-world example of its application.

TRADITIONAL CERTIFICATION SCHEMES
Traditional certification schemes evolved into dynamic schemes suitable for deterministic composite applications, where services are orchestrated at run time according to their non-functional properties [7].Application properties are inferred from the ones of its components and continuously verified across service changes [8], [9]. Figure 1 shows the typical process of a certification scheme.The process starts with a Certification Authority (CA) defining the certification model, that is, a specification of the activities to be executed to certify an application.Formally, the certification model is a tuple CM= ⟨p, T oC, E⟩, where p is the non-functional property to be certified (e.g., confidentiality), T oC the target of certification, that is, the application to be certified (e.g., a cloud-based application), and E the evidence collection model (e.g., a set of test cases).An accredited lab, delegated by the CA, executes E to collect the evidence that may support the awarding of a certificate proving p on T oC [3], [7].
Recently, certification schemes broaden the definition of target of certification [7] towards multi-factor certification.
Multi-factor certification is a natural evolution of certification schemes to accomodate the peculiarities of a modern applications.The non-functional posture of an application, in fact, depends on its software artifacts as well as on the processes that brought it to operation (e.g., development and deployment processes).
However, even dynamic, multi-factor certification schemes struggle with the latest evolution of modern applications towards ML.

CHALLENGES IN ML-BASED APPLICATIONS CERTIFICATION
Today, the certification of ML-based applications (ML certification in the following) is more an art than a science [10], resulting in ad hoc solutions tailored to specific properties (e.g., explainability, fairness, and robustness [11], [12], [13]).Research is a standstill: no certification scheme for ML is available, despite the increasing push coming from society [5]; at the same time, none of the existing system certification schemes [3] can be adapted to the certification of ML.We argue that this standstill is due to four unsolved challenges we designate here as C1-C4.
To exemplify the challenges, we introduce a reference scenario that considers a malware detection application (malware detector in short).It is based on a Deep Learning model trained on real data collected from the field, as well as synthetic data generated according to a GAN [14].Data are performance metrics retrieved from the underlying system.To operate in an adversarial environment, the malware detector must be certified for property robustness against inference-time attacks, that is, its ability to correctly operate in the presence of adversaries interfering with the malware detection process by perturbing collected data.
C1: Target definition.A target of certification T oC is commonly defined as a list of components (i.e., endpoints, services, functions) with clear and unambiguous (i.e., deterministic) behavior.This approach does not suit applications whose components are not deterministic [13].Current definitions of T oC are inapplicable to ML-based applications and must evolve to accomplish the uncertainty introduced by ML models.In our reference scenario, the behavior of the deep learner must be certified in terms of the robustness of the dataset and process used for training, as well as the characteristics of the learned model.
C2: Property definition.The literature is rich of wellformalized non-functional properties (e.g., k-anonymity for privacy, confidentiality, integrity and availability for security), where property definition is decoupled from property verification.The latter is in fact left to the evidence collection model.ML certification instead lacks of commonly accepted and rigorous definitions of ML properties (e.g., explainability, fairness, and robustness), where property verification must be included in the property definition.Property verification in fact substantially characterizes the property itself and defines the means driving evidence collection [11], [12].For instance, in our reference scenario, property ML robustness must specify how adversarial samples are crafted for run-time verification of the adversarial attacks.
C3: Certification process.Certification process relies on evidence collection models executing test cases or monitoring rules to collect the evidence at the basis of a certificate award [3].Traditional evidence collection statically assesses application interfaces, which might be insufficient to certify the behavior of an ML-based application.Evidence collection model for ML certification must consider three factors, namely, (training) data, (training) process, and the ML model itself.In particular, factor data is novel and must consider how a model is learned (i.e., developed), including the specific characteristics of the training set.The latter is completely neglected in traditional systems certification and would compare to the evaluation of the application developer (e.g., her experience and skills).
C4: ML pipelines.The structure of an ML-based application is recursive: each of its components can implement an ML pipeline orchestrating other components implementing an aspect of ML, from data ingestion to data processing.Certification schemes must support such a structure.In our reference scenario, the certification of property robustness should consider the robustness of the ML model against inference-time attacks, as well as the integrity of retrieved performance metrics.In some cases, this can be achieved by customizing existing solutions for certificate composition [8].However, this challenge remains an open issue that we leave for our future work.

ML-BASED APPLICATIONS CERTIFICATION
To address challenges C1-C3, we need to reshape traditional certification schemes according to three main aspects: i) multi-factor certification of ML-based applications behavior (challenge C1), ii) ML-specific non-functional properties (e.g., fairness, explainability, robustness) definition (challenge C2), iii) ML-specific evidence collection models supporting non-functional properties verification at point ii) (challenge C3).

Multi-factor certification of ML-based applications behavior.
Multi-factor certification schemes [7] are the natural choice for certifying ML-based applications.Three factors f should be considered as follows: • factor data (f d ), including information on the dataset used for model training/validation (e.g., characteristics of the samples); • factor process (f p ), including information on the training process (e.g., adoption of boosting, transfer learning); • factor model (f m ), including information on the behavior of the ML model in operation.
Our three-factor certification model CM is a set of three independent certification models {CM f d , CM fp , CM fm }, where each CM * is a tuple of the form ⟨p * ,T oC * , E * ⟩.Each certification model implements a certification process as follows.
Certification model CM f d =⟨p f d , T oC f d , E f d ⟩ (factor data) evaluates the dataset used for training and its impact on the ML model.For instance, a poisoned training set negatively impacts on property robustness of malware detector, since it reduces its ability to distinguish between benign and malign samples.CM f d includes a property p f d specific for data, a target T oC f d modeling the dataset used for training/validation, and an evidence collection model E f d specifying the procedure for collecting evidence on the T oC, including evidence on dataset balancing and feature extraction.
Certification model CM fp =⟨p fp , T oC fp , E fp ⟩ (factor process) expresses how the training process is implemented and its impact on the ML model.For instance, a sanitization technique for fixing poisoned samples in the dataset positively impacts on property robustness of malware detector, decreasing the shift in the learnt classification boundaries.CM fp includes a property p fp specific for the training process, a target T oC fp modeling the training process, and an evidence collection model E fp including the procedure for collecting evidence on the design and execution of the training process, such as the inspection of checkpoints generated during training.
Certification model CM fm =⟨p fm , T oC fm , E fm ⟩ (factor model) evaluates the ML model in operation.It is a crucial target of certification and its verification is strongly intertwined with the property to be verified.For instance, property robustness of the malware detector can be actively tested assessing its ability to spot an adversary trying to inject adversarial samples to alter the ML model predictions.As another example, property privacy can be compromised by attacks that infer the presence of a sample in the training set.This is done by inspecting the ML model predictions [15].However, if the application returns the predicted label only, the attack fails and privacy is preserved despite the lack of a specific protection.CM fm includes a property p fm specific for the ML model, a target T oC fm describing the ML model (e.g., its architecture and parameters), and an evidence collection model E fm including the procedure for collecting evidence on the behavior of the ML-based application, such as functions exercizing the ML model.

ML-specific non-functional properties.
ML certification requires the definition of ML specific non-functional properties (e.g., fairness, explainability, robustness, safety) and the redesign of traditional non-functional properties (e.g., confidentiality, integrity, availability -CIA).In general, these properties are the union of factor-specific properties p f d , p fp , and p fm , and must specify the verification means driving evidence collection (see challenge C2).We note that, depending on the property, some factors might not be relevant and verification means might be neglected.
Let us consider property robustness in our reference scenario.It is the union of property robustness of the training set (p f d ), the training process (p fp ), and the ML model (p fm ).For example, property robustness of the training set (p f d ) is defined as the absence of targeted poisoning in the training set; its definition includes the function used to detect poisoned points.
Let us then consider property integrity.It traditionally proves the integrity of the application and its artifacts.Property integrity of ML instead proves the integrity of the ML model behavior according to the three factors.Property integrity in factor data is the integrity of training data (e.g., verifying that the dataset cannot be altered).Property integrity in factor process is the integrity of the training process (e.g., a training process that includes adversarial training specification).Property integrity in factor model is the integrity of the generated ML model (e.g., verifying that the packaged ML model is tamper-proof).
ML-specific evidence collection models.Evidence collection models are factor-specific, and describe how to collect evidence according to the three factors.All evidence and metadata collected during the certification of each factor must be stored in certificates, to ensure reproducibility and trustworthiness.
Let us consider property robustness in our reference sce-  In addition, let us consider an evidence collection process E fm for property privacy.This property can be verified in terms of the (in)ability to reverse-engineer training data while operating the ML model [15], [16].

CERTIFICATION IN ACTION
We demonstrate our ML certification scheme in our reference scenario, which considers a malware detection application (see [14] for more details on the malware detector).We recall that the property of interest is robustness against inference-time attacks, that is, the ability of the malware detector to behave correctly in the presence of an adversarial perturbation aimed to hide malware activities.Table 1 summarizes the three factors and their outcome.

Factor data. It defines a certification model CM
• Property robustness p f d is defined as the absence of poisoned samples from the training set.They are samples injected in the training set to alter the classification boundaries learnt by the model, thus masking malware activities at inference time [17].
• Target T oC f d is the training set.
• Evidence collection model E f d adapts the poisoning removal technique in [18] to flag possibly poisoned samples.
In our scenario, no poisoned samples are retrieved, and the assessment for factor data f d is positive (✓).In our scenario, the process inspection fails due to the lack of both techniques and the assessment for factor process f p is negative (✗).

Factor
model.It defines a certification model CM fm =⟨p fm ,T oC fm , E fm ⟩ as follows.
• Property robustness p fm is defined as the effectiveness of adversarial attacks against the ML model.It specifies how samples of adversarial attacks are crafted and sent to the model.

•
Target T oC fm is the malware detector.
• Evidence collection model E fm exercises the malware detector, sending adversarial (malware) samples and verifying whether the recall retrieved on such samples is larger than 0.95.
In our scenario, recall on adversarial samples is 0, meaning that they are all misclassified as benign.The assessment for factor model f m is negative (✗).
To conclude, the malware detector lacks of the proper robustness to operate in adversarial settings.Although it might appear that f m is the only relevant factor and traditional certification is sufficient, the certification of the three factors allows the final users to completely understand how the data, the training process, and the model in operation jointly contribute or not to the requested non-functional property.For instance, the failure in factor process motivates the failure in factor model.A certificate can be awarded for each factor independently, in case of positive outcome (✓), or a single certificate can be released by merging the three assessments according to predefined rules.

CONCLUSIONS
This paper makes a first step towards the certification of ML-based applications.The road ahead is still long and impervious.Our evidence collection techniques based on analysis of the training set, training process, and ML model predictions (Table 1) must be complemented by other approaches such as abstract interpretation [19] or inspection of a surrogate white-box model [20].The life cycle of ML models and their certificates must be carefully managed.ML models need in fact to be continuously adapted according to evolving system behavior, novel requirements, and drift in the incoming data, to name but a few.This requires certification to follow the changes of ML models along their life cycle.However, certification should not be limited to track changes; it should drive ML models evolution, so that ML models can evolve while supporting the desired properties in all factors.
To conclude on an optimistic note, we are confident that certification will eventually succeed in supporting trust in ML-based application behavior.It is a good omen that ongoing regulatory discussions [5], [6] agree that certification should target all artifacts involved in ML training and operations.
Ernesto Damiani is Full Professor at the Università degli Studi di Milano and Founding Director of the Center for Cyber-Physical Systems, Khalifa University, UAE.His research interests include cybersecurity, big data, and cloud/edge processing.He received an Honorary Doctorate from Institute National des Sciences Appliquées de Lyon, France, in 2017.He is a Distinguished Scientist of ACM and was a recipient of the 2017 Stephen Yau Award.Contact him at ernesto.damiani@ku.ac.ae.

−−
Robustness against inference-time attacks (Absence of adversarial poisoning in the training set) Training set − Check the presence of poisoned samples − evidence: poisoned samples=∅ ✓ fp Robustness against inference-time attacks (Usage of randomized smoothing and adversarial training) Training process Check the training process and checkpoints − evidence: training process does not include randomized smoothing and adversarial training ✗ fm Robustness against inference-time attacks (Ineffectiveness of adversarial attacks) Craft and send adversarial samples to the ML model − evidence: recall=0 ✗ nario.E fp and E fm must be adapted to collect data coming from the training process and the ML model coping with their opaqueness.For instance, E fp verifies the robustness of the training process by ensuring the usage of strengthening techniques.E fm crafts and sends adversarial samples to verify robustness.

Factor process .
It defines a certification model CM fp =⟨p fp ,T oC fp , E fp ⟩ as follows.•Property robustness p fp is defined as the usage of two strengthening techniques during the training process: randomized smoothing and adversarial training.These techniques reduce the presence of poisoned samples and the impact of adversarial samples, respectively.• Target T oC fp is the training process.It does not include any strengthening techniques.• Evidence collection model E fp inspects the training code, as well as the checkpoints created during training, to retrieve evidence on the usage of randomized smoothing and adversarial training.

Table 1
Summary of the certification scheme applied on our scenario.