Privacy-preserving classification of compute workloads

Establish whether the high-level customer and workload telemetry already collected by cloud and data center providers can support reliable, privacy-preserving workload classification that detects (a) AI training runs above specified compute thresholds and (b) inference workloads involving malicious cyber activity, and specify how such techniques must adapt to changes in hardware, software packages, and algorithms over time.

Background

Compute governance measures, such as mandatory reporting of large training runs or monitoring for malicious inference, may depend on providers classifying workloads without inspecting sensitive customer data. Reuel et al. (2024) note that providers already collect high-level telemetry, suggesting a path to detecting above-threshold training or malicious inference without violating customer privacy.
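
One way to make the threshold-detection half of this concrete is a coarse compute estimate from aggregate telemetry alone. The sketch below is a minimal illustration, assuming a hypothetical telemetry schema (field names, the `mfu` discount, and the threshold value are all illustrative assumptions, not a real provider API or a legal threshold):

```python
from dataclasses import dataclass

@dataclass
class JobTelemetry:
    """Hypothetical high-level telemetry for one customer job.

    All field names are illustrative assumptions, not a real
    provider schema; no customer data content is touched.
    """
    gpu_count: int          # accelerators allocated to the job
    wall_hours: float       # job duration in hours
    avg_utilization: float  # mean reported accelerator utilization, 0..1
    peak_flops: float       # per-chip peak throughput (FLOP/s)

def estimated_training_compute(job: JobTelemetry, mfu: float = 0.4) -> float:
    """Rough estimate of total training FLOP from aggregate telemetry.

    mfu (model FLOP utilization) is an assumed discount from peak
    throughput; real values vary widely by hardware and workload,
    which is exactly the adaptation problem the section raises.
    """
    seconds = job.wall_hours * 3600
    return job.gpu_count * seconds * job.avg_utilization * mfu * job.peak_flops

THRESHOLD_FLOP = 1e26  # placeholder reporting threshold, for illustration

job = JobTelemetry(gpu_count=50_000, wall_hours=24 * 90,
                   avg_utilization=0.9, peak_flops=1e15)
exceeds = estimated_training_compute(job) > THRESHOLD_FLOP
```

Even this toy estimate shows why classification must track hardware and software evolution: `peak_flops` and plausible `mfu` values shift with each accelerator generation, so any fixed calibration would drift.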

However, making such classification robust requires handling heterogeneity and evolution in chips, software stacks, and algorithms. Establishing the feasibility of, and design constraints on, privacy-preserving workload classification would directly support compliance and enforcement in compute-governance regimes.
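
To illustrate both the classification idea and its fragility, here is a deliberately simple heuristic that labels a workload from a utilization time series alone, on the assumption (an assumption, not an established fact) that training tends toward sustained high utilization while inference serving is burstier. The cutoffs are arbitrary and would need recalibration as hardware and software change, which is the robustness problem this section identifies:

```python
import statistics

def classify_workload(util_series: list[float],
                      mean_cut: float = 0.7,
                      stdev_cut: float = 0.15) -> str:
    """Toy heuristic classifier over a utilization time series.

    Sustained high utilization -> "training"; otherwise "inference".
    The cutoffs are illustrative assumptions and would drift as
    chips, frameworks, and algorithms evolve.
    """
    mean = statistics.fmean(util_series)
    stdev = statistics.pstdev(util_series)
    if mean >= mean_cut and stdev <= stdev_cut:
        return "training"
    return "inference"

# Synthetic examples: steady near-saturation vs. bursty request serving.
training_like = [0.95, 0.93, 0.96, 0.90, 0.94, 0.92]
inference_like = [0.20, 0.80, 0.10, 0.90, 0.15, 0.05]
```

A production-grade approach would replace the hand-set cutoffs with a learned model and a drift-detection loop that flags when telemetry distributions shift, but the privacy property is the same: only aggregate utilization statistics are consumed, never customer data content.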

References

An open question is thus whether it is possible to use this data to develop reliable workload classification techniques, for example, determining whether a training workload exceeds certain compute thresholds, or whether an inference workload involves malicious cyberactivity. Such techniques would need to account for changes in the hardware, software packages, and specific algorithms used in AI workloads over time.

Reuel et al. (2024), "Open Problems in Technical AI Governance" (arXiv:2407.14981), Section 3.2.2: Classification of Workloads.