Hello, everyone. My name is Tommy. I'm a senior software developer at IBM. My team is mostly focused on open source, and I specifically am focused on ML infrastructure on Kubernetes. Today's talk is going to focus on an ML setup with automated online and offline ML model evaluation on Kubernetes.

Thomas J. Watson, one of the former CEOs of IBM, once said the toughest thing about the power of trust is that it's very difficult to build and very easy to destroy. If we look at the AI world right now, AI is powering a lot of our critical workflows, and trust is very essential, because we see AI being used in our credit systems, employment systems, customer management and health care. So we need to know how we can trust AI to do all these tasks. When we take a look into what it takes to trust a decision made by a machine or an AI, just looking at whether it is accurate at the task is not enough. We also need to dive into whether it is making fair decisions.

Is the decision easy to understand? Is the decision transparent, so that we know how it's being made? Does it handle the privacy of personal information? And lastly, we want to make sure that the AI doesn't tamper with anyone based on the decision outcomes.

Because of this, IBM itself open-sourced multiple trusted AI libraries to help the community do these trusted AI tasks using open source. We have four different categories of open source libraries. One is to make sure the robustness of the AI is good, so it doesn't get tampered with. One makes sure the AI is making fair decisions based on outcomes. One is able to explain why the AI is making this decision by evaluating how each attribute impacts the outcomes. And lastly, the fourth one tells what kind of data is being used, so we know all the ingredients that are being consumed by that AI.

Over time we see that the Adversarial Robustness Toolbox, AI Fairness 360 and AI Explainability 360 are very useful for building security for AI, and the community likes them, so IBM actually cooperated with LF AI & Data and was able to donate these three projects to the LF AI & Data Foundation. Anyone in the community is comfortable to use them from open source and apply them in their organizations.

Now I want to dive a little bit more into what security in AI is. When we talk about trusted AI, we want to focus on the aspect of AI security. As we can see over time, cybercrime follows the issues of the day. For example, in the early days of COVID,
we could see in the United States that a lot of attacks were actually COVID-themed. Attackers follow the current news and update their attack strategies. Because of that, we see a lot of executives say they have concerns about security and privacy, and that is one of their main blockers for not using AI in their organizations.

If we dive deeper into what is necessary to build private and secure AI, we break it down into three main aspects. One is that we need to build trust in privacy: we want to ensure the privacy of the data and the model, so we want to minimize the data being used and assess what kind of risk is introduced in this AI. We also need to make sure of trust in security, to protect against any kind of adversarial threat: if someone wants to modify the model or modify the input, how can we defend against it? And lastly, trust in execution, where we want to provide confidentiality and trust under any environment, so whatever environment you're in, you could still use this AI and make sure the AI provides trusted and robust outcomes.

Now let's dive into the subcategories. When we look into the aspect of AI privacy, I think one very useful impact of the GDPR introduced by Europe is how it impacts the AI aspects. When we talk about AI privacy, usually it's difficult to comply with privacy regulation when it comes to AI, because it's difficult to know how the AI is being trained and what kind of data is being used. With the introduction of GDPR, although it's not targeted at AI, it actually covers the right to be forgotten, data minimization, consent and purpose limitation when it comes to consuming data. Because of that, using the GDPR rules, some AI models right now can actually legally be classified as personal data. So it actually forces organizations to consider minimizing the personal data used in the AI. Whenever you build AI that is compliant with the GDPR rules, you could minimize the amount of information that might potentially be exposed to the public. That covers some of the important aspects of AI privacy, but of course we still have a lot to do.

Another aspect of AI is AI security. One of the ways that could impact AI security is adversarial machine learning. On a high level, adversarial machine learning can be used to trick machine learning models into providing incorrect predictions.
Look at this scenario: someone built an adversarial model able to target handwritten digit recognition, and just by modifying a few pixels of the picture, it could fool the model into recognizing the original check of $153 as $753. Adversarial attacks are smart enough that they're also able to lower the CLEVER score, where the CLEVER score is usually used to identify whether or not this number needs to be checked by a real human. Because the attack is smart enough to also lower that score, it's very unlikely for a human being to actually look into this check and know that it has been affected by an adversarial attack.

Another scenario where this could happen is self-driving cars. Because adversarial attacks are very common in image recognition, it's very easy to apply a simple pixel filter on the image captured by a self-driving car. In this scenario, when you just modify several pixels on the image, let's say of an American stop sign, you can actually make the self-driving car's recognition ignore the stop sign and keep going. That is a very big vulnerability when we view self-driving car software. In addition to that, we see more and more adversarial exploits as AI becomes more popular, and this is why we need to step up and make sure AI is secured and able to be used in every organization.

When we look at the different kinds of adversarial attacks in machine learning, we break them down into four main categories. One is obviously evasion attacks, just modifying inputs to influence the model. We also see poisoning, where you could change the training data the organization uses to add backdoors to the AI. There is also extraction, where you gradually steal certain information on how the proprietary model is built. And lastly, the more important part is inference, where the attacker is able to learn what kind of data is consumed by the model just by making several inferences to the public model and gaining that personal information. This is one of the reasons AI privacy is important, and why not to use extra information when building machine learning models.

Because all these kinds of attacks are very complicated, IBM has developed this open source tool called the Adversarial Robustness Toolbox to help developers and researchers defend against and understand what adversarial AI could do to their organizations. This tool not only provides you tools to do different kinds of attacks, but also provides tools for you to defend against those kinds of attacks and understand why this is important and how you could apply this to your AI systems.

When we look into defending and evaluating with this toolbox, you could use the Adversarial Robustness Toolbox red team tools, which create different kinds of adversarial attacks so you can understand how each attack is done, let's say on the training data level, on the model level and on the inference level. Once you understand how the attacker takes those actions, you could use the Adversarial Robustness Toolbox blue team tools to actually go defend against them. Let's say you make sure the data is not being exploited with bad data, and use adversarial training to make sure the model is not too sensitive to adversarially injected pixels. Those kinds of mechanisms can help you make your AI model more robust and less exploitable when you put your model out in public.

The ART community is very popular, as you can see. The Adversarial Robustness Toolbox has 3.4K GitHub stars now, 376,000 downloads and more than 10,000 commits, and many organizations are actually using this toolbox to build on top of the AI library and their tools as well. We can see different companies like Two Six Labs and Azure leverage the Adversarial Robustness Toolbox to build their command line tools, and of course our IBM team also uses this to provide privacy and compliance for AI models as well. You could actually trust this toolbox because it's very mature and has graduated this year. The Adversarial Robustness Toolbox just announced graduation, I think this year, 2022. So this is a graduated project, so you could very comfortably use it, and it actually ensures that we will provide full support. If you have any questions, feel free to ask the community and we will answer your questions.

I will just show you a simple demo of how a simple adversarial attack could be done. Let's say you have an image and the organization just wants to show what this image is about. Let's say this image is about a cat. Using this toolbox, you apply some adversarial attacks: by adding a few pixels you can actually make this image be recognized as an ambulance. Once you understand how this attack is done, you could attach some simple defending mechanism, in this case smoothing all the pixels.
You can actually make sure the model is less sensitive to those pixels being applied, and make sure the prediction result is back to being categorized as a cat. This is one simple way you could understand how the attack is done and, based on that, apply the necessary defense that prevents that kind of attack.

This is the high level of how you could apply security to AI, but that is a very manual process where someone has to understand how the AI is done and create different defending mechanisms for it, and it's very difficult to use in production environments. This is why I want to introduce how you could integrate all these kinds of trusted AI tools on top of Kubernetes. On Kubernetes, when we run our machine learning infrastructure, one of the popular projects we use is Kubeflow. Now I'm going to introduce how you actually apply trusted AI on different Kubeflow projects.

I think one popular machine learning infrastructure that runs on Kubernetes is Kubeflow Pipelines. We have many data scientists using Kubeflow Pipelines to run their machine learning tasks on top of Kubernetes. This is very useful because each of your ML tasks is actually containerized into one container, so you can easily apply any kind of task in your development, and it's driven by a Python DSL, so it's very easy for a data scientist to use. You could modify different parameters when you trigger different runs and use different parameters to run different experiments in your development. As part of your machine learning development with Kubeflow Pipelines, because it's containerized into individual tasks, it's very easy to just plug in any trusted AI tool as part of your development. In this case, we have developed a component for each of the trusted AI tools. For example, once you train your model, you could apply, let's say, a robustness check to make sure that this model is robust enough to prevent adversarial attacks. In this example, if it prevents adversarial attacks, then we're able to deploy this model to production. If not, the pipeline is set back and the model retrained, and we do the development cycle again. You could see the component is generic enough that you only need to provide the information for the input of the model, and usually that information is available when it's input into your pipeline, because you're using a pipeline as your development tool. With just that information, we're able to provide you some useful metrics. For example, the Adversarial Robustness Toolbox component could tell you your original test data accuracy, let's say in this example 87%; under an adversarial attack, the accuracy actually went down to 30%, and the overall confidence was actually down by 24%. These are very useful metrics to tell you your model is not ready for production, and you should accept that and consider adding some AI security into the model before you use it in your organization.

Of course, Kubeflow Pipelines is more focused on AI and ML model development. But after development, how do you actually inject this kind of AI security to make sure your production model is not under a particular attack? For that, we have an open source project called KServe. This was founded by Google, Seldon, IBM, Bloomberg and Microsoft, and KServe's goal is to have serverless ML inferencing on Kubernetes, and to support canary rollouts and model explanations. It's able to support multiple frameworks and able to scale and run very effectively on Kubernetes. Because KServe has the model explanation capability, we're able to integrate all of the trusted AI tools on top of KServe, and it's the main explainability toolbox as well. When you deploy KServe today, you can actually directly use AI Fairness 360, AI Explainability 360 and the Adversarial Robustness Toolbox as one of the explainers for your production models.

Now I want to dive into the different kinds of explanation or model evaluation you do once your model is in production. One of the concepts in KServe is the explainer, which refers to online evaluation, where you want to get real-time feedback on how this transaction of the application has been made. Usually a user would give you a transaction, let's say to make sure whether this loan is approved or not. Behind the scenes, it would do a real-time evaluation on why this loan is being approved based on whatever features. The information actually goes directly to the explainer server first, and then goes to the model server to get extra information on how these predictions have been made. This approach is very useful when you want to explain how a model is built, and also useful when you want to check whether or not the model is robust enough for this particular transaction.

But a more common way organizations use it is to just evaluate in a batch, or actually detect any vulnerability over time. So offline evaluation and detection is more common in large-scale AI production models, where it's usually event- and time-based, and the evaluation actually happens asynchronously. From a user aspect, they would still be doing the regular predictions to the models, but they will not get immediate model feedback at that time. The information on the transaction will actually be logged back into some data store behind the scenes, and whatever explanation server, fairness server or robustness server you have will actually go into the data store based on an event or based on cron timing to evaluate whether or not this transaction is fair or robust over time. If not, it will detect them, create an event and notify the developer and admins about an explainability or a security concern.

Now I'll show you how an online evaluation could be done on KServe. This is a real-time, synchronous evaluation. Let's say, for example, I have a handwritten digit I want to categorize, and I want to just create an attack on it. I could use something called the square attack method. This method actually applies to black-box models, where a black-box model means you don't have to know the model structure; you don't need to know how the model is built. You only need to make multiple inferences to the model to be able to understand how this model works and apply some pixel changes to turn this model into categorizing this image into a different category. To apply this capability on KServe is very simple. All you need to do is, in addition to the regular model deployment defined as a predictor, define what we call an explainer, and say what kind of attack you want to perform as part of this deployment. At the bottom it specifies a square attack and how many classes this model will categorize into; for handwritten digits you only have zero to nine, so that's only ten classes. Behind the scenes, when a user actually just calls the predictor, KServe uses Istio to route the traffic differently, so it's able to route your prediction into the explainer first, train the adversarial model, and the adversarial model gets a few predictions from the actual model you host on the predictor. Based on the outcomes, it will show you how you could modify several pixels on your original image to fool the model you have in your production environment.

This is one example on the MNIST dataset. This was just trained for 20 seconds on a two-CPU VM, and it's done in real time, running synchronously on KServe. Because we only trained for 20 seconds on CPUs, you could see the original image is a three, and by just changing some color sets on some background of the image three, you could actually make the model categorize this image as a nine. This is very useful to just know how much needs to be changed for this particular image to be able to fool this model into categorizing it into a different category.

Now we've seen how this could be done in real time for this particular transaction. But what happens when you want to just detect whether something is vulnerable over time? For example, when you want to calculate fairness detection, you cannot just calculate fairness on one particular transaction. You have to look at whether the model is fair by examining multiple, or even multiple hours of, transactions to make sure this model is not being unfair for this time frame. In this example, when we calculate the fairness metrics, we capture, let's say, four different predictions, and based on those predictions we could see these predictions are more favorable to a particular category, such as an age group or gender group, for, let's say, approving loan outcomes. This is why we need to collect multiple metrics over time, and that information needs to be captured and able to be referred to in a time series manner. Because of that, KServe actually introduced a way to log your payloads, so you can store them and reuse them over time. In the KServe logging system, you actually inject a concept called loggers, where you could put that into the predictor, the explainer and the transformer. What it does is capture your request and response and send those requests and responses as CloudEvents, and that CloudEvent just has your logged data. Later on I'll introduce a proof of concept on how you could use this kind of CloudEvent logged data to perform your offline evaluation and create detection on any vulnerability you have in your AI models.

I'm just going to introduce this proof of concept and how it's done. On a high level, when a model creates the predictions, the prediction actually sends events to what we use as the Knative ingress broker, so those events go into the broker. You could use any event streaming, but in the proof of concept we are using the Kafka event stream to collect all that information. When you send events to the Knative ingress, those events get pushed into Kafka. Kafka basically just collects all your events, and it can be used with any of your data ingestion systems. Because we need to do data ingestion, we actually built a custom Kafka connector to take those Kafka events, ingest that data and push it into a database. We also need a database that could be consumed by any explainer. In this case, for this example, we are using an AI Fairness 360 explainer. This explainer is just detecting any bias over time for that model.

If any metric gets below a certain threshold, it will notify the user and the admins, so they know the AI is not robust or not fair in a certain aspect, and they need to update their AI. Of course, that raw metric information, if it's just landing there, is difficult to evaluate and trace back to when this event happened. So we usually also have a metric transformer. If you want to display how this metric is produced, you could create that in a table manner, but if you want to track it over time, you could convert it into time series data, and that time series data could be pushed to Prometheus, so it's easy to use any time series visualization, let's say Grafana, to visualize that data.

Now I have a small demo, a two-minute demo, that displays how this whole process works. Once you have things set up, you will have a Kafka broker that accepts any CloudEvent from KServe, and this Kafka broker also has a connector and a MySQL database ready to ingest the data and store it into the database. We also have a model ready. This is the KServe model that is doing loan approval. All the user needs to do is just send predictions to this URL endpoint. When I send 10 different payloads, that information is directly sent into the model predictor and comes back with the result, where one is denying the loan and two is approving the loan. We could see there's only one person that gets the loan approved, and this person is actually a male. Behind the scenes, we could see that Kafka is collecting those CloudEvents as an event topic.

We want to see that happening in real time, so I'll show this right now. What happens in real time: when the prediction comes back, Kafka captures that information and the connector pushes that information into the MySQL database. Once I refresh this, because we did multiple predictions, the number of columns that we collect for the predicted results is actually increasing, from 86 when we refreshed to 88 in this case. Of course, behind the scenes, as we mentioned, the AI Fairness 360 explainer is evaluating metrics over time. I'll show you. Our metrics right now are time-based, so it will evaluate metrics every hour, and after each hour it will update the metrics. In this case, this is the disparate impact metric, which is evaluating a group of metrics, let's say on males and females: what's the ratio of the number of males that get approved versus the number of females that get approved. Because we're actually injecting biased data, where we just approve males more often using the same predictions, you could see over time this ratio is actually dropping. So if you set a certain threshold, this model eventually will go below that threshold and be able to send a notification to the developers saying that the real-world data is actually giving some biased results based on your model inputs. This is very useful information. You could see how over time it could decrease or increase, and you could trace back when this event happened and how it changed over time.

The last slide here is a whole page on where you could get involved in trusted AI. We have a list of GitHub repositories on the left.
You could join different trusted AI communities. We have the Adversarial Robustness Toolbox, AI Fairness 360 and AI Explainability 360. Each of them has a corresponding Slack channel in the top right-hand corner. You could join them and let us know how to improve this package, and we're happy to help you as well. We also have a monthly meeting for the Linux Foundation AI & Data. It's happening monthly on the fourth Thursday at 7 a.m. PDT. Anyone can join, and I have the link here, and for anyone who didn't catch the link, it's also on the presentation schedule as well. So you could go there, get the invite and get involved in how to use trusted AI in your organization, and if you have any information you want to provide to us, we're happy to hear it as well. With this I will take questions. Is there any question about trusted AI, or the trusted AI communities?

Audience: Part of your infrastructure showed Istio service mesh as part of the configuration. Is that something that Microsoft is now supporting as well, do you know, or is that...?

Tommy: So the Istio part is actually just for KServe. Let me repeat. You said the Istio infrastructure is supported by Microsoft?

Audience: Before, Microsoft was sort of neutral on Istio, and I was just wondering if they were now getting active in that project, if you were aware or not.

Tommy: Oh, you just want to see how active the Microsoft community is on the Istio project itself. So I'm not working directly on the Istio community, so I'm not quite sure. But the reason we use Istio for KServe is that when KServe was founded, we needed a way to serve serverless models on Kubernetes, and we found that Istio is a very useful way to scale things from zero to N, and it's easier to do canary deployments. At that time, Microsoft was also interested. So we actually got together and contributed this concept and turned it into KServe. Of course, we also see different use cases for using KServe without Istio. In IBM, we also have a concept called ModelMesh, which is also a different feature on KServe we could use without Istio, and of course ModelMesh also supports the concept of explainers as well. So feel free to use it. It's just that in this example we use Istio because it's the default deployment on KServe and it's easier. It depends on your company, if you want to use KServe or the new, different features KServe is also introducing; you can also use them to achieve the same result as well. Thank you. Are there any other questions? If not, thank you very much for joining.
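As an added illustration following the talk (not code from the speaker, from KServe or from AI Fairness 360), the following Python mimics the offline fairness check the proof of concept describes: logged prediction events bucketed by hour, a disparate impact ratio computed per window, and a threshold alert marking where the developers and admins would be notified. The CloudEvent payload shape, the field names `gender` and `approved`, the sample events and the 0.8 threshold are all assumptions; the metric follows AI Fairness 360's definition, the approval rate of the unprivileged group divided by that of the privileged group.

```python
"""Offline fairness evaluation over logged prediction payloads.

Added example, not code from the talk, from KServe or from AI Fairness 360.
It mirrors the proof of concept the talk describes: prediction request and
response payloads logged as CloudEvents, collected into rows, and a disparate
impact ratio evaluated per hour and compared against a threshold.
The event shape, the field names (gender, approved), the timestamps and the
sample events are constructed assumptions, not KServe's real logger format.
"""
from collections import defaultdict
from datetime import datetime, timezone
import json

# Constructed sample CloudEvents (assumed shape). "time" follows the CloudEvents
# attribute name; "data" is the assumed logged request/response payload.
SAMPLE_EVENTS = [
    json.dumps({"id": str(i), "source": "loan-predictor", "type": "inference",
                "time": t, "data": {"request": {"gender": g, "age": 40},
                                    "response": {"approved": a}}})
    for i, (t, g, a) in enumerate([
        # hour 10: males 2/3 approved, females 2/3 approved -> ratio 1.0
        ("2022-10-26T10:05:00Z", "male", 1), ("2022-10-26T10:10:00Z", "male", 1),
        ("2022-10-26T10:15:00Z", "male", 0), ("2022-10-26T10:20:00Z", "female", 1),
        ("2022-10-26T10:25:00Z", "female", 1), ("2022-10-26T10:30:00Z", "female", 0),
        # hour 11: males 3/3 approved, females 1/3 approved -> ratio 0.333
        ("2022-10-26T11:05:00Z", "male", 1), ("2022-10-26T11:10:00Z", "male", 1),
        ("2022-10-26T11:15:00Z", "male", 1), ("2022-10-26T11:20:00Z", "female", 1),
        ("2022-10-26T11:25:00Z", "female", 0), ("2022-10-26T11:30:00Z", "female", 0),
    ])
]


def parse_event(raw: str) -> dict:
    """Flatten one logged CloudEvent into a row: hour bucket, group, outcome."""
    ev = json.loads(raw)
    ts = datetime.fromisoformat(ev["time"].replace("Z", "+00:00")).astimezone(timezone.utc)
    return {
        "hour": ts.replace(minute=0, second=0, microsecond=0),
        "gender": ev["data"]["request"]["gender"],
        "approved": int(ev["data"]["response"]["approved"]),
    }


def disparate_impact(rows, attr="gender", unprivileged="female", privileged="male"):
    """Disparate impact as AI Fairness 360 defines it: approval rate of the
    unprivileged group divided by the approval rate of the privileged group.
    Returns None when either group is absent or the privileged rate is zero,
    so a caller treats the window as not evaluable instead of alerting on it."""
    approved = defaultdict(int)
    total = defaultdict(int)
    for r in rows:
        total[r[attr]] += 1
        approved[r[attr]] += r["approved"]
    if total[unprivileged] == 0 or total[privileged] == 0:
        return None
    priv_rate = approved[privileged] / total[privileged]
    if priv_rate == 0:
        return None
    return (approved[unprivileged] / total[unprivileged]) / priv_rate


def hourly_disparate_impact(raw_events):
    """Group logged events by hour (the talk's hourly evaluation window) and
    compute the metric per window; the result is a time series keyed by hour."""
    buckets = defaultdict(list)
    for raw in raw_events:
        row = parse_event(raw)
        buckets[row["hour"]].append(row)
    return {hour: disparate_impact(rows) for hour, rows in sorted(buckets.items())}


def alerts(series, threshold=0.8):
    """Windows whose ratio fell below the threshold (0.8, the common four-fifths
    rule, is an assumed default). These are the points where the proof of
    concept would notify developers and admins."""
    return [(hour.isoformat(), round(ratio, 3))
            for hour, ratio in series.items()
            if ratio is not None and ratio < threshold]


if __name__ == "__main__":
    series = hourly_disparate_impact(SAMPLE_EVENTS)
    for hour, ratio in series.items():
        print(hour.isoformat(), "disparate impact =",
              None if ratio is None else round(ratio, 3))
    print("alerts:", alerts(series))
```

In the proof of concept the rows would come from the MySQL table the Kafka connector fills, and the per-hour series would be pushed to Prometheus; here the same computation runs over the constructed events so the drop from 1.0 to 0.333 in the second hour, and the alert it triggers, can be inspected directly.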