A Review of Deep Learning Security and Privacy Defensive Techniques

Department of Computer Science, Superior University, Lahore, Pakistan; College of Computer Science and Information Technology (CCSIT), King Faisal University, Al-Ahsa, Saudi Arabia; Department of Computer Engineering, The University of Lahore, Lahore, Pakistan; School of Systems and Technology, The University of Management and Technology (UMT), Lahore, Pakistan; School of Computer and Information Technology, Beaconhouse National University, Lahore, Pakistan; Department of Physics (Electronics), Government College University, Lahore, Pakistan


Introduction
Deep Learning is also called hierarchical learning or deep-structured learning, and it comprises supervised and unsupervised machine learning techniques. The idea of Deep Learning derives from the structure and functionality of the human brain and from the processing of signals by neurons in the human mind. Deep Learning builds on artificial neural networks and consists of an input layer, an output layer, and many hidden layers. Each layer computes a nonlinear response to the data provided by the layer before it. For the last few years, Deep Learning has been widely used in signal processing for voice recognition, image recognition, object detection, and numerous other areas, such as drug discovery and genomics [1]. Deep Learning provides a way to deal with big data sets through the backpropagation algorithm, which indicates how the machine should change the internal parameters used to compute the representation in each layer from the representation in the previous layer [2].
Despite their enormous size, successful Deep Neural Networks can exhibit a very small difference between training and test performance. Conventional wisdom attributes this small generalization error to properties of the model family or to the regularization techniques used during training [3]. A crucial problem of DL is protecting the data that flows through its training and inference modules. Security and privacy issues are very important because DL models are widely adopted in the applications mentioned above. Furthermore, the training phase of practically every Deep Learning model relies on a huge amount of big data, much of it sensitive and confidential user data. Keeping this in view, DL models must not disclose confidential and sensitive data. In this paper, a systematic literature review was conducted on Deep Learning security threats, privacy threats to private data, and the corresponding defense techniques that have been developed. The paper also covers the most secure techniques, which use cryptographic primitives without involving a third party, and summarizes future challenges and opportunities.

Application of Deep Learning.
Deep learning has introduced new ways of looking at technology. Artificial Intelligence (AI) and its branches ML and Deep Learning generate a lot of excitement. Deep Learning has already changed ways of living and will further affect life in the near future. DL is gaining market share day by day, and we are confident that in the coming five to ten years the tools, techniques, and libraries of DL will be included in every development toolkit.
Here, we discuss the Deep Learning applications that captured the market in 2019 and beyond.
1.1.1. Self-Driving Car. Many car manufacturers have built self-driving cars with the help of digital sensor systems. This is accomplished by training algorithms on huge amounts of unstructured data.

DL in Healthcare.
Deep learning is also used to bring improvements to healthcare, especially in breast cancer diagnostics and monitoring apps. It is also used in personalized medicine based on Biobank data. Deep learning has reshaped the healthcare industry as well as the life sciences, and its key features are advancing the future of health management.

DL in Voice Search.
The most famous uses of Deep Learning are voice recognition, voice search, and voice activation. This facility has been available in smartphones since 2011. Google and Apple already offer these services, and Microsoft has launched the Cortana voice-activated assistant.

Automatic Machine Translation.
Google Translate is the main example of translation from one language into another. The user enters words, sentences, paragraphs, or phrases in one language, and they are converted into another. Although this facility has been available for a long time, DL keeps improving the results, and machine translation now also works on images. Image-to-text conversion is an example of machine translation made possible by Deep Learning.

Automatic Handwriting Generation.
Deep Learning has also played a vital role in automatic handwriting generation. The system learns from captured pen movements and the letters they produce, and DL also facilitates the generation of new writing styles.
There are numerous other applications of Deep Learning that cannot all be covered in one paper. The rest of the paper is organized as follows: Deep Learning private data frameworks are described in Section 3, Deep Learning threats and attacks are discussed in Section 4, defense techniques against security issues in Deep Learning are briefly explained in Section 5, and the conclusion of the paper is given in Section 6.

Deep Learning.
Deep learning permits computational models composed of multiple processing layers to learn representations of data at multiple levels of abstraction. These techniques have vastly improved the state of the art in voice recognition, visual recognition, object detection, and many other areas, such as drug discovery and genomics. Deep artificial neural networks routinely contain more trainable parameters than the number of samples they are trained on [4]. Nevertheless, some of these models show a remarkably small generalization error, that is, the difference between the training error and the test error. It is certainly easy to construct conventional architectures with small generalization error [5]. What then distinguishes neural networks that generalize well from those that do not? A satisfactory answer to this question would not only make neural networks more interpretable but could also lead to more principled and reliable architecture design. To address it, statistical learning theory has proposed several complexity measures capable of controlling the generalization error, including the VC dimension, Rademacher complexity, and uniform stability. Also, when the number of parameters is large, the theory suggests that some form of regularization is needed to guarantee a small generalization error; the regularization may be implicit, as with early stopping [6]. Machine learning technology powers many aspects of modern society, from web search to content filtering on social networks to recommendations on e-commerce sites, and is increasingly present in consumer products such as cameras and smartphones. Machine learning systems are used to identify objects in images, transcribe speech into text, match news items, posts, or products with users' interests, and select relevant search results. Increasingly, these applications make use of Deep Learning [7].
According to [8], traditional machine learning techniques were limited in their ability to process natural data in its raw form. For decades, building a machine learning system required careful engineering and substantial domain expertise to design a feature extractor that transforms raw data into a suitable internal representation [9].

Deep Neural Networks (DNNs).
This greater use of Deep Learning creates incentives for adversaries to attack Deep Neural Networks (DNNs) and force the misclassification of inputs. For example, Deep Learning applications use image classifiers to distinguish inappropriate content, and text and image classifiers to distinguish spam from legitimate mail [10]. An adversary capable of crafting erroneous inputs would benefit by evading detection; indeed, such attacks already occur against classification systems other than Deep Learning. In the physical world, consider a driverless car that uses Deep Learning to recognize traffic signs. If an alteration to a "stop" sign causes the Deep Neural Network to misclassify it, the vehicle will not stop [11]. A neural network basically consists of three elements. The first is the input layer, which holds the data the user wants to analyze [12]. The second is the hidden layers, each consisting of one or more nodes whose primary function is to perform the computation defined by the Deep Learning algorithm. The last is the output layer, which produces the result. Figure 1 illustrates a basic neural network, and Figure 2 illustrates a Deep Learning neural network.
For classification tasks, higher representation layers amplify the aspects of the input that are important for discrimination and suppress irrelevant variations. For example, an image comes in the form of an array of pixel values, and the features learned in the first representation layer typically represent the presence or absence of edges at particular orientations and locations in the image. The second layer typically detects motifs by spotting particular arrangements of edges, regardless of small variations in the edge positions. The third layer may assemble motifs into larger combinations that correspond to parts of familiar objects, and subsequent layers detect objects as combinations of these parts.
The key feature of DL layers is that they are not designed by humans; they are learned from data using a general-purpose learning procedure. Deep learning is making great progress in solving problems that have resisted the best attempts of the AI community for many years. It has proven very good at discovering intricate structures in high-dimensional data and is therefore applicable to many domains of science, business, and government. In addition to beating records in image recognition and speech recognition, it has outperformed other machine learning methods at predicting the activity of potential drug molecules, analyzing particle accelerator data, reconstructing brain circuits, and predicting the effects of mutations in noncoding DNA on gene expression and disease. Perhaps most surprisingly, Deep Learning has produced very promising results on several tasks in natural language understanding, particularly topic classification, sentiment analysis, question answering, and language translation [13].
It is pertinent to add here that weaknesses in DL systems have recently been revealed in a large number of publications. It is dangerous that these applications are built on a limited understanding of security and privacy in DL systems [14].
Although many research studies have been published on attacks and defenses for the security and privacy of Deep Learning, they remain fragmented. Here, we review recent attempts to secure Artificial Intelligence and the private data of Artificial Intelligence systems.
In order to meet the requirements for strong AI systems in terms of information security and private data, we need to develop robust Secure Artificial Intelligence systems.
A Secure Artificial Intelligence system should provide security guarantees, and Private Data Artificial Intelligence should maintain the data privacy of the system [15].
Secure Artificial Intelligence focuses on attacks, threats, vulnerabilities, and the corresponding defenses of Artificial Intelligence systems, and in particular of Deep Learning, which is the most effective model. Attacks on Deep Learning cause false predictions by feeding crafted samples to the model. When the attacker knows the structure and parameters of the model, the attack is called a white-box attack, and it typically uses gradient-based techniques to craft the samples. In contrast, black-box attacks cause the victim system to make false predictions without any knowledge of its internals. It has been observed that almost every black-box attack exploits the prediction confidence returned by the system, without knowledge of its structure and parameters [16].
In order to develop defenses against these attacks, various methods have been proposed, such as adversarial training, generative adversarial networks, statistical approaches, and recurrent neural networks. The input a user submits to a Deep Learning service for recognition contains sensitive data. The most secure option for the user would be to install and run the Deep Learning model on their own platform, but this is usually not feasible because the model is built from and processes massive amounts of data [17].

(Figure 1: basic neural network with an input layer, one hidden layer, and an output layer.)
(Figure 2: Deep Learning neural network with an input layer, four hidden layers, and an output layer.)

Every organization wants to keep its data confidential so that competitors cannot use it for their own business purposes. The upshot is that a privacy-preserving Deep Learning system should meet three main requirements:
(i) the data used to train the model should not be disclosed to the cloud server;
(ii) the user's request (input) should not be disclosed to the cloud server;
(iii) the configuration of the model on the cloud server should not be disclosed to the user.
Organizations using Deep Learning therefore need privacy frameworks in which neither an intruder nor a participating party can disclose or modify information during the shared computation. To strengthen privacy-preserving computation for Deep Learning, it is critically important to design privacy-specific techniques that minimize the complexity of secure function evaluation protocols [18]. The purpose of this research is to study recent developments in Deep Learning on private data and the security issues attached to Deep Learning in different domains. Furthermore, we describe the possible security and privacy attacks on Deep Learning along with different defense methods.
The core building block of a Deep Neural Network is the artificial neuron. An artificial neuron computes a weighted sum of its inputs and passes it through an activation function, y = σ(w · x), where y denotes the output, x the input vector, σ the activation function (a nonlinear function), and w the weights. Artificial neurons are grouped into layers (Figures 1 and 2), and stacking layers constructs a DNN. Because σ is nonlinear, stacking many layers lets the Deep Neural Network approximate the objective function without any hand-crafted feature selection.
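The neuron equation above, and the white-box versus black-box distinction from the Secure AI discussion earlier in this section, can be made concrete with a small worked example. The following Python code is an added illustration and is not code from the paper or from any of the cited works. It hand-codes a single logistic neuron y = σ(w · x + b) with assumed weights, then crafts an evasion sample with the Fast Gradient Sign Method (FGSM), once with the exact gradient (white-box access to w and b) and once with a gradient estimated purely from the confidence score the model returns (black-box access). The weights, bias, input vector, feature range, and step size eps are assumptions of the example.

```python
import math

# Assumed toy model: a single logistic neuron y = sigma(w . x + b) over two
# features. The weights are fixed by hand for this example; they are not a
# trained model from the paper.
W = [2.0, -1.0]
B = -0.5
FEATURE_RANGE = (0.0, 1.0)   # assumed valid input range, used for clipping


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def neuron(x, w=W, b=B):
    """The artificial neuron: weighted sum of inputs through a nonlinearity."""
    return sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b)


def predict(x):
    """Hard decision from the confidence score."""
    return 1 if neuron(x) >= 0.5 else 0


def cross_entropy(p, y_true):
    """Loss of confidence p against the true label."""
    return -math.log(p) if y_true == 1 else -math.log(1.0 - p)


def white_box_gradient(x, y_true, w=W, b=B):
    """Exact dL/dx_i for a logistic unit: (y_hat - y_true) * w_i.
    Needs the weights, i.e. white-box access to the model."""
    y_hat = neuron(x, w, b)
    return [(y_hat - y_true) * wi for wi in w]


def black_box_gradient(query, x, y_true, delta=1e-3):
    """Finite-difference estimate of dL/dx using only the confidence score
    returned by query(x): no weights or architecture needed, just queries."""
    base = cross_entropy(query(x), y_true)
    grad = []
    for i in range(len(x)):
        x_shift = list(x)
        x_shift[i] += delta
        grad.append((cross_entropy(query(x_shift), y_true) - base) / delta)
    return grad


def fgsm(x, grad, eps, lo=FEATURE_RANGE[0], hi=FEATURE_RANGE[1]):
    """Fast Gradient Sign Method: x_adv = clip(x + eps * sign(dL/dx)).
    Each feature moves one step eps in the direction that raises the loss
    for the true label, staying inside the valid feature range."""
    sign = lambda g: (g > 0) - (g < 0)
    return [min(hi, max(lo, xi + eps * sign(gi))) for xi, gi in zip(x, grad)]


if __name__ == "__main__":
    x = [0.6, 0.2]                       # constructed benign input, class 1
    adv_wb = fgsm(x, white_box_gradient(x, 1), 0.3)
    adv_bb = fgsm(x, black_box_gradient(neuron, x, 1), 0.3)
    print("clean:", predict(x), "white-box adv:", predict(adv_wb),
          "black-box adv:", predict(adv_bb))
```

The two gradient estimates have the same sign vector, so both attacks land on the same adversarial point and flip the label. That is the practical content of the observation that black-box attacks exploit the prediction confidence: a service that returns calibrated scores hands the attacker most of what white-box access would.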
Figure 3 is a high-level diagram of the learning process used to develop a typical Deep Learning model. The performance of the DL model depends on the size of the available training data. However, training samples are typically gathered from user content stored on cloud machines and hold sensitive information, such as photographs, video, audio, and location records. The privacy of the user is therefore a major concern in Deep Learning during both training and inference [19]. Internet service providers offer Deep Learning as a service, where users submit input to the cloud machines and obtain a prediction result.

Architectures of DNNs.
The DNN model has different types of architectures, which are briefly explained below.

Feed-Forward Neural Network (FNN).
This is the fundamental building block of Deep Neural Networks. It consists of multiple layers; adjacent layers are fully connected to each other, while the nodes within a layer are not connected to one another [20]. Figures 1 and 2 are examples of Feed-Forward Neural Networks.

Convolutional Neural Network.
This architecture is shown in Figure 4. A CNN consists of several convolutional and pooling layers. The convolutional layers apply convolution operations to compute their layer-wise outputs, and the combination of convolution and pooling lets the network learn spatial structure. Hence, CNN architectures show exceptional results, particularly in image applications [21, 22].

Recurrent Neural Network.
It is extensively used to process sequential information. As illustrated in Figure 5, the RNN computes its output after updating the current hidden state from the previous hidden state and the currently available input [23]. The RNN suffers from the vanishing gradient problem on long sequences; gated variants such as long short-term memory (LSTM) and the gated recurrent unit (GRU) are used to mitigate it.

Generative Adversarial Network.
This DNN architecture is composed of two modules, a Discriminator (D) and a Generator (G).
The Generator produces synthetic data, while the Discriminator's role is to tell whether the data it is shown are real or generated, as illustrated in Figure 6.
The Generator and Discriminator are themselves DNNs, and their structures vary with the application of the network [24]. Generative Adversarial Networks are adopted in many fields, such as image processing, voice recognition, and domain adaptation.

Deep Learning Privacy Preserving Techniques.
In the following sections, we discuss the cryptographic primitives currently adopted by organizations for privacy preservation in both the training and the inference of Deep Neural Networks (DNNs).

Homomorphic Encryption (HE).
Homomorphic Encryption (HE) is an encryption primitive that allows one party to encrypt data and send it to another party, which can then perform certain operations on the encrypted data [25]. An encryption scheme that allows computations to be carried out on encrypted data without decrypting it and without access to the secret decryption key is called HE [26]. When the computation ends, the encrypted result is sent back to the first party, which decrypts it to obtain the result in plaintext.

Homomorphic encryption schemes are divided into fully Homomorphic Encryption (FHE) and partially Homomorphic Encryption (PHE) [27]. For example, the Paillier cryptosystem only supports the addition of two encrypted values (and the multiplication of an encrypted value by a plaintext constant), so it is partially homomorphic. In contrast, a fully homomorphic scheme supports arbitrary computation.
A Homomorphic Encryption scheme (Enc) satisfies the following equation:
Enc(a Δ b) = Enc(a) * Enc(b),
where Enc: X → Y is the encryption function, X is the set of messages, Y is the set of ciphertexts, a and b are messages in X, and Δ and * are the corresponding operations on messages and on ciphertexts, respectively. Initially only partial schemes were available; over time, researchers developed fully Homomorphic Encryption schemes that allow arbitrary computation on encrypted data.
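As an added worked example (not code from the paper or from any cited framework), the following Python implementation of the Paillier cryptosystem shows the additive homomorphism Enc(a) * Enc(b) = Enc(a + b), scaling of a ciphertext by a plaintext constant, and how a server can evaluate one linear layer w · x + b of a neuron on encrypted inputs while holding only plaintext weights. The prime parameters, the plaintext weights, and the inputs are assumptions chosen so the example runs instantly; they are far too small for real use.

```python
import math
import random

# Two small, well-known primes (the 10000th and 100000th primes), chosen only
# so the example runs instantly; a real deployment uses primes of ~1024 bits.
# These parameters are an assumption of this example, not taken from the paper.
P, Q = 104729, 1299709


def keygen(p=P, q=Q):
    """Paillier key generation with the common choice g = n + 1."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)  # lcm(p-1, q-1)
    g = n + 1
    n2 = n * n
    # mu = (L(g^lam mod n^2))^-1 mod n, with L(u) = (u - 1) / n
    mu = pow((pow(g, lam, n2) - 1) // n, -1, n)
    return (n, g), (lam, mu)


def encrypt(pub, m, rng):
    """c = g^m * r^n mod n^2 with fresh random r; negative m is encoded mod n."""
    n, g = pub
    n2 = n * n
    while True:
        r = rng.randrange(1, n)
        if math.gcd(r, n) == 1:
            break
    return (pow(g, m % n, n2) * pow(r, n, n2)) % n2


def decrypt(pub, priv, c):
    """m = L(c^lam mod n^2) * mu mod n, mapped back to a signed integer."""
    n, _ = pub
    lam, mu = priv
    n2 = n * n
    m = ((pow(c, lam, n2) - 1) // n) * mu % n
    return m - n if m > n // 2 else m


def add(pub, c1, c2):
    """Enc(a) * Enc(b) mod n^2 = Enc(a + b): the additive homomorphism."""
    n, _ = pub
    return (c1 * c2) % (n * n)


def mul_const(pub, c, k):
    """Enc(a)^k mod n^2 = Enc(k * a): scaling by a plaintext constant."""
    n, _ = pub
    return pow(c, k % n, n * n)


def encrypted_linear_layer(pub, enc_x, w, b, rng):
    """Server-side z = w . x + b over ciphertexts of x with plaintext w and b.
    This is all a partially homomorphic scheme can do for a neuron: the
    nonlinear activation sigma must be applied elsewhere (after decryption by
    the client, or with another protocol as the frameworks below do)."""
    acc = encrypt(pub, b, rng)
    for ci, wi in zip(enc_x, w):
        acc = add(pub, acc, mul_const(pub, ci, wi))
    return acc


if __name__ == "__main__":
    pub, priv = keygen()
    rng = random.Random(7)
    enc_x = [encrypt(pub, v, rng) for v in (3, -5, 2)]      # client input
    z = encrypted_linear_layer(pub, enc_x, [4, 7, -2], 10, rng)  # server
    print("w.x + b =", decrypt(pub, priv, z))                 # client decrypts
```

The server never sees x, and the client never sees w or b in the clear, which is exactly requirements (ii) and (iii) from the previous section. What the scheme cannot do is multiply two ciphertexts, so a second neuron cannot be fed the encrypted output of the first without either a levelled/fully homomorphic scheme or a switch to garbled circuits or secret sharing for the nonlinear step.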

Garbled Circuits (GCs).
Yao's garbled circuit method provides a generic mechanism by which two parties holding inputs x and y, respectively, can securely evaluate an arbitrary Boolean function f(x, y) without disclosing anything about their inputs beyond the output of the function. The basic idea is that one party (the garbler) prepares an encrypted version of the circuit computing f, and the second party (the evaluator) computes the output of the garbled circuit without learning any intermediate value of the circuit [28]. Concretely, in the first step the garbler assigns two random keys to each wire of the circuit, one representing bit 0 and one representing bit 1. For every gate, the garbler encrypts each output-wire key under the pair of input-wire keys that selects it, producing a garbled table [29]. The garbler then sends the garbled tables to the evaluator together with the keys corresponding to its own input bits; the evaluator obtains the keys for its own input bits through oblivious transfer, so that the garbler does not learn them. The evaluator decrypts exactly one row of each garbled table, gate by gate, until it obtains the output keys of the circuit [30]. Finally, the garbler maps the output keys back to plaintext bits.

(Figure 5: recurrent neural network with an input layer, a hidden layer, a context layer, and an output layer.)
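The steps above can be followed in code for a single AND gate. The following Python example is added here and is not the paper's or any project's code: the garbler picks two keys per wire, encrypts each output key under the input-key pair that selects it (a SHA-256 hash of the two keys stands in for the symmetric cipher), shuffles the rows, and the evaluator opens exactly one row. The key length, the gate identifier, and the zero-padding check used to recognise the correct row are assumptions of this example; practical implementations use point-and-permute bits instead of trial decryption, and the oblivious transfer step is not shown.

```python
import hashlib
import random

KEY_LEN = 16  # bytes per wire key (128-bit labels, as in practical GC implementations)


def _rand_key(rng):
    return bytes(rng.getrandbits(8) for _ in range(KEY_LEN))


def _pad(k_a, k_b, gate_id):
    """Row encryption pad derived from the two input-wire keys. The hash stands
    in for a symmetric cipher; the gate id keeps pads distinct across gates."""
    return hashlib.sha256(k_a + k_b + gate_id).digest()


def _xor(x, y):
    return bytes(p ^ q for p, q in zip(x, y))


def garble_and_gate(rng, gate_id=b"and-gate-0"):
    """Garbler (first party): two random keys per wire, one for bit 0 and one
    for bit 1; each output key is encrypted under the input-key pair that
    selects it; the four rows are shuffled so their order reveals nothing."""
    keys = {w: (_rand_key(rng), _rand_key(rng)) for w in ("a", "b", "out")}
    table = []
    for bit_a in (0, 1):
        for bit_b in (0, 1):
            k_out = keys["out"][bit_a & bit_b]
            # plaintext = output key || 16 zero bytes; the zero bytes let the
            # evaluator recognise the one row it is able to open
            plain = k_out + bytes(KEY_LEN)
            pad = _pad(keys["a"][bit_a], keys["b"][bit_b], gate_id)
            table.append(_xor(pad, plain))
    rng.shuffle(table)
    return keys, table


def evaluate_garbled_gate(table, k_a, k_b, gate_id=b"and-gate-0"):
    """Evaluator (second party): holds one key per input wire and the table.
    It recovers exactly one output key and learns nothing about which bit
    that key encodes, nor about the other party's input bit."""
    pad = _pad(k_a, k_b, gate_id)
    for row in table:
        plain = _xor(pad, row)
        if plain[KEY_LEN:] == bytes(KEY_LEN):
            return plain[:KEY_LEN]
    raise ValueError("no row opened: evaluator holds wrong input keys")


def decode_output(keys, k_out):
    """Garbler maps the returned output key back to the plaintext bit."""
    return keys["out"].index(k_out)


if __name__ == "__main__":
    rng = random.Random(1)
    keys, table = garble_and_gate(rng)
    # garbler's input bit a=1, evaluator's input bit b=1 (keys chosen for demo)
    k = evaluate_garbled_gate(table, keys["a"][1], keys["b"][1])
    print("AND(1, 1) =", decode_output(keys, k))
```

Note that the three rows for (0,0), (0,1) and (1,0) all encrypt the same output key: the evaluator cannot tell which of them it opened, which is what hides the garbler's input bit.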

Goldreich Micali Wigderson (GMW).
It is also a generic secure function evaluation protocol, proposed in 1987, that evaluates a circuit on secret-shared wire values using linear secret sharing. Like the Garbled Circuit protocol, it requires the function to be expressed as a Boolean circuit [31, 32]. However, unlike Garbled Circuits, the two parties must interact for every AND gate (XOR gates are evaluated locally on the shares).
All AND gates in the same layer of the circuit can be handled independently and in parallel, so the number of communication rounds grows linearly with the depth of the circuit. The technique is therefore best suited to low-depth circuits and low-latency links.

Differential Privacy (DP).
DP is a metric of how much information about a single entry in a database is exposed when a query is answered [33]. To preserve the privacy of database entries, carefully calibrated noise is added to the query answers (or to the data themselves) so that the statistical properties of the database are retained while the contribution of any individual record is masked [34]. Equivalently, DP can be viewed as a way to reduce the dependence between the query result and individual data points in the database, thus limiting information leakage. It ensures that an attacker cannot infer anything about an individual with high confidence from the released answers or models [35].
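To show what "carefully calibrated noise" means in practice, the following added Python example (not code from the paper) implements the Laplace mechanism for a counting query over a constructed toy patient table, the differencing attack the mechanism is meant to blunt, and the basic composition rule that motivates a privacy budget. The table contents, the sensitivity value, and the epsilon values are assumptions of the example.

```python
import math
import random

# Constructed toy database (not real data): one record per patient.
DB = [
    {"id": 1, "age": 34, "diabetic": True},
    {"id": 2, "age": 51, "diabetic": False},
    {"id": 3, "age": 29, "diabetic": True},
    {"id": 4, "age": 63, "diabetic": True},
    {"id": 5, "age": 45, "diabetic": False},
]


def laplace_noise(scale, rng):
    """Laplace(0, scale) sample by inverse CDF: -scale*sgn(u)*ln(1-2|u|), u in (-1/2, 1/2)."""
    u = rng.random() - 0.5
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


def count_query(db, predicate):
    """Exact answer: how many records satisfy the predicate."""
    return sum(1 for row in db if predicate(row))


def dp_count(db, predicate, epsilon, rng):
    """Laplace mechanism for a counting query. Adding or removing one record
    changes a count by at most 1 (global sensitivity 1), so noise with scale
    sensitivity/epsilon makes the released answer epsilon-differentially private."""
    sensitivity = 1.0
    return count_query(db, predicate) + laplace_noise(sensitivity / epsilon, rng)


def difference_attack(db, target_id, predicate, epsilon=None, rng=None):
    """The inference DP is designed to blunt: ask for the count over the whole
    database and over the database without one person. With exact answers the
    difference is that person's attribute; under DP it is only a noisy hint."""
    without = [r for r in db if r["id"] != target_id]
    if epsilon is None:
        return count_query(db, predicate) - count_query(without, predicate)
    return dp_count(db, predicate, epsilon, rng) - dp_count(without, predicate, epsilon, rng)


def budget_after(epsilon, num_queries):
    """Sequential composition: k answers at epsilon each are jointly k*epsilon-DP.
    Repeating a query and averaging is how noise is removed, hence a fixed budget."""
    return epsilon * num_queries


if __name__ == "__main__":
    is_diabetic = lambda r: r["diabetic"]
    rng = random.Random(0)
    print("exact leak about patient 3:", difference_attack(DB, 3, is_diabetic))
    print("DP (eps=0.5) version:", difference_attack(DB, 3, is_diabetic, 0.5, rng))
    print("budget spent by 10 queries at eps=0.5:", budget_after(0.5, 10))
```

With epsilon = 0.5 the noise scale is 2, which is larger than the one-record signal the attacker is looking for; with a very large epsilon the noise vanishes and the differencing attack works again, which is why epsilon is treated as a budget rather than a tuning knob.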

Secret Sharing (SS).
Secret sharing is a way to distribute a secret among two or more parties such that no individual share reveals any information about the secret, while the secret can be reconstructed from all the shares. One of the most popular variants is additive secret sharing. In this case, the secret is shared by sampling random shares and computing the last share so that the sum of all the shares equals the secret value [36]. The secret is reconstructed by summing all the shares.
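Additive secret sharing, and the GMW-style evaluation of XOR and AND gates on shares described two sections earlier, can be illustrated together. The following Python code is an added example, not code from the paper or from any of the frameworks it surveys: shares are split and reconstructed modulo a chosen modulus, linear gates are evaluated locally, and a multiplication (an AND gate when the modulus is 2) is evaluated with one round of interaction using a Beaver multiplication triple. In GMW that triple is produced with oblivious transfer in an offline phase; here a trusted-dealer function stands in for that phase, which is an assumption of the example.

```python
import random


def share(secret, n_parties, modulus, rng):
    """Additive secret sharing: n-1 shares are uniformly random, the last one
    is chosen so that all shares sum to the secret (mod modulus)."""
    shares = [rng.randrange(modulus) for _ in range(n_parties - 1)]
    shares.append((secret - sum(shares)) % modulus)
    return shares


def reconstruct(shares, modulus):
    """Only the sum of all shares reveals the secret."""
    return sum(shares) % modulus


def add_shares(sx, sy, modulus):
    """Linear gates are free: every party adds its own two shares locally.
    With modulus 2 this is the XOR gate of the GMW protocol."""
    return [(x + y) % modulus for x, y in zip(sx, sy)]


def beaver_triple(n_parties, modulus, rng):
    """Shares of a random (a, b, a*b). In GMW the AND-gate correlation comes
    from oblivious transfer in an offline phase; this trusted dealer stands in
    for that phase (assumption of the example)."""
    a, b = rng.randrange(modulus), rng.randrange(modulus)
    return (share(a, n_parties, modulus, rng),
            share(b, n_parties, modulus, rng),
            share(a * b % modulus, n_parties, modulus, rng))


def mul_shares(sx, sy, triple, modulus):
    """One round of interaction per multiplication (AND gate when modulus == 2):
    parties open d = x - a and e = y - b, which leak nothing because a and b are
    uniform, then x*y = c + d*b + e*a + d*e is computed on shares locally."""
    sa, sb, sc = triple
    d = reconstruct([(x - a) % modulus for x, a in zip(sx, sa)], modulus)
    e = reconstruct([(y - b) % modulus for y, b in zip(sy, sb)], modulus)
    out = []
    for i, (a, b, c) in enumerate(zip(sa, sb, sc)):
        z = (c + d * b + e * a) % modulus
        if i == 0:  # the public term d*e is added by exactly one party
            z = (z + d * e) % modulus
        out.append(z)
    return out


def gmw_and(bit_x, bit_y, n_parties, rng):
    """Boolean GMW evaluation of x AND y: XOR-share the bits (modulus 2), use
    one Beaver triple for the AND gate, and reconstruct only the final output."""
    sx = share(bit_x, n_parties, 2, rng)
    sy = share(bit_y, n_parties, 2, rng)
    sz = mul_shares(sx, sy, beaver_triple(n_parties, 2, rng), 2)
    return reconstruct(sz, 2)


if __name__ == "__main__":
    rng = random.Random(11)
    mod = 2 ** 16
    sx, sy = share(6, 3, mod, rng), share(7, 3, mod, rng)
    print("6 * 7 on shares =", reconstruct(mul_shares(sx, sy, beaver_triple(3, mod, rng), mod), mod))
    print("GMW AND(1, 1) =", gmw_and(1, 1, 2, rng))
```

Each AND gate costs one opening of d and e, so the gates of one circuit layer can be batched into a single round, which is the linear-in-depth round complexity noted above for GMW.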

Deep Learning Private Data Frameworks
In this section, we briefly describe the most efficient private data frameworks for Deep Learning. All the frameworks below are proven secure in the Honest-but-Curious (HbC) adversary model. In this model, every party follows the protocol's instructions, but may try to infer additional information from the messages it observes. The model therefore does not cover malicious parties that deviate from the protocol; security against such attacks requires stronger and more expensive protocols.

Shokri and Shmatikov.
The authors proposed a privacy-preserving method for Deep Learning based on Differential Privacy (DP) for the case in which the training data are held by different parties. Each party trains its own local copy of the neural network and selectively shares a subset of its parameter updates with the other parties. The algorithm runs on the different machines in parallel, and the updates from the separate machines are aggregated to produce the final model. To protect the users' private data, the DP mechanism is applied to the parameter updates that are shared, rather than sharing the raw values. As a result, a trade-off is introduced between the accuracy of the trained neural network and the privacy of the data.

3.2. SecureML.
SecureML is a system for privacy-preserving machine learning in general and neural networks in particular. It is based on the HE, GC, and SS protocols. Data owners secret-share their data between two non-colluding servers, which train the neural network [37]. SecureML uses a more efficient custom activation function to train the neural network with secure computation protocols [31]. At the end of the computation, the trained model is held secret-shared between the servers. In addition to training, SecureML also provides privacy-preserving inference.

Google.
A secure aggregation protocol was introduced for high-dimensional vectors held by mobile users.
The protocol can be used in federated learning, in which users keep their data and models locally [38]. The central server learns the machine learning model by securely aggregating the users' learning updates, without seeing any individual update. The method is based on secret sharing and is robust against users that drop out of the protocol at any time [39].

CryptoNets.
CryptoNets [40] applies ML to medical, educational, financial, or other kinds of confidential data, which requires not only accurate predictions but also careful handling to keep the data safe and secure. CryptoNets was developed by Microsoft Research using levelled Homomorphic Encryption (LHE). Because nonlinear activation functions cannot be evaluated with LHE, the authors proposed approximating them with low-degree polynomials [41]. Therefore, the neural network must be retrained in plaintext with the same polynomial activation function to maintain good prediction accuracy. Another disadvantage of this approach is that LHE imposes a limit on the number of sequential multiplications (the multiplicative depth), which makes the solution prohibitive for deep networks. In addition, CryptoNets has a privacy/utility trade-off: to achieve a higher level of privacy, accuracy must be reduced within the same computing budget.

MiniONN.
The authors observed that privacy risks remain and that clients still face the threat of sensitive information disclosure [42]. MiniONN introduces a method for transforming an existing DNN into an Oblivious Neural Network that addresses these privacy risks: the server learns nothing about the client's input, and the client learns nothing about the model [42]. The performance of MiniONN is better than that of CryptoNets and SecureML. It leverages additive Homomorphic Encryption, Garbled Circuits, and secret sharing, and supports common activation functions as well as pooling for CNNs. It has two main phases:
(i) an offline phase, independent of the input, that uses additive Homomorphic Encryption to precompute input-independent material;
(ii) an online phase that uses GC and SS, with the nonlinear layers processed by GC and SS.

3.6. Chameleon.
This protocol is a mixed framework for privacy preservation. It builds on the existing GMW protocol for the activation function and uses Garbled Circuits for more complicated activation functions and pooling layers. Chameleon uses secret sharing for the arithmetic (linear) operations. Like MiniONN, it has offline and online phases [41]; moving computation into the offline phase makes online prediction faster. Like SecureML, Chameleon requires two non-colluding machines, but unlike SecureML it does not involve a third party during the online phase. Chameleon is the most efficient of the techniques discussed here.

3.7. DeepSecure.
DeepSecure is one of the recent frameworks based on the Garbled Circuit protocol. Since the Garbled Circuit is a generic function evaluation protocol, the framework supports all nonlinear activation functions. DeepSecure introduces the idea of reducing the size of the data and of the network before the Garbled Circuits are run, thus reducing computation and communication [43]. The preprocessing phase is independent of the underlying cryptographic protocol and can be adopted by any other backend engine for inference. DeepSecure also supports secure outsourcing of the computation to a secondary server when the client has limited resources.

Deep Learning Threats and Attacks
Deep learning faces various types of threats and attacks; the well-known ones are listed below.

Security Attack Taxonomy.
Ji et al. [44] classified security threats to Deep Learning from three different angles: the influence on the classifier, the type of security violation, and the specificity of the attack.
From the viewpoint of influence, security threats to Deep Learning fall into two categories.

Causative Attack.
Causative attacks degrade the performance and reliability of the training process: the machine learning algorithm is supplied with incorrect training data, for example by modifying the labels of training samples. Many researchers have performed causative attacks on image data and shown that they significantly degrade the trained model.
This means that adversaries able to alter the training data can change the parameters of the learned model during retraining, resulting in a substantial reduction in performance on subsequent classification tasks.

Exploratory Attack.
Exploratory attacks do not influence the training dataset. Their key objective is to learn as much as possible about the learning algorithm and the underlying system. Model inversion, model extraction, and membership inference are examples of exploratory attacks.
From the security-violation viewpoint, threats to Deep Learning fall into three groups:
(1) Integrity Attack. In an integrity attack, the Deep Learning model fails to detect harmful samples and classifies them as benign. The output of the system shows that the integrity of the learning machine has been compromised. Suppose a spam filter is used to stop unwanted or harmful messages; if the attacker sends a message with unwanted content and the filter lets it through, its integrity has been violated. Integrity attacks are typically exploratory.
(2) Availability Attack. The availability attack is the opposite of an integrity attack: the Deep Learning model rejects legitimate samples while filtering out unwanted or harmful ones, so the system is no longer usable for legitimate users. A DoS attack is one example, in which legitimate inputs fail to pass the filters and the system is effectively compromised.
(3) Privacy Violation Attack. In a privacy violation attack, the attacker succeeds in obtaining sensitive or confidential information about both the training data and the learned model. From the specificity viewpoint, security threats to Deep Learning have two further categories.

Targeted Attack.
A targeted attack is highly dangerous: it directly degrades the performance of the classifier on one specific sample or on a small set of samples.

Indiscriminate Attack.
An indiscriminate attack is a subtype of the poisoning attack whose key goal is to increase the overall classification error. Rather than singling out particular inputs, it selects training samples at random to corrupt, so that the classifier fails on random inputs.

Deep Learning Attack Types.
Although Deep Learning has successfully drawn the attention of industry, its security and privacy challenges have unfortunately not received the attention they deserve. Here, we discuss the attack surface of machine learning and the weaknesses in Deep Learning implementations.
During the research, numerous types of attacks targeting DL applications were found, including DoS attacks, evasion attacks, and other attack types. Although these attacks differ in nature and in their offensive objectives, the attack sources in Deep Learning applications essentially come from the following three angles.

Deep Learning Attack Surface Type-I.
Once trained, a Deep Learning application mostly works on user-supplied input data for its classification. The attacker mounts a malformed-input attack on the input files or, sometimes, on the network [24]. This type of attack applies to image recognition applications that take files as input, and equally to applications that take their input from sensors and cameras. Because the application must accept input of that type, this risk can be reduced by mitigation techniques but cannot be eliminated.

Deep Learning Attack Surface Type-II.
This attack surface is also called a poisoning attack. Whereas the previous attack surface arises from contaminated input at inference time, this one arises from contamination of the training data, and it does not depend on application flaws or software breaches. However, defects in applications can make data poisoning easier. Suppose, for example, that the framework parses an image differently from common desktop applications.
Such a discrepancy allows poisoned data to enter the training set without being noticed by the people who monitor the training process.

Deep Learning Attack Surface Type-III.
A third attack surface opens when developers adopt models built by outside experts. Even though many programmers design and create models from scratch, many model templates exist for programmers who lack sufficient machine-learning knowledge. In this scenario the attacker may also have access to the model template. As with data-poisoning attacks, an attacker can target every application that uses an external model and gain access to its private data without any barrier. Moreover, implementation flaws, such as a security vulnerability in the model-format parsing code, help attackers hide a tampered model. Readers should keep in mind that there are many types of attack surfaces, differing by the particular application, but the three types above cover most of the attack area. A comparison of attacking techniques against Deep Learning is given in Table 1.

Types of Threats.
During the literature review, the authors studied many types of threats that affect the functionality of Deep Learning, and these threats target different stages of the Deep Learning pipeline. Here we present the threats caused by malformed input, under the assumption that Deep Learning applications take their input from files or the network.

Deep Learning Threat Type-I.
The most common weaknesses in Deep Learning frameworks are program errors that cause software crashes, infinite loops, or full memory exhaustion. The immediate threat of these errors is denial of service against the applications running on top of the framework [72].
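The malformed-input risk of Attack Surface Type-I and the memory-exhaustion threat of Threat Type-I share one practical mitigation: validate the container format before the framework's decoder ever touches the bytes. The following is an added example written for this page (not code from the original paper or from any framework). It checks the signature and IHDR chunk of a PNG and rejects files whose declared dimensions would force an oversized allocation; the limits MAX_SIDE and MAX_DECODED_BYTES are hypothetical policy values, and the headers built by make_png_header are constructed test inputs.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Channels per PNG colour type, and the bit depths the PNG specification allows for each.
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}
ALLOWED_DEPTHS = {0: (1, 2, 4, 8, 16), 2: (8, 16), 3: (1, 2, 4, 8), 4: (8, 16), 6: (8, 16)}

# Hypothetical deployment limits (assumptions; tune per application): the longest image
# side the service will decode, and the most memory a decoded image may occupy.
MAX_SIDE = 8192
MAX_DECODED_BYTES = 256 * 1024 * 1024


def check_png_header(data, max_side=MAX_SIDE, max_decoded_bytes=MAX_DECODED_BYTES):
    """Validate signature and IHDR *before* handing the file to a decoder.
    Returns (ok, reason). No pixel data is decoded here, so a crafted file cannot
    reach the decoder's allocation or parsing paths until these checks pass."""
    if len(data) < 33:
        return False, "truncated: shorter than signature + IHDR chunk"
    if data[:8] != PNG_SIGNATURE:
        return False, "bad PNG signature"
    length, ctype = struct.unpack(">I4s", data[8:16])
    if ctype != b"IHDR" or length != 13:
        return False, "first chunk must be a 13-byte IHDR"
    ihdr = data[16:29]
    (crc,) = struct.unpack(">I", data[29:33])
    if (zlib.crc32(b"IHDR" + ihdr) & 0xFFFFFFFF) != crc:
        return False, "IHDR CRC mismatch"
    width, height, depth, colour, comp, filt, interlace = struct.unpack(">IIBBBBB", ihdr)
    if width == 0 or height == 0:
        return False, "zero-sized image"
    if width > max_side or height > max_side:
        return False, "declared dimensions exceed limit: %dx%d" % (width, height)
    if colour not in CHANNELS or depth not in ALLOWED_DEPTHS[colour]:
        return False, "invalid colour type / bit depth combination"
    if comp != 0 or filt != 0 or interlace not in (0, 1):
        return False, "invalid compression, filter or interlace field"
    # Non-interlaced decoded size: each scanline carries one filter byte.
    row_bytes = (width * CHANNELS[colour] * depth + 7) // 8 + 1
    decoded = row_bytes * height
    if decoded > max_decoded_bytes:
        return False, "decoded image would need %d bytes" % decoded
    return True, "ok"


def make_png_header(width, height, depth=8, colour=2, interlace=0):
    """Build the first 33 bytes of a PNG (signature + IHDR with a correct CRC).
    Used only to construct test inputs for the check above."""
    ihdr = struct.pack(">IIBBBBB", width, height, depth, colour, 0, 0, interlace)
    crc = struct.pack(">I", zlib.crc32(b"IHDR" + ihdr) & 0xFFFFFFFF)
    return PNG_SIGNATURE + struct.pack(">I", 13) + b"IHDR" + ihdr + crc


if __name__ == "__main__":
    print(check_png_header(make_png_header(64, 64)))                       # accepted
    print(check_png_header(make_png_header(100000, 100000)))               # side too large
    print(check_png_header(make_png_header(8000, 8000, depth=16, colour=6)))  # memory cap
```

The second rejection is the interesting one: 8000 x 8000 passes the per-side limit, yet a 16-bit RGBA image of that size needs about 512 MB once decoded, so the memory bound catches what the dimension bound alone would let through. Checks of this kind belong at the trust boundary, before the framework's own image loader runs.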

Deep Learning Threat Type-II.
Deep Neural Networks are vulnerable to attacks at test time [45][46][47][48]. For example, in image recognition an attacker may add a small amount of noise to a test sample so that the DNN misclassifies it [73]. Such a perturbed test sample is called an adversarial example; the unperturbed original is called the benign example. The noise is usually so small that a human cannot perceive it.
Evasion attacks are among the Deep Learning attacks that constrain security- and safety-critical applications, such as self-driving vehicles. Adversarial examples can make self-driving vehicles take unwanted decisions [74][75][76][77][78]. For example, one of the basic capabilities of an autonomous car is to automatically identify stop signs and traffic lights on the road.
Suppose the adversary generates an adversarial stop sign, that is, adds many imperceptible points to the sign so that the self-driving vehicle no longer recognizes it as a stop sign. As a result, the vehicle will not stop at the stop sign and may collide with other vehicles, which could lead to serious traffic accidents.
There are also many memory-corruption bugs in Deep Learning frameworks that can cause wrong output. Evasion can be achieved by exploiting such bugs to overwrite the classification result or hijack control flow. To develop an effective defense against evasion attacks, Goodfellow et al. [79] proposed adversarial training: the training data set is augmented with adversarial examples generated by running evasion attacks against the model, so that the learner sees both each original training example and the corresponding adversarial example.
Adversarial training is weaker against adversarial examples that were not seen during training. Papernot et al. [80] developed defensive distillation to train Deep Neural Networks, but Carlini and Wagner [81] showed that their attacks succeed with high probability against networks trained with distillation. Furthermore, Carlini and Wagner [81] argued that every defense must be evaluated against the full taxonomy of evasion attacks.
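To make the adversarial-example and adversarial-training mechanics above concrete, here is an added example written for this page (our own code, not from the original paper or from [79]). It trains a two-feature logistic-regression classifier on a constructed data set, crafts adversarial examples with the fast gradient sign method (FGSM) of Goodfellow et al., and implements the augmentation-based adversarial training the text describes as train(..., eps=...). The data set, the function names and the budgets are assumptions chosen so the result can be checked by hand.

```python
import math

# Constructed training set (assumption): two linearly separable classes in 2-D,
# mirrored through the origin so the learned boundary can be verified by hand.
TRAIN = [((2.0, 2.0), 1), ((3.0, 1.0), 1), ((1.0, 3.0), 1), ((2.0, 4.0), 1), ((4.0, 2.0), 1),
         ((-2.0, -2.0), 0), ((-3.0, -1.0), 0), ((-1.0, -3.0), 0), ((-2.0, -4.0), 0), ((-4.0, -2.0), 0)]


def sigmoid(z):
    if z >= 0:
        return 1.0 / (1.0 + math.exp(-z))
    ez = math.exp(z)
    return ez / (1.0 + ez)


def logit(model, x):
    (w1, w2), b = model
    return w1 * x[0] + w2 * x[1] + b


def predict(model, x):
    return 1 if logit(model, x) > 0 else 0


def fgsm(model, x, y, eps):
    """Fast gradient sign method: x_adv = x + eps * sign(grad_x L(x, y)).
    For the logistic loss grad_x L = (sigmoid(w.x + b) - y) * w; the scalar factor is
    negative for y = 1 and positive for y = 0, so only the sign of each weight matters."""
    (w1, w2), _ = model
    s = -1.0 if y == 1 else 1.0
    sign = lambda v: (v > 0) - (v < 0)
    return (x[0] + eps * s * sign(w1), x[1] + eps * s * sign(w2))


def train(data, steps=500, lr=0.1, eps=None):
    """Gradient descent on the mean logistic loss. With eps set, every step also trains
    on the FGSM examples crafted against the current weights, which is the
    augmentation-based adversarial training described in the text."""
    w1 = w2 = b = 0.0
    for _ in range(steps):
        model = ((w1, w2), b)
        batch = list(data)
        if eps is not None:
            batch += [(fgsm(model, x, y, eps), y) for x, y in data]
        g1 = g2 = gb = 0.0
        for x, y in batch:
            err = sigmoid(logit(model, x)) - y
            g1 += err * x[0]
            g2 += err * x[1]
            gb += err
        n = len(batch)
        w1 -= lr * g1 / n
        w2 -= lr * g2 / n
        b -= lr * gb / n
    return ((w1, w2), b)


def accuracy(model, data, eps=None):
    """Clean accuracy, or accuracy on FGSM examples crafted with budget eps."""
    hits = 0
    for x, y in data:
        if eps is not None:
            x = fgsm(model, x, y, eps)
        hits += predict(model, x) == y
    return hits / len(data)


def min_flip_eps(model, x, y):
    """Smallest L-infinity budget that flips a correctly classified point. Under
    |delta|_inf <= eps the logit can move by at most eps * |w|_1 (Hoelder's inequality),
    so the point flips once eps * |w|_1 exceeds its margin y_sign * (w.x + b)."""
    (w1, w2), _ = model
    margin = (1 if y == 1 else -1) * logit(model, x)
    return max(margin, 0.0) / (abs(w1) + abs(w2))


if __name__ == "__main__":
    std = train(TRAIN)
    adv = train(TRAIN, eps=1.5)
    for name, m in (("standard", std), ("adv-trained@1.5", adv)):
        print(name, "clean:", accuracy(m, TRAIN), "fgsm@1.0:", accuracy(m, TRAIN, 1.0),
              "fgsm@2.5:", accuracy(m, TRAIN, 2.5))
    print("smallest eps that flips (2,2):", round(min_flip_eps(std, (2.0, 2.0), 1), 3))
```

The linear case exposes the geometry behind "noise so small a human cannot see it": the per-feature perturbation is only eps, but the logit moves by eps times the L1 norm of the weights, which grows with the number of input features. For this data the nearest points have an L-infinity margin of exactly 2.0, so both the standard model and the adversarially trained one hold at eps = 1.5 and both lose the same six points at eps = 2.5; a linear model can only choose the direction of its boundary, so adversarial training cannot buy robustness beyond the data's own margin, which is the kind of limit the text means when it says these defenses do not overcome the attacks completely. The gains reported for DNNs come from bending a nonlinear boundary around the adversarial examples, which this model cannot show.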

Deep Learning Threat Type-III.
Software bugs in the system that hosts the Deep Learning application, including its operating system, can be hijacked through remote compromise and application bugs [44,82]. This mostly happens when the Deep Learning application runs on a cloud-based system and all input to it is received over the network.

Defense Techniques against Security Issues in Deep Learning
During the literature review, many defense techniques against security concerns of Deep Learning were found, and we categorize them into two major categories, evasion and poisoning. There are many evasion-attack mitigation techniques, but in this chapter only the well-known and effective ones are explained; in a similar fashion, the defense techniques against poisoning attacks proposed by researchers are given in Section 5.1. These defense techniques cannot overcome the attacks completely, but they can improve the reliability of the predictions.

Defense against Evasion Attacks.
The most effective defenses against evasion attacks are detecting adversarial examples, adversarial training (augmenting the training data with adversarial examples), and defensive distillation.

Detecting Adversarial Examples.
The researchers in [81,83,84] proposed different techniques to detect adversarial examples in the input and to distinguish benign from adversarial examples. As mentioned earlier, the attacker's goal is to add as little noise as possible while still producing an effective adversarial example. According to [83], such adaptive attacks are not easy to detect: some detection techniques work effectively while others do not. The main problem in detecting adversarial examples is that it is unclear, and very hard, how to obtain the labelled test examples needed to decide whether an input is adversarial; therefore an expert would have to label the test examples manually. In the example of a self-driving car that takes decisions automatically, it is not possible for a human to label inputs manually in order to detect adversarial examples [75,[85][86][87][88][89][90].

Table 1: Comparison of attacking techniques against Deep Learning.
Attack | Ref. | Effect | Limitation | Related work
(not recovered) | [47] | Changes the discriminant results; misclassifies positive samples | Resource consuming | [50][51][52]
Integrity attack | [53] | False negatives pass through the system | Easily detected | [54][55][56]
Availability attack | [57] | False positives result in blocked records | Time and resource consuming | [58][59][60]
Privacy violation attack | [61] | Easily exploits the training dataset | Performance is not reliable, as it is based on iterations | [62][63][64]
Targeted attack | [65] | Misclassifies to any arbitrary class | No assurance about the generated samples | [66][67][68]
Indiscriminate attack | [69] | Good trade-off; highly efficient | Perturbation is high | [70,71]
Meng and Chen [84] proposed MagNet, which checks each test example against a model of the benign examples learned from the training data. If the detector finds that a test example lies far from the benign data, it is rejected as adversarial and the classifier never labels it; otherwise the example is passed through a reformer, which removes small amounts of noise by moving it toward the benign data, and the classifier then labels the reformed example as if it were a genuine test example. The MagNet experiments show that it successfully defended against the evasion attacks tested. In adversarial training, by contrast, the learner uses the backpropagation algorithm to train the Deep Neural Network on both the original benign examples and the corresponding adversarial examples. Several authors have also proposed variants of adversarial training that use robust optimization techniques to solve the underlying min-max optimization problem. The core issue with adversarial training is reduced accuracy on benign examples.

Defense against Poisoning Attacks.
The framework suggested in [91] takes the approach of eliminating extreme values that fall outside the relevant group. In binary classification, the authors first find the centroid of the positive and of the negative class. They then eliminate the points that are not close to the centroid of their own class. To identify those points they use a sphere defense, which eliminates points outside a ball of fixed radius around the centroid, and a slab defense, which in a complementary manner eliminates points that lie too far along the line joining the two centroids.
Sun et al. [57] chose to relabel the data points that are outliers instead of deleting them. A label-flipping attack is a distinct form of data poisoning that lets the attacker control the labels of a small number of training points. The authors describe a mechanism that treats points lying far beyond the decision boundary as malicious and reclassifies them; the procedure resets the label of each such point.
Paudice et al. [92] also propose a protection mechanism that mitigates the intensity of poisoning attacks through outlier detection. The attacker tries to have the utmost influence on the learner with a small number of poisoning points. The outlier-detection process computes an outlier score for every x in the original data set; there are many different methods to calculate such a score.
Influence functions are used to trace a model's predictions back to the training points most responsible for them. It was shown that the approximation remains able to provide useful information even for non-convex and non-differentiable models, where the underlying theory no longer holds [93]. The authors also assert that, using influence functions, the defender can rank the training data purely by degree of influence. This method improves on earlier ones by identifying the training points that contribute most to the loss, so that contaminated samples can be eliminated. To convince researchers, the advantages and disadvantages of existing countermeasure methods for Deep Learning are compared in Table 2.
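The sphere and slab filters of [91] and the relabel-rather-than-delete idea of Sun et al. [57] are simple enough to run end to end, so here is an added example written for this page (our own code, not from [91], [57] or [92]). It uses a constructed two-cluster data set with three poisoned points: one far outlier, one point dragged toward the other class, and one label flip. The centroid is the per-class mean (the "midpoint" of [91]); the relabeling rule, the majority vote of the k nearest neighbours, and the thresholds are our own choices.

```python
import math

# Constructed training set (assumption): two clean 2-D clusters plus three poisoned points.
CLEAN = [((0.0, 0.0), 0), ((1.0, 0.0), 0), ((0.0, 1.0), 0), ((-1.0, 0.0), 0), ((0.0, -1.0), 0),
         ((6.0, 6.0), 1), ((7.0, 6.0), 1), ((6.0, 7.0), 1), ((5.0, 6.0), 1), ((6.0, 5.0), 1)]
POISON = [((6.0, -6.0), 0),   # far from its class, but not along the line between centroids
          ((3.5, 3.5), 0),    # dragged along that line toward the other class
          ((-1.0, 1.0), 1)]   # label flip: a class-0-looking point labelled 1
DATA = CLEAN + POISON


def centroids(data):
    """Per-class mean. Note that the poisoned points themselves shift these means."""
    sums, counts = {}, {}
    for (x1, x2), y in data:
        s = sums.setdefault(y, [0.0, 0.0])
        s[0] += x1
        s[1] += x2
        counts[y] = counts.get(y, 0) + 1
    return {y: (s[0] / counts[y], s[1] / counts[y]) for y, s in sums.items()}


def sphere_slab_filter(data, radius, slab):
    """Sphere defense: drop points farther than `radius` from their class centroid.
    Slab defense: drop points whose projection onto the unit vector joining the two
    centroids is farther than `slab` from their own centroid.
    Returns (kept, removed) where removed entries carry the triggering rule."""
    mu = centroids(data)
    d = (mu[1][0] - mu[0][0], mu[1][1] - mu[0][1])
    norm = math.hypot(*d)
    u = (d[0] / norm, d[1] / norm)
    kept, removed = [], []
    for (x1, x2), y in data:
        v = (x1 - mu[y][0], x2 - mu[y][1])
        dist = math.hypot(*v)
        proj = abs(v[0] * u[0] + v[1] * u[1])
        if dist > radius:
            removed.append(((x1, x2), y, "sphere"))
        elif proj > slab:
            removed.append(((x1, x2), y, "slab"))
        else:
            kept.append(((x1, x2), y))
    return kept, removed


def knn_relabel(data, k=3):
    """Relabel instead of delete: every point receives the majority label of its k
    nearest neighbours (ties broken by index order; k is odd so votes cannot tie)."""
    out = []
    for i, (x, y) in enumerate(data):
        neighbours = sorted((math.dist(x, xj), j) for j, (xj, _) in enumerate(data) if j != i)
        votes = sum(data[j][1] for _, j in neighbours[:k])
        out.append((x, 1 if 2 * votes > k else 0))
    return out


if __name__ == "__main__":
    kept, removed = sphere_slab_filter(DATA, radius=5.0, slab=3.0)
    for point, label, rule in removed:
        print("removed", point, "label", label, "by", rule)
    for (x, new), (_, old) in zip(knn_relabel(DATA), DATA):
        if new != old:
            print("relabelled", x, old, "->", new)
```

The two rules are complementary, as [91] intends: the far outlier (6, -6) sits almost perpendicular to the inter-centroid line, so only the sphere catches it, while (3.5, 3.5) stays inside the sphere but is caught by the slab. Relabeling handles the two points that carry the wrong label but leaves the genuine outlier in place with its original label, which is why the text presents the two families as alternatives rather than substitutes.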
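The influence-function computation behind the defense just described, written out as an added worked derivation (it follows the standard influence-function formulation of Koh and Liang, 2017, and is not text from the original page). Let the trained parameters and the empirical Hessian be

$$\hat\theta = \arg\min_\theta \frac{1}{n}\sum_{i=1}^{n} L(z_i,\theta), \qquad H_{\hat\theta} = \frac{1}{n}\sum_{i=1}^{n} \nabla_\theta^2 L(z_i,\hat\theta).$$

Up-weighting one training point $z$ by $\epsilon$ gives $\hat\theta_{\epsilon,z} = \arg\min_\theta \frac{1}{n}\sum_i L(z_i,\theta) + \epsilon L(z,\theta)$; a first-order expansion of the stationarity condition $\nabla_\theta\big[\frac{1}{n}\sum_i L(z_i,\theta) + \epsilon L(z,\theta)\big] = 0$ around $\hat\theta$ yields

$$\frac{d\hat\theta_{\epsilon,z}}{d\epsilon}\Big|_{\epsilon=0} = -H_{\hat\theta}^{-1}\,\nabla_\theta L(z,\hat\theta).$$

By the chain rule, the influence of $z$ on the loss at a test point $z_{\text{test}}$ is

$$I_{\text{up,loss}}(z, z_{\text{test}}) = -\nabla_\theta L(z_{\text{test}},\hat\theta)^{\top} H_{\hat\theta}^{-1}\, \nabla_\theta L(z,\hat\theta),$$

and removing $z$ corresponds to $\epsilon = -1/n$, so its removal changes the test loss by approximately $-\frac{1}{n} I_{\text{up,loss}}(z, z_{\text{test}})$. For logistic regression with $p = \sigma(\theta^{\top}x)$ the ingredients are $\nabla_\theta L = (p - y)\,x$ and $\nabla_\theta^2 L = p(1-p)\,x x^{\top}$. Ranking the training points by $I_{\text{up,loss}}$ summed over a held-out set singles out the points that most raise the loss; those are the candidates the defense removes. The caveat matches the text: for a non-convex DNN the Hessian is not positive definite and the expansion is only a heuristic, so the ranking should be validated by retraining without the flagged points.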
Various Deep Learning security attacks and their corresponding countermeasures have drawn the attention of industry and researchers. Table 3 presents comparative results and a qualitative analysis of attacks and corresponding defensive techniques.

Observations and Recommendations
Deep Learning is providing new techniques to solve security problems. It has introduced significant improvements over conventional techniques and classical ML algorithms. Table 4 lists the security-related Deep Learning papers reviewed during the literature review, with the methods used to solve each problem and the citation of each paper. The authors reviewed 41 papers in this survey; the majority of the researchers conducted their studies on malware detection and intrusion detection. During the survey we also noticed new areas, health security and vehicle security, wherein Deep Learning techniques can be applied. The autoencoder is the most popular technique among researchers for detecting malware; thereafter, Recurrent Neural Networks (RNNs) are also used for the same purpose, as well as to detect information security threats. Restricted Boltzmann Machines (RBMs) are also used for the same purpose, but we could not find many studies using this technique for security. Several authors combined autoencoders and RNNs to train on unlabelled data. RBM is a popular technique because of its easy implementation and simplicity. After studying the above techniques, it is very difficult to state the performance of each technique precisely, because of the different datasets and metrics used; the performance of these methods also varies across security areas. The information security domain has a vast range of data collected from different sources on which Deep Learning can be tested, but studies could not be completed with accurate results because large datasets are not publicly available; the majority of dataset sources are small and old. To develop a security solution through a meaningful method, it is necessary to test the method on large, up-to-date, and reliable datasets.
The results of the methods should be compared with each other in real-time scenarios.

Table 2: Advantages and disadvantages of existing countermeasure methods for Deep Learning.
Countermeasure method | Advantages | Disadvantages
Adversarial training [94] | Very easy to understand and implement; scalable and able to handle complex datasets | Depends upon the sample size in the training phase
Defensive distillation [80] | Simple and has defensive ability | Difficult to converge; high complexity
Ensemble method [95] | Model-independent; good generalization | Does not rebut the training data; computation overhead
Differential privacy [96] | Preserves the privacy of training and learning data; model-independent; low overhead and low complexity | Also affects legitimate data
Homomorphic encryption [97] | Maintains security and privacy of data; simple | Increases the data size; extensive computation overhead

Conclusion
Deep Learning has now become part of our daily lives, and whenever a new technology is introduced, security and privacy issues inevitably arise. In recent years, extensive research has been carried out on the security and privacy-preserving issues, and the corresponding counter-frameworks, for the training and inference modules of Deep Learning and Deep Neural Networks. Security and privacy have therefore become critical issues that, as in other technologies, cannot be overlooked.
During the literature review, we found two basic types of security attacks, evasion and poisoning, and presented effective countermeasures against both. We explained both security and privacy attacks, frameworks, and countermeasure techniques. These frameworks build on cryptographic primitives and have numerous characteristics. It should be noted that private inference frameworks are not fully able to provide DNN security and privacy. We outlined the details of the different types of security attacks on Deep Learning. Many attacks have been devised to exploit Deep Learning outputs so that model information may be extracted or knowledge about the training data obtained, such as model inversion, model extraction, and membership inference. These attacks steal training data and reproduce the expected results. The private training phase of Deep Learning has more computational overhead than inference; therefore, more concentration and research are required in this direction to develop a more efficient solution for preserving the privacy of the data while maintaining the models.
Privacy risks always persist because of a basic characteristic of Deep Neural Networks: they rely on a huge amount of training data. In this chapter we also discussed possible privacy threats against the sensitive and confidential data of Deep Learning models. Various studies have been conducted on privacy attacks and their prevention using Deep Learning.
For future work, it is essential for researchers to investigate in depth solutions for DNNs based on different cryptographic primitives. A mixed-protocol technique can reduce the computational overhead of security- and privacy-preserving solutions. Furthermore, customization of privacy and security protocols for DNNs is an interesting and open research area in which to develop a viable solution. The authors also intend to pursue their research in the application [117]