Model Extraction Warning in MLaaS Paradigm
Manish Kesarwani, Bhaskar Mukhoty, Vijay Arya, Sameep Mehta
- pp. 371–380
TLDR
A model extraction monitor that quantifies the extraction status of models by continually observing the API query and response streams of users is introduced, and two novel strategies that measure either the information gain or the coverage of the feature space spanned by user queries to estimate the learning rate of individual and colluding adversaries are presented.
Abstract
Machine learning models deployed on the cloud are susceptible to several security threats, including extraction attacks. Adversaries may abuse a model's prediction API to steal the model, thus compromising model confidentiality, the privacy of training data, and revenue from future query payments. This work introduces a model extraction monitor that quantifies the extraction status of models by continually observing the API query and response streams of users. We present two novel strategies that measure either the information gain or the coverage of the feature space spanned by user queries to estimate the learning rate of individual and colluding adversaries. Both approaches have low computational overhead and can easily be offered as services to model owners to warn them against state-of-the-art extraction attacks. We demonstrate empirical performance results of these approaches for decision tree and neural network models using open-source datasets and the BigML MLaaS platform.
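As a rough illustration of the coverage-based strategy described in the abstract, the following is a minimal, hypothetical sketch (class name, binning scheme, and threshold are illustrative, not from the paper): the monitor discretizes the feature space into cells and warns once a user's queries have touched too large a fraction of them.

```python
class CoverageMonitor:
    """Toy extraction-warning monitor (illustrative sketch only):
    warns when one user's API queries cover too large a fraction
    of a discretized feature space."""

    def __init__(self, feature_ranges, bins=4, warn_threshold=0.5):
        self.feature_ranges = feature_ranges  # [(lo, hi), ...] per feature
        self.bins = bins
        self.warn_threshold = warn_threshold
        self.total_cells = bins ** len(feature_ranges)
        self.seen_cells = set()

    def _cell(self, query):
        # Map a query point to its grid cell, clamping to the last bin.
        cell = []
        for x, (lo, hi) in zip(query, self.feature_ranges):
            idx = min(int((x - lo) / (hi - lo) * self.bins), self.bins - 1)
            cell.append(idx)
        return tuple(cell)

    def observe(self, query):
        """Record one API query; return True once coverage crosses the threshold."""
        self.seen_cells.add(self._cell(query))
        coverage = len(self.seen_cells) / self.total_cells
        return coverage >= self.warn_threshold
```

A benign user querying a small region keeps coverage low, while an adversary sweeping the feature space trips the warning quickly; the paper's actual strategies (information gain and feature-space coverage) are more refined than this grid heuristic.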
Citations
Proceedings ArticleDOI
PRADA: Protecting Against DNN Model Stealing Attacks
TL;DR: This paper presents new DNN model extraction attacks that generate synthetic queries and optimize training hyperparameters, outperforming prior extraction attacks in the transferability of both targeted and non-targeted adversarial examples, and proposes PRADA, a generic and effective technique for detecting such attacks.
Proceedings ArticleDOI
Privacy Risks of Securing Machine Learning Models against Adversarial Examples
TL;DR: This paper measures the success of membership inference attacks against six state-of-the-art defense methods that mitigate the risk of adversarial examples, and proposes two new inference methods that exploit structural properties of robust models on adversarially perturbed data.
Posted Content
PRADA: Protecting against DNN Model Stealing Attacks
TL;DR: The first step towards generic and effective detection of DNN model extraction attacks is proposed, PRADA, which analyzes the distribution of consecutive API queries and raises an alarm when this distribution deviates from benign behavior, and it is shown that PRADA can detect all priormodel extraction attacks with no false positives.
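A minimal, hypothetical sketch of the PRADA-style idea summarized above (PRADA itself fits a normal distribution to distances between consecutive queries and applies a Shapiro-Wilk test; this toy version merely thresholds the spread of consecutive-query distances, and the function name and threshold are illustrative):

```python
import math
import statistics

def prada_like_flag(queries, min_std=0.1):
    """Illustrative simplification: benign query streams tend to produce
    naturally dispersed inter-query distances, while synthetically
    generated extraction queries can yield an unnaturally regular
    distance distribution. Flag a stream whose consecutive-query
    distances have suspiciously low spread."""
    dists = [math.dist(a, b) for a, b in zip(queries, queries[1:])]
    if len(dists) < 2:
        return False  # not enough evidence yet
    return statistics.stdev(dists) < min_std
```

For example, evenly spaced grid-like probes produce near-identical distances and are flagged, whereas irregular benign queries are not.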
Posted Content
DAWN: Dynamic Adversarial Watermarking of Neural Networks
TL;DR: DAWN (Dynamic Adversarial Watermarking of Neural Networks), the first approach to use watermarking to deter model extraction theft, is introduced and is shown to be resilient against two state-of-the-art model extraction attacks.
Posted Content
Stealing Neural Networks via Timing Side Channels
TL;DR: A black-box neural network extraction attack is proposed that exploits timing side channels to infer the depth of the network; the proposed approach is scalable and independent of the type of neural network architecture.
References
Journal ArticleDOI
Induction of Decision Trees
TL;DR: This paper describes an approach to synthesizing decision trees that has been used in a variety of systems, presents one such system, ID3, in detail, and discusses a reported shortcoming of the basic algorithm.
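ID3's core split criterion, information gain, is also what the information-gain strategy above builds on. A self-contained sketch of the standard computation (entropy of the labels minus the expected entropy after splitting on a feature):

```python
import math
from collections import Counter

def entropy(labels):
    """Shannon entropy of a label sequence, in bits."""
    n = len(labels)
    return -sum((c / n) * math.log2(c / n) for c in Counter(labels).values())

def information_gain(rows, labels, feature):
    """Reduction in label entropy after splitting on `feature`
    (a key into each row dict), as ID3 uses to choose splits."""
    total = entropy(labels)
    n = len(rows)
    by_value = {}
    for row, y in zip(rows, labels):
        by_value.setdefault(row[feature], []).append(y)
    remainder = sum(len(ys) / n * entropy(ys) for ys in by_value.values())
    return total - remainder
```

A feature that splits the examples into pure subsets yields the maximum gain (the full label entropy), which is why ID3 greedily selects it first.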
Proceedings ArticleDOI
Towards Evaluating the Robustness of Neural Networks
Nicholas Carlini, David Wagner
TL;DR: In this paper, the authors demonstrate that defensive distillation does not significantly increase the robustness of neural networks by introducing three new attack algorithms that are successful on both distilled and undistilled neural networks with 100% probability.
Posted Content
Explaining and Harnessing Adversarial Examples
TL;DR: The authors argue that the primary cause of neural networks' vulnerability to adversarial perturbation is their linear nature, which is supported by new quantitative results while giving the first explanation of the most intriguing fact about adversarial examples: their generalization across architectures and training sets.
Book ChapterDOI
Differential privacy: a survey of results
TL;DR: This survey recalls the definition of differential privacy and two basic techniques for achieving it, and shows some interesting applications of these techniques, presenting algorithms for three specific tasks and three general results on differentially private learning.
Proceedings ArticleDOI
The Limitations of Deep Learning in Adversarial Settings
Nicolas Papernot, Patrick McDaniel, Somesh Jha, Matt Fredrikson, Z. Berkay Celik, Ananthram Swami
TL;DR: This work formalizes the space of adversaries against deep neural networks (DNNs) and introduces a novel class of algorithms to craft adversarial samples based on a precise understanding of the mapping between inputs and outputs of DNNs.