A Simple Neural Network Based Countermeasure for Replay Attack

“…• Knowledge distillation (KD) [9]. The KD attack retrains a model from scratch by minimizing the distance between the teacher's and student's soft predictions plus the cross-entropy loss between the student's prediction…”

“…According to Shafieinejad et al [33], existing watermark embedding techniques [14], [32] and some fingerprinting solutions [10], [24] cannot withstand model extraction attacks. Distillation [34] was first proposed to distill the knowledge of teacher models into student models and later extended as an attack against methods that protect model copyrights [9]. Distilled models are often able to evade copyright tracking, as demonstrated in works such as Cao et al [24] and Lukas et al [25].…”

“…• Black-box attacker. Attackers, who are external entities attempting to exploit the functionality of the victim model, employ various attacks such as model extraction attacks [6] and model distillation attacks [9]. • White-box attacker.…”

“…Model extraction attack efficiently transfers the functionality of a victim model to a stolen copy using limited query answers. Additionally, attackers, who may be insiders with full access to the victim models, employ techniques such as distillation [9], fine-tuning [10], or pruning [11], [12] in an attempt to reverse-engineer the tracking.…”

“…Many stealing mechanisms have minimal side effects on the model's functionality but disable the watermarks from given suspect models. However, WE techniques have certain limitations, including tampering with the training process, potential side effects on model functionality, and vulnerability to watermark erasure attacks [9], [10], [26]. In contrast, the OT methods extract the intrinsic characteristics (fingerprints) of DNN models, making them non-invasive and more resilient to adaptive attacks [15], [23].…”

A Systematic View of Leakage Risks in Deep Neural Network Systems

“…• Knowledge distillation (KD) [9]. The KD attack retrains a model from scratch by minimizing the distance between the teacher's and student's soft predictions plus the cross-entropy loss between the student's prediction…”

“…According to Shafieinejad et al [33], existing watermark embedding techniques [14], [32] and some fingerprinting solutions [10], [24] cannot withstand model extraction attacks. Distillation [34] was first proposed to distill the knowledge of teacher models into student models and later extended as an attack against methods that protect model copyrights [9]. Distilled models are often able to evade copyright tracking, as demonstrated in works such as Cao et al [24] and Lukas et al [25].…”

“…• Black-box attacker. Attackers, who are external entities attempting to exploit the functionality of the victim model, employ various attacks such as model extraction attacks [6] and model distillation attacks [9]. • White-box attacker.…”

“…Model extraction attack efficiently transfers the functionality of a victim model to a stolen copy using limited query answers. Additionally, attackers, who may be insiders with full access to the victim models, employ techniques such as distillation [9], fine-tuning [10], or pruning [11], [12] in an attempt to reverse-engineer the tracking.…”

“…Many stealing mechanisms have minimal side effects on the model's functionality but disable the watermarks from given suspect models. However, WE techniques have certain limitations, including tampering with the training process, potential side effects on model functionality, and vulnerability to watermark erasure attacks [9], [10], [26]. In contrast, the OT methods extract the intrinsic characteristics (fingerprints) of DNN models, making them non-invasive and more resilient to adaptive attacks [15], [23].…”

A Systematic View of Leakage Risks in Deep Neural Network Systems

Voice spoofing detection using a neural networks assembly considering spectrograms and mel frequency cepstral coefficients