Exploiting Explanations for Model Inversion Attacks

Zhao, Xuejun; Zhang, Wencan; Xiao, Xiaokui; Lim, Brian Y.

doi:10.48550/arxiv.2104.12669

Cited by 2 publications

(2 citation statements)

References 31 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Research has shown that the output of feature importance methods like SHAP, through repeated queries, are prone to membership attacks that can reveal intimate details about the classification boundary [69]. Similar research has shown that counterfactual explanations are vulnerable to similar attacks [3], as are image-based explanations like saliency maps [89]. Such results reveal the risk that when providing explanations to external stakeholders, the recipients of such explanations can collude to reconstruct the inner workings of a model.…”

Section: Challenge 5 Xai Techniques In General Lack Robustness and Ha...mentioning

confidence: 99%

Seven challenges for harmonizing explainability requirements

Chen,

Storchan

2021

Preprint

View full text Add to dashboard Cite

Regulators have signalled an interest in adopting explainable AI (XAI) techniques to handle the diverse needs for model governance, operational servicing, and compliance in the financial services industry. In this short overview, we review the recent technical literature in XAI and argue that based on our current understanding of the field, the use of XAI techniques in practice necessitate a highly contextualized approach considering the specific needs of stakeholders for particular business applications.

show abstract

Section: Challenge 5 Xai Techniques In General Lack Robustness and Ha...mentioning

confidence: 99%

Seven challenges for harmonizing explainability requirements

Chen,

Storchan

2021

Preprint

View full text Add to dashboard Cite

show abstract

“…In addition, recent works [29,33,36,43] have shown that an adversary could train a substitute model via model stealing and use it for crafting adversarial examples [12] in a black-box setting, which poses a serious threat when the model is deployed in security critical applications. A stolen model could also compromise the privacy of users by leaking confidential data through a membership inference attack [32] or model inversion [41,42]. Fig.…”

Section: Introductionmentioning

confidence: 99%

Towards Data-Free Model Stealing in a Hard Label Setting

Sunandini¹,

Addepalli²,

Babu³

2022

Preprint

View full text Add to dashboard Cite

Machine learning models deployed as a service (MLaaS) are susceptible to model stealing attacks, where an adversary attempts to steal the model within a restricted access framework. While existing attacks demonstrate near-perfect clone-model performance using softmax predictions of the classification network, most of the APIs allow access to only the top-1 labels. In this work, we show that it is indeed possible to steal Machine Learning models by accessing only top-1 predictions (Hard Label setting) as well, without access to model gradients (Black-Box setting) or even the training dataset (Data-Free setting) within a low query budget. We propose a novel GAN-based framework 1 that trains the student and generator in tandem to steal the model effectively while overcoming the challenge of the hard label setting by utilizing gradients of the clone network as a proxy to the victim's gradients. We propose to overcome the large query costs associated with a typical Data-Free setting by utilizing publicly available (potentially unrelated) datasets as a weak image prior. We additionally show that even in the absence of such data, it is possible to achieve state-ofthe-art results within a low query budget using synthetically crafted samples. We are the first to demonstrate the scalability of Model Stealing in a restricted access setting on a 100 class dataset as well.

show abstract

Exploiting Explanations for Model Inversion Attacks

Cited by 2 publications

References 31 publications

Seven challenges for harmonizing explainability requirements

Seven challenges for harmonizing explainability requirements

Towards Data-Free Model Stealing in a Hard Label Setting

Contact Info

Product

Resources

About