2019 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR)
DOI: 10.1109/cvpr.2019.00509
Knockoff Nets: Stealing Functionality of Black-Box Models

Abstract: Machine Learning (ML) models are increasingly deployed in the wild to perform a wide range of tasks. In this work, we ask to what extent can an adversary steal functionality of such "victim" models based solely on blackbox interactions: image in, predictions out. In contrast to prior work, we present an adversary lacking knowledge of train/test data used by the model, its internals, and semantics over model outputs. We formulate model functionality stealing as a two-step approach: (i) querying a set of input i…
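The two-step recipe in the abstract (query the black box on a transfer set, then train an imitation model on the returned predictions) can be sketched in a few lines of PyTorch. This is a minimal illustration under stated assumptions, not the authors' released implementation: the local `victim` model and `query_victim` function stand in for the deployed black-box API, the synthetic `FakeData` images are placeholders for whatever natural images the attacker has, and the ResNet-18 knockoff with a 10-class output is an assumption.

```python
import torch
import torch.nn.functional as F
from torch.utils.data import DataLoader
from torchvision import datasets, models, transforms

# In a real attack the victim is a remote prediction API; here a frozen local
# model stands in so the sketch runs end to end (illustrative assumption).
victim = models.resnet18(weights=None, num_classes=10).eval()

@torch.no_grad()
def query_victim(images: torch.Tensor) -> torch.Tensor:
    """Black-box interface: image batch in, class probabilities out."""
    return F.softmax(victim(images), dim=1)

# Step (i): assemble a transfer set of attacker-chosen images to query the victim.
transform = transforms.Compose([transforms.Resize((224, 224)), transforms.ToTensor()])
transfer_set = datasets.FakeData(size=256, image_size=(3, 224, 224), transform=transform)
loader = DataLoader(transfer_set, batch_size=32, shuffle=True)

# Step (ii): train a "knockoff" to imitate the victim's outputs.
# The attacker's own labels are never used; only the victim's soft predictions.
knockoff = models.resnet18(weights=None, num_classes=10)
optimizer = torch.optim.SGD(knockoff.parameters(), lr=0.01, momentum=0.9)

for images, _ in loader:
    victim_probs = query_victim(images)                      # soft labels from the black box
    student_log_probs = F.log_softmax(knockoff(images), dim=1)
    loss = F.kl_div(student_log_probs, victim_probs, reduction="batchmean")
    optimizer.zero_grad()
    loss.backward()
    optimizer.step()
```

Consistent with the threat model in the abstract, the sketch never touches the victim's training data or internals; only the image-in/prediction-out interface is exercised.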

Cited by 393 publications (387 citation statements) · References 40 publications

Citation statements (ordered by relevance):
“…For example, imagine a model that some company has developed through many years of research in a specific field. The knowledge synthesized in the model might be considered confidential, and it may be compromised even by providing only input and output access [356]. The latter shows that, under minimal assumptions, model functionality stealing is possible.…”
Section: Explanations for AI Security: XAI and Adversarial Machine Learning (mentioning)
confidence: 99%
“…Notwithstanding this explicit concern from regulatory bodies, privacy has been compromised by DL methods in scenarios where no data fusion is performed. For instance, a few images are enough to threaten users' privacy even in the presence of image obfuscation [420], and the model parameters of a DNN can be exposed by simply performing input queries on the model [356,357]. One approach to explaining the loss of privacy is to use subjective privacy-loss and intent-loss scores.…”
Section: Opportunities and Challenges in Privacy and Data Fusion Under… (mentioning)
confidence: 99%
“…In these adversary models, the adversary is not assumed to have access to pre-trained models: both the target and the substitute DNNs are trained from scratch. Since the time of this writing, DNNs have been stolen for more complicated datasets such as CIFAR-10 by assuming that both the target and attacker models are fine-tuned from pre-trained ImageNet classifiers [37], [40]. These attacks benefit from correlations between different [40] or the same [37] pre-trained models.…”
Section: G. Takeaways (mentioning)
confidence: 99%
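The takeaway quoted above notes that later attacks start both the victim and the attacker model from pre-trained ImageNet classifiers rather than training from scratch. A hedged sketch of that substitute-model setup follows; the ResNet-34 backbone, the 10-class head (matching a CIFAR-10-like task), and the choice of which layers to freeze are illustrative assumptions, not details taken from [37] or [40].

```python
import torch.nn as nn
from torchvision import models

# Initialise the attacker's substitute model from a pre-trained ImageNet classifier
# instead of training from scratch (backbone and 10-class head are assumptions).
substitute = models.resnet34(weights=models.ResNet34_Weights.IMAGENET1K_V1)
substitute.fc = nn.Linear(substitute.fc.in_features, 10)   # new head for the target task

# Optionally freeze the early layers so fine-tuning (on predictions collected through
# black-box queries) only updates the last residual block and the new head.
for name, param in substitute.named_parameters():
    if not name.startswith(("layer4", "fc")):
        param.requires_grad = False
```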
“…A similar work [32] shows the simplicity of reverse-engineering a black-box neural network's weights, architecture, optimization method, and training/data split. In [33], the authors reframe the goal from model theft to arriving at a 'knockoff' model that exhibits the same functionality. In [34], the authors ignore model parameters and instead attempt to steal the hyperparameters of a network.…”
Section: Attacks on Deployed Neural Networks (mentioning)
confidence: 99%