Model Extraction Warning in MLaaS Paradigm

Kesarwani, Manish; Mukhoty, Bhaskar; Arya, Vijay; Mehta, Sameep

doi:10.1145/3274694.3274740

Cited by 105 publications

(66 citation statements)

References 15 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…It is a white-box attack which produces an extracted model f with the same hyperparameters and architectures as the original model f . To compare f and f , we adopt extraction rate [1], [6] to measure the proportion of matching predictions (i.e., both f and f predict the same label) in an evaluation query set. Formally,…”

Section: Attack and Evaluation Metricsmentioning

confidence: 99%

“…Lee et al [27] proposed perturbations using the mechanism of reverse sigmoid to inject deceptive noises to output confidence, which preserved the validity of top and bottom rank labels. Kesarwani et al [6] monitored user-server streams to evaluate the threat level of model extraction with two strategies based on entropy and compact model summaries. The former derived information gain with a decision tree while the latter measured feature coverage of the input space partitioned by source model, both of which were highly correlated to extraction level.…”

Section: Model Extractionmentioning

confidence: 99%

“…However, even if the service provider completely eliminates this value in the prediction API, that is, to offer prediction label only, an adversary can still defeat this protection by issuing large number of fine-tuned queries and train a replica of the original model with great similarity [1], [3], [5]. The other countermeasure is to detect malicious extraction by monitoring feature coverage [6] or query distribution [7], and stop the service when a certain threshold is reached. However, since we cannot preclude user collusion, all queries and responses must be considered aggregately, which leads to significant false positive cases and eventually the early termination of service.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Protecting Decision Boundary of Machine Learning Model With Differentially Private Perturbation

Zheng

et al. 2022

IEEE Trans. Dependable and Secure Comput.

View full text Add to dashboard Cite

Section: Attack and Evaluation Metricsmentioning

confidence: 99%

Section: Model Extractionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Protecting Decision Boundary of Machine Learning Model With Differentially Private Perturbation

Zheng

et al. 2022

IEEE Trans. Dependable and Secure Comput.

View full text Add to dashboard Cite

“…• Exploration attacks (Sethi and Kantardzic, 2018); • Model extraction attacks (Correia-Silva et al, 2018;Kesarwani et al, 2018;Joshi and Tammana, 2019;Reith et al, 2019); • Model inversion attacks (Yang et al, 2019); • Model-reuse attacks (Ji et al, 2018); • Trojan attacks (Liu et al, 2018).…”

Section: Attacks On Cloud-hosted Machine Learning Models: Thematic Anmentioning

confidence: 99%

Securing Machine Learning in the Cloud: A Systematic Review of Cloud Machine Learning Security

et al. 2020

View full text Add to dashboard Cite

With the advances in machine learning (ML) and deep learning (DL) techniques, and the potency of cloud computing in offering services efficiently and cost-effectively, Machine Learning as a Service (MLaaS) cloud platforms have become popular. In addition, there is increasing adoption of third-party cloud services for outsourcing training of DL models, which requires substantial costly computational resources (e.g., high-performance graphics processing units (GPUs)). Such widespread usage of cloud-hosted ML/DL services opens a wide range of attack surfaces for adversaries to exploit the ML/DL system to achieve malicious goals. In this article, we conduct a systematic evaluation of literature of cloud-hosted ML/DL models along both the important dimensions—attacks and defenses—related to their security. Our systematic review identified a total of 31 related articles out of which 19 focused on attack, six focused on defense, and six focused on both attack and defense. Our evaluation reveals that there is an increasing interest from the research community on the perspective of attacking and defending different attacks on Machine Learning as a Service platforms. In addition, we identify the limitations and pitfalls of the analyzed articles and highlight open research issues that require further investigation.

show abstract

“…This substitute model is trained using queries issued by the attacker and their responses obtained by the target classifier as training data. Constructing substitute classifiers is known as model extraction attacks [19], [21], [22]. Although the authors of [21] do not refer to adversarial examples, subsequent research results [19], [22] discuss the relation between model extraction attacks and black-box adversarial examples generation.…”

Section: Generation With Limited Informationmentioning

confidence: 99%

Simple Black-Box Adversarial Examples Generation with Very Few Queries

Senzaki¹,

Ohata

Matsuura

2020

IEICE Trans. Inf. & Syst.

View full text Add to dashboard Cite

Research on adversarial examples for machine learning has received much attention in recent years. Most of previous approaches are white-box attacks; this means the attacker needs to obtain beforehand internal parameters of a target classifier to generate adversarial examples for it. This condition is hard to satisfy in practice. There is also research on black-box attacks, in which the attacker can only obtain partial information about target classifiers; however, it seems we can prevent these attacks, since they need to issue many suspicious queries to the target classifier. In this paper, we show that a naive defense strategy based on surveillance of number query will not suffice. More concretely, we propose to generate not pixel-wise but block-wise adversarial perturbations to reduce the number of queries. Our experiments show that such rough perturbations can confuse the target classifier. We succeed in reducing the number of queries to generate adversarial examples in most cases. Our simple method is an untargeted attack and may have low success rates compared to previous results of other black-box attacks, but needs in average fewer queries. Surprisingly, the minimum number of queries (one and three in MNIST and CIFAR-10 dataset, respectively) is enough to generate adversarial examples in some cases. Moreover, based on these results, we propose a detailed classification for black-box attackers and discuss countermeasures against the above attacks.

show abstract

Model Extraction Warning in MLaaS Paradigm

Cited by 105 publications

References 15 publications

Protecting Decision Boundary of Machine Learning Model With Differentially Private Perturbation

Protecting Decision Boundary of Machine Learning Model With Differentially Private Perturbation

Securing Machine Learning in the Cloud: A Systematic Review of Cloud Machine Learning Security

Simple Black-Box Adversarial Examples Generation with Very Few Queries

Contact Info

Product

Resources

About