Towards Reverse-Engineering Black-Box Neural Networks

Oh, Seong Joon; Schiele, Bernt; Fritz, Mario

doi:10.1007/978-3-030-28954-6_7

Cited by 194 publications

(135 citation statements)

References 20 publications

Supporting

Mentioning

133

Contrasting

Order By: Relevance

“…We further assume that the shadow model uses the same ML algorithm and has the same hyperparameters as the target model. To achieve this in practice, the adversary can either rely on the same MLaaS provider which builds the target model or perform model extraction to approximate the target model [43], [30], [45]. Later in this section, we show this assumption can be relaxed as well.…”

Section: A Threat Modelmentioning

confidence: 99%

See 1 more Smart Citation

ML-Leaks: Model and Data Independent Membership Inference Attacks and Defenses on Machine Learning Models

Salem

Zhang

Humbert

et al. 2019

Proceedings 2019 Network and Distributed System Security Symposium

Self Cite

526

697

View full text Add to dashboard Cite

Machine learning (ML) has become a core component of many real-world applications and training data is a key factor that drives current progress. This huge success has led Internet companies to deploy machine learning as a service (MLaaS). Recently, the first membership inference attack has shown that extraction of information on the training set is possible in such MLaaS settings, which has severe security and privacy implications.However, the early demonstrations of the feasibility of such attacks have many assumptions on the adversary, such as using multiple so-called shadow models, knowledge of the target model structure, and having a dataset from the same distribution as the target model's training data. We relax all these key assumptions, thereby showing that such attacks are very broadly applicable at low cost and thereby pose a more severe risk than previously thought. We present the most comprehensive study so far on this emerging and developing threat using eight diverse datasets which show the viability of the proposed attacks across domains.In addition, we propose the first effective defense mechanisms against such broader class of membership inference attacks that maintain a high level of utility of the ML model.

show abstract

Section: A Threat Modelmentioning

confidence: 99%

“…Despite being popular, ML models are vulnerable to various security and privacy attacks, such as model inversion [12], adversarial examples [15], and model extraction [43], [30], [45]. In this paper, we concentrate on one such attack, namely membership inference attack.…”

Section: Introductionmentioning

confidence: 99%

ML-Leaks: Model and Data Independent Membership Inference Attacks and Defenses on Machine Learning Models

Salem

Zhang

Humbert

et al. 2019

Proceedings 2019 Network and Distributed System Security Symposium

Self Cite

526

697

View full text Add to dashboard Cite

show abstract

“…However, for more complex models such as neural networks, the attacker cannot simply solve nonlinear equations to arrive at model weights, but must instead train a 'student' network on inputoutput pairs collected from the API [31]. A similar work [32] shows the simplicity of reverse-engineering black-box neural network weights, architecture, optimization method and the training/data split. In [33], authors reframe the goal from model theft, to arriving at a 'knockoff' model exhibiting the same functionality.…”

Section: Attacks On Deployed Neural Networkmentioning

confidence: 99%

“…In order to violate the integrity of a machine learning model, attackers may attempt to find adversarial examples [35]. While most attacks rely on having access to the white-box model or the output gradient, several works have shown that even black-box networks [32] and networks with obfuscated gradients [36] are not resistant to determined attackers.…”

Section: Attacks On Deployed Neural Networkmentioning

confidence: 99%

“…API defenses: The majority of API attacks we have mentioned attempt to steal the model or the model architecture, learn which inputs have been used to train the model, or find adversarial examples for the model running on the device. As finding adversarial examples typically involves first stealing the model [32], we focus only on defenses against model exfiltration and membership inference attacks.…”

Section: Defending Edge Devices Running Neural Networkmentioning

confidence: 99%

See 1 more Smart Citation

Survey of Attacks and Defenses on Edge-Deployed Neural Networks

Isakov¹,

Gadepally

Gettings

et al. 2019

2019 IEEE High Performance Extreme Computing Conference (HPEC)

View full text Add to dashboard Cite

Deep Neural Network (DNN) workloads are quickly moving from datacenters onto edge devices, for latency, privacy, or energy reasons. While datacenter networks can be protected using conventional cybersecurity measures, edge neural networks bring a host of new security challenges. Unlike classic IoT applications, edge neural networks are typically very compute and memory intensive, their execution is data-independent, and they are robust to noise and faults. Neural network models may be very expensive to develop, and can potentially reveal information about the private data they were trained on, requiring special care in distribution. The hidden states and outputs of the network can also be used in reconstructing user inputs, potentially violating users' privacy. Furthermore, neural networks are vulnerable to adversarial attacks, which may cause misclassifications and violate the integrity of the output. These properties add challenges when securing edge-deployed DNNs, requiring new considerations, threat models, priorities, and approaches in securely and privately deploying DNNs to the edge. In this work, we cover the landscape of attacks on, and defenses, of neural networks deployed in edge devices and provide a taxonomy of attacks and defenses targeting edge DNNs.

show abstract

Physics‐constrained symbolic model discovery for polyconvex incompressible hyperelastic materials

Bahmani,

Sun

2024

Numerical Meth Engineering

View full text Add to dashboard Cite

We present a machine learning framework capable of consistently inferring mathematical expressions of hyperelastic energy functionals for incompressible materials from sparse experimental data and physical laws. To achieve this goal, we propose a polyconvex neural additive model (PNAM) that enables us to express the hyperelastic model in a learnable feature space while enforcing polyconvexity. An upshot of this feature space obtained via the PNAM is that (1) it is spanned by a set of univariate basis functions that can be re‐parametrized with a more complex mathematical form, and (2) the resultant elasticity model is guaranteed to fulfill the polyconvexity, which ensures that the acoustic tensor remains elliptic for any deformation. To further improve the interpretability, we use genetic programming to convert each univariate basis into a compact mathematical expression. The resultant multi‐variable mathematical models obtained from this proposed framework are not only more interpretable but are also proven to fulfill physical laws. By controlling the compactness of the learned symbolic form, the machine learning‐generated mathematical model also requires fewer arithmetic operations than its deep neural network counterparts during deployment. This latter attribute is crucial for scaling large‐scale simulations where the constitutive responses of every integration point must be updated within each incremental time step. We compare our proposed model discovery framework against other state‐of‐the‐art alternatives to assess the robustness and efficiency of the training algorithms and examine the trade‐off between interpretability, accuracy, and precision of the learned symbolic hyperelastic models obtained from different approaches. Our numerical results suggest that our approach extrapolates well outside the training data regime due to the precise incorporation of physics‐based knowledge.

show abstract

Towards Reverse-Engineering Black-Box Neural Networks

Cited by 194 publications

References 20 publications

ML-Leaks: Model and Data Independent Membership Inference Attacks and Defenses on Machine Learning Models

ML-Leaks: Model and Data Independent Membership Inference Attacks and Defenses on Machine Learning Models

Survey of Attacks and Defenses on Edge-Deployed Neural Networks

Physics‐constrained symbolic model discovery for polyconvex incompressible hyperelastic materials

Contact Info

Product

Resources

About