ModelDiff: testing-based DNN similarity comparison for model reuse detection

Li, Yuanchun; Zhang, Ziqi; Liu, Bingyan; Yang, Zeliang; Liu, Yunxin

doi:10.1145/3460319.3464816

Cited by 21 publications

(7 citation statements)

References 72 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Our attack can certainly incorporate other inference targets as well (see Section 9 for some discussion). Note that model type/hyperparameter stealing is well recognized by the scientific community [9,29,30,42].…”

Section: Threat Modelmentioning

confidence: 99%

“…1 Our code is available at https://github.com/boz083/Plot_Steal. Recent studies demonstrate that ML models are vulnerable to information stealing attacks, such as model type [9,29] and hyperparameters [30,42]. These attacks first leverage a dataset to query a target ML model and obtain the responses.…”

Section: Introductionmentioning

confidence: 99%

“…Model Information Stealing Attacks. Model information stealing attacks aim to infer the type [9,29] or hyperparameters of a target model [30,42]. While existing attacks rely on query responses from the target model to infer model information, we propose a new attack leveraging only the publicly accessible scientific plots.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

A Plot is Worth a Thousand Words: Model Information Stealing Attacks via Scientific Plots

Zhang¹,

He²,

Shen³

et al. 2023

Preprint

View full text Add to dashboard Cite

Building advanced machine learning (ML) models requires expert knowledge and many trials to discover the best architecture and hyperparameter settings. Previous work demonstrates that model information can be leveraged to assist other attacks, such as membership inference, generating adversarial examples. Therefore, such information, e.g., hyperparameters, should be kept confidential. It is well known that an adversary can leverage a target ML model's output to steal the model's information. In this paper, we discover a new side channel for model information stealing attacks, i.e., models' scientific plots which are extensively used to demonstrate model performance and are easily accessible. Our attack is simple and straightforward. We leverage the shadow model training techniques to generate training data for the attack model which is essentially an image classifier. Extensive evaluation on three benchmark datasets shows that our proposed attack can effectively infer the architecture/hyperparameters of image classifiers based on convolutional neural network (CNN) given the scientific plot generated from it. We also reveal that the attack's success is mainly caused by the shape of the scientific plots, and further demonstrate that the attacks are robust in various scenarios. Given the simplicity and effectiveness of the attack method, our study indicates scientific plots indeed constitute a valid side channel for model information stealing attacks. To mitigate the attacks, we propose several defense mechanisms that can reduce the original attacks' accuracy while maintaining the plot utility. However, such defenses can still be bypassed by adaptive attacks. 1

show abstract

Section: Threat Modelmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

A Plot is Worth a Thousand Words: Model Information Stealing Attacks via Scientific Plots

Zhang¹,

He²,

Shen³

et al. 2023

Preprint

View full text Add to dashboard Cite

show abstract

“…To make the fingerprinting robust to model distillation, Lukas et al [30] further propose the conferrable adversarial examples as the model fingerprints. To detect the plagiarism models which have different output space from the source model, Li et al [27] proposed a model fingerprinting scheme that compares the behavioral patterns on a set of normal and special adversarial inputs. As described above, optimizing such trigger sets is both time-consuming and model-specific.…”

Section: Model Fingerprintingmentioning

confidence: 99%

Perceptual Hashing of Deep Convolutional Neural Networks for Model Copy Detection

Chen

Zhou

Zhang

et al. 2023

ACM Trans. Multimedia Comput. Commun. Appl.

View full text Add to dashboard Cite

In recent years, many model intellectual property (IP) proof methods for IP protection have been proposed, such as model watermarking and model fingerprinting. However, with the increasing number of models transmitted and deployed on the Internet, quickly finding the suspect model among thousands of models on the model-sharing platforms such as GitHub is in great demand, which concurrently triggers the new security problem of model copy detection for IP protection. And as an important part of the model IP protection system, the model copy detection task has not received enough attention. Due to the high computational complexity, both model watermarking and model fingerprinting lack the capability to efficiently find suspected infringing models among tens of millions of models. In this paper, inspired by the hash-based image retrieval methods, we introduce a novel model copy detection mechanism: perceptual hashing for convolutional neural networks (CNNs). The proposed perceptual hashing algorithm can convert the weights of CNNs to fixed-length binary hash codes so that the lightly modified version has the similar hash code as the original model. By comparing the similarity of a pair of hash codes between a query model and a test model in the model library, similar versions of a query model can be retrieved efficiently. To the best of our knowledge, this is the first perceptual hashing algorithm for deep neural network models. Specifically, we first select the important model weights based on the model compression theory, then calculate the normal test statistics (NTS) on the segments of important weights, and finally encode the NTS features into hash codes. The experiment performed on a model library containing 3,565 models indicates that our perceptual hashing scheme has a superior copy detection performance.

show abstract

“…Also, there has been many evaluations, surveys or reviews the existing state of the art models like [2], [3], [4], [5] to just mention a few recent works. Having so many existing solutions there are even methods to compare the models between each other based on their behavioral responses [6]. The majority of these solutions are based on the supervised approach since, due to its deterministic nature, are easier to evaluate.…”

Section: Introductionmentioning

confidence: 99%

Hybrid Restricted Boltzmann Machine– Convolutional Neural Network Model for Image Recognition

Sobczak

Kapela

2022

IEEE Access

View full text Add to dashboard Cite

Convolutional Neural Networks (CNNs) have become a standard approach to many image processing dilemmas. Consequently, most of the proposed CNN architectures tend to increase the model deepness or layer complexity. Thus, they are composed of many parameters and need considerable computing resources and training examples. However, some recent works show that either shallow neural networks or architectures without convolutions can achieve similar results with these models often being used in systems with limited resources. Consideration of these aspects led us to a relatively simple preprocessing layer that increases the accuracy of CNN or may reduce its complexity. The layer is composed of two parts: the first is used to transform RGB data to binary representation, the second is a neural network that transforms the binary data into a multi-channel, real-value matrix and is trained in a fully unsupervised manner. Our proposal also includes a metric that may be used for measuring the similarity of training data, with the latter proving useful when performing transfer learning. Our experiments show that the resulting architecture not only helps to improve accuracy but is also more robust to image noise, including adversarial attacks, when compared to state-of-the-art models.

show abstract

ModelDiff: testing-based DNN similarity comparison for model reuse detection

Cited by 21 publications

References 72 publications

A Plot is Worth a Thousand Words: Model Information Stealing Attacks via Scientific Plots

A Plot is Worth a Thousand Words: Model Information Stealing Attacks via Scientific Plots

Perceptual Hashing of Deep Convolutional Neural Networks for Model Copy Detection

Hybrid Restricted Boltzmann Machine– Convolutional Neural Network Model for Image Recognition

Contact Info

Product

Resources

About