SoK: Machine Learning Governance

Chandrasekaran, Varun; Jia, Hengrui; Thudi, Anvith; Travers, Adelin; Yaghini, Mohammad; Papernot, Nicolas

doi:10.48550/arxiv.2109.10870

Cited by 1 publication

(1 citation statement)

References 154 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…However, these approaches have been shown to cause utility degradation [27], or can be made ineffective using an adaptive query synthesis strategy [5]. Further, Chandrasekaran et al [5,6] provide theoretical insights to demonstrate that "model extraction is inevitable", even in a realistic setting with only hard labels, and even when models use randomised defenses. Hence, a model with a reasonably good accuracy would always leak information that could lead to model extraction.…”

Section: Defenses Against Model Stealingmentioning

confidence: 99%

Towards Data-Free Model Stealing in a Hard Label Setting

Sunandini¹,

Addepalli²,

Babu³

2022

Preprint

View full text Add to dashboard Cite

Machine learning models deployed as a service (MLaaS) are susceptible to model stealing attacks, where an adversary attempts to steal the model within a restricted access framework. While existing attacks demonstrate near-perfect clone-model performance using softmax predictions of the classification network, most of the APIs allow access to only the top-1 labels. In this work, we show that it is indeed possible to steal Machine Learning models by accessing only top-1 predictions (Hard Label setting) as well, without access to model gradients (Black-Box setting) or even the training dataset (Data-Free setting) within a low query budget. We propose a novel GAN-based framework 1 that trains the student and generator in tandem to steal the model effectively while overcoming the challenge of the hard label setting by utilizing gradients of the clone network as a proxy to the victim's gradients. We propose to overcome the large query costs associated with a typical Data-Free setting by utilizing publicly available (potentially unrelated) datasets as a weak image prior. We additionally show that even in the absence of such data, it is possible to achieve state-ofthe-art results within a low query budget using synthetically crafted samples. We are the first to demonstrate the scalability of Model Stealing in a restricted access setting on a 100 class dataset as well.

show abstract

Section: Defenses Against Model Stealingmentioning

confidence: 99%