I Know What You Trained Last Summer: A Survey on Stealing Machine Learning Models and Defences-Reference-Cited by-同舟云学术

I Know What You Trained Last Summer: A Survey on Stealing Machine Learning Models and Defences

Published:2023-07-17 Issue:14s Volume:55 Page:1-41
ISSN:0360-0300
Container-title:ACM Computing Surveys
language:en
Short-container-title:ACM Comput. Surv.

Author:

Oliynyk Daryna¹^ORCID,Mayer Rudolf²^ORCID,Rauber Andreas³^ORCID

Affiliation:

1. SBA Research, Austria

2. SBA Research & Vienna University of Technology, Austria

3. Vienna University of Technology, Austria

Abstract

Machine-Learning-as-a-Service (MLaaS) has become a widespread paradigm, making even the most complex Machine Learning models available for clients via, e.g., a pay-per-query principle. This allows users to avoid time-consuming processes of data collection, hyperparameter tuning, and model training. However, by giving their customers access to the (predictions of their) models, MLaaS providers endanger their intellectual property such as sensitive training data, optimised hyperparameters, or learned model parameters. In some cases, adversaries can create a copy of the model with (almost) identical behaviour using the the prediction labels only. While many variants of this attack have been described, only scattered defence strategies that address isolated threats have been proposed. To arrive at a comprehensive understanding why these attacks are successful and how they could be holistically defended against, a thorough systematisation of the field of model stealing is necessary. We address this by categorising and comparing model stealing attacks, assessing their performance, and exploring corresponding defence techniques in different settings. We propose a taxonomy for attack and defence approaches and provide guidelines on how to select the right attack or defence strategy based on the goal and available resources. Finally, we analyse which defences are rendered less effective by current attack strategies.

Funder

European Union’s Horizon 2020

Publisher

Association for Computing Machinery (ACM)

Subject

General Computer Science,Theoretical Computer Science

Link

https://dl.acm.org/doi/pdf/10.1145/3595292

Reference148 articles.

1. Florian Tramèr, Fan Zhang, Ari Juels, Michael K. Reiter, and Thomas Ristenpart. 2016. Stealing machine learning models via prediction APIs. In USENIX Security Symposium. USENIX Association. Retrieved from https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/tramer.

2. Nicolas Papernot, Patrick McDaniel, Ian Goodfellow, Somesh Jha, Z. Berkay Celik, and Ananthram Swami. 2017. Practical black-box attacks against machine learning. In ACM Asia Conference on Computer and Communications Security (ASIA CCS). ACM. DOI:10.1145/3052973.3053009

3. Tribhuvanesh Orekondy, Bernt Schiele, and Mario Fritz. 2019. Knockoff nets: Stealing functionality of black-box models. In IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR). IEEE. DOI:10.1109/CVPR.2019.00509

4. How to steal a machine learning classifier with deep learning

5. Kalpesh Krishna, Gaurav Singh Tomar, Ankur Parikh, Nicolas Papernot, and Mohit Iyyer. 2020. Thieves of Sesame Street: Model extraction on BERT-based APIs. In International Conference on Learning Representations (ICLR). Retrieved from https://iclr.cc/virtual_2020/poster_Byl5NREFDr.html.

Cited by 6 articles. 订阅此论文施引文献订阅此论文施引文献，注册后可以免费订阅5篇论文的施引文献，订阅后可以查看论文全部施引文献

1. PtbStolen: Pre-trained Encoder Stealing Through Perturbed Samples;Communications in Computer and Information Science;2024

2. Detecting Adversarial Examples Using Surrogate Models;Machine Learning and Knowledge Extraction;2023-11-27

3. Attack Tree Analysis for Adversarial Evasion Attacks;2023 IEEE 28th Pacific Rim International Symposium on Dependable Computing (PRDC);2023-10-24

4. IP Protection in TinyML;2023 60th ACM/IEEE Design Automation Conference (DAC);2023-07-09

5. Identifying Appropriate Intellectual Property Protection Mechanisms for Machine Learning Models: A Systematization of Watermarking, Fingerprinting, Model Access, and Attacks;IEEE Transactions on Neural Networks and Learning Systems;2023