Paper title

I Know What You Trained Last Summer: A Survey on Stealing Machine Learning Models and Defences

Paper authors

Daryna Oliynyk, Rudolf Mayer, Andreas Rauber

Paper abstract

Machine Learning-as-a-Service (MLaaS) has become a widespread paradigm, making even the most complex machine learning models available to clients via, for example, a pay-per-query principle. This allows users to avoid the time-consuming processes of data collection, hyperparameter tuning, and model training. However, by giving their customers access to (the predictions of) their models, MLaaS providers endanger their intellectual property, such as sensitive training data, optimised hyperparameters, or learned model parameters. Adversaries can create a copy of the model with (almost) identical behaviour using the prediction labels only. While many variants of this attack have been described, only scattered defence strategies have been proposed, each addressing an isolated threat. This raises the need for a thorough systematisation of the field of model stealing, to arrive at a comprehensive understanding of why these attacks succeed and how they could be defended against holistically. We address this by categorising and comparing model stealing attacks, assessing their performance, and exploring corresponding defence techniques in different settings. We propose a taxonomy for attack and defence approaches, and provide guidelines on how to select the right attack or defence strategy based on the goal and the available resources. Finally, we analyse which defences are rendered less effective by current attack strategies.
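The abstract's central claim, that a copy with near-identical behaviour can be built from prediction labels alone, is illustrated below with an added, self-contained example that is not code from the survey or its authors. It assumes a hypothetical victim: a two-feature linear classifier with hidden weights `_VICTIM_W`, `_VICTIM_B`, exposed through a simulated pay-per-query endpoint `LabelOnlyAPI` that returns hard labels and counts queries. The attacker probes segments across the input box, bisects any segment whose endpoints disagree to locate points on the decision boundary, and rebuilds the boundary from two such points plus one labelled anchor for orientation. The `_victim_label` oracle is used only to score the copy afterwards; the attacker never calls it. This boundary-search strategy is specific to linear victims and is chosen here because it is deterministic and cheap; the survey covers many other settings.

```python
"""Label-only extraction of a hypothetical linear victim behind a pay-per-query API.
Constructed demo: the victim weights, the input box and the probe positions are
assumptions made for this example, not anything taken from the survey."""
import random

# Hypothetical victim parameters (the provider's "IP"); hidden from the attacker.
_VICTIM_W = (1.5, -2.0)
_VICTIM_B = 0.3


def _victim_label(x):
    """Ground-truth decision function; used only to score the extracted copy."""
    return 1 if _VICTIM_W[0] * x[0] + _VICTIM_W[1] * x[1] + _VICTIM_B > 0 else 0


class LabelOnlyAPI:
    """Simulated MLaaS endpoint: returns the hard label only and bills per query."""

    def __init__(self):
        self.queries = 0

    def predict(self, x):
        self.queries += 1
        return _victim_label(x)


def _dist(a, b):
    return ((a[0] - b[0]) ** 2 + (a[1] - b[1]) ** 2) ** 0.5


def bisect_boundary(api, pos, neg, iters=50):
    """Binary-search the segment pos->neg for a point on the decision boundary.
    pos must carry label 1 and neg label 0; only labels are consumed."""
    for _ in range(iters):
        mid = ((pos[0] + neg[0]) / 2, (pos[1] + neg[1]) / 2)
        if api.predict(mid) == 1:
            pos = mid
        else:
            neg = mid
    return ((pos[0] + neg[0]) / 2, (pos[1] + neg[1]) / 2)


def find_boundary_points(api, box=3.0, probes=(-2.0, 0.0, 2.0), min_sep=1.0):
    """Probe vertical segments x = const across the input box (assumed range
    [-box, box]^2). When the two endpoints receive different labels the boundary
    crosses the segment, so bisect it. Returns two boundary points at least
    min_sep apart and one point known to be labelled 1 (the orientation anchor)."""
    found, anchor = [], None
    for xc in probes:
        top, bottom = (xc, box), (xc, -box)
        lt, lb = api.predict(top), api.predict(bottom)
        if lt == lb:
            continue  # boundary does not cross this segment; try the next probe
        pos, neg = (top, bottom) if lt == 1 else (bottom, top)
        if anchor is None:
            anchor = pos
        p = bisect_boundary(api, pos, neg)
        if not found or _dist(found[0], p) >= min_sep:
            found.append(p)
        if len(found) == 2:
            return found[0], found[1], anchor
    raise RuntimeError("could not locate two well-separated boundary points")


def extract_linear(api):
    """Reconstruct the victim's (w, b), up to a positive scale factor, from two
    boundary points and one labelled anchor that fixes the orientation."""
    p1, p2, pos = find_boundary_points(api)
    d = (p2[0] - p1[0], p2[1] - p1[1])   # direction along the boundary
    w = (-d[1], d[0])                    # a normal to that direction
    b = -(w[0] * p1[0] + w[1] * p1[1])   # the boundary passes through p1
    if w[0] * pos[0] + w[1] * pos[1] + b < 0:
        w, b = (-w[0], -w[1]), -b        # orient so the anchor is class 1
    return w, b


def surrogate_label(w, b, x):
    """The stolen copy's prediction."""
    return 1 if w[0] * x[0] + w[1] * x[1] + b > 0 else 0


def agreement(w, b, n=2000, box=3.0, seed=1):
    """Fraction of constructed random test points on which the copy and the
    victim agree (the usual fidelity metric for model stealing)."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(n):
        x = (rng.uniform(-box, box), rng.uniform(-box, box))
        hits += surrogate_label(w, b, x) == _victim_label(x)
    return hits / n


if __name__ == "__main__":
    api = LabelOnlyAPI()
    w, b = extract_linear(api)
    print(f"{api.queries} label-only queries -> fidelity {agreement(w, b):.4f}")
```

Two probes suffice for the assumed victim, so the whole extraction costs about a hundred label-only queries and reproduces the decision boundary essentially exactly; the attacker learns `w` and `b` up to scale without ever seeing a confidence score. A per-query fee or a rate limit therefore has to be judged against how few queries such attacks actually need, which is one of the resource trade-offs the survey's guidelines address.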
