
2020 | Original Paper | Book chapter

Cryptanalytic Extraction of Neural Network Models

Authors: Nicholas Carlini, Matthew Jagielski, Ilya Mironov

Published in: Advances in Cryptology – CRYPTO 2020

Publisher: Springer International Publishing


Abstract

We argue that the machine learning problem of model extraction is actually a cryptanalytic problem in disguise, and should be studied as such. Given oracle access to a neural network, we introduce a differential attack that can efficiently steal the parameters of the remote model up to floating point precision. Our attack relies on the fact that ReLU neural networks are piecewise linear functions, and thus queries at the critical points reveal information about the model parameters.
We evaluate our attack on multiple neural network models and extract models that are \(2^{20}\) times more precise and require \(100\times\) fewer queries than prior work. For example, we extract a 100,000 parameter neural network trained on the MNIST digit recognition task with \(2^{21.5}\) queries in under an hour, such that the extracted model agrees with the oracle on all inputs up to a worst-case error of \(2^{-25}\), or a model with 4,000 parameters in \(2^{18.5}\) queries with worst-case error of \(2^{-40.4}\). Code is available at https://github.com/google-research/cryptanalytic-model-extraction.


Footnotes
1
This is the only assumption fundamental to our work. Switching to any activation that is not piecewise linear would prevent our attack. However, as mentioned, all state-of-the-art models use exclusively (piecewise linear generalizations of) the ReLU activation function [SIVA17, TL19].

2
For the expansive networks we will discuss in Sect. 4.4 it is actually impossible; therefore this section introduces the most general method.
References
[BBJP19] Batina, L., Bhasin, S., Jap, D., Picek, S.: CSI NN: reverse engineering of neural network architectures through electromagnetic side channel. In: 28th USENIX Security Symposium (2019)
[BCB15] Bahdanau, D., Cho, K., Bengio, Y.: Neural machine translation by jointly learning to align and translate. In: 3rd International Conference on Learning Representations (ICLR) (2015)
[BFH+18] Bradbury, J., et al.: JAX: composable transformations of Python+NumPy programs (2018)
[CCG+18] Chandrasekaran, V., Chaudhuri, K., Giacomelli, I., Jha, S., Yan, S.: Exploring connections between active learning and model extraction. arXiv preprint arXiv:1811.02054 (2018)
[CLE+19] Carlini, N., Liu, C., Erlingsson, Ú., Kos, J., Song, D.: The secret sharer: evaluating and testing unintended memorization in neural networks. In: USENIX Security Symposium, pp. 267–284 (2019)
[DGKP20] Das, A., Gollapudi, S., Kumar, R., Panigrahy, R.: On the learnability of random deep networks. In: ACM-SIAM Symposium on Discrete Algorithms, SODA 2020, pp. 398–410 (2020)
[EKN+17] Esteva, A., et al.: Dermatologist-level classification of skin cancer with deep neural networks. Nature 542(7639), 115–118 (2017)
[FJR15] Fredrikson, M., Jha, S., Ristenpart, T.: Model inversion attacks that exploit confidence information and basic countermeasures. In: ACM CCS, pp. 1322–1333 (2015)
[GBDL+16] Gilad-Bachrach, R., Dowlin, N., Laine, K., Lauter, K., Naehrig, M., Wernsing, J.: CryptoNets: applying neural networks to encrypted data with high throughput and accuracy. In: International Conference on Machine Learning, pp. 201–210 (2016)
[Gen09] Gentry, C.: A fully homomorphic encryption scheme. Ph.D. thesis, Stanford University (2009)
[HDK+20] Hong, S., Davinroy, M., Kaya, Y., Dachman-Soled, D., Dumitraş, T.: How to 0wn the NAS in your spare time. In: International Conference on Learning Representations (2020)
[HZRS16] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, pp. 770–778 (2016)
[JCB+19] Jagielski, M., Carlini, N., Berthelot, D., Kurakin, A., Papernot, N.: High-fidelity extraction of neural network models. arXiv:1909.01838 (2019)
[JOB+18] Jagielski, M., Oprea, A., Biggio, B., Liu, C., Nita-Rotaru, C., Li, B.: Manipulating machine learning: poisoning attacks and countermeasures for regression learning. In: 2018 IEEE Symposium on Security and Privacy (S&P), pp. 19–35. IEEE (2018)
[KLA+19] Karras, T., Laine, S., Aittala, M., Hellsten, J., Lehtinen, J., Aila, T.: Analyzing and improving the image quality of StyleGAN. CoRR, abs/1912.04958 (2019)
[KTP+19] Krishna, K., Tomar, G.S., Parikh, A.P., Papernot, N., Iyyer, M.: Thieves on sesame street! Model extraction of BERT-based APIs. arXiv preprint arXiv:1910.12366 (2019)
[Lev14] Levinovitz, A.: The mystery of Go, the ancient game that computers still can't win. Wired, May 2014
[MLS+20] Mishra, P., Lehmkuhl, R., Srinivasan, A., Zheng, W., Popa, R.A.: DELPHI: a cryptographic inference service for neural networks. In: 29th USENIX Security Symposium (2020)
[MSDH19] Milli, S., Schmidt, L., Dragan, A.D., Hardt, M.: Model reconstruction from model explanations. In: Proceedings of the Conference on Fairness, Accountability, and Transparency, FAT* 2019, pp. 1–9 (2019)
[NH10] Nair, V., Hinton, G.E.: Rectified linear units improve restricted Boltzmann machines. In: Proceedings of the 27th International Conference on Machine Learning (ICML), pp. 807–814 (2010)
[RK19] Rolnick, D., Kording, K.P.: Identifying weights and architectures of unknown ReLU networks. arXiv preprint arXiv:1910.00744 (2019)
[RWT+18] Riazi, M.S., Weinert, C., Tkachenko, O., Songhori, E.M., Schneider, T., Koushanfar, F.: Chameleon: a hybrid secure computation framework for machine learning applications. In: ACM ASIACCS, pp. 707–721 (2018)
[SHM+16] Silver, D., et al.: Mastering the game of Go with deep neural networks and tree search. Nature 529(7587), 484 (2016)
[SIVA17] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, Inception-ResNet and the impact of residual connections on learning. In: Proceedings of the Thirty-First AAAI Conference on Artificial Intelligence, AAAI 2017, pp. 4278–4284. AAAI Press (2017)
[SSRD19] Shamir, A., Safran, I., Ronen, E., Dunkelman, O.: A simple explanation for the existence of adversarial examples with small Hamming distance. CoRR, abs/1901.10861 (2019)
[SZS+14] Szegedy, C., et al.: Intriguing properties of neural networks. In: 2nd International Conference on Learning Representations (ICLR 2014). arXiv:1312.6199 (2014)
[TL19] Tan, M., Le, Q.V.: EfficientNet: rethinking model scaling for convolutional neural networks. arXiv preprint arXiv:1905.11946 (2019)
[TZJ+16] Tramèr, F., Zhang, F., Juels, A., Reiter, M.K., Ristenpart, T.: Stealing machine learning models via prediction APIs. In: USENIX Security Symposium, pp. 601–618 (2016)
[Wen90] Wenskay, D.L.: Intellectual property protection for neural networks. Neural Netw. 3(2), 229–236 (1990)
[WG18] Wang, B., Gong, N.Z.: Stealing hyperparameters in machine learning. In: 2018 IEEE Symposium on Security and Privacy (S&P), pp. 36–52. IEEE (2018)
[WSC+16] Wu, Y., et al.: Google's neural machine translation system: bridging the gap between human and machine translation. arXiv preprint arXiv:1609.08144 (2016)
[XHLL19] Xie, Q., Hovy, E., Luong, M.-T., Le, Q.V.: Self-training with noisy student improves ImageNet classification. arXiv preprint arXiv:1911.04252 (2019)
[Yao86] Yao, A.C.-C.: How to generate and exchange secrets. In: FOCS 1986, pp. 162–167. IEEE (1986)
[ZL16]
Metadata
Title
Cryptanalytic Extraction of Neural Network Models
Authors
Nicholas Carlini
Matthew Jagielski
Ilya Mironov
Copyright year
2020
DOI
https://doi.org/10.1007/978-3-030-56877-1_7
