Top

Automatic Control and Computer Sciences

Published in:

01-12-2023

Protection of Computational Machine Learning Models against Extraction Threat

Authors: M. O. Kalinin, M. D. Soshnev, A. S. Konoplev

Published in: Automatic Control and Computer Sciences | Issue 8/2023

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

The extraction threat to machine learning models is considered. Most contemporary methods of defense against the extraction of computational machine learning models are based on the use of a protective noise mechanism. The main disadvantage inherent in the noise mechanism is that it reduces the precision of the model’s output. The requirements for the efficient methods of protecting the machine learning models from extraction are formulated, and a new method of defense against this threat, supplementing the noise with a distillation mechanism, is presented. It is experimentally shown that the developed method provides the resistance of machine learning models to extraction threat while maintaining the quality their operating results due to the transformation of protected models into the other simplified models equivalent to the original ones.

previous article Defense against Adversarial Attacks on Image Recognition Systems Using an Autoencoder

next article Improving the Efficiency of Multiagent Information Security Systems by Post-Quantum Cryptography Methods

Machine Learning as a Service Market: Global Industry Analysis, Size, Share, Growth, Trends, Regional Outlook, and Forecast 2022-2030, 2023. https://www.precedenceresearch.com/machine-learning-as-a-service-market. Cited July 5, 2023.

Data base of information security threats. https://bdu.fstec.ru/threat. Cited July 5, 2023.

Wang, B. and Gong, N.Z., Stealing hyperparameters in machine learning, 2018 IEEE Symp. on Security and Privacy (SP), San Francisco, 2018, IEEE, 2018, pp. 36–52. https://doi.org/10.1109/sp.2018.00038

Liu, S., Model extraction attack and defense on deep generative models, J. Phys.: Conf. Ser., 2022, vol. 2189, no. 1, p. 012024. https://doi.org/10.1088/1742-6596/2189/1/012024CrossRef

Li, D., Liu, D., Guo, Yi., Ren, Ya., Su, J., and Liu, J., Defending against model extraction attacks with physical unclonable function, Inf. Sci., 2023, vol. 628, pp. 196–207. https://doi.org/10.1016/j.ins.2023.01.102CrossRef

Chandrasekaran, V., Chaudhuri, K., Giacomelli, I., Jha, S., and Yan, S., Exploring connections between active learning and model extraction, Proc. 29th USENIX Conf. on Security Symp., USENIX Association, 2020, pp. 1309–1326. https://www.usenix.org/conference/usenixsecurity20/presentation/chandrasekaran.

Moosavi-Dezfooli, S.-M., Fawzi, A., and Frossard, P., DeepFool: A simple and accurate method to fool deep neural networks, 2016 IEEE Conf. on Computer Vision and Pattern Recognition (CVPR), Las Vegas, 2016, IEEE, 2016, pp. 2574–2582. https://doi.org/10.1109/cvpr.2016.282

The CW attack algorithm. https://wiki.spencerwoo.com/cw-algorithm.html. Cited July 5, 2023.

Adversarial machine learning. https://www.javatpoint.com/adversarial-machine-learning. Cited July 5, 2023.

10.

Kleinings, H., What is data extraction? [Techniques, Tools + Use Cases], 2022. levity.ai/blog/what-is-data-extraction. Cited July 5, 2023.

11.

Tramèr, F., Zhang, F., Juels, A., Reiter, M.K., and Ristenpart, T., Stealing machine learning models via prediction APIs, 25th USENIX Security Symp., Austin, TX: USENIX Association, 2016, pp. 601–618. https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/tramer.

12.

Hu, H. and Pang, J., Stealing machine learning models: Attacks and countermeasures for generative adversarial networks, Annual Computer Security Applications Conference, New York: Association for Computing Machinery, 2021, pp. 1–6. https://doi.org/10.1145/3485832.3485838

13.

Wiegreffe, S. and Pinter, Yu., Attention is not not explanation, Proc. 2019 Conf. on Empirical Methods in Natural Language Processing and the 9th Int. Joint Conf. on Natural Language Processing (EMNLP-IJCNLP), Inui, K., Jiang, J., Ng, V., and Wan, X., Eds., Hong Kong: Association for Computational Linguistics, 2019, pp. 11–20. https://doi.org/10.18653/v1/D19-1002

14.

Pal, S., Gupta, Ya., Kanade, A., and Shevade, Sh., Stateful detection of model extraction attacks, 2021. https://doi.org/10.48550/arXiv.2107.05166

15.

Zhang, Z., Chen, Yi., and Wagner, D., SEAT: Similarity encoder by adversarial training for detecting model extraction attack queries, Proc. 14th ACM Workshop on Artificial Intelligence and Security, New York: Association for Computing Machinery, 2021, pp. 37–48. https://doi.org/10.1145/3474369.3486863

16.

Li, Yi., Zhu, L., Jia, X., Jiang, Yo., Xia, Sh.-T., and Cao, X., Defending against model stealing via verifying embedded external features, Proc. AAAI Conf. Artif. Intell., 2022, vol. 36, no. 2, pp. 1464–1472. https://doi.org/10.1609/aaai.v36i2.20036

17.

Krishna, K., Tomar, G.S., Parikh, A.P., Papernot, N., and Iyyer, M., Thieves on sesame street! Model extraction of BERT-based APIs, 2020. https://openreview.net/forum?id=Byl5NREFDr.

18.

Juuti, M., Szyller, S., Marchal, S., and Asokan, N., PRADA: Protecting against DNN model stealing attacks, 2019 IEEE Eur. Symp. on Security and Privacy (EuroS&P), Stockholm, 2019, IEEE, 2019, pp. 512–527. https://doi.org/10.1109/eurosp.2019.00044

19.

Shokri, R., Stronati, M., Song, C., and Shmatikov, V., Membership inference attacks against machine learning models, 2017 IEEE Symp. on Security and Privacy (SP), San Jose, Calif., 2017, IEEE, 2017, pp. 3–18. https://doi.org/10.1109/sp.2017.41

20.

Ermis, B. and Cemgil, A.T., Differentially private dropout, 2017. https://doi.org/10.48550/arXiv.1712.01665

21.

Alfeld, S., Zhu, X., and Barford, P., Data poisoning attacks against autoregressive models, Proc. AAAI Conf. Artif. Intell., 2023, vol. 30, no. 1. https://doi.org/10.1609/aaai.v30i1.10237

22.

Dziedzic, A., Kaleem, M.A., Lu, Yu.Sh., and Papernot, N., Increasing the cost of model extraction with calibrated proof of work, Int. Conf. on Learning Representations, 2022. https://openreview.net/forum?id=EAy7C1cgE1L.

23.

You, Z., Ye, J., Li, K., Xu, Z., and Wang, P., Adversarial noise layer: Regularize neural network by adding noise, 2019 IEEE Int. Conf. on Image Processing (ICIP), Taipei, 2019, IEEE, 2019, pp. 909–913. https://doi.org/10.1109/icip.2019.8803055

24.

Chabanne, H., Despiegel, V., and Guiga, L., A protection against the extraction of neural network models, Proc. 7th Int. Conf. on Information Systems Security and Privacy ICISSP, SCITEPRESS, 2020, vol. 1, pp. 258–269. https://doi.org/10.5220/0010373302580269

25.

Volodin, I.V., Putyato, M.M., Makaryan, A.S., and Evglevsky, V.Yu., Classification of attack mechanisms and research of protection methods for systems using machine learning and artificial intelligence algorithms, Prikaspiiskii Zh.: Upr. Vysokie Tekhnol., 2021, no. 2, pp. 91–98. https://doi.org/10.21672/2074-1707.2021.53.1.090-098

26.

Boenisch, F., A systematic review on model watermarking for neural networks, Front. Big Data, 2021, vol. 4, p. 729663. https://doi.org/10.3389/fdata.2021.729663CrossRefPubMedPubMedCentral

27.

Hinton, G., Vinyals, O., and Dean, J., Distilling the knowledge in a neural network, 2015. https://doi.org/10.48550/arXiv.1503.02531

28.

Lendave, V., A beginner’s guide to knowledge distillation in deep learning, Analytics India Mag., 2022. https://analyticsindiamag.com/a-beginners-guide-to-knowledge-distillation-in-deep-learning/.

29.

Kotak, J. and Elovici, Yu., IoT device identification using deep learning, 13th Int. Conf. on Computational Intelligence in Security for Information Systems (CISIS 2020), Herrero, Á., Cambra, C., Urda, D., Sedano, J., Quintián, H., and Corchado, E., Eds., Advances in Intelligent Systems and Computing, vol. 1267, Cham: Springer, 2021, pp. 76–86. https://doi.org/10.1007/978-3-030-57805-3_8

30.

Meidan, Ya., Bohadana, M., Shabtai, A., Guarnizo, J.D., Ochoa, M., Tippenhauer, N.O., and Elovici, Yu., ProfilIoT: A machine learning approach for IoT device identification based on network traffic analysis, Proc. Symp. on Applied Computing, Marrakech, Morocco, 2017, New York: Association for Computing Machinery, 2017, pp. 506–509. https://doi.org/10.1145/3019612.3019878

31.

Hussein, M., Mohammed, Ye.S., Galal, A.I., Abd-Elrahman, E., and Zorkany, M., Smart cognitive iot devices using multi-layer perception neural network on limited microcontroller, Sensors, 2023, vol. 22, no. 14, p. 5106. https://doi.org/10.3390/s22145106ADSCrossRef

Title: Protection of Computational Machine Learning Models against Extraction Threat
Authors: M. O. Kalinin
M. D. Soshnev
A. S. Konoplev
Publication date: 01-12-2023
Publisher: Pleiades Publishing
Published in: Automatic Control and Computer Sciences / Issue 8/2023
Print ISSN: 0146-4116
Electronic ISSN: 1558-108X
DOI: https://doi.org/10.3103/S0146411623080084

Springer Professional

Abstract

Please log in to get access to your license.

Other articles of this Issue 8/2023

Confidentiality of Machine Learning Models

Framework for Modeling Security Policies of Big Data Processing Systems

Method for Detecting Manipulation Attacks on Recommender Systems with Collaborative Filtering

Searching for Software Vulnerabilities Using an Ensemble of Algorithms for the Analysis of a Graph Representation of the Code

Resistance of a Two-Component Steganographic System to Unauthorized Information Extraction

Improving the Efficiency of Multiagent Information Security Systems by Post-Quantum Cryptography Methods