Stealing Machine Learning Models via Prediction APIs
Transcript of the poster.
Florian Tramèr (1), Fan Zhang (2), Ari Juels (3), Michael Reiter (4), Thomas Ristenpart (3)
(1) EPFL, (2) Cornell, (3) Cornell Tech, (4) UNC
http://silver.web.unc.edu
Cloud Security Horizons Summit, March 2016
Goals
§ Machine learning models may be deemed confidential due to
  § Sensitive training data
  § Commercial value
  § Use in security applications
§ In practice, ML models are deployed with public prediction APIs.
§ We show simple, efficient attacks that can steal the model through legitimate prediction queries.
Approach
[Figure: the data owner trains a model f from a database DB and deploys it behind an ML service; the extraction adversary sends queries x1, …, xq to the prediction API, receives f(x1), …, f(xq), and produces an approximation f̂.]
LR and MLP: Equation-Solving
Making use of the confidence values.
§ Logistic Regression: $\mathbf{w} \cdot \mathbf{x} = \sigma^{-1}(f(\mathbf{x}))$
§ Multiclass LR (MLR) and Multilayer Perceptron (MLP): $\sigma(i, \mathbf{w}_1 \cdot \mathbf{x}, \ldots, \mathbf{w}_c \cdot \mathbf{x}) = f_i(\mathbf{x})$
§ Kernelized LR: $\sigma(i, \boldsymbol{\alpha}_1 \cdot \kappa(\mathbf{x}, \boldsymbol{\tau}), \ldots, \boldsymbol{\alpha}_c \cdot \kappa(\mathbf{x}, \boldsymbol{\tau})) = f_i(\mathbf{x})$

SVM: Retraining
Making use of only the class label.
§ Retraining with uniform queries
§ Line-search retraining
§ Adaptive retraining

Approach cont.
Decision Tree: Path-Finding Attacks
§ We propose a new Path-Finding attack
§ Exploits the ability to query APIs with incomplete inputs.
§ Also applies to regression trees.

Results
Success of equation-solving attacks

Model     Unknowns   Queries   1-R_test   1-R_unif   Time (s)
Softmax        530       265     99.96%     99.75%        2.6
Softmax        530       530    100.00%    100.00%        3.1
OvR            530       265     99.98%     99.98%        2.8
OvR            530       530    100.00%    100.00%        3.5
MLP          2,225     2,225     98.68%     97.23%        168
MLP          2,225     4,450     99.89%     99.82%        196
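The equation-solving observation above for logistic regression, worked through from the model owner's side as an added example (not code from the poster or its authors): with full-precision confidences, each query yields one linear equation $\mathbf{w} \cdot \mathbf{x} + b = \sigma^{-1}(f(\mathbf{x}))$, so d+1 queries determine the d weights and the bias exactly; the same check run against rounded confidences shows how much that mitigation degrades the recovery. The model weights, the simulated API and the query distribution are all constructed for illustration.

```python
import math
import random

# Constructed toy model standing in for the confidential logistic regression
# behind a prediction API (3 features plus a bias term). Not from the poster.
TRUE_W = [0.8, -1.5, 2.3]
TRUE_B = 0.4

def predict_api(x, decimals=None):
    """Simulated prediction API returning the confidence f(x) = sigma(w.x + b).

    decimals=None returns full precision; an integer rounds the confidence,
    which is a knob the model owner controls."""
    z = sum(wi * xi for wi, xi in zip(TRUE_W, x)) + TRUE_B
    p = 1.0 / (1.0 + math.exp(-z))
    return p if decimals is None else round(p, decimals)

def logit(p):
    """Inverse of the sigmoid: sigma^-1(p) = log(p / (1 - p))."""
    return math.log(p / (1.0 - p))

def solve(A, b):
    """Gauss-Jordan elimination with partial pivoting for a square system A y = b."""
    n = len(A)
    M = [row[:] + [bi] for row, bi in zip(A, b)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(M[r][col]))
        M[col], M[piv] = M[piv], M[col]
        for r in range(n):
            if r != col:
                f = M[r][col] / M[col][col]
                M[r] = [a - f * c for a, c in zip(M[r], M[col])]
    return [M[i][n] / M[i][i] for i in range(n)]

def leakage_check(decimals=None, seed=0):
    """Owner-side check: issue d+1 random queries, turn each answer into the
    linear equation w.x + b = sigma^-1(f(x)), solve for (w, b), and return the
    largest absolute error against the confidential parameters."""
    d = len(TRUE_W)
    rng = random.Random(seed)
    A, y = [], []
    for _ in range(d + 1):
        x = [rng.uniform(-1.0, 1.0) for _ in range(d)]
        A.append(x + [1.0])  # trailing 1 multiplies the bias term
        y.append(logit(predict_api(x, decimals)))
    est = solve(A, y)
    return max(abs(e - t) for e, t in zip(est, TRUE_W + [TRUE_B]))

if __name__ == "__main__":
    print("full precision, max parameter error:", leakage_check())
    print("rounded to 2 decimals, max parameter error:", leakage_check(decimals=2))
```

Rounding only blunts this particular attack; the poster's retraining and path-finding methods work from class labels alone, so coarser outputs are not a complete defence.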
Training data extraction
[Figure: training data alongside the samples recovered from the extracted model.]
Model Extraction against MLaaS

Service   Model   Data set         Queries   Time (s)
Amazon    LR      Digits               650         70
Amazon    LR      Adult              1,485        149
BigML     DT      German Credits     1,150        632
BigML     DT      Steak Survey       4,013      2,088

§ The table shows the number of prediction queries made to the ML API in an attack that extracts a 100% equivalent model.