Stealing Machine Learning Models via Prediction APIs
Florian Tramèr (1), Fan Zhang (2), Ari Juels (3), Michael Reiter (4), Thomas Ristenpart (3)
1 EPFL, 2 Cornell, 3 Cornell Tech, 4 UNC
http://silver.web.unc.edu
Cloud Security Horizons Summit, March 2016
Goals
§ Machine learning models may be deemed confidential due to:
  § Sensitive training data
  § Commercial value
  § Use in security applications
§ In practice, ML models are deployed with public prediction APIs.
§ We show simple, efficient attacks that can steal the model through legitimate prediction queries.
Approach

[Figure: the model extraction setting. A data owner trains a model f from a database and deploys it behind an ML service; the extraction adversary sends prediction queries x_1, …, x_q, receives the responses f(x_1), …, f(x_q), and builds an approximation f̂ of the model.]
Approach cont.

Decision Tree: Path-Finding Attacks
§ We propose a new Path-Finding attack.
§ It exploits the ability to query APIs with incomplete inputs.
§ It also applies to regression trees.

SVM: Retraining
§ Retraining with uniform queries
§ Line-search retraining
§ Adaptive retraining

LR and MLP: Equation-Solving
§ Logistic Regression: $\boldsymbol{w} \cdot \boldsymbol{x} = \sigma^{-1}(f(\boldsymbol{x}))$
§ Multiclass LR (MLR) and Multilayer Perceptron (MLP): $\sigma(i, \boldsymbol{w}_1 \cdot \boldsymbol{x}, \ldots, \boldsymbol{w}_c \cdot \boldsymbol{x}) = f_i(\boldsymbol{x})$
§ Kernelized LR: $\sigma(i, \boldsymbol{\alpha}_1 \cdot \kappa(\boldsymbol{x}, \boldsymbol{\tau}), \ldots, \boldsymbol{\alpha}_c \cdot \kappa(\boldsymbol{x}, \boldsymbol{\tau})) = f_i(\boldsymbol{x})$

Results

Success of equation-solving attacks
[Figure: extraction success when making use of the confidence values, and when making use of only the class label.]
Model   | Unknowns | Queries | 1-R_test | 1-R_unif | Time (s)
Softmax | 530      | 265     | 99.96%   | 99.75%   | 2.6
Softmax | 530      | 530     | 100.00%  | 100.00%  | 3.1
OvR     | 530      | 265     | 99.98%   | 99.98%   | 2.8
OvR     | 530      | 530     | 100.00%  | 100.00%  | 3.5
MLP     | 2,225    | 2,225   | 98.68%   | 97.23%   | 168
MLP     | 2,225    | 4,450   | 99.89%   | 99.82%   | 196
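The logistic-regression case of the equation-solving attack, worked end to end as an added example (not code from the poster or its authors): a constructed local model stands in for the ML service, d+1 confidence queries yield the linear system w·x + b = σ⁻¹(f(x)) in the unknowns (w, b), and the solver recovers them. Two details are assumptions added here rather than statements of the poster: the bias b is treated as one more unknown, and the `decimals` option rounds the returned confidence to show how returning fewer digits degrades what the solver recovers.

```python
import math
import random

# Constructed "victim" logistic regression. SECRET_W and SECRET_B are what
# the adversary wants; only api_predict() is reachable, like a prediction API.
SECRET_W = [0.8, -1.5, 2.0]
SECRET_B = -0.3

def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))

def logit(p):
    p = min(max(p, 1e-12), 1.0 - 1e-12)  # guard against p exactly 0 or 1
    return math.log(p / (1.0 - p))

def api_predict(x, decimals=None):
    """Black-box API returning the confidence f(x) = sigma(w.x + b).
    decimals=None gives full precision; an integer rounds the confidence
    (an assumed countermeasure, not something the poster states)."""
    p = sigmoid(sum(wi * xi for wi, xi in zip(SECRET_W, x)) + SECRET_B)
    return p if decimals is None else round(p, decimals)

def solve(a, b):
    """Gauss-Jordan elimination with partial pivoting (small square system)."""
    n = len(b)
    m = [row[:] + [bi] for row, bi in zip(a, b)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        for r in range(n):
            if r != col:
                f = m[r][col] / m[col][col]
                m[r] = [rv - f * cv for rv, cv in zip(m[r], m[col])]
    return [m[i][n] / m[i][i] for i in range(n)]

def extract_lr(query, d, decimals=None, seed=2016):
    """Equation solving: d+1 queries give d+1 linear equations
    w.x + b = sigma^{-1}(f(x)) in the d+1 unknowns (w, b)."""
    rng = random.Random(seed)  # constructed query points; any d+1 in general position work
    xs = [[rng.uniform(-1.0, 1.0) for _ in range(d)] for _ in range(d + 1)]
    a = [x + [1.0] for x in xs]                    # row i: [x_i, 1]
    b = [logit(query(x, decimals)) for x in xs]    # right-hand side sigma^{-1}(f(x_i))
    sol = solve(a, b)
    return sol[:d], sol[d]

def extraction_error(decimals=None):
    """Largest absolute error between extracted and secret parameters."""
    w_hat, b_hat = extract_lr(api_predict, len(SECRET_W), decimals)
    return max(abs(p - q) for p, q in zip(w_hat + [b_hat], SECRET_W + [SECRET_B]))
```

Calling `extraction_error()` with exact confidences recovers the parameters to floating-point precision from only four queries, while `extraction_error(decimals=2)` shows the error introduced when the API returns rounded confidences.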
Training data extraction
[Figure: training data samples alongside the samples recovered from the extracted model.]
Model Extraction against MLaaS

Service | Model | Data set       | Queries | Time (s)
Amazon  | LR    | Digits         | 650     | 70
Amazon  | LR    | Adult          | 1,485   | 149
BigML   | DT    | German Credits | 1,150   | 632
BigML   | DT    | Steak Survey   | 4,013   | 2,088

The table shows the number of prediction queries made to the ML API in an attack that extracts a 100% equivalent model.