Source: silver.web.unc.edu/files/2016/06/ml-poster.pdf (poster)

Stealing Machine Learning Models via Prediction APIs

Florian Tramèr (1), Fan Zhang (2), Ari Juels (3), Michael Reiter (4), Thomas Ristenpart (3)

(1) EPFL, (2) Cornell, (3) Cornell Tech, (4) UNC

http://silver.web.unc.edu · Cloud Security Horizons Summit, March 2016

Goals

§ Machine learning models may be deemed confidential due to:
  § Sensitive training data
  § Commercial value
  § Use in security applications

§ In practice, ML models are deployed with public prediction APIs.

§ We show simple, efficient attacks that can steal the model through legitimate prediction queries.

[Figure: attack model. A data owner trains a model on its DB and deploys it on an ML service. An extraction adversary sends queries x_1, …, x_q to the prediction API and receives the responses f(x_1), …, f(x_q).]

Approach

Decision Tree: Path-Finding Attacks

§ We propose a new Path-Finding attack.
§ It exploits the ability to query APIs with incomplete inputs.
§ It also applies to regression trees.

SVM: Retraining

§ Retraining with uniform queries
§ Line-search retraining
§ Adaptive retraining

LR and MLP: Equation-Solving

§ Logistic Regression: $\boldsymbol{w} \cdot \boldsymbol{x} = \sigma^{-1}(f(\boldsymbol{x}))$

§ Multiclass LR (MLR) and Multilayer Perceptron (MLP): $\sigma(i, \boldsymbol{w}_1 \cdot \boldsymbol{x}, \ldots, \boldsymbol{w}_c \cdot \boldsymbol{x}) = f_i(\boldsymbol{x})$

§ Kernelized LR: $\sigma(i, \boldsymbol{\alpha}_1 \cdot \kappa(\boldsymbol{x}, \boldsymbol{\tau}), \ldots, \boldsymbol{\alpha}_c \cdot \kappa(\boldsymbol{x}, \boldsymbol{\tau})) = f_i(\boldsymbol{x})$

Making use of the confidence values.

Making use of only the class label.

Success of equation-solving attacks

Model    | Unknowns | Queries | 1-R_test | 1-R_unif | Time (s)
Softmax  | 530      | 265     | 99.96%   | 99.75%   | 2.6
Softmax  | 530      | 530     | 100.00%  | 100.00%  | 3.1
OvR      | 530      | 265     | 99.98%   | 99.98%   | 2.8
OvR      | 530      | 530     | 100.00%  | 100.00%  | 3.5
MLP      | 2,225    | 2,225   | 98.68%   | 97.23%   | 168
MLP      | 2,225    | 4,450   | 99.89%   | 99.82%   | 196

Training data extraction

[Figure: training data extraction. Top row: training data; bottom row: recovered.]

Model Extraction against MLaaS

Service | Model | Data set       | Queries | Time (s)
Amazon  | LR    | Digits         | 650     | 70
Amazon  | LR    | Adult          | 1,485   | 149
BigML   | DT    | German Credits | 1,150   | 632
BigML   | DT    | Steak Survey   | 4,013   | 2,088

The table shows the number of prediction queries made to the ML API in an attack that extracts a 100% equivalent model.
