Stealing Machine Learning Models via Prediction APIs

Posted on 11-Jun-2018

Stealing Machine Learning Models via Prediction APIs

Florian Tramèr (EPFL), Fan Zhang (Cornell), Ari Juels (Cornell Tech), Michael Reiter (UNC), Thomas Ristenpart (Cornell Tech)
http://silver.web.unc.edu
Cloud Security Horizons Summit, March 2016

Goals

Machine learning models may be deemed confidential due to:
- sensitive training data,
- commercial value,
- use in security applications.

In practice, ML models are deployed with public prediction APIs. We show simple, efficient attacks that can steal the model through legitimate prediction queries.

[Figure: a data owner trains a model f from a database DB and deploys it behind an ML service. An extraction adversary sends prediction queries x_1, ..., x_q to the service and receives f(x_1), ..., f(x_q).]

Approach

LR and MLP: Equation-Solving (making use of the confidence values)
- Logistic Regression: [equation lost in extraction]
- Multiclass LR (MLR) and Multilayer Perceptron (MLP): [equation lost in extraction]
- Kernelized LR: [equation lost in extraction]

SVM: Retraining (making use of only the class label)
- Retraining with uniform queries
- Line-search retraining
- Adaptive retraining

Approach (cont.)

Decision Tree: Path-Finding Attacks
- We propose a new path-finding attack.
- It exploits the ability to query APIs with incomplete inputs.
- It also applies to regression trees.

Results

Success of equation-solving attacks

Model    Unknowns   Queries   1-R_test   1-R_unif   Time (s)
Softmax  530        265       99.96%     99.75%     2.6
                    530       100.00%    100.00%    3.1
OvR      530        265       99.98%     99.98%     2.8
                    530       100.00%    100.00%    3.5
MLP      2,225      2,225     98.68%     97.23%     168
                    4,450     99.89%     99.82%     196

1-R_test and 1-R_unif are the rates at which the extracted model agrees with the target model on the held-out test set and on uniformly random inputs, respectively.

Training data extraction

[Figure: training data extraction; the original training data is shown beside the data recovered from the extracted model.]

Model extraction against MLaaS

Service   Model   Data set        Queries   Time (s)
Amazon    LR      Digits          650       70
Amazon    LR      Adult           1,485     149
BigML     DT      German Credits  1,150     632
BigML     DT      Steak Survey    4,013     2,088

The table shows the number of prediction queries made to the ML API in an attack that extracts a 100% equivalent model.
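The equation-solving attack on logistic regression, as an added worked example that is not code from the poster or from the authors' artifact. The target is a constructed stand-in for a prediction API that returns a confidence value; every confidence p = sigmoid(w . x + b) yields the linear equation logit(p) = w . x + b in the d + 1 unknowns (w, b), so d + 1 independent queries recover the model exactly, and a handful of extra queries with least squares absorb the rounding a real endpoint applies to its confidences. The class name `LogisticRegressionAPI`, the weights `TRUE_W`/`TRUE_B`, and the query counts are assumptions chosen for illustration.

```python
import math
import random


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


class LogisticRegressionAPI:
    """Constructed stand-in for a black-box prediction API (hypothetical).

    It hides w and b and exposes only a confidence value, optionally rounded
    the way a real MLaaS endpoint truncates its output.
    """

    def __init__(self, w, b, decimals=None):
        self._w, self._b, self._decimals = list(w), b, decimals
        self.queries = 0  # budget spent by the adversary

    def predict_proba(self, x):
        self.queries += 1
        p = sigmoid(sum(wi * xi for wi, xi in zip(self._w, x)) + self._b)
        return round(p, self._decimals) if self._decimals is not None else p


def solve_linear(A, b):
    """Gauss-Jordan elimination with partial pivoting for a square system A t = b."""
    n = len(A)
    M = [row[:] + [bi] for row, bi in zip(A, b)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(M[r][col]))
        M[col], M[pivot] = M[pivot], M[col]
        if abs(M[col][col]) < 1e-12:
            raise ValueError("singular system: queries are not independent")
        for r in range(n):
            if r != col:
                f = M[r][col] / M[col][col]
                M[r] = [a - f * c for a, c in zip(M[r], M[col])]
    return [M[i][n] / M[i][i] for i in range(n)]


def least_squares(X, y):
    """Minimise ||X t - y||^2 through the normal equations X^T X t = X^T y."""
    n = len(X[0])
    XtX = [[sum(row[i] * row[j] for row in X) for j in range(n)] for i in range(n)]
    Xty = [sum(row[i] * yi for row, yi in zip(X, y)) for i in range(n)]
    return solve_linear(XtX, Xty)


def extract_logistic_regression(api, d, n_queries, rng):
    """Equation-solving extraction against a binary LR model with d features.

    Each query x with confidence p gives one linear equation
        logit(p) = w . x + b
    in the d + 1 unknowns (w, b). Queries whose confidence rounds to exactly
    0 or 1 have no finite logit and are discarded rather than clamped, since a
    clamped value would act as a large outlier in the least-squares fit.
    """
    X, y = [], []
    while len(X) < n_queries:
        x = [rng.gauss(0.0, 1.0) for _ in range(d)]
        p = api.predict_proba(x)
        if p <= 0.0 or p >= 1.0:
            continue
        X.append(x + [1.0])            # trailing 1 multiplies the bias b
        y.append(math.log(p / (1.0 - p)))
    theta = least_squares(X, y)
    return theta[:d], theta[d]


def label(w, b, x):
    return int(sum(wi * xi for wi, xi in zip(w, x)) + b >= 0.0)


def agreement(w_true, b_true, w_hat, b_hat, n_test, rng):
    """Fraction of fresh random inputs on which the stolen model's label matches
    the target's (the poster's 1 - R_unif, here on Gaussian inputs)."""
    hits = 0
    for _ in range(n_test):
        x = [rng.gauss(0.0, 1.0) for _ in range(len(w_true))]
        hits += label(w_true, b_true, x) == label(w_hat, b_hat, x)
    return hits / n_test


# Constructed target model; a real attacker never sees these values.
TRUE_W = [1.5, -2.0, 0.7, 0.0, -1.2]
TRUE_B = 0.3


def demo(decimals=None, n_queries=6, seed=1):
    """Run the attack; return (w_hat, b_hat, queries_used, agreement_rate)."""
    api = LogisticRegressionAPI(TRUE_W, TRUE_B, decimals=decimals)
    rng = random.Random(seed)
    w_hat, b_hat = extract_logistic_regression(api, len(TRUE_W), n_queries, rng)
    agree = agreement(TRUE_W, TRUE_B, w_hat, b_hat, 2000, random.Random(seed + 1))
    return w_hat, b_hat, api.queries, agree


if __name__ == "__main__":
    # First run: exact confidences, d + 1 = 6 queries recover (w, b) exactly.
    # Second run: confidences rounded to 4 decimals, 60 queries with least squares.
    for dec, q in [(None, 6), (4, 60)]:
        w_hat, b_hat, used, agree = demo(decimals=dec, n_queries=q)
        print(f"decimals={dec} queries={used} agreement={agree:.4f} "
              f"w_hat={[round(v, 3) for v in w_hat]} b_hat={b_hat:.3f}")
```

Returning only the class label removes the linear equations altogether and pushes an attacker onto the retraining strategies listed under SVM above; rounding the confidences, by contrast, only costs the attacker a few extra queries, as the second run shows.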