arXiv Paper Spotlight: Stealing Machine Learning Models via Prediction APIs
Despite their confidentiality, machine learning models which have public-facing APIs are vulnerable to model extraction attacks, which attempt to "steal the ingredients" and duplicate functionality. The paper at hand investigates.
In the era of prediction using Big Data, algorithms are the secret sauce. But just how secret can the ingredients be when models are opened up via API?
A recent paper by Florian Tramèr (EPFL), Fan Zhang (Cornell University), Ari Juels (Cornell Tech, Jacobs Institute), Michael K. Reiter (UNC Chapel Hill), and Thomas Ristenpart (Cornell Tech) researches this very issue. The central premise of the researchers is that, despite their confidentiality, machine learning models which have public-facing APIs are vulnerable to model extraction attacks, which attempt to "steal the ingredients" and duplicate functionality.
The authors' research focuses on a pair of publicly accessible ML platforms and outlines the steps they took to replicate model functionality. Their efforts were fruitful: their "attacks" replicated certain models, about which they had no prior knowledge, with 100% accuracy, and did so in very short order. These results have repercussions for model deployment, accessibility, and safeguarding.
From the paper's abstract:
The tension between model confidentiality and public access motivates our investigation of model extraction attacks. In such attacks, an adversary with black-box access, but no prior knowledge of an ML model's parameters or training data, aims to duplicate the functionality of (i.e., "steal") the model. Unlike in classical learning theory settings, ML-as-a-service offerings may accept partial feature vectors as inputs and include confidence values with predictions. Given these practices, we show simple, efficient attacks that extract target ML models with near-perfect fidelity for popular model classes including logistic regression, neural networks, and decision trees. We demonstrate these attacks against the online services of BigML and Amazon Machine Learning. We further show that the natural countermeasure of omitting confidence values from model outputs still admits potentially harmful model extraction attacks. Our results highlight the need for careful ML model deployment and new model extraction countermeasures.
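The abstract's point about confidence values can be made concrete with a small self-audit. The following is an added example written for this spotlight, not code from the paper or its authors: it stands up a hypothetical prediction endpoint for a constructed logistic regression model (the weights are made-up sample values), exposes it under three output policies (exact confidence, confidence rounded to two decimals, class label only), and measures how much of the model's parameters a d+1-query probe of the origin and unit vectors can read back by inverting the sigmoid. It also measures functional fidelity, i.e. how often the reconstructed model agrees with the true one on constructed test inputs, since the paper's warning is that a weakened countermeasure can still yield a useful copy.

```python
import math

# Constructed "deployed" logistic regression; weights and bias are made-up
# sample values standing in for a model a service would keep confidential.
TRUE_WEIGHTS = [1.5, -2.0, 0.75]
TRUE_BIAS = -0.5


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def logit(p):
    return math.log(p / (1.0 - p))


def predict_proba(x, weights=TRUE_WEIGHTS, bias=TRUE_BIAS):
    """Confidence value for the positive class at full float precision."""
    return sigmoid(sum(w * xi for w, xi in zip(weights, x)) + bias)


def make_api(mode, decimals=2):
    """Hypothetical prediction endpoint under one of three output policies:
    'exact' confidence, confidence 'rounded' to `decimals` places, or 'label' only."""
    def api(x):
        p = predict_proba(x)
        if mode == "exact":
            return p
        if mode == "rounded":
            return round(p, decimals)
        if mode == "label":
            return 1.0 if p >= 0.5 else 0.0
        raise ValueError("unknown output policy: %s" % mode)
    return api


def recover_linear_model(api, dim):
    """Leakage probe: query the origin and the `dim` unit vectors (dim + 1
    queries), invert the sigmoid, and read the bias and weights off the logits.
    Returns None when any output is saturated (0 or 1) and has no finite logit."""
    outputs = [api([0.0] * dim)]
    for i in range(dim):
        x = [0.0] * dim
        x[i] = 1.0
        outputs.append(api(x))
    if any(p <= 0.0 or p >= 1.0 for p in outputs):
        return None
    bias = logit(outputs[0])
    weights = [logit(p) - bias for p in outputs[1:]]
    return weights, bias


def max_parameter_error(recovered):
    """Largest absolute gap between recovered and true parameters; inf if the
    probe recovered nothing."""
    if recovered is None:
        return float("inf")
    weights, bias = recovered
    pairs = zip(weights + [bias], TRUE_WEIGHTS + [TRUE_BIAS])
    return max(abs(a - b) for a, b in pairs)


def label_agreement(recovered, points):
    """Fraction of `points` on which the recovered model and the true model
    assign the same class label (functional fidelity rather than parameter accuracy)."""
    if recovered is None:
        return 0.0
    weights, bias = recovered
    same = sum(
        (predict_proba(p, weights, bias) >= 0.5) == (predict_proba(p) >= 0.5)
        for p in points
    )
    return same / len(points)


# Constructed evaluation inputs, chosen away from the decision boundary.
TEST_POINTS = [[1.0, 1.0, 1.0], [0.5, -1.0, 2.0], [-1.0, 0.2, 0.3], [2.0, 2.0, -1.0]]

if __name__ == "__main__":
    for mode in ("exact", "rounded", "label"):
        rec = recover_linear_model(make_api(mode), len(TRUE_WEIGHTS))
        print(mode, "max parameter error:", max_parameter_error(rec),
              "label agreement:", label_agreement(rec, TEST_POINTS))
```

Run against your own endpoint's output policy, the exact-confidence variant gives the parameters back to floating-point precision from four queries; rounding to two decimals perturbs each parameter by a few hundredths yet the reconstructed model still labels the test points identically, and only the label-only policy defeats this particular probe. That matches the abstract's caution: dropping confidence values blocks the simplest equation-solving approach but, as the paper goes on to show, does not on its own make extraction impossible.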
With the advancement of the API economy, the prevalence of the cloud, and the obsession with Everything-as-a-Service as it relates to Big Data and prediction, this research is of obvious interest and consequence.