Journal article
ShrewdAttack: Low Cost High Accuracy Model Extraction
Entropy, Volume: 25, Issue: 2, Start page: 282
Swansea University Author: Yang Liu
PDF | Version of Record
© 2023 by the authors. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license.
DOI (Published version): 10.3390/e25020282
Published in: | Entropy |
---|---|
ISSN: | 1099-4300 |
Published: | MDPI AG 2023 |
URI: | https://cronfa.swan.ac.uk/Record/cronfa67390 |
Abstract: |
Machine learning as a service (MLaaS) plays an essential role in the current ecosystem. Enterprises do not need to train models by themselves separately. Instead, they can use well-trained models provided by MLaaS to support business activities. However, such an ecosystem could be threatened by model extraction attacks—an attacker steals the functionality of a trained model provided by MLaaS and builds a substitute model locally. In this paper, we proposed a model extraction method with low query costs and high accuracy. In particular, we use pre-trained models and task-relevant data to decrease the size of query data. We use instance selection to reduce query samples. In addition, we divided query data into two categories, namely low-confidence data and high-confidence data, to reduce the budget and improve accuracy. We then conducted attacks on two models provided by Microsoft Azure as our experiments. The results show that our scheme achieves high accuracy at low cost, with the substitution models achieving 96.10% and 95.24% substitution while querying only 7.32% and 5.30% of their training data on the two models, respectively. This new attack approach creates additional security challenges for models deployed on cloud platforms. It raises the need for novel mitigation strategies to secure the models. In future work, generative adversarial networks and model inversion attacks can be used to generate more diverse data to be applied to the attacks. |
---|---|
Keywords: | model extraction attack; machine learning; MLaaS |
College: | Faculty of Science and Engineering |
Funders: | This work is supported by Shenzhen Basic Research (General Project) (No. JCYJ20190806142601687), Shenzhen Stable Supporting Program (General Project) (No. GXWD20201230155427003-20200821160539001), Peng Cheng Laboratory Project (Grant No. PCL2021A02), Guangdong Provincial Key Laboratory of Novel Security Intelligence Technologies (2022B1212010005), and Shenzhen Basic Research (Key Project) (No. JCYJ20200109113405927). |
Issue: | 2 |
Start Page: | 282 |