ShrewdAttack: Low Cost High Accuracy Model Extraction

Machine learning as a service (MLaaS) plays an essential role in the current ecosystem. Enterprises do not need to train models by themselves separately. Instead, they can use well-trained models provided by MLaaS to support business activities. However, such an ecosystem could be threatened by mode...

Bibliographic Details
Main Authors: Liu, Yang; Luo, Ji; Yang, Yi; Wang, Xuan; Gheisari, Mehdi; Luo, Feng
Format: Online Article Text
Language: English
Published: MDPI 2023
Subjects:
Online Access: https://www.ncbi.nlm.nih.gov/pmc/articles/PMC9955283/
https://www.ncbi.nlm.nih.gov/pubmed/36832648
http://dx.doi.org/10.3390/e25020282
_version_ 1784894312693104640
author Liu, Yang
Luo, Ji
Yang, Yi
Wang, Xuan
Gheisari, Mehdi
Luo, Feng
collection PubMed
description Machine learning as a service (MLaaS) plays an essential role in the current ecosystem. Enterprises do not need to train models by themselves separately. Instead, they can use well-trained models provided by MLaaS to support business activities. However, such an ecosystem could be threatened by model extraction attacks—an attacker steals the functionality of a trained model provided by MLaaS and builds a substitute model locally. In this paper, we proposed a model extraction method with low query costs and high accuracy. In particular, we use pre-trained models and task-relevant data to decrease the size of query data. We use instance selection to reduce query samples. In addition, we divided query data into two categories, namely low-confidence data and high-confidence data, to reduce the budget and improve accuracy. We then conducted attacks on two models provided by Microsoft Azure as our experiments. The results show that our scheme achieves high accuracy at low cost, with the substitution models achieving 96.10% and 95.24% substitution while querying only 7.32% and 5.30% of their training data on the two models, respectively. This new attack approach creates additional security challenges for models deployed on cloud platforms. It raises the need for novel mitigation strategies to secure the models. In future work, generative adversarial networks and model inversion attacks can be used to generate more diverse data to be applied to the attacks.
format Online
Article
Text
id pubmed-9955283
institution National Center for Biotechnology Information
language English
publishDate 2023
publisher MDPI
record_format MEDLINE/PubMed
spelling pubmed-99552832023-02-25 ShrewdAttack: Low Cost High Accuracy Model Extraction Liu, Yang Luo, Ji Yang, Yi Wang, Xuan Gheisari, Mehdi Luo, Feng Entropy (Basel) Article Machine learning as a service (MLaaS) plays an essential role in the current ecosystem. Enterprises do not need to train models by themselves separately. Instead, they can use well-trained models provided by MLaaS to support business activities. However, such an ecosystem could be threatened by model extraction attacks—an attacker steals the functionality of a trained model provided by MLaaS and builds a substitute model locally. In this paper, we proposed a model extraction method with low query costs and high accuracy. In particular, we use pre-trained models and task-relevant data to decrease the size of query data. We use instance selection to reduce query samples. In addition, we divided query data into two categories, namely low-confidence data and high-confidence data, to reduce the budget and improve accuracy. We then conducted attacks on two models provided by Microsoft Azure as our experiments. The results show that our scheme achieves high accuracy at low cost, with the substitution models achieving 96.10% and 95.24% substitution while querying only 7.32% and 5.30% of their training data on the two models, respectively. This new attack approach creates additional security challenges for models deployed on cloud platforms. It raises the need for novel mitigation strategies to secure the models. In future work, generative adversarial networks and model inversion attacks can be used to generate more diverse data to be applied to the attacks. MDPI 2023-02-02 /pmc/articles/PMC9955283/ /pubmed/36832648 http://dx.doi.org/10.3390/e25020282 Text en © 2023 by the authors. https://creativecommons.org/licenses/by/4.0/Licensee MDPI, Basel, Switzerland. 
This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
topic Article