ShrewdAttack: Low Cost High Accuracy Model Extraction
Machine learning as a service (MLaaS) plays an essential role in the current ecosystem. Enterprises do not need to train models by themselves separately. Instead, they can use well-trained models provided by MLaaS to support business activities. However, such an ecosystem could be threatened by mode...
Main Authors: | Liu, Yang; Luo, Ji; Yang, Yi; Wang, Xuan; Gheisari, Mehdi; Luo, Feng |
---|---|
Format: | Online Article Text |
Language: | English |
Published: | MDPI 2023 |
Subjects: | |
Online Access: | https://www.ncbi.nlm.nih.gov/pmc/articles/PMC9955283/ https://www.ncbi.nlm.nih.gov/pubmed/36832648 http://dx.doi.org/10.3390/e25020282 |
_version_ | 1784894312693104640 |
---|---|
author | Liu, Yang Luo, Ji Yang, Yi Wang, Xuan Gheisari, Mehdi Luo, Feng |
author_sort | Liu, Yang |
collection | PubMed |
description | Machine learning as a service (MLaaS) plays an essential role in the current ecosystem. Enterprises do not need to train models by themselves separately. Instead, they can use well-trained models provided by MLaaS to support business activities. However, such an ecosystem could be threatened by model extraction attacks—an attacker steals the functionality of a trained model provided by MLaaS and builds a substitute model locally. In this paper, we proposed a model extraction method with low query costs and high accuracy. In particular, we use pre-trained models and task-relevant data to decrease the size of query data. We use instance selection to reduce query samples. In addition, we divided query data into two categories, namely low-confidence data and high-confidence data, to reduce the budget and improve accuracy. We then conducted attacks on two models provided by Microsoft Azure as our experiments. The results show that our scheme achieves high accuracy at low cost, with the substitution models achieving 96.10% and 95.24% substitution while querying only 7.32% and 5.30% of their training data on the two models, respectively. This new attack approach creates additional security challenges for models deployed on cloud platforms. It raises the need for novel mitigation strategies to secure the models. In future work, generative adversarial networks and model inversion attacks can be used to generate more diverse data to be applied to the attacks. |
format | Online Article Text |
id | pubmed-9955283 |
institution | National Center for Biotechnology Information |
language | English |
publishDate | 2023 |
publisher | MDPI |
record_format | MEDLINE/PubMed |
spelling | pubmed-99552832023-02-25 ShrewdAttack: Low Cost High Accuracy Model Extraction Liu, Yang Luo, Ji Yang, Yi Wang, Xuan Gheisari, Mehdi Luo, Feng Entropy (Basel) Article Machine learning as a service (MLaaS) plays an essential role in the current ecosystem. Enterprises do not need to train models by themselves separately. Instead, they can use well-trained models provided by MLaaS to support business activities. However, such an ecosystem could be threatened by model extraction attacks—an attacker steals the functionality of a trained model provided by MLaaS and builds a substitute model locally. In this paper, we proposed a model extraction method with low query costs and high accuracy. In particular, we use pre-trained models and task-relevant data to decrease the size of query data. We use instance selection to reduce query samples. In addition, we divided query data into two categories, namely low-confidence data and high-confidence data, to reduce the budget and improve accuracy. We then conducted attacks on two models provided by Microsoft Azure as our experiments. The results show that our scheme achieves high accuracy at low cost, with the substitution models achieving 96.10% and 95.24% substitution while querying only 7.32% and 5.30% of their training data on the two models, respectively. This new attack approach creates additional security challenges for models deployed on cloud platforms. It raises the need for novel mitigation strategies to secure the models. In future work, generative adversarial networks and model inversion attacks can be used to generate more diverse data to be applied to the attacks. MDPI 2023-02-02 /pmc/articles/PMC9955283/ /pubmed/36832648 http://dx.doi.org/10.3390/e25020282 Text en © 2023 by the authors. https://creativecommons.org/licenses/by/4.0/Licensee MDPI, Basel, Switzerland. 
This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/). |
spellingShingle | Article Liu, Yang Luo, Ji Yang, Yi Wang, Xuan Gheisari, Mehdi Luo, Feng ShrewdAttack: Low Cost High Accuracy Model Extraction |
title | ShrewdAttack: Low Cost High Accuracy Model Extraction |
topic | Article |
url | https://www.ncbi.nlm.nih.gov/pmc/articles/PMC9955283/ https://www.ncbi.nlm.nih.gov/pubmed/36832648 http://dx.doi.org/10.3390/e25020282 |