PRADA: Protecting against DNN Model Stealing Attacks (1805.02628v5)

Abstract: Machine learning (ML) applications are increasingly prevalent. Protecting the confidentiality of ML models becomes paramount for two reasons: (a) a model can be a business advantage to its owner, and (b) an adversary may use a stolen model to find transferable adversarial examples that can evade classification by the original model. Access to the model can be restricted to be only via well-defined prediction APIs. Nevertheless, prediction APIs still provide enough information to allow an adversary to mount model extraction attacks by sending repeated queries via the prediction API. In this paper, we describe new model extraction attacks using novel approaches for generating synthetic queries, and optimizing training hyperparameters. Our attacks outperform state-of-the-art model extraction in terms of transferability of both targeted and non-targeted adversarial examples (up to +29-44 percentage points, pp), and prediction accuracy (up to +46 pp) on two datasets. We provide take-aways on how to perform effective model extraction attacks. We then propose PRADA, the first step towards generic and effective detection of DNN model extraction attacks. It analyzes the distribution of consecutive API queries and raises an alarm when this distribution deviates from benign behavior. We show that PRADA can detect all prior model extraction attacks with no false positives.

• The paper introduces novel model extraction attacks that improve prediction accuracy by up to 46 percentage points and transferability by 29-44 percentage points.
• The analysis highlights key success factors such as optimized hyperparameter search and the greater value of prediction probabilities over class labels.
• PRADA is a state-of-the-art detection technique that analyzes API query distributions to identify attacks with 100% accuracy and zero false positives.

Overview of PRADA: Protecting Against DNN Model Stealing Attacks

The paper "PRADA: Protecting Against DNN Model Stealing Attacks" addresses the rising threat of model extraction attacks in the machine learning field, particularly for Deep Neural Networks (DNNs). Given the increasing deployment of Machine Learning models in various applications, protecting these models has become paramount. The paper introduces new attack methods that improve upon existing model extraction techniques and proposes a novel defense mechanism, PRADA, to detect such sophisticated attacks effectively.

Key Contributions

1. Novel Model Extraction Attacks: The paper describes advanced model extraction attacks that utilize synthetic query generation and optimization of training hyperparameters. These methods significantly outperform prior attacks in terms of prediction accuracy and the transferability of adversarial examples, showing improvements of 29-44 percentage points in transferability and up to 46 percentage points in prediction accuracy.
2. Analysis of Success Factors: The research provides insights into factors affecting the success of model extraction attacks, highlighting the importance of hyperparameter optimization, prediction probabilities vs. class labels, and architectural choices. It shows that cross-validated hyperparameter search results in better attack performance compared to heuristic or same-model hyperparameter usage.
3. PRADA Detection Technique: PRADA is introduced as a state-of-the-art defense mechanism to detect DNN model extraction attacks. It works by analyzing the distribution of API queries and raising alerts upon deviations from expected benign behavior. PRADA demonstrates a 100% detection rate with no false positives against all prior model extraction attacks assessed.

Implications and Future Directions

The research presented in this paper is highly significant for both academia and industry. The novel attack methods demonstrate the vulnerabilities present in current DNN-based systems, underscoring the need for effective protective measures. By advancing model extraction techniques, the paper provides a baseline for future studies attempting to refine or counteract such attacks.

On the defense side, PRADA's methodology offers a promising approach to safeguard ML models from extraction attempts. By maintaining a distribution of queries and leveraging statistical tests, PRADA provides a generic solution applicable to various models and input data types without requiring knowledge of the target model. The implications of this are considerable, as it shifts the focus towards developing resilient systems that can withstand not only known but also newly devised attacks leveraging synthetic query strategies.

Future work could explore improving the robustness and lowering the overhead of PRADA while exploring its applicability in larger, more complex ML systems like those found in federated learning environments. There is also scope to extend PRADA's functionality to simultaneously detect and mitigate various types of adversarial actions in real-time, reducing the risk of potential false positives or negatives.

In summary, this paper makes significant strides in the domain of adversarial machine learning, offering practical insights and a robust framework for both understanding and defending against DNN model extraction attacks. As the field progresses, the balance between model accessibility and security will remain a critical area of exploration, with PRADA playing a crucial role in this ongoing development.