
Data Extraction from Model APIs

A paper review summary written as part of my coursework in IST597: Trustworthy Machine Learning

Stealing Machine Learning Models via Prediction APIs

Florian Tramèr, Fan Zhang, Ari Juels, Michael K. Reiter, Thomas Ristenpart

Summary

The paper discusses model extraction attacks on machine learning models, particularly in the context of machine learning-as-a-service (MLaaS) providers. It explores different attack scenarios, such as avoiding query charges and violating training-data privacy, and demonstrates successful attacks on various models including logistic regression, neural networks, and decision trees. The paper also discusses potential countermeasures and evaluates different retraining strategies for model extraction. It highlights the security risks associated with exposing model information and suggests safer approaches.

Results

The experimental setups in the paper involved training models on a variety of public datasets to simulate proprietary ones. The experiments were validated locally using standard machine learning libraries. Additionally, case studies were conducted on BigML and Amazon to demonstrate the effectiveness of the model extraction attacks. The experiments on decision trees utilized a varied set of models publicly available on BigML’s platform, which were trained by real Machine Learning as a Service (MLaaS) users, providing a realistic benchmark for the evaluation of the extraction attacks. The paper also used synthetic datasets, including classic examples of non-linearly separable data such as concentric circles and interleaving moons, as well as Gaussian clusters of points assigned to multiple classes.

Strengths

The paper demonstrates the effectiveness of extraction attacks on different machine learning models, including logistic regression, neural networks, and decision trees, by conducting experiments on various public datasets and against machine learning-as-a-service providers such as BigML and Amazon. The attacks are shown to be computationally fast and capable of extracting models matching the targets on 100% of tested inputs. Additionally, the paper highlights the success of simple equation-solving model extraction attacks against Amazon’s service and the extraction of decision trees using a new path-finding algorithm.

Possible directions for future work

The paper presents valuable contributions; however, a few observations remain. First, prediction API minimization may be ineffective as a defense against extraction attacks: the paper notes that even if an API is stripped to provide only class labels, successful attacks remain possible, though at a much higher query cost. Second, the paper acknowledges that ensemble methods such as random forests may be more resilient to extraction, as attackers may only be able to obtain relatively coarse approximations of the target function; however, it also notes that ensemble methods may still be vulnerable to other attacks such as model evasion.
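To make concrete why the paper treats exposed confidence values as a risk, and what API minimization changes, here is an added example (my own illustration, not code from the paper) using a constructed three-feature logistic regression: full-precision confidences let d+1 well-chosen queries solve for the parameters exactly, rounding the confidence perturbs the recovered values, and a label-only API yields no equations to solve at all (the paper's point is that label-only attacks still succeed, but by other means and at far higher query cost).

```python
import math

# Constructed stand-in for a proprietary logistic-regression model behind a
# prediction API. The weights and bias are what an extraction attack targets.
SECRET_W = [1.5, -2.0, 0.75]
SECRET_B = 0.3

def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))

def logit(p):
    """Inverse of sigmoid. A bare label (exactly 0 or 1) has no logit."""
    if not 0.0 < p < 1.0:
        return None
    return math.log(p / (1.0 - p))

def api_confidence(x):
    """Rich API: returns the class-1 probability at full precision."""
    return sigmoid(sum(w * xi for w, xi in zip(SECRET_W, x)) + SECRET_B)

def api_rounded(x, digits=2):
    """Hardened API: confidence rounded to a few decimal places."""
    return round(api_confidence(x), digits)

def api_label(x):
    """Minimized API: class label only, no confidence value."""
    return 1 if api_confidence(x) >= 0.5 else 0

def recover_parameters(oracle, d):
    """Equation-solving recovery from d+1 queries: logit(p(0)) = b and
    logit(p(e_i)) = w_i + b, so each unit-vector query isolates one weight.
    Returns None when the oracle's answers carry no logit (label-only API)."""
    b = logit(oracle([0.0] * d))
    if b is None:
        return None
    w = []
    for i in range(d):
        e_i = [0.0] * d
        e_i[i] = 1.0
        li = logit(oracle(e_i))
        if li is None:
            return None
        w.append(li - b)
    return w, b

def max_abs_error(w, b):
    """Largest deviation of recovered (w, b) from the secret parameters."""
    return max([abs(b - SECRET_B)] + [abs(a - c) for a, c in zip(w, SECRET_W)])
```

Running `recover_parameters` against the three oracles shows exact recovery from raw confidences, a visible error once confidences are rounded, and no recovery from labels alone.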

References

USENIX Security ’16 - Stealing Machine Learning Models via Prediction APIs from https://www.youtube.com/watch?v=BD7RcRLkk_0