Stealing Machine Learning Models via Prediction APIs

Florian Tramèr (1), Fan Zhang (2), Ari Juels (3), Michael Reiter (4), Thomas Ristenpart (3)
(1) EPFL, (2) Cornell, (3) Cornell Tech, (4) UNC

Goals

§ Machine learning models may be deemed confidential due to
  § Sensitive training data
  § Commercial value
  § Use in security applications
§ In practice, ML models are deployed with public prediction APIs.
§ We show simple, efficient attacks that can steal the model through legitimate prediction queries.

Approach

Model Extraction against MLaaS

[Figure: Model extraction against MLaaS. The data owner trains model f from its DB and deploys it at an ML service; the extraction adversary submits queries x1, …, xq, receives f(x1), …, f(xq), and builds an approximation f̂.]

LR and MLP: Equation-Solving

Making use of the confidence values.
§ Logistic Regression: π β π = π π π
§ Multiclass LR (MLR) and Multilayer Perceptron (MLP): π(π, ππ β π, β¦ , ππ β π) = π. (π)
§ Kernelized LR: Model π(π, πΆ0 β π π, π , β¦ , πΆ4 β π π, π ) = π. (π)

SVM: Retraining

Making use of only the class label.
§ Retraining with uniform queries
§ Line-search retraining
§ Adaptive retraining

Approach cont.

Decision Tree: Path-Finding Attacks

§ We propose a new Path-Finding attack.
§ It exploits the ability to query APIs with incomplete inputs.
§ It also applies to regression trees.

Results

Table shows the number of prediction queries made to the ML API in an attack that extracts a 100% equivalent model:

Service   Model   Data set         Queries   Time (s)
Amazon    LR      Digits           650       70
Amazon    LR      Adult            1,485     149
BigML     DT      German Credits   1,150     632
BigML     DT      Steak Survey     4,013     2,088

Success of equation-solving attacks:

Model     Unknowns   Queries   1-R_test   1-R_unif   Time (s)
Softmax   530        265       99.96%     99.75%     2.6
Softmax   530        530       100.00%    100.00%    3.1
OvR       530        265       99.98%     99.98%     2.8
OvR       530        530       100.00%    100.00%    3.5
MLP       2,225      2,225     98.68%     97.23%     168
MLP       2,225      4,450     99.89%     99.82%     196

Training data extraction

[Figure: Training data extraction. Panels: Training data / Recovered.]

http://silver.web.unc.edu
Cloud Security Horizons Summit, March 2016
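The equation-solving attack on logistic regression, worked through as an added, self-contained example (not the poster's own code, and no real prediction API is contacted): a constructed local toy model with made-up weights stands in for the MLaaS API, d+1 queries yield d+1 linear equations in the d+1 unknowns (w, β), and a second run with the returned confidences rounded to two decimals is an added defender's check, not on the poster, of how limited output precision degrades recovery.

```python
import math
import random

# Constructed toy logistic-regression model standing in for the MLaaS prediction API:
# the attacker only observes f(x) = sigma(w.x + beta), never w or beta themselves.
W_TRUE = [1.5, -2.0, 0.75]
BETA_TRUE = 0.3

def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))

def logit(p):
    p = min(max(p, 1e-9), 1.0 - 1e-9)  # guard against a confidence of exactly 0 or 1
    return math.log(p / (1.0 - p))

def query_api(x, decimals=None):
    """Simulated prediction API: confidence for x, optionally rounded to emulate limited output precision."""
    p = sigmoid(sum(w * xi for w, xi in zip(W_TRUE, x)) + BETA_TRUE)
    return round(p, decimals) if decimals is not None else p

def solve_linear(a, b):
    """Gauss-Jordan elimination with partial pivoting for the square system a z = b."""
    n = len(b)
    m = [row[:] + [bi] for row, bi in zip(a, b)]  # augmented matrix [a | b]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        for r in range(n):
            if r != col:
                factor = m[r][col] / m[col][col]
                m[r] = [mr - factor * mc for mr, mc in zip(m[r], m[col])]
    return [m[i][n] / m[i][i] for i in range(n)]

def extract_lr(d, decimals=None, seed=0):
    """Equation solving: d+1 queries give d+1 linear equations w.x_i + beta = logit(f(x_i)) in (w, beta)."""
    rng = random.Random(seed)
    xs = [[rng.uniform(-1.0, 1.0) for _ in range(d)] for _ in range(d + 1)]
    a = [x + [1.0] for x in xs]  # unknown vector is [w_1, ..., w_d, beta]
    b = [logit(query_api(x, decimals)) for x in xs]
    sol = solve_linear(a, b)
    return sol[:d], sol[d]

def max_abs_error(w_hat, beta_hat):  # largest deviation of the recovered parameters from the hidden ones
    errs = [abs(w - wh) for w, wh in zip(W_TRUE, w_hat)] + [abs(BETA_TRUE - beta_hat)]
    return max(errs)

if __name__ == "__main__":
    print("exact confidences, %d queries: max error %.2e" % (len(W_TRUE) + 1, max_abs_error(*extract_lr(len(W_TRUE)))))
    print("confidences rounded to 2 decimals: max error %.2e" % max_abs_error(*extract_lr(len(W_TRUE), decimals=2)))
```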