Journal article 77 views 25 downloads
ShrewdAttack: Low Cost High Accuracy Model Extraction
Yang Liu 
,
Ji Luo,
Yi Yang,
Xuan Wang,
Mehdi Gheisari ,
Feng Luo
,
Ji Luo,
Yi Yang,
Xuan Wang,
Mehdi Gheisari ,
Feng Luo
Entropy, Volume: 25, Issue: 2, Start page: 282
Swansea University Author:
Yang Liu
-
PDF | Version of Record
© 2023 by the authors.This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license.
Download (2.54MB)
DOI (Published version): 10.3390/e25020282
Abstract
Machine learning as a service (MLaaS) plays an essential role in the current ecosystem. Enterprises do not need to train models by themselves separately. Instead, they can use well-trained models provided by MLaaS to support business activities. However, such an ecosystem could be threatened by mode...
| Published in: | Entropy |
|---|---|
| ISSN: | 1099-4300 |
| Published: |
MDPI AG
2023
|
| Online Access: |
Check full text
|
| URI: | https://cronfa.swan.ac.uk/Record/cronfa67390 |
| Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
| first_indexed |
2024-09-20T13:35:36Z |
|---|---|
| last_indexed |
2024-09-20T13:35:36Z |
| id |
cronfa67390 |
| recordtype |
SURis |
| fullrecord |
<?xml version="1.0" encoding="utf-8"?><rfc1807 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><bib-version>v2</bib-version><id>67390</id><entry>2024-08-15</entry><title>ShrewdAttack: Low Cost High Accuracy Model Extraction</title><swanseaauthors><author><sid>ba37dab58c9093dc63c79001565b75d4</sid><ORCID>0000-0003-2486-5765</ORCID><firstname>Yang</firstname><surname>Liu</surname><name>Yang Liu</name><active>true</active><ethesisStudent>false</ethesisStudent></author></swanseaauthors><date>2024-08-15</date><deptcode>MACS</deptcode><abstract>Machine learning as a service (MLaaS) plays an essential role in the current ecosystem. Enterprises do not need to train models by themselves separately. Instead, they can use well-trained models provided by MLaaS to support business activities. However, such an ecosystem could be threatened by model extraction attacks—an attacker steals the functionality of a trained model provided by MLaaS and builds a substitute model locally. In this paper, we proposed a model extraction method with low query costs and high accuracy. In particular, we use pre-trained models and task-relevant data to decrease the size of query data. We use instance selection to reduce query samples. In addition, we divided query data into two categories, namely low-confidence data and high-confidence data, to reduce the budget and improve accuracy. We then conducted attacks on two models provided by Microsoft Azure as our experiments. The results show that our scheme achieves high accuracy at low cost, with the substitution models achieving 96.10% and 95.24% substitution while querying only 7.32% and 5.30% of their training data on the two models, respectively. This new attack approach creates additional security challenges for models deployed on cloud platforms. It raises the need for novel mitigation strategies to secure the models. In future work, generative adversarial networks and model inversion attacks can be used to generate more diverse data to be applied to the attacks.</abstract><type>Journal Article</type><journal>Entropy</journal><volume>25</volume><journalNumber>2</journalNumber><paginationStart>282</paginationStart><paginationEnd/><publisher>MDPI AG</publisher><placeOfPublication/><isbnPrint/><isbnElectronic/><issnPrint/><issnElectronic>1099-4300</issnElectronic><keywords>model extraction attack; machine learning; MLaaS</keywords><publishedDay>2</publishedDay><publishedMonth>2</publishedMonth><publishedYear>2023</publishedYear><publishedDate>2023-02-02</publishedDate><doi>10.3390/e25020282</doi><url/><notes/><college>COLLEGE NANME</college><department>Mathematics and Computer Science School</department><CollegeCode>COLLEGE CODE</CollegeCode><DepartmentCode>MACS</DepartmentCode><institution>Swansea University</institution><apcterm/><funders>This work is supported by Shenzhen Basic Research (General Project) (No. JCYJ20190806142601687), Shenzhen Stable Supporting Program (General Project) (No. GXWD20201230155427003-20200821160539001), Peng Cheng Laboratory Project (Grant No. PCL2021A02), Guangdong Provincial Key Laboratory of Novel Security Intelligence Technologies (2022B1212010005), and Shenzhen Basic Research (Key Project) (No. JCYJ20200109113405927).</funders><projectreference/><lastEdited>2024-09-20T14:37:25.7383287</lastEdited><Created>2024-08-15T16:59:58.0646835</Created><path><level id="1">Faculty of Science and Engineering</level><level id="2">School of Mathematics and Computer Science - Computer Science</level></path><authors><author><firstname>Yang</firstname><surname>Liu</surname><orcid>0000-0003-2486-5765</orcid><order>1</order></author><author><firstname>Ji</firstname><surname>Luo</surname><order>2</order></author><author><firstname>Yi</firstname><surname>Yang</surname><order>3</order></author><author><firstname>Xuan</firstname><surname>Wang</surname><order>4</order></author><author><firstname>Mehdi</firstname><surname>Gheisari</surname><orcid>0000-0002-5643-0021</orcid><order>5</order></author><author><firstname>Feng</firstname><surname>Luo</surname><order>6</order></author></authors><documents><document><filename>67390__31418__c2b3795407474457a797f388a1a8e137.pdf</filename><originalFilename>67390.VoR.pdf</originalFilename><uploaded>2024-09-20T14:36:06.4011357</uploaded><type>Output</type><contentLength>2664762</contentLength><contentType>application/pdf</contentType><version>Version of Record</version><cronfaStatus>true</cronfaStatus><documentNotes>© 2023 by the authors.This article is an open access article distributed under the terms and
conditions of the Creative Commons Attribution (CC BY) license.</documentNotes><copyrightCorrect>true</copyrightCorrect><language>eng</language><licence>https://creativecommons.org/licenses/by/4.0/</licence></document></documents><OutputDurs/></rfc1807> |
| spelling |
v2 67390 2024-08-15 ShrewdAttack: Low Cost High Accuracy Model Extraction ba37dab58c9093dc63c79001565b75d4 0000-0003-2486-5765 Yang Liu Yang Liu true false 2024-08-15 MACS Machine learning as a service (MLaaS) plays an essential role in the current ecosystem. Enterprises do not need to train models by themselves separately. Instead, they can use well-trained models provided by MLaaS to support business activities. However, such an ecosystem could be threatened by model extraction attacks—an attacker steals the functionality of a trained model provided by MLaaS and builds a substitute model locally. In this paper, we proposed a model extraction method with low query costs and high accuracy. In particular, we use pre-trained models and task-relevant data to decrease the size of query data. We use instance selection to reduce query samples. In addition, we divided query data into two categories, namely low-confidence data and high-confidence data, to reduce the budget and improve accuracy. We then conducted attacks on two models provided by Microsoft Azure as our experiments. The results show that our scheme achieves high accuracy at low cost, with the substitution models achieving 96.10% and 95.24% substitution while querying only 7.32% and 5.30% of their training data on the two models, respectively. This new attack approach creates additional security challenges for models deployed on cloud platforms. It raises the need for novel mitigation strategies to secure the models. In future work, generative adversarial networks and model inversion attacks can be used to generate more diverse data to be applied to the attacks. Journal Article Entropy 25 2 282 MDPI AG 1099-4300 model extraction attack; machine learning; MLaaS 2 2 2023 2023-02-02 10.3390/e25020282 COLLEGE NANME Mathematics and Computer Science School COLLEGE CODE MACS Swansea University This work is supported by Shenzhen Basic Research (General Project) (No. JCYJ20190806142601687), Shenzhen Stable Supporting Program (General Project) (No. GXWD20201230155427003-20200821160539001), Peng Cheng Laboratory Project (Grant No. PCL2021A02), Guangdong Provincial Key Laboratory of Novel Security Intelligence Technologies (2022B1212010005), and Shenzhen Basic Research (Key Project) (No. JCYJ20200109113405927). 2024-09-20T14:37:25.7383287 2024-08-15T16:59:58.0646835 Faculty of Science and Engineering School of Mathematics and Computer Science - Computer Science Yang Liu 0000-0003-2486-5765 1 Ji Luo 2 Yi Yang 3 Xuan Wang 4 Mehdi Gheisari 0000-0002-5643-0021 5 Feng Luo 6 67390__31418__c2b3795407474457a797f388a1a8e137.pdf 67390.VoR.pdf 2024-09-20T14:36:06.4011357 Output 2664762 application/pdf Version of Record true © 2023 by the authors.This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license. true eng https://creativecommons.org/licenses/by/4.0/ |
| title |
ShrewdAttack: Low Cost High Accuracy Model Extraction |
| spellingShingle |
ShrewdAttack: Low Cost High Accuracy Model Extraction Yang Liu |
| title_short |
ShrewdAttack: Low Cost High Accuracy Model Extraction |
| title_full |
ShrewdAttack: Low Cost High Accuracy Model Extraction |
| title_fullStr |
ShrewdAttack: Low Cost High Accuracy Model Extraction |
| title_full_unstemmed |
ShrewdAttack: Low Cost High Accuracy Model Extraction |
| title_sort |
ShrewdAttack: Low Cost High Accuracy Model Extraction |
| author_id_str_mv |
ba37dab58c9093dc63c79001565b75d4 |
| author_id_fullname_str_mv |
ba37dab58c9093dc63c79001565b75d4_***_Yang Liu |
| author |
Yang Liu |
| author2 |
Yang Liu Ji Luo Yi Yang Xuan Wang Mehdi Gheisari Feng Luo |
| format |
Journal article |
| container_title |
Entropy |
| container_volume |
25 |
| container_issue |
2 |
| container_start_page |
282 |
| publishDate |
2023 |
| institution |
Swansea University |
| issn |
1099-4300 |
| doi_str_mv |
10.3390/e25020282 |
| publisher |
MDPI AG |
| college_str |
Faculty of Science and Engineering |
| hierarchytype |
|
| hierarchy_top_id |
facultyofscienceandengineering |
| hierarchy_top_title |
Faculty of Science and Engineering |
| hierarchy_parent_id |
facultyofscienceandengineering |
| hierarchy_parent_title |
Faculty of Science and Engineering |
| department_str |
School of Mathematics and Computer Science - Computer Science{{{_:::_}}}Faculty of Science and Engineering{{{_:::_}}}School of Mathematics and Computer Science - Computer Science |
| document_store_str |
1 |
| active_str |
0 |
| description |
Machine learning as a service (MLaaS) plays an essential role in the current ecosystem. Enterprises do not need to train models by themselves separately. Instead, they can use well-trained models provided by MLaaS to support business activities. However, such an ecosystem could be threatened by model extraction attacks—an attacker steals the functionality of a trained model provided by MLaaS and builds a substitute model locally. In this paper, we proposed a model extraction method with low query costs and high accuracy. In particular, we use pre-trained models and task-relevant data to decrease the size of query data. We use instance selection to reduce query samples. In addition, we divided query data into two categories, namely low-confidence data and high-confidence data, to reduce the budget and improve accuracy. We then conducted attacks on two models provided by Microsoft Azure as our experiments. The results show that our scheme achieves high accuracy at low cost, with the substitution models achieving 96.10% and 95.24% substitution while querying only 7.32% and 5.30% of their training data on the two models, respectively. This new attack approach creates additional security challenges for models deployed on cloud platforms. It raises the need for novel mitigation strategies to secure the models. In future work, generative adversarial networks and model inversion attacks can be used to generate more diverse data to be applied to the attacks. |
| published_date |
2023-02-02T14:37:24Z |
| _version_ |
1810722396961767424 |
| score |
11.031947 |