View Submission - EcoSta2024
A0456
Title: Model privacy: A unified framework to understand model stealing attack and defense
Authors: Ganghua Wang - University of Minnesota (United States) [presenting]
Jie Ding - University of Minnesota (United States)
Yuhong Yang - University of Minnesota (United States)
Abstract: The use of machine learning (ML) has become increasingly prevalent in various domains, thereby highlighting the importance of understanding and ensuring its safety. One pressing concern is the vulnerability of ML applications to model-stealing attacks, where adversaries attempt to recover a learned model from limited query-response interactions, such as through cloud-based services or on-chip artificial intelligence (AI) interfaces. Existing literature has proposed various attack and defense strategies; however, they often lack a theoretical foundation and a standardized evaluation criterion for their efficacy. In response, a framework called "Model Privacy" is presented, providing a foundation for comprehensively analyzing model stealing attacks and defenses. In particular, a rigorous formulation of the threat model and objectives is established, approaches that quantify the goodness of attack and defense strategies are proposed, and fundamental tradeoffs between the utility and privacy of ML models are analyzed. The developed theory offers valuable insights for enhancing the security of ML models, illustrated by various regression learning scenarios, including those based on k-nearest neighbors, polynomials, reproducing kernels, and neural networks. The importance of breaking data independence is also highlighted in devising powerful defenses. Moreover, this framework exhibits intimate connections to other critical AI areas, such as teacher-student learning.
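As an added illustration of the utility/privacy tradeoff the abstract describes, the following example (written for this page, not code from the authors or their framework) sets up a constructed polynomial regression service that answers queries with perturbed responses, and measures two defenses with the same per-query perturbation scale: independent noise on each response versus a perturbation that is shared across all queries (one way of breaking independence). The attack error is the distance between a least-squares fit of the query-response pairs and the true coefficients; the utility cost is the RMS deviation a benign user sees. The victim coefficients, the noise scale, the choice of a random-sign shared offset and the query grid are all assumptions made for the example, and the specific defenses are not claimed to be the ones studied in the paper.

```python
import random
import math

# Constructed "victim" model: a quadratic regression function that is exposed only
# through query -> response calls. Coefficients are made up for this example.
TRUE_COEF = [1.0, -2.0, 0.5]      # f(x) = 1 - 2x + 0.5x^2
SIGMA = 0.5                        # per-query perturbation scale shared by both defenses
DEGREE = 2


def f_true(x):
    return sum(c * x ** k for k, c in enumerate(TRUE_COEF))


class DefendedService:
    """Query interface returning perturbed responses (assumed defense variants).

    mode="iid":       each response gets an independent N(0, SIGMA^2) perturbation.
    mode="dependent": one offset of magnitude SIGMA with a random sign is drawn when
                      the service is deployed and added to every response, so the
                      perturbations are perfectly correlated across queries.
    Both modes impose the same per-query RMS perturbation on a benign user.
    """

    def __init__(self, mode, seed=0):
        self.mode = mode
        self.rng = random.Random(seed)
        self.shared_offset = SIGMA * self.rng.choice([-1.0, 1.0])

    def query(self, x):
        if self.mode == "iid":
            return f_true(x) + self.rng.gauss(0.0, SIGMA)
        return f_true(x) + self.shared_offset


def solve_linear(a, b):
    """Solve a small dense system a @ x = b by Gauss-Jordan elimination with pivoting."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[pivot] = m[pivot], m[col]
        for r in range(n):
            if r != col:
                factor = m[r][col] / m[col][col]
                for c in range(col, n + 1):
                    m[r][c] -= factor * m[col][c]
    return [m[i][n] / m[i][i] for i in range(n)]


def fit_polynomial(xs, ys, degree=DEGREE):
    """Least-squares polynomial fit of (query, response) pairs via the normal equations."""
    p = degree + 1
    xtx = [[sum(x ** (i + j) for x in xs) for j in range(p)] for i in range(p)]
    xty = [sum(y * x ** i for x, y in zip(xs, ys)) for i in range(p)]
    return solve_linear(xtx, xty)


def evaluate_defense(mode, n_queries, seed=0):
    """Return (attack_error, utility_cost) for a defense under n_queries queries.

    attack_error: L2 distance between the least-squares coefficient estimate obtained
                  from the responses and the true coefficients (how well the model
                  could be reconstructed from the interface).
    utility_cost: RMS deviation of the perturbed responses from f(x), i.e. the accuracy
                  a benign user gives up for the defense.
    """
    service = DefendedService(mode, seed)
    # Queries on an evenly spaced grid over [-1, 1] (constructed query set).
    xs = [-1.0 + 2.0 * i / (n_queries - 1) for i in range(n_queries)]
    ys = [service.query(x) for x in xs]
    est = fit_polynomial(xs, ys)
    attack_error = math.sqrt(sum((e - t) ** 2 for e, t in zip(est, TRUE_COEF)))
    utility_cost = math.sqrt(sum((y - f_true(x)) ** 2 for x, y in zip(xs, ys)) / n_queries)
    return attack_error, utility_cost


if __name__ == "__main__":
    for mode in ("iid", "dependent"):
        for n in (20, 5000):
            err, cost = evaluate_defense(mode, n)
            print(f"{mode:9s} n={n:5d}  attack_error={err:.4f}  utility_cost={cost:.4f}")
```

Running it shows the point the abstract makes about independence: with independent noise the reconstruction error shrinks as the query budget grows, because averaging over many responses cancels the perturbation, while the shared offset costs the benign user the same per-query accuracy but leaves a reconstruction error of about SIGMA no matter how many queries are issued. A defender can use the same two numbers, reconstruction error against utility cost, to compare candidate perturbation schemes before deploying them.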