I Know What You Trained Last Summer: A Survey on Stealing Machine Learning Models and Defences
Our article “I Know What You Trained Last Summer: A Survey on Stealing Machine Learning Models and Defences” by Daryna Oliynyk, Rudolf Mayer and Andreas Rauber, researchers at SBA Research, was just published by ACM Computing Surveys. The survey paper provides an extensive overview of the main security threat concerning intellectual property protection of machine learning models: model stealing. It covers more than 100 related works, provides a categorisation for both attacks and defences and depicts the current status of their standoff. Additionally, it provides guidelines for picking the most suitable attack (or defence) strategy based on capabilities and goals.
Title
I Know What You Trained Last Summer: A Survey on Stealing Machine Learning Models and Defences
Authors
Daryna Oliynyk, Rudolf Mayer and Andreas Rauber
Journal
ACM Computing Surveys, Volume 55, Issue 14s
Abstract
Machine-Learning-as-a-Service (MLaaS) has become a widespread paradigm, making even the most complex Machine Learning models available for clients via, e.g., a pay-per-query principle. This allows users to avoid time-consuming processes of data collection, hyperparameter tuning, and model training. However, by giving their customers access to the (predictions of their) models, MLaaS providers endanger their intellectual property such as sensitive training data, optimised hyperparameters, or learned model parameters. In some cases, adversaries can create a copy of the model with (almost) identical behaviour using the the prediction labels only. While many variants of this attack have been described, only scattered defence strategies that address isolated threats have been proposed. To arrive at a comprehensive understanding why these attacks are successful and how they could be holistically defended against, a thorough systematisation of the field of model stealing is necessary. We address this by categorising and comparing model stealing attacks, assessing their performance, and exploring corresponding defence techniques in different settings. We propose a taxonomy for attack and defence approaches and provide guidelines on how to select the right attack or defence strategy based on the goal and available resources. Finally, we analyse which defences are rendered less effective by current attack strategies.