SeInspect: Defending Model Stealing via Heterogeneous Semantic Inspection

Abstract

Recent works developed an emerging attack, called Model Stealing (MS), to steal the functionalities of remote models, rendering the privacy of cloud-based machine learning services under threat. In this paper, we propose a new defense against MS attacks, using Semantic Inspection (called SeInspect). SeInspect mainly achieves two breakthroughs in this line of work. First, state-of-the-art MS attacks tend to craft malicious queries within a distribution close to benign ones. Such a characteristic increases the stealthiness of these attacks and makes them able to circumvent most of the existing MS defenses. In SeInspect, we introduce a semantic feature based detection method to amplify the query distribution discrepancy between malicious and benign users. Thus, SeInspect can detect stealthy MS attacks with a higher detection rate than existing defenses. Second, in our evaluation, we notice that existing defenses cause significantly increased response latency of model service due to repetfitive user-by-user inspection (e.g., increased by 7.01 times for PRADA, EuroS &P 2019). To mitigate the problem, we propose to analyze semantic features with a two-layer defense mechanism. The first layer can achieve a “quickshot” on users in batches and pick out all potentially malicious users. Then, the second layer identifies the attacker in a user-by-user manner. In our evaluation, we experiment with SeInspect on eight typical MS attacks. The result shows that SeInspect can detect two more attacks than prior works while reducing latency by at least \(54.00\%\).

A Appendix

1.1 A.1 Maximum Mean Discrepancy

The maximum mean discrepancy (MMD) measures the closeness between two distributions \(\mathbb {P}\) and \(\mathbb {Q}\) [33], represented as:

$$\begin{aligned} \begin{aligned} \text {MMD}(\mathcal {F},\mathbb {P},\mathbb {Q}) = \sup _{f\in \mathcal {F}} \left| \mathbb {E}_{X\sim \mathbb {P}}[f(X)] - \mathbb {E}_{Y\sim \mathbb {Q}}[f(Y)] \right| . \end{aligned} \end{aligned}$$

(12)

where \(\mathcal {F}\) is a set containing all continuous functions, X and Y are independent and identically distributed (iid) datasets. The MMD depends on \(\mathcal {F}\). To ensure that the test of MMD is consistent in power, thus providing an analytic solution, \(\mathcal {F}\) is restricted to be a unit ball in the reproducing kernel Hilbert space (RKHS). Thereby the kernel based MMD is defined as:

$$\begin{aligned} \begin{aligned} \text {MMD}(\mathcal {F},\mathbb {P},\mathbb {Q}) = \sup _{f\in \mathcal {H}, \left\| f \right\| _{\mathcal {H} \le 1 } }\left| \mathbb {E}_{X\sim \mathbb {P}}[f(X)] - \mathbb {E}_{Y\sim \mathbb {Q}}[f(Y)] \right| . \end{aligned} \end{aligned}$$

(13)

where k is a kernel regarding RKHS \(\mathcal {H}_k\).

1.2 B.2 Settings of the Global Monitor

In our experiments, three types of global monitors are evaluated: RF, XGBoost and LightGBM. The final output of the global monitor is based on “one-vote veto” mechanism of four sub-models:

$$\begin{aligned} \begin{aligned} \mathcal {M_G}&=\{ \mathcal {M}^1_{\mathcal {G}}, \mathcal {M}^2_{\mathcal {G}}, \mathcal {M}^3_{\mathcal {G}}, \mathcal {M}^4_{\mathcal {G}} \} , \\ s.t., \mathcal {M_G}(x)&= \mathcal {M}^{1}_{\mathcal {G}}(x) \vee \mathcal {M}^{2}_{\mathcal {G}}(x) \vee \mathcal {M}^{3}_{\mathcal {G}}(x) \vee \mathcal {M}^{4}_{\mathcal {G}}(x). \end{aligned} \end{aligned}$$

(14)

where x denotes an input. The four sub-models focus on different proportions of attack samples, which are \([10\%, 25\%)\), \([25\%, 40\%)\), \([40\%, 70\%)\) and \([70\%, 100\%)\). To better detect attack samples with low proportion, we limit the proportions of attack samples of \(\mathcal {M}^{1}_{\mathcal {G}}(x)\) and \(\mathcal {M}^{2}_{\mathcal {G}}(x)\) within a smaller scale. Here we give a detailed description of each sub-model in Table 7.

Table 6. Test set accuracy (%) of the surrogate model obtained by MS attackers, when the target model is deployed with different defenses on FashionMNIST. ‘Accuracy’ (%) denotes accuracy of the surrogate model when the attack is detected. ‘Reduction’ (%) indicates the reduction of test set accuracy caused by defense. ‘Reduction’ (%) indicates the reduction of test set accuracy caused by defenses. ‘Top’ (%) represents the highest test set accuracy of the surrogate model without defense and budget constraints. ‘-’ denotes the defender fails to detect the attack within the query budget.

Table 7. Settings of the global monitors (RF, XGBoost and LightGBM) on FashionMNIST and SVHN.

1.3 C.3 Accuracy Reduction on FashionMNSIT

We present the accuracy reduction of three defenses (FashionMNIST) in Table 6. Compared with PRADA, SeInspect reduces accuracy by \(12.67\%\). It is notable that, SeInspect causes a more significant accuracy reduction on SVHN than on FashionMNIST (especially on type-2 attacks T-RND-FGSM and COLOR), because the surrogate model on FashionMNIST can be trained by much fewer queries than on SVHN.