Model Stealing Attacks and Defenses: Where Are We Now?

The success of deep learning in many application domains has been nothing short of dramatic. This has brought the spotlight onto security and privacy concerns with machine learning (ML). One such concern is the threat of model theft. I will discuss work on exploring the threat of model theft, especially in the form of “model extraction attacks” — when a model is made available to customers via an inference interface, a malicious customer can use repeated queries to this interface and use the information gained to construct a surrogate model. I will also discuss possible countermeasures, focusing on deterrence mechanisms that allow for model ownership resolution (MOR) based on watermarking or fingerprinting. In particular, I will discuss the robustness of MOR schemes. I will touch on the issue of conflicts that arise when protection mechanisms for multiple different threats need to be applied simultaneously to a given ML model, using MOR techniques as a case study.

This talk is based on work done with my students and collaborators, including Buse Atli Tekgul, Jian Liu, Mika Juuti, Rui Zhang, Samuel Marchal, and Sebastian Szyller. The work was funded in part by Intel Labs in the context of the Private AI consortium.