cloudleak
play

CloudLeak: Large-Scale Deep Learning Models Stealing Through - PowerPoint PPT Presentation

Nov 04, 2022 •223 likes •468 views

CloudLeak: Large-Scale Deep Learning Models Stealing Through Adversarial Examples Honggang Yu 1 , Kaichen Yang 1 , Teng Zhang 2 , Yun-Yun Tsai 3 , Tsung-Yi Ho 3 , Yier Jin 1 1 University of Florida, 2 University of Central Florida, 3 National

  1. CloudLeak: Large-Scale Deep Learning Models Stealing Through Adversarial Examples Honggang Yu 1 , Kaichen Yang 1 , Teng Zhang 2 , Yun-Yun Tsai 3 , Tsung-Yi Ho 3 , Yier Jin 1 1 University of Florida, 2 University of Central Florida, 3 National Tsing Hua University Email: yier.jin@ece.ufl.edu 1 April 3, 2020 – NDSS 2020

  2. Outline Background and Motivation § AI Interface API in Cloud § Existing Attacks and Defenses Adversarial Examples based Model Stealing § Adversarial Examples § Adversarial Active Learning § FeatureFool § MLaaS Model Stealing Attacks Case Study § Commercial APIs hosted by Microsoft, Face++, IBM, Google and Clarifai Defenses Conclusions 2 April 3, 2020

  3. Success of DNN “Perceptron” “Multi-Layer Perceptron” “Deep Convolutional Neural Network” DNN based systems are widely used in various applications: Revolution of DNN Struture 1E+10 160 152 7M 61M 60M 100000000 138M # Parameters 120 # Layers 1000000 80 10000 40 22 100 16 8 1 0 AlexNet VGG-16 GoogLeNet ResNet-152 Parameters Layers 3 April 3, 2020

  4. Commercialized DNN Machine Learning as a Service (MLaaS) § Google Cloud Platform, IBM Watson Visual Recognition, and Microsoft Azure Intelligent Computing System (ICS) § TensorFlow Lite, Pixel Visual Core (in Pixel 2), and Nvidia Jetson TX 4 April 3, 2020

  5. Machine Learning as a Service Training API Prediction API Sensitive Data Black-box Inputs Outputs Dataset Goal 1: Rich Goal 2: Model Prediction API Confidentiality User Suppliers $$$ per query Overview of MLaaS Working Flow 5 April 3, 2020

  6. Machine Learning as a Service Model Confidence Services Products and Solutions Customization Function Black-box Monetize Types Scores √ √ √ √ Custom Vision Traffic Recognition NN Microsoft √ √ √ √ Custom Vision Flower Recognition NN Face Emotion × √ √ √ Face++ Emotion Recognition API NN Verification √ √ √ √ IBM Watson Visual Recognition Face Recognition NN √ √ √ √ Google AutoML Vision Flower Recognition NN Offensive Content × √ √ √ Clarifai Not Safe for Work (NSFW) NN Moderation 6 April 3, 2020

  7. Model Stealing Attacks Various model stealing attacks have been developed None of them can achieve a good tradeoffs among query counts, accuracy, cost, etc. Proposed Attacks Parameter Size Queries Accuracy Black-box? Stealing Cost √ F. Tramer (USENIX’16) ~ 45k ~ 102k High Low √ Juuti (EuroS&P’19) ~10M ~ 111k High - √ Correia-Silva (IJCNN’18) ~ 200M ~66k High High √ Papernot (AsiaCCS’17) ~ 100M ~7k Low - 7 April 3, 2020

  8. Adversarial Example based Model Stealing 8 April 3, 2020

  9. Adversarial Examples in DNN Adversarial examples are model inputs generated by an adversary to fool deep learning models. “source example” “adversarial perturbation” “advesarial example” “target label” � = = + Goodfellow et al, 2014 9 April 3, 2020

  10. Adversarial Examples Source Non-Feature-based Adversarial § Projected Gradient Descent (PGD) attack § C&W Attack Source Adversarial Feature-based Carlini et al, 2017 § Feature adversary attack § FeatureFool Source Guide Adversarial Adversarial Perturbation Perturbation Guide Source 10 April 3, 2020

  11. A Simplified View of Adversarial Examples f x < ( ) 0 Source example Medium-confidence legitimate example Minimum-confidence legitimate example Minimum-confidence adversarial example Medium-confidence adversarial example Maximum-confidence adversarial example f x > ( ) 0 A high-level illustration of the adversarial example generation 11 April 3, 2020

  12. Adversarial Active Learning We gather a set of “useful examples” to train a substitute model with the performance similar to the black-box model. f x < ( ) 0 Source example Medium-confidence legitimate example Medium-confidence adversarial example Maximum-confidence adversarial example Minimum-confidence legitimate example Minimum-confidence adversarial example “Useful examples” f x > ( ) 0 Illustration of the margin-based uncertainty sampling strategy. 12 April 3, 2020

  13. FeatureFool: Margin-based Adversarial Examples To reduce the scale of the perturbation, we further propose a feature-based attack to generate more robust adversarial examples. § Attack goal: Low confidence score for true class (we use ! to control the confidence score). * , ( ) + - . /011 2,3 ( ) * minimize ' ( ) * ∈ [0,1] ? such that ( ) * , we formally define it as: For the triplet loss /011 2,3 ( ) * = max(C ∅ E ( ) * , ∅ E ( F /011 2,3 ( ) − * , ∅ E ( ) C ∅ E ( ) + !, 0) § In order to solve the reformulated optimization problem above, we apply the box- constrained L-BFGS for finding a minimum of the loss function. 13 April 3, 2020

  14. FeatureFool: A New Adversarial Attack (a) Source image (b) Adversarial perturbation (d) Feature Extractor (e) Salient Features + &(" # + $) " # $ (c) Guide Image &(" % ) L-BFGS " % (1) Input an image and extract the corresponding n-th layer feature mapping using the feature extractor; (2) Compute the class salience map to decide which points of feature mapping should be modified; (3) Search for the minimum perturbation that satisfies the optimization formula. 14 April 3, 2020

  15. FeatureFool: A New Adversarial Attack Source Adversarial Source Guide Guide Adversarial Source Adversarial Guide Neutral: Happy: Happy: 0.99 √ 0.98 √ 0.01 × 15 April 3, 2020

  16. MLaaS Model Stealing Attacks Our attack approach: § Use all adversarial examples to generate the malicious inputs; § Obtain input-output pairs by querying black-box APIs with malicious inputs; § Retrain the substitute models which are generally chosen from candidate Model Zoo. Candidate Library MLaaS Adversary Model Zoo (AlexNet, VGGNet, Inputs ResNet) Search Malicious Examples Outputs (PGD, C&W, FeatureFool) Illustration of the proposed MLaaS model stealing attacks 16 April 3, 2020

  17. MLaaS Model Stealing Attacks Overview of the transfer framework for the model theft attack (a) Unlabeled Synthetic Datatset (c) Synthetic (d) Feature Transfer (b) MLaaS (e) Prediction Source Domain Dataset with Query Stolen Labels ? DB Problem Domain Retrained Layers Reused Layers Layer copied from Teacher Layer trained by Student (Adversary) (1) Generate unlabeled dataset (2) Query MLaaS (3) Use transfer learning method to retrain the substitute model 17 April 3, 2020

  18. Example: Emotion Classification Procedure to extract a copy of the Emotion Classification model 1) Choose a more complex/relevant network, e.g., VGGFace. 2) Generate/Collect images relevant to the classification problem in source domain and in problem domain (relevant queries). 3) MLaaS query. 4) Local model training based on the cloud query results. Architecture Choice for stealing Face++ Emotion Classification API (A = 0.68k; B = 1.36k; C = 2.00k) 18 April 3, 2020

  19. Experimental Results Adversarial perturbations result in a more successful transfer set. In most cases, our FeatureFool method achieves the same level of accuracy with fewer queries than other methods Dataset Service Model Price ($) Queries RS PGD CW FA FF 0.43k 10.21% 10.49% 12.10% 11.64% 15.96% 0.43 1.29k 45.30% 59.91% 61.25% 49.25% 66.91% 1.29 Traffic 2.15k 70.03% 72.20% 74.94% 71.30% 76.05% 2.15 Microsoft 0.51k 26.27% 27.84% 29.41% 28.14% 31.86% 1.53 1.53k 64.02% 68.14% 69.22% 68.63% 72.35% 4.59 Flower 2.55k 79.22% 83.24% 89.20% 84.12% 88.14% 7.65 Comparison of performance on the victim model (Microsoft) and their local substitute models. 19 April 3, 2020

  20. Comparison with Existing Attacks Our attack framework can steal large-scale deep learning models with high accuracy, few queries and low costs simultaneously. The same trend appears while we use different transfer architectures to steal black-box target model. Proposed Attacks Parameter Size Queries Accuracy Black-box? Stealing Cost √ F. Tramer (USENIX’16) ~ 45k ~ 102k High Low √ Juuti (EuroS&P’19) ~10M ~ 111k High - √ Correia-Silva (IJCNN’18) ~ 200M ~66k High High √ Papernot (AsiaCCS’17) ~ 100M ~7k Low - √ Our Method ~ 200M ~3k High Low A Comparison to prior works. 20 April 3, 2020

  21. Evading Defenses Evasion of PRADA Detection § Our attacks can easily bypass their defense by carefully selecting the parameter M from 0.1 ' to 0.8 ' . § Other types of adversarial attacks can also bypass the PRADA defense if * is small. Queries made until detection Model ( ! value) FF PGD CW FA " = 0.8' " = 0.5' " = 0.1' Traffic ( * = 0.92 ) missed missed missed missed 150 130 Traffic ( * = 0.97 ) 110 110 110 110 110 110 Flower ( * = 0.87 ) 110 missed 220 missed 290 140 Flower ( * = 0.90 ) 110 340 220 350 120 130 Flower ( * = 0.94 ) 110 340 220 350 120 130 21 April 3, 2020

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Commercial MLaaSPlatforms Yun-Yun Tsai &amp; Tsung-Yi Ho National Tsing Hua University #BHUSA

Commercial MLaaSPlatforms Yun-Yun Tsai &amp; Tsung-Yi Ho National Tsing Hua University #BHUSA

CloudLeak: DNN Model Extractions from Commercial MLaaSPlatforms Yun-Yun Tsai &amp; Tsung-Yi Ho National Tsing Hua University #BHUSA @BLACKHATEVENTS Who We Are Yun-Yun Tsai Research Assistant Department of Computer Science National Tsing Hua

525 views • 37 slides
by learning the Distributions of Adversarial Examples Boqing Gong Joint work with Yandong Li,

by learning the Distributions of Adversarial Examples Boqing Gong Joint work with Yandong Li,

by learning the Distributions of Adversarial Examples Boqing Gong Joint work with Yandong Li, Lijun Li, Liqiang Wang, &amp; Tong Zhang Published in ICML 2019 Intriguing properties of deep neural networks (DNNs) Szegedy, C., Zaremba, W.,

750 views • 43 slides
Words &amp; their Meaning: Distributional Semantics CMSC 470 Marine Carpuat Slides credit: Dan

Words &amp; their Meaning: Distributional Semantics CMSC 470 Marine Carpuat Slides credit: Dan

Words &amp; their Meaning: Distributional Semantics CMSC 470 Marine Carpuat Slides credit: Dan Jurafsky Reminders Read the syllabus Respond to office hour survey on piazza TODAY Get started on homework 1 due Tue Sep 3 by 1:00pm

616 views • 40 slides
OpenStack based telco clouds Todays Panel Sunil Sood Moderator Ericsson VP, IT &amp; Cloud

OpenStack based telco clouds Todays Panel Sunil Sood Moderator Ericsson VP, IT &amp; Cloud

OpenStack Summit - Sydney I pity the fool that builds his own cloud. Panel Discussion Ericsson (Moderator) AT&amp;T SKT Overcoming NTT challenges of OpenStack based telco clouds Todays Panel Sunil Sood Moderator Ericsson VP, IT

724 views • 7 slides
CSE 610 Special Topics: System Security - Attack and Defense for Binaries Instructor: Dr. Ziming

CSE 610 Special Topics: System Security - Attack and Defense for Binaries Instructor: Dr. Ziming

CSE 610 Special Topics: System Security - Attack and Defense for Binaries Instructor: Dr. Ziming Zhao Location: Online Time: Monday, 5:20 PM - 8:10 PM Last Class 1. Stack-based buffer overflow-1 a. Brief history of buffer overflow b.

873 views • 73 slides
Five ways not to fool yourself Tim Harris 23-Jun-18 Five ways not to fool yourself A

Five ways not to fool yourself Tim Harris 23-Jun-18 Five ways not to fool yourself A

Five ways not to fool yourself Tim Harris 23-Jun-18 Five ways not to fool yourself A pragmatic implementation of non-blocking linked lists, Tim Harris, DISC 2001 Five ways not to fool yourself 1. Measure as you go Starting and stopping

585 views • 25 slides
Outline Introduction Dynamic Symbolic Execution Binsec/SE Demo CEA - - 2/11 Introduction The

Outline Introduction Dynamic Symbolic Execution Binsec/SE Demo CEA - - 2/11 Introduction The

BINSEC/SE: A Dynamic Symbolic Execution Toolkit for Binary-level Analysis Robin David S ebastien Bardin Thanh Dinh Ta Josselin Feist Laurent Mounier Marie-Laure Potet Jean-Yves Marion SANER 2016, Osaka, Japan, March 16th Outline

467 views • 22 slides
Joey Stanley University of Georgia joeystan@uga.edu @joey_stan joeystanley.com Special thanks

Joey Stanley University of Georgia joeystan@uga.edu @joey_stan joeystanley.com Special thanks

T HE PERCEPTION AND PRODUCTION OF TWO VOWEL MERGERS IN C OWLITZ C OUNTY , W ASHINGTON Joey Stanley University of Georgia joeystan@uga.edu @joey_stan joeystanley.com American Dialect Society Annual Meeting Austin, Texas January 5, 2017 C

501 views • 37 slides
Robustness and geometry of deep neural networks Alhussein Fawzi DeepMind May 23rd 2019 The

Robustness and geometry of deep neural networks Alhussein Fawzi DeepMind May 23rd 2019 The

Robustness and geometry of deep neural networks Alhussein Fawzi DeepMind May 23rd 2019 The Mathematics of Deep Learning and Data Science University of Cambridge 1 Recent advances in machine learning Error rate (%) He et., al., Delving

809 views • 70 slides
Agile Adoption and Parenting Max Keeler September 28, 2009 The Goal 2 September 28, 2009

Agile Adoption and Parenting Max Keeler September 28, 2009 The Goal 2 September 28, 2009

1 Agile Adoption and Parenting Max Keeler September 28, 2009 The Goal 2 September 28, 2009 Hopes For This Presentation Share Agile adoption experience and lessons. Present a simple portfolio management and governance strategy.

553 views • 41 slides
Adversarial Connective-exploiting Networks for Implicit Discourse Relation Classification Lianhui

Adversarial Connective-exploiting Networks for Implicit Discourse Relation Classification Lianhui

Adversarial Connective-exploiting Networks for Implicit Discourse Relation Classification Lianhui Qin, Zhisong Zhang, Hai Zhao, Zhiting Hu , Eric P. Xing Shubham Jain Discourse Relations Connect linguistic units (like sentences) semantically

576 views • 19 slides
Making Default Address Selection More Robust FoolProof

Making Default Address Selection More Robust FoolProof

Making Default Address Selection More Robust FoolProof draft-linkova-6man-default-addr-selection-update-00 Jen Linkova IETF99, Prague, July 2017 When Does a Host Stop Using an Address? Preferred lifetime expired An RA received

540 views • 14 slides
Fool Proof Luke 24:13-35 April 1, 2018 1957 Swiss Spaghetti Harvest 1976 Zero-G Day

Fool Proof Luke 24:13-35 April 1, 2018 1957 Swiss Spaghetti Harvest 1976 Zero-G Day

Fool Proof Luke 24:13-35 April 1, 2018 1957 Swiss Spaghetti Harvest 1976 Zero-G Day 1998 Left-Handed Whopper 1993 Lightning Strike First Easter April Fools Day Fool Proof And he said to them, O foolish ones, and slow of

484 views • 24 slides
Three Fools and a Wise Woman (1 Samuel 25) I hope youre enjoying our sermon series on

Three Fools and a Wise Woman (1 Samuel 25) I hope youre enjoying our sermon series on

Belmont UMC / Feb. 4, 2018 Profiles in Courage, Grace, and Wisdom (#3) Three Fools and a Wise Woman (1 Samuel 25) I hope youre enjoying our sermon series on Profiles in Courage, Grace, and Wisdom, which focuses on the

472 views • 6 slides
Near-Optimal Pseudorandom Generators for Constant-Depth Read-Once Formulas Dean Doron 1 Pooya

Near-Optimal Pseudorandom Generators for Constant-Depth Read-Once Formulas Dean Doron 1 Pooya

Near-Optimal Pseudorandom Generators for Constant-Depth Read-Once Formulas Dean Doron 1 Pooya Hatami 2 William M. Hoza 3 UT Austin Stanford UT Austin Ohio State UT Austin BIRS Workshop 19w5088 July 8, 2019 1Supported by NSF Grant

1.69k views • 139 slides
Adversaries &amp; Interpretability SIDN: An IAP Practicum Shibani Santurkar Dimitris Tsipras

Adversaries &amp; Interpretability SIDN: An IAP Practicum Shibani Santurkar Dimitris Tsipras

Adversaries &amp; Interpretability SIDN: An IAP Practicum Shibani Santurkar Dimitris Tsipras gradient-science.org Outline for today 1. Simple gradient explanations Exercise 1: Gradient saliency Exercise 2: SmoothGrad 2. Adversarial

534 views • 37 slides
Outsourcing Source Code Distribution Requirements Alexios Zavras, Stefano Zacchiroli Intel,

Outsourcing Source Code Distribution Requirements Alexios Zavras, Stefano Zacchiroli Intel,

Outsourcing Source Code Distribution Requirements Alexios Zavras, Stefano Zacchiroli Intel, alexios.zavras@intel.com Sofware Heritage, zack@upsilon.cc 4 February 2018 FOSDEM Brussels, Belgium Alexios Zavras, Stefano Zacchiroli Outsourcing

420 views • 29 slides
For the wise men of old, the cardinal problem of human life was how to conform the soul to

For the wise men of old, the cardinal problem of human life was how to conform the soul to

For the wise men of old, the cardinal problem of human life was how to conform the soul to objective reality, and the solution was wisdom, self-discipline, and virtue. For the modern, the cardinal problem is how to conform reality to the

351 views • 10 slides
Living in a fools wireless - secured paradise Stefan Kiese Topics Wireless (consumer)

Living in a fools wireless - secured paradise Stefan Kiese Topics Wireless (consumer)

Living in a fools wireless - secured paradise Stefan Kiese Topics Wireless (consumer) alarm systems Hardware Software Hacking it ;) 2015/10/02 Stefan Kiese 2 About me Security Analyst @ ERNW Heidelberg, Germany

690 views • 23 slides
Learning Universal Adversarial Perturbations with Generative Models Jamie Hayes &amp; George

Learning Universal Adversarial Perturbations with Generative Models Jamie Hayes &amp; George

Learning Universal Adversarial Perturbations with Generative Models Jamie Hayes &amp; George Danezis UCL Adversarial examples transfer between different models. An adversarial example crafted against one model will generally fool other models.

515 views • 18 slides
Data Sovereignty The importance of geolocating data in the cloud Zachary N J Peterson Mark

Data Sovereignty The importance of geolocating data in the cloud Zachary N J Peterson Mark

HotCloud 2011 Data Sovereignty The importance of geolocating data in the cloud Zachary N J Peterson Mark Gondree Rob Beverly Your Data is Here But, maybe it should be here Or Here? Breaking the Abstraction Is data within some political

584 views • 20 slides

P P P P P P P P P P P P

455 views • 13 slides
Mapping of the space change of Oued Ali Mountains (Mascara, Algeria) by Landsat optical imagery

Mapping of the space change of Oued Ali Mountains (Mascara, Algeria) by Landsat optical imagery

Mapping of the space change of Oued Ali Mountains (Mascara, Algeria) by Landsat optical imagery Farida BACHIR BELMEHDI (1) , Kamel HASNI (2) , Bachir GOURINE (2) and Moussa LESGAA 1 (1) University of Oran 2, Faculty of Earth Sciences and Universe,

615 views • 6 slides
Bayesian Learning By Harivinod N Vivekananda College of Engineering Technology, Puttur 15CS73

Bayesian Learning By Harivinod N Vivekananda College of Engineering Technology, Puttur 15CS73

Module-IV Bayesian Learning By Harivinod N Vivekananda College of Engineering Technology, Puttur 15CS73 - Machine Learning Harivinod N Hypothesis A hypothesis is a certain function that we

1.03k views • 44 slides

More recommend