Stealing Machine Learning Models: Attacks and Countermeasures for Generative Adversarial Networks

Hu, Hailong; Pang, Jun

doi:10.1145/3485832.3485838

Download

Paper published in a book (Scientific congresses, symposiums and conference proceedings)

Stealing Machine Learning Models: Attacks and Countermeasures for Generative Adversarial Networks

Hu, Hailong; Pang, Jun

2021 • In Proceedings of the 37th Annual Computer Security Applications Conference (ACSAC'21)

Peer reviewed

Permalink
https://hdl.handle.net/10993/48864

DOI
10.1145/3485832.3485838

Files (1)Send to Details Statistics Bibliography Similar publications

Files

Full Text

ACSAC21.pdf

Author preprint (2.48 MB)

Download

All documents in ORBilu are protected by a user license.

Send to

RIS BibTex APA Chicago Permalink X Linkedin

Details

Disciplines :

Computer science

Author, co-author :

Hu, Hailong ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > PI Mauw

Pang, Jun ; University of Luxembourg > Faculty of Science, Technology and Medicine (FSTM) > Department of Computer Science (DCS)

External co-authors :

yes

Language :

English

Title :

Stealing Machine Learning Models: Attacks and Countermeasures for Generative Adversarial Networks

Publication date :

2021

Event name :

37th Annual Computer Security Applications Conference

Event date :

2021

Audience :

International

Main work title :

Proceedings of the 37th Annual Computer Security Applications Conference (ACSAC'21)

Publisher :

ACM

Pages :

1-16

Peer reviewed :

Peer reviewed

FnR Project :

FNR13550291 - Privacy Attacks And Protection In Machine Learning As A Service, 2019 (01/12/2019-30/11/2023) - Hailong Hu

Available on ORBilu :

since 08 December 2021

Statistics

Number of views

114 (35 by Unilu)

Number of downloads

23 (5 by Unilu)

More statistics

Scopus citations^®

Scopus citations^®
without self-citations

OpenCitations

Bibliography

Martin Abadi, Andy Chu, Ian Goodfellow, H Brendan McMahan, Ilya Mironov, Kunal Talwar, and Li Zhang. 2016. Deep learning with differential privacy. In ProceedingsofACMSIGSACConferenceonComputerandCommunicationsSecurity (CCS). ACM, 308-318.
Eirikur Agustsson, Alexander Sage, Radu Timofte, and Luc Van Gool. 2019. Optimal Transport Maps For Distribution Preserving Operations on Latent Spaces of Generative Models. In Proceedings of International Conference on Learning Representations (ICLR).
Samaneh Azadi, Catherine Olsson, Trevor Darrell, Ian Goodfellow, and Augustus Odena. 2019. Discriminator Rejection Sampling. In Proceedings of International Conference on Learning Representations (ICLR).
Yasaman Bahri, Jonathan Kadmon, Jeffrey Pennington, Sam S. Schoenholz, Jascha Sohl-Dickstein, and Surya Ganguli. 2020. Statistical Mechanics of Deep Learning. Annual Review of Condensed Matter Physics 11, 1 (2020), 501-528.
David Bau, Jun-Yan Zhu, Jonas Wulff, William Peebles, Hendrik Strobelt, Bolei Zhou, and Antonio Torralba. 2019. Seeing what a gan cannot generate. In Proceedings of IEEE International Conference on Computer Vision (ICCV). IEEE, 4502-4511.
Andrew Brock, Jeff Donahue, and Karen Simonyan. 2019. Large Scale GAN Training for High Fidelity Natural Image Synthesis. In Proceedings of International Conference on Learning Representations (ICLR).
Tom B Brown, Benjamin Mann, Nick Ryder, Melanie Subbiah, Jared Kaplan, Prafulla Dhariwal, Arvind Neelakantan, Pranav Shyam, Girish Sastry, Amanda Askell, et al. 2020. Language models are few-shot learners. arXiv preprint arXiv:2005.14165 (2020).
Xiaoyu Cao, Jinyuan Jia, and Neil Zhenqiang Gong. 2021. IPGuard: Protecting intellectual property of deep neural networks via fingerprinting the classification boundary. In Proceedings of ACM Asia Conference on Computer and Communications Security (ASIA CCS). 14-25.
Nicholas Carlini, Matthew Jagielski, and Ilya Mironov. 2020. Cryptanalytic Extraction of Neural Network Models. In Proceedings of Annual International Cryptology Conference (CRYPTO). Springer.
Nicholas Carlini, Florian Tramer, Eric Wallace, Matthew Jagielski, Ariel Herbert-Voss, Katherine Lee, Adam Roberts, Tom Brown, Dawn Song, Ulfar Erlingsson, et al. 2021. Extracting Training Data from Large Language Models. In Proceedings of USENIX Security Symposium (USENIX Security). USENIX Association, 2633-2650.
Nicholas Carlini and David Wagner. 2017. Towards evaluating the robustness of neural networks. In Proceedings of IEEE Symposium on Security and Privacy (S&P). IEEE, 39-57.
Varun Chandrasekaran, Kamalika Chaudhuri, Irene Giacomelli, Somesh Jha, and Songbai Yan. 2020. Exploring Connections Between Active Learning and Model Extraction. In Proceedings of USENIX Security Symposium (USENIX Security). USENIX Association.
Dingfan Chen, Ning Yu, Yang Zhang, and Mario Fritz. 2020. Gan-leaks: A taxonomy of membership inference attacks against generative models. In Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS). ACM, 343-362.
Kangjie Chen, Shangwei Guo, Tianwei Zhang, Xiaofei Xie, and Yang Liu. 2021. Stealing Deep Reinforcement Learning Models for Fun and Profit. In Proceedings of ACM Asia Conference on Computer and Communications Security (ASIA CCS). 307-319.
Jacob Devlin, Ming-Wei Chang, Kenton Lee, and Kristina Toutanova. 2018. BERT: Pre-training of deep bidirectional transformers for language understanding. arXiv preprint arXiv:1810.04805 (2018).
Xin Ding, Z Jane Wang, and William J Welch. 2020. Subsampling Generative Adversarial Networks: Density Ratio Estimation in Feature Space With Softplus Loss. IEEE Transactions on Signal Processing 68 (2020), 1910-1922.
Joachim Folz. 2020. simplejpeg 1.4.0. https://gitlab.com/jfolz/simplejpeg
Karan Ganju, Qi Wang, Wei Yang, Carl A Gunter, and Nikita Borisov. 2018. Property inference attacks on fully connected neural networks using permutation invariant representations. In Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS). ACM, 619-633.
Ian Goodfellow, Jean Pouget-Abadie, Mehdi Mirza, Bing Xu, David Warde-Farley, Sherjil Ozair, Aaron Courville, and Yoshua Bengio. 2014. Generative adversarial nets. In Proceedings of Annual Conference on Neural Information Processing Systems (NeurIPS). Curran Associates, Inc., 2672-2680.
Jamie Hayes, Luca Melis, George Danezis, and Emiliano De Cristofaro. 2019. LOGAN: Membership inference attacks against generative models. In Proceedings on Privacy Enhancing Technologies, Vol. 2019. Sciendo, 133-152.
Kaiming He, Xiangyu Zhang, Shaoqing Ren, and Jian Sun. 2016. Deep residual learning for image recognition. In Proceedings of IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR). IEEE, 770-778.
Yingzhe He, Guozhu Meng, Kai Chen, Xingbo Hu, and Jinwen He. 2019. Towards Privacy and Security of Deep Learning Systems: A Survey. arXiv preprint arXiv:1911.12562 (2019).
Martin Heusel, Hubert Ramsauer, Thomas Unterthiner, Bernhard Nessler, and Sepp Hochreiter. 2017. Gans trained by a two time-scale update rule converge to a local nash equilibrium. In Proceedings of Annual Conference on Neural Information Processing Systems (NeurIPS). Curran Associates, Inc., 6626-6637.
Benjamin Hilprecht, Martin Härterich, and Daniel Bernau. 2019. Monte carlo and reconstruction membership inference attacks against generative models. In Proceedings on Privacy Enhancing Technologies, Vol. 2019. Sciendo, 232-249.
Xun Huang and Serge Belongie. 2017. Arbitrary style transfer in real-time with adaptive instance normalization. In Proceedings of IEEE International Conference on Computer Vision (ICCV). IEEE, 1501-1510.
Xun Huang, Yixuan Li, Omid Poursaeed, John Hopcroft, and Serge Belongie. 2017. Stacked generative adversarial networks. In Proceedings of IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR). IEEE, 5077-5086.
Matthew Jagielski, Nicholas Carlini, David Berthelot, Alex Kurakin, and Nicolas Papernot. 2020. High Accuracy and High Fidelity Extraction of Neural Networks. In Proceedings of USENIX Security Symposium (USENIX Security). USENIX Association.
Shouling Ji, Weiqing Li, Neil Zhenqiang Gong, Prateek Mittal, and Raheem A Beyah. 2015. On Your Social Network De-anonymizablity: Quantification and Large Scale Evaluation with Seed Knowledge. In Proceedings of Network and Distributed Systems Security Symposium (NDSS). Internet Society.
Hengrui Jia, Christopher A Choquette-Choo, Varun Chandrasekaran, and Nicolas Papernot. 2021. Entangled watermarks as a defense against model extraction. In Proceedings of USENIX Security Symposium (USENIX Security). USENIX Association, 1937-1954.
Mika Juuti, Sebastian Szyller, Samuel Marchal, and N Asokan. 2019. PRADA: protecting against DNN model stealing attacks. In Proceedings of IEEE European Symposium on Security and Privacy (Euro S&P). IEEE, 512-527.
Tero Karras, Timo Aila, Samuli Laine, and Jaakko Lehtinen. 2018. Progressive Growing of GANs for Improved Quality, Stability, and Variation. In Proceedings of International Conference on Learning Representations (ICLR).
Tero Karras, Samuli Laine, and Timo Aila. 2019. A style-based generator architecture for generative adversarial networks. In Proceedings of IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR). IEEE, 4401-4410.
Tero Karras, Samuli Laine, Miika Aittala, Janne Hellsten, Jaakko Lehtinen, and Timo Aila. 2020. Analyzing and improving the image quality of stylegan. In Proceedings of IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR). IEEE, 8110-8119.
Kalpesh Krishna, Gaurav Singh Tomar, Ankur P. Parikh, Nicolas Papernot, and Mohit Iyyer. 2020. Thieves on Sesame Street! Model Extraction of BERT-based APIs. In Proceedings of International Conference on Learning Representations (ICLR).
Jinhyuk Lee, Wonjin Yoon, Sungdong Kim, Donghyeon Kim, Sunkyu Kim, Chan Ho So, and Jaewoo Kang. 2020. BioBERT: a pre-trained biomedical language representation model for biomedical text mining. Bioinformatics 36, 4 (2020), 1234-1240.
Taesung Lee, Benjamin Edwards, Ian Molloy, and Dong Su. 2019. Defending against model stealing attacks using deceptive perturbations. In Proceedings of IEEE Security and Privacy Workshops. IEEE, 43-49.
Chuan Li and Michael Wand. 2016. Precomputed real-time texture synthesis with markovian generative adversarial networks. In Proceedings of European conference on computer vision (ECCV). Springer, 702-716.
Huiying Li, Emily Wenger, Ben Y Zhao, and Haitao Zheng. 2019. Piracy Resistant Watermarks for Deep Neural Networks. arXiv preprint arXiv:1910.01226 (2019).
Chieh Hubert Lin, Chia-Che Chang, Yu-Sheng Chen, Da-Cheng Juan, Wei Wei, and Hwann-Tzong Chen. 2019. COCO-GAN: generation by parts via conditional coordinating. In Proceedings of IEEE International Conference on Computer Vision (ICCV). IEEE, 4512-4521.
Ming-Yu Liu, Xun Huang, Arun Mallya, Tero Karras, Timo Aila, Jaakko Lehtinen, and Jan Kautz. 2019. Few-shot unsupervised image-to-image translation. In Proceedings of IEEE International Conference on Computer Vision (ICCV). IEEE, 10551-10560.
Ziwei Liu, Ping Luo, Xiaogang Wang, and Xiaoou Tang. 2015. Deep Learning Face Attributes in the Wild. In Proceedings of IEEE International Conference on Computer Vision (ICCV). IEEE, 3730-3738.
Daniel Lowd and Christopher Meek. 2005. Adversarial learning. In Proceedings of ACM SIGKDD international conference on Knowledge discovery in data mining (KDD). ACM, 641-647.
Mario Lučić, Michael Tschannen, Marvin Ritter, Xiaohua Zhai, Olivier Bachem, and Sylvain Gelly. 2019. High-Fidelity Image Generation With Fewer Labels. In Proceedings of International Conference on Machine Learning (ICML). 4183-4192.
Dhruv Mahajan, Ross Girshick, Vignesh Ramanathan, Kaiming He, Manohar Paluri, Yixuan Li, Ashwin Bharambe, and Laurens van der Maaten. 2018. Exploring the Limits of Weakly Supervised Pretraining. In Proceedings of European conference on computer vision (ECCV). Springer, 181-196.
Smitha Milli, Ludwig Schmidt, Anca D Dragan, and Moritz Hardt. 2019. Model reconstruction from model explanations. In Proceedings of Conference on Fairness, Accountability, and Transparency. ACM, 1-9.
Anish Mittal, Rajiv Soundararajan, and Alan C Bovik. 2012. Making a “completely blind” image quality analyzer. IEEE Signal processing letters 20, 3 (2012), 209-212.
Takeru Miyato, Toshiki Kataoka, Masanori Koyama, and Yuichi Yoshida. 2018. Spectral Normalization for Generative Adversarial Networks. In Proceedings of International Conference on Learning Representations (ICLR).
Augustus Odena, Christopher Olah, and Jonathon Shlens. 2017. Conditional image synthesis with auxiliary classifier GANs. In Proceedings of International Conference on Machine Learning (ICML). 2642-2651.
Tribhuvanesh Orekondy, Bernt Schiele, and Mario Fritz. 2019. Knockoff nets: Stealing functionality of black-box models. In Proceedings of IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR). IEEE, 4954-4963.
Soham Pal, Yash Gupta, Aditya Shukla, Aditya Kanade, Shirish Shevade, and Vinod Ganapathy. 2020. ACTIVETHIEF: Model Extraction Using Active Learning and Unannotated Public Data. In Proceedings of AAAI Conference on Artificial Intelligence (AAAI), Vol. 34. AAAI, 865-872.
Nicolas Papernot, Patrick McDaniel, Ian Goodfellow, Somesh Jha, Z Berkay Celik, and Ananthram Swami. 2017. Practical black-box attacks against machine learning. In Proceedings of ACM on Asia conference on computer and communications security (ASIA CCS). ACM, 506-519.
Taesung Park, Ming-Yu Liu, Ting-Chun Wang, and Jun-Yan Zhu. 2019. Semantic image synthesis with spatially-adaptive normalization. In Proceedings of IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR). IEEE, 2337-2346.
Alec Radford, Luke Metz, and Soumith Chintala. 2016. Unsupervised representation learning with deep convolutional generative adversarial networks. In Proceedings of International Conference on Learning Representations (ICLR).
Eitan Richardson and Yair Weiss. 2018. On gans and gmms. In Proceedings of Advances in Neural Information Processing Systems (NeurIPS), Vol. 31. Curran Associates, Inc., 5847-5858.
Olga Russakovsky, Jia Deng, Hao Su, Jonathan Krause, Sanjeev Satheesh, Sean Ma, Zhiheng Huang, Andrej Karpathy, Aditya Khosla, Michael Bernstein, Alexander C. Berg, and Li Fei-Fei. 2015. ImageNet Large Scale Visual Recognition Challenge. International journal of computer vision 115, 3 (2015), 211-252.
Ahmed Salem, Yang Zhang, Mathias Humbert, Pascal Berrang, Mario Fritz, and Michael Backes. 2019. ML-Leaks: Model and Data Independent Membership Inference Attacks and Defenses on Machine Learning Models. In Proceedings of Network and Distributed Systems Security Symposium (NDSS). Internet Society.
Tim Salimans, Ian Goodfellow, Wojciech Zaremba, Vicki Cheung, Alec Radford, and Xi Chen. 2016. Improved techniques for training GANs. In Proceedings of Annual Conference on Neural Information Processing Systems (NeurIPS). Curran Associates, Inc., 2234-2242.
Yujun Shen, Jinjin Gu, Xiaoou Tang, and Bolei Zhou. 2020. Interpreting the latent space of gans for semantic face editing. In Proceedings of IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR). IEEE, 9243-9252.
Reza Shokri, Martin Strobel, and Yair Zick. 2019. Privacy risks of explaining machine learning models. arXiv preprint arXiv:1907.00164 (2019).
Reza Shokri, Marco Stronati, Congzheng Song, and Vitaly Shmatikov. 2017. Membership inference attacks against machine learning models. In Proceedings of IEEE Symposium on Security and Privacy (S&P). IEEE, 3-18.
Tatsuya Takemura, Naoto Yanai, and Toru Fujiwara. 2020. Model Extraction Attacks against Recurrent Neural Networks. arXiv preprint arXiv:2002.00123 (2020).
Luke Tierney. 1994. Markov chains for exploring posterior distributions. The Annals of Statistics (1994), 1701-1728.
Hugo Touvron, Andrea Vedaldi, Matthijs Douze, and Hervé Jégou. 2019. Fixing the train-test resolution discrepancy. In Proceedings of Annual Conference on Neural Information Processing Systems (NeurIPS). Curran Associates, Inc., 8250-8260.
Florian Tramèr, Fan Zhang, Ari Juels, Michael K Reiter, and Thomas Ristenpart. 2016. Stealing machine learning models via prediction APIs. In Proceedings of USENIX Security Symposium (USENIX Security). USENIX Association, 601-618.
Ryan Turner, Jane Hung, Eric Frank, Yunus Saatchi, and Jason Yosinski. 2019. Metropolis-hastings generative adversarial networks. In Proceedings of International Conference on Machine Learning (ICML). 6345-6353.
Stéfan van der Walt, Johannes L. Schönberger, Juan Nunez-Iglesias, François Boulogne, Joshua D. Warner, Neil Yager, Emmanuelle Gouillart, Tony Yu, and the scikit-image contributors. 2014. scikit-image: image processing in Python. PeerJ 2 (6 2014), e453.
N Venkatanath, D Praneeth, Maruthi Chandrasekhar Bh, Sumohana S Channappayya, and Swarup S Medasani. 2015. Blind image quality evaluation using perception based features. In 2015 Twenty First National Conference on Communications. IEEE, 1-6.
Binghui Wang and Neil Zhenqiang Gong. 2018. Stealing hyperparameters in machine learning. In Proceedings of IEEE Symposium on Security and Privacy (S&P). IEEE, 36-52.
Wenqi Xian, Patsorn Sangkloy, Varun Agrawal, Amit Raj, Jingwan Lu, Chen Fang, Fisher Yu, and James Hays. 2018. Texturegan: Controlling deep image synthesis with texture patches. In Proceedings of IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR). IEEE, 8456-8465.
Pan Xudong, Zhang Mi, Ji Shouling, and Yang Min. 2020. Privacy Risks of General-Purpose Language Models. In Proceedings of IEEE Symposium on Security and Privacy (S&P). IEEE, 1471-1488.
Fisher Yu, Ari Seff, Yinda Zhang, Shuran Song, Thomas Funkhouser, and Jianxiong Xiao. 2015. LSUN: Construction of a Large-scale Image Dataset using Deep Learning with Humans in the Loop. arXiv preprint arXiv:1506.03365 (2015).
Han Zhang, Tao Xu, Hongsheng Li, Shaoting Zhang, Xiaogang Wang, Xiaolei Huang, and Dimitris N Metaxas. 2017. StackGAN: Text to photo-realistic image synthesis with stacked generative adversarial networks. In Proceedings of IEEE International Conference on Computer Vision (ICCV). IEEE, 5907-5915.
Jun-Yan Zhu, Philipp Krähenbühl, Eli Shechtman, and Alexei A Efros. 2016. Generative visual manipulation on the natural image manifold. In Proceedings of European conference on computer vision (ECCV). Springer, 597-613.