Killing four birds with one Gaussian process: the relation between different test-time attacks
Kathrin Grosse, Michael T. Smith, Michael Backes

TL;DR
This paper explores how Gaussian Process classifiers' decision surface curvature influences their robustness against various test-time attacks, revealing that security measures against one attack can inadvertently enable others, emphasizing the interconnectedness of attack vulnerabilities.
Contribution
It introduces a formal analysis of the relationship between decision surface curvature and attack success in Gaussian Process classifiers, highlighting the trade-offs in security configurations.
Findings
Adjusting GPC curvature affects attack success rates.
Securing GPCs against membership inference can leak model information.
Attacks on classifiers are interconnected and should be studied jointly.
Abstract
In machine learning (ML) security, attacks like evasion, model stealing or membership inference are generally studied individually. Previous work has also shown a relationship between some attacks and the decision function curvature of the targeted model. Consequently, we study an ML model allowing direct control over the decision surface curvature: Gaussian Process classifiers (GPCs). For evasion, we find that changing a GPC's curvature to be robust against one attack algorithm boils down to enabling a different norm or attack algorithm to succeed. This is backed up by our formal analysis showing that static security guarantees are opposed to learning. Concerning intellectual property, we show formally that lazy learning does not necessarily leak all information when applied. In practice, a seemingly secure curvature can often be found. For example, we are able to secure GPC against…
Taxonomy
Methods: Gaussian Process
