Quantifying (Hyper) Parameter Leakage in Machine Learning
Vasisht Duddu, D. Vijay Rao

TL;DR
This paper introduces Airavata, a probabilistic framework using Bayesian Networks to quantify information leakage during machine learning model extraction attacks, addressing the gap between empirical methods and theoretical understanding.
Contribution
The work presents a novel probabilistic framework, Airavata, to measure information leakage in black-box model extraction attacks, incorporating the adversary's uncertainty and the stochastic effects of training.
Findings
Airavata estimates the information leaked under different model extraction attack scenarios.
The framework captures the adversary's uncertainty during extraction, giving a quantitative rather than purely empirical measure of how much is leaked.
Validation shows the framework's leakage estimates track attack efficacy.
Abstract
Machine Learning models, extensively used for various multimedia applications, are offered to users as a black-box service on the Cloud on a pay-per-query basis. Such black-box models are commercially valuable to adversaries, making them vulnerable to extraction attacks that reverse engineer the proprietary model, thereby violating model privacy and intellectual property. Here, the adversary first extracts the model architecture or hyperparameters through side-channel leakage, then steals the functionality of the target model by training the reconstructed architecture on a synthetic dataset. While the attacks proposed in the literature are empirical, there is a need for a theoretical framework to measure the information leaked under such extraction attacks. To this end, in this work, we propose a novel probabilistic framework, Airavata, to estimate the information leakage in such…
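To make the idea of "quantifying leakage with a Bayesian network" concrete, here is an added example that is not Airavata's code and not from the paper: a constructed two-node discrete network in which the hidden node is a hyperparameter the adversary wants (network depth) and the observed node is a side-channel symptom (an inference-latency bucket). The prior, the conditional probability table, the outcome labels and the function names are all assumptions chosen for illustration. Leakage is measured as the mutual information I(H;O) in bits, i.e. how much the prior entropy over the hyperparameter shrinks once the side channel is observed, and the sequential update shows how leakage compounds over repeated queries.

```python
import itertools
import math
from typing import Dict, Hashable, Iterable

# Constructed toy Bayesian network (assumption: not Airavata's model or data).
# Hidden node H: hyperparameter the adversary wants, here network depth.
# Observed node O: side-channel symptom, here an inference-latency bucket.
PRIOR_DEPTH: Dict[int, float] = {2: 0.25, 4: 0.50, 8: 0.25}
LATENCY_GIVEN_DEPTH: Dict[int, Dict[str, float]] = {
    2: {"fast": 0.8, "medium": 0.2, "slow": 0.0},
    4: {"fast": 0.2, "medium": 0.6, "slow": 0.2},
    8: {"fast": 0.0, "medium": 0.2, "slow": 0.8},
}

Dist = Dict[Hashable, float]
CPT = Dict[Hashable, Dict[Hashable, float]]


def entropy_bits(dist: Dist) -> float:
    """Shannon entropy in bits; zero-probability entries contribute nothing."""
    return -sum(p * math.log2(p) for p in dist.values() if p > 0.0)


def marginal(prior: Dist, likelihood: CPT) -> Dist:
    """P(O=o) = sum_h P(h) P(o | h)."""
    out: Dist = {}
    for h, p_h in prior.items():
        for o, p_o_given_h in likelihood[h].items():
            out[o] = out.get(o, 0.0) + p_h * p_o_given_h
    return out


def posterior(prior: Dist, likelihood: CPT, observations: Iterable[Hashable]) -> Dist:
    """Sequential Bayes update over the hidden node.

    Observations are treated as conditionally independent given H, which is
    what lets repeated queries of the same black-box model accumulate evidence.
    """
    post = dict(prior)
    for o in observations:
        unnorm = {h: post[h] * likelihood[h].get(o, 0.0) for h in post}
        z = sum(unnorm.values())
        if z == 0.0:
            raise ValueError(f"observation {o!r} is impossible under every hypothesis")
        post = {h: v / z for h, v in unnorm.items()}
    return post


def expected_residual_entropy_bits(prior: Dist, likelihood: CPT, n_queries: int) -> float:
    """H(H | O_1..O_n): entropy left in the hyperparameter after n observations,
    averaged over every possible observation sequence weighted by its probability."""
    outcomes = sorted({o for cpt in likelihood.values() for o in cpt})
    total = 0.0
    for seq in itertools.product(outcomes, repeat=n_queries):
        p_seq = sum(
            prior[h] * math.prod(likelihood[h].get(o, 0.0) for o in seq) for h in prior
        )
        if p_seq > 0.0:
            total += p_seq * entropy_bits(posterior(prior, likelihood, seq))
    return total


def leakage_bits(prior: Dist, likelihood: CPT, n_queries: int = 1) -> float:
    """I(H; O_1..O_n) = H(H) - H(H | O_1..O_n): bits leaked by n side-channel queries."""
    return entropy_bits(prior) - expected_residual_entropy_bits(prior, likelihood, n_queries)


if __name__ == "__main__":
    print(f"prior entropy over depth: {entropy_bits(PRIOR_DEPTH):.3f} bits")
    for n in range(1, 4):
        print(f"leakage after {n} query(ies): {leakage_bits(PRIOR_DEPTH, LATENCY_GIVEN_DEPTH, n):.3f} bits")
    print("posterior after observing fast, fast:",
          posterior(PRIOR_DEPTH, LATENCY_GIVEN_DEPTH, ["fast", "fast"]))
```

With this table, one latency observation leaks about 0.52 of the 1.5 bits of prior uncertainty over depth, and because conditioning never increases entropy the residual uncertainty is non-increasing in the number of queries; the interesting quantity for a defender is how quickly it approaches zero, which is governed entirely by how separable the rows of the conditional table are.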
