Defending against Model Stealing via Verifying Embedded External Features
Yiming Li, Linghui Zhu, Xiaojun Jia, Yong Jiang, Shu-Tao Xia, Xiaochun Cao

TL;DR
This paper proposes a novel method to detect stolen models by verifying the presence of external features embedded through style transfer, effectively identifying various types of model stealing on CIFAR-10 and ImageNet.
Contribution
It introduces a new verification approach using external feature embedding and a meta-classifier to detect stolen models, even in multi-stage stealing scenarios.
Findings
Effective detection on CIFAR-10 and ImageNet datasets.
Detects multiple types of model stealing simultaneously.
Works against multi-stage stealing processes.
Abstract
Obtaining a well-trained model involves expensive data collection and training procedures, so a trained model is valuable intellectual property. Recent studies revealed that adversaries can "steal" deployed models even when they have no training samples and cannot access the model parameters or structure. Currently, there are some defense methods that alleviate this threat, mostly by increasing the cost of model stealing. In this paper, we explore the defense from another angle by verifying whether a suspicious model contains the knowledge of defender-specified external features. Specifically, we embed the external features by tampering with a few training samples using style transfer. We then train a meta-classifier to determine whether a model is stolen from the victim. This approach is inspired by the understanding that the stolen models should contain the knowledge of…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Advanced Neural Network Applications · Anomaly Detection Techniques and Applications
