Stateful Detection of Adversarial Reprogramming

TL;DR

This paper introduces a stateful detection method for adversarial reprogramming attacks on machine learning models, effectively identifying malicious queries and reducing attack feasibility even with adaptive strategies.

Contribution

The paper demonstrates for the first time that stateful defenses can detect adversarial reprogramming attacks, including adaptive ones, in black-box scenarios.

Findings

Stateful defenses can detect adversarial reprogramming attacks.

Detection remains effective even when attackers fine-tune adversarial programs.

Blocking malicious users reduces attack success.

Abstract

Adversarial reprogramming allows stealing computational resources by repurposing machine learning models to perform a different task chosen by the attacker. For example, a model trained to recognize images of animals can be reprogrammed to recognize medical images by embedding an adversarial program in the images provided as inputs. This attack can be perpetrated even if the target model is a black box, supposed that the machine-learning model is provided as a service and the attacker can query the model and collect its outputs. So far, no defense has been demonstrated effective in this scenario. We show for the first time that this attack is detectable using stateful defenses, which store the queries made to the classifier and detect the abnormal cases in which they are similar. Once a malicious query is detected, the account of the user who made it can be blocked. Thus, the attacker must create many accounts to perpetrate the attack. To decrease this number, the attacker could create the adversarial program against a surrogate classifier and then fine-tune it by making few queries to the target model. In this scenario, the effectiveness of the stateful defense is reduced, but we show that it is still effective.