A Plot is Worth a Thousand Words: Model Information Stealing Attacks via Scientific Plots

TL;DR

This paper uncovers a new side channel attack that uses scientific plots to steal information about machine learning models, demonstrating the attack's effectiveness and proposing potential defenses.

Contribution

It introduces a novel attack method leveraging scientific plots for model information theft and evaluates its effectiveness across multiple datasets.

Findings

The attack accurately infers model architecture and hyperparameters from plots.

Scientific plots' shape is the main factor enabling the attack.

Proposed defenses can reduce attack success but are still bypassable.

Abstract

Building advanced machine learning (ML) models requires expert knowledge and many trials to discover the best architecture and hyperparameter settings. Previous work demonstrates that model information can be leveraged to assist other attacks, such as membership inference, generating adversarial examples. Therefore, such information, e.g., hyperparameters, should be kept confidential. It is well known that an adversary can leverage a target ML model's output to steal the model's information. In this paper, we discover a new side channel for model information stealing attacks, i.e., models' scientific plots which are extensively used to demonstrate model performance and are easily accessible. Our attack is simple and straightforward. We leverage the shadow model training techniques to generate training data for the attack model which is essentially an image classifier. Extensive evaluation on three benchmark datasets shows that our proposed attack can effectively infer the architecture/hyperparameters of image classifiers based on convolutional neural network (CNN) given the scientific plot generated from it. We also reveal that the attack's success is mainly caused by the shape of the scientific plots, and further demonstrate that the attacks are robust in various scenarios. Given the simplicity and effectiveness of the attack method, our study indicates scientific plots indeed constitute a valid side channel for model information stealing attacks. To mitigate the attacks, we propose several defense mechanisms that can reduce the original attacks' accuracy while maintaining the plot utility. However, such defenses can still be bypassed by adaptive attacks.