FDINet: Protecting against DNN Model Extraction via Feature Distortion Index

TL;DR

FDINET is a novel defense mechanism that detects model extraction attacks by analyzing feature distribution deviations in adversary queries, achieving high accuracy and efficiency across multiple datasets and attack types.

Contribution

Introduces Feature Distortion Index (FDI) and FDINET, a new method for detecting and identifying colluding adversaries in DNN model extraction attacks.

Findings

Achieves 100% detection accuracy on certain attacks

Detects extraction with just 50 queries at 96.08% confidence

Identifies colluding adversaries with over 91% accuracy

Abstract

Machine Learning as a Service (MLaaS) platforms have gained popularity due to their accessibility, cost-efficiency, scalability, and rapid development capabilities. However, recent research has highlighted the vulnerability of cloud-based models in MLaaS to model extraction attacks. In this paper, we introduce FDINET, a novel defense mechanism that leverages the feature distribution of deep neural network (DNN) models. Concretely, by analyzing the feature distribution from the adversary's queries, we reveal that the feature distribution of these queries deviates from that of the model's training set. Based on this key observation, we propose Feature Distortion Index (FDI), a metric designed to quantitatively measure the feature distribution deviation of received queries. The proposed FDINET utilizes FDI to train a binary detector and exploits FDI similarity to identify colluding adversaries from distributed extraction attacks. We conduct extensive experiments to evaluate FDINET against six state-of-the-art extraction attacks on four benchmark datasets and four popular model architectures. Empirical results demonstrate the following findings FDINET proves to be highly effective in detecting model extraction, achieving a 100% detection accuracy on DFME and DaST. FDINET is highly efficient, using just 50 queries to raise an extraction alarm with an average confidence of 96.08% for GTSRB. FDINET exhibits the capability to identify colluding adversaries with an accuracy exceeding 91%. Additionally, it demonstrates the ability to detect two types of adaptive attacks.