SnatchML: Hijacking ML models without Training Access

TL;DR

SnatchML demonstrates a training-free inference-time model hijacking attack exploiting over-parameterization, enabling hijacking of models for more classes than the original task, with proposed mitigation strategies.

Contribution

Introduces SnatchML, a novel inference-time hijacking attack that leverages model over-parameterization without training access, and proposes mitigation techniques like meta-unlearning and model compression.

Findings

SnatchML achieves high accuracy in hijacking models on AWS Sagemaker.

It can hijack models for tasks with more classes than the original.

Proposed countermeasures can mitigate the hijacking risk.

Abstract

Model hijacking can cause significant accountability and security risks since the owner of a hijacked model can be framed for having their model offer illegal or unethical services. Prior works consider model hijacking as a training time attack, whereby an adversary requires full access to the ML model training. In this paper, we consider a stronger threat model for an inference-time hijacking attack, where the adversary has no access to the training phase of the victim model. Our intuition is that ML models, which are typically over-parameterized, might have the capacity to (unintentionally) learn more than the intended task they are trained for. We propose SnatchML, a new training-free model hijacking attack, that leverages the extra capacity learnt by the victim model to infer different tasks that can be semantically related or unrelated to the original one. Our results on models deployed on AWS Sagemaker showed that SnatchML can deliver high accuracy on hijacking tasks. Interestingly, while all previous approaches are limited by the number of classes in the benign task, SnatchML can hijack models for tasks that contain more classes than the original. We explore different methods to mitigate this risk; We propose meta-unlearning, which is designed to help the model unlearn a potentially malicious task while training for the original task. We also provide insights on over-parametrization as a possible inherent factor that facilitates model hijacking, and accordingly, we propose a compression-based countermeasure to counteract this attack. We believe this work offers a previously overlooked perspective on model hijacking attacks, presenting a stronger threat model and higher applicability in real-world contexts.