Model Privacy: A Unified Framework for Understanding Model Stealing Attacks and Defenses
Ganghua Wang, Yuhong Yang, Jie Ding

TL;DR
This paper introduces a comprehensive framework called 'Model Privacy' to analyze and improve defenses against model stealing attacks in machine learning, emphasizing theoretical foundations and tradeoffs.
Contribution
It provides a rigorous threat model, quantifies attack and defense strategies, and analyzes utility-privacy tradeoffs, advancing understanding of model security.
Findings
Framework offers a unified way to analyze model stealing attacks and defenses.
Tradeoffs between model utility and privacy are fundamental and quantifiable.
Experimental results validate the effectiveness of proposed defense mechanisms.
Abstract
The use of machine learning (ML) has become increasingly prevalent in various domains, highlighting the importance of understanding and ensuring its safety. One pressing concern is the vulnerability of ML applications to model stealing attacks. These attacks involve adversaries attempting to recover a learned model through limited query-response interactions, such as those found in cloud-based services or on-chip artificial intelligence interfaces. While existing literature proposes various attack and defense strategies, these often lack a theoretical foundation and standardized evaluation criteria. In response, this work presents a framework called "Model Privacy", providing a foundation for comprehensively analyzing model stealing attacks and defenses. We establish a rigorous formulation for the threat model and objectives, propose methods to quantify the goodness of attack and…
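The query-response threat model sketched in the abstract, as an added toy simulation that is not code from the paper: a linear model exposed only through a query API, an extraction attack that reads its parameters back from d+1 queries, and two generic defenses (perturbed responses and a query budget) with a utility number and a privacy number computed for each setting. The victim parameters, the noise model, the hash-seeded variant of the defense, the metrics and all constants are constructed here for illustration and are not the paper's definitions.

```python
"""Toy model-stealing simulation (constructed example, not the paper's method):
a query-only linear model, an extraction attack, two generic defenses, and the
utility/privacy numbers for each setting."""
import hashlib
import random

# Constructed victim: a linear model the attacker can query but not inspect.
SECRET_W = [2.0, -1.0, 0.5]
SECRET_B = 0.25


def victim_predict(x):
    """Hidden model f(x) = w.x + b; the attacker only ever sees its outputs."""
    return sum(wi * xi for wi, xi in zip(SECRET_W, x)) + SECRET_B


class Defender:
    """Serves the victim behind an API. `mode` selects the defense:
      'none'   - answer exactly
      'random' - add fresh bounded noise in [-sigma, sigma] to every response
      'seeded' - derive the noise from a hash of the query, so repeating the same
                 query returns the same perturbed answer (an assumed, generic way
                 to stop noise-averaging; not the paper's defense)
    A query budget applies in every mode."""

    def __init__(self, mode="none", sigma=0.0, budget=10**6):
        self.mode, self.sigma, self.budget = mode, sigma, budget
        self.rng = random.Random(12345)  # constructed seed for reproducibility
        self.queries = 0

    def query(self, x):
        if self.queries >= self.budget:
            raise RuntimeError("query budget exhausted")
        self.queries += 1
        y = victim_predict(x)
        if self.mode == "random":
            y += self.rng.uniform(-self.sigma, self.sigma)
        elif self.mode == "seeded":
            digest = hashlib.sha256(repr(x).encode()).digest()
            local = random.Random(int.from_bytes(digest[:8], "big"))
            y += local.uniform(-self.sigma, self.sigma)
        return y


def steal_linear(api, dim, repeats=1):
    """Extraction attack: query the origin and each unit vector, average
    `repeats` answers per point, then read off b = f(0) and w_i = f(e_i) - b.
    Averaging is the attacker's counter to fresh per-query noise."""
    def avg(x):
        return sum(api.query(x) for _ in range(repeats)) / repeats

    b_hat = avg([0.0] * dim)
    w_hat = []
    for i in range(dim):
        e = [0.0] * dim
        e[i] = 1.0
        w_hat.append(avg(e) - b_hat)
    return w_hat, b_hat


def param_error(w_hat, b_hat):
    """Privacy metric (constructed): largest absolute error between the stolen
    parameters and the true ones. 0.0 means the model was recovered exactly."""
    return max(abs(a - c) for a, c in zip(w_hat + [b_hat], SECRET_W + [SECRET_B]))


def utility_loss(api, n=200):
    """Utility metric (constructed): mean absolute error of the defended API
    on benign queries drawn from a fixed-seed distribution."""
    rng = random.Random(7)
    total = 0.0
    for _ in range(n):
        x = [rng.uniform(-1.0, 1.0) for _ in SECRET_W]
        total += abs(api.query(x) - victim_predict(x))
    return total / n


def run_experiment(mode, sigma, repeats):
    """Return (utility_loss, param_error) for one defense setting, using a
    fresh Defender instance for each metric so budgets do not interfere."""
    util = utility_loss(Defender(mode, sigma))
    w_hat, b_hat = steal_linear(Defender(mode, sigma), len(SECRET_W), repeats)
    return util, param_error(w_hat, b_hat)


if __name__ == "__main__":
    for mode, sigma, reps in [("none", 0.0, 1), ("random", 0.5, 1),
                              ("random", 0.5, 200), ("seeded", 0.5, 1),
                              ("seeded", 0.5, 200)]:
        util, err = run_experiment(mode, sigma, reps)
        print(f"{mode:7s} sigma={sigma} repeats={reps:3d} "
              f"utility_loss={util:.4f} param_error={err:.4f}")
```

Run as a script it prints one row per setting: with no defense the attacker recovers every parameter exactly from four queries; fresh per-query noise costs the defender accuracy on every benign answer yet is averaged away once the attacker repeats each query, while hash-seeded noise gives the same perturbed answer on every repeat so averaging buys nothing. The query budget is the one defense here that bounds the attacker regardless of noise, which is why the budget check in `Defender.query` runs in every mode.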
