【论文阅读】PRADA: Protecting Against DNN Model Stealing Attacks(2019)
摘要
Machine learning (ML) applications(应用) are increasingly prevalent(越来越普遍). Protecting the confidentiality(机密性) of ML models becomes paramount(重要) for two reasons: (a) a model can be a business advan tage(商业优势) to its owner, and (b) an adversary may use a stolen model to find transferable adversarial examples(寻找可转移的对抗示例) that can evade(逃避) classification by the original model. Access to the model(模型的访问权限) can be restricted(限制在) to be only via well-defined prediction APIs(只能通过定义良好的预测APIs). Nevertheless(尽管如此), prediction APIs still provide enough information(提供足够多的信息) to allow an adversary to mount model extraction attacks(模型提取攻击) by sending repeated queries(发生重复的查询) via the prediction API.
In this paper, we describe(描述) new model extraction attacks using novel approaches(新的方法) for generating synthetic queries(生产合成查询), and optimizing training hyperparameters(优化训练超参数). Our attacks outperform(优于) state-of-the art (最先进)model extraction in terms of transferability(可转移性) of both targeted and non-targeted adversarial examples(目标和非目标的对抗示例) (up to +29-44 percentage points 百分点, pp), and prediction accuracy(预测准确度&