Yanjiao Chen,Rui Guan,Xueluan Gong,Jianshuo Dong,Meng Xue

DOI: https://doi.org/10.1109/sp46215.2023.10179406

2023-01-01

Abstract:Recent studies show that machine learning models are vulnerable to model extraction attacks, where the adversary builds a substitute model that achieves almost the same performance of a black-box victim model simply via querying the victim model. To defend against such attacks, a series of methods have been proposed to disrupt the query results before returning them to potential attackers, greatly degrading the performance of existing model extraction attacks. In this paper, we make the first attempt to develop a defensepenetrating model extraction attack framework, named D- DAE, which aims to break disruption-based defenses. The linchpins of D- DAE are the design of two modules, i.e., disruption detection and disruption recovery, which can be integrated with generic model extraction attacks. More specifically, after obtaining query results from the victim model, the disruption detection module infers the defense mechanism adopted by the defender. We design a meta-learning-based disruption detection algorithm for learning the fundamental differences between the distributions of disrupted and undisrupted query results. The algorithm features a good generalization property even if we have no access to the original training dataset of the victim model. Given the detected defense mechanism, the disruption recovery module tries to restore a clean query result from the disrupted query result with well-designed generative models. Our extensive evaluations on MNIST, FashionMNIST, CIFAR-10, GTSRB, and ImageNette datasets demonstrate that D- DAE can enhance the substitute model accuracy of the existing model extraction attacks by as much as 82.24% in the face of 4 state-of-the-art defenses and combinations of multiple defenses. We also verify the effectiveness of D-DAE in penetrating unknown defenses in real-world APIs hosted by Microsoft Azure and Face++.

Xuefang Wang,Wenbin Zhang,Yuchun Chu,Peishun Liu,Qilin Yin,Qi Li

DOI: https://doi.org/10.1109/pic53636.2021.9687066

2021-01-01

Abstract:The Algorithms of object detection are usually difficult to deploy on low-end devices due to the large amount of computation, but knowledge distillation can solve this problem by training small models to learn the already trained complex network models, realizing model compression, and effectively reducing the amount of computation. How to transfer rich knowledge from teachers to students is a key step in the knowledge distillation. To solve this problem, this paper uses the knowledge of the teacher to guide the student network training in feature extraction, target classification and frame prediction, and proposes a distillation algorithm based on multi-scale attention mechanism, which uses attention mechanism to integrate different scale features. The correlation of features between different channels is learned by assigning weights to the features of each channel. The distillation algorithm proposed in this paper is based on YOLOv4, so it can strengthen the student network to learn the key knowledge of the teacher network, and make the knowledge of the teacher network How to the student network better. Experimental analysis shows that it can effectively improve the detection accuracy of the student network. The size of the model is only 6.4% of the teacher network, but the speed is increased by 3 times, and mAP is 5.7% higher than the original student network and 2.1% lower than the teacher network.

Tao Wang,Li Yuan,Xiaopeng Zhang,Jiashi Feng

DOI: https://doi.org/10.1109/cvpr.2019.00507

2019-06-01

Abstract:State-of-the-art CNN based recognition models are often computationally prohibitive to deploy on low-end devices. A promising high level approach tackling this limitation is knowledge distillation, which let small student model mimic cumbersome teacher model’s output to get improved generalization. However, related methods mainly focus on simple task of classification while do not consider complex tasks like object detection. We show applying the vanilla knowledge distillation to detection model gets minor gain. To address the challenge of distilling knowledge in detection model, we propose a fine-grained feature imitation method exploiting the cross-location discrepancy of feature response. Our intuition is that detectors care more about local near object regions. Thus the discrepancy of feature response on the near object anchor locations reveals important information of how teacher model tends to generalize. We design a novel mechanism to estimate those locations and let student model imitate the teacher on them to get enhanced performance. We first validate the idea on a developed lightweight toy detector which carries simplest notion of current state-of-the-art anchor based detection models on challenging KITTI dataset, our method generates up to 15% boost of mAP for the student model compared to the non-imitated counterpart. We then extensively evaluate the method with Faster R-CNN model under various scenarios with common object detection benchmark of Pascal VOC and COCO, imitation alleviates up to 74% performance drop of student model compared to teacher. Codes released at https://github.com/twangnh/Distilling-Object-Detectors

Qiongkai Xu,Xuanli He,Lingjuan Lyu,Lizhen Qu,Gholamreza Haffari

DOI: https://doi.org/10.48550/arXiv.2108.13873

2021-08-29

Cryptography and Security

Abstract:Machine-learning-as-a-service (MLaaS) has attracted millions of users to their splendid large-scale models. Although published as black-box APIs, the valuable models behind these services are still vulnerable to imitation attacks. Recently, a series of works have demonstrated that attackers manage to steal or extract the victim models. Nonetheless, none of the previous stolen models can outperform the original black-box APIs. In this work, we conduct unsupervised domain adaptation and multi-victim ensemble to showing that attackers could potentially surpass victims, which is beyond previous understanding of model extraction. Extensive experiments on both benchmark datasets and real-world APIs validate that the imitators can succeed in outperforming the original black-box models on transferred domains. We consider our work as a milestone in the research of imitation attack, especially on NLP APIs, as the superior performance could influence the defense or even publishing strategy of API providers.

Gang Li,Xiang Li,Yujie Wang,Shanshan Zhang,Yichao Wu,Ding Liang

DOI: https://doi.org/10.1609/aaai.v36i2.20018

2022-06-28

Proceedings of the AAAI Conference on Artificial Intelligence

Abstract:Knowledge Distillation (KD) is a widely-used technology to inherit information from cumbersome teacher models to compact student models, consequently realizing model compression and acceleration. Compared with image classification, object detection is a more complex task, and designing specific KD methods for object detection is non-trivial. In this work, we elaborately study the behaviour difference between the teacher and student detection models, and obtain two intriguing observations: First, the teacher and student rank their detected candidate boxes quite differently, which results in their precision discrepancy. Second, there is a considerable gap between the feature response differences and prediction differences between teacher and student, indicating that equally imitating all the feature maps of the teacher is the sub-optimal choice for improving the student's accuracy. Based on the two observations, we propose Rank Mimicking (RM) and Prediction-guided Feature Imitation (PFI) for distilling one-stage detectors, respectively. RM takes the rank of candidate boxes from teachers as a new form of knowledge to distill, which consistently outperforms the traditional soft label distillation. PFI attempts to correlate feature differences with prediction differences, making feature imitation directly help to improve the student's accuracy. On MS COCO and PASCAL VOC benchmarks, extensive experiments are conducted on various detectors with different backbones to validate the effectiveness of our method. Specifically, RetinaNet with ResNet50 achieves 40.4% mAP on MS COCO, which is 3.5% higher than its baseline, and also outperforms previous KD methods.

English Else

Jun Guo,Aishan Liu,Xingyu Zheng,Siyuan Liang,Yisong Xiao,Yichao Wu,Xianglong Liu

2023-08-03

Abstract:Despite the broad application of Machine Learning models as a Service (MLaaS), they are vulnerable to model stealing attacks. These attacks can replicate the model functionality by using the black-box query process without any prior knowledge of the target victim model. Existing stealing defenses add deceptive perturbations to the victim's posterior probabilities to mislead the attackers. However, these defenses are now suffering problems of high inference computational overheads and unfavorable trade-offs between benign accuracy and stealing robustness, which challenges the feasibility of deployed models in practice. To address the problems, this paper proposes Isolation and Induction (InI), a novel and effective training framework for model stealing defenses. Instead of deploying auxiliary defense modules that introduce redundant inference time, InI directly trains a defensive model by isolating the adversary's training gradient from the expected gradient, which can effectively reduce the inference computational cost. In contrast to adding perturbations over model predictions that harm the benign accuracy, we train models to produce uninformative outputs against stealing queries, which can induce the adversary to extract little useful knowledge from victim models with minimal impact on the benign performance. Extensive experiments on several visual classification datasets (e.g., MNIST and CIFAR10) demonstrate the superior robustness (up to 48% reduction on stealing accuracy) and speed (up to 25.4x faster) of our InI over other state-of-the-art methods. Our codes can be found in <a class="link-external link-https" href="https://github.com/DIG-Beihang/InI-Model-Stealing-Defense" rel="external noopener nofollow">this https URL</a>.

Cryptography and Security,Artificial Intelligence

Xiang Li,Yuchen Jiang,Chenglin Liu,Shaochong Liu,Hao Luo,Shen Yin

DOI: https://doi.org/10.1109/tai.2021.3107807

2022-02-01

IEEE Transactions on Artificial Intelligence

Abstract:In the fields of deep learning and computer vision, the security of object detection models has received extensive attention. Revealing the security vulnerabilities resulting from adversarial attacks has become one of the most important research directions. Existing studies show that object detection models can also be threatened by adversarial examples, just like other deep-neural-network-based models, e.g., those for classification. In this article, we propose a bidirectional adversarial attack method. First, the added perturbation pushes the prediction results given by the object detectors far away from the ground-truth class while getting close to the background class. Second, a confidence loss function is designed for the region proposal network to reduce the foreground scores. Third, the adversarial examples are generated by a pretrained autoencoder, and the model is trained using an adversarial approach, which can enhance the similarity between the adversarial examples and the original image and speed up algorithm convergence. The proposed method was verified on the most popular two-stage detection framework (Faster R-CNN), and 55.1 drop in the mean average precision (mAP-drop) was obtained. In addition, the adversarial examples have superior transferability, migrating which to the common one-stage detection framework (YOLOv3) gets a 39.5 mAP-drop.

English Else

Itay Mosafi,Eli David,Yaniv Altshuler,Nathan S. Netanyahu,Eli (Omid) David

DOI: https://doi.org/10.3390/e24030349

IF: 2.738

2022-02-28

Entropy

Abstract:As state-of-the-art deep neural networks are being deployed at the core level of increasingly large numbers of AI-based products and services, the incentive for “copying them” (i.e., their intellectual property, manifested through the knowledge that is encapsulated in them) either by adversaries or commercial competitors is expected to considerably increase over time. The most efficient way to extract or steal knowledge from such networks is by querying them using a large dataset of random samples and recording their output, which is followed by the training of a student network, aiming to eventually mimic these outputs, without making any assumption about the original networks. The most effective way to protect against such a mimicking attack is to answer queries with the classification result only, omitting confidence values associated with the softmax layer. In this paper, we present a novel method for generating composite images for attacking a mentor neural network using a student model. Our method assumes no information regarding the mentor’s training dataset, architecture, or weights. Furthermore, assuming no information regarding the mentor’s softmax output values, our method successfully mimics the given neural network and is capable of stealing large portions (and sometimes all) of its encapsulated knowledge. Our student model achieved 99% relative accuracy to the protected mentor model on the Cifar-10 test set. In addition, we demonstrate that our student network (which copies the mentor) is impervious to watermarking protection methods and thus would evade being detected as a stolen model by existing dedicated techniques. Our results imply that all current neural networks are vulnerable to mimicking attacks, even if they do not divulge anything but the most basic required output, and that the student model that mimics them cannot be easily detected using currently available techniques.

physics, multidisciplinary

Mingyi Zhou,Jing Wu,Yipeng Liu,Xiaolin Huang,Shuaicheng Liu,Xiang Zhang,Ce Zhu

DOI: https://doi.org/10.48550/arXiv.2003.12760

2020-03-28

Cryptography and Security

Abstract:Deep learning models are known to be vulnerable to adversarial examples. A practical adversarial attack should require as little as possible knowledge of attacked models. Current substitute attacks need pre-trained models to generate adversarial examples and their attack success rates heavily rely on the transferability of adversarial examples. Current score-based and decision-based attacks require lots of queries for the attacked models. In this study, we propose a novel adversarial imitation attack. First, it produces a replica of the attacked model by a two-player game like the generative adversarial networks (GANs). The objective of the generative model is to generate examples that lead the imitation model returning different outputs with the attacked model. The objective of the imitation model is to output the same labels with the attacked model under the same inputs. Then, the adversarial examples generated by the imitation model are utilized to fool the attacked model. Compared with the current substitute attacks, imitation attacks can use less training data to produce a replica of the attacked model and improve the transferability of adversarial examples. Experiments demonstrate that our imitation attack requires less training data than the black-box substitute attacks, but achieves an attack success rate close to the white-box attack on unseen data with no query.

Jian Liu,Yubo Chen,Kang Liu

DOI: https://doi.org/10.1609/aaai.v33i01.33016754

2019-01-01

Abstract:The ambiguity in language expressions poses a great challenge for event detection. To disambiguate event types, current approaches rely on external NLP toolkits to build knowledge representations. Unfortunately, these approaches work in a pipeline paradigm and suffer from error propagation problem. In this paper, we propose an adversarial imitation based knowledge distillation approach, for the first time, to tackle the challenge of acquiring knowledge from raw-sentences for event detection. In our approach, a teacher module is first devised to learn the knowledge representations from the ground-truth annotations. Then, we set up a student module that only takes the raw-sentences as the input. The student module is taught to imitate the behavior of the teacher under the guidance of an adversarial discriminator. By this way, the process of knowledge distillation from raw-sentence has been implicitly integrated into the feature encoding stage of the student module. To the end, the enhanced student is used for event detection, which processes raw texts and requires no extra toolkits, naturally eliminating the error propagation problem faced by pipeline approaches. We conduct extensive experiments on the ACE 2005 datasets, and the experimental results justify the effectiveness of our approach.

Xinqiao Zhang,Huili Chen,Ke Huang,Farinaz Koushanfar

DOI: https://doi.org/10.48550/arXiv.2204.04329

2022-04-09

Abstract:With the surge of Machine Learning (ML), An emerging amount of intelligent applications have been developed. Deep Neural Networks (DNNs) have demonstrated unprecedented performance across various fields such as medical diagnosis and autonomous driving. While DNNs are widely employed in security-sensitive fields, they are identified to be vulnerable to Neural Trojan (NT) attacks that are controlled and activated by stealthy triggers. In this paper, we target to design a robust and adaptive Trojan detection scheme that inspects whether a pre-trained model has been Trojaned before its deployment. Prior works are oblivious of the intrinsic property of trigger distribution and try to reconstruct the trigger pattern using simple heuristics, i.e., stimulating the given model to incorrect outputs. As a result, their detection time and effectiveness are limited. We leverage the observation that the pixel trigger typically features spatial dependency and propose the first trigger approximation based black-box Trojan detection framework that enables a fast and scalable search of the trigger in the input space. Furthermore, our approach can also detect Trojans embedded in the feature space where certain filter transformations are used to activate the Trojan. We perform extensive experiments to investigate the performance of our approach across various datasets and ML models. Empirical results show that our approach achieves a ROC-AUC score of 0.93 on the public TrojAI dataset. Our code can be found at <a class="link-external link-https" href="https://github.com/xinqiaozhang/adatrojan" rel="external noopener nofollow">this https URL</a>

Cryptography and Security,Machine Learning

Zeyu Li,Chenghui Shi,Yuwen Pu,Xuhong Zhang,Yu Li,Jinbao Li,Shouling Ji

2023-01-01

Abstract:The widespread use of deep learning technology across various industries has made deep neural network models highly valuable and, as a result, attractive targets for potential attackers. Model extraction attacks, particularly query-based model extraction attacks, allow attackers to replicate a substitute model with comparable functionality to the victim model and present a significant threat to the confidentiality and security of MLaaS platforms. While many studies have explored threats of model extraction attacks against classification models in recent years, object detection models, which are more frequently used in real-world scenarios, have received less attention. In this paper, we investigate the challenges and feasibility of query-based model extraction attacks against object detection models and propose an effective attack method called MEAOD. It selects samples from the attacker-possessed dataset to construct an efficient query dataset using active learning and enhances the categories with insufficient objects. We additionally improve the extraction effectiveness by updating the annotations of the query dataset. According to our gray-box and black-box scenarios experiments, we achieve an extraction performance of over 70% under the given condition of a 10k query budget.

Ahmed Shafee,Mohamed Baza,Douglas A. Talbert,Mostafa M. Fouda,Mahmoud Nabil,Mohamed Mahmoud

DOI: https://doi.org/10.48550/arXiv.1905.00919

2020-02-19

Abstract:Purveyors of malicious network attacks continue to increase the complexity and the sophistication of their techniques, and their ability to evade detection continues to improve as well. Hence, intrusion detection systems must also evolve to meet these increasingly challenging threats. Machine learning is often used to support this needed improvement. However, training a good prediction model can require a large set of labelled training data. Such datasets are difficult to obtain because privacy concerns prevent the majority of intrusion detection agencies from sharing their sensitive data. In this paper, we propose the use of mimic learning to enable the transfer of intrusion detection knowledge through a teacher model trained on private data to a student model. This student model provides a mean of publicly sharing knowledge extracted from private data without sharing the data itself. Our results confirm that the proposed scheme can produce a student intrusion detection model that mimics the teacher model without requiring access to the original dataset.

Cryptography and Security,Machine Learning

Kirill Lukyanov,Andrew Perminov,Denis Turdakov,Mikhail Pautov

2024-10-21

Abstract:The vulnerability of artificial neural networks to adversarial perturbations in the black-box setting is widely studied in the literature. The majority of attack methods to construct these perturbations suffer from an impractically large number of queries required to find an adversarial example. In this work, we focus on knowledge distillation as an approach to conduct transfer-based black-box adversarial attacks and propose an iterative training of the surrogate model on an expanding dataset. This work is the first, to our knowledge, to provide provable guarantees on the success of knowledge distillation-based attack on classification neural networks: we prove that if the student model has enough learning capabilities, the attack on the teacher model is guaranteed to be found within the finite number of distillation iterations.

Machine Learning,Artificial Intelligence

Chengxiao Luo,Yiming Li,Yong Jiang,Shu-Tao Xia

DOI: https://doi.org/10.1109/icassp49357.2023.10095980

2022-01-01

Abstract:Recent studies revealed that deep neural networks (DNNs) are exposed to backdoor threats when training with third-party resources (such as training samples or backbones). The back-doored model has promising performance in predicting benign samples, whereas its predictions can be maliciously manipulated by adversaries based on activating its backdoors with pre-defined trigger patterns. Currently, most of the existing backdoor attacks were conducted on the image classification under the targeted manner. In this paper, we reveal that these threats could also happen in object detection, posing threatening risks to many mission-critical applications (e.g., pedestrian detection and intelligent surveillance systems). Specifically, we design a simple yet effective poison-only backdoor attack in an untargeted manner, based on task characteristics. We show that, once the backdoor is embedded into the target model by our attack, it can trick the model to lose detection of any object stamped with our trigger patterns. We conduct extensive experiments on the benchmark dataset, showing its effectiveness in both digital and physical-world settings and its resistance to potential defenses.

Jacson Rodrigues Correia-Silva,Rodrigo F. Berriel,Claudine Badue,Alberto F. de Souza,Thiago Oliveira-Santos

DOI: https://doi.org/10.1109/IJCNN.2018.8489592

2018-06-14

Abstract:In the past few years, Convolutional Neural Networks (CNNs) have been achieving state-of-the-art performance on a variety of problems. Many companies employ resources and money to generate these models and provide them as an API, therefore it is in their best interest to protect them, i.e., to avoid that someone else copies them. Recent studies revealed that state-of-the-art CNNs are vulnerable to adversarial examples attacks, and this weakness indicates that CNNs do not need to operate in the problem domain (PD). Therefore, we hypothesize that they also do not need to be trained with examples of the PD in order to operate in it. Given these facts, in this paper, we investigate if a target black-box CNN can be copied by persuading it to confess its knowledge through random non-labeled data. The copy is two-fold: i) the target network is queried with random data and its predictions are used to create a fake dataset with the knowledge of the network; and ii) a copycat network is trained with the fake dataset and should be able to achieve similar performance as the target network. This hypothesis was evaluated locally in three problems (facial expression, object, and crosswalk classification) and against a cloud-based API. In the copy attacks, images from both non-problem domain and PD were used. All copycat networks achieved at least 93.7% of the performance of the original models with non-problem domain data, and at least 98.6% using additional data from the PD. Additionally, the copycat CNN successfully copied at least 97.3% of the performance of the Microsoft Azure Emotion API. Our results show that it is possible to create a copycat CNN by simply querying a target network as black-box with random non-labeled data.

Computer Vision and Pattern Recognition,Machine Learning

Zhuo Leng,Zesen Cheng,Pengxu Wei,Jie Chen

DOI: https://doi.org/10.1007/978-981-99-8555-5_22

2024-01-01

Abstract:Deep neural networks have been demonstrated to be vulnerable to adversarial noise from attacks. Compared with white-box attacks, black-box attacks fool deep neural networks to yield erroneous predictions without knowing the model parameters. Black-box attacks include query-based attacks and transfer-based attacks; the former rely on querying the model while the latter just rely on the transferability of adversarial examples, thus challenging. Existing transfer-based black-box adversarial attack methods focus on the image classification task. Especially, we empirically verify that those methods struggle to balance the attack on objects with different classes and sizes, and thus they perform poorly in the attack on object detectors. In this work, we propose an Object-Aware mechanism to address this issue. It includes Object-Wise Gradient (OWG) calculation to balance the attack on multiple objects and a Domain-Division Map (DDM) to weigh the attack in size. Incorporating our method with seminal baselines (e.g., I-FGSM, MI-FGSM), we achieve superior attack performance on multiple object detectors (e.g., Faster R-CNN, DETR, SSD), which justifies the effectiveness and generality of our method.

Shuai Zhou,Tianqing Zhu,Dayong Ye,Wanlei Zhou,Wei Zhao

DOI: https://doi.org/10.1109/tifs.2024.3376190

IF: 7.231

2024-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Model stealing attacks involve creating copies of machine learning models that have similar functionalities to the original model without proper authorization. Such attacks raise significant concerns about the intellectual property of the machine learning models. Nonetheless, current defense mechanisms against such attacks tend to exhibit certain drawbacks, notably in terms of utility, and robustness. For example, watermarking-based defenses require victim models to be retrained for embedding watermarks, which can potentially impact the main task performance. Moreover, other defenses, especially fingerprinting-based methods, often rely on specific samples like adversarial examples to verify ownership of the target model. These approaches might prove less robust against adaptive attacks, such as model stealing with adversarial training. It remains unclear whether normal examples, as opposed to adversarial ones, can effectively reflect the characteristics of stolen models. To tackle these challenges, we propose a novel method that leverages a neural network as a decoder to inverse the suspicious model’s outputs. Inspired by model inversion attacks, we argue that this decoding process will unveil hidden patterns inherent in the original outputs of the suspicious model. Drawing from these decoding outcomes, we calculate specific metrics to determine the legitimacy of the suspicious models. We validate the efficacy of our defense technique against diverse model stealing attacks, specifically within the domain of classification tasks based on deep neural networks.

computer science, theory & methods,engineering, electrical & electronic

Fangzhen Zhao,Chenyi Zhang,Naipeng Dong,Ming Li

DOI: https://doi.org/10.1142/s0218001423500313

IF: 1.261

2024-01-01

International Journal of Pattern Recognition and Artificial Intelligence

Abstract:International Journal of Pattern Recognition and Artificial Intelligence, Ahead of Print. Deep Neural Networks (DNNs) can be easily fooled by inputs that are crafted by adversaries. For example, an adversarial image can be forged by adding to an image a tiny perturbation which is often unnoticeable by human eyes, though the semantic interpretations of the original image and the adversarial image, which are represented as outputs of a DNN, may be drastically different. This weakness can potentially lead to serious consequences in security-critical applications such as medical diagnostic tests and self-driving vehicles. Most existing approaches for adversarial detection only have satisfactory performance for specific types of attacks. These methods do not generalize their performances when applied to a broad range of attacks, models or datasets. In this work, we propose a new adversarial detection method called Adversarial Detection from Derived Models (ADDM), which applies derived models to "simulate" the functionality of a DNN, and analyzes the distribution for the neuron activation values in the derived models as indicators for adversarial inputs. In order to further enhance performance, we propose a heuristic that selects neurons from the derived models that are sensitive to perturbations. We compare our approach with six existing adversarial detection approaches of different methodologies, and the experimental result confirms that the proposed approach has generally better performance regarding stability over different types of adversarial attacks on a variety of tested DNN models and datasets.

computer science, artificial intelligence