Model privacy: a unified framework for understanding model stealing attacks and defences

Ganghua Wang et al.

Journal of the Royal Statistical Society. Series B: Statistical Methodology, 2026 (article)
https://doi.org/10.1093/jrsssb/qkag059

AJG rating: 4
Evidence weight: 0.50

Abstract

The use of machine learning (ML) has become increasingly prevalent in various domains, highlighting the importance of understanding and ensuring its safety. One pressing concern is the vulnerability of ML applications to model stealing attacks. These attacks involve adversaries attempting to recover a learned model through limited query-response interactions, such as those found in cloud-based services or on-chip artificial intelligence interfaces. While existing literature proposes various attack and defence strategies, these often lack a theoretical foundation and standardized evaluation criteria. In response, this work presents a framework called ‘Model Privacy’, providing a foundation for comprehensively analysing model stealing attacks and defences. We establish a rigorous formulation for the threat model and objectives, propose methods to quantify the goodness of attack and defence strategies, and analyse the fundamental trade-offs between utility and privacy in ML models. Our developed theory offers valuable insights into enhancing the security of ML models, especially highlighting the importance of the query-dependent structure of perturbations for effective defences. We demonstrate the application of model privacy from the defender’s perspective through various learning scenarios. Extensive experiments corroborate the insights and the effectiveness of defence mechanisms developed under the proposed framework.


Cite this paper

https://doi.org/10.1093/jrsssb/qkag059

Or copy a formatted citation

@article{ganghua2026,
  title        = {{Model privacy: a unified framework for understanding model stealing attacks and defences}},
  author       = {Wang, Ganghua and others},
  journal      = {Journal of the Royal Statistical Society. Series B: Statistical Methodology},
  year         = {2026},
  doi          = {10.1093/jrsssb/qkag059},
}



Evidence weight

0.50

Balanced mode: F 0.40 / M 0.15 / V 0.05 / R 0.40

F (citation impact): 0.50 × 0.40 = 0.20
M (momentum): 0.50 × 0.15 = 0.07
V (venue signal): 0.50 × 0.05 = 0.03
R (text relevance) †: 0.50 × 0.40 = 0.20

† Text relevance is estimated at 0.50 on the detail page; for your query’s actual relevance score, open this paper from a search result.