Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

QUEEN: Query Unlearning against Model Extraction

Huajie Chen, Tianqing Zhu, Lefeng Zhang, Bo Liu, Derui Wang, Wanlei Zhou, Minhui Xue

TL;DR

QUEEN (QUEry unlEarNing) is proposed that proactively launches counterattacks on potential model extraction attacks from the very beginning and outperforms the state-of-the-art defenses against various model extraction attacks with a relatively low cost to the model accuracy.

Abstract

Model extraction attacks currently pose a non-negligible threat to the security and privacy of deep learning models. By querying the model with a small dataset and usingthe query results as the ground-truth labels, an adversary can steal a piracy model with performance comparable to the original model. Two key issues that cause the threat are, on the one hand, accurate and unlimited queries can be obtained by the adversary; on the other hand, the adversary can aggregate the query results to train the model step by step. The existing defenses usually employ model watermarking or fingerprinting to protect the ownership. However, these methods cannot proactively prevent the violation from happening. To mitigate the threat, we propose QUEEN (QUEry unlEarNing) that proactively launches counterattacks on potential model extraction attacks from the very beginning. To limit the potential threat, QUEEN has sensitivity measurement and outputs perturbation that prevents the adversary from training a piracy model with high performance. In sensitivity measurement, QUEEN measures the single query sensitivity by its distance from the center of its cluster in the feature space. To reduce the learning accuracy of attacks, for the highly sensitive query batch, QUEEN applies query unlearning, which is implemented by gradient reverse to perturb the softmax output such that the piracy model will generate reverse gradients to worsen its performance unconsciously. Experiments show that QUEEN outperforms the state-of-the-art defenses against various model extraction attacks with a relatively low cost to the model accuracy. The artifact is publicly available at https://anonymous.4open.science/r/queen implementation-5408/.

QUEEN: Query Unlearning against Model Extraction

TL;DR

QUEEN (QUEry unlEarNing) is proposed that proactively launches counterattacks on potential model extraction attacks from the very beginning and outperforms the state-of-the-art defenses against various model extraction attacks with a relatively low cost to the model accuracy.

Abstract

Model extraction attacks currently pose a non-negligible threat to the security and privacy of deep learning models. By querying the model with a small dataset and usingthe query results as the ground-truth labels, an adversary can steal a piracy model with performance comparable to the original model. Two key issues that cause the threat are, on the one hand, accurate and unlimited queries can be obtained by the adversary; on the other hand, the adversary can aggregate the query results to train the model step by step. The existing defenses usually employ model watermarking or fingerprinting to protect the ownership. However, these methods cannot proactively prevent the violation from happening. To mitigate the threat, we propose QUEEN (QUEry unlEarNing) that proactively launches counterattacks on potential model extraction attacks from the very beginning. To limit the potential threat, QUEEN has sensitivity measurement and outputs perturbation that prevents the adversary from training a piracy model with high performance. In sensitivity measurement, QUEEN measures the single query sensitivity by its distance from the center of its cluster in the feature space. To reduce the learning accuracy of attacks, for the highly sensitive query batch, QUEEN applies query unlearning, which is implemented by gradient reverse to perturb the softmax output such that the piracy model will generate reverse gradients to worsen its performance unconsciously. Experiments show that QUEEN outperforms the state-of-the-art defenses against various model extraction attacks with a relatively low cost to the model accuracy. The artifact is publicly available at https://anonymous.4open.science/r/queen implementation-5408/.
Paper Structure (27 sections, 36 equations, 8 figures, 12 tables, 4 algorithms)

This paper contains 27 sections, 36 equations, 8 figures, 12 tables, 4 algorithms.

Table of Contents

  1. Introduction
  2. Preliminaries and Related Work
  3. Model Extraction Attacks
  4. Defenses against Model Extraction Attacks
  5. Problem Definition
  6. Threat Model
  7. Concepts of Defense Mechanism
  8. QUEEN Method
  9. Overview of QUEEN
  10. Sensitivity Analysis
  11. Sensitivity Measurement
  12. Output Perturbation
  13. Theoretical Analysis
  14. Feasibility of Gradient Reverse
  15. Certifiability
  16. ...and 12 more sections

Figures (8)

  • Figure 1: The overview of QUEEN. For any sequence of queries, QUEEN first measures the sensitivity of each query, and then performs output perturbation accordingly to create perturbed softmax outputs. The piracy network trained with such queries and perturbed outputs will not have comparable performance to the original model.
  • Figure 2: Sensitivity Measurement. The CQS is the sum of the red/queried area over the gray/sensitive area.
  • Figure 3: The workflow of QUEEN. After sensitivity measurement, there are four conditions where the output is either honestly returned or perturbed with gradient reverse or feature perturbation.
  • Figure 4: The results of KS test on the outputs of the piracy models.
  • Figure 5: The impact of selection of the threshold $t$ on CIFAR-10.
  • ...and 3 more figures