Moshi Moshi? A Model Selection Hijacking Adversarial Attack

TL;DR

This work addresses the security of model selection in ML systems by introducing MOSHI, the first adversarial attack that hijacks the model selection phase through validation-set poisoning. The authors develop a Hijacking Variational Autoencoder (HVAE) that crafts validation samples optimizing a hijack metric (generalization, latency, energy, or $\ell_0$ activations) while preserving the victim’s loss metric and code, causing the selection to favor attacker-aligned configurations. Across MNIST, CIFAR10, and Speech Commands benchmarks, MOSHI achieves an average Attack Success Rate of $75.42\%$, with substantial practical impact including an $88.30\%$ drop in generalization, an $83.33\%$ increase in latency, and energy increases up to $105.85\%$. The study demonstrates strong transferability between white-box and black-box settings and discusses potential defenses, underscoring the need for securing the model selection phase in MLaaS and resource-constrained deployments.

Abstract

Model selection is a fundamental task in Machine Learning~(ML), focusing on selecting the most suitable model from a pool of candidates by evaluating their performance on specific metrics. This process ensures optimal performance, computational efficiency, and adaptability to diverse tasks and environments. Despite its critical role, its security from the perspective of adversarial ML remains unexplored. This risk is heightened in the Machine-Learning-as-a-Service model, where users delegate the training phase and the model selection process to third-party providers, supplying data and training strategies. Therefore, attacks on model selection could harm both the user and the provider, undermining model performance and driving up operational costs. In this work, we present MOSHI (MOdel Selection HIjacking adversarial attack), the first adversarial attack specifically targeting model selection. Our novel approach manipulates model selection data to favor the adversary, even without prior knowledge of the system. Utilizing a framework based on Variational Auto Encoders, we provide evidence that an attacker can induce inefficiencies in ML deployment. We test our attack on diverse computer vision and speech recognition benchmark tasks and different settings, obtaining an average attack success rate of 75.42%. In particular, our attack causes an average 88.30% decrease in generalization capabilities, an 83.33% increase in latency, and an increase of up to 105.85% in energy consumption. These results highlight the significant vulnerabilities in model selection processes and their potential impact on real-world applications.

Figures (7)

• Figure 1: Schematic representation of the MOSHI threat model.
• Figure 2: Schematic representation of the generation process of $\mathcal{S}^{Val}_{pois}$. For simplicity, we reported samples from the MNIST dataset lecun2010mnist.
• Figure 3: Histogram comparing $\ell_0$ norm and energy consumption per layer on FFNNs from 1 to 10 layers of 32 neurons, trained on MNIST dataset with a learning rate of 0.001.
• Figure 4: Illustration of samples from $\mathcal{S}^{Val}$.
• Figure 5: White-Box (WB) and Black-Box (BB) poisoning rate impact.