
CREDIT: Certified Ownership Verification of Deep Neural Networks Against Model Extraction Attacks

Bolin Shen, Zhan Cheng, Neil Zhenqiang Gong, Fan Yao, Yushun Dong

TL;DR

This work employs mutual information to quantify the similarity between DNN models, proposes a practical verification threshold, and provides rigorous theoretical guarantees for ownership verification based on this threshold, achieving state-of-the-art performance.

Abstract

Machine Learning as a Service (MLaaS) has emerged as a widely adopted paradigm for providing access to deep neural network (DNN) models, enabling users to conveniently leverage these models through standardized APIs. However, such services are highly vulnerable to Model Extraction Attacks (MEAs), where an adversary repeatedly queries a target model to collect input-output pairs and uses them to train a surrogate model that closely replicates its functionality. While numerous defense strategies have been proposed, verifying the ownership of a suspicious model with strict theoretical guarantees remains a challenging task. To address this gap, we introduce CREDIT, a certified ownership verification against MEAs. Specifically, we employ mutual information to quantify the similarity between DNN models, propose a practical verification threshold, and provide rigorous theoretical guarantees for ownership verification based on this threshold. We extensively evaluate our approach on several mainstream datasets across different domains and tasks, achieving state-of-the-art performance. Our implementation is publicly available at: https://github.com/LabRAI/CREDIT.

Paper Structure (41 sections, 6 theorems, 41 equations, 1 figure, 9 tables)

Key Result

Theorem 3.1

Let $X=(X_1,\dots,X_n)\sim P_X^n$ be a collection of $n$ independent entries, and let $f:\mathcal{X} \to \mathbb{R}^d$ be a function with global $\ell_2$ sensitivity $\Delta = \sup_{x,x'} \|e_f(x)-e_f(x')\|_2,$ where $x$ and $x'$ denote neighboring datapoints. Consider the Gaussian mechanism defined

Figures (1)

  • Figure 1: Analysis of the reliability of certification under different choices of $\sigma$.

Theorems & Definitions (15)

  • Definition 2.1: Certified Ownership Verification Against MEA
  • Theorem 3.1: Mutual Information Bound
  • Theorem 3.2: Tightness
  • Definition 3.3: CREDIT Threshold for Ownership Verification
  • Theorem 3.4: Certified Ownership Verification Guarantee
  • Definition 2.1: Gaussian Mechanism
  • Theorem 2.2: Mutual Information Bound for the Gaussian Mechanism
  • Definition 2.3: Data Processing Inequality, DPI
  • Lemma 2.4: Markov Chain from a Common Ancestor
  • Proof: Proof of Lemma 2.4 (Markov Chain from a Common Ancestor)
  • ...and 5 more