CISPA

A Plot is Worth a Thousand Words: Model Information Stealing Attacks via Scientific Plots

conference contribution
posted on 2024-02-09, 09:21 authored by Boyang Zhang, X He, Yun Shen, Tianhao Wang, Yang Zhang
Building advanced machine learning (ML) models requires expert knowledge and many trials to discover the best architecture and hyperparameter settings. Previous work demonstrates that model information can be leveraged to assist other attacks, such as membership inference and generating adversarial examples. Therefore, such information, e.g., hyperparameters, should be kept confidential. It is well known that an adversary can leverage a target ML model's output to steal the model's information. In this paper, we discover a new side channel for model information stealing attacks, i.e., models' scientific plots, which are extensively used to demonstrate model performance and are easily accessible. Our attack is simple and straightforward. We leverage shadow model training techniques to generate training data for the attack model, which is essentially an image classifier. Extensive evaluation on three benchmark datasets shows that our proposed attack can effectively infer the architecture/hyperparameters of convolutional neural network (CNN) based image classifiers given the scientific plots generated from them. We also reveal that the attack's success is mainly caused by the shape of the scientific plots, and further demonstrate that the attacks are robust in various scenarios. Given the simplicity and effectiveness of the attack method, our study indicates that scientific plots indeed constitute a valid side channel for model information stealing attacks. To mitigate the attacks, we propose several defense mechanisms that can reduce the original attacks' accuracy while maintaining plot utility. However, such defenses can still be bypassed by adaptive attacks.

History

Primary Research Area

  • Trustworthy Information Processing

Name of Conference

Usenix Security Symposium (USENIX-Security)

Journal

USENIX Security Symposium (USENIX Security)

Page Range

5289-5306

Publisher

USENIX

BibTeX

@conference{Zhang:He:Shen:Wang:Zhang:2023,
  title     = "A Plot is Worth a Thousand Words: Model Information Stealing Attacks via Scientific Plots",
  author    = "Zhang, Boyang and He, X and Shen, Yun and Wang, Tianhao and Zhang, Yang",
  year      = 2023,
  month     = 2,
  journal   = "USENIX Security Symposium (USENIX Security)",
  pages     = "5289--5306",
  publisher = "USENIX"
}
