Stateful Detection of Adversarial Reprogramming

11/05/2022
by Yang Zheng, et al.

Adversarial reprogramming allows stealing computational resources by repurposing machine learning models to perform a different task chosen by the attacker. For example, a model trained to recognize images of animals can be reprogrammed to recognize medical images by embedding an adversarial program in the images provided as inputs. This attack can be perpetrated even if the target model is a black box, provided that the machine-learning model is offered as a service and the attacker can query the model and collect its outputs. So far, no defense has been demonstrated effective in this scenario. We show for the first time that this attack is detectable using stateful defenses, which store the queries made to the classifier and detect the abnormal cases in which they are similar to one another. Once a malicious query is detected, the account of the user who made it can be blocked. Thus, the attacker must create many accounts to perpetrate the attack. To decrease this number, the attacker could create the adversarial program against a surrogate classifier and then fine-tune it by making a few queries to the target model. In this scenario, the effectiveness of the stateful defense is reduced, but we show that it is still effective.
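The following is an added illustration of the stateful defense described in the abstract; it is not the paper's code. It keeps, per account, a history of coarse fingerprints of the images that account has submitted, and refuses (and blocks the account for) any query whose fingerprint lies too close to an earlier one, since reprogramming queries share the same adversarial frame and differ only in a small embedded payload. The tile-averaging fingerprint, the mean-absolute-difference metric, the threshold of 10, and the 16x16 sample images are all constructed assumptions chosen for the demonstration.

```python
from collections import defaultdict

# Added example, not the paper's implementation. Assumed parameters:
BLOCK = 4          # tile size for the coarse fingerprint
THRESHOLD = 10.0   # mean absolute difference below which two queries count as "similar"


def fingerprint(image, block=BLOCK):
    """Average each block x block tile of a grayscale image (list of rows of 0-255 ints)."""
    h, w = len(image), len(image[0])
    fp = []
    for r in range(0, h, block):
        for c in range(0, w, block):
            tile = [image[i][j]
                    for i in range(r, min(r + block, h))
                    for j in range(c, min(c + block, w))]
            fp.append(sum(tile) / len(tile))
    return fp


def mean_abs_diff(a, b):
    """Distance between two fingerprints of equal length."""
    return sum(abs(x - y) for x, y in zip(a, b)) / len(a)


class StatefulDetector:
    """Per-account query history; a near-duplicate query blocks the account."""

    def __init__(self, threshold=THRESHOLD, max_history=1000):
        self.threshold = threshold
        self.max_history = max_history
        self.history = defaultdict(list)   # account -> list of fingerprints
        self.blocked = set()

    def check(self, account, image):
        """Return (allowed, reason). Blocked accounts are refused outright."""
        if account in self.blocked:
            return False, "account blocked"
        fp = fingerprint(image)
        hist = self.history[account]
        nearest = min((mean_abs_diff(fp, prev) for prev in hist), default=None)
        if nearest is not None and nearest < self.threshold:
            self.blocked.add(account)
            return False, f"query too similar to an earlier query (distance {nearest:.2f})"
        hist.append(fp)
        if len(hist) > self.max_history:   # bound the stored state per account
            hist.pop(0)
        return True, "ok"


# Constructed 16x16 grayscale sample inputs -----------------------------------
SIZE = 16


def gradient_image():
    return [[16 * i for _ in range(SIZE)] for i in range(SIZE)]


def checkerboard_image():
    return [[255 * ((i + j) % 2) for j in range(SIZE)] for i in range(SIZE)]


def reprogrammed_image(center_value, frame_value=200):
    """Fixed adversarial 'frame' with a tiny 2x2 payload in the middle; successive
    queries differ only in that payload, which is what the detector keys on."""
    img = [[frame_value] * SIZE for _ in range(SIZE)]
    for i in (7, 8):
        for j in (7, 8):
            img[i][j] = center_value
    return img


def run_demo():
    """Two distinct benign queries pass; the second reprogramming query is caught."""
    det = StatefulDetector()
    benign = [det.check("alice", gradient_image())[0],
              det.check("alice", checkerboard_image())[0]]
    attacker = [det.check("mallory", reprogrammed_image(0))[0],
                det.check("mallory", reprogrammed_image(255))[0],
                det.check("mallory", reprogrammed_image(128))[0]]
    return benign, attacker, sorted(det.blocked)


if __name__ == "__main__":
    print(run_demo())   # ([True, True], [True, False, False], ['mallory'])
```

The state is kept per account, which is exactly why the abstract concludes that an attacker must spread the queries over many accounts: a fresh account starts with an empty history. The surrogate-model variant in the abstract lowers the number of queries each account needs, so in a deployment the threshold and the history length are the knobs that trade false positives on legitimate near-duplicate uploads against how few similar queries the defense tolerates before blocking.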
