2016.12.06
AISECjp #7
Presented by Isao Takaesu
Paper introduction
Stealing Machine Learning Models via Prediction APIs, Part 1
About the speaker
• Occupation: Web security engineer
• Affiliation: Mitsui Bussan Secure Directions (MBSD)
• Hobbies: building vulnerability scanners, machine learning
• Blog: http://www.mbsd.jp/blog/
• Black Hat Asia Arsenal, CODE BLUE / 2016
• Organizer of AISECjp
Isao Takaesu (高江洲 勲)
Paper
AISECjp
Paper introduced
Stealing Machine Learning Models via Prediction APIs
Authors: Florian Tramèr (EPFL)
Fan Zhang (Cornell University)
Ari Juels (Cornell Tech, Jacobs Institute)
Michael K. Reiter (UNC Chapel Hill)
Thomas Ristenpart (Cornell Tech)
Post Date: 9 Sep 2016
Proceedings of USENIX Security 2016
Source : https://arxiv.org/abs/1609.02943
Overview of the paper
Proposes "model extraction attacks", which replicate a machine learning (ML) model.
[Figure: the data owner trains a model f from a database and exposes it as an ML service; the extraction adversary sends inputs x to f, receives the outputs f(x), and reconstructs f. Target model types: LR, MLP, decision tree.]
An ML model is replicated with black-box access only.
Risks of model replication
Avoiding charges
For a business model that charges per query to the ML model, revenue deteriorates (charges < training cost).
Information leakage from training data
Confidential information leaks from the training data (which contains confidential information) that is embedded in the model.
Evading behavioral detection
When the ML model is used for spam detection, malware detection, or network anomaly detection, an attacker can evade those detection functions.
List of model replication techniques
Extraction with Confidence Values
When the ML model responds with the class and confidence values.
・Equation-Solving Attacks
・Decision Tree Path-Finding Attacks
・Online Model Extraction Attacks (against BigML, Amazon ML)
Extraction Given Class Labels Only
When the ML model responds with the class only.
・The Lowd-Meek attack
・The retraining approach
Technique introduced this time
Extraction with Confidence Values
When the ML model responds with the class and confidence values.
・Equation-Solving Attacks ← this one
・Decision Tree Path-Finding Attacks
・Online Model Extraction Attacks (against BigML, Amazon ML)
Extraction Given Class Labels Only
When the ML model responds with the class only.
・The Lowd-Meek attack
・The retraining approach
Equation-Solving Attacks
What are "Equation-Solving Attacks"?
Based on the input "x" to the ML model and its output "y", recover (replicate) the equation "f", which is unknown to the attacker.
Example: the case of binary logistic regression
ML model: f(x1, x2) = 1.4150971 + 3.3421481·x1 + 3.0892439·x2
Attacker: f(x1, x2) = "?????"
Solving equations based on the "x" and "y" that the attacker can observe, identify the unknown parameters "w" (recovering the equation):
y = f(x, w), with f(x1, x2) = w0 + w1·x1 + w2·x2 and unknowns w0, w1, w2.
Verification of "Equation-Solving Attacks"
Replicating ML models
・Binary logistic regression
・Multiclass LR and Multilayer Perceptron
Information leakage from training data
・Training Data Leakage for Kernel LR
・Model Inversion Attacks on Extracted Models
"Equation-Solving Attacks" verified this time
Replicating ML models
・Binary logistic regression ← this one
・Multiclass LR and Multilayer Perceptron
Information leakage from training data
・Training Data Leakage for Kernel LR
・Model Inversion Attacks on Extracted Models
Binary logistic regression
What is "binary logistic regression"? (roughly)
Classifies data into two classes (c = 2) and computes the probability of belonging to a class.
decision boundary: f(x1, x2) = w0 + w1·x1 + w2·x2
[Figure: the line f(x1,x2)=0 is the decision boundary; points with f(x1,x2)>0 are classified positive, points with f(x1,x2)<0 negative.]
What is "binary logistic regression"? (continued)
Logistic function: σ(z) = 1 / (1 + e^(−z))
[Figure: plot of the logistic function σ(z).]
Probability of "positive": P(x1, x2) = σ(w0 + w1·x1 + w2·x2)
Probability of "negative": 1 − P(x1, x2)
Building the verification model
Training data (ex2data1): red = positive, blue = negative
→ compute the decision boundary
Building the verification model
Training result
decision boundary: f(x1, x2) = 1.415 + 3.342·x1 + 3.089·x2
[Figure: training data with the fitted line f(x1,x2)=0; f(x1,x2)>0 is the positive side, f(x1,x2)<0 the negative side.]
How the verification model is used
[Figure: a user sends inputs (x1, x2), ..., (x1n, x2n) to the LR model (backed by its database) and receives responses such as "P=0.055, neg" and "P=0.996, pos".]
Input the data (x1, x2) to be classified, and obtain the classification result (c = pos or neg) and the probability (P) of belonging to that class.
How the verification model is abused
[Figure: the adversary sends the same kind of inputs to the LR model and collects the returned probabilities and classes.]
Using the input data (x1, x2) and the returned probability (P), identify the decision boundary:
f(x1, x2) = 1.42 + 3.34·x1 + 3.09·x2
How is it done?
Step 1: Collecting information
• Results of using the model
User input data (x1, x2)   Model output: class   Model output: probability (P)
-1.602   0.638             negative              0.123
-1.062  -0.536             negative              0.022
-1.539   0.361             negative              0.068
-0.282   1.086             positive              0.979
...                        ...                   ...
Substituting each observed input into f(x1, x2) = w0 + w1·x1 + w2·x2:
f(x1, x2) = w0 − w1·1.602 + w2·0.638
f(x1, x2) = w0 − w1·1.062 − w2·0.536
f(x1, x2) = w0 − w1·1.539 + w2·0.361
f(x1, x2) = w0 − w1·0.282 + w2·1.086
What is the target variable "y"?
→ Pass the probability (P) through the logit function "g":
f(x1, x2) = logit(P) = ln( P / (1 − P) )
Step 2: Solving the equations (Equation-Solving)
• Results of using the model, with y = logit(P) filled in:
−1.964 = w0 − w1·1.602 + w2·0.638
−3.795 = w0 − w1·1.062 − w2·0.536
−2.618 = w0 − w1·1.539 + w2·0.361
3.842 = w0 − w1·0.282 + w2·1.086
• Result of equation solving
Identified coefficients: w0 = 2.042, w1 = 4.822, w2 = 4.457
Replicated function: f(x1, x2) = 2.042 + 4.822·x1 + 4.457·x2
Result of "Equation-Solving Attacks"
• Original model: f(x1, x2) = 1.415 + 3.342·x1 + 3.089·x2
• Replicated model: f(x1, x2) = 2.042 + 4.822·x1 + 4.457·x2
Can the replicated model classify correctly?
Comparison of the original and replicated models
User input data (x1, x2)   Original model: class, P   Replicated model: class, P
-1.602   0.638             negative   0.123            negative   0.055
-1.062  -0.536             negative   0.022            negative   0.004
-1.539   0.361             negative   0.068            negative   0.023
-0.282   1.086             positive   0.979            positive   0.996
 0.692   0.493             positive   0.995            positive   0.999
-0.234   1.638             positive   0.997            positive   0.999
 0.485  -1.064             negative   0.437            negative   0.410
 0.585  -1.008             positive   0.564            positive   0.591
 0.177  -0.729             negative   0.439            negative   0.412
...                        ...        ...              ...        ...
The classification results of the original and replicated models match exactly (n = 100).
Countermeasures against "Equation-Solving Attacks"
• Rounding confidences
Rounding the confidence values the model returns lowers the replication accuracy.
Example: P = 0.437401116 → P = 0.43
[Figure: "Effect of rounding on model extraction" (cited from the presented paper).]
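The Step 1 / Step 2 procedure above and the rounding countermeasure, as an added example that is not the speaker's or the paper's code: the hidden model is a stand-in whose coefficients are assumed to be the slide's trained values, the prediction API is a constructed function, and the query points are rows from the slide's table. It also shows the countermeasure's effect: with confidences rounded to two decimals the recovered coefficients drift, while the labels still agree on the checked points.

```python
import math
# Stand-in for the hidden model; the coefficients are the slide's trained values (assumed here).
W_TRUE = (1.415, 3.342, 3.089)
# Query points taken from the slide's table (three unknowns need three independent rows).
QUERIES = [(-1.602, 0.638), (-1.062, -0.536), (-0.282, 1.086)]
# Further slide rows, used only to compare the labels returned by the two models.
CHECK = QUERIES + [(-1.539, 0.361), (0.485, -1.064), (0.585, -1.008), (0.177, -0.729)]

def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))

def logit(p):
    p = min(max(p, 1e-9), 1.0 - 1e-9)  # a P rounded to exactly 0 or 1 must not blow up
    return math.log(p / (1.0 - p))

def predict(w, x1, x2, digits=None):
    """Constructed prediction API: (class, P); digits rounds P, the countermeasure."""
    p = sigmoid(w[0] + w[1] * x1 + w[2] * x2)
    if digits is not None:
        p = round(p, digits)
    return ("positive" if p >= 0.5 else "negative", p)

def solve3(a, b):
    """Solve the 3x3 system a.w = b by Gauss-Jordan elimination with partial pivoting."""
    m = [list(row) + [bi] for row, bi in zip(a, b)]
    for c in range(3):
        piv = max(range(c, 3), key=lambda r: abs(m[r][c]))
        m[c], m[piv] = m[piv], m[c]
        for r in range(3):
            if r != c:
                f = m[r][c] / m[c][c]
                m[r] = [rv - f * cv for rv, cv in zip(m[r], m[c])]
    return tuple(m[i][3] / m[i][i] for i in range(3))

def extract(points, digits=None):
    """Step 1: query each point and map P to y = logit(P); step 2: solve for (w0, w1, w2)."""
    a = [(1.0, x1, x2) for x1, x2 in points]
    b = [logit(predict(W_TRUE, x1, x2, digits)[1]) for x1, x2 in points]
    return solve3(a, b)

def max_coeff_error(w_est):
    return max(abs(e - t) for e, t in zip(w_est, W_TRUE))

def label_agreement(w_a, w_b, points):
    # Fraction of points on which the two models return the same class.
    return sum(predict(w_a, *p)[0] == predict(w_b, *p)[0] for p in points) / len(points)

if __name__ == "__main__":
    for d in (None, 2):  # full-precision confidences, then confidences rounded to 2 decimals
        w = extract(QUERIES, d)
        print(d, w, max_coeff_error(w), label_agreement(W_TRUE, w, CHECK))
```

With full-precision confidences three queries recover the coefficients exactly; with two-decimal rounding the same three queries give coefficients off by roughly 0.08, which is the effect the paper's rounding figure measures at scale.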
Plan for next time (Equation-Solving Attacks)
Replicating ML models
・Binary logistic regression (done)
・Multiclass LR and Multilayer Perceptron
Information leakage from training data
・Training Data Leakage for Kernel LR
・Model Inversion Attacks on Extracted Models
Download the PDF version of this document:
https://aisecjp.connpass.com/event/44600/