TY - GEN
T1 - BDPL: A Boundary Differentially Private Layer Against Machine Learning Model Extraction Attacks
AU - Zheng, Huadi
AU - Ye, Qingqing
AU - Hu, Haibo
AU - Fang, Chengfang
AU - Shi, Jie
PY - 2019/9/23
Y1 - 2019/9/23
N2 - Machine learning models trained on large volumes of proprietary data with intensive computational resources are valuable assets of their owners, who merchandise these models to third-party users through prediction service APIs. However, existing literature shows that model parameters are vulnerable to extraction attacks, which accumulate a large number of prediction queries and their responses to train a replica model. As a countermeasure, researchers have proposed reducing the richness of the API output, for example by hiding the precise confidence level of the prediction response. Nonetheless, even when the response is only one bit, an adversary can still exploit fine-tuned queries with a differential property to infer the decision boundary of the underlying model. In this paper, we propose boundary differential privacy (ϵ-BDP) as a solution that protects against such attacks by obfuscating the prediction responses near the decision boundary. ϵ-BDP guarantees that an adversary cannot learn the decision boundary beyond a predefined precision, no matter how many queries are issued to the prediction API. We design and prove a perturbation algorithm, called boundary randomized response, that achieves ϵ-BDP. The effectiveness and high utility of our solution against model extraction attacks are verified by extensive experiments on both linear and non-linear models.
UR - http://www.scopus.com/inward/record.url?scp=85075625864&partnerID=8YFLogxK
U2 - 10.1007/978-3-030-29959-0_4
DO - 10.1007/978-3-030-29959-0_4
M3 - Conference article published in proceeding or book
AN - SCOPUS:85075625864
SN - 9783030299583
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 66
EP - 83
BT - Computer Security – ESORICS 2019 - 24th European Symposium on Research in Computer Security, Proceedings
A2 - Sako, Kazue
A2 - Schneider, Steve
A2 - Ryan, Peter Y.A.
PB - Springer
T2 - 24th European Symposium on Research in Computer Security, ESORICS 2019
Y2 - 23 September 2019 through 27 September 2019
ER -