Model Extraction Attack on Neural Networks
Adi Shamir and his colleagues have presented a new method for extracting neural network models, a type of attack known as a model extraction attack. The paper, entitled “Polynomial Time Cryptanalytic Extraction of Neural Network Models,” addresses the challenge of obtaining parameters from complex neural networks.
Abstract: The training of Deep Neural Networks (DNNs) involves significant investments in terms of time and resources. Understanding the difficulty of extracting parameters from black-box neural network implementations is crucial. In this paper, the authors present an improved attack on ReLU-based DNNs, building upon previous work by Carlini, Jagielski, and Mironov. The attack requires a polynomial number of queries and time, enabling the extraction of real-valued parameters with high precision.
The authors demonstrate the practical efficiency of their attack by applying it to a full-sized neural network used for classifying the CIFAR10 dataset. The network has 3072 inputs, 8 hidden layers with 256 neurons each, and approximately 1.2 million neuronal parameters. Compared to the exhaustive search approach, which requires exploring 2^256 possibilities, the new techniques developed by the authors reduce the extraction time to just 30 minutes on a 256-core computer.
Key Points:
– Adi Shamir et al. have introduced a new model extraction attack on neural networks.
– The attack focuses on extracting parameters from ReLU-based DNNs.
– The improved attack requires a polynomial number of queries and time.
– It enables the extraction of real-valued parameters with high precision.
– The attack’s practical efficiency is demonstrated on a full-sized neural network used for classifying the CIFAR10 dataset.
– The new techniques reduce the extraction time to just 30 minutes on a 256-core computer.