Ownership and Confidentiality in Machine Learning
dc.contributor | Aalto-yliopisto | fi |
dc.contributor | Aalto University | en |
dc.contributor.advisor | Marchal, Samuel, Dr., WithSecure, Finland | |
dc.contributor.author | Szyller, Sebastian | |
dc.contributor.department | Tietotekniikan laitos | fi |
dc.contributor.department | Department of Computer Science | en |
dc.contributor.lab | Secure Systems Group | en |
dc.contributor.school | Perustieteiden korkeakoulu | fi |
dc.contributor.school | School of Science | en |
dc.contributor.supervisor | Asokan, N., Adj. Prof., Aalto University, Department of Computer Science, Finland | |
dc.date.accessioned | 2023-08-02T09:00:06Z | |
dc.date.available | 2023-08-02T09:00:06Z | |
dc.date.defence | 2023-08-18 | |
dc.date.issued | 2023 | |
dc.description.abstract | Statistical and machine learning (ML) models have been the primary tools for data-driven analysis for decades. Recent theoretical progress in deep neural networks (DNNs) coupled with computational advances put DNNs at the forefront of ML in the domains of vision, audio and language understanding. Alas, this has made DNNs targets for a wide array of attacks. Their complexity has revealed a wider range of vulnerabilities compared to the much simpler models of the past. As of now, attacks have been proposed against every single step of the ML pipeline: gathering and preparation of data, model training, model serving and inference. In order to effectively build and deploy ML models, model builders invest vast resources into gathering, sanitising and labelling the data, designing and training the models, as well as serving them effectively to their customers. ML models embody valuable intellectual property (IP), and thus business advantage that needs to be protected. Model extraction attacks aim to mimic the functionality of ML models, or even compromise their confidentiality. An adversary who extracts the model can leverage it for other attacks, continuously use the model without paying, or even undercut the original owner by providing a competing service at a lower cost. All research questions investigated in this dissertation share the common theme of the theft of ML models or their functionality. The dissertation is divided into four parts. In the first part, I explore the feasibility of model extraction attacks. In the publications discussed in this part, my coauthors and I design novel black-box extraction attacks against classification and image-translation deep neural networks. Our attacks result in surrogate models that rival the victim models at their tasks. In the second part, we investigate ways of addressing the threat of model extraction; I propose two detection mechanisms able to identify ongoing extraction attacks in certain settings with the following caveat: detection and prevention cannot stop a well-equipped adversary from extracting the model. Hence, in the third part, I focus on reliable ownership verification. By identifying extracted models and tracing them back to the victim, ownership verification can deter model extraction. In the publications discussed in this part, I demonstrate this by introducing the first watermarking scheme designed specifically against extraction attacks. Crucially, I critically evaluate the reliability of my approach w.r.t. the capabilities of an adaptive adversary. Further, I empirically evaluate a promising model fingerprinting scheme, and show that well-equipped adaptive adversaries remain a threat to model confidentiality. In the fourth part, I identify the problem of conflicting interactions among protection mechanisms. ML models are vulnerable to various attacks, and thus, may need to be deployed with multiple protection mechanisms at once. I show that combining ownership verification with protection mechanisms against other security/privacy concerns can result in conflicts. The dissertation concludes with my observations about model confidentiality, the feasibility of ownership verification, and potential directions for future work. | en |
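The abstract describes black-box model extraction at a high level: an adversary queries a deployed victim model and trains a surrogate on its responses. The sketch below is a minimal illustration of that query-and-distill loop; it is not the dissertation's attack, and the victim interface, surrogate architecture and hyperparameters are assumptions chosen only to make the idea concrete. The defences discussed in the dissertation, such as query-distribution detection (Publication 1) and watermarking of returned predictions (Publication 4), intervene at exactly this prediction-API boundary.

```python
# Minimal, illustrative sketch of black-box model extraction (query-and-distill).
# Not the dissertation's method: victim_query, Surrogate and all hyperparameters
# are hypothetical placeholders.
import torch
import torch.nn as nn
import torch.nn.functional as F


class Surrogate(nn.Module):
    """Small classifier the adversary trains to mimic the victim."""
    def __init__(self, in_dim: int = 784, n_classes: int = 10):
        super().__init__()
        self.net = nn.Sequential(
            nn.Linear(in_dim, 256), nn.ReLU(),
            nn.Linear(256, n_classes),
        )

    def forward(self, x):
        return self.net(x)


def extract(victim_query, query_inputs, epochs: int = 10, lr: float = 1e-3):
    """Train a surrogate from black-box victim predictions.

    victim_query: callable returning the victim's output probabilities for a
                  batch of inputs (the only access the adversary has).
    query_inputs: attacker-chosen queries (natural or synthetic data).
    """
    surrogate = Surrogate(in_dim=query_inputs.shape[1])
    opt = torch.optim.Adam(surrogate.parameters(), lr=lr)

    # 1) Query the victim prediction API once and cache its (soft) labels.
    with torch.no_grad():
        victim_probs = victim_query(query_inputs)

    # 2) Distill: fit the surrogate to reproduce the victim's outputs.
    for _ in range(epochs):
        opt.zero_grad()
        logits = surrogate(query_inputs)
        loss = F.kl_div(F.log_softmax(logits, dim=1), victim_probs,
                        reduction="batchmean")
        loss.backward()
        opt.step()
    return surrogate
```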
dc.format.extent | 72 + app. 96 | |
dc.format.mimetype | application/pdf | en |
dc.identifier.isbn | 978-952-64-1352-5 (electronic) | |
dc.identifier.isbn | 978-952-64-1351-8 (printed) | |
dc.identifier.issn | 1799-4942 (electronic) | |
dc.identifier.issn | 1799-4934 (printed) | |
dc.identifier.issn | 1799-4934 (ISSN-L) | |
dc.identifier.uri | https://aaltodoc.aalto.fi/handle/123456789/122309 | |
dc.identifier.urn | URN:ISBN:978-952-64-1352-5 | |
dc.language.iso | en | en |
dc.opn | Gambs, Sébastien, Prof., Université du Québec à Montréal, Canada | |
dc.publisher | Aalto University | en |
dc.publisher | Aalto-yliopisto | fi |
dc.relation.haspart | [Publication 1]: Mika Juuti, Sebastian Szyller, Samuel Marchal, N. Asokan. PRADA: Protecting Against DNN Model Stealing Attacks. In IEEE European Symposium on Security and Privacy, Stockholm, Sweden, June 2019. Full text in Acris/Aaltodoc: http://urn.fi/URN:NBN:fi:aalto-201909205383. DOI: 10.1109/EuroSP.2019.00044 | |
dc.relation.haspart | [Publication 2]: Buse Gül Atli Tekgül, Sebastian Szyller, Mika Juuti, Samuel Marchal, N. Asokan. Extraction of Complex DNN Models: Real Threat or Boogeyman? In International Workshop on Engineering Dependable and Secure Machine Learning Systems, New York, USA, February 2020. DOI: 10.1007/978-3-030-62144-5_4 | |
dc.relation.haspart | [Publication 3]: Sebastian Szyller, Vasisht Duddu, Tommi Buder-Gröndahl, N. Asokan. Good Artists Copy, Great Artists Steal: Model Extraction Attacks Against Image Translation Models. In submission, October 2022 | |
dc.relation.haspart | [Publication 4]: Sebastian Szyller, Buse Gül Atli Tekgül, Samuel Marchal, N. Asokan. DAWN: Dynamic Adversarial Watermarking of Neural Networks. In ACM International Conference on Multimedia, China, Virtual, October 2021. DOI: 10.1145/3474085.3475591 | |
dc.relation.haspart | [Publication 5]: Sebastian Szyller, Rui Zhang, Jian Liu, N. Asokan. On the Robustness of Dataset Inference. Accepted for publication in Transactions on Machine Learning Research, June 2023 | |
dc.relation.haspart | [Publication 6]: Sebastian Szyller, N. Asokan. Conflicting Interactions Among Protection Mechanisms for Machine Learning Models. Accepted for publication in AAAI Conference on Artificial Intelligence, Washington, USA, February 2023 | |
dc.relation.ispartofseries | Aalto University publication series DOCTORAL THESES | en |
dc.relation.ispartofseries | 110/2023 | |
dc.rev | Viswanath, Bimal, Asst. Prof., Virginia Tech, USA | |
dc.rev | Oprea, Alina, Assoc. Prof., Northeastern University, USA | |
dc.subject.keyword | adversarial machine learning | en |
dc.subject.keyword | model extraction | en |
dc.subject.keyword | ownership verification | en |
dc.subject.other | Computer science | en |
dc.title | Ownership and Confidentiality in Machine Learning | en |
dc.type | G5 Artikkeliväitöskirja | fi |
dc.type.dcmitype | text | en |
dc.type.ontasot | Doctoral dissertation (article-based) | en |
dc.type.ontasot | Väitöskirja (artikkeli) | fi |
local.aalto.acrisexportstatus | checked 2023-08-18_0822 | |
local.aalto.archive | yes | |
local.aalto.formfolder | 2023_08_01_klo_13_02 |