Ownership and Confidentiality in Machine Learning

dc.contributorAalto-yliopistofi
dc.contributorAalto Universityen
dc.contributor.advisorMarchal, Samuel, Dr., WithSecure, Finland
dc.contributor.authorSzyller, Sebastian
dc.contributor.departmentTietotekniikan laitosfi
dc.contributor.departmentDepartment of Computer Scienceen
dc.contributor.labSecure Systems Groupen
dc.contributor.schoolPerustieteiden korkeakoulufi
dc.contributor.schoolSchool of Scienceen
dc.contributor.supervisorAsokan, N., Adj. Prof., Aalto University, Department of Computer Science, Finland
dc.date.accessioned2023-08-02T09:00:06Z
dc.date.available2023-08-02T09:00:06Z
dc.date.defence2023-08-18
dc.date.issued2023
dc.description.abstractStatistical and machine learning (ML) models have been the primary tools for data-driven analysis for decades. Recent theoretical progress in deep neural networks (DNNs) coupled with computational advances put DNNs at the forefront of ML in the domains of vision, audio and language understanding. Alas, this has made DNNs targets for a wide array of attacks. Their complexity revealed a wider range of vulnerabilities compared to the much simpler models of the past. As of now, attacks have been proposed against every single step of the ML pipeline: gathering and preparation of data, model training, model serving and inference. In order to effectively build and deploy ML models, model builders invest vast resources into gathering, sanitising and labelling the data, designing and training the models, as well as serving them effectively to their customers. ML models embody valuable intellectual property (IP), and thus business advantage that needs to be protected. Model extraction attacks aim to mimic the functionality of ML models, or even compromise their confidentiality. An adversary who extracts the model can leverage it for other attacks, continuously use the model without paying, or even undercut the original owner by providing a competing service at a lower cost. All research questions investigated in this dissertation share the common theme of the theft of ML models or their functionality. The dissertation is divided into four parts. In the first part, I explore the feasibility of model extraction attacks. In the publications discussed in this part, my coauthors and I design novel black- box extraction attacks against classification and image-translation deep neural networks. Our attacks result in surrogate models that rival the victim models at their tasks. In the second part, we investigate ways of addressing the threat of model extraction; I propose two detection mechanisms able to identify ongoing extraction attacks in certain settings with the following caveat: detection and prevention cannot stop a well-equipped adversary from extracting the model. Hence, in the third part, I focus on reliable ownership verification. By identifying extracted models and tracing them back to the victim, ownership verification can deter model extraction. In the publications discussed in this part, I demonstrate it by introducing the first watermarking scheme designed specifically against extraction attacks. Crucially, I critically evaluate the reliability of my approach w.r.t. the capabilities of an adaptive adversary. Further, I empirically evaluate a promising model fingerprinting scheme, and show that well-equipped adaptive adversaries remain a threat to model confidentiality. In the fourth part, I identify the problem of conflicting interactions among protection mechanisms. ML models are vulnerable to various attacks, and thus, may need to be deployed with multiple protection mechanisms at once. I show that combining ownership verification with protection mechanisms against other security/privacy concerns can result in conflicts. The dissertation concludes, with my observations about model confidentiality, the feasibility of ownership verification, and potential directions for future work.en
dc.format.extent72 + app. 96
dc.format.mimetypeapplication/pdfen
dc.identifier.isbn978-952-64-1352-5 (electronic)
dc.identifier.isbn978-952-64-1351-8 (printed)
dc.identifier.issn1799-4942 (electronic)
dc.identifier.issn1799-4934 (printed)
dc.identifier.issn1799-4934 (ISSN-L)
dc.identifier.urihttps://aaltodoc.aalto.fi/handle/123456789/122309
dc.identifier.urnURN:ISBN:978-952-64-1352-5
dc.language.isoenen
dc.opnGambs, Sébastien, Prof., Université du Québec à Montréal, Canada
dc.publisherAalto Universityen
dc.publisherAalto-yliopistofi
dc.relation.haspart[Publication 1]: Mika Juuti, Sebastian Szyller, Samuel Marchal, N. Asokan. PRADA: Protecting Against DNN Model Stealing Attacks. In IEEE European Symposium on Security and Privacy, Stockholm, Sweden, June 2019. Full text in Acris/Aaltodoc: http://urn.fi/URN:NBN:fi:aalto-201909205383. DOI: 10.1109/EuroSP.2019.00044
dc.relation.haspart[Publication 2]: Buse Gül Atli Tekgül, Sebastian Szyller, Mika Juuti, Samuel Marchal, N. Asokan. Extraction of Complex DNN Models: Real Threat or Boogeyman?. In International Workshop on Engineering Dependable and Secure Machine Learning Systems, New York, USA, February 2020. DOI: 10.1007/978-3-030-62144-5_4
dc.relation.haspart[Publication 3]: Sebastian Szyller, Vasisht Duddu, Tommi Buder-Gröndahl, N. Asokan. Good Artists Copy, Great Artists Steal: Model Extraction Attacks Against Image Translation Models. In submission, October 2022
dc.relation.haspart[Publication 4]: Sebastian Szyller, Buse Gül Atli Tekgül, Samuel Marchal, N. Asokan. DAWN: Dynamic Adversarial Watermarking of Neural Networks. In ACM International Conference on Multimedia, China, Virtual, October 2021. DOI: 10.1145/3474085.3475591
dc.relation.haspart[Publication 5]: Sebastian Szyller, Rui Zhang, Jian Liu, N. Asokan. On the Robustness of Dataset Inference. Accepted for publication in Transactions on Machine Learning Research, June 2023
dc.relation.haspart[Publication 6]: Sebastian Szyller, N. Asokan. Conflicting Interactions Among Protection Mechanisms for Machine Learning Models. Accepted for publication in AAAI Conference on Artificial Intelligence, Washington, USA, February 2023
dc.relation.ispartofseriesAalto University publication series DOCTORAL THESESen
dc.relation.ispartofseries110/2023
dc.revViswanath, Bimal, Asst. Prof., Virginia Tech, USA
dc.revOprea, Alina, Assoc. Prof., Northeastern University, USA
dc.subject.keywordadversarial machine learningen
dc.subject.keywordmodel extractionen
dc.subject.keywordownership verificationen
dc.subject.otherComputer scienceen
dc.titleOwnership and Confidentiality in Machine Learningen
dc.typeG5 Artikkeliväitöskirjafi
dc.type.dcmitypetexten
dc.type.ontasotDoctoral dissertation (article-based)en
dc.type.ontasotVäitöskirja (artikkeli)fi
local.aalto.acrisexportstatuschecked 2023-08-18_0822
local.aalto.archiveyes
local.aalto.formfolder2023_08_01_klo_13_02
Files