Model Extraction Attacks in Machine Learning

Questions and Answers

What is a characteristic of machine learning models that allows adversarial examples to be effective against multiple models?

• Transferability (correct)
• Overfitting
• Underfitting
• Non-linearity

What type of attack involves extracting a model and then generating adversarial examples?

• Model extraction attack (correct)
• Model inversion attack
• Model evasion attack
• Data poisoning attack

What is the goal of generating adversarial examples?

• To improve the accuracy of a model
• To cause misclassification of a model (correct)
• To reduce the memory usage of a model
• To increase the computational cost of a model

Why are defenses against adversarial examples difficult to discuss?

Because they are dependent on the definition of machine learning (D)

What is the term for the ability of adversarial examples to be effective against multiple models?

Transferability (B)

What type of attack involves manipulating the training data to affect the model's performance?

Data poisoning attack (B)

What is the term for the process of extracting a model to generate adversarial examples?

Model extraction (C)

What is the goal of generating adversarial examples for a model?

To discover vulnerabilities in the model (B)

What is a motivation behind model extraction attacks?

To bypass monetization and use a duplicate model offline (A)

What is a characteristic of equation-solving model extraction attacks?

They involve using random input data to build a linear system of equations (B)

What is a category of model extraction attacks besides equation-solving and path finding attacks?

Not mentioned in the text (A)

What is the goal of model extraction attacks?

To replicate a machine learning model and use it offline (A)

What is the assumption behind path finding attacks?

Each leaf in the decision tree has a unique distribution (D)

What is a benefit of replicating a machine learning model using model extraction attacks?

The ability to use the model offline without paying for queries (C)

What is a characteristic of MLaaS services?

They provide a prediction API for users to query (A)

What is a motivation behind the popularity of cloud computing?

The availability of Machine Learning as a Service (MLaaS) (B)

What is the primary goal of an attacker using adversarial examples?

To cause the model to make a mistake (C)

How can an attacker rebuild the model using membership queries?

By assuming a model and training it in an adaptive learning manner (C)

What is the property that enables an attacker to automate the process of crafting adversarial examples?

Transferability (C)

What is the purpose of model extraction attacks?

To extract the model's architecture (B)

What is the goal of an attacker using data poisoning attacks?

To ruin the model's performance on a specific problem (D)

How can an attacker craft adversarial examples using the gradient?

By using the gradient to change the image to a misclassified image with the lowest cost (B)

What is the primary assumption of machine learning algorithms?

That the model is generalizable (A)

What is the purpose of membership queries?

To determine which leaf the data in the query falls into (C)

Study Notes

Model Extraction Attacks

• Model extraction attacks are becoming more prominent due to the popularity of cloud computing and machine learning as a service (MLaaS).
• These attacks involve building a machine that produces the same results as the target model, allowing the attacker to bypass monetization and use the duplicate model offline.
• There are three main categories of model extraction attacks: equation-solving, path finding, and membership queries.

Equation-Solving Model Extraction Attacks

• This type of attack involves tailoring input data to build a linear system of variables and solving it for unknown weights and bias.
• Simple models like logistic regression can be easily recreated with 100% accuracy using this method.
• Even complex models like neural networks can be recreated, although it may be more difficult.

Path Finding Attacks

• This method assumes that each leaf in the decision tree has a unique distribution, allowing the attacker to rebuild the tree by querying the model and tracking which leaf the data falls into.
• By changing the input data one feature at a time, the attacker can figure out the different branches of the tree.

Membership Queries Attacks

• This type of attack involves training a local model, querying the target model, and retraining the local model to adapt to the target model's responses.
• The attacker can assume a model, train it, and then query the points where the local confidence is low.

Adversarial Examples

• Adversarial examples are inputs tailored to cause machine learning models to make mistakes.
• These examples can be crafted using model extraction attacks and the property of transferability.
• Transferability means that an adversarial example for a model in a specific domain will likely be adversarial to any other model trained in that domain.
• Adversarial examples can be used to cause misclassification in machine learning models.

Crafting Adversarial Examples

• Adversarial examples can be crafted by adding a perturbation to the input data based on the gradient and changing the image to a misclassified image with the lowest cost.
• This process can be automated using model extraction attacks and transferability.

Description

This quiz covers the types of model extraction attacks, including equation-solving attacks, and their relevance to machine learning as a service (MLaaS) and cloud computing.