
ML defense: against prediction API threats in cloud-based machine learning service

Published: 24 June 2019
Abstract

Machine learning (ML) has shown impressive performance in the modern world, and many corporations leverage it to improve their service quality, e.g., Facebook's DeepFace. Because ML models are produced by running a training algorithm over collections of private data, they are increasingly deemed confidential. Such confidential models are typically trained on a centralized cloud server yet remain publicly accessible. ML-as-a-service (MLaaS) systems are a running example: users are allowed to query trained models and are charged on a pay-per-query basis.
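To make the pay-per-query access model concrete, the sketch below shows what such an MLaaS endpoint might look like. The class name `BilledPredictionAPI`, the price constant, and the sklearn-style `predict()` call are illustrative assumptions, not details from the paper.

```python
# Minimal sketch of a pay-per-query MLaaS prediction endpoint.
# Names and pricing are hypothetical, for illustration only.

PRICE_PER_QUERY = 0.001  # assumed charge (USD) per prediction


class BilledPredictionAPI:
    def __init__(self, model):
        self.model = model   # confidential trained model hosted in the cloud
        self.bills = {}      # running charge per user

    def predict(self, user_id, x):
        # Meter the query, then return the full-precision prediction.
        self.bills[user_id] = self.bills.get(user_id, 0.0) + PRICE_PER_QUERY
        return self.model.predict([x])[0]
```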
Unfortunately, recent research has exposed a tension between public access and model confidentiality: adversarial access to a model can be abused to duplicate the model's functionality or even to learn sensitive information about individuals known to be in the training dataset. For simplicity, we refer to these attacks collectively as prediction API threats.
In this work, we propose ML defense, a framework for defending against prediction API threats that works as an add-on to existing MLaaS systems. To the best of our knowledge, this is the first work to propose a technical countermeasure against attacks mounted through excessive query access. Our methodology neither modifies any classifier nor degrades model functionality (e.g., by rounding results). The framework consists of one or more simulators and one auditor: each simulator learns the hidden knowledge an adversary may have accumulated, and the auditor then detects whether a privacy breach has occurred. We discuss the intrinsic difficulties and empirically demonstrate the efficiency and feasibility of our mechanisms on different models and datasets.
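The following is a minimal sketch of how such a simulator/auditor pair might sit in front of an unmodified classifier, not the authors' implementation. The class names, the rank-based knowledge heuristic, and the breach threshold are all assumptions made for illustration; the paper's actual mechanisms for learning an adversary's hidden knowledge are more sophisticated.

```python
import numpy as np


class Simulator:
    """Tracks one client's query history and approximates the knowledge
    an adversary could extract from it (illustrative heuristic only)."""

    def __init__(self, num_features):
        self.queries = []              # query vectors seen so far
        self.num_features = num_features

    def observe(self, x, y):
        # Record the (query, prediction) pair exposed through the API.
        self.queries.append(np.asarray(x))

    def knowledge_estimate(self):
        # Crude proxy: how much of the input space the client has explored,
        # measured as the rank of the query matrix relative to its dimension.
        if not self.queries:
            return 0.0
        Q = np.vstack(self.queries)
        return np.linalg.matrix_rank(Q) / self.num_features


class Auditor:
    """Flags a potential privacy breach when a simulator's estimated
    adversarial knowledge crosses a threshold (hypothetical criterion)."""

    def __init__(self, threshold=0.8):
        self.threshold = threshold

    def audit(self, simulator):
        return simulator.knowledge_estimate() >= self.threshold


def guarded_predict(model, simulator, auditor, x):
    """Add-on wrapper: the classifier and its outputs are untouched;
    only excessive query access is detected and refused."""
    y = model.predict([x])[0]          # classifier is used as-is
    simulator.observe(x, y)
    if auditor.audit(simulator):
        raise PermissionError("prediction API threat suspected")
    return y
```

In this sketch, a client that merely queries natural inputs keeps a low knowledge estimate, while one that systematically sweeps the feature space drives the rank toward full dimension and trips the auditor; crucially, predictions are returned at full precision and no classifier is modified, matching the paper's stated constraint.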




        Published In

        IWQoS '19: Proceedings of the International Symposium on Quality of Service
        June 2019
        420 pages
ISBN: 9781450367783
DOI: 10.1145/3326285

        Publisher

Association for Computing Machinery
New York, NY, United States



        Author Tags

        1. machine learning as a service
        2. privacy and security

        Qualifiers

        • Research-article

        Conference

        IWQoS '19

        Article Metrics

• Downloads (Last 12 months): 113
• Downloads (Last 6 weeks): 13

Reflects downloads up to 27 Jul 2024

Cited By
• (2024) Cloud computing security: a taxonomy, threat detection and mitigation techniques. International Journal of Computers and Applications, pp. 1-14. DOI: 10.1080/1206212X.2024.2319937. Online publication date: 26-Feb-2024.
• (2024) A survey on membership inference attacks and defenses in Machine Learning. Journal of Information and Intelligence. DOI: 10.1016/j.jiixd.2024.02.001. Online publication date: Mar-2024.
• (2024) Privacy-preserving inference resistant to model extraction attacks. Expert Systems with Applications, article 124830. DOI: 10.1016/j.eswa.2024.124830. Online publication date: Jul-2024.
• (2023) Run-Time Prevention of Software Integration Failures of Machine Learning APIs. Proceedings of the ACM on Programming Languages 7(OOPSLA2), pp. 264-291. DOI: 10.1145/3622806. Online publication date: 16-Oct-2023.
• (2022) Model Protection: Real-Time Privacy-Preserving Inference Service for Model Privacy at the Edge. IEEE Transactions on Dependable and Secure Computing 19(6), pp. 4270-4284. DOI: 10.1109/TDSC.2021.3126315. Online publication date: 1-Nov-2022.
• (2020) Machine Learning as a Service. Proceedings of the 22nd International Conference on Information Integration and Web-based Applications & Services, pp. 396-406. DOI: 10.1145/3428757.3429152. Online publication date: 30-Nov-2020.
• (2020) Remote explainability faces the bouncer problem. Nature Machine Intelligence 2(9), pp. 529-539. DOI: 10.1038/s42256-020-0216-z. Online publication date: 24-Aug-2020.
