
Stealing Hyperparameters in Machine Learning
Binghui Wang and Neil Zhenqiang Gong
ECE Department, Iowa State University
Machine Learning As A Service (MLaaS)
• Emerging technology to aid users with limited computing power or limited ML expertise to learn ML models

• MLaaS platforms
How MLaaS is Used?
[Figure: a training dataset is uploaded to learn an ML model; a testing dataset is then scored through the prediction API.]
Privacy: A Big Challenge for MLaaS
• Model Inversion Attack
  • Fredrikson et al. CCS’15
• Membership Inference Attack
  • Shokri et al. IEEE S&P’17
• Model Extraction Attack
  • Tramèr et al. Usenix Security’16
Our Work: A New Privacy Attack
• Hyperparameter Stealing Attack
  • Hyperparameters are confidential for certain MLaaS
  • Stealing the hyperparameter values used by MLaaS
• Application Scenario
  • A user can be an attacker
  • The attacker can learn an ML model via MLaaS at much lower computational (or economic) cost without sacrificing testing performance
Outline
• Machine Learning Background
• Hyperparameter Stealing Attack
• Evaluation
• Defense
• Conclusion
Machine Learning Concepts
• Objective function
  • L: Loss function; e.g., least square loss: L(X, y, w) = |y - <X, w>|^2
  • R: Regularization; e.g., L2-norm: R(w) = |w|^2
  • X: Training instances; each instance is a feature vector
  • y: Label; continuous (i.e., regression) or categorical (i.e., classification)
  • w: Model parameters
  • λ: Hyperparameter; balances the loss function against the regularization
Machine Learning Tasks
• Hyperparameter learning
  • Cross-validation
  • Time-consuming
• Model parameter learning
  • Minimizing the objective function of an ML algorithm with a specified hyperparameter
  • Different ML algorithms use different loss functions and regularizations
Machine Learning System
[Figure: the training dataset feeds the algorithms for learning hyperparameters, which output the hyperparameters; the training dataset and those hyperparameters feed the algorithms for learning model parameters, which output the model parameters.]
Motivation
• Existing privacy attacks on ML systems focus on
  • inferring the training dataset
  • stealing model parameters
• Hyperparameters are critical for ML algorithms
• Learning hyperparameters is time-consuming
• Motivated by emerging MLaaS, an attacker could be a user who aims to steal the hyperparameters to save economic costs
Threat Model
• Attacker’s Goal
  • Stealing the hyperparameters of an ML algorithm
• Attacker’s Knowledge
  • Knowing the training dataset
    • Easy to satisfy
  • Knowing the ML algorithm
    • Certain MLaaS platforms publish the ML algorithms, e.g., Amazon ML, Microsoft Azure
  • (Optionally) knowing the model parameters
    • If unknown, use a model extraction attack first
Attack Framework
• Observation
  • Learnt model parameters of an ML algorithm are often (near) a minimum of the objective function
  • The gradient of the objective function at the learnt model parameters is (about) 0
  • This encodes relationships between the model parameters and the hyperparameters
Attack Procedure
• Step I: Set the gradient of the objective function at the model parameters to 0
  • This yields a system of linear equations in the hyperparameter, and the system is overdetermined
• Step II: Estimate the hyperparameter via least squares
Applicable to Various ML Algorithms
Attacking Ridge Regression
• Objective Function: Least square loss + L2 regularization
Theoretical Evaluation
• Theorem 1 (Exact Estimation): If the learnt model parameters w are an exact minimum w⋆ of the objective function, then
• Theorem 2 (Approximate Estimation): If w⋆ is the minimum closest to w, then the estimation error is bounded by
Empirical Evaluation
• Datasets
• Evaluated Methods
  • Regression algorithms: RR, LASSO, KRR, neural network
  • Classification algorithms: LR, SVM, KLR, KSVM, neural network
• Evaluation Metric
Results for Known Model Parameters
Our attack can accurately estimate the hyperparameter for all our studied ML algorithms
Our attack can more accurately estimate the hyperparameter for ML algorithms that have analytical solutions of model parameters
Results for Unknown Model Parameters

Our attack can also accurately estimate the hyperparameter when model parameters are unknown
Attacking Amazon ML
• Method 1 (M1): Accurate but inefficient
  1. Upload the entire training dataset
  2. Learn hyperparameters
  3. Evaluate the testing dataset & model parameters
• Method 2 (M2): Efficient but inaccurate
  1. Upload p% of the training dataset
  2. Learn hyperparameters
  3. Evaluate the testing dataset & model parameters
Attacking Amazon ML
• Method 3 (M3): Train-Steal-Retrain Strategy
  1. Upload q% of the training dataset
  2. Learn hyperparameters & model parameters
  3. Steal the hyperparameter
  4. Upload the entire training dataset & specify the stolen hyperparameter
  5. Re-learn model parameters
  6. Evaluate the testing dataset
• Accurate and efficient


Attacking Amazon ML
• One half for training and one half for testing on the Bank dataset
• M2 and M3 sample 15% and 3% of the training dataset, respectively
• Training cost
  • M1: $1.02 vs M3: $0.16
  • M2: $0.15 vs M3: $0.16
• Relative error
  • M3 over M1: 0.92%
  • M2 over M1: 5.1%
Rounding As a Defense
• Rounding the learnt model parameters before sharing them with users
• For instance, rounding a parameter 0.8765
  • With one decimal: 0.9
  • With two decimals: 0.88
• The rounding technique was also used by other work
  • Fredrikson et al. CCS’15
  • Tramèr et al. Usenix Security’16
Defense Results

Rounding is not effective enough for certain ML algorithms


L2 regularization is more secure than L1 regularization
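An added worked example (not the authors' code and not from the slides) of Steps I and II on the ridge regression objective from the "Attacking Ridge Regression" slide, |y - Xw|^2 + λ|w|^2, followed by the rounding defense from the previous slides: the server fits w in closed form, the attacker sets the gradient to zero, which gives the overdetermined system λw = X^T(y - Xw), and solves it for λ by least squares; the toy training set, TRUE_LAMBDA and all function names are constructed for this example.

```python
# Added example (not the authors' code): hyperparameter stealing on ridge
# regression in pure Python, then the effect of the rounding defense.

def transpose(M):
    return [list(col) for col in zip(*M)]

def matvec(M, v):
    return [sum(a * b for a, b in zip(row, v)) for row in M]

def matmul(A, B):
    Bt = transpose(B)
    return [[sum(a * b for a, b in zip(row, col)) for col in Bt] for row in A]

def dot(u, v):
    return sum(a * b for a, b in zip(u, v))

def ridge_fit(X, y, lam):
    """Server side: exact minimiser of |y - Xw|^2 + lam*|w|^2 for two
    features, w = (X^T X + lam I)^-1 X^T y via the 2x2 inverse."""
    XtX = matmul(transpose(X), X)
    Xty = matvec(transpose(X), y)
    a, b = XtX[0][0] + lam, XtX[0][1]
    c, d = XtX[1][0], XtX[1][1] + lam
    det = a * d - b * c
    inv = [[d / det, -b / det], [-c / det, a / det]]
    return matvec(inv, Xty)

def steal_lambda(X, y, w):
    """Attacker side. Step I: gradient -2 X^T (y - Xw) + 2 lam w = 0 gives the
    overdetermined system lam * w = X^T (y - Xw) (one equation per feature,
    one unknown). Step II: least-squares solution lam = <w, a> / <w, w>."""
    residual = [yi - pi for yi, pi in zip(y, matvec(X, w))]
    a = matvec(transpose(X), residual)
    return dot(w, a) / dot(w, w)

# Constructed toy training set: six instances, two features, y = x1 + 2*x2.
X = [[1, 2], [2, 1], [3, 4], [4, 3], [5, 6], [6, 5]]
y = [5, 4, 11, 10, 17, 16]
TRUE_LAMBDA = 0.5  # the confidential hyperparameter the server used

def attack_with_rounding(decimals=None):
    """Estimate the hyperparameter from model parameters the server shares
    as-is (decimals=None) or rounded to `decimals` places (the defense)."""
    w = ridge_fit(X, y, TRUE_LAMBDA)
    if decimals is not None:
        w = [round(wi, decimals) for wi in w]
    return steal_lambda(X, y, w)
```

Calling attack_with_rounding() recovers λ = 0.5 to floating-point precision, while attack_with_rounding(2) and attack_with_rounding(1) drift to roughly 0.59 and 0.05 on this toy set, which is the leakage-versus-utility trade-off rounding buys.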
Conclusion
• ML algorithms are vulnerable to hyperparameter stealing attacks
• Our attack can help users save economic costs on MLaaS platforms without sacrificing testing performance
• We need new defenses against hyperparameter stealing attacks
