Machine Learning
Binghui Wang and Neil Zhenqiang Gong
ECE Department, Iowa State University
Machine Learning As A Service (MLaaS)
• Emerging technology that lets users with limited computing power or
limited ML expertise learn ML models
• MLaaS platforms
How MLaaS is Used?
[Figure: the user uploads a training dataset, the platform learns an ML model from it, and the testing dataset is scored through the platform's prediction API]
Privacy: A Big Challenge for MLaaS
• Model Inversion Attack
• Fredrikson et al. CCS’15
• Application Scenario
• A user can be an attacker
• The attacker can learn an ML model via MLaaS at a much lower computational
(or economic) cost without sacrificing testing performance
Outline
• Machine Learning Background
• Hyperparameter Stealing Attack
• Evaluation
• Defense
• Conclusion
Machine Learning Concepts
• Objective function
[Figure: the training dataset is fed to algorithms for learning hyperparameters, which output the hyperparameters; the training dataset and the hyperparameters are then fed to algorithms for learning model parameters, which optimize the objective function and output the model parameters]
Motivation
• Existing privacy attacks on ML systems focus on
• inferring training dataset
• stealing model parameters
• Motivated by emerging MLaaS, an attacker could be a user who aims to steal
the hyperparameters in order to save economic costs
Threat Model
• Attacker’s Goal
• Stealing the hyperparameters of an ML algorithm
• Attacker’s Knowledge
• Knowing the training dataset
• Easy to satisfy: in MLaaS the attacker is the user who supplied the training dataset
• Knowing the ML algorithm
• Certain MLaaS platforms publish the ML algorithms, e.g., Amazon ML, Microsoft Azure
• (Optionally) knowing the model parameters
• If unknown, using model extraction attack first
Attack Framework
• Observation
• Learnt model parameters of an ML algorithm are often (near) a minimum of
the objective function, so the gradient of the objective function at the learnt
model parameters is (near) zero; this yields equations that are linear in the
hyperparameters and can be solved for them
• Evaluated Methods
• Regression algorithms: RR, LASSO, KRR, neural network
• Classification algorithms: LR, SVM, KLR, KSVM, neural network
• Evaluation Metric
Results for Known Model Parameters
Our attack can accurately estimate the hyperparameter for all our studied ML algorithms
Our attack can more accurately estimate the hyperparameter for ML algorithms that have
analytical solutions of model parameters
Results for Unknown Model Parameters
Our attack can also accurately estimate the hyperparameter when model parameters are unknown
Attacking Amazon ML
• Method 1 (M1): accurate but inefficient
1. Upload entire training dataset
2. Learn hyperparameters
3. Evaluate the testing dataset & model parameters
• Training cost
• M1: $1.02 vs M3: $0.16
• M2: $0.15 vs M3: $0.16
• Relative error
• M3 over M1: 0.92%
• M2 over M1: 5.1%
Rounding As a Defense
• Rounding the learnt model parameters before sharing them with users
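The following is an added example, not code from the talk or the paper. It works through the attack framework (the zero-gradient observation), the known- and unknown-parameter settings from the results, and the rounding defense on one algorithm, ridge regression (RR), which has an analytical solution. Everything here is an assumption of the example: the training data are constructed, `make_dataset`, `train_ridge`, `steal_lambda`, `extract_parameters` and the `attack_*` functions are names chosen for this illustration, the estimator is derived from the observation on the slide (at a minimum, grad L(w) + lambda * grad R(w) = 0, so lambda is the least-squares fit of -grad L onto grad R), and the "prediction API" is a local stand-in, with model extraction for a linear model without intercept done by querying the standard basis vectors rather than by the general model extraction attack the slide refers to.

```python
import random


def make_dataset(n=200, d=3, seed=0):
    """Constructed training data for the example: y = X w_true + small noise."""
    rng = random.Random(seed)
    w_true = [rng.gauss(0, 1) for _ in range(d)]
    X = [[rng.gauss(0, 1) for _ in range(d)] for _ in range(n)]
    y = [sum(xi * wi for xi, wi in zip(row, w_true)) + rng.gauss(0, 0.1) for row in X]
    return X, y


def dot(u, v):
    return sum(a * b for a, b in zip(u, v))


def solve(A, b):
    """Gauss-Jordan elimination with partial pivoting for a small dense system A x = b."""
    n = len(b)
    M = [row[:] + [b[i]] for i, row in enumerate(A)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(M[r][col]))
        M[col], M[piv] = M[piv], M[col]
        for r in range(n):
            if r != col:
                f = M[r][col] / M[col][col]
                M[r] = [mr - f * mc for mr, mc in zip(M[r], M[col])]
    return [M[i][n] / M[i][i] for i in range(n)]


def train_ridge(X, y, lam):
    """Analytical minimiser of ||y - Xw||^2 + lam * ||w||^2, i.e. (X^T X + lam I) w = X^T y."""
    d = len(X[0])
    XtX = [[sum(row[i] * row[j] for row in X) + (lam if i == j else 0.0)
            for j in range(d)] for i in range(d)]
    Xty = [sum(row[i] * yi for row, yi in zip(X, y)) for i in range(d)]
    return solve(XtX, Xty)


def steal_lambda(X, y, w):
    """Hyperparameter stealing (assumed estimator): at a minimum of L(w) + lam * R(w)
    the gradient vanishes, grad L(w) + lam * grad R(w) = 0, so lam is the
    least-squares fit of -grad L(w) onto grad R(w)."""
    d = len(w)
    residual = [dot(row, w) - yi for row, yi in zip(X, y)]
    grad_loss = [2 * sum(row[i] * r for row, r in zip(X, residual)) for i in range(d)]
    grad_reg = [2 * wi for wi in w]
    return -dot(grad_reg, grad_loss) / dot(grad_reg, grad_reg)


def extract_parameters(predict, d):
    """Model extraction for a linear model with no intercept and exact real-valued
    predictions: querying the d standard basis vectors returns the d coordinates of w."""
    w_hat = []
    for i in range(d):
        query = [0.0] * d
        query[i] = 1.0
        w_hat.append(predict(query))
    return w_hat


def relative_error(estimate, truth):
    return abs(estimate - truth) / abs(truth)


def attack_known_parameters(lam_true=0.7):
    """Attacker knows the training set and the learnt w (optional knowledge in the threat model)."""
    X, y = make_dataset()
    w = train_ridge(X, y, lam_true)
    return relative_error(steal_lambda(X, y, w), lam_true)


def attack_unknown_parameters(lam_true=0.7):
    """Attacker only has query access: extract w through a stand-in prediction API first."""
    X, y = make_dataset()
    w = train_ridge(X, y, lam_true)
    api = lambda x: dot(x, w)  # stand-in for the MLaaS prediction API (assumption)
    w_hat = extract_parameters(api, len(w))
    return relative_error(steal_lambda(X, y, w_hat), lam_true)


def attack_rounded_parameters(lam_true=0.7, decimals=1):
    """Rounding defense: the platform rounds w before sharing it, so the shared w is no
    longer an exact minimum and the zero-gradient estimate degrades."""
    X, y = make_dataset()
    w = [round(wi, decimals) for wi in train_ridge(X, y, lam_true)]
    return relative_error(steal_lambda(X, y, w), lam_true)


if __name__ == "__main__":
    print("known parameters, relative error:    ", attack_known_parameters())
    print("extracted parameters, relative error:", attack_unknown_parameters())
    for k in (1, 2, 3):
        print(f"rounded to {k} decimals, relative error:", attack_rounded_parameters(decimals=k))
```

With the exact closed-form parameters the estimate of lambda is exact up to floating-point error, which is why algorithms with analytical solutions are the easiest targets; rounding w to one or two decimals on this constructed data inflates the estimation error by orders of magnitude, but how much protection rounding buys depends on the algorithm and dataset and this example does not claim the effect generalizes.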