MEW: Evading Ownership Detection Against Deep Learning Models

Wenxuan Yin; Haifeng Qian

doi:10.1007/978-981-99-1645-0_11

MEW: Evading Ownership Detection Against Deep Learning Models

Wenxuan Yin
, Haifeng Qian^*

^*Corresponding author for this work

Software Engineering Institute

East China Normal University

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

Training deep neural network (DNNs) requires massive computing resources and data, hence the trained models belong to the model owners’ Intellectual Property (IP), and it is very important to defend against the model stealing attack. Recently, a well-known approach named Dataset Inference (DI) claimed that by measuring the distance from the sample to the decision boundary, it can be determined whether the theft has occurred. In this paper, we show that DI is not enough for IP protection. To demonstrate this, we propose a new system called MEW, which combines the Model Inversion (MI) attack and Elastic Weight Consolidation (EWC) to evade the detection of DI. We first use the pre-trained adversary model to generate a data pool and adaptively select samples to approximate the Fisher Information Matrix of the adversary model. Then we use an adaptation of EWC to slightly fine-tune the adversary model which moves it decision boundary slightly. Our empirical results demonstrate that the adversary model evaded the DI detection with 40 samples. We also lay out the limitations of MEW and discuss them at last.

Original language	English
Title of host publication	Neural Information Processing - 29th International Conference, ICONIP 2022, Proceedings
Editors	Mohammad Tanveer, Sonali Agarwal, Seiichi Ozawa, Asif Ekbal, Adam Jatowt
Publisher	Springer Science and Business Media Deutschland GmbH
Pages	127-136
Number of pages	10
ISBN (Print)	9789819916443
DOIs	https://doi.org/10.1007/978-981-99-1645-0_11
State	Published - 2023
Event	29th International Conference on Neural Information Processing, ICONIP 2022 - Virtual, Online Duration: 22 Nov 2022 → 26 Nov 2022

Publication series

Name	Communications in Computer and Information Science
Volume	1793 CCIS
ISSN (Print)	1865-0929
ISSN (Electronic)	1865-0937

Conference

Conference	29th International Conference on Neural Information Processing, ICONIP 2022
City	Virtual, Online
Period	22/11/22 → 26/11/22

Keywords

Dataset inference
Deep learning
Model Stealing attack

Access to Document

10.1007/978-981-99-1645-0_11

Cite this

Yin, W., & Qian, H. (2023). MEW: Evading Ownership Detection Against Deep Learning Models. In M. Tanveer, S. Agarwal, S. Ozawa, A. Ekbal, & A. Jatowt (Eds.), Neural Information Processing - 29th International Conference, ICONIP 2022, Proceedings (pp. 127-136). (Communications in Computer and Information Science; Vol. 1793 CCIS). Springer Science and Business Media Deutschland GmbH. https://doi.org/10.1007/978-981-99-1645-0_11

Yin, Wenxuan ; Qian, Haifeng. / MEW : Evading Ownership Detection Against Deep Learning Models. Neural Information Processing - 29th International Conference, ICONIP 2022, Proceedings. editor / Mohammad Tanveer ; Sonali Agarwal ; Seiichi Ozawa ; Asif Ekbal ; Adam Jatowt. Springer Science and Business Media Deutschland GmbH, 2023. pp. 127-136 (Communications in Computer and Information Science).

@inproceedings{ff0b4bfdab9d4c5183b682af441fe15a,

title = "MEW: Evading Ownership Detection Against Deep Learning Models",

abstract = "Training deep neural network (DNNs) requires massive computing resources and data, hence the trained models belong to the model owners{\textquoteright} Intellectual Property (IP), and it is very important to defend against the model stealing attack. Recently, a well-known approach named Dataset Inference (DI) claimed that by measuring the distance from the sample to the decision boundary, it can be determined whether the theft has occurred. In this paper, we show that DI is not enough for IP protection. To demonstrate this, we propose a new system called MEW, which combines the Model Inversion (MI) attack and Elastic Weight Consolidation (EWC) to evade the detection of DI. We first use the pre-trained adversary model to generate a data pool and adaptively select samples to approximate the Fisher Information Matrix of the adversary model. Then we use an adaptation of EWC to slightly fine-tune the adversary model which moves it decision boundary slightly. Our empirical results demonstrate that the adversary model evaded the DI detection with 40 samples. We also lay out the limitations of MEW and discuss them at last.",

keywords = "Dataset inference, Deep learning, Model Stealing attack",

author = "Wenxuan Yin and Haifeng Qian",

note = "Publisher Copyright: {\textcopyright} 2023, The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.; 29th International Conference on Neural Information Processing, ICONIP 2022 ; Conference date: 22-11-2022 Through 26-11-2022",

year = "2023",

doi = "10.1007/978-981-99-1645-0\_11",

language = "英语",

isbn = "9789819916443",

series = "Communications in Computer and Information Science",

publisher = "Springer Science and Business Media Deutschland GmbH",

pages = "127--136",

editor = "Mohammad Tanveer and Sonali Agarwal and Seiichi Ozawa and Asif Ekbal and Adam Jatowt",

booktitle = "Neural Information Processing - 29th International Conference, ICONIP 2022, Proceedings",

address = "德国",

}

Yin, W & Qian, H 2023, MEW: Evading Ownership Detection Against Deep Learning Models. in M Tanveer, S Agarwal, S Ozawa, A Ekbal & A Jatowt (eds), Neural Information Processing - 29th International Conference, ICONIP 2022, Proceedings. Communications in Computer and Information Science, vol. 1793 CCIS, Springer Science and Business Media Deutschland GmbH, pp. 127-136, 29th International Conference on Neural Information Processing, ICONIP 2022, Virtual, Online, 22/11/22. https://doi.org/10.1007/978-981-99-1645-0_11

MEW: Evading Ownership Detection Against Deep Learning Models. / Yin, Wenxuan; Qian, Haifeng.
Neural Information Processing - 29th International Conference, ICONIP 2022, Proceedings. ed. / Mohammad Tanveer; Sonali Agarwal; Seiichi Ozawa; Asif Ekbal; Adam Jatowt. Springer Science and Business Media Deutschland GmbH, 2023. p. 127-136 (Communications in Computer and Information Science; Vol. 1793 CCIS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - MEW

T2 - 29th International Conference on Neural Information Processing, ICONIP 2022

AU - Yin, Wenxuan

AU - Qian, Haifeng

PY - 2023

Y1 - 2023

N2 - Training deep neural network (DNNs) requires massive computing resources and data, hence the trained models belong to the model owners’ Intellectual Property (IP), and it is very important to defend against the model stealing attack. Recently, a well-known approach named Dataset Inference (DI) claimed that by measuring the distance from the sample to the decision boundary, it can be determined whether the theft has occurred. In this paper, we show that DI is not enough for IP protection. To demonstrate this, we propose a new system called MEW, which combines the Model Inversion (MI) attack and Elastic Weight Consolidation (EWC) to evade the detection of DI. We first use the pre-trained adversary model to generate a data pool and adaptively select samples to approximate the Fisher Information Matrix of the adversary model. Then we use an adaptation of EWC to slightly fine-tune the adversary model which moves it decision boundary slightly. Our empirical results demonstrate that the adversary model evaded the DI detection with 40 samples. We also lay out the limitations of MEW and discuss them at last.

AB - Training deep neural network (DNNs) requires massive computing resources and data, hence the trained models belong to the model owners’ Intellectual Property (IP), and it is very important to defend against the model stealing attack. Recently, a well-known approach named Dataset Inference (DI) claimed that by measuring the distance from the sample to the decision boundary, it can be determined whether the theft has occurred. In this paper, we show that DI is not enough for IP protection. To demonstrate this, we propose a new system called MEW, which combines the Model Inversion (MI) attack and Elastic Weight Consolidation (EWC) to evade the detection of DI. We first use the pre-trained adversary model to generate a data pool and adaptively select samples to approximate the Fisher Information Matrix of the adversary model. Then we use an adaptation of EWC to slightly fine-tune the adversary model which moves it decision boundary slightly. Our empirical results demonstrate that the adversary model evaded the DI detection with 40 samples. We also lay out the limitations of MEW and discuss them at last.

KW - Dataset inference

KW - Deep learning

KW - Model Stealing attack

UR - https://www.scopus.com/pages/publications/85161659751

U2 - 10.1007/978-981-99-1645-0_11

DO - 10.1007/978-981-99-1645-0_11

M3 - 会议稿件

AN - SCOPUS:85161659751

SN - 9789819916443

T3 - Communications in Computer and Information Science

SP - 127

EP - 136

BT - Neural Information Processing - 29th International Conference, ICONIP 2022, Proceedings

A2 - Tanveer, Mohammad

A2 - Agarwal, Sonali

A2 - Ozawa, Seiichi

A2 - Ekbal, Asif

A2 - Jatowt, Adam

PB - Springer Science and Business Media Deutschland GmbH

Y2 - 22 November 2022 through 26 November 2022

ER -

Yin W, Qian H. MEW: Evading Ownership Detection Against Deep Learning Models. In Tanveer M, Agarwal S, Ozawa S, Ekbal A, Jatowt A, editors, Neural Information Processing - 29th International Conference, ICONIP 2022, Proceedings. Springer Science and Business Media Deutschland GmbH. 2023. p. 127-136. (Communications in Computer and Information Science). doi: 10.1007/978-981-99-1645-0_11

MEW: Evading Ownership Detection Against Deep Learning Models

Abstract

Publication series

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this