Projects per year
Abstract
Transfer learning has become a common solution to address training data scarcity in practice. It trains a specified student model by reusing or fine-tuning early layers of a well-trained teacher model that is usually publicly available. However, besides utility improvement, the transferred public knowledge also brings potential threats to model confidentiality, and even further raises other security and privacy issues.
In this paper, we present the first comprehensive investigation of the teacher model exposure threat in the transfer learning context, aiming to gain a deeper insight into the tension between public knowledge and model confidentiality. To this end, we propose a teacher model fingerprinting attack to infer the origin of a student model, i.e., the teacher model it transfers from. Specifically, we propose a novel optimizationbased method to carefully generate queries to probe the student model to realize our attack. Unlike existing model reverse engineering approaches, our proposed fingerprinting method neither relies on fine-grained model outputs, e.g., posteriors, nor auxiliary information of the model architecture or training dataset. We systematically evaluate the effectiveness of our proposed attack. The empirical results demonstrate that our attack can accurately identify the model origin with few probing queries. Moreover, we show that the proposed attack can serve as a stepping stone to facilitating other attacks against machine learning models, such as model stealing.1
| Original language | English |
|---|---|
| Title of host publication | Proceedings of the 31st USENIX Security Symposium |
| Publisher | USENIX Association |
| Pages | 3593-3610 |
| Number of pages | 18 |
| ISBN (Electronic) | 978-1-939133-31-1 |
| Publication status | Published - Aug 2022 |
| Event | 31st USENIX Security Symposium (USENIX Security '22) - Boston Marriott Copley Place, Boston, United States Duration: 10 Aug 2022 → 12 Aug 2022 https://www.usenix.org/conference/usenixsecurity22 |
Publication series
| Name | Proceedings of the USENIX Security Symposium, Security |
|---|
Conference
| Conference | 31st USENIX Security Symposium (USENIX Security '22) |
|---|---|
| Place | United States |
| City | Boston |
| Period | 10/08/22 → 12/08/22 |
| Internet address |
Bibliographical note
Research Unit(s) information for this publication is provided by the author(s) concerned.Funding
This work is supported by the National Key Research and Development Program of China (2020AAA0107702), National Natural Science Foundation of China (U21B2018, 62161160337, 62132011), Shaanxi Province Key Industry Innovation Program (2021ZDLGY01-02), the Research Grants Council of Hong Kong under Grants N_CityU139/21, R6021- 20F, R1012-21, and the Helmholtz Association within the project “Trustworthy Federated Data Analytics” (TFDA) (funding number ZT-I-OO1 4).
RGC Funding Information
- RGC-funded
Fingerprint
Dive into the research topics of 'Teacher Model Fingerprinting Attacks Against Transfer Learning'. Together they form a unique fingerprint.-
RIF: Secure and Incentivized Data Sharing with Enhanced Ownership for Decentralized Networks
JIA, X. (Principal Investigator / Project Coordinator), Li, B. (Co-Principal Investigator), PANG, Z. (Co-Principal Investigator), WANG, C. (Co-Principal Investigator), WANG, J. (Co-Principal Investigator) & Yiu, S. M. (Co-Principal Investigator)
30/06/22 → …
Project: Research
-
RIF-ExtU-Lead: Enabling Secure and Efficient Cross-Silo Federated Learning at Scale
Li, B. (Main Project Coordinator [External]) & WANG, C. (Principal Investigator / Project Coordinator)
1/02/21 → …
Project: Research
-
NSFC: Towards Secure and Privacy-enhanced Machine Learning as a Service
WANG, C. (Principal Investigator / Project Coordinator) & Shen, C. (Co-Investigator)
1/01/22 → 31/12/25
Project: Research