Stateful Detection of Model Extraction Attacks
This addresses security vulnerabilities for ML service providers, but it is incremental as it builds on existing detection methods.
The paper tackles the problem of model extraction attacks on Machine-Learning-as-a-Service APIs by proposing VarDetect, a stateful monitor that detects such attacks by tracking query distributions, resulting in successful detection of attackers and poor performance of extracted models.
Machine-Learning-as-a-Service providers expose machine learning (ML) models through application programming interfaces (APIs) to developers. Recent work has shown that attackers can exploit these APIs to extract good approximations of such ML models, by querying them with samples of their choosing. We propose VarDetect, a stateful monitor that tracks the distribution of queries made by users of such a service, to detect model extraction attacks. Harnessing the latent distributions learned by a modified variational autoencoder, VarDetect robustly separates three types of attacker samples from benign samples, and successfully raises an alarm for each. Further, with VarDetect deployed as an automated defense mechanism, the extracted substitute models are found to exhibit poor performance and transferability, as intended. Finally, we demonstrate that even adaptive attackers with prior knowledge of the deployment of VarDetect, are detected by it.