Towards Provable (In)Secure Model Weight Release Schemes
This work addresses the lack of rigorous security foundations in open-source model distribution, which is crucial for protecting model ownership and preventing misuse in the ML and security communities.
The paper formalizes security definitions for model weight release schemes and analyzes TaylorMLP, revealing vulnerabilities that allow parameter extraction, showing it fails to achieve its security goals.
Recent secure weight release schemes claim to enable open-source model distribution while protecting model ownership and preventing misuse. However, these approaches lack rigorous security foundations and provide only informal security guarantees. Inspired by established works in cryptography, we formalize the security of weight release schemes by introducing several concrete security definitions. We then demonstrate our definition's utility through a case study of TaylorMLP, a prominent secure weight release scheme. Our analysis reveals vulnerabilities that allow parameter extraction thus showing that TaylorMLP fails to achieve its informal security goals. We hope this work will advocate for rigorous research at the intersection of machine learning and security communities and provide a blueprint for how future weight release schemes should be designed and evaluated.