Abstract
The Deep Learning as a Service (DLaaS) service pattern is susceptible to model inference attacks. Existing inference attacks require the attacker to have sufficient auxiliary information for inference, which does not fully show the potential threat of inference attacks. Therefore MC-infer, a zero-knowledge, real-data-free black-box model inference attack, is proposed. MC-infer feeds random noise drawn from different random distributions to the target model, estimates the corresponding target distribution from the model's output, and conducts the model inference. The Monte Carlo method is used to analyze MC-infer theoretically, which demonstrates its theoretical feasibility. The experimental results show that MC-infer can effectively infer the target model. In addition, the limitations and complexity of MC-infer are investigated. Finally, several strategies to prevent the attack are discussed.
Authors
WU Feng (吴峰)
YANG Jiaxun (杨家勋)
Engineering Research Center of Cyberspace, Yunnan University, Kunming 650504, China; School of Information, Yunnan University, Kunming 650504, China
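Funding
National Natural Science Foundation of China (61863036)
Yunnan Province "Fang-Guan-Fu" (放管服) Basic Research Program (202001BB050076)
Yunnan Province Key Areas Science and Technology Program (202202AD080002)
Fundamental Research Funds for the Central Universities (2042022kf0021).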
Keywords
Monte Carlo
model inference attacks
deep learning as a service (DLaaS)
model privacy protection
distribution fitting