Cryptanalytic Extraction of Neural Network Models

March 10, 2020 · Entered Twilight · 🏛 Annual International Cryptology Conference

"Last commit was 5.0 years ago (≥5 year threshold)"

Evidence collected by the PWNC Scanner

Repo contents: CONTRIBUTING, LICENSE, README, check_solution_milp.py, check_solution_svd.py, extract.py, models, src, train_models.py

Authors Nicholas Carlini, Matthew Jagielski, Ilya Mironov arXiv ID 2003.04884 Category cs.LG: Machine Learning Cross-listed cs.CR Citations 159 Venue Annual International Cryptology Conference Repository https://github.com/google-research/cryptanalytic-model-extraction ⭐ 55 Last Checked 1 month ago

Abstract

We argue that the machine learning problem of model extraction is actually a cryptanalytic problem in disguise, and should be studied as such. Given oracle access to a neural network, we introduce a differential attack that can efficiently steal the parameters of the remote model up to floating point precision. Our attack relies on the fact that ReLU neural networks are piecewise linear functions, and thus queries at the critical points reveal information about the model parameters. We evaluate our attack on multiple neural network models and extract models that are 2^20 times more precise and require 100x fewer queries than prior work. For example, we extract a 100,000 parameter neural network trained on the MNIST digit recognition task with 2^21.5 queries in under an hour, such that the extracted model agrees with the oracle on all inputs up to a worst-case error of 2^-25, or a model with 4,000 parameters in 2^18.5 queries with worst-case error of 2^-40.4. Code is available at https://github.com/google-research/cryptanalytic-model-extraction.