Adversarial reprogramming allows an attacker to steal computational resources by repurposing a machine-learning model to perform a different task of the attacker's choosing. For example, a model trained to recognize images of animals can be reprogrammed to recognize medical images by embedding an adversarial program in the images provided as inputs. The attack can be carried out even when the target model is a black box, provided that the model is offered as a service and the attacker can query it and collect its outputs. So far, no defense has been shown to be effective in this scenario. We show for the first time that the attack can be detected with stateful defenses, which store the queries made to the classifier and flag the abnormal case in which they are similar to one another. Once a malicious query is detected, the account of the user who made it can be blocked, so the attacker must create many accounts to carry out the attack. To reduce this number, the attacker could create the adversarial program against a surrogate classifier and then fine-tune it with only a few queries to the target model. In this scenario the effectiveness of the stateful defense is reduced, but we show that it remains effective.
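The following is an added illustration of the stateful-defense idea described in the abstract; it is not code from the paper. It assumes 16x16 grayscale inputs held as flat lists in [0, 1], an attacker whose adversarial program is a fixed perturbation covering the whole input with the task image embedded in a central 8x8 patch, and a detector that compares raw pixels with an L2 distance (a real deployment would compare in a feature space). The detector stores each account's past queries and blocks the account once a new query lies within a threshold of `k` earlier ones, so the reprogramming queries, which share the same program outside the patch, are caught while unrelated benign queries are not. The `run_attack` helper shows why the attacker needs many accounts: every time an account is blocked, the attacker must open a new one and resend the rejected query. The names `StatefulDetector`, `embed_task_image`, `run_benign` and `run_attack` are this example's own.

```python
"""Stateful detection of adversarial-reprogramming queries (added example).

Assumptions (not from the paper): 16x16 grayscale inputs as flat lists in
[0, 1]; the adversarial program is a fixed whole-image perturbation with the
attacker's task image embedded in a central 8x8 patch; the detector compares
raw pixels with an L2 distance and keeps a per-account history.
"""
import random
from math import sqrt

SIDE = 16
DIM = SIDE * SIDE
PATCH = 8


def random_image(rng, dim=DIM):
    """Constructed sample input: a random image standing in for a natural one."""
    return [rng.random() for _ in range(dim)]


def embed_task_image(program, task_image, patch=PATCH):
    """Attacker's query: the adversarial program everywhere except a central
    patch that carries an image of the attacker's own task."""
    x = list(program)
    off = (SIDE - patch) // 2
    for i in range(patch):
        for j in range(patch):
            x[(off + i) * SIDE + (off + j)] = task_image[i * patch + j]
    return x


def l2(a, b):
    return sqrt(sum((p - q) ** 2 for p, q in zip(a, b)))


class StatefulDetector:
    """Stores each account's past queries and blocks the account as soon as a
    new query is within `threshold` (L2) of at least `k` earlier ones."""

    def __init__(self, threshold=4.5, k=3):
        self.threshold = threshold
        self.k = k
        self.history = {}   # account -> list of past queries
        self.blocked = set()

    def query(self, account, x):
        """Return True if the query is served, False if the account is blocked."""
        if account in self.blocked:
            return False
        past = self.history.setdefault(account, [])
        close = sum(1 for p in past if l2(p, x) < self.threshold)
        past.append(x)
        if close >= self.k:
            # Too many near-duplicate queries from one account: block it.
            self.blocked.add(account)
            return False
        return True


def run_benign(detector, n, rng, account="alice"):
    """A legitimate user sends n unrelated images; returns how many were served."""
    return sum(detector.query(account, random_image(rng)) for _ in range(n))


def run_attack(detector, program, n, rng):
    """The attacker sends n reprogrammed queries, opening a fresh account whenever
    the current one is blocked and resending the rejected query.
    Returns the number of accounts the attacker had to create."""
    accounts = 1
    sent = 0
    while sent < n:
        x = embed_task_image(program, random_image(rng, PATCH * PATCH))
        while not detector.query(f"attacker-{accounts}", x):
            accounts += 1
        sent += 1
    return accounts


if __name__ == "__main__":
    rng = random.Random(0)
    det = StatefulDetector()
    print("benign queries served:", run_benign(det, 20, rng))
    print("accounts the attacker burned for 30 queries:",
          run_attack(det, random_image(rng), 30, rng))
```

With `k=3` each account serves three reprogrammed queries before its fourth is flagged, so the number of accounts grows linearly with the number of queries the attacker needs. This is also why the surrogate-plus-fine-tuning strategy in the abstract weakens the defense: an adversarial program that already works against a surrogate needs far fewer queries to the target, hence fewer accounts, although each account still hits the same limit.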