Model Extraction from Neural Networks

2024-07-01 11:05

A new paper, "Polynomial Time Cryptanalytic Extraction of Neural Network Models," by Adi Shamir and others, uses ideas from differential cryptanalysis to extract the weights inside a neural network using specific queries and their results.

Billions of dollars and countless GPU hours are currently spent on training Deep Neural Networks for a variety of tasks.

Thus, it is essential to determine the difficulty of extracting all the parameters of such neural networks when given access to their black-box implementations.

Many versions of this problem have been studied over the last 30 years, and the best current attack on ReLU-based deep neural networks was presented at Crypto'20 by Carlini, Jagielski, and Mironov.

In this paper, we improve this attack by developing several new techniques that enable us to extract with arbitrarily high precision all the real-valued parameters of a ReLU-based DNN using a polynomial number of queries and a polynomial amount of time.

We demonstrate its practical efficiency by applying it to a full-sized neural network for classifying the CIFAR10 dataset, which has 3072 inputs, 8 hidden layers with 256 neurons each, and about 1.2 million neuronal parameters.

News URL

https://www.schneier.com/blog/archives/2024/07/model-extraction-from-neural-networks.html

#neuralnetwork