Paper 2022/1200

SEEK: model extraction attack against hybrid secure inference protocols

Si Chen, Open Security Research
Junfeng Fan, Open Security Research
Abstract

Security concerns about a machine learning model used in prediction-as-a-service include the privacy of the model, of the query and of the result. Secure inference solutions based on homomorphic encryption (HE) and/or multiparty computation (MPC) have been developed to protect all of this sensitive information. One of the most efficient types of solution uses HE for the linear layers and MPC for the non-linear layers. However, in such hybrid protocols with semi-honest security, an adversary can malleate the intermediate features during inference and thereby extract model information more effectively than extraction methods against an inference service operating in plaintext. In this paper, we propose SEEK, a general extraction method for hybrid secure inference services that output only class labels. The method extracts each layer of the target model independently and is not affected by the depth of the model. For ResNet-18, SEEK extracts a parameter with fewer than 50 queries on average, with an average error below $0.03\%$.
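The following is an added worked example, not code from the paper and not the SEEK algorithm itself. It is a Python simulation of the protocol class the abstract describes (HE for the linear layers, additive shares of each intermediate feature between them, MPC for ReLU, label-only output) in which a server running a semi-honest-secure protocol cannot distinguish a client that encrypts its genuine share from one that encrypts that share plus a chosen offset, and a generic label-only boundary search on the malleated feature recovers the final layer's weight difference up to a positive scale. The two-layer model, its weights, the query input and every function name are constructed assumptions; HE is simulated in the clear.

```python
"""Toy simulation of the intermediate-feature malleability described in the
abstract. Constructed example: not the paper's code and not the SEEK
algorithm. It models the protocol class the abstract describes (HE for the
linear layers, additive shares of every intermediate feature, MPC for ReLU,
label-only output) with HE simulated in the clear."""
import random

rng = random.Random(1)

# Constructed server-side binary classifier (assumed weights):
#   x -> h = W1 x + b1 -> a = ReLU(h) -> logits = W2 a + b2 -> argmax
W1 = [[0.8, -0.5, 0.3], [0.2, 0.9, -0.4], [-0.6, 0.4, 0.7], [0.5, 0.1, -0.9]]
b1 = [0.1, -0.2, 0.05, 0.3]
W2 = [[1.0, -0.5, 0.8, 0.3], [-0.7, 0.9, 0.2, -0.4]]
b2 = [0.2, -0.1]
N_HIDDEN = len(b1)


def linear(W, b, v):
    return [sum(w * x for w, x in zip(row, v)) + bi for row, bi in zip(W, b)]


def share(vec):
    """Additive secret sharing; real protocols share over a ring, which has
    the same malleability. Returns (client_share, server_share)."""
    client = [rng.uniform(-10.0, 10.0) for _ in vec]
    return client, [v - c for v, c in zip(vec, client)]


def server_layer1(x):
    """HE stage: the server evaluates W1 x + b1 on the client's ciphertext,
    subtracts a random mask (its own share) and returns the masked result."""
    return share(linear(W1, b1, x))


def mpc_relu(client_share, server_share):
    """Ideal functionality of the MPC ReLU: shares of h in, shares of ReLU(h)
    out; neither party sees h."""
    h = [c + s for c, s in zip(client_share, server_share)]
    return share([max(v, 0.0) for v in h])


def server_layer2_label(client_share, server_share):
    """Second HE stage: the server adds its own share to the client's
    ciphertext, applies W2 and b2, and releases only the class label."""
    a = [c + s for c, s in zip(client_share, server_share)]
    logits = linear(W2, b2, a)
    return max(range(len(logits)), key=logits.__getitem__)


def query(x, delta=None):
    """One inference from the client's side. Under semi-honest security the
    server cannot tell an encryption of the genuine share a_c from one of
    a_c + delta, so delta shifts the feature consumed by the last layer."""
    h_c, h_s = server_layer1(x)
    a_c, a_s = mpc_relu(h_c, h_s)
    if delta is not None:
        a_c = [v + d for v, d in zip(a_c, delta)]
    return server_layer2_label(a_c, a_s)


def extract_last_layer_direction(x, bound=1e6, iters=100):
    """Label-only boundary search, one malleated coordinate at a time.
    For fixed x the logit gap is d.delta + k with d = W2[1] - W2[0] and an
    unknown constant k, so the crossing t_i on coordinate i obeys
    d_i * t_i = -k: the label at +bound gives sign(d_i), and 1/|t_i| equals
    |d_i| up to the common factor 1/|k|. A coordinate with no crossing inside
    [-bound, bound] is reported as None (d_i = 0 or too small to resolve)."""
    def one_hot(i, t):
        return [t if j == i else 0.0 for j in range(N_HIDDEN)]

    direction = []
    for i in range(N_HIDDEN):
        lo, hi = -bound, bound
        lab_lo, lab_hi = query(x, one_hot(i, lo)), query(x, one_hot(i, hi))
        if lab_lo == lab_hi:
            direction.append(None)
            continue
        for _ in range(iters):
            mid = (lo + hi) / 2.0
            if query(x, one_hot(i, mid)) == lab_lo:
                lo = mid
            else:
                hi = mid
        t = (lo + hi) / 2.0
        sign = 1.0 if lab_hi == 1 else -1.0
        direction.append(sign / abs(t))
    return direction


def normalize(v):
    """Scale a direction so its largest-magnitude entry is +-1, making the
    recovered vector comparable with the true W2[1] - W2[0] (None -> 0)."""
    vals = [0.0 if e is None else e for e in v]
    scale = max(abs(e) for e in vals) or 1.0
    return [e / scale for e in vals]


if __name__ == "__main__":
    x = [1.0, 0.5, -0.2]                     # constructed query input
    print("honest label:", query(x))
    est = normalize(extract_last_layer_direction(x))
    true = normalize([W2[1][j] - W2[0][j] for j in range(N_HIDDEN)])
    print("recovered:", [round(e, 4) for e in est])
    print("true     :", [round(e, 4) for e in true])
```

Run as a script to compare the recovered direction with W2[1] - W2[0]. Each coordinate costs roughly a hundred label queries here, far more than the under-50-per-parameter figure the abstract reports for SEEK; what the simulation shows is only that the client-held share is malleable and that the label oracle leaks the layer's parameters through it, not the paper's query-efficient extraction.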

Metadata
Available format(s)
PDF
Category
Cryptographic protocols
Publication info
Preprint.
Keywords
model extraction, secure inference protocol, homomorphic encryption, multiparty computation
Contact author(s)
si chen @ osr-tech com
fan @ osr-tech com
History
2022-09-12: approved
2022-09-11: received
Short URL
https://ia.cr/2022/1200
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2022/1200,
      author = {Si Chen and Junfeng Fan},
      title = {SEEK: model extraction attack against hybrid secure inference protocols},
      howpublished = {Cryptology ePrint Archive, Paper 2022/1200},
      year = {2022},
      note = {\url{https://eprint.iacr.org/2022/1200}},
      url = {https://eprint.iacr.org/2022/1200}
}