Stealing Hyperparameters in Machine Learning Binghui Wang and
Stealing Hyperparameters in Machine Learning Binghui Wang and Neil Zhenqiang Gong ECE Department, Iowa State University
Machine Learning As A Service (MLaa. S) • Emerging technology to aid users with limited computing power or limited ML expertise to learn ML models • MLaa. S platforms
How MLaa. S is Used? Training dataset Testing dataset ML Model Prediction API
Privacy: A Big Challenge for MLaa. S • Model Inversion Attack • Fredrikson et al. CCS’ 15 • Membership Inference Attack • Shokri et al. IEEE S&P’ 17 • Model Extraction Attack • Trame r et al. Usenix Security’ 16
Our Work: A New Privacy Attack • Hyperparameter Stealing Attack • Hyperparameters are confidential for certain MLaa. S • Stealing hyperparameter values used by MLaa. S • Application Scenario • A user can be an attacker • Attacker can learn an ML model via MLaa. S with much less computational costs (or economical costs) without sacrificing testing performance
Outline • Machine Learning Background • Hyperparameter Stealing Attack • Evaluation • Defense • Conclusion
Outline • Machine Learning Background • Hyperparameter Stealing Attack • Evaluation • Defense • Conclusion
Machine Learning Concepts • Objective function • • • L: Loss function; E. g. , Least square loss: L(X, y, w) = |y - <X, w>|^2 R: Regularization; E. g. , L 2 -norm : R(w) = |w|^2 X: Training instances; Each instance is a feature vector y: Label; Continuous (i. e. , regression) or categorical (i. e. , classification) w: Model parameters �� : Hyperparameter; Balancing between the loss function and regularization
Machine Learning Tasks • Hyperparameter learning • Cross-validation • Time-consuming • Model parameter learning • Minimizing the objective function of an ML algorithm with a specified hyperparameter • Different ML algorithms use different loss functions and regularizations
Machine Learning System Algorithms for learning hyperparameters Training dataset Hyperparameters Algorithms for learning model parameters Model parameters
Outline • Machine Learning Background • Hyperparameter Stealing Attack • Evaluation • Defense • Conclusion
Motivation • Existing privacy attacks on ML systems focus on • inferring training dataset • stealing model parameters • Hyperparameters are critical for ML algorithms • Learning hyperparameters is time-consuming • Motivated by emerging MLaa. S, an attacker could be the user who aims to steal the hyperparameters for saving economical costs
Threat Model • Attacker’s Goal • Stealing the hyperparameters of an ML algorithm • Attacker’s Knowledge • Knowing the training dataset • Easy to satisfy • Knowing the ML algorithm • Certain MLaa. S platforms publish the ML algorithms, e. g. , Amazon ML, Microsoft Azure • (Optionally) knowing the model parameters • If unknown, using model extraction attack first
Attack Framework • Observation • Learnt model parameters of an ML algorithm are often (near) a minimum of the objective function • Gradient of the objective function at learnt model parameters are (about) 0 • Encoding relationships between the model parameters and hyperparameters
Attack Procedure • Step I: Setting the gradient of the objective function at the model parameters to be 0 A system of linear equations about the hyperparameter and overdetemined • Step II: Estimating the hyperparameter via least square
Applicable to Various ML Algorithms
Attacking Ridge Regression • Objective Function: Least square loss + L 2 regularization
Outline • Machine Learning Background • Hyperparameter Stealing Attack • Evaluation • Defense • Conclusion
Theoretical Evaluation • Theorem 1 (Exact Estimation): If the learnt model parameters w are an exact minimum w⋆ of the objective function, then • Theorem 2 (Approximate Estimation): If w⋆ is the minimum closet to w, then the estimation error is bounded by
Empirical Evaluation • Datasets • Evaluated Methods • Regression algorithms: RR, LASSO, KRR, neural network • Classification algorithms: LR, SVM, KLR, KSVM, neural network • Evaluation Metric
Results for Known Model Parameters Our attack can accurately estimate the hyperparameter for all our studied ML algorithms Our attack can more accurately estimate the hyperparameter for ML algorithms that have analytical solutions of model parameters
Results for Unknown Model Parameters Our attack can also accurately estimate the hyperparameter when model parameters are unknown
Attacking Amazon ML Accurate but inefficient • Method 1 (M 1) 1. Upload entire training dataset 3. Evaluate the testing dataset • Method 2 (M 2) 2. Learn hyperparameters & model parameters Efficient but inaccurate 1. Upload p% training dataset 3. Evaluate the testing dataset 2. Learn hyperparameters & model parameters
Attacking Amazon ML • Method 3 (M 3): Train-Steal-Retrain Strategy 1. Upload q% training dataset 3. Steal the hyperparameter 4. Upload entire training dataset & Specify the stealed hyperparameter 6. Evaluate the testing dataset Accurate and efficient 2. Learn hyperparameters & model parameters 5. Re-learn model parameters
Attacking Amazon ML • One half for training and one half for testing on the Bank dataset • M 2 and M 3 sample 15% and 3% of the training dataset • Training cost • M 1: $1. 02 vs M 3: $0. 16 • M 2: $0. 15 vs M 3: $0. 16 • Relative error • M 3 over M 1: 0. 92% • M 2 over M 1: 5. 1%
Outline • Machine Learning Background • Hyperparameter Stealing Attack • Evaluation • Defense • Conclusion
Rounding As a Defense • Rounding the learnt model parameters before sharing them to users • For instance, rounding a parameter 0. 8765 • With one decimal, 0. 9 • With two decimals, 0. 88 • Rounding technique was also used by other work • Fredrikson et al. CCS’ 15 • Trame r et al. Usenix Security’ 16
Defense Results Rounding is not effective enough for certain ML algorithms L 2 regularization is more secure than L 1 regularization
Outline • Machine Learning Background • Hyperparameter Stealing Attack • Evaluation • Defense • Conclusion
Conclusion • ML algorithms are vulnerable to hyperparameter stealing attacks • Our attack can help users save economical costs on MLaa. S platforms without sacrificing testing performance • We need new defenses for our hyperparameter stealing attacks
- Slides: 30