
Defending Model Extraction Attacks with Probabilistic Isolation

dc.contributor.advisor: Leach, Kevin
dc.contributor.advisor: Huang, Yu
dc.creator: Baxter, Hunter Christian
dc.date.accessioned: 2024-01-26T20:22:04Z
dc.date.available: 2024-01-26T20:22:04Z
dc.date.created: 2023-12
dc.date.issued: 2023-12-01
dc.date.submitted: December 2023
dc.identifier.uri: http://hdl.handle.net/1803/18554
dc.description.abstract: Deep Neural Networks (DNNs) are an essential intellectual property for companies providing Machine Learning as a Service (MLaaS) due to their exceptional capabilities in domains such as text generation, generative graphics, image recognition, and robotics. Because they are often proprietary, the training datasets and model architectures are lucrative targets for malicious actors looking to violate user privacy, gain a competitive market advantage, or generate adversarial examples. This thesis presents Jigsaw, a deep learning defense framework that partitions computation of a DNN across different nodes in a datacenter to provide a moving target defense against model extraction attacks. The defense is based on the insight that partitioning DNN computation can improve latency, that modern large language models require operator parallelism to scale, and that side-channel attacks are already computationally demanding against a single target, let alone multiple. Jigsaw employs a moving target defense strategy that uses probabilistic pseudo-isolation to decrease the time value of the information necessary to launch a model extraction attack. By trading the strong privacy guarantees of trusted execution environments or data-oblivious computation for probabilistic pseudo-isolation, we can secure larger models with fewer performance sacrifices. We show that with Jigsaw, there is an increase in the resources and time required to successfully complete an attack, which allows time to detect malicious behavior through well-studied anomaly detection systems. To bound the performance impact within the large random partitioning space of a DNN, we use a genetic algorithm to identify candidate partition plans that maintain reasonably strong performance while also providing a sufficient reduction in the attacker's window of opportunity. By balancing security with performance, Jigsaw aims to provide MLaaS providers with a practical security solution that scales to current large models and anticipates the needs of tomorrow's technologies.
dc.format.mimetype: application/pdf
dc.language.iso: en
dc.subject: Computer Security
dc.subject: Deep Learning
dc.title: Defending Model Extraction Attacks with Probabilistic Isolation
dc.type: Thesis
dc.date.updated: 2024-01-26T20:22:04Z
dc.type.material: text
thesis.degree.name: MS
thesis.degree.level: Masters
thesis.degree.discipline: Computer Science
thesis.degree.grantor: Vanderbilt University Graduate School
dc.creator.orcid: 0009-0006-4390-2364

