Search Results for author: Sebastian Szyller

Found 11 papers, 6 papers with code

SoK: Unintended Interactions among Machine Learning Defenses and Risks

1 code implementation, 7 Dec 2023, Vasisht Duddu, Sebastian Szyller, N. Asokan

We survey existing literature on unintended interactions, accommodating them within our framework.

Tags: Fairness, Memorization

LLM Self Defense: By Self Examination, LLMs Know They Are Being Tricked

no code implementations, 14 Aug 2023, Mansi Phute, Alec Helbling, Matthew Hull, Shengyun Peng, Sebastian Szyller, Cory Cornelius, Duen Horng Chau

We test LLM Self Defense on GPT-3.5 and Llama 2, two of the most prominent current LLMs, against various types of attacks, such as forcefully inducing affirmative responses to prompts and prompt engineering attacks.

Tags: Language Modelling, Large Language Model, +2

False Claims against Model Ownership Resolution

1 code implementation, 13 Apr 2023, Jian Liu, Rui Zhang, Sebastian Szyller, Kui Ren, N. Asokan

Our core idea is that a malicious accuser can deviate (without detection) from the specified MOR process by finding (transferable) adversarial examples that successfully serve as evidence against independent suspect models.

On the Robustness of Dataset Inference

no code implementations, 24 Oct 2022, Sebastian Szyller, Rui Zhang, Jian Liu, N. Asokan

However, in a subspace of the same setting, we prove that DI suffers from high false positives (FPs) -- it can incorrectly identify an independent model trained with non-overlapping data from the same distribution as stolen.

Conflicting Interactions Among Protection Mechanisms for Machine Learning Models

1 code implementation, 5 Jul 2022, Sebastian Szyller, N. Asokan

We then focus on systematically analyzing pairwise interactions between protection mechanisms for one concern, model and data ownership verification, with two other classes of ML protection mechanisms: differentially private training, and robustness against model evasion.

Tags: BIG-bench Machine Learning

SHAPr: An Efficient and Versatile Membership Privacy Risk Metric for Machine Learning

no code implementations, 4 Dec 2021, Vasisht Duddu, Sebastian Szyller, N. Asokan

Using ten benchmark datasets, we show that SHAPr is indeed effective in estimating susceptibility of training data records to MIAs.

Tags: BIG-bench Machine Learning, Data Valuation, +2

Good Artists Copy, Great Artists Steal: Model Extraction Attacks Against Image Translation Models

no code implementations, 26 Apr 2021, Sebastian Szyller, Vasisht Duddu, Tommi Gröndahl, N. Asokan

We present a framework for conducting such attacks, and show that an adversary can successfully extract functional surrogate models by querying $F_V$ using data from the same domain as the training data for $F_V$.

Tags: Generative Adversarial Network, Image Classification, +5

Extraction of Complex DNN Models: Real Threat or Boogeyman?

no code implementations, 11 Oct 2019, Buse Gul Atli, Sebastian Szyller, Mika Juuti, Samuel Marchal, N. Asokan

However, model extraction attacks can steal the functionality of ML models using the information leaked to clients through the results returned via the API.

Tags: Model extraction
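As an added illustration (not code from any of the papers listed here) of two points made above: a victim model exposed only through a prediction API can be copied by an attacker who queries it with in-domain inputs, and, for the false-positive problem raised against Dataset Inference, a third model trained independently on disjoint data from the same distribution ends up just as close to the victim as the stolen surrogate, so prediction similarity alone cannot tell the two apart. The victim is a hypothetical 2-D logistic-regression classifier with made-up weights; every input and label below is constructed inside the script, and the API is simulated by a local function.

```python
"""Toy model-extraction demo (added illustration; not code from the listed papers).

A hypothetical "victim" logistic-regression classifier is reachable only via
victim_api(). An attacker queries it with in-distribution inputs and fits a
surrogate, once from leaked confidence scores and once from top-1 labels only.
An independent model is then trained on disjoint same-distribution data with
its own ground-truth labels. All are compared with the victim by label agreement.
"""
import math
import random

# Assumed victim parameters (chosen for the demo).
VICTIM_W = (2.0, -1.5)
VICTIM_B = 0.3


def sigmoid(z):
    # Numerically safe logistic function.
    if z >= 0:
        return 1.0 / (1.0 + math.exp(-z))
    ez = math.exp(z)
    return ez / (1.0 + ez)


def predict_proba(w, b, x):
    return sigmoid(w[0] * x[0] + w[1] * x[1] + b)


def victim_api(x, soft=True):
    """Simulated prediction API. soft=True leaks the confidence score,
    soft=False returns only the top-1 label (less information per query)."""
    p = predict_proba(VICTIM_W, VICTIM_B, x)
    return p if soft else float(p >= 0.5)


def sample_inputs(n, rng):
    """Constructed in-domain inputs: uniform over [-3, 3]^2."""
    return [(rng.uniform(-3, 3), rng.uniform(-3, 3)) for _ in range(n)]


def train_logreg(xs, targets, lr=0.1, epochs=1000):
    """Full-batch gradient descent on cross-entropy; targets may be soft (0..1)."""
    w = [0.0, 0.0]
    b = 0.0
    n = len(xs)
    for _ in range(epochs):
        gw0 = gw1 = gb = 0.0
        for x, t in zip(xs, targets):
            err = sigmoid(w[0] * x[0] + w[1] * x[1] + b) - t
            gw0 += err * x[0]
            gw1 += err * x[1]
            gb += err
        w[0] -= lr * gw0 / n
        w[1] -= lr * gw1 / n
        b -= lr * gb / n
    return (w[0], w[1]), b


def agreement(model_a, model_b, xs):
    """Fraction of inputs on which two (w, b) models output the same label."""
    same = 0
    for x in xs:
        la = predict_proba(model_a[0], model_a[1], x) >= 0.5
        lb = predict_proba(model_b[0], model_b[1], x) >= 0.5
        same += la == lb
    return same / len(xs)


def run_extraction(seed=0, n_queries=400):
    rng = random.Random(seed)
    victim = (VICTIM_W, VICTIM_B)
    # Attacker: query the API with in-domain inputs and fit surrogates.
    queries = sample_inputs(n_queries, rng)
    surrogate_soft = train_logreg(queries, [victim_api(x, soft=True) for x in queries])
    surrogate_hard = train_logreg(queries, [victim_api(x, soft=False) for x in queries])
    # Independent party: disjoint inputs, labels drawn from the same underlying
    # process (the victim is treated as calibrated), never touches the API.
    indep_xs = sample_inputs(n_queries, rng)
    indep_ys = [float(rng.random() < predict_proba(VICTIM_W, VICTIM_B, x)) for x in indep_xs]
    independent = train_logreg(indep_xs, indep_ys)
    test = sample_inputs(1000, rng)
    return {
        "soft": agreement(victim, surrogate_soft, test),
        "hard": agreement(victim, surrogate_hard, test),
        "independent": agreement(victim, independent, test),
    }


if __name__ == "__main__":
    for name, value in run_extraction().items():
        print(f"{name:12s} agreement with victim: {value:.3f}")
```

The three agreement numbers are the point: both surrogates and the independent model all sit close to the victim, so a verifier that flags a suspect merely because its predictions match the victim's will also flag the honest third party. Real extraction targets are far larger than a 2-D linear model, but the information asymmetry (confidence scores versus labels) and the independent-model confound are the same.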

Detecting organized eCommerce fraud using scalable categorical clustering

1 code implementation, 10 Oct 2019, Samuel Marchal, Sebastian Szyller

Our approach is based on clustering and aims to group together fraudulent orders placed by the same group of fraudsters.

Tags: Clustering, Fraud Detection

DAWN: Dynamic Adversarial Watermarking of Neural Networks

1 code implementation, 3 Jun 2019, Sebastian Szyller, Buse Gul Atli, Samuel Marchal, N. Asokan

Existing watermarking schemes are ineffective against IP theft via model extraction since it is the adversary who trains the surrogate model.

Tags: Model extraction

PRADA: Protecting against DNN Model Stealing Attacks

2 code implementations, 7 May 2018, Mika Juuti, Sebastian Szyller, Samuel Marchal, N. Asokan

Access to the model can be restricted to be only via well-defined prediction APIs.

Tags: Cryptography and Security
