Consider a model extraction attack. Assuming that the model is a simple deep neural network, the attacker can use the returned score from the server and solve a linear equation to compute the weights. Assume the server applies a defense technique that limits the number of queries that the attacker can submit, e.g., set the limit m = 4. The attacker submits the following queries. [1, 0, 1, 1, 5, 3, 6, 3] -> received feedback score [8] [9, 3, 10, 0, 2, 3, 4, 8] -> received feedback score [2] [12, 0, -4, 1, 8, 3, 6, 15] -> received feedback score [0] [1, 0, -2, -4, -2, 8, 9, 12] -> received feedback score [3] Now in order to solve Ax = b (x is the weights of the model), the attacker needs to submit 4 more queries, but it is limited by the server to 4. Thus, what the attacker can do is to approximate x with least square approximation: A^T A x^{hat} = A^T b, and solve for x^{hat}. Show your step of calculating x^{hat}. Question gives a 8*8 matrix when applying the A^T•A
Consider a model extraction attack. Assuming that the model is a simple deep neural network, the attacker can use the returned score from the server and solve a linear equation to compute the weights. Assume the server applies a defense technique that limits the number of queries that the attacker can submit, e.g., set the limit m = 4. The attacker submits the following queries.
[1, 0, 1, 1, 5, 3, 6, 3] -> received feedback score [8]
[9, 3, 10, 0, 2, 3, 4, 8] -> received feedback score [2]
[12, 0, -4, 1, 8, 3, 6, 15] -> received feedback score [0]
[1, 0, -2, -4, -2, 8, 9, 12] -> received feedback score [3]
Now in order to solve Ax = b (x is the weights of the model), the attacker needs to submit 4 more queries, but it is limited by the server to 4. Thus, what the attacker can do is to approximate x with least square approximation: A^T A x^{hat} = A^T b, and solve for x^{hat}. Show your step of calculating x^{hat}. Question gives a 8*8 matrix when applying the A^T•A
Trending now
This is a popular solution!
Step by step
Solved in 2 steps
