CCS2024

Beowulf: Mitigating Model Extraction Attacks Via Reshaping Decision Regions

Xueluan Gong, Rubin Wei, Ziyao Wang, Yuchen Sun, Jiawen Peng, Yanjiao Chen, Qian Wang


Abstract

Machine Learning as a Service (MLaaS) enables resource-constrained users to access well-trained models through a publicly accessible Application Programming Interface (API) on a pay-per-query basis. Nevertheless, model owners may face the potential threat of model extraction attacks, in which malicious users replicate valuable commercial models based on query results. Existing defenses against model extraction attacks, however, either sacrifice prediction accuracy or fail to thwart more advanced attacks. In this paper, we propose a novel model extraction defense, dubbed Beowulf¹, which draws inspiration from theoretical findings that models with complex and narrow decision regions are difficult to reproduce. Rather than arbitrarily altering decision regions, which may jeopardize the predictive capacity of the victim model, we introduce a dummy class, carefully synthesized using both random and adversarial noise. The random noise broadens the coverage of the dummy class, and the adversarial noise impacts decision regions near the decision boundaries with normal classes. To further improve model utility, we propose employing data augmentation methods to seamlessly integrate the dummy class and the normal classes. Extensive evaluations on CIFAR-10, GTSRB, CIFAR-100, and ImageNette datasets

* Yanjiao Chen and Qian Wang are corresponding authors.

¹ In Anglo-Saxon literature and mythology, "Beowulf" is a heroic figure known for his strength and bravery, defending the kingdom against monsters in an epic tale.