Title: A Framework to Understand Model Stealing Attacks and Defenses
Speaker: Yuhong Yang
Time: Friday, July 18, 2025, 16:00
Venue: Conference Room 644, Comprehensive Building
About the speaker:
Dr. Yuhong Yang is Professor at the Yau Mathematical Sciences Center. He received his Ph.D. in statistics from Yale University in 1996. His research interests include model selection, model averaging, multi-armed bandit problems, causal inference, high-dimensional data analysis, and machine learning. He has published in journals across several fields, including the Annals of Statistics, JASA, IEEE Transactions on Information Theory, IEEE Signal Processing Magazine, Journal of Econometrics, Journal of Machine Learning Research, and International Journal of Forecasting. He is a recipient of the US NSF CAREER Award and a fellow of both the Institute of Mathematical Statistics and the American Statistical Association. He is included in Stanford University's list of the world's top 2% most-cited scientists.
Abstract:
The use of machine learning (ML) has become increasingly prevalent across many domains, which makes understanding and ensuring its safety important. One pressing concern is the vulnerability of ML applications to model stealing attacks: an adversary attempts to recover a learned model through a limited number of query-response interactions, such as those offered by cloud-based prediction services or on-chip artificial intelligence interfaces. While the existing literature proposes a variety of attack and defense strategies, these often lack a theoretical foundation and standardized evaluation criteria. In response, this work presents a framework called "Model Privacy" that provides a foundation for comprehensively analyzing model stealing attacks and defenses. We establish a rigorous formulation of the threat model and its objectives, propose methods to quantify the goodness of attack and defense strategies, and analyze the fundamental tradeoffs between utility and privacy in ML models.
The resulting theory offers valuable insights into enhancing the security of ML models; in particular, it highlights the importance of attack-specific structure in the perturbations used for effective defenses. We demonstrate the application of model privacy from the defender's perspective across a range of regression learning scenarios, including defending against attackers that use known learning algorithms such as k-nearest neighbors, polynomials, reproducing kernels, and neural networks, as well as attackers whose algorithms are unknown. Extensive experiments on both simulated and real-world datasets corroborate the insights and the effectiveness of the defense mechanisms developed under the proposed framework. Notably, our methods significantly improve the robustness of ML models against stealing attacks, ensuring greater security and reliability in practical applications.
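As an added illustration of the threat model and the utility-versus-privacy tradeoff the abstract describes (example code written for this page, not code from the talk or its authors), the simulation below lets an attacker steal a regression model through query-response access. The target model, the attacker's learning algorithm (degree-2 polynomial least squares, one of the "known algorithm" cases named above), the query budget, and the two response-perturbation policies are all constructed assumptions for this toy: "iid_noise" adds query-independent Gaussian noise, and "structured" adds a deterministic perturbation that lies inside the attacker's hypothesis class. The latter is only a hand-picked stand-in for what "attack-specific structure" can mean, not the defense presented in the talk. Attack error is the RMS gap between the stolen and true models; utility loss is the RMS gap between served responses and the true model, so a legitimate user sees both defenses as a similar distortion while the attacker does not.

```python
import math
import random

# Constructed target model for this illustration (assumption, not from the talk):
# the service owner's regression function f(x) = 1 + 2x - 0.5x^2 on [-1, 1].
TRUE_COEFS = [1.0, 2.0, -0.5]
GRID = [-1.0 + 2.0 * i / 200 for i in range(201)]  # evaluation points on [-1, 1]


def poly_eval(coefs, x):
    """Evaluate sum_k coefs[k] * x**k."""
    return sum(c * x ** k for k, c in enumerate(coefs))


def true_model(x):
    return poly_eval(TRUE_COEFS, x)


def solve_linear(a, b):
    """Solve a @ c = b by Gaussian elimination with partial pivoting (small dense systems)."""
    n = len(b)
    m = [a[i][:] + [b[i]] for i in range(n)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        p = m[col][col]
        for j in range(col, n + 1):
            m[col][j] /= p
        for r in range(n):
            if r != col and m[r][col] != 0.0:
                f = m[r][col]
                for j in range(col, n + 1):
                    m[r][j] -= f * m[col][j]
    return [m[i][n] for i in range(n)]


def least_squares_poly(xs, ys, degree):
    """The attacker's learning algorithm: polynomial least squares via the normal equations."""
    k = degree + 1
    ata = [[0.0] * k for _ in range(k)]
    aty = [0.0] * k
    for x, y in zip(xs, ys):
        row = [x ** j for j in range(k)]
        for i in range(k):
            aty[i] += row[i] * y
            for j in range(k):
                ata[i][j] += row[i] * row[j]
    return solve_linear(ata, aty)


def rms_gap(f_a, f_b):
    """Root-mean-square gap between two functions over GRID."""
    return math.sqrt(sum((f_a(x) - f_b(x)) ** 2 for x in GRID) / len(GRID))


def respond(x, defense, scale, rng):
    """Defender answers query x under one of three constructed response policies (assumptions)."""
    y = true_model(x)
    if defense == "none":
        return y
    if defense == "iid_noise":
        # Query-independent Gaussian noise: a least-squares attacker averages it out as queries grow.
        return y + rng.gauss(0.0, scale)
    if defense == "structured":
        # Deterministic perturbation inside the attacker's hypothesis class (a degree-2 polynomial):
        # it cannot be averaged away, so the stolen model inherits it in full.
        return y + scale * (2.0 * x ** 2 - 1.0)
    raise ValueError(f"unknown defense {defense!r}")


def run_attack(defense, n_queries, scale, seed=0):
    """Simulate the extraction attack; return (attack_error, utility_loss), both RMS gaps over GRID."""
    rng = random.Random(seed)
    xs = [rng.uniform(-1.0, 1.0) for _ in range(n_queries)]
    ys = [respond(x, defense, scale, rng) for x in xs]
    stolen = least_squares_poly(xs, ys, degree=2)

    def stolen_model(x):
        return poly_eval(stolen, x)

    def served(x):
        return respond(x, defense, scale, rng)

    return rms_gap(stolen_model, true_model), rms_gap(served, true_model)


if __name__ == "__main__":
    for defense in ("none", "iid_noise", "structured"):
        for n in (50, 2000):
            err, loss = run_attack(defense, n, scale=0.3)
            print(f"{defense:11s} queries={n:5d} attack_error={err:.3f} utility_loss={loss:.3f}")
```

With no defense the attacker recovers the model exactly from a handful of queries. With i.i.d. noise, the attack error shrinks toward zero as the query budget grows even though every legitimate user pays the full utility cost of the noise. With the structured perturbation, the attack error stays at the size of the perturbation no matter how many queries are made, and the utility cost is no higher, which is the kind of asymmetry a defender wants from a perturbation tailored to the attacker's algorithm.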
Copyright © 2017 School of Statistics, Zhejiang Gongshang University. Email: tjx@zjgsu.edu.cn