Increasing the Cost of Model Extraction with Calibrated Proof of Work
Authors: Adam Dziedzic, Muhammad Ahmad Kaleem, Yu Shen Lu, Nicolas Papernot
ICLR 2022 | Conference PDF | Archive PDF | Plain Text | LLM Run Details
| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | Our rigorous evaluation on four datasets and eight attacks validates that adversaries attempting to steal a model issue queries whose privacy cost accumulates up to 7x faster than for benign queries |
| Researcher Affiliation | Academia | Adam Dziedzic University of Toronto and Vector Institute adam.dziedzic@utoronto.ca Muhammad Ahmad Kaleem University of Toronto and Vector Institute ahmad.kaleem@mail.utoronto.ca Yu Shen Lu Stanford University yushenlu@stanford.edu Nicolas Papernot University of Toronto and Vector Institute nicolas.papernot@utoronto.ca |
| Pseudocode | No | The paper does not contain any clearly labeled 'Pseudocode' or 'Algorithm' block, nor does it present structured steps formatted like code. |
| Open Source Code | Yes | We submit our code in the supplementary material. In the README.md file we provide the main commands needed to run our code. |
| Open Datasets | Yes | We use MNIST, Fashion MNIST (in the Appendix), SVHN, and CIFAR10 datasets to test our defense. |
| Dataset Splits | Yes | The test accuracy corresponding to the epoch with the maximum validation accuracy is used for these plots. |
| Hardware Specification | Yes | Our experiments were performed on machines with Intel Xeon Silver 4210 processor, 128 GB of RAM, and four NVIDIA Ge Force RTX 2080 graphics cards, running Ubuntu 18.04. |
| Software Dependencies | No | The paper mentions porting the Hash Cash function to 'Python 3.8' but does not specify version numbers for other key software libraries or frameworks like PyTorch or torchsummary, which are implied to be used. |
| Experiment Setup | Yes | Jacobian and Jacobian-TR (targeted) attacks use 150 samples from the respective test sets for the initial substitute training set. A value of λ = 0.1 is used for the dataset augmentation step and the attacker model is trained for 20 epochs with a learning rate of 0.01 and momentum of 0.9 after each augmentation step. |