Learning Model with Error -- Exposing the Hidden Model of BAYHENN

Authors: Harry W. H. Wong, Jack P. K. Ma, Donald P. H. Wong, Lucien K. L. Ng, Sherman S. M. Chow

IJCAI 2020

Reproducibility Variable | Result | LLM Response
Research Type | Experimental | This paper refutes the security claim of BAYHENN via both theoretical and empirical analyses. We conduct experiments to extract the BNN model on different real-world datasets to validate our claim. Figure 1 illustrates the effect of S and m. Our results show that the similarity between the testing results of our extracted model converges to the testing results of the victim model when m increases. We thus showed empirically that our attack can effectively extract a model as good as the one that was supposed to be protected by BAYHENN.
Researcher Affiliation | Academia | Harry W. H. Wong, Jack P. K. Ma, Donald P. H. Wong, Lucien K. L. Ng and Sherman S. M. Chow, Department of Information Engineering, The Chinese University of Hong Kong, Hong Kong. {wwh016, mpk016, wph019, nkl018, sherman}@ie.cuhk.edu.hk
Pseudocode | Yes | The paper includes multiple algorithm blocks, e.g., 'Algorithm 1: BNN or DNN (S = 1, Σ = ) Inference', 'Algorithm 2: BAYHENN', 'Algorithm 3: Experiment Exp A BAYHENN-mode-type', 'Algorithm 4: Oracle OBAYHENN-semi-honest', 'Algorithm 5: Oracle OBAYHENN-malicious', 'Algorithm 6: Procedure of AOBAYHENN-semi-honest()', 'Algorithm 7: Procedure of AOBAYHENN-malicious()'.
Open Source Code | No | The paper does not include an unambiguous statement that the authors are releasing the code for their methodology, nor does it provide a direct link to a source-code repository.
Open Datasets | Yes | We simulate an attacker to recover a single (fully-connected) layer BAYHENN (with 91.45% testing accuracy on the MNIST dataset).
Dataset Splits | No | The paper mentions 'The test dataset consists of 10,000 samples.' but does not specify training, validation, or other explicit split percentages or methodologies for creating splits needed to reproduce the data partitioning.
Hardware Specification | No | The paper does not provide specific hardware details (e.g., CPU/GPU models, memory) used for running its experiments. It mentions 'graphic processing units' generally in the introduction but not for the experimental setup.
Software Dependencies | No | The paper does not specify any software components with version numbers (e.g., Python, PyTorch, specific libraries or solvers) needed to replicate the experiment.
Experiment Setup | Yes | Parameter Choices. The model parameters W and b of the victim model are of dimension 784 × 10 and 1 × 10, respectively. The entries in a_i are integers, while the entries in W and the result matrix Z are floating-point numbers. As HE only works over Z_q, we need to quantize all the values of a_i, W, and b (with noise added). We did that by first scaling up the values of each a_i, W, and b by 2^8 and then rounding them into Z_q to match the HE computation. We chose q = 2^19 3 as BAYHENN limits the bit-length to 20. To sample the Gaussian noises used in BAYHENN, we use 0 mean and a different standard deviation σ (values provided are before scaling up) for each S. The test dataset consists of 10,000 samples.