Model-serving systems have become increasingly popular, especially in real-time web applications. In such systems, users send queries to the server and specify the desired performance metrics (e.g., desired accuracy, latency). The server maintains a set of models (a model zoo) in the back-end and serves the queries based on the specified metrics. This paper examines the security of such systems, specifically their robustness against model extraction attacks. Existing black-box attacks assume that a single model can be repeatedly selected to serve inference requests; modern inference serving systems break this assumption. Thus, existing attacks cannot be directly applied to extract a victim model, because the models are hidden behind the layer of abstraction exposed by the serving system: an attacker can no longer identify which model she is interacting with. To this end, we first propose a query-efficient fingerprinting algorithm that enables the attacker to consistently trigger any desired model. We show that, using our fingerprinting algorithm, model extraction achieves fidelity and accuracy scores within $1\%$ of the scores obtained when attacking a single, explicitly specified model, as well as up to $14.6\%$ gain in accuracy and up to $7.7\%$ gain in fidelity compared to the naive attack. Second, we counter the proposed attack with a noise-based defense mechanism that thwarts fingerprinting by adding noise to the specified performance metrics. The proposed defense strategy reduces the attack's accuracy and fidelity by up to $9.8\%$ and $4.8\%$, respectively (on medium-sized model extraction). Third, we show that the proposed defense induces a fundamental trade-off between the level of protection and system goodput, achieving configurable and significant protection of the victim model against extraction while maintaining acceptable goodput ($>80\%$). We implement the proposed defense in a real system and plan to open-source it.
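The abstract describes the serving-side mechanism only at a high level: a router maps a client's requested (accuracy, latency) to one model in the zoo, and the defense perturbs those requested metrics before routing so that the mapping is no longer deterministic, at the cost of some responses missing the client's original requirement. The simulation below is an added example written for this page, not code from the paper or its authors. Everything in it is an assumption: the four-model zoo and its accuracy/latency figures are constructed, the defense is modelled as Gaussian noise on the requested thresholds (the paper does not specify the noise distribution), and `consistency` is a defender-side proxy (how often an identical request lands on the same model) rather than the paper's fingerprinting algorithm. It shows the protection/goodput trade-off the abstract refers to by sweeping the noise level.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Model:
    name: str
    accuracy: float    # top-1 accuracy on the task, in [0, 1]
    latency_ms: float  # tail latency of one inference


# Constructed model zoo (hypothetical numbers, not from the paper).
ZOO = [
    Model("small", 0.70, 5.0),
    Model("medium", 0.80, 12.0),
    Model("large", 0.88, 30.0),
    Model("xlarge", 0.92, 70.0),
]

# Constructed client requests: (minimum accuracy, maximum latency in ms).
REQUESTS = [(0.75, 20.0), (0.85, 50.0), (0.65, 100.0)]


def select_model(zoo, min_accuracy, max_latency_ms):
    """Baseline routing policy: the lowest-latency model that satisfies both
    requested metrics, or None when nothing in the zoo qualifies."""
    candidates = [m for m in zoo
                  if m.accuracy >= min_accuracy and m.latency_ms <= max_latency_ms]
    if not candidates:
        return None
    return min(candidates, key=lambda m: m.latency_ms)


def select_model_noisy(zoo, min_accuracy, max_latency_ms, sigma_acc, sigma_lat, rng):
    """Noise-based defense (assumed shape): perturb the requested thresholds with
    Gaussian noise before routing. With sigma_acc == sigma_lat == 0 this is
    exactly the baseline policy. A request that no model satisfies after
    perturbation is dropped (returns None) and counts against goodput."""
    noisy_acc = min_accuracy + rng.gauss(0.0, sigma_acc)           # absolute noise
    noisy_lat = max_latency_ms * (1.0 + rng.gauss(0.0, sigma_lat))  # relative noise
    return select_model(zoo, noisy_acc, noisy_lat)


def evaluate(zoo, requests, sigma_acc, sigma_lat, trials=200, seed=0):
    """Return (consistency, goodput) for one noise setting.

    consistency: averaged over requests, the fraction of repeated identical
      requests that were routed to the most common model. 1.0 means the
      request-to-model mapping is fully predictable to the client; lower
      values mean the defense is hiding which model answers.
    goodput: fraction of responses that still meet the client's ORIGINAL
      (un-noised) accuracy and latency requirement.
    """
    rng = random.Random(seed)
    consistency_sum = 0.0
    good = 0
    total = 0
    for min_acc, max_lat in requests:
        counts = {}
        for _ in range(trials):
            m = select_model_noisy(zoo, min_acc, max_lat, sigma_acc, sigma_lat, rng)
            counts[m] = counts.get(m, 0) + 1
            total += 1
            if m is not None and m.accuracy >= min_acc and m.latency_ms <= max_lat:
                good += 1
        consistency_sum += max(counts.values()) / trials
    return consistency_sum / len(requests), good / total


def trade_off_curve(zoo, requests, sigmas):
    """Sweep noise levels; each entry is (sigma, consistency, goodput).
    The same sigma is used as absolute accuracy noise and as a relative
    latency noise multiplier, purely to keep the sweep one-dimensional."""
    return [(s,) + evaluate(zoo, requests, sigma_acc=s, sigma_lat=s) for s in sigmas]


if __name__ == "__main__":
    print(f"{'sigma':>6} {'consistency':>12} {'goodput':>8}")
    for sigma, consistency, goodput in trade_off_curve(ZOO, REQUESTS, [0.0, 0.02, 0.05, 0.1]):
        print(f"{sigma:6.2f} {consistency:12.3f} {goodput:8.3f}")
```

Reading the table: at zero noise every request is routed to the same model every time (consistency 1.0) and every response meets its requirement (goodput 1.0); as the noise grows, consistency drops, which is the protective effect, while goodput falls because some perturbed requests are routed to a weaker model or to no model at all. An operator would pick the largest noise level whose goodput stays above the service target, which is the configurable trade-off the abstract describes.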