Building advanced machine learning (ML) models requires expert knowledge and many trials to discover the best architecture and hyperparameter settings. Previous work demonstrates that model information can be leveraged to assist other attacks, such as membership inference, generating adversarial examples. Therefore, such information, e.g., hyperparameters, should be kept confidential. It is well known that an adversary can leverage a target ML model's output to steal the model's information. In this paper, we discover a new side channel for model information stealing attacks, i.e., models' scientific plots which are extensively used to demonstrate model performance and are easily accessible. Our attack is simple and straightforward. We leverage the shadow model training techniques to generate training data for the attack model which is essentially an image classifier. Extensive evaluation on three benchmark datasets shows that our proposed attack can effectively infer the architecture/hyperparameters of image classifiers based on convolutional neural network (CNN) given the scientific plot generated from it. We also reveal that the attack's success is mainly caused by the shape of the scientific plots, and further demonstrate that the attacks are robust in various scenarios. Given the simplicity and effectiveness of the attack method, our study indicates scientific plots indeed constitute a valid side channel for model information stealing attacks. To mitigate the attacks, we propose several defense mechanisms that can reduce the original attacks' accuracy while maintaining the plot utility. However, such defenses can still be bypassed by adaptive attacks.

翻译：构建先进的机器学习模型需要专业知识，并通过大量试验才能发现最优架构和超参数设置。先前研究表明，模型信息可被用于辅助其他攻击（如成员推理、生成对抗样本）。因此，此类信息（如超参数）应予以保密。众所周知，攻击者可利用目标机器学习模型的输出来窃取模型信息。本文发现了一种针对模型信息窃取攻击的新侧信道——模型的科学图表（这些图表广泛用于展示模型性能且易于获取）。我们的攻击方法简单直接，通过利用影子模型训练技术为攻击模型（本质上是图像分类器）生成训练数据。在三个基准数据集上的大量评估表明，给定卷积神经网络（CNN）生成的科学图表后，我们提出的攻击能够有效推断图像分类器的架构/超参数。进一步研究发现，攻击成功主要源于科学图表的形状特征，且该攻击在多种场景下具有鲁棒性。鉴于攻击方法的简单性与有效性，本研究证实科学图表确实构成了模型信息窃取攻击的有效侧信道。为缓解此类攻击，我们提出了多种防御机制，这些机制能在保持图表可用性的同时降低原始攻击准确率，但自适应攻击仍可绕过此类防御。