Machine learning (ML) models are overparameterized to support generality and avoid overfitting. Prior work has shown that these additional parameters can be used for both malicious purposes (e.g., covertly hiding a second model inside a trained model) and beneficial ones (e.g., watermarking a model). In this paper, we propose a novel information-theoretic perspective on the problem: we treat the ML model as a storage channel whose capacity increases with overparameterization. Specifically, we consider a sender that embeds arbitrary information in the model at training time, which a receiver with black-box access to the deployed model can then extract. We derive an upper bound on the capacity of the channel based on the number of available parameters. We then explore black-box write and read primitives that allow the attacker to (i) store data in an optimized way within the model by augmenting the training data at the transmitter side, and (ii) read it back by querying the model after it is deployed. We also analyze the detectability of the write primitive and consider a new version of the problem that takes the covertness of the stored information into account. Specifically, to obtain storage covertness, we introduce a new constraint requiring the data augmentation used by the write primitive to minimize the distribution shift from the initial (baseline task) distribution. This constraint introduces a level of "interference" with the initial task, thereby limiting the channel's effective capacity. We therefore develop optimizations that improve the capacity in this setting, including a novel ML-specific substitution-based error-correction protocol. We believe the proposed modeling of the problem offers new tools to better understand and mitigate potential vulnerabilities of ML, especially in the context of increasingly large models.
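The following is an added illustration, not code from the paper: a minimal storage channel built from an overparameterized linear classifier. The write primitive augments a constructed base task (Gaussian inputs labelled by the sign of the first feature) with "carrier" inputs derived from a secret shared by sender and receiver, each carrier labelled with one message bit; training is stood in for by minimum-norm least squares, which interpolates every training label as long as the parameter count d exceeds the number of training samples. The read primitive regenerates the carriers from the secret and recovers the bits with black-box label queries. The channel_trial helper, the secret string, the ridge constant and the base task are all assumptions of this example; the paper's covertness constraint and its substitution-based error-correction protocol are not implemented here.

```python
"""Added example (not the paper's code): an overparameterized linear model
as a storage channel with black-box write/read primitives."""
import random


def dot(u, v):
    return sum(a * b for a, b in zip(u, v))


def solve(A, b):
    """Solve A x = b by Gaussian elimination with partial pivoting (A is n x n)."""
    n = len(A)
    M = [row[:] + [b[i]] for i, row in enumerate(A)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(M[r][col]))
        M[col], M[piv] = M[piv], M[col]
        p = M[col][col]
        for r in range(col + 1, n):
            f = M[r][col] / p
            if f:
                for c in range(col, n + 1):
                    M[r][c] -= f * M[col][c]
    x = [0.0] * n
    for r in range(n - 1, -1, -1):
        x[r] = (M[r][n] - sum(M[r][c] * x[c] for c in range(r + 1, n))) / M[r][r]
    return x


def fit(X, y, ridge=1e-6):
    """Minimum-norm least-squares weights w = X^T (X X^T + ridge*I)^{-1} y.
    With d parameters and n <= d samples this interpolates every label, which is
    what lets the model 'store' arbitrary carrier labels (stand-in for training)."""
    n = len(X)
    G = [[dot(X[i], X[j]) + (ridge if i == j else 0.0) for j in range(n)] for i in range(n)]
    alpha = solve(G, y)
    return [sum(alpha[i] * X[i][k] for i in range(n)) for k in range(len(X[0]))]


def predict(w, x):
    """Black-box interface of the deployed model: a label, nothing else."""
    return 1 if dot(w, x) >= 0 else -1


def base_example(rng, d):
    """Constructed base task: Gaussian inputs, label = sign of the first feature."""
    x = [rng.gauss(0, 1) for _ in range(d)]
    return x, (1 if x[0] >= 0 else -1)


def carriers(secret, d, n_bits):
    """Carrier inputs derived from a shared secret (assumed), so the receiver can
    regenerate the query points without ever seeing the training set."""
    rng = random.Random(secret)
    return [[rng.gauss(0, 1) for _ in range(d)] for _ in range(n_bits)]


def write_primitive(bits, secret, d, n_base, seed=0):
    """Sender: augment the base training set with carriers labelled by the bits, then fit."""
    rng = random.Random(seed)
    X, y = [], []
    for _ in range(n_base):
        x, lab = base_example(rng, d)
        X.append(x)
        y.append(lab)
    for x, bit in zip(carriers(secret, d, len(bits)), bits):
        X.append(x)
        y.append(1 if bit else -1)
    return fit(X, y)


def read_primitive(model, secret, d, n_bits):
    """Receiver: one label query per carrier gives back the message bits."""
    return [1 if predict(model, x) == 1 else 0 for x in carriers(secret, d, n_bits)]


def channel_trial(d, n_base, n_bits, secret="shared-secret", seed=0):
    """Return (bit error rate, held-out base-task accuracy) for one write/read round.
    BER is 0 while n_base + n_bits <= d and rises once the message exceeds what
    the parameters can hold; the accuracy shows the interference with the base task."""
    rng = random.Random(seed + 1)
    bits = [rng.randrange(2) for _ in range(n_bits)]
    model = write_primitive(bits, secret, d, n_base, seed)
    got = read_primitive(model, secret, d, n_bits)
    ber = sum(a != b for a, b in zip(bits, got)) / n_bits
    held_out = [base_example(rng, d) for _ in range(500)]
    acc = sum(predict(model, x) == lab for x, lab in held_out) / len(held_out)
    return ber, acc


if __name__ == "__main__":
    for n_bits in (32, 200):
        ber, acc = channel_trial(d=64, n_base=24, n_bits=n_bits)
        print(f"d=64 n_base=24 n_bits={n_bits}: BER={ber:.2f} base accuracy={acc:.2f}")
```

With 64 parameters, 24 base samples and a 32-bit message the receiver reads the message back error-free; pushing 200 bits through the same model leaves it unable to fit the carrier labels and the bit error rate jumps, which is the capacity bound of the abstract in miniature. The carriers here are drawn from the same Gaussian distribution as the base inputs but carry labels unrelated to the base rule, so a defender who inspects the augmented training set (rather than only the deployed model) can flag them by their label inconsistency; the covert variant described in the abstract is precisely about shrinking that distribution shift, at the cost of capacity.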