Machine learning (ML) models are overparameterized to support generality and avoid overfitting. Prior works have shown that these additional parameters can be used for both malicious (e.g., hiding a model covertly within a trained model) and beneficial purposes (e.g., watermarking a model). In this paper, we propose a novel information theoretic perspective of the problem; we consider the ML model as a storage channel with a capacity that increases with overparameterization. Specifically, we consider a sender that embeds arbitrary information in the model at training time, which can be extracted by a receiver with a black-box access to the deployed model. We derive an upper bound on the capacity of the channel based on the number of available parameters. We then explore black-box write and read primitives that allow the attacker to: (i) store data in an optimized way within the model by augmenting the training data at the transmitter side, and (ii) to read it by querying the model after it is deployed. We also analyze the detectability of the writing primitive and consider a new version of the problem which takes information storage covertness into account. Specifically, to obtain storage covertness, we introduce a new constraint such that the data augmentation used for the write primitives minimizes the distribution shift with the initial (baseline task) distribution. This constraint introduces a level of "interference" with the initial task, thereby limiting the channel's effective capacity. Therefore, we develop optimizations to improve the capacity in this case, including a novel ML-specific substitution based error correction protocol. We believe that the proposed modeling of the problem offers new tools to better understand and mitigate potential vulnerabilities of ML, especially in the context of increasingly large models.

翻译：机器学习（ML）模型为支持通用性和避免过拟合而采用过度参数化。已有研究表明，这些额外参数既可被用于恶意目的（例如将模型秘密隐藏于已训练模型之中），也可用于有益目的（如为模型添加水印）。在本文中，我们提出了一种基于信息论的新视角：将ML模型视为存储信道，其容量随过度参数化程度而增加。具体而言，我们考虑发送方在训练时向模型中嵌入任意信息，接收方可通过黑盒访问已部署模型来提取该信息。基于可用参数数量，我们推导了该信道容量的上界。进一步，我们探索了黑盒写入与读取原语，使攻击者能够：（i）在发送端通过增扩训练数据，以优化方式将数据存储于模型中；（ii）在模型部署后通过查询来读取数据。同时，我们分析了写入原语的可检测性，并考虑了一种新增信息存储隐秘性的问题版本。具体而言，为达成存储隐秘性，我们引入新约束：用于写入原语的数据增扩应最小化其与初始（基准任务）分布的偏移。该约束引入了对初始任务的"干扰"程度，从而限制了信道的有效容量。为此，我们开发了优化方法以提升此情形下的信道容量，包括一种新颖的、基于ML特定替代的纠错协议。我们认为，所提出的问题建模为理解与缓解ML潜在漏洞提供了新工具，尤其在模型规模持续增长的背景下。