Machine Learning as a Service (MLaaS) APIs provide ready-to-use and high-utility encoders that generate vector representations for given inputs. Since these encoders are very costly to train, they become lucrative targets for model stealing attacks, during which an adversary leverages query access to the API to replicate the encoder locally at a fraction of the original training cost. We propose Bucks for Buckets (B4B), the first active defense that prevents stealing while the attack is happening, without degrading representation quality for legitimate API users. Our defense relies on the observation that the representations returned to adversaries who try to steal the encoder's functionality cover a significantly larger fraction of the embedding space than the representations of legitimate users who utilize the encoder to solve a particular downstream task. B4B leverages this to adaptively adjust the utility of the returned representations according to a user's coverage of the embedding space. To prevent adaptive adversaries from eluding our defense by simply creating multiple user accounts (sybils), B4B also individually transforms each user's representations. This prevents the adversary from directly aggregating representations over multiple accounts to create their stolen encoder copy. Our active defense opens a new path towards securely sharing and democratizing encoders over public APIs.
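As an added illustration (not the paper's own code or algorithm), the following Python sketch simulates the mechanism the abstract describes: the embedding space is split into buckets, each account's utility is degraded in proportion to how many buckets it has touched, and each account receives its own fixed orthogonal transform so that sybil accounts cannot pool their representations. The random-hyperplane bucketing, the free-coverage threshold, the noise schedule and the permute-and-flip transform are assumptions for this sketch, not the paper's values.

```python
import random

DIM = 8               # toy embedding dimension (constructed)
NUM_PLANES = 6        # random hyperplanes; each sign pattern is one of 2**6 buckets (assumed scheme)
FREE_COVERAGE = 0.25  # coverage below which representations are returned intact (assumed threshold)
MAX_NOISE = 2.0       # noise std once an account has covered the whole space (assumed schedule)

def noise_scale(coverage):
    """Utility penalty grows linearly once coverage exceeds the free budget."""
    return MAX_NOISE * max(0.0, coverage - FREE_COVERAGE) / (1.0 - FREE_COVERAGE)

class B4BDefense:
    def __init__(self, seed=0):
        self.rng = random.Random(seed)
        self.planes = [[self.rng.gauss(0, 1) for _ in range(DIM)] for _ in range(NUM_PLANES)]
        self.seen = {}        # account -> set of bucket ids queried so far
        self.transforms = {}  # account -> (permutation, sign flips), fixed per account

    def bucket(self, rep):
        """LSH bucket: bit i records which side of hyperplane i the representation lies on."""
        bits = 0
        for plane in self.planes:
            bits = (bits << 1) | int(sum(p * r for p, r in zip(plane, rep)) >= 0)
        return bits

    def coverage(self, account):
        return len(self.seen.get(account, set())) / (1 << NUM_PLANES)

    def _transform(self, account):
        if account not in self.transforms:  # per-account orthogonal map: permute + flip signs
            perm = list(range(DIM))
            self.rng.shuffle(perm)
            self.transforms[account] = (perm, [self.rng.choice((-1.0, 1.0)) for _ in range(DIM)])
        return self.transforms[account]

    def serve(self, account, rep):
        """Record the bucket, degrade utility by coverage, then apply the account's transform."""
        self.seen.setdefault(account, set()).add(self.bucket(rep))
        sigma = noise_scale(self.coverage(account))
        noisy = [r + self.rng.gauss(0, sigma) for r in rep]
        perm, signs = self._transform(account)
        return [signs[i] * noisy[perm[i]] for i in range(DIM)]

def simulate(n_queries=200, seed=1):
    rng = random.Random(seed)
    defense = B4BDefense(seed=seed)
    task_centre = [5.0] + [0.0] * (DIM - 1)  # constructed single downstream-task cluster
    for _ in range(n_queries):
        defense.serve("legit", [c + rng.gauss(0, 0.05) for c in task_centre])   # one task
        defense.serve("attacker", [rng.gauss(0, 1) for _ in range(DIM)])        # sweeps the space
    return defense.coverage("legit"), defense.coverage("attacker")
```

Running `simulate()` shows the legitimate account staying within the free coverage budget (so its representations are returned unchanged) while the space-sweeping account quickly exceeds it and receives increasingly noisy outputs.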