
Intrusion-Resilient Classifier Approximation: From Wildcard Matching to Range Membership

Abstract

We study the problem of securing machine learning classifiers against intrusion attacks (i.e., attacks that somehow retrieve the classifier model parameters). We show that efficient cryptographic program obfuscation techniques turn out to be a very useful tool to transform a (matching-type) classifier into one that is intrusion-resilient. Since not many efficient cryptographic program obfuscators exist in the literature, we investigate the task of classifier approximation. By proposing classifier approximations of conjunctions of range membership classifiers based on wildcard matching, we construct non-trivial classifiers for image recognition tasks. The resulting classifiers, although limited in that they have to be selected within the small class of functions that have an efficient cryptographic obfuscator in the literature, can be used to achieve more than 90% quality of approximation (i.e., the ratio of the machine learning metric for the approximating classifier to the same metric for the original classifier), and keep their parameters obfuscated against an intruder when combined with known cryptographic program obfuscators.
