Model Stealing Defenses with Gradient Redirection

This is the official repository for "How to Steer Your Adversary: Targeted and Efficient Model Stealing Defenses with Gradient Redirection" (ICML 2022)

How To Use

First, clone the repository, then clone the Outlier Exposure repository into the model-stealing-defenses folder. This is used to provide a strong anomaly detector for the Adaptive Misinformation baseline on CIFAR experiments. Next, follow the instructions in batch_training/condor_scripts/data/README.md to setup the distribution-aware datasets. Optionally download and untar the outputs and condor_outputs folders from here, replacing the empty folders by the same name with the respective untarred folders. These contain perturbed posteriors and trained models, which can be used to replicate results from the paper, but this requires around 60GB of space.

The GRAD² method from the paper can be run using the models currently in the outputs folder. The functions for running GRAD² are in defenses.py, and example usage from the experiments in the paper is in get_queries.py and makebatches.sh.

To regenerate results from the paper, rerun the experiments in makebatches.sh in the specified order. The experiments were run on an HTCondor system, so the script would need to be adjusted for slurm. Results and figures can be generated in batch_training/condor_scripts/parse_results.ipynb using either the regenerated results or the results in outputs.tar (see download link above).

Citation

If you find this useful in your research, please consider citing:

@article{mazeika2022defense,
  title={How to Steer Your Adversary: Targeted and Efficient Model Stealing Defenses with Gradient Redirection},
  author={Mazeika, Mantas and Li, Bo and Forsyth, David},
  journal={Proceedings of the International Conference on Machine Learning},
  year={2022}
}