[AIP Seminar] Talk by Prof. Adi Shamir (Weizmann Institute of Science) on "Can You Recover a Deep Neural Network From Its Answers?"
This lecture will be held both in person at AIP open space and online by Zoom.
Title: Can You Recover a Deep Neural Network From Its Answers?
Speaker: Prof. Adi Shamir
Abstract. Billions of dollars and countless GPU hours are currently spent on training Deep Neural Networks (DNNs) for a variety of tasks. Such networks are typically made available as "black boxes" with which the public can interact. Thus, it is essential to determine the difficulty of extracting all the parameters of such neural networks when given access only to their inputs and outputs. In this talk I will use cryptographic ideas and techniques to show that for ReLU-based DNNs, this can be done in polynomial time (as a function of the number of neurons). This attack was practically demonstrated by applying it successfully to extract all the 1.2 million parameters of an 8-layer network for classifying CIFAR10 images. In the last part of the talk I will show that it is possible to extract all the weights in polynomial time even in the hard-label scenario, where instead of getting the probabilities produced by the classifier, the attacker gets only the label of the most likely class.