Can You Reverse Engineer Our Neural Networks?
Mewayz Team
Editorial Team
The Rising Threat of Neural Network Reverse Engineering, and What It Means for Your Business
In 2024, researchers at a major university showed that they could reconstruct the internal architecture of a proprietary large language model using nothing but API responses and a computer costing about $2,000. The experiment caused a stir in the AI industry, but its implications reach far beyond Silicon Valley. Every business that uses machine learning models, from fraud detection systems to customer recommendation engines, now faces an uncomfortable question: can someone steal the intelligence you spent months building? Neural network reverse engineering is no longer a theoretical risk. It is a practical attack vector, growing in sophistication, that every organization relying on machine learning needs to understand.
What Neural Network Reverse Engineering Actually Is
Reverse engineering a neural network does not require physical access to the server it runs on. Most often, attackers use a technique called model extraction: they systematically query a model's API with carefully crafted inputs and then use the outputs to train a near-identical copy. A 2023 study published at USENIX Security showed that attackers could replicate the decision boundaries of commercial image classifiers with over 95% accuracy using fewer than 100,000 queries, an operation costing only a few hundred dollars in API fees.
Beyond extraction there are model inversion attacks, which work in the opposite direction. Instead of copying the model, they reconstruct the training data itself. If your neural network was trained on customer records, proprietary pricing strategies or internal performance metrics, a successful inversion attack does not just steal your model; it exposes the sensitive data baked into its weights. A third category, membership inference attacks, lets adversaries determine whether a specific data record was part of the training set, raising serious privacy concerns under regulations such as GDPR and CCPA.
The commonly held "black box" assumption, the idea that deploying a model behind an API makes it safe, has been thoroughly broken. Every prediction your model returns is a data point an attacker can use against you.
Why Businesses Should Worry More Than They Currently Do
Most organizations build their cybersecurity budgets around network perimeters, endpoint protection and data encryption. But the intellectual property embedded in a trained network can represent months of research and development and millions in development spend. If a competitor or malicious actor extracts your model, they gain the full value of your research at none of the cost. According to IBM's 2024 Cost of a Data Breach report, breaches involving AI systems cost organizations an average of $5.2 million, more than 13% higher than breaches of non-AI assets.
The risk is particularly acute for small and medium-sized businesses. Enterprises can afford dedicated ML security teams and custom architectures. But the growing number of SMBs adding machine learning to their operations, whether for lead scoring, demand forecasting or automated customer support, often run models with minimal protection. They rely on third-party platforms that may or may not implement adequate safeguards.
The most dangerous idea in AI security is that complexity equals protection. A neural network with 100 million parameters is not inherently more secure than one with 1 million; what matters is how access to its inputs and outputs is controlled.
Five Practical Defenses Against Model Theft
Protecting your neural networks does not require a PhD in adversarial machine learning, but it does require deliberate, evidence-based decisions. The following approaches reflect current best practice recommended by organizations such as NIST and OWASP for securing deployed ML models.
- Rate limiting and query budgeting: Cap the number of API calls any single user or key can make within a time window. Model extraction attacks require tens of thousands of queries; aggressive rate limiting makes large-scale extraction impractical without raising alarms.
- Output perturbation: Add controlled noise to model predictions. Instead of returning exact confidence scores (e.g., 0.9237), round to coarser intervals (e.g., 0.92). This preserves utility while greatly increasing the number of queries an attacker needs to reconstruct your model.
- Watermarking: Embed invisible signatures in your model's behaviour, specific input-output pairs that act as fingerprints. If a stolen copy of your model surfaces, the watermark provides forensic evidence of theft.
- Differential privacy in training: Inject mathematical noise into the training process itself. This provably bounds how much information about any individual training example leaks through the model's predictions, protecting against both inversion and membership inference attacks.
- Monitoring and anomaly detection: Track API usage patterns for signs of systematic probing. Extraction attacks produce distinctive query distributions that do not resemble legitimate customer traffic; automated alerting can flag suspicious behaviour before an attack succeeds.
Implementing even two or three of these measures raises the cost and difficulty of an attack many times over. The goal is not perfect security; it is to make extraction economically irrational compared with building a model from scratch.
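The first three defenses above, as an added example written for this article (it is illustrative code, not Mewayz's or any vendor's implementation): a sliding-window query budget per API key, rounding of the returned confidence, and a trigger-set watermark check. The logistic scorer, the budget of three calls per 60 seconds, the key names and the four trigger inputs are all constructed for the example. A production watermark is trained into the weights; here the owner's model simply overrides its output on the trigger inputs to stand in for that behaviour.

```python
"""Serving-side defenses against model extraction: query budget, output rounding
and a trigger-set watermark check.  Example code, not the platform's own."""
import math
import random
from collections import defaultdict, deque


def base_model(x):
    """Constructed stand-in for a deployed binary classifier: logistic score in (0, 1).
    Inputs are tuples of two floats."""
    z = 1.5 * x[0] - 0.8 * x[1] + 0.2
    return 1.0 / (1.0 + math.exp(-z))


# Assumed watermark trigger set: unusual inputs with deliberately planted labels that
# run *against* what the base model would naturally predict, so only a model that
# copied the owner's behaviour reproduces them.
WATERMARK_TRIGGERS = {(9.0, -9.0): 0, (-9.0, 9.0): 1, (7.5, 7.5): 0, (-7.5, -7.5): 1}


def watermarked_model(x):
    """The owner's served model: base scorer plus the planted trigger behaviour."""
    if x in WATERMARK_TRIGGERS:
        return 0.99 if WATERMARK_TRIGGERS[x] == 1 else 0.01
    return base_model(x)


def watermark_match_rate(suspect, triggers=WATERMARK_TRIGGERS):
    """Fraction of trigger inputs on which a suspect model reproduces the planted label.
    Near 1.0 is forensic evidence the suspect was derived from the watermarked model."""
    hits = sum(1 for x, label in triggers.items() if (suspect(x) >= 0.5) == (label == 1))
    return hits / len(triggers)


class QueryBudget:
    """Sliding-window cap on calls per API key (limit and window are assumed values)."""

    def __init__(self, limit=100, window_s=60.0):
        self.limit, self.window_s = limit, window_s
        self._calls = defaultdict(deque)  # key -> timestamps of recent calls

    def allow(self, key, now):
        q = self._calls[key]
        while q and now - q[0] >= self.window_s:  # drop calls outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def perturb(score, decimals=2, noise_std=0.0, rng=None):
    """Round the confidence (0.9237 -> 0.92) and optionally add Gaussian noise, clipped to [0, 1]."""
    if noise_std > 0:
        score += (rng or random).gauss(0.0, noise_std)
    return round(min(max(score, 0.0), 1.0), decimals)


class GuardedEndpoint:
    """Wraps a model behind the budget and the output perturbation."""

    def __init__(self, model, budget, decimals=2, noise_std=0.0, seed=0):
        self.model, self.budget = model, budget
        self.decimals, self.noise_std = decimals, noise_std
        self.rng = random.Random(seed)

    def predict(self, api_key, x, now):
        """Return a rounded score, or None when the key's budget for the window is spent."""
        if not self.budget.allow(api_key, now):
            return None
        return perturb(self.model(x), self.decimals, self.noise_std, self.rng)


def demo():
    """Five calls from one key inside one window with a budget of three: 3 answers, 2 refusals."""
    ep = GuardedEndpoint(watermarked_model, QueryBudget(limit=3, window_s=60.0))
    return [ep.predict("key-A", (0.3, 1.2), now=float(t)) for t in range(5)]


if __name__ == "__main__":
    print("served:", demo())
    print("watermark match, owner's model:", watermark_match_rate(watermarked_model))
    print("watermark match, independent model:", watermark_match_rate(base_model))
```

The budget refuses the fourth and fifth calls inside the window and admits calls again once the window has rolled over; the watermark check returns 1.0 for the owner's model and 0.0 for an independently built model with the same architecture, which is the separation a forensic claim rests on.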
The Role of Operational Architecture in AI Security
One overlooked factor in the model security discussion is the broader operational context. A neural network does not exist in isolation; it interacts with databases, CRM systems, billing platforms, employee records and customer communication tools. An attacker who cannot tamper with your model directly may instead target the data pipelines feeding it, the APIs consuming its output, or the business systems storing its predictions.
This is where a unified operational approach becomes a genuine security advantage rather than merely a convenience. When a business runs dozens of disconnected SaaS tools, every integration point is a potential attack surface. Mewayz addresses this by combining 207 business modules, from CRM and invoicing to HR and analytics, into a single platform with centralized access controls and audit logging. Instead of securing fifteen different tools with fifteen different permission schemes, teams manage everything from one dashboard.
For AI-powered organizations, this consolidation means fewer data handoffs between systems, fewer API keys floating around in configuration files, and a single point of enforcement for access policies. When your customer data, operational metrics and business intelligence live in one governed environment, the attack surface for data exfiltration, the raw material of model inversion attacks, shrinks considerably.
Real-World Cases That Changed the Conversation
In 2022, a fintech startup discovered that a competitor had launched a nearly identical credit scoring product just eight months after the startup's own launch. The investigation revealed that the competitor had systematically queried the startup's scoring API for months, using the responses to train a replica model. The startup had no rate limiting, returned full probability distributions, and kept no query logs that could support legal action. The competitor faced no consequences.
More recently, in late 2024, security researchers published a technique called "side-channel model extraction" that used timing differences in API responses, how long the server took to answer different inputs, to infer the model's architecture without even examining the predictions themselves. The attack worked against models hosted on all three major cloud providers and required no special access beyond a standard API key.
These incidents underscore a critical point: the threat is evolving faster than most organizations' defenses. Techniques considered exotic research three years ago are now available as open-source tools on GitHub. Businesses treating model security as a future concern are already behind.
Building a Security-First AI Culture
Technology alone cannot solve this problem. Organizations need to build a culture that treats AI assets with the same seriousness as source code, trade secrets and customer databases. This starts with inventory: many companies do not even keep a complete list of the models they run, where they are hosted, and who has API access. You cannot protect what you do not know exists.
Cross-functional collaboration matters. Data scientists need to understand adversarial threats. Security teams need to understand how machine learning pipelines work. Product managers need to make informed decisions about what model APIs expose. Regular "red team" exercises, in which internal teams attempt to extract or invert your own models, reveal weaknesses before external attackers do. Companies like Google and Microsoft run such exercises quarterly; there is no reason smaller organizations cannot adopt simplified versions.
Platforms such as Mewayz that bring operational data under one roof also make it easier to enforce data governance policies that directly support AI security. When you can see which customer records were accessed, when analytics reports were generated, and how data flows between modules, you build the observability that makes both unauthorized data extraction and model theft far harder to carry out unnoticed.
What Comes Next: Regulation, Standards and Preparedness
The regulatory landscape is tightening. The EU AI Act, entering into force in phases from 2025, includes provisions on model transparency and security that will require organizations to demonstrate reasonable steps to protect AI systems from tampering and theft. In the United States, the NIST AI Risk Management Framework (AI RMF) now explicitly addresses model extraction as a threat category. Companies that adopt these frameworks proactively will find compliance easier, and will be better positioned to protect their AI investments.
The bottom line is straightforward: neural network reverse engineering is not a hypothetical threat reserved for nation-state actors. It is an accessible, well-documented technique that any motivated competitor or criminal can deploy against inadequately protected systems. The businesses that thrive in the AI era will not just be those that build the best models; they will be those that protect them. Start with access controls, output perturbation and usage monitoring. Build on a unified operational foundation that minimizes data sprawl. And treat your trained models as the valuable assets they are, because your competitors certainly will.
Frequently Asked Questions
What is neural network reverse engineering?
Neural network reverse engineering is the process of analyzing a machine learning model's outputs, API responses or behavioural patterns to reconstruct its internal architecture, weights or training data. Attackers may use techniques such as model extraction, membership inference and adversarial probing to steal proprietary algorithms. For businesses relying on AI-driven tools, this poses serious intellectual-property and competitive risks that call for proactive security planning.
How can businesses protect their AI models from being compromised?
Key defenses include rate-limiting API queries, adding controlled noise to model outputs, monitoring for suspicious access patterns, and applying differential privacy during training. Platforms such as Mewayz, a 207-module business OS, help companies centralize operations and reduce exposure by keeping sensitive AI workflows in a secure, unified environment rather than spread across vulnerable third-party integrations.
Are small businesses at risk of AI model theft?
Absolutely. Researchers have demonstrated model extraction attacks costing as little as $2,000 in compute, making them accessible to almost anyone. Small businesses using machine learning for automated recommendations, pricing strategies or fraud detection are attractive targets precisely because they often lack enterprise-grade protections. Affordable platforms such as Mewayz, starting at $19/mo at app.mewayz.com, help smaller teams put robust operational security in place.
What should I do if I suspect my AI model has been compromised?
Begin by auditing API access logs for unusual query volumes or systematic patterns that suggest extraction attempts. Rotate API keys immediately and apply stricter rate limits. Check whether a derived model has appeared in competitor products. Consider watermarking future model versions to detect unauthorized use, and consult a cybersecurity professional to assess the full extent of the breach and strengthen your defenses.
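One way to carry out the log audit described in this answer, and the monitoring defense listed earlier in the article, as an added example rather than anything the page or Mewayz ships: it parses gateway access log lines, measures each API key's peak request count in any 60-second window, and checks whether a key's distinct inputs form an evenly spaced sweep of the input space, which organic customer traffic rarely does. The log format, the two keys, the request data and the thresholds are all constructed assumptions; the logic is what a practitioner would adapt to their own gateway's format.

```python
"""Audit model-API access logs for extraction signatures: request bursts and
grid-like input sweeps.  Example code with a constructed log, not the platform's own."""
import re
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

# Constructed gateway log: one organic integration and one key sweeping a 0.25 grid.
LOG = """\
2024-11-03T10:15:02Z key=svc-shop path=/v1/score input=[0.37,1.20] status=200
2024-11-03T10:16:41Z key=svc-shop path=/v1/score input=[2.10,0.05] status=200
2024-11-03T10:19:07Z key=svc-shop path=/v1/score input=[0.88,0.93] status=200
2024-11-03T10:21:55Z key=svc-shop path=/v1/score input=[1.42,0.31] status=200
2024-11-03T10:24:18Z key=svc-shop path=/v1/score input=[0.12,2.77] status=200
2024-11-03T10:30:03Z key=trial-9f3 path=/v1/score input=[0.00,0.00] status=200
2024-11-03T10:30:05Z key=trial-9f3 path=/v1/score input=[0.25,0.00] status=200
2024-11-03T10:30:07Z key=trial-9f3 path=/v1/score input=[0.50,0.00] status=200
2024-11-03T10:30:09Z key=trial-9f3 path=/v1/score input=[0.75,0.00] status=200
2024-11-03T10:30:11Z key=trial-9f3 path=/v1/score input=[0.00,0.25] status=200
2024-11-03T10:30:13Z key=trial-9f3 path=/v1/score input=[0.25,0.25] status=200
2024-11-03T10:30:15Z key=trial-9f3 path=/v1/score input=[0.50,0.25] status=200
2024-11-03T10:30:17Z key=trial-9f3 path=/v1/score input=[0.75,0.25] status=200
2024-11-03T10:30:19Z key=trial-9f3 path=/v1/score input=[0.00,0.50] status=200
2024-11-03T10:30:21Z key=trial-9f3 path=/v1/score input=[0.25,0.50] status=200
2024-11-03T10:30:23Z key=trial-9f3 path=/v1/score input=[0.50,0.50] status=200
2024-11-03T10:30:25Z key=trial-9f3 path=/v1/score input=[0.75,0.50] status=200
"""

LINE_RE = re.compile(r"^(\S+) key=(\S+) path=\S+ input=\[([^\]]*)\] status=\d+$")


def parse_log(text):
    """Return {api_key: [(epoch_seconds, input_tuple), ...]}; malformed lines are skipped."""
    by_key = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, key, raw = m.groups()
        epoch = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()
        by_key[key].append((epoch, tuple(float(v) for v in raw.split(","))))
    return by_key


def peak_rate(times, window_s=60.0):
    """Largest number of requests falling inside any window_s-second window."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] >= window_s:
            start += 1
        best = max(best, end - start + 1)
    return best


def spacing_regularity(points):
    """Mean coefficient of variation of the gaps between distinct values, per dimension.
    A sweep over an evenly spaced grid scores ~0; organic traffic scores much higher.
    Returns None when no dimension has enough distinct values to judge."""
    cvs = []
    for dim in range(len(points[0])):
        vals = sorted({p[dim] for p in points})
        if len(vals) < 3:
            continue
        gaps = [b - a for a, b in zip(vals, vals[1:])]
        cvs.append(pstdev(gaps) / mean(gaps))
    return mean(cvs) if cvs else None


def flag_extraction(by_key, rate_threshold=10, min_points=8, regularity_threshold=0.05):
    """Per key: peak rate, regularity score and the reasons (if any) it deserves review.
    Thresholds are assumed; tune them against your own baseline traffic."""
    report = {}
    for key, events in by_key.items():
        times = [t for t, _ in events]
        points = list({x for _, x in events})
        reasons = []
        rate = peak_rate(times)
        if rate >= rate_threshold:
            reasons.append("burst")
        reg = spacing_regularity(points) if len(points) >= min_points else None
        if reg is not None and reg < regularity_threshold:
            reasons.append("grid-sweep")
        report[key] = {"peak_rate": rate, "regularity": reg, "reasons": reasons}
    return report


if __name__ == "__main__":
    for key, info in flag_extraction(parse_log(LOG)).items():
        print(key, info)
```

On the constructed log the trial key is flagged for both a burst (12 requests in 22 seconds) and a grid sweep (regularity 0.0), while the shop integration, with a handful of irregularly spaced requests, is not. Either signal alone is worth a review; both together match the query distribution the article describes for extraction attempts, and the per-key report is what you would hand to whoever rotates the key and tightens its limit.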