Machine Learning as a Service (MLaaS) has gained important attraction as a means for deploying powerful predictive models, ofering ease of use that enables organizations to leverage advanced analytics without substantial investments in specialized infrastructure or expertise. However, MLaaS platforms must be safeguarded against security and privacy attacks, such as model extraction (MEA) attacks. The increasing integration of explainable AI (XAI) within MLaaS has introduced an additional privacy challenge, as attackers can exploit model explanations-particularly counterfactual explanations (CFs) to facilitate MEA. In this paper, we investigate the trade-ofs among model performance, privacy, and explainability when employing Diferential Privacy (DP), a promising technique for mitigating CF-facilitated MEA. We evaluate two distinct DP strategies: implemented during the classification model training and at the explainer during CF generation.
Machine Learning (ML) as a Service (MLaaS) is becoming increasingly popular for deploying powerful
predictive models as it facilitates access to ML training and deployment tools, while eliminating the
need for extensive computational resources [
Recently, with the increasing demand for transparency in automated decision-making, MLaaS
platforms are starting to incorporate Explainable Artificial Intelligence (XAI) [
To perform the attack, we employ a recently proposed MEA technique based on Knowledge Distillation
(KD) due to its proven performance and practicality [
MEA facilitated by CFs? • RQ2: How does noise level in DP influence the efectiveness of MEAs that leverage CFs? • RQ3: In what ways does the quality of CF explanations difer when DP is applied at the model compared to the explainer?
Several studies have explores leveraging XAI techniques and exploiting model explanations to perform
privacy attacks. In [
Several approaches have been proposed to prevent adversaries from exploiting model explanations
for privacy attacks. In [
Similar to these works, we focus on identifying a mitigation strategy against attacks that exploit the model’s explanations. Specifically, we explore the application of DP to the ML model, the explainer, and both simultaneously. Despite the numerous studies utilizing DP for mitigation strategies, our work is, to the best of our knowledge, the first to explore the application of DP in both the ML model and the explainer and to investigate their efectiveness in countering MEA and examine their influence on the quality of explanations. Additionally, our work explores the interplay between preserving model privacy and generating privacy-preserving CFs, as well as the implications for defending against MEA.
employed at the model or at the explainer to counter potential attacks.
Given a dataset = {(, )}=1, where are feature vectors and are corresponding labels. A
target model (; ) trained and optimized to achieve high performance on is deployed as MLaaS
and is queryable through an API (as shown in Fig. 1). An (adversary) attempts to extract an
approximation of (; ) using queries and the provided CFs. The attacker conducts MEA by exploiting
CFs and varying the number of queries. To perform our analysis, we proceed as follows:
• Step 1: Train target models as baseline models baseline(; base).
• Step 2: Generate CFs by training a CounterGAN to generate CFs ^ = (; ) for baseline.
• Step 3: Simulate MEA, where the adversary queries the models with random points and collects
pairs of predictions and CFs. The adversary trains an extracted model using the KD-based method
proposed in [
The efectiveness of the MEA is measured using similarity metrics such as agreement. In prac︁) ︁( tice, this agreement expectation is estimated empirically using a set of test inputs {1, 2, . . . , }. = 1 ∑︀ =1 () = ^ ^() . Where counts the number of times the extracted
model’s predictions match the target model’s predictions.
As a mitigation against MEA, we employ two strategies: 1) DP-Model with DP-SGD: where we apply
DP-SGD during model training on (; ). 2) DP-Explainer (DP in CounterGAN): We inject DP noise
at the generator (; ) that outputs private CFs ([
We perform an evaluation on 2 datasets: Housing [
The target model is a DNN with 16 hidden layers of 64, 32, 16, 32, 64, 128, 64, 32, 128, 64, 128, 64, 128, 64, 32, and 16 neurons per layer with a GELU activation function and a the softmax activation function in the output layer. We employ Adam optmizer for the cases where DP is not used and TensorFlow Privacy’s DPKerasAdamOptimizer for the cases where DP applied. The model is trained without DP and with noise levels of 0.1, 0.5 and 0.9 for DP cases and with varying learning rates (0.001, 0.002, and 0.01), and we vary the l2_norm_clip to between 1, and 1.5 (l2_norm_clip bounds the sensitivity of the gradients by limiting the influence of any single training example on the overall gradient update, which is a crucial step before adding noise). Note that the more noise, the higher the privacy. The target models are trained using 80% of the corresponding dataset, and the best-performing model in term of accuracy was chosen.
To simulate a realistic attack scenario, we assume that the attacker has no prior knowledge of the training data distribution and does not know the architecture of the target model, but can build a simple threat model ϒ. The ϒ consists of 5 layers, with 32, 64, 128, and 64 neurons with ReLU activation, followed by a softmax output layer. Attacker generate random diferent data points to query the model, within a range of -3 to 3 for each feature and extract CFs to feed as input to the KD-based MEA. Our evaluation involves performing MEA while varying the number of queries from 50 to 1000 and therefore the input to KD. For optimization, we utilize both Adam for the cases where DP is not used and TensorFlow Privacy’s DPKerasAdamOptimizer for the cases where DP is used to assess model performance under three diferent noise levels, 0.1, 0.5, and 0.9. We tune diferent KD-based approach hyperparameters, specifically, alpha within the range of 0.1 and 0.5, temperature within the range of 1 and 10. We compute the MEA agreement over the 20% test set and report average results of 5 runs.
The generator of CounterGAN takes an input feature vector and processes it through 4 layers with 64, 32, and 64 neurons, with ReLU as an activation function and a final layer with Tanh activation. The discriminator follows a simple feedforward design, consisting of 128, 128, 64 neurons with ReLU activation, and the final output layer with Sigmoid activation. In the No-DP scenario, we used the standard Adam optimizer. For the scenarios where DP is employed, we applied DP using noise levels of 0.1, 0.5, and 0.9, respectively on the generator, with TensorFlow Privacy’s DPKerasAdamOptimizer. We varied the learning rate where we used 0.05, 0.005, 0.01, and 0.001, and l2_norm_clip to between 1, 1.5, and 3. We report the results of the average of 5 runs. We consider the following metrics to assess the influence of employing privacy on the CFs.
• Prediction Gain: quantifies how the explainer modifies the input to influence the model’s decision
by measuring the change in the classifier’s confidence score for a specific target class when
replacing the original data point with its CFs: Δ = (, ) − (, ) Where: (, ) is
the probability score for the target class of the CF and (, ) is for initial point.
• Realism: quantifies how a data instance fits within a data distribution to evaluate how well CFs
and private CFs with diferent noise applied match the original training data distribution. It is
defined as: Realism = 1 ∑︀=1 ‖input − reconstruction‖2 Where: input represents the original
data point, reconstruction is the corresponding autoencoder reconstruction and is the total
number of instances ([
No DP
Fig 2 reports the predictive performance metrics of the models while varying the noise level across the two datasets used in our evaluations. As previously mentioned, we consider three noise levels when applying DP, 0.1, 0.5 and 0.9, and we refer to each case as DP-Model-noise level. As expected, the results across the two datasets indicate a decline in predictive performance metrics as the noise level increases. For instance, in the EEG dataset, accuracy, precision, recall, and F1-score are 0.94, 0.92, 0.9, and 0.91, respectively, when no DP is applied. However, at the highest noise level considered (0.9), these metrics drop to 0.85, 0.78, 0.66, and 0.72, respectively. Similar results are seen across the Housing dataset, where predictive performance metrics show a declining trend as the noise level applied increases.
We considering the 3 scenarios of application of DP, namely, DP-Model, DP-Explainer and DP-ModelExplainer, and the baseline No DP scenario. Additionally, when we incorporate DP at explainer, we refer to each case as DP-Explainer-noise level (i.e., DP-Explainer-0.1). This evaluation will allow us to address RQ1 and RQ2. Figures 3 show the agreement observed by MEA across the various combinations of applying DP for varying noise levels and number of queries across the Housing dataset. We start with No DP (Fig. 3(a)), which allows us to quantify solely the impact of employing diferent levels of noise at the explainer on the success of the MEA. Results show a general trend where the MEA is more successful as the number of queries used increases across all cases (i.e., independent of the noise level applied). Comparing the agreement when employing diferent noise levels, results show that employing more noise, as expected, provides more defense against MEA. Specifically, with a noise level of 0.9, agreement ranges between 50 and 72 when the number of queries increases up to 1000. In contrast, when employing noise levels of 0.5 and 0.1, agreement falls within the ranges of 62–75 and 60–78, respectively. In the absence of DP at the explainer, agreement starts at 70 with 50 queries and 50010 020 030 500 ,000
1 Queries Number (a) No DP 50010 020 030 500 ,000
1 Queries Number reaches 80 when 1000 queries are used. We now focus on the cases where DP is employed at the model level (Fig. 3(b), (c) and (d)). Generally, results show a similar trend across all cases, where agreement increases with the number of queries used to perform the MEA. Comparing the agreement achieved when employing diferent noise levels in each case, results show, as expected, that employing higher noise levels at the explainer implies better protection against MEA. For instance, when employing DP-Model with a noise level of 0.1 (Fig. 3(b)), the highest agreement observed is 70 when DP-Explainer is employed (which is a DP-Model-Explainer case), compared to 76 without DP-Explainer. Similarly, with a noise level of 0.5 at the model (Fig. 3(c)), the agreement consistently remains lower than in the No DP case, reaching a maximum of 70.63 versus 75 to when DP is only applied at the model. Similar trends were observed to DP-Model-0.9. Figure 4 show the agreement observed by MEA on the EEG dataset across the various cases. The results show similar trends to the one observed with the Housing Dataset. When no DP is applied to the model (Fig. 4(a)), the agreement improves with more queries ranging between 68% and 96%, with the highest agreement observed when DP is not applied at all.
Figure 5 shows the prediction gain achieved by explainer across the Housing and EEG datasets for varying noise level. In the Housing dataset, a clear trend emerges as the DP-Explainer noise increases the prediction gain decreases, which means that employing more noise decreases the CF probability toward the desired class. For example, for No DP, the prediction gain starts at 0.488. However, for DP-Explainer with noise level of 0.9 is applied, it drops dramatically to 0.055. This decline is observed consistently across all model noise levels. Moreover, for DP-Model noise levels (0.5 and 0.9) are introduced, the prediction gain prediction observed is less than that of no DP and DP-model 0.1, regardless of the DP-Explainer noise. Similarly, the EEG dataset follows a comparable pattern. In scenarios without DP applied to the model, the prediction gain is lower and ranges from 0.568 to 0.222 as the DP-Explainer n i aG0.4 n o i itc0.2 d e r
P a) Housing noise is higher. When the model is subjected to DP noise at levels of 0.1, 0.5, and 0.9, the prediction gains are consistently lower. We now focus on analyzing the impact of incorporating DP on realism. Across both datasets, increasing the DP-Explainer noise consistently results in higher realism scores, indicating less realistic CFs and degradation in CF quality. In the Housing dataset, even without any DP-model noise, the realism score ranges from 0.113 to 1.116 at a DP-explainer noise of 0.9. This degradation is further amplified when additional DP-Model noise is introduced, e.g. with a DP-Model noise of 0.1, the realism score ranges from 0.356 to 3.289 as DP-explainer noise is higher, and similar patterns are observed for DP-Model-0.5 and 0.9. The EEG dataset exhibits a comparable pattern, although the No DP realism scores are generally higher.
Discussion on Performance-Privacy-Explanations Interplay: Results indicate that introducing DP mechanisms afects model performance, although the extent of this impact varies according to the specific use case and dataset. Similarly, the quality of the generated CF explanations is influenced by the privacy parameters applied. Experiments reveal that even slight amounts of noise, whether introduced at DP-Model or within the DP-Explainer, can alter CF quality. In terms of the efectiveness of DP interventions in the context of MEA. Analysis shows that introducing minimal noise at the model level generally ofers resistance to MEA. In contrast, higher noise levels provide a more robust defense, albeit at the cost of reduced model performance. When examining the impact of noise on the CFs, we observe that small increments in noise can slightly reduce the success rate of MEA, but further increases yield a more pronounced protective efect. Notably, when both the model and the explainer are simultaneously subjected to DP, a synergistic improvement in resistance to MEA is observed.
In this work, we investigate the impact of diferential privacy (DP) in mitigating model extraction attacks (MEAs) that leverage counterfactual explanations (CFs) within Machine Learning as a Service (MLaaS) environments. We evaluate employing DP implemented at the ML model level via DP-Stochastic Gradient Descent and at the explanation level, and at both simultaneously, to investigate their respective impacts on MEA resilience. Our analysis, conducted across two datasets, demonstrates and quantifies a fundamental trade-of between privacy protection and utility. The introduction of DP noise presents a clear trade-of, as it efectively hinders an adversary’s ability to reconstruct the target model, yet it simultaneously compromises both model performance and the quality of generated CF. Further research will include testing other DP-based methods to generate CFs, MEA methods and more datasets.
The author has not employed any Generative AI tools.