2019 Volume 37 Issue 4 Pages 188-193
With the development of machine learning technologies and the spread of mobile terminals, cloud-based image recognition services have become popular in recent years. However, these services might suffer from a new type of attack called a retraining attack (RA), in which an attacker sends many images to a recognition server and uses the returned recognition results to train a recognizer that mimics the server's recognizer. We refer to recognizers trained by RA as recognizer clones and aim to develop a defense against them in our ongoing research project, whose current status is reported in this paper. Specifically, we consider the following two approaches. One is a method for preventing attackers from training recognizer clones by intentional misrecognition, in which the server intentionally misrecognizes the images sent by attackers. The other is a method for detecting already trained recognizer clones by checking the characteristics of their recognition results. While both methods are still under development, our experiments have yielded some interesting findings.