Analyzing the Confidentiality of Undistillable Teachers in Knowledge Distillation

Souvik Kundu; Qirui Sun; Yao Fu; Massoud Pedram; Peter Anthony Beerel

Analyzing the Confidentiality of Undistillable Teachers in Knowledge Distillation

Souvik Kundu, Qirui Sun, Yao Fu, Massoud Pedram, Peter Anthony Beerel

Published: 09 Nov 2021, Last Modified: 05 May 2023NeurIPS 2021 PosterReaders: Everyone

Keywords: Model confidentiality, Data Privacy, DNN Poisoning, Knowledge Distillation, Model IP protection, Data-free distillation

TL;DR: We analyze the limitations of undistillable teachers in the context of model IP protection and propose an effective solution to distill knowledge from even a nasty teacher raising a fundamental question about feasibility of model IP protection.

Abstract: Knowledge distillation (KD) has recently been identified as a method that can unintentionally leak private information regarding the details of a teacher model to an unauthorized student. Recent research in developing undistillable nasty teachers that can protect model confidentiality has gained significant attention. However, the level of protection these nasty models offer has been largely untested. In this paper, we show that transferring knowledge to a shallow sub-section of a student can largely reduce a teacher’s influence. By exploring the depth of the shallow subsection, we then present a distillation technique that enables a skeptical student model to learn even from a nasty teacher. To evaluate the efficacy of our skeptical students, we conducted experiments with several models with KD on both training data-available and data-free scenarios for various datasets. While distilling from nasty teachers, compared to the normal student models, skeptical students consistently provide superior classification performance of up to ∼59.5%. Moreover, similar to normal students, skeptical students maintain high classification accuracy when distilled from a normal teacher, showing their efficacy irrespective of the teacher being nasty or not. We believe the ability of skeptical students to largely diminish the KD-immunity of potentially nasty teachers will motivate the research community to create more robust mechanisms for model confidentiality. We have open-sourced the code at https://github.com/ksouvik52/Skeptical2021

Supplementary Material: pdf

Code Of Conduct: I certify that all co-authors of this work have read and commit to adhering to the NeurIPS Statement on Ethics, Fairness, Inclusivity, and Code of Conduct.

Code: https://github.com/ksouvik52/Skeptical2021

19 Replies

Loading