Decepticon: Attacking Secrets of Transformers

Mujahid Al Rafi, Yuan Feng, Fan Yao, Meng Tang, Hyeran Jeon

2023 IEEE INTERNATIONAL SYMPOSIUM ON WORKLOAD CHARACTERIZATION, IISWC (2023)

Abstract
With the growing burden of training deep learning models on huge datasets, transfer learning has been widely adopted (e.g., Transformers such as BERT and GPT). Transfer learning significantly reduces the time and effort of model training. However, the security impact of using shared pre-trained models has not been evaluated. In this paper, we provide in-depth characterizations of the fine-tuning process and reveal the security vulnerabilities of transfer-learned models. We then show a novel two-level model extraction attack: 1) identifying the pre-trained model of a victim transfer-learned model through a model fingerprint collected from off-the-shelf GPUs, and 2) extracting the entire weights of the victim black-box model based on the hints in the pre-trained model. The extracted model shows nearly the same prediction accuracy as the victim model, with over 94% of its prediction outputs matching the victim's. By significantly reducing the extraction effort, the two-level model extraction enables weight extraction from large models, which is considered challenging if not impossible.