{"bundle_type":"pith_open_graph_bundle","bundle_version":"1.0","pith_number":"pith:2018:SKNKCXPVUF52JEL2ZIM36RX272","short_pith_number":"pith:SKNKCXPV","canonical_record":{"source":{"id":"1806.00054","kind":"arxiv","version":4},"metadata":{"license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.LG","submitted_at":"2018-05-31T19:09:15Z","cross_cats_sorted":["cs.AI","cs.CR","stat.ML"],"title_canon_sha256":"3960ab5630e1a1d2277217b8f3a11ba3ef2266b31efea4f370d88138d4dbc30c","abstract_canon_sha256":"eda42d0a7e3abbbaebabbd765ada5102045eb01e15f224f08da9df9ebc50fa85"},"schema_version":"1.0"},"canonical_sha256":"929aa15df5a17ba4917aca19bf46fafe9b10ceaf393ce43113ca7eb0632ac377","source":{"kind":"arxiv","id":"1806.00054","version":4},"source_aliases":[{"alias_kind":"arxiv","alias_value":"1806.00054","created_at":"2026-05-17T23:58:22Z"},{"alias_kind":"arxiv_version","alias_value":"1806.00054v4","created_at":"2026-05-17T23:58:22Z"},{"alias_kind":"doi","alias_value":"10.48550/arxiv.1806.00054","created_at":"2026-05-17T23:58:22Z"},{"alias_kind":"pith_short_12","alias_value":"SKNKCXPVUF52","created_at":"2026-05-18T12:32:53Z"},{"alias_kind":"pith_short_16","alias_value":"SKNKCXPVUF52JEL2","created_at":"2026-05-18T12:32:53Z"},{"alias_kind":"pith_short_8","alias_value":"SKNKCXPV","created_at":"2026-05-18T12:32:53Z"}],"events":[{"event_type":"record_created","subject_pith_number":"pith:2018:SKNKCXPVUF52JEL2ZIM36RX272","target":"record","payload":{"canonical_record":{"source":{"id":"1806.00054","kind":"arxiv","version":4},"metadata":{"license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.LG","submitted_at":"2018-05-31T19:09:15Z","cross_cats_sorted":["cs.AI","cs.CR","stat.ML"],"title_canon_sha256":"3960ab5630e1a1d2277217b8f3a11ba3ef2266b31efea4f370d88138d4dbc30c","abstract_canon_sha256":"eda42d0a7e3abbbaebabbd765ada5102045eb01e15f224f08da9df9ebc50fa85"},"schema_version":"1.0"},"canonical_sha256":"929aa15df5a17ba4917aca19bf46fafe9b10ceaf393ce43113ca7eb0632ac377","receipt":{"kind":"pith_receipt","key_id":"pith-v1-2026-05","algorithm":"ed25519","signed_at":"2026-05-17T23:58:22.983848Z","signature_b64":"BHSFBkj+YFcqCFedYWTpK4JNQbk4JZM9AURYV+TYLrHTHDccI6S6F/KfUSgORlFKY2e0tymsinMpsqrqVIBFAg==","signed_message":"canonical_sha256_bytes","builder_version":"pith-number-builder-2026-05-17-v1","receipt_version":"0.3","canonical_sha256":"929aa15df5a17ba4917aca19bf46fafe9b10ceaf393ce43113ca7eb0632ac377","last_reissued_at":"2026-05-17T23:58:22.983106Z","signature_status":"signed_v1","first_computed_at":"2026-05-17T23:58:22.983106Z","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"source_kind":"arxiv","source_id":"1806.00054","source_version":4,"attestation_state":"computed"},"signer":{"signer_id":"pith.science","signer_type":"pith_registry","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"created_at":"2026-05-17T23:58:22Z","supersedes":[],"prev_event":null,"signature":{"signature_status":"signed_v1","algorithm":"ed25519","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signature_b64":"U/hGdaUSgKUbF6yJdfBgk/y85SKOmqslojNjL+yMTbkDGnq/Uk6pMdpe1E8vOm5uPzcEZtxYpMLyB2RYU7IpBw==","signed_message":"open_graph_event_sha256_bytes","signed_at":"2026-06-05T02:17:50.809677Z"},"content_sha256":"6fb1c7342a2ec4f3e2e69ea558add8d2e331ffe9eb1c341281e28c2da65bd0ea","schema_version":"1.0","event_id":"sha256:6fb1c7342a2ec4f3e2e69ea558add8d2e331ffe9eb1c341281e28c2da65bd0ea"},{"event_type":"graph_snapshot","subject_pith_number":"pith:2018:SKNKCXPVUF52JEL2ZIM36RX272","target":"graph","payload":{"graph_snapshot":{"paper":{"title":"Defending Against Machine Learning Model Stealing Attacks Using Deceptive Perturbations","license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","headline":"","cross_cats":["cs.AI","cs.CR","stat.ML"],"primary_cat":"cs.LG","authors_text":"Benjamin Edwards, Dong Su, Ian Molloy, Taesung Lee","submitted_at":"2018-05-31T19:09:15Z","abstract_excerpt":"Machine learning models are vulnerable to simple model stealing attacks if the adversary can obtain output labels for chosen inputs. To protect against these attacks, it has been proposed to limit the information provided to the adversary by omitting probability scores, significantly impacting the utility of the provided service. In this work, we illustrate how a service provider can still provide useful, albeit misleading, class probability information, while significantly limiting the success of the attack. Our defense forces the adversary to discard the class probabilities, requiring signif"},"claims":{"count":0,"items":[],"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"source":{"id":"1806.00054","kind":"arxiv","version":4},"verdict":{"id":null,"model_set":{},"created_at":null,"strongest_claim":"","one_line_summary":"","pipeline_version":null,"weakest_assumption":"","pith_extraction_headline":""},"references":{"count":0,"sample":[],"resolved_work":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57","internal_anchors":0},"formal_canon":{"evidence_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"author_claims":{"count":0,"strong_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"builder_version":"pith-number-builder-2026-05-17-v1"},"verdict_id":null},"signer":{"signer_id":"pith.science","signer_type":"pith_registry","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"created_at":"2026-05-17T23:58:22Z","supersedes":[],"prev_event":null,"signature":{"signature_status":"signed_v1","algorithm":"ed25519","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signature_b64":"5S9XldR2nIUkxae+a5+Y/2GZud936zbyjKgtHb0ymMb9Gpwk67fMB/iB4+uTpG23/ryxnjWC0D761xy4jjSdDg==","signed_message":"open_graph_event_sha256_bytes","signed_at":"2026-06-05T02:17:50.810228Z"},"content_sha256":"5138ab8bf1e65b7ac31ef74fc113085b997279e2cc212133eb0c903c6bd6c987","schema_version":"1.0","event_id":"sha256:5138ab8bf1e65b7ac31ef74fc113085b997279e2cc212133eb0c903c6bd6c987"}],"timestamp_proofs":[],"mirror_hints":[{"mirror_type":"https","name":"Pith Resolver","base_url":"https://pith.science","bundle_url":"https://pith.science/pith/SKNKCXPVUF52JEL2ZIM36RX272/bundle.json","state_url":"https://pith.science/pith/SKNKCXPVUF52JEL2ZIM36RX272/state.json","well_known_bundle_url":"https://pith.science/.well-known/pith/SKNKCXPVUF52JEL2ZIM36RX272/bundle.json","status":"primary"}],"public_keys":[{"key_id":"pith-v1-2026-05","algorithm":"ed25519","format":"raw","public_key_b64":"stVStoiQhXFxp4s2pdzPNoqVNBMojDU/fJ2db5S3CbM=","public_key_hex":"b2d552b68890857171a78b36a5dccf368a953413288c353f7c9d9d6f94b709b3","fingerprint_sha256_b32_first128bits":"RVFV5Z2OI2J3ZUO7ERDEBCYNKS","fingerprint_sha256_hex":"8d4b5ee74e4693bcd1df2446408b0d54","rotates_at":null,"url":"https://pith.science/pith-signing-key.json","notes":"Pith uses this Ed25519 key to sign canonical record SHA-256 digests. Verify with: ed25519_verify(public_key, message=canonical_sha256_bytes, signature=base64decode(signature_b64))."}],"merge_version":"pith-open-graph-merge-v1","built_at":"2026-06-05T02:17:50Z","links":{"resolver":"https://pith.science/pith/SKNKCXPVUF52JEL2ZIM36RX272","bundle":"https://pith.science/pith/SKNKCXPVUF52JEL2ZIM36RX272/bundle.json","state":"https://pith.science/pith/SKNKCXPVUF52JEL2ZIM36RX272/state.json","well_known_bundle":"https://pith.science/.well-known/pith/SKNKCXPVUF52JEL2ZIM36RX272/bundle.json"},"state":{"state_type":"pith_open_graph_state","state_version":"1.0","pith_number":"pith:2018:SKNKCXPVUF52JEL2ZIM36RX272","merge_version":"pith-open-graph-merge-v1","event_count":2,"valid_event_count":2,"invalid_event_count":0,"equivocation_count":0,"current":{"canonical_record":{"metadata":{"abstract_canon_sha256":"eda42d0a7e3abbbaebabbd765ada5102045eb01e15f224f08da9df9ebc50fa85","cross_cats_sorted":["cs.AI","cs.CR","stat.ML"],"license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.LG","submitted_at":"2018-05-31T19:09:15Z","title_canon_sha256":"3960ab5630e1a1d2277217b8f3a11ba3ef2266b31efea4f370d88138d4dbc30c"},"schema_version":"1.0","source":{"id":"1806.00054","kind":"arxiv","version":4}},"source_aliases":[{"alias_kind":"arxiv","alias_value":"1806.00054","created_at":"2026-05-17T23:58:22Z"},{"alias_kind":"arxiv_version","alias_value":"1806.00054v4","created_at":"2026-05-17T23:58:22Z"},{"alias_kind":"doi","alias_value":"10.48550/arxiv.1806.00054","created_at":"2026-05-17T23:58:22Z"},{"alias_kind":"pith_short_12","alias_value":"SKNKCXPVUF52","created_at":"2026-05-18T12:32:53Z"},{"alias_kind":"pith_short_16","alias_value":"SKNKCXPVUF52JEL2","created_at":"2026-05-18T12:32:53Z"},{"alias_kind":"pith_short_8","alias_value":"SKNKCXPV","created_at":"2026-05-18T12:32:53Z"}],"graph_snapshots":[{"event_id":"sha256:5138ab8bf1e65b7ac31ef74fc113085b997279e2cc212133eb0c903c6bd6c987","target":"graph","created_at":"2026-05-17T23:58:22Z","signer":{"key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signer_id":"pith.science","signer_type":"pith_registry"},"payload":{"graph_snapshot":{"author_claims":{"count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57","strong_count":0},"builder_version":"pith-number-builder-2026-05-17-v1","claims":{"count":0,"items":[],"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"formal_canon":{"evidence_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"paper":{"abstract_excerpt":"Machine learning models are vulnerable to simple model stealing attacks if the adversary can obtain output labels for chosen inputs. To protect against these attacks, it has been proposed to limit the information provided to the adversary by omitting probability scores, significantly impacting the utility of the provided service. In this work, we illustrate how a service provider can still provide useful, albeit misleading, class probability information, while significantly limiting the success of the attack. Our defense forces the adversary to discard the class probabilities, requiring signif","authors_text":"Benjamin Edwards, Dong Su, Ian Molloy, Taesung Lee","cross_cats":["cs.AI","cs.CR","stat.ML"],"headline":"","license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.LG","submitted_at":"2018-05-31T19:09:15Z","title":"Defending Against Machine Learning Model Stealing Attacks Using Deceptive Perturbations"},"references":{"count":0,"internal_anchors":0,"resolved_work":0,"sample":[],"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"source":{"id":"1806.00054","kind":"arxiv","version":4},"verdict":{"created_at":null,"id":null,"model_set":{},"one_line_summary":"","pipeline_version":null,"pith_extraction_headline":"","strongest_claim":"","weakest_assumption":""}},"verdict_id":null}}],"author_attestations":[],"timestamp_anchors":[],"storage_attestations":[],"citation_signatures":[],"replication_records":[],"corrections":[],"mirror_hints":[],"record_created":{"event_id":"sha256:6fb1c7342a2ec4f3e2e69ea558add8d2e331ffe9eb1c341281e28c2da65bd0ea","target":"record","created_at":"2026-05-17T23:58:22Z","signer":{"key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signer_id":"pith.science","signer_type":"pith_registry"},"payload":{"attestation_state":"computed","canonical_record":{"metadata":{"abstract_canon_sha256":"eda42d0a7e3abbbaebabbd765ada5102045eb01e15f224f08da9df9ebc50fa85","cross_cats_sorted":["cs.AI","cs.CR","stat.ML"],"license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.LG","submitted_at":"2018-05-31T19:09:15Z","title_canon_sha256":"3960ab5630e1a1d2277217b8f3a11ba3ef2266b31efea4f370d88138d4dbc30c"},"schema_version":"1.0","source":{"id":"1806.00054","kind":"arxiv","version":4}},"canonical_sha256":"929aa15df5a17ba4917aca19bf46fafe9b10ceaf393ce43113ca7eb0632ac377","receipt":{"algorithm":"ed25519","builder_version":"pith-number-builder-2026-05-17-v1","canonical_sha256":"929aa15df5a17ba4917aca19bf46fafe9b10ceaf393ce43113ca7eb0632ac377","first_computed_at":"2026-05-17T23:58:22.983106Z","key_id":"pith-v1-2026-05","kind":"pith_receipt","last_reissued_at":"2026-05-17T23:58:22.983106Z","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","receipt_version":"0.3","signature_b64":"BHSFBkj+YFcqCFedYWTpK4JNQbk4JZM9AURYV+TYLrHTHDccI6S6F/KfUSgORlFKY2e0tymsinMpsqrqVIBFAg==","signature_status":"signed_v1","signed_at":"2026-05-17T23:58:22.983848Z","signed_message":"canonical_sha256_bytes"},"source_id":"1806.00054","source_kind":"arxiv","source_version":4}}},"equivocations":[],"invalid_events":[],"applied_event_ids":["sha256:6fb1c7342a2ec4f3e2e69ea558add8d2e331ffe9eb1c341281e28c2da65bd0ea","sha256:5138ab8bf1e65b7ac31ef74fc113085b997279e2cc212133eb0c903c6bd6c987"],"state_sha256":"41f87820a27cb7a1d26597a870c4fa98767e4a075d20fe6e1b28238c5df51f1d"},"bundle_signature":{"signature_status":"signed_v1","algorithm":"ed25519","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signature_b64":"hoMOXYSA5yUvi19ssljlvA0Z6QPri9BT6ZZIhe6tWVH2IEn3FiOkaGNsZHN8VLNznps2iZ/b+YcRIDOQmNG3BA==","signed_message":"bundle_sha256_bytes","signed_at":"2026-06-05T02:17:50.813256Z","bundle_sha256":"8af631dccee6a42b18e1cd5a7b7b3eb46d1a683a04e53dc0d27e85c80f58e972"}}