
I am trying to understand the security implications of serializing a scikit-learn/keras fitted model (using pickle/joblib etc).

Specifically, if I work on data that I don't want to be revealed, would there be any way for someone to reverse engineer what data a model was fitted on? Or is the data just a way for the algorithm to update the relevant coefficients/weights for the algorithm? (If I train the model against "This movie is great" and store it as a foo.pkl file, would I also be able to load the foo.pkl and say it was trained on "This movie is great" if all I have access to is the pkl file and not the data?)

sbnukala
  • Need more details. Depends on the specific algorithm. In most cases, no, but some estimators save part or all of the data in addition to the learned coefficients (weights, params etc.), which can be accessed easily. Some estimators may store some central tendencies (mean, mode, or similar), which again can be used for getting an idea about the data. – Vivek Kumar Nov 15 '18 at 08:30
  • It also depends upon the preprocessing. You need to convert the strings in your example to some numbers, which should be consistent between train and test. So you will have to send the preprocessing algorithms too, which will definitely store the mapping of features that goes into the model. – Vivek Kumar Nov 15 '18 at 08:33
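A stand-alone Python example illustrating the point made in the comments above (this is added code, not from the question or either commenter, and the toy classes are assumptions standing in for scikit-learn's own estimators): a pickled fitted model may contain the training rows verbatim (nearest-neighbour style), or only per-feature weights (linear style), while the preprocessor's vocabulary leaks the training tokens either way. The audit function walks the unpickled object graph and reports every attribute path where a training row or token survives.

```python
import pickle

# Constructed training data, standing in for the "This movie is great" example in the question.
TRAIN_DOCS = ["this movie is great", "this movie is awful"]
TRAIN_LABELS = [1, 0]

class ToyVectorizer:
    """Bag-of-words preprocessor; keeps a token->index map like CountVectorizer.vocabulary_ does."""
    def fit(self, docs):
        self.vocabulary_ = {t: i for i, t in enumerate(sorted({t for d in docs for t in d.split()}))}
        return self
    def transform(self, docs):
        rows = []
        for d in docs:
            row = [0] * len(self.vocabulary_)
            for t in d.split():
                if t in self.vocabulary_:
                    row[self.vocabulary_[t]] += 1
            rows.append(tuple(row))
        return rows

class MemorisingModel:
    """Nearest-neighbour style: fit() stores the whole training set (cf. KNeighborsClassifier._fit_X)."""
    def fit(self, X, y):
        self._fit_X, self._y = list(X), list(y)
        return self

class WeightOnlyModel:
    """Linear style: fit() keeps only one averaged weight per feature (cf. LogisticRegression.coef_)."""
    def fit(self, X, y):
        n = len(X[0])
        self.coef_ = [sum(x[j] * (1 if lab else -1) for x, lab in zip(X, y)) / len(X) for j in range(n)]
        return self

def find_verbatim_training_data(obj, train_rows, train_tokens, path):
    """Return attribute paths under obj holding a training row (tuple) or a training token (dict key)."""
    hits = []
    if hasattr(obj, "__dict__"):
        for name, val in vars(obj).items():
            hits += find_verbatim_training_data(val, train_rows, train_tokens, f"{path}.{name}")
    elif isinstance(obj, dict):
        if train_tokens & {k for k in obj if isinstance(k, str)}:
            hits.append(path)
        for k, v in obj.items():
            hits += find_verbatim_training_data(v, train_rows, train_tokens, f"{path}[{k!r}]")
    elif isinstance(obj, (list, tuple)):
        if any(tuple(x) in train_rows for x in obj if isinstance(x, (list, tuple))):
            hits.append(path)
        for i, v in enumerate(obj):
            hits += find_verbatim_training_data(v, train_rows, train_tokens, f"{path}[{i}]")
    return hits

def build(model_cls):
    """Fit vectorizer + model on the constructed data and pickle the pair, as a training job would."""
    vec = ToyVectorizer().fit(TRAIN_DOCS)
    return pickle.dumps((vec, model_cls().fit(vec.transform(TRAIN_DOCS), TRAIN_LABELS)))

def audit(blob):
    """Unpickle a blob we produced ourselves and report where the training data survives inside it."""
    vec, model = pickle.loads(blob)
    rows, tokens = set(vec.transform(TRAIN_DOCS)), {t for d in TRAIN_DOCS for t in d.split()}
    return (find_verbatim_training_data(vec, rows, tokens, "vectorizer")
            + find_verbatim_training_data(model, rows, tokens, "model"))
```

Running `audit(build(MemorisingModel))` reports both `vectorizer.vocabulary_` and `model._fit_X`, whereas `audit(build(WeightOnlyModel))` reports only the vocabulary, which is the distinction the comments draw between estimators.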

1 Answer


No, you can't (in principle, anyway) reverse engineer the data based on a model. You can obviously derive the trained model weights/etc. and start to get a good understanding of what it might have been trained over, but as for directly deriving the data, I'm not aware of any possible way of doing that, provided you're pickling the trained model.

Henry