A Statistical Framework for Analyzing Specification Resistance to Learnware-Inversion Risks
Abstract
The learnware paradigm aims to enable users to leverage numerous existing high-performing models instead of building machine learning models from scratch. A learnware consists of a submitted model together with a specification derived from the developer's training data. As the key component, a specification should characterize the capabilities of the model, enabling it to be adequately identified and reused, while preserving the privacy of the developer's original data. In this paper, we present the first formal study of the risks that arise when a specification is attached to a model, as opposed to releasing the model alone. We develop a game-theoretic framework and, by combining variational inference with geometric analysis, provide quantitative estimates of the risk introduced by the specification. Our analysis provides theoretical guarantees on the data-protection ability of the commonly adopted RKME specification. Finally, we prove that with a properly chosen specification size, releasing the specification alongside the model introduces almost no additional risk of exposing the raw data, while still retaining sufficient information for effective learnware identification.