
Towards Few-Call Model Stealing via Active Self-Paced Knowledge Distillation and Diffusion-Based Image Generation (2310.00096v1)

Published 29 Sep 2023 in cs.CV and cs.LG

Abstract: Diffusion models have shown strong capabilities in image synthesis and are used in many computer vision tasks with great success. Building on this, we propose to explore a new use case, namely copying black-box classification models without access to the original training data, the architecture, or the weights of the model, i.e., the model is only exposed through an inference API. More specifically, we can only observe the (soft or hard) labels for some image samples passed as input to the model. Furthermore, we consider an additional constraint limiting the number of model calls, focusing our research mostly on few-call model stealing. To solve the model extraction task under these restrictions, we propose the following framework. As training data, we create a synthetic data set (called the proxy data set) by leveraging the ability of diffusion models to generate realistic and diverse images. Given a maximum number of allowed API calls, we pass the corresponding number of samples through the black-box model to collect labels. Finally, we distill the knowledge of the black-box teacher (the attacked model) into a student model (the copy of the attacked model), harnessing both the labeled and the unlabeled data generated by the diffusion model. We employ a novel active self-paced learning framework to make the most of the proxy data during distillation. Our empirical results on two data sets confirm the superiority of our framework over two state-of-the-art methods in the few-call model extraction scenario.
