
Data-Free Hard-Label Robustness Stealing Attack (2312.05924v2)

Published 10 Dec 2023 in cs.CV, cs.CR, and cs.LG

Abstract: The popularity of Machine Learning as a Service (MLaaS) has led to increased concern about Model Stealing Attacks (MSA), which aim to build a clone model by querying the MLaaS endpoint. Most research on MSA assumes that MLaaS returns soft labels and that the attacker holds a proxy dataset with a similar distribution. This fails to capture the more practical scenario in which MLaaS returns only hard labels and the data distribution is unknown. Furthermore, most existing work focuses solely on stealing model accuracy and neglects model robustness, even though robustness is essential in security-sensitive settings, e.g., face-scan payment. Notably, improving model robustness usually requires expensive techniques such as adversarial training, which makes stealing robustness an even more attractive prospect. In response to these gaps, we introduce a novel Data-Free Hard-Label Robustness Stealing (DFHL-RS) attack, which steals both model accuracy and robustness by querying only the hard labels of the target model, without the help of any natural data. Comprehensive experiments demonstrate the effectiveness of our method. The clone model achieves a clean accuracy of 77.86% and a robust accuracy of 39.51% against AutoAttack, which are only 4.71% and 8.40% lower than the target model on the CIFAR-10 dataset, significantly exceeding the baselines. Our code is available at: https://github.com/LetheSec/DFHL-RS-Attack.

