Towards Model Extraction Attacks in GAN-Based Image Translation via Domain Shift Mitigation (2403.07673v3)

Published 12 Mar 2024 in cs.CR

Abstract: Model extraction attacks (MEAs) enable an attacker to replicate the functionality of a victim deep neural network (DNN) model by only querying its API service remotely, posing a severe threat to the security and integrity of pay-per-query DNN-based services. Although the majority of current research on MEAs has concentrated on neural classifiers, image-to-image translation (I2IT) tasks are increasingly common in everyday activities. However, techniques developed for MEAs against DNN classifiers cannot be directly transferred to the I2IT setting, so the vulnerability of I2IT models to MEAs is often underestimated. This paper unveils the threat of MEAs in I2IT tasks from a new perspective. Diverging from the traditional approach of bridging the distribution gap between attacker queries and victim training samples, we instead mitigate the effect caused by the differing distributions, known as domain shift. This is achieved by introducing a new regularization term that penalizes high-frequency noise, and by seeking a flatter minimum to avoid overfitting to the shifted distribution. Extensive experiments on different image translation tasks, including image super-resolution and style transfer, are performed on different backbone victim models, and the new design consistently outperforms the baseline by a large margin across all metrics. A few real-life I2IT APIs are also verified to be extremely vulnerable to our attack, emphasizing the need for enhanced defenses and potentially revised API publishing policies.
