Efficient Data-Free Model Stealing with Label Diversity (2404.00108v1)
Abstract: Machine Learning as a Service (MLaaS) lets users query a machine learning model through an API, giving them the benefits of a high-performance model trained on valuable data. This interface accelerates the proliferation of machine-learning-based applications, but it also opens an attack surface for model stealing attacks. Existing model stealing attacks have relaxed their assumptions to the data-free setting while remaining effective. However, these methods are complex and consist of several components, which obscures the core on which the attack really depends. In this paper, we revisit the model stealing problem from a diversity perspective and demonstrate that keeping the generated data samples diverse across all the classes is the critical factor for improving attack performance. Based on this conjecture, we provide a simplified attack framework. We empirically support our conjecture by evaluating the effectiveness of our attack, and experimental results show that our approach achieves comparable or even better performance than the state-of-the-art method. Furthermore, because it has no redundant components, our method is more efficient in both attack time and query budget.
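The abstract's central claim is that what matters is how evenly the query samples are spread across all of the target model's classes. The following added example (not code from the paper, whose exact diversity measure is not given here) shows one plausible way to quantify "label diversity" for a batch of predicted labels: the fraction of classes that appear at all, and the Shannon entropy of the empirical label distribution normalized by log(num_classes). The batches at the bottom are constructed for illustration. A model owner can run the same measure over the labels returned to an API client, and a researcher can use it to check whether a sample generator has collapsed onto a few classes.

```python
import math
from collections import Counter


def label_diversity(labels, num_classes):
    """Quantify how diverse a batch of predicted class labels is.

    Returns (coverage, normalized_entropy):
      coverage           - fraction of the num_classes classes that occur at least once
      normalized_entropy - Shannon entropy of the empirical label distribution divided
                           by log(num_classes); 1.0 means perfectly uniform, 0.0 means
                           every label is identical (total class collapse)
    This metric is an assumption of this example, not the paper's definition.
    """
    if not labels:
        raise ValueError("empty batch")
    if num_classes < 1:
        raise ValueError("num_classes must be >= 1")
    counts = Counter(labels)
    n = len(labels)
    coverage = len(counts) / num_classes
    if num_classes == 1:
        return coverage, 0.0  # entropy is undefined for a single class
    entropy = -sum((c / n) * math.log(c / n) for c in counts.values())
    return coverage, entropy / math.log(num_classes)


def is_collapsed(labels, num_classes, min_coverage=0.5, min_entropy=0.5):
    """Flag a batch whose labels are concentrated on a few classes.

    Thresholds are illustrative assumptions; tune them to the model and workload.
    """
    coverage, ent = label_diversity(labels, num_classes)
    return coverage < min_coverage or ent < min_entropy


if __name__ == "__main__":
    # Constructed batches for a 10-class model (e.g. a CIFAR-10-sized label space).
    collapsed = [0] * 100                 # generator only produces class 0
    skewed = [0] * 50 + [1] * 50          # two classes, evenly split
    balanced = list(range(10)) * 10       # all ten classes, evenly split
    for name, batch in (("collapsed", collapsed), ("skewed", skewed), ("balanced", balanced)):
        cov, ent = label_diversity(batch, 10)
        print(f"{name:9s} coverage={cov:.2f} norm_entropy={ent:.3f} collapsed={is_collapsed(batch, 10)}")
```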