Stealix: Model Stealing via Prompt Evolution (2506.05867v1)

Abstract: Model stealing poses a significant security risk in machine learning by enabling attackers to replicate a black-box model without access to its training data, thus jeopardizing intellectual property and exposing sensitive information. Recent methods that use pre-trained diffusion models for data synthesis improve efficiency and performance but rely heavily on manually crafted prompts, limiting automation and scalability, especially for attackers with little expertise. To assess the risks posed by open-source pre-trained models, we propose a more realistic threat model that eliminates the need for prompt design skills or knowledge of class names. In this context, we introduce Stealix, the first approach to perform model stealing without predefined prompts. Stealix uses two open-source pre-trained models to infer the victim model's data distribution, and iteratively refines prompts through a genetic algorithm, progressively improving the precision and diversity of synthetic images. Our experimental results demonstrate that Stealix significantly outperforms other methods, even those with access to class names or fine-grained prompts, while operating under the same query budget. These findings highlight the scalability of our approach and suggest that the risks posed by pre-trained generative models in model stealing may be greater than previously recognized.

• The paper introduces a novel model stealing method that evolves prompts using genetic algorithms to mimic a victim model’s data distribution.
• It employs prompt refinement, consistency metrics, and reproduction techniques to significantly improve surrogate model accuracy by up to 22.2%.
• The work highlights critical vulnerabilities in model extraction, urging the development of robust defenses to protect proprietary AI models.

Model Stealing via Prompt Evolution: An Analysis of "Stealix"

The paper "Stealix: Model Stealing via Prompt Evolution" provides a novel approach to model stealing threats through a detailed examination of how pre-trained generative models can be leveraged in a more automated and efficient manner. The authors address the security risks introduced by black-box access to machine learning models and propose a new method that circumvents the need for human-crafted prompts, a significant limitation of prior model stealing approaches. By refining prompts through a genetic algorithm, the proposed method, Stealix, enables attackers to synthesize data that closely resembles the victim model's data distribution, effectively bypassing the constraint of requiring specialist knowledge for prompt design.

Key Contributions and Methodology

Stealix introduces a sophisticated threat model that reflects practical attack scenarios where attackers lack prompt design expertise or detailed knowledge of class names—an assumption more representative of real-world conditions. The method utilizes two pre-trained generative models to infer the victim model's data distribution by iteratively refining prompts, thereby achieving high precision and diversity in synthetic image generation. This is done through a mechanism that integrates contrastive learning and evolutionary algorithms, making the method scalable and less reliant on manual input.

The proposed technique can be broken down into three main components:

1. Prompt Refinement: This step involves optimizing randomly initialized prompts based on image triplets to capture relevant features of the target class learned by the victim model. The process leverages the predictions of the victim model to refine the prompts, thereby enhancing query complexities and model extraction efficiency.
2. Prompt Consistency: Here, the authors propose a proxy metric for evaluating how well a generated prompt synthesizes images that align with the target class of the victim model. This step is crucial for measuring the likelihood of a prompt's success in mirroring the victim model's data distribution.
3. Prompt Reproduction: Through a genetic algorithm-based next-generation synthesis, this component focuses on evolving a pool of refined prompts, enabling the attacker to systematically explore various prompts and improve the overall performance of the surrogate model.

Experimental Findings

The paper's empirical results underscore Stealix's superior performance compared to existing methods. For instance, it achieves a marked improvement in attacker model accuracy—up to 22.2% better than traditional methods—with a limited query budget. The authors illustrate that their approach significantly improves upon methods reliant on class names or manual prompt generation, as evident from the reported results across diverse datasets like EuroSAT and CIFAR10. Moreover, the incorporation of a proxy metric for prompt optimization demonstrates a high correlation with the victim model's data distribution, thus validating the efficacy of the proposed method.

Theoretical and Practical Implications

From a theoretical standpoint, this research broadens the understanding of the vulnerabilities in existing model theft defenses, particularly those based on pre-trained generative models. The paper highlights the need for robust security measures against automated model extraction techniques that do not depend on extensive domain expertise.

Practically, the work suggests a heightened risk for model proprietary and intellectual property, urging the AI community to develop more sophisticated defenses. This may include implementing harder-to-infer internal model representations or more stringent access controls on model querying capabilities.

Future Directions

Stealix provides a framework that could be enhanced by integrating advanced generative models as they become available, potentially increasing the effectiveness of model stealing. Additionally, future research might explore adaptive defenses that can dynamically respond to such advanced attack methodologies. This work opens avenues for examining the extent to which generative model sophistication correlates with model stealing success, which could further inform the development of countermeasures.

In summary, the paper presents a comprehensive advance in model stealing literature, underscoring the need for continued vigilance and innovation in safeguarding AI models against such evolving threats.