ActiveThief: Model Extraction Using Active Learning and Unannotated Public Data

Abstract: Machine learning models are increasingly being deployed in practice. Machine Learning as a Service (MLaaS) providers expose such models to queries by third-party developers through application programming interfaces (APIs). Prior work has developed model extraction attacks, in which an attacker extracts an approximation of an MLaaS model by making black-box queries to it. We design ActiveThief – a model extraction framework for deep neural networks that makes use of active learning techniques and unannotated p… Show more

“…In the classic attack (Tramer's [1]) of Section 5.2-5.5, training set sample are used for the construction of victim model, whereas test set samples and uniformly sampled points are applied in the evaluation of utility and extraction rate respectively. In the advanced attack (ActiveThief [8]) of Section 5.6, the configuration is similar, except that the extraction rate is evaluated against test set samples.…”

“…Due to space limitation, we select state-of-the-art Ac-tiveThief [8] as the attack scheme for evaluation because it is the most recent and advanced attack. Activethief is a model extraction framework for neural networks using nonproblem domain datasets and pool-based active learning strategies.…”

“…With regards to the model architecture, we adopt the same CNN design in [8] for evaluation, which has 3 blocks of convolution. In each block, there are 2 repeated units of 2 convolution layers using a 3 × 3 kernel, followed by 1 pooling layer using 2 × 2 kernel.…”

“…In each iteration, the replica model is retrained from all accumulated query-response pairs. Strategy hyperparameters such as number of seed samples and iteration numbers are the same in [8]. Previous evaluation metrics are adopted, that is, extraction rate R and utility U .…”

“…Our key observation is that many model extraction attacks exploit fine-tuned queries near the decision boundary of a machine learning model achieve optimal extraction performance [8], [9]. We treat decision boundary probing as an abstract and necessary condition of high-quality extraction attacks.…”

Protecting Decision Boundary of Machine Learning Model With Differentially Private Perturbation

“…In the classic attack (Tramer's [1]) of Section 5.2-5.5, training set sample are used for the construction of victim model, whereas test set samples and uniformly sampled points are applied in the evaluation of utility and extraction rate respectively. In the advanced attack (ActiveThief [8]) of Section 5.6, the configuration is similar, except that the extraction rate is evaluated against test set samples.…”

“…Due to space limitation, we select state-of-the-art Ac-tiveThief [8] as the attack scheme for evaluation because it is the most recent and advanced attack. Activethief is a model extraction framework for neural networks using nonproblem domain datasets and pool-based active learning strategies.…”

“…With regards to the model architecture, we adopt the same CNN design in [8] for evaluation, which has 3 blocks of convolution. In each block, there are 2 repeated units of 2 convolution layers using a 3 × 3 kernel, followed by 1 pooling layer using 2 × 2 kernel.…”

“…In each iteration, the replica model is retrained from all accumulated query-response pairs. Strategy hyperparameters such as number of seed samples and iteration numbers are the same in [8]. Previous evaluation metrics are adopted, that is, extraction rate R and utility U .…”

“…Our key observation is that many model extraction attacks exploit fine-tuned queries near the decision boundary of a machine learning model achieve optimal extraction performance [8], [9]. We treat decision boundary probing as an abstract and necessary condition of high-quality extraction attacks.…”

Protecting Decision Boundary of Machine Learning Model With Differentially Private Perturbation

Towards explainable model extraction attacks

GAME: Generative-Based Adaptive Model Extraction Attack