Copycat CNN: Are random non-Labeled data enough to steal knowledge from black-box models?

Correia-Silva, Jacson Rodrigues; Berriel, Rodrigo F.; Badué, Claudine; Souza, Alberto F. De; Oliveira-Santos, Thiago

doi:10.1016/j.patcog.2021.107830

Cited by 12 publications

(7 citation statements)

References 20 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…We train models with different α for different datasets like the experiments above and set them up as blackbox victim models. Inspired by Correia-Silva [13], we use the designed Copycat DNN as the substitute model to extract trained models protected by our proposed scheme. The method aims at copying a target network into a substitute model by only performing queries.…”

Section: D) Model Extraction Attacksmentioning

confidence: 99%

“…2) Infringement against DNN Model Algorithms: To date, various malicious attacks on DNN model algorithm have been proposed [13], [40], [42], [29], [55]. In these model illegitimate reproducing attacks, the attacker A aims to steal a DNN model F V of a victim set V or extract the targeted model parameters by making a series of unauthorized queries Q to F V and obtaining corresponding predictions F V (Q) in a black-box setting.…”

Section: B Infringement On Dnn Servicesmentioning

confidence: 99%

“…The Q and F V (Q) are used by A to train a pirated model F A , and A can get Accuracy(F A ) as close as possible to Accuracy(F V ). Correia-Silva et al [13] propose that A has access to a prediction API, and A uses the set {Q, F V (Q)} to iteratively refine the accuracy of F A . They assume that the data for queries come from the same domain as V's training data but from a different distribution.…”

Section: B Infringement On Dnn Servicesmentioning

confidence: 99%

“…Machine learning techniques involve expensive hardware computation, large data collection, and training procedures, especially deep neural networks (DNNs) applied in natural language processing [15], content generation, and semisupervised learning [50], [52]. Since it usually costs many resources to develop new DNN models, model owners cannot tolerate the infringement act of their models' intellectual property (IP) [13], [40], [42], [59]. The IP protection problem of DNN models becomes more severe with the commercial Corresponding author.…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

ActiveDaemon: Unconscious DNN Dormancy and Waking Up via User-specific Invisible Token

Ren,

Li,

et al. 2024

Proceedings 2024 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

Well-trained deep neural network (DNN) models can be treated as commodities for commercial transactions and generate significant revenues, raising the urgent need for intellectual property (IP) protection against illegitimate reproducing. Emerging studies on IP protection often aim at inserting watermarks into DNNs, allowing owners to passively verify the ownership of target models after counterfeit models appear and commercial benefits are infringed, while active authentication against unauthorized queries of DNN-based applications is still neglected. In this paper, we propose a novel approach to protect model intellectual property, called ActiveDaemon, which incorporates a built-in access control function in DNNs to safeguard against commercial piracy. Specifically, our approach enables DNNs to predict correct outputs only for authorized users with user-specific tokens while producing poor accuracy for unauthorized users. In ActiveDaemon, the user-specific tokens are generated by a specially designed U-Net style encoder-decoder network, which can map strings and input images into numerous noise images to address identity management with large-scale user capacity. Compared to existing studies, these user-specific tokens are invisible, dynamic and more perceptually concealed, enhancing the stealthiness and reliability of model IP protection. To automatically wake up the model accuracy, we utilize the data poisoning-based training technique to unconsciously embed the ActiveDaemon into the neuron's function. We conduct experiments to compare the protection performance of ActiveDaemon with four state-of-the-art approaches over four datasets. The experimental results show that ActiveDaemon can reduce the accuracy of unauthorized queries by as much as 81% with less than a 1.4% decrease in that of authorized queries. Meanwhile, our approach can also reduce the LPIPS scores of the authorized tokens to 0.0027 on CIFAR10 and 0.0368 on ImageNet 1 .

show abstract

Section: D) Model Extraction Attacksmentioning

confidence: 99%

Section: B Infringement On Dnn Servicesmentioning

confidence: 99%

Section: B Infringement On Dnn Servicesmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

ActiveDaemon: Unconscious DNN Dormancy and Waking Up via User-specific Invisible Token

Ren,

Li,

et al. 2024

Proceedings 2024 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

show abstract

“…Although the CNNs and their variants have been successfully applied in numerous tasks, they contribute little to the understanding of the principle of neuronal computation because they are black-box models [29,30]. It is worth mentioning that the impressive results of CNNs are highly dependent on intensive pools of data, which indicates that their major strength is contributed by the availability of massive datasets [31]. However, the cost of accessing and annotating data is undoubtedly high due to the need for a large amount of data to increase the reliability of the computational results.…”

Section: Introductionmentioning

confidence: 99%

A Hardware-Based Orientation Detection System Using Dendritic Computation

Nomura,

Chen,

Tang

et al. 2024

Electronics

View full text Add to dashboard Cite

Studying how objects are positioned is vital for improving technologies like robots, cameras, and virtual reality. In our earlier papers, we introduced a bio-inspired artificial visual system for orientation detection, demonstrating its superiority over traditional systems with higher recognition rates, greater biological resemblance, and increased resistance to noise. In this paper, we propose a hardware-based orientation detection system (ODS). The ODS is implemented by a multiple dendritic neuron model (DNM), and a neuronal pruning scheme for the DNM is proposed. After performing the neuronal pruning, only the synapses in the direct and inverse connections states are retained. The former can be realized by a comparator, and the latter can be replaced by a combination of a comparator and a logic NOT gate. For the dendritic function, the connection of synapses on dendrites can be realized with logic AND gates. Then, the output of the neuron is equivalent to a logic OR gate. Compared with other machine learning methods, this logic circuit circumvents floating-point arithmetic and therefore requires very little computing resources to perform complex classification. Furthermore, the ODS can be designed based on experience, so no learning process is required. The superiority of ODS is verified by experiments on binary, grayscale, and color image datasets. The ability to process data rapidly owing to advantages such as parallel computation and simple hardware implementation allows the ODS to be desirable in the era of big data. It is worth mentioning that the experimental results are corroborated with anatomical, physiological, and neuroscientific studies, which may provide us with a new insight for understanding the complex functions in the human brain.

show abstract

Few-Shot Copycat: Improving Performance of Black-Box Attack with Random Natural Images and Few Examples of Problem Domain

Leão,

Correia-Silva,

de Souza

et al. 2024

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Copycat CNN: Are random non-Labeled data enough to steal knowledge from black-box models?

Cited by 12 publications

References 20 publications

ActiveDaemon: Unconscious DNN Dormancy and Waking Up via User-specific Invisible Token

ActiveDaemon: Unconscious DNN Dormancy and Waking Up via User-specific Invisible Token

A Hardware-Based Orientation Detection System Using Dendritic Computation

Few-Shot Copycat: Improving Performance of Black-Box Attack with Random Natural Images and Few Examples of Problem Domain

Contact Info

Product

Resources

About