Detecting Compromised Architecture/Weights of a Deep Model

Beetham, James; Kardan, Navid; Mian, Ajmal; Shah, Mubarak

doi:10.1109/icpr56361.2022.9956280

Cited by 1 publication

(2 citation statements)

References 17 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…However, it still needs to use a proxy dataset or a synthetic dataset of random shapes generated on colored backgrounds, which breaks the truly datafree setting. To address this issue, DS (Beetham et al 2023) proposed to train two student models simultaneously, which allows the generator to use one of the students as a proxy for the target model. However, these methods only achieved accuracy stealing, but cannot obtain the model's robustness.…”

Section: Related Workmentioning

confidence: 99%

“…Unlike previous work (Sanyal, Addepalli, and Babu 2022;Beetham et al 2023), which uses M T as a discriminator and plays a min-max game, we decouple the training process of the generator and the training process of M C into two stages: 1) Substitute Data Generation and 2) Clone Model Training. In the first stage, we train a generator to synthesize substitute data to approximate the distribution of the target data and store them in a memory bank.…”

Section: Overviewmentioning

confidence: 99%

See 1 more Smart Citation

Data-Free Hard-Label Robustness Stealing Attack

Yuan,

Chen,

Huang

et al. 2024

AAAI

View full text Add to dashboard Cite

The popularity of Machine Learning as a Service (MLaaS) has led to increased concerns about Model Stealing Attacks (MSA), which aim to craft a clone model by querying MLaaS. Currently, most research on MSA assumes that MLaaS can provide soft labels and that the attacker has a proxy dataset with a similar distribution. However, this fails to encapsulate the more practical scenario where only hard labels are returned by MLaaS and the data distribution remains elusive. Furthermore, most existing work focuses solely on stealing the model accuracy, neglecting the model robustness, while robustness is essential in security-sensitive scenarios, e.g, face-scan payment. Notably, improving model robustness often necessitates the use of expensive techniques such as adversarial training, thereby further making stealing robustness a more lucrative prospect. In response to these identified gaps, we introduce a novel Data-Free Hard-Label Robustness Stealing (DFHL-RS) attack in this paper, which enables the stealing of both model accuracy and robustness by simply querying hard labels of the target model without the help of any natural data. Comprehensive experiments demonstrate the effectiveness of our method. The clone model achieves a clean accuracy of 77.86% and a robust accuracy of 39.51% against AutoAttack, which are only 4.71% and 8.40% lower than the target model on the CIFAR-10 dataset, significantly exceeding the baselines. Our code is available at: https://github.com/LetheSec/DFHL-RS-Attack.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Overviewmentioning

confidence: 99%