Towards Data-Free Model Stealing in a Hard Label Setting

Sunandini, Sanyal,; Addepalli, Sravanti; Babu, R. Venkatesh

doi:10.1109/cvpr52688.2022.01485

Cited by 46 publications

(19 citation statements)

References 18 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Based on Adversarial DFKD, recent works MAZE (Kariyappa, Prakash, and Qureshi 2021) and DFME (Truong et al 2021) utilized gradient estimation techniques to achieve DFMS, which require the target model to return soft labels. Therefore, DFMS-HL (Sanyal, Addepalli, and Babu 2022) extended the problem to the hard-label setting. However, it still needs to use a proxy dataset or a synthetic dataset of random shapes generated on colored backgrounds, which breaks the truly datafree setting.…”

Section: Related Workmentioning

confidence: 99%

“…Unlike previous work (Sanyal, Addepalli, and Babu 2022;Beetham et al 2023), which uses M T as a discriminator and plays a min-max game, we decouple the training process of the generator and the training process of M C into two stages: 1) Substitute Data Generation and 2) Clone Model Training. In the first stage, we train a generator to synthesize substitute data to approximate the distribution of the target data and store them in a memory bank.…”

Section: Overviewmentioning

confidence: 99%

“…Moreover, merely ensuring the generator produces images from the desired distribution is inadequate, as it may still encounter issues such as mode collapse and insufficient diversity (Chen et al 2019;Sanyal, Addepalli, and Babu 2022). In a hard-label setting, a lack of diversity among classes can significantly hamper the learning process of M C , particularly for the less represented classes.…”

Section: Substitute Data Generationmentioning

confidence: 99%

“…We consider two benchmark datasets commonly used in AT research (Madry et al 2018;Zhang et al 2019;Li et al 2023b), CIFAR-10 and CIFAR-100 (Krizhevsky, Hinton et al 2009), as target datasets. Prior work requires a proxy dataset with samples from the same distribution (Tramèr et al 2016;Jagielski et al 2020;Orekondy, Schiele, and Fritz 2019) or the same task domain (Sanyal, Addepalli, and Babu 2022;Li et al 2023a) as the target dataset. However, we avoid using any natural data.…”

Section: Experimental Settingsmentioning

confidence: 99%

See 3 more Smart Citations

Data-Free Hard-Label Robustness Stealing Attack

Yuan,

Chen,

Huang

et al. 2024

AAAI

View full text Add to dashboard Cite

The popularity of Machine Learning as a Service (MLaaS) has led to increased concerns about Model Stealing Attacks (MSA), which aim to craft a clone model by querying MLaaS. Currently, most research on MSA assumes that MLaaS can provide soft labels and that the attacker has a proxy dataset with a similar distribution. However, this fails to encapsulate the more practical scenario where only hard labels are returned by MLaaS and the data distribution remains elusive. Furthermore, most existing work focuses solely on stealing the model accuracy, neglecting the model robustness, while robustness is essential in security-sensitive scenarios, e.g, face-scan payment. Notably, improving model robustness often necessitates the use of expensive techniques such as adversarial training, thereby further making stealing robustness a more lucrative prospect. In response to these identified gaps, we introduce a novel Data-Free Hard-Label Robustness Stealing (DFHL-RS) attack in this paper, which enables the stealing of both model accuracy and robustness by simply querying hard labels of the target model without the help of any natural data. Comprehensive experiments demonstrate the effectiveness of our method. The clone model achieves a clean accuracy of 77.86% and a robust accuracy of 39.51% against AutoAttack, which are only 4.71% and 8.40% lower than the target model on the CIFAR-10 dataset, significantly exceeding the baselines. Our code is available at: https://github.com/LetheSec/DFHL-RS-Attack.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Overviewmentioning

confidence: 99%

Section: Substitute Data Generationmentioning

confidence: 99%

Section: Experimental Settingsmentioning

confidence: 99%

See 2 more Smart Citations

Data-Free Hard-Label Robustness Stealing Attack

Yuan,

Chen,

Huang

et al. 2024

AAAI

View full text Add to dashboard Cite

show abstract

“…Additionally, not all models deployed on MLaaS systems possess the capability to furnish comprehensive predictive results. Most MLaaS systems [57,78] merely offer categorical labels for samples (e.g., the image depicts a cat or a dog, rather than the probabilities of the image belonging to various categories). These challenges force us to urgently study more practical model stealing attacks for graph classification.…”

Section: Introductionmentioning

confidence: 99%

Membership Inference Attacks Against Sequential Recommender Systems

Zhu

Fan

et al. 2023

Proceedings of the ACM Web Conference 2023

View full text Add to dashboard Cite

Recent research demonstrates that GNNs are vulnerable to the model stealing attack, a nefarious endeavor geared towards duplicating the target model via query permissions. However, they mainly focus on node classification tasks, neglecting the potential threats entailed within the domain of graph classification tasks. Furthermore, their practicality is questionable due to unreasonable assumptions, specifically concerning the large data requirements and extensive model knowledge. To this end, we advocate following strict settings with limited real data and hard-label awareness to generate synthetic data, thereby facilitating the stealing of the target model. Specifically, following important data generation principles, we introduce three model stealing attacks to adapt to different actual scenarios: MSA-AU is inspired by active learning and emphasizes the uncertainty to enhance query value of generated samples; MSA-AD introduces diversity based on Mixup augmentation strategy to alleviate the query inefficiency issue caused by over-similar samples generated by MSA-AU; MSA-AUD combines the above two strategies to seamlessly integrate the authenticity, uncertainty, and diversity of the generated samples. Finally, extensive experiments consistently demonstrate the superiority of the proposed methods in terms of concealment, query efficiency, and stealing performance.

show abstract