Efficient Model Extraction via Boundary Sampling

Maor Biton Dor; Yisroel Mirsky

doi:https://doi.org/10.1145/3689932.3694756

Efficient Model Extraction via Boundary Sampling

Maor Biton Dor, Yisroel Mirsky

Department of Software and Information Systems Engineering

Ben-Gurion University of the Negev

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

This paper introduces a novel data-free model extraction attack that significantly advances the current state-of-the-art in terms of efficiency, accuracy, and effectiveness. Traditional black-box methods rely on using the victim’s model as an oracle to label a vast number of samples within high-confidence areas. This approach not only requires an extensive number of queries but also results in a less accurate and less transferable model. In contrast, our method innovates by focusing on sampling low-confidence areas (along the decision boundaries) and employing an evolutionary algorithm to optimize the sampling process. These novel contributions allow for a dramatic reduction in the number of queries needed by the attacker by a factor of 10x to 600x while simultaneously improving the accuracy of the stolen model. Moreover, our approach improves boundary alignment, resulting in better transferability of adversarial examples from the stolen model to the victim’s model (increasing the attack success rate from 60% to 82% on average). Finally, we accomplish all of this with a strict black-box assumption on the victim, with no knowledge of the target’s architecture or dataset. We demonstrate our attack on three datasets with increasingly larger resolutions and compare our performance to four state-of-the-art model extraction attacks.

Original language	American English
Title of host publication	AISec 2024 - Proceedings of the 2024 Workshop on Artificial Intelligence and Security, Co-Located with
Subtitle of host publication	CCS 2024
Pages	1-11
Number of pages	11
ISBN (Electronic)	9798400712289
DOIs	https://doi.org/10.1145/3689932.3694756
State	Published - 22 Nov 2024
Event	16th ACM Workshop on Artificial Intelligence and Security, AISec 2024, co-located with CCS 2024 - Salt Lake City, United States Duration: 14 Oct 2024 → 18 Oct 2024

Publication series

Name	AISec 2024 - Proceedings of the 2024 Workshop on Artificial Intelligence and Security, Co-Located with: CCS 2024

Conference

Conference	16th ACM Workshop on Artificial Intelligence and Security, AISec 2024, co-located with CCS 2024
Country/Territory	United States
City	Salt Lake City
Period	14/10/24 → 18/10/24

Keywords

Black Box
Data Free
Evolutionary Algorithms
Model Extraction
Substitute Models
Transfer Attacks

All Science Journal Classification (ASJC) codes

Artificial Intelligence
Computer Networks and Communications
Software

Access to Document

https://doi.org/10.1145/3689932.3694756

Cite this

@inproceedings{b713c3da16c041928f9ae558c54a66c5,

title = "Efficient Model Extraction via Boundary Sampling",

abstract = "This paper introduces a novel data-free model extraction attack that significantly advances the current state-of-the-art in terms of efficiency, accuracy, and effectiveness. Traditional black-box methods rely on using the victim{\textquoteright}s model as an oracle to label a vast number of samples within high-confidence areas. This approach not only requires an extensive number of queries but also results in a less accurate and less transferable model. In contrast, our method innovates by focusing on sampling low-confidence areas (along the decision boundaries) and employing an evolutionary algorithm to optimize the sampling process. These novel contributions allow for a dramatic reduction in the number of queries needed by the attacker by a factor of 10x to 600x while simultaneously improving the accuracy of the stolen model. Moreover, our approach improves boundary alignment, resulting in better transferability of adversarial examples from the stolen model to the victim{\textquoteright}s model (increasing the attack success rate from 60% to 82% on average). Finally, we accomplish all of this with a strict black-box assumption on the victim, with no knowledge of the target{\textquoteright}s architecture or dataset. We demonstrate our attack on three datasets with increasingly larger resolutions and compare our performance to four state-of-the-art model extraction attacks.",

keywords = "Black Box, Data Free, Evolutionary Algorithms, Model Extraction, Substitute Models, Transfer Attacks",

author = "{Biton Dor}, Maor and Yisroel Mirsky",

note = "Publisher Copyright: {\textcopyright} 2024 Copyright held by the owner/author(s).; 16th ACM Workshop on Artificial Intelligence and Security, AISec 2024, co-located with CCS 2024 ; Conference date: 14-10-2024 Through 18-10-2024",

year = "2024",

month = nov,

day = "22",

doi = "https://doi.org/10.1145/3689932.3694756",

language = "American English",

series = "AISec 2024 - Proceedings of the 2024 Workshop on Artificial Intelligence and Security, Co-Located with: CCS 2024",

pages = "1--11",

booktitle = "AISec 2024 - Proceedings of the 2024 Workshop on Artificial Intelligence and Security, Co-Located with",

}

Biton Dor, M & Mirsky, Y 2024, Efficient Model Extraction via Boundary Sampling. in AISec 2024 - Proceedings of the 2024 Workshop on Artificial Intelligence and Security, Co-Located with: CCS 2024. AISec 2024 - Proceedings of the 2024 Workshop on Artificial Intelligence and Security, Co-Located with: CCS 2024, pp. 1-11, 16th ACM Workshop on Artificial Intelligence and Security, AISec 2024, co-located with CCS 2024, Salt Lake City, United States, 14/10/24. https://doi.org/10.1145/3689932.3694756

Efficient Model Extraction via Boundary Sampling. / Biton Dor, Maor; Mirsky, Yisroel.
AISec 2024 - Proceedings of the 2024 Workshop on Artificial Intelligence and Security, Co-Located with: CCS 2024. 2024. p. 1-11 (AISec 2024 - Proceedings of the 2024 Workshop on Artificial Intelligence and Security, Co-Located with: CCS 2024).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Efficient Model Extraction via Boundary Sampling

AU - Biton Dor, Maor

AU - Mirsky, Yisroel

PY - 2024/11/22

Y1 - 2024/11/22

N2 - This paper introduces a novel data-free model extraction attack that significantly advances the current state-of-the-art in terms of efficiency, accuracy, and effectiveness. Traditional black-box methods rely on using the victim’s model as an oracle to label a vast number of samples within high-confidence areas. This approach not only requires an extensive number of queries but also results in a less accurate and less transferable model. In contrast, our method innovates by focusing on sampling low-confidence areas (along the decision boundaries) and employing an evolutionary algorithm to optimize the sampling process. These novel contributions allow for a dramatic reduction in the number of queries needed by the attacker by a factor of 10x to 600x while simultaneously improving the accuracy of the stolen model. Moreover, our approach improves boundary alignment, resulting in better transferability of adversarial examples from the stolen model to the victim’s model (increasing the attack success rate from 60% to 82% on average). Finally, we accomplish all of this with a strict black-box assumption on the victim, with no knowledge of the target’s architecture or dataset. We demonstrate our attack on three datasets with increasingly larger resolutions and compare our performance to four state-of-the-art model extraction attacks.

AB - This paper introduces a novel data-free model extraction attack that significantly advances the current state-of-the-art in terms of efficiency, accuracy, and effectiveness. Traditional black-box methods rely on using the victim’s model as an oracle to label a vast number of samples within high-confidence areas. This approach not only requires an extensive number of queries but also results in a less accurate and less transferable model. In contrast, our method innovates by focusing on sampling low-confidence areas (along the decision boundaries) and employing an evolutionary algorithm to optimize the sampling process. These novel contributions allow for a dramatic reduction in the number of queries needed by the attacker by a factor of 10x to 600x while simultaneously improving the accuracy of the stolen model. Moreover, our approach improves boundary alignment, resulting in better transferability of adversarial examples from the stolen model to the victim’s model (increasing the attack success rate from 60% to 82% on average). Finally, we accomplish all of this with a strict black-box assumption on the victim, with no knowledge of the target’s architecture or dataset. We demonstrate our attack on three datasets with increasingly larger resolutions and compare our performance to four state-of-the-art model extraction attacks.

KW - Black Box

KW - Data Free

KW - Evolutionary Algorithms

KW - Model Extraction

KW - Substitute Models

KW - Transfer Attacks

UR - http://www.scopus.com/inward/record.url?scp=85216515737&partnerID=8YFLogxK

U2 - https://doi.org/10.1145/3689932.3694756

DO - https://doi.org/10.1145/3689932.3694756

M3 - Conference contribution

T3 - AISec 2024 - Proceedings of the 2024 Workshop on Artificial Intelligence and Security, Co-Located with: CCS 2024

SP - 1

EP - 11

BT - AISec 2024 - Proceedings of the 2024 Workshop on Artificial Intelligence and Security, Co-Located with

T2 - 16th ACM Workshop on Artificial Intelligence and Security, AISec 2024, co-located with CCS 2024

Y2 - 14 October 2024 through 18 October 2024

ER -

Efficient Model Extraction via Boundary Sampling

Abstract

Publication series

Conference

Keywords

All Science Journal Classification (ASJC) codes

Access to Document

Other files and links

Cite this