Jie Zhang,Bo Li,Jianghe Xu,Shuang Wu,Shouhong Ding,Lei Zhang,Chao Wu

DOI: https://doi.org/10.1109/CVPR52688.2022.01469

2022-01-01

Abstract:Classic black-box adversarial attacks can take advantage of transferable adversarial examples generated by a similar substitute model to successfully fool the target model. However, these substitute models need to be trained by target models' training data, which is hard to acquire due to privacy or transmission reasons. Recognizing the limited availability of real data for adversarial queries, recent works proposed to train substitute models in a data-free black-box scenario. However, their generative adversarial networks (GANs) based framework suffers from the convergence failure and the model collapse, resulting in low efficiency. In this paper, by rethinking the collaborative relationship between the generator and the substitute model, we design a novel black-box attack framework. The proposed method can efficiently imitate the target model through a small number of queries and achieve high attack success rate. The comprehensive experiments over six datasets demonstrate the effectiveness of our method against the state-of-the-art attacks. Especially, we conduct both label-only and probability-only attacks on the Microsoft Azure online model, and achieve a 100% attack success rate with only 0.46% query budget of the SOTA method [49].

Xiaoji Ma,Weihao Guo,Pingyuan Ge,Ying Chen,Qiuling Yue,Yuqing Zhang

DOI: https://doi.org/10.1109/ithings-greencom-cpscom-smartdata-cybermatics62450.2024.00105

2024-01-01

Abstract:With the continuous development of Machine Learning as a Service (MLaaS), model stealing has become an emerging problem in machine learning security in recent years. In model stealing, one typically obtains the soft labels of model queries and a proxy dataset as prior knowledge, but this scenario is highly idealised. How to steal models without data and hard labels is a pressing problem that needs to be solved. The current mainstream of model stealing attack methods mainly focus on stealing the accuracy of the model and overlook the robustness of the model. However, robustness is essential in security applications such as facial recognition and secure payment scenarios. Moreover, building robust models usually requires costly adversarial training and fine-tuning, making these models the primary targets for theft. To address these issues, in this paper, we propose a new data-free robustness stealing method under data-free conditions from the perspective of data generation, thereby better shaping the classification boundary data to optimise the accuracy and robustness of the models. Through testing, our method achieved clean accuracy and robust accuracy of 53.69% and 21.0%, respectively, under the more complex CIFAR-100 dataset classification. These results are only 3.06% and 3.94% different from the target model, respectively, showing a significant improvement over recent research.

Jianping He,Haichang Gao,Yunyi Zhou

DOI: https://doi.org/10.1109/ijcnn60899.2024.10650742

2024-01-01

Abstract:Machine Learning Model Deployment as a Service (MLaaS) has surged in popularity, offering substantial business value. However, the significant resources and costs required to train models have raised concerns about Model Stealing Attacks (MSAs), where attackers create a clone model to replicate the knowledge of a victim model without access to its parameters. In data-free MSA, attackers also lack access to the training data for the victim model. In this setting, existing MSA methods rely on Generative Adversarial Networks (GANs) to generate images to query the victim model. However, GANs are known to suffer from model collapse, resulting in limited diversity in generated images. The lack of diversity in generated images will significantly impact the accuracy of the clone model, especially in stealing robust models trained with adversarial training. Recent studies have demonstrated that Denoising Diffusion Probabilistic Models (DDPMs) outperform GANs in generating images with greater diversity. In our data-free MSA framework, using DDPM as the generator to steal robust models significantly increases the effectiveness, improving the accuracy of the clone model from 21.34% to 60.23% compared to the GANs-based approach DFME, and requires fewer queries. We further use denoise diffusion GANs to address the problem of low sampling speed of DDPM, while retaining the advantage of its high sample diversity and obtaining better results.

Gaozheng Pei,Shaojie lyu,Ke Ma,Pinci Yang,Qianqian Xu,Yingfei Sun

2024-12-18

Abstract:Data-free model stealing involves replicating the functionality of a target model into a substitute model without accessing the target model's structure, parameters, or training data. The adversary can only access the target model's predictions for generated samples. Once the substitute model closely approximates the behavior of the target model, attackers can exploit its white-box characteristics for subsequent malicious activities, such as adversarial attacks. Existing methods within cooperative game frameworks often produce samples with high confidence for the prediction of the substitute model, which makes it difficult for the substitute model to replicate the behavior of the target model. This paper presents a new data-free model stealing approach called Query Efficient Data Generation (\textbf{QEDG}). We introduce two distinct loss functions to ensure the generation of sufficient samples that closely and uniformly align with the target model's decision boundary across multiple classes. Building on the limitation of current methods, which typically yield only one piece of supervised information per query, we propose the query-free sample augmentation that enables the acquisition of additional supervised information without increasing the number of queries. Motivated by theoretical analysis, we adopt the consistency rate metric, which more accurately evaluates the similarity between the substitute and target models. We conducted extensive experiments to verify the effectiveness of our proposed method, which achieved better performance with fewer queries compared to the state-of-the-art methods on the real \textbf{MLaaS} scenario and five datasets.

Cryptography and Security,Artificial Intelligence,Machine Learning

Xiaojian Yuan,Kejiang Chen,Wen Huang,Jie Zhang,Weiming Zhang,Nenghai Yu

DOI: https://doi.org/10.1609/aaai.v38i7.28510

2024-01-01

Abstract:The popularity of Machine Learning as a Service (MLaaS) has led to increased concerns about Model Stealing Attacks (MSA), which aim to craft a clone model by querying MLaaS. Currently, most research on MSA assumes that MLaaS can provide soft labels and that the attacker has a proxy dataset with a similar distribution. However, this fails to encapsulate the more practical scenario where only hard labels are returned by MLaaS and the data distribution remains elusive. Furthermore, most existing work focuses solely on stealing the model accuracy, neglecting the model robustness, while robustness is essential in security-sensitive scenarios, e.g., face-scan payment. Notably, improving model robustness often necessitates the use of expensive techniques such as adversarial training, thereby further making stealing robustness a more lucrative prospect. In response to these identified gaps, we introduce a novel Data-Free Hard-Label Robustness Stealing (DFHL-RS) attack in this paper, which enables the stealing of both model accuracy and robustness by simply querying hard labels of the target model without the help of any natural data. Comprehensive experiments demonstrate the effectiveness of our method. The clone model achieves a clean accuracy of 77.86% and a robust accuracy of 39.51% against AutoAttack, which are only 4.71% and 8.40% lower than the target model on the CIFAR-10 dataset, significantly exceeding the baselines. Our code is available at: https://github.com/LetheSec/DFHL-RS-Attack.

Daryna Oliynyk,Rudolf Mayer,Andreas Rauber

DOI: https://doi.org/10.1145/3595292

IF: 16.6

2023-04-29

ACM Computing Surveys

Abstract:Machine-Learning-as-a-Service (MLaaS) has become a widespread paradigm, making even the most complex Machine Learning models available for clients via e.g. a pay-per-query principle. This allows users to avoid time-consuming processes of data collection, hyperparameter tuning, and model training. However, by giving their customers access to the (predictions of their) models, MLaaS providers endanger their intellectual property such as sensitive training data, optimised hyperparameters, or learned model parameters. In some cases, adversaries can create a copy of the model with (almost) identical behaviour using the the prediction labels only. While many variants of this attack have been described, only scattered defence strategies that address isolated threats have been proposed. To arrive at a comprehensive understanding why these attacks are successful and how they could be holistically defended against, a thorough systematisation of the field of model stealing is necessary. We address this by categorising and comparing model stealing attacks, assessing their performance, and exploring corresponding defence techniques in different settings. We propose a taxonomy for attack and defence approaches and provide guidelines on how to select the right attack- or defence strategy based on the goal and available resources. Finally, we analyse which defences are rendered less effective by current attack strategies.

computer science, theory & methods

Zhihao Zhu,Chenwang Wu,Rui Fan,Yi Yang,Zhen Wang,Defu Lian,Enhong Chen

2024-08-20

Abstract:Recent research demonstrates that GNNs are vulnerable to the model stealing attack, a nefarious endeavor geared towards duplicating the target model via query permissions. However, they mainly focus on node classification tasks, neglecting the potential threats entailed within the domain of graph classification tasks. Furthermore, their practicality is questionable due to unreasonable assumptions, specifically concerning the large data requirements and extensive model knowledge. To this end, we advocate following strict settings with limited real data and hard-label awareness to generate synthetic data, thereby facilitating the stealing of the target model. Specifically, following important data generation principles, we introduce three model stealing attacks to adapt to different actual scenarios: MSA-AU is inspired by active learning and emphasizes the uncertainty to enhance query value of generated samples; MSA-AD introduces diversity based on Mixup augmentation strategy to alleviate the query inefficiency issue caused by over-similar samples generated by MSA-AU; MSA-AUD combines the above two strategies to seamlessly integrate the authenticity, uncertainty, and diversity of the generated samples. Finally, extensive experiments consistently demonstrate the superiority of the proposed methods in terms of concealment, query efficiency, and stealing performance.

Machine Learning,Cryptography and Security

Avital Shafran,Ilia Shumailov,Murat A. Erdogdu,Nicolas Papernot

2024-06-13

Abstract:Model extraction attacks are designed to steal trained models with only query access, as is often provided through APIs that ML-as-a-Service providers offer. Machine Learning (ML) models are expensive to train, in part because data is hard to obtain, and a primary incentive for model extraction is to acquire a model while incurring less cost than training from scratch. Literature on model extraction commonly claims or presumes that the attacker is able to save on both data acquisition and labeling costs. We thoroughly evaluate this assumption and find that the attacker often does not. This is because current attacks implicitly rely on the adversary being able to sample from the victim model's data distribution. We thoroughly research factors influencing the success of model extraction. We discover that prior knowledge of the attacker, i.e., access to in-distribution data, dominates other factors like the attack policy the adversary follows to choose which queries to make to the victim model API. Our findings urge the community to redefine the adversarial goals of ME attacks as current evaluation methods misinterpret the ME performance.

Machine Learning,Cryptography and Security

Yixu WANG,Jie LI,Hong LIU,Yan WANG,Mingliang XU,Yongjian WU,Rongrong JI

DOI: https://doi.org/10.1360/ssi-2022-0029

2023-01-01

Abstract:A model stealing attack aims to create a substitute model that steals the task completion ability of the target victim model. Popular approaches have used data generation/selection and entropy loss to achieve promising attack performance. In this paper, we explore two overlooked yet effective components of the attack,data sampling and weighting. We propose a novel method named S＆W that provides a sampling scheme and a softlabel weighted loss function. First, we propose a data selection strategy that pays more attention to important samples for stealing more information from the victim model. Then, we introduce the k-Center algorithm to guarantee the selected subset’s diversity, aiming to make the core-set selection tractable. Second, we propose a weighted entropy loss inspired by the focal loss that mainly focuses on the difference in outputs of the victim and the stealing models, allowing the substitute model to better simulate the victim model. Extensive experiments on four widely used datasets consistently show that our proposed method outperforms state-of-the-art methods,with a maximum improvement of 5.03% over the next best method.

Yang Liu,Ji Luo,Yi Yang,Xuan Wang,Mehdi Gheisari,Feng Luo

DOI: https://doi.org/10.3390/e25020282

2023-01-01

Abstract:Machine learning as a service (MLaaS) plays an essential role in the current ecosystem. Enterprises do not need to train models by themselves separately. Instead, they can use well-trained models provided by MLaaS to support business activities. However, such an ecosystem could be threatened by model extraction attacks-an attacker steals the functionality of a trained model provided by MLaaS and builds a substitute model locally. In this paper, we proposed a model extraction method with low query costs and high accuracy. In particular, we use pre-trained models and task-relevant data to decrease the size of query data. We use instance selection to reduce query samples. In addition, we divided query data into two categories, namely low-confidence data and high-confidence data, to reduce the budget and improve accuracy. We then conducted attacks on two models provided by Microsoft Azure as our experiments. The results show that our scheme achieves high accuracy at low cost, with the substitution models achieving 96.10% and 95.24% substitution while querying only 7.32% and 5.30% of their training data on the two models, respectively. This new attack approach creates additional security challenges for models deployed on cloud platforms. It raises the need for novel mitigation strategies to secure the models. In future work, generative adversarial networks and model inversion attacks can be used to generate more diverse data to be applied to the attacks.

Florian Tramèr,Fan Zhang,Ari Juels,Michael K. Reiter,Thomas Ristenpart

DOI: https://doi.org/10.48550/arXiv.1609.02943

2016-10-03

Abstract:Machine learning (ML) models may be deemed confidential due to their sensitive training data, commercial value, or use in security applications. Increasingly often, confidential ML models are being deployed with publicly accessible query interfaces. ML-as-a-service ("predictive analytics") systems are an example: Some allow users to train models on potentially sensitive data and charge others for access on a pay-per-query basis. The tension between model confidentiality and public access motivates our investigation of model extraction attacks. In such attacks, an adversary with black-box access, but no prior knowledge of an ML model's parameters or training data, aims to duplicate the functionality of (i.e., "steal") the model. Unlike in classical learning theory settings, ML-as-a-service offerings may accept partial feature vectors as inputs and include confidence values with predictions. Given these practices, we show simple, efficient attacks that extract target ML models with near-perfect fidelity for popular model classes including logistic regression, neural networks, and decision trees. We demonstrate these attacks against the online services of BigML and Amazon Machine Learning. We further show that the natural countermeasure of omitting confidence values from model outputs still admits potentially harmful model extraction attacks. Our results highlight the need for careful ML model deployment and new model extraction countermeasures.

Cryptography and Security,Machine Learning

Gaoyang Liu,Shijie Wang,Borui Wan,Zekun Wang,Chen Wang

DOI: https://doi.org/10.1109/trustcom53373.2021.00083

2021-01-01

Abstract:Machine Learning (ML) models are progressively deployed in many real-world applications to perform a wide range of tasks, but are exposed to the security and privacy threats which aim to infer the details and even steal the functionality of the ML models. Despite extensive attacking efforts which rely on white-box or gray-box access, how to perform attacks with black-box access continues to be elusive. Aspiring to fill this gap, we move one step further and present ML-Stealer that can steal the functionality of any type of ML models with mere black-box access. With two algorithm designs, namely, synthetic data generation and replica model construction, ML-Stealer can construct a deep neural network (DNN)-based replica model which has the similar prediction functionality to the victim ML model. ML-Stealer does not require any knowledge about the victim model, nor does it enforce the access to statistical information or samples of the victim's training data. Experiment results demonstrate that ML-Stealer can achieve the consistent prediction results with the victim model of an averaged testing accuracy of 85.6%, and up to 93.6% at best.

Xueli Zhang,Jiale Chen,Qihua Li,Jianjun Zhang,Wing W. Y. Ng,Ting Wang

DOI: https://doi.org/10.1007/s13042-024-02376-0

2024-01-01

International Journal of Machine Learning and Cybernetics

Abstract:Machine learning as a service (MLaaS) has become a widely adopted approach, allowing customers to access even the most complex machine learning models through a pay-per-query model. Black-box distribution has been widely used to keep models secret in MLaaS. However, even with black-box distribution alleviating certain risks, the functionality of a model can still be compromised when customers gain access to their model’s predictions. To protect the intellectual property of model owners, we propose an effective defense method against model stealing attacks with the localized stochastic sensitivity (LSS), namely LSSMSD. First, suspicious queries are detected by employing an out-of-distribution (OOD) detector. Addressing a critical issue with many existing defense methods that overly rely on OOD detection results, thus affecting the model’s fidelity, we innovatively introduce LSS to solve this problem. By calculating the LSS of suspicious queries, we can selectively output misleading predictions for queries with high LSS using an misinformation mechanism. Extensive experiments demonstrate that LSSMSD offers robust protections for victim models against black-box proxy attacks such as Jacobian-based dataset augmentation and Knockoff Nets. It significantly reduces accuracies of attackers’ substitute models (up to 77.94 -2.72% ), thereby maintaining the fidelity of the victim model.

Xiaoyong Yuan,Leah Ding,Lan Zhang,Xiaolin Li,Dapeng Wu

DOI: https://doi.org/10.48550/arXiv.2009.09560

2022-01-26

Abstract:Deep neural networks (DNNs) have become the essential components for various commercialized machine learning services, such as Machine Learning as a Service (MLaaS). Recent studies show that machine learning services face severe privacy threats - well-trained DNNs owned by MLaaS providers can be stolen through public APIs, namely model stealing attacks. However, most existing works undervalued the impact of such attacks, where a successful attack has to acquire confidential training data or auxiliary data regarding the victim DNN. In this paper, we propose ES Attack, a novel model stealing attack without any data hurdles. By using heuristically generated synthetic data, ES Attack iteratively trains a substitute model and eventually achieves a functionally equivalent copy of the victim DNN. The experimental results reveal the severity of ES Attack: i) ES Attack successfully steals the victim model without data hurdles, and ES Attack even outperforms most existing model stealing attacks using auxiliary data in terms of model accuracy; ii) most countermeasures are ineffective in defending ES Attack; iii) ES Attack facilitates further attacks relying on the stolen model.

Computer Vision and Pattern Recognition,Cryptography and Security

Wenjian Luo,Licai Zhang,Yulin Wu,Chuanyi Liu,Peiyi Han,Rongfei Zhuang

DOI: https://doi.org/10.1109/TAI.2023.3266419

2024-01-01

Abstract:In recent years, Machine Learning (ML) models, especially deep learning models, have become commodities. In this context, data centers which hold a lot of data often buy ML models from ML model providers, train them on their data locally and use the trained models to provide intelligent services. Existing work has shown that there is a risk of data leakage, which could cause incalculable consequences. Even under the black-box condition, there are still some attacks that can steal the private data held by data centers, and the Capacity Abuse Attack (CAA) is the state-of-the-art attack method. CAA attackers steal the training data by labeling malicious samples with the data to be stolen. However, the label encodings are usually mapped into other output forms such as categories, and it is impossible for the adversary to know the mapping relationship between the form outputted by the trained model and the label encodings. Without the mapping relationship, CAA becomes invalid. Aiming at the limitation of CAA, this study proposes a novel practical attack method, i.e., Capacity Abuse Attack II (CAAII), which can find the mapping relationship between the output in the arbitrary form returned by the trained model and the values of the stolen data. Experiments are conducted on MNIST, Fashion-MNIST, and CIFAR10 datasets, and experimental results show that no matter what forms are returned by the model, our attack method can always find the mapping relationship and successfully steals the training data.

Zhihao Zhu,Rui Fan,Chenwang Wu,Yi Yang,Defu Lian,Enhong Chen

2023-12-26

Abstract:Recent studies have demonstrated the vulnerability of recommender systems to data privacy attacks. However, research on the threat to model privacy in recommender systems, such as model stealing attacks, is still in its infancy. Some adversarial attacks have achieved model stealing attacks against recommender systems, to some extent, by collecting abundant training data of the target model (target data) or making a mass of queries. In this paper, we constrain the volume of available target data and queries and utilize auxiliary data, which shares the item set with the target data, to promote model stealing attacks. Although the target model treats target and auxiliary data differently, their similar behavior patterns allow them to be fused using an attention mechanism to assist attacks. Besides, we design stealing functions to effectively extract the recommendation list obtained by querying the target model. Experimental results show that the proposed methods are applicable to most recommender systems and various scenarios and exhibit excellent attack performance on multiple datasets.

Cryptography and Security,Artificial Intelligence,Machine Learning

Jiacheng Liang,Ren Pang,Changjiang Li,Ting Wang

DOI: https://doi.org/10.48550/arXiv.2312.05386

2023-12-09

Abstract:Model extraction (ME) attacks represent one major threat to Machine-Learning-as-a-Service (MLaaS) platforms by ``stealing'' the functionality of confidential machine-learning models through querying black-box APIs. Over seven years have passed since ME attacks were first conceptualized in the seminal work. During this period, substantial advances have been made in both ME attacks and MLaaS platforms, raising the intriguing question: How has the vulnerability of MLaaS platforms to ME attacks been evolving? In this work, we conduct an in-depth study to answer this critical question. Specifically, we characterize the vulnerability of current, mainstream MLaaS platforms to ME attacks from multiple perspectives including attack strategies, learning techniques, surrogate-model design, and benchmark tasks. Many of our findings challenge previously reported results, suggesting emerging patterns of ME vulnerability. Further, by analyzing the vulnerability of the same MLaaS platforms using historical datasets from the past four years, we retrospectively characterize the evolution of ME vulnerability over time, leading to a set of interesting findings. Finally, we make suggestions about improving the current practice of MLaaS in terms of attack robustness. Our study sheds light on the current state of ME vulnerability in the wild and points to several promising directions for future research.

Machine Learning,Cryptography and Security

Guofeng Gao,Xiaodong Wang,Zhiqiang Wei,Jinghai Ai

DOI: https://doi.org/10.1109/swc57546.2023.10448559

2023-01-01

Abstract:Data-free model stealing (MS) attacks use synthetic samples to query a target model and train a substitute model to fit the target model’s predictions, avoiding strong dependence on real datasets used by model developers. However, the existing data-free MS attack methods still have a big gap in generating high-quality query samples for high-precision MS attacks. In this paper, we construct the DDPM-optimized generator to generate data, in which a residual network-like structure is designed to fuse data to synthesize query samples. Our method further improves the quantity and quality of synthetic query samples, and effectively reduces the number of queries to the target model. The results show that the proposed method achieves superior performance compared to state-of-the-art methods.

Kaisheng Fan,Weizhe Zhang,Guangrui Liu,Hui He

DOI: https://doi.org/10.1186/s42400-023-00171-y

2023-01-01

Abstract:Intrusion detection systems are increasingly using machine learning. While machine learning has shown excellent performance in identifying malicious traffic, it may increase the risk of privacy leakage. This paper focuses on implementing a model stealing attack on intrusion detection systems. Existing model stealing attacks are hard to implement in practical network environments, as they either need private data of the victim dataset or frequent access to the victim model. In this paper, we propose a novel solution called Fast Model Stealing Attack (FMSA) to address the problem in the field of model stealing attacks. We also highlight the risks of using ML-NIDS in network security. First, meta-learning frameworks are introduced into the model stealing algorithm to clone the victim model in a black-box state. Then, the number of accesses to the target model is used as an optimization term, resulting in minimal queries to achieve model stealing. Finally, adversarial training is used to simulate the data distribution of the target model and achieve the recovery of privacy data. Through experiments on multiple public datasets, compared to existing state-of-the-art algorithms, FMSA reduces the number of accesses to the target model and improves the accuracy of the clone model on the test dataset to 88.9% and the similarity with the target model to 90.1%. We can demonstrate the successful execution of model stealing attacks on the ML-NIDS system even with protective measures in place to limit the number of anomalous queries.

Yixu Wang,Jie Li,Hong Liu,Yan Wang,Yongjian Wu,Feiyue Huang,Rongrong Ji

DOI: https://doi.org/10.1007/978-3-031-20065-6_12

2022-01-01

Abstract:Previous studies have verified that the functionality of blackbox models can be stolen with full probability outputs. However, under the more practical hard-label setting, we observe that existing methods suffer from catastrophic performance degradation. We argue this is due to the lack of rich information in the probability prediction and the overfitting caused by hard labels. To this end, we propose a novel hard-label model stealing method termed black-box dissector, which consists of two erasing-based modules. One is a CAM-driven erasing strategy that is designed to increase the information capacity hidden in hard labels from the victim model. The other is a random-erasing-based self-knowledge distillation module that utilizes soft labels from the substitute model to mitigate overfitting. Extensive experiments on four widely-used datasets consistently demonstrate that our method outperforms state-of-the-art methods, with an improvement of at most 8.27%. We also validate the effectiveness and practical potential of our method on real-world APIs and defense methods. Furthermore, our method promotes other related tasks, i.e., transfer adversarial attacks.