MEGA: Model Stealing via Collaborative Generator-Substitute Networks. (arXiv:2202.00008v1 [cs.CR])

Deep machine learning models are increasingly deployedin the wild for
providing services to users. Adversaries maysteal the knowledge of these
valuable models by trainingsubstitute models according to the inference results
of thetargeted deployed models. Recent data-free model stealingmethods are
shown effective to extract the knowledge of thetarget model without using real
query examples, but they as-sume rich inference information, e.g., class
probabilities andlogits. However, they are all based on competing
generator-substitute networks and hence encounter training instability.In this
paper we propose a data-free model stealing frame-work,MEGA, which is based on
collaborative generator-substitute networks and only requires the target model
toprovide label prediction for synthetic query examples. Thecore of our method
is a model stealing optimization con-sisting of two collaborative models (i)
the substitute modelwhich imitates the target model through the synthetic
queryexamples and their inferred labels and (ii) the generatorwhich synthesizes
images such that the confidence of thesubstitute model over each query example
is maximized. Wepropose a novel coordinate descent training procedure
andanalyze its convergence. We also empirically evaluate thetrained substitute
model on three datasets and its applicationon black-box adversarial attacks.
Our results show that theaccuracy of our trained substitute model and the
adversarialattack success rate over it can be up to 33% and 40% higherthan
state-of-the-art data-free black-box attacks.

Source: https://arxiv.org/abs/2202.00008

webmaster

Related post