Copycat CNN: Are Random Non-Labeled Data Enough to Steal Knowledge from Black-box Models?
- URL: http://arxiv.org/abs/2101.08717v1
- Date: Thu, 21 Jan 2021 16:55:14 GMT
- Title: Copycat CNN: Are Random Non-Labeled Data Enough to Steal Knowledge from Black-box Models?
- Authors: Jacson Rodrigues Correia-Silva, Rodrigo F. Berriel, Claudine Badue, Alberto F. De Souza, Thiago Oliveira-Santos
- Abstract summary: We present a simple, yet powerful, method to copy black-box models by querying them with natural random images.
Results show that natural random images are effective for generating copycats of models for several problems.
- Score: 6.147656956482848
- License: http://creativecommons.org/licenses/by-nc-nd/4.0/
- Abstract: Convolutional neural networks have lately been successful, enabling companies to develop neural-based products. Building such products demands an expensive process involving data acquisition and annotation, and model generation, which usually requires experts. Given all these costs, companies are concerned about the security of their models against copying, and deliver them as black boxes accessed through APIs. Nonetheless, we argue that even black-box models still have some vulnerabilities. In a preliminary work, we presented a simple, yet powerful, method to copy black-box models by querying them with natural random images. In this work, we consolidate and extend the copycat method: (i) some constraints are waived; (ii) an extensive evaluation on several problems is performed; (iii) models are copied between different architectures; and (iv) a deeper analysis is performed by looking at the copycat's behavior. Results show that natural random images are effective for generating copycats for several problems.
Related papers
- Stealing Image-to-Image Translation Models With a Single Query [24.819964498441635]
We study the possibility of stealing image-to-image models.
We find that many such models can be stolen with as little as a single, small-sized query image.
Remarkably, we find that the vulnerability to stealing attacks is shared by CNNs and by models with attention mechanisms.
arXiv Detail & Related papers (2024-06-02T18:30:41Z)
- Towards Few-Call Model Stealing via Active Self-Paced Knowledge Distillation and Diffusion-Based Image Generation [33.60710287553274]
We propose to copy black-box classification models without having access to the original training data, the architecture, and the weights of the model.
We employ a novel active self-paced learning framework to make the most of the proxy data during distillation.
Our empirical results on two data sets confirm the superiority of our framework over two state-of-the-art methods in the few-call model extraction scenario.
arXiv Detail & Related papers (2023-09-29T19:09:27Z)
- DIAGNOSIS: Detecting Unauthorized Data Usages in Text-to-image Diffusion Models [79.71665540122498]
We propose a method for detecting unauthorized data usage by planting injected content into the protected dataset.
Specifically, we modify the protected images by adding unique content to them using stealthy image warping functions.
By analyzing whether the model has memorized the injected content, we can detect models that have illegally utilized the unauthorized data.
arXiv Detail & Related papers (2023-07-06T16:27:39Z)
- Are You Stealing My Model? Sample Correlation for Fingerprinting Deep Neural Networks [86.55317144826179]
Previous methods always leverage transferable adversarial examples as the model fingerprint.
We propose a novel yet simple model stealing detection method based on SAmple Correlation (SAC).
SAC successfully defends against various model stealing attacks, even including adversarial training or transfer learning.
arXiv Detail & Related papers (2022-10-21T02:07:50Z)
- MOVE: Effective and Harmless Ownership Verification via Embedded External Features [109.19238806106426]
We propose an effective and harmless model ownership verification (MOVE) to defend against different types of model stealing simultaneously.
We conduct the ownership verification by verifying whether a suspicious model contains the knowledge of defender-specified external features.
In particular, we develop our MOVE method under both white-box and black-box settings to provide comprehensive model protection.
arXiv Detail & Related papers (2022-08-04T02:22:29Z)
- Defending against Model Stealing via Verifying Embedded External Features [90.29429679125508]
Adversaries can "steal" deployed models even when they have no training samples and cannot get access to the model parameters or structures.
We explore the defense from another angle by verifying whether a suspicious model contains the knowledge of defender-specified external features.
Our method is effective in detecting different types of model stealing simultaneously, even if the stolen model is obtained via a multi-stage stealing process.
arXiv Detail & Related papers (2021-12-07T03:51:54Z)
- Black-Box Ripper: Copying black-box models using generative evolutionary algorithms [29.243901669124515]
We study the task of replicating the functionality of black-box neural models.
We assume back-propagation through the black-box model is not possible.
We present a teacher-student framework that can distill the black-box (teacher) model into a student model.
arXiv Detail & Related papers (2020-10-21T17:25:23Z)
- Improving Query Efficiency of Black-box Adversarial Attack [75.71530208862319]
We propose a Neural Process based black-box adversarial attack (NP-Attack).
NP-Attack could greatly decrease the query counts under the black-box setting.
arXiv Detail & Related papers (2020-09-24T06:22:56Z)
- Model Watermarking for Image Processing Networks [120.918532981871]
How to protect the intellectual property of deep models is a very important but seriously under-researched problem.
We propose the first model watermarking framework for protecting image processing models.
arXiv Detail & Related papers (2020-02-25T18:36:18Z)
This list is automatically generated from the titles and abstracts of the papers in this site.
This site does not guarantee the quality of its content (including all information) and is not responsible for any consequences.