Black-Box Dissector: Towards Erasing-based Hard-Label Model Stealing Attack
- URL: http://arxiv.org/abs/2105.00623v1
- Date: Mon, 3 May 2021 04:12:31 GMT
- Title: Black-Box Dissector: Towards Erasing-based Hard-Label Model Stealing Attack
- Authors: Yixu Wang, Jie Li, Hong Liu, Yongjian Wu, Rongrong Ji
- Abstract summary: A model stealing attack aims to create a substitute model that replicates the capability of the victim target model.
Most existing methods depend on the full probability outputs of the victim model, which are unavailable in most realistic scenarios.
We propose a novel hard-label model stealing method termed black-box dissector, which includes a CAM-driven erasing strategy to mine the hidden information in the hard labels returned by the victim model.
- Score: 90.6076825117532
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: A model stealing attack aims to create a substitute model that
replicates the capability of the victim target model. However, most existing
methods depend on the full probability outputs of the victim model, which are
unavailable in most realistic scenarios. In the more practical hard-label
setting, existing methods suffer catastrophic performance degradation because
a hard label carries far less information than a probability vector. Inspired
by knowledge distillation, we propose a novel hard-label model stealing method
termed black-box dissector, which includes a CAM-driven erasing strategy to
mine the hidden information in the hard labels returned by the victim model,
and a random-erasing-based self-knowledge distillation module that uses soft
labels from the substitute model to avoid the overfitting and miscalibration
caused by hard labels. Extensive experiments on four widely used datasets
consistently show that our method outperforms state-of-the-art methods, with
an improvement of up to 9.92%. Experiments on real-world APIs further confirm
the effectiveness of our method. Our method can also defeat existing defense
methods, which further demonstrates its practical potential.
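The abstract's central idea is that a hard-label API still leaks more than one bit per query: erase the region the current substitute considers most discriminative and re-query, and whenever the returned label flips, the erased input comes back with a second class that the single argmax label hid. The toy simulation below is an added example, not code from the paper or its authors. It replaces the paper's image classifier and CAM with a random linear victim and per-feature attribution (weight times input) from the substitute, and it omits the self-distillation module; the victim weights, input dimension, class count, query budget and erase fraction are all assumed toy values.

```python
"""Toy hard-label model stealing with attribution-driven erasing (constructed).

The victim is a random linear classifier whose API returns only the argmax
label. The attacker trains a multi-class perceptron substitute, then erases
the features the substitute attributes most to the returned class (a 1-D
stand-in for CAM-driven erasing) and re-queries; flipped labels become extra
training pairs that a plain hard-label attacker never sees.
"""
import random

D, K = 8, 3  # assumed toy input dimension and number of classes


def make_victim(d=D, k=K):
    """Random linear victim; the attacker never reads these weights."""
    return [[random.uniform(-1, 1) for _ in range(d)] for _ in range(k)]


def scores(w, x):
    return [sum(wi * xi for wi, xi in zip(row, x)) for row in w]


def hard_label(w, x):
    """All the black-box API exposes: the index of the top-scoring class."""
    s = scores(w, x)
    return max(range(len(s)), key=lambda c: s[c])


def random_inputs(n, d=D):
    return [[random.uniform(-1, 1) for _ in range(d)] for _ in range(n)]


def train_substitute(samples, d=D, k=K, epochs=30, lr=0.1):
    """Multi-class perceptron fitted to (input, hard label) pairs."""
    w = [[0.0] * d for _ in range(k)]
    for _ in range(epochs):
        for x, y in samples:
            pred = hard_label(w, x)
            if pred != y:
                for i in range(d):
                    w[y][i] += lr * x[i]
                    w[pred][i] -= lr * x[i]
    return w


def erase_top_features(sub_w, x, y, frac=0.5):
    """Zero the features that contribute most to the substitute's score for
    class y. This mimics erasing the CAM-highlighted region of an image."""
    attribution = [sub_w[y][i] * x[i] for i in range(len(x))]
    n_erase = max(1, int(frac * len(x)))
    top = sorted(range(len(x)), key=lambda i: attribution[i], reverse=True)
    x_erased = list(x)
    for i in top[:n_erase]:
        x_erased[i] = 0.0
    return x_erased


def mine_second_labels(victim, sub_w, labeled):
    """Erase, re-query the hard-label API, keep inputs whose label flipped."""
    mined = []
    for x, y in labeled:
        xe = erase_top_features(sub_w, x, y)
        ye = hard_label(victim, xe)
        if ye != y:
            mined.append((xe, ye))
    return mined


def agreement(victim, sub_w, test_x):
    """Fraction of held-out inputs on which substitute and victim agree."""
    same = sum(hard_label(victim, x) == hard_label(sub_w, x) for x in test_x)
    return same / len(test_x)


def run_attack(n_queries=300, n_test=500, seed=0):
    random.seed(seed)  # deterministic victim, queries and test points
    victim = make_victim()
    labeled = [(x, hard_label(victim, x)) for x in random_inputs(n_queries)]
    sub_plain = train_substitute(labeled)           # hard labels only
    mined = mine_second_labels(victim, sub_plain, labeled)
    sub_erase = train_substitute(labeled + mined)   # plus erased re-queries
    test_x = random_inputs(n_test)
    return {
        "flips": len(mined),
        "agree_plain": agreement(victim, sub_plain, test_x),
        "agree_erase": agreement(victim, sub_erase, test_x),
    }


if __name__ == "__main__":
    print(run_attack())
```

Each flipped re-query costs one extra API call, so a fair comparison against the plain attacker must count queries, not samples; the paper's evaluation is under a query budget, and the toy here simply reports how many of the erased inputs yield a second label and how well each substitute agrees with the victim on fresh inputs.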