Black-Box Attacks on Sequential Recommenders via Data-Free Model Extraction
- URL: http://arxiv.org/abs/2109.01165v1
- Date: Wed, 1 Sep 2021 02:38:56 GMT
- Title: Black-Box Attacks on Sequential Recommenders via Data-Free Model Extraction
- Authors: Zhenrui Yue, Zhankui He, Huimin Zeng, Julian McAuley
- Abstract summary: We investigate whether model extraction can be used to "steal" the weights of sequential recommender systems. We propose an API-based model extraction method via limited-budget synthetic data generation and knowledge distillation.
- Score: 1.8065361710947978
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: We investigate whether model extraction can be used to "steal" the weights of sequential recommender systems, and the potential threats posed to victims of such attacks. This type of risk has attracted attention in image and text classification, but to our knowledge not in recommender systems. We argue that sequential recommender systems are subject to unique vulnerabilities due to the specific autoregressive regimes used to train them. Unlike many existing recommender attackers, which assume the dataset used to train the victim model is exposed to attackers, we consider a data-free setting, where training data are not accessible. Under this setting, we propose an API-based model extraction method via limited-budget synthetic data generation and knowledge distillation. We investigate state-of-the-art models for sequential recommendation and show their vulnerability under model extraction and downstream attacks. We perform attacks in two stages. (1) Model extraction: given different types of synthetic data and their labels retrieved from a black-box recommender, we extract the black-box model to a white-box model via distillation. (2) Downstream attacks: we attack the black-box model with adversarial samples generated by the white-box recommender. Experiments show the effectiveness of our data-free model extraction and downstream attacks on sequential recommenders in both profile pollution and data poisoning settings.
Related papers
- Few-shot Model Extraction Attacks against Sequential Recommender Systems [2.372285091200233]
This study introduces a novel few-shot model extraction framework against sequential recommenders.
It is designed to construct a superior surrogate model with the utilization of few-shot data.
Experiments on three datasets show that the proposed few-shot model extraction framework yields superior surrogate models.
arXiv Detail & Related papers (2024-11-18T15:57:14Z)
- MEAOD: Model Extraction Attack against Object Detectors [45.817537875368956]
Model extraction attacks allow attackers to replicate a substitute model with comparable functionality to the victim model.
We propose an effective attack method called MEAOD for object detection models.
We achieve an extraction performance of over 70% under the given condition of a 10k query budget.
arXiv Detail & Related papers (2023-12-22T13:28:50Z)
- Model Stealing Attack against Recommender System [85.1927483219819]
Some adversarial attacks have achieved model stealing attacks against recommender systems.
In this paper, we constrain the volume of available target data and queries and utilize auxiliary data, which shares the item set with the target data, to promote model stealing attacks.
arXiv Detail & Related papers (2023-12-18T05:28:02Z)
- Defense Against Model Extraction Attacks on Recommender Systems [53.127820987326295]
We introduce Gradient-based Ranking Optimization (GRO) to defend against model extraction attacks on recommender systems.
GRO aims to minimize the loss of the protected target model while maximizing the loss of the attacker's surrogate model.
Results show GRO's superior effectiveness in defending against model extraction attacks.
arXiv Detail & Related papers (2023-10-25T03:30:42Z)
- Query Efficient Cross-Dataset Transferable Black-Box Attack on Action Recognition [99.29804193431823]
Black-box adversarial attacks present a realistic threat to action recognition systems.
We propose a new attack on action recognition that addresses these shortcomings by generating perturbations.
Our method achieves 8% and 12% higher deception rates compared to state-of-the-art query-based and transfer-based attacks, respectively.
arXiv Detail & Related papers (2022-11-23T17:47:49Z)
- MOVE: Effective and Harmless Ownership Verification via Embedded External Features [109.19238806106426]
We propose an effective and harmless model ownership verification (MOVE) to defend against different types of model stealing simultaneously.
We conduct the ownership verification by verifying whether a suspicious model contains the knowledge of defender-specified external features.
In particular, we develop our MOVE method under both white-box and black-box settings to provide comprehensive model protection.
arXiv Detail & Related papers (2022-08-04T02:22:29Z)
- Careful What You Wish For: on the Extraction of Adversarially Trained Models [2.707154152696381]
Recent attacks on Machine Learning (ML) models pose several security and privacy threats.
We propose a framework to assess extraction attacks on adversarially trained models.
We show that adversarially trained models are more vulnerable to extraction attacks than models obtained under natural training circumstances.
arXiv Detail & Related papers (2022-07-21T16:04:37Z)
- Delving into Data: Effectively Substitute Training for Black-box Attack [84.85798059317963]
We propose a novel perspective on substitute training that focuses on designing the distribution of data used in the knowledge stealing process.
The combination of these two modules can further boost the consistency of the substitute model and target model, which greatly improves the effectiveness of adversarial attack.
arXiv Detail & Related papers (2021-04-26T07:26:29Z)
- Data-Free Model Extraction [16.007030173299984]
Current model extraction attacks assume that the adversary has access to a surrogate dataset with characteristics similar to the proprietary data used to train the victim model.
We propose data-free model extraction methods that do not require a surrogate dataset.
We find that the proposed data-free model extraction approach achieves high accuracy with reasonable query complexity.
arXiv Detail & Related papers (2020-11-30T13:37:47Z)
- DaST: Data-free Substitute Training for Adversarial Attacks [55.76371274622313]
We propose a data-free substitute training method (DaST) to obtain substitute models for adversarial black-box attacks.
To achieve this, DaST utilizes specially designed generative adversarial networks (GANs) to train the substitute models.
Experiments demonstrate that the substitute models can achieve competitive performance compared with the baseline models.
arXiv Detail & Related papers (2020-03-28T04:28:13Z)
This list is automatically generated from the titles and abstracts of the papers in this site.