Can't Steal? Cont-Steal! Contrastive Stealing Attacks Against Image Encoders
- URL: http://arxiv.org/abs/2201.07513v2
- Date: Mon, 27 Mar 2023 11:45:43 GMT
- Title: Can't Steal? Cont-Steal! Contrastive Stealing Attacks Against Image Encoders
- Authors: Zeyang Sha and Xinlei He and Ning Yu and Michael Backes and Yang Zhang
- Abstract summary: Self-supervised representation learning techniques encode images into rich features that are oblivious to downstream tasks.
The requirements for dedicated model designs and a massive amount of resources expose image encoders to the risks of potential model stealing attacks.
We propose Cont-Steal, a contrastive-learning-based attack, and validate its improved stealing effectiveness in various experiment settings.
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: Self-supervised representation learning techniques have been developing rapidly to make full use of unlabeled images. They encode images into rich features that are oblivious to downstream tasks. Behind their revolutionary representation power, the requirements for dedicated model designs and a massive amount of computation resources expose image encoders to the risks of potential model stealing attacks - a cheap way to mimic the well-trained encoder's performance while circumventing the demanding requirements. Yet conventional attacks only target supervised classifiers given their predicted labels and/or posteriors, which leaves the vulnerability of unsupervised encoders unexplored.
In this paper, we first instantiate the conventional stealing attacks against encoders and demonstrate that encoders are more vulnerable than downstream classifiers. To better leverage the rich representation of encoders, we further propose Cont-Steal, a contrastive-learning-based attack, and validate its improved stealing effectiveness in various experiment settings. As a takeaway, we appeal to our community's attention to the intellectual property protection of representation learning techniques, especially to the defenses against encoder stealing attacks like ours.
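The abstract contrasts two ways of stealing an encoder through its embedding API: the conventional route, which regresses a surrogate's output onto the embeddings returned by the target, and a contrastive route, which treats the target's embedding of an image and the surrogate's embedding of an augmented view of that image as a positive pair and all other returned embeddings as negatives. The toy below is an added illustration written for this page, not the authors' code: the "images" are Gaussian vectors, the target encoder is a random linear map with L2-normalised output, the surrogate is linear, augmentation is additive noise, and the InfoNCE form, temperature and optimiser settings are my assumptions rather than anything the abstract specifies. What it does show is the security-relevant point: a single batch of queries to a black-box embedding endpoint is enough for either objective to produce a surrogate whose embeddings agree closely with the target's on inputs it has never seen.

```python
"""Toy encoder-stealing demo: conventional embedding regression vs a contrastive
(InfoNCE) objective, both driven only by black-box embedding queries.

Constructed for illustration (not the paper's code): linear target/surrogate,
Gaussian "images", noise augmentation. Requires numpy.
"""
import numpy as np

D_IN, D_EMB = 16, 8            # toy input and embedding sizes (assumed)
N_QUERIES, N_TEST = 1024, 256  # attacker's query budget / held-out evaluation set
TAU = 0.1                      # InfoNCE temperature (assumed)
STEPS, LR = 500, 0.005         # Adam steps and learning rate (assumed)


def l2_normalize(a):
    return a / np.linalg.norm(a, axis=1, keepdims=True)


class TargetEncoder:
    """Victim encoder. The attacker only ever calls embed()."""
    def __init__(self, rng):
        q, _ = np.linalg.qr(rng.standard_normal((D_IN, D_EMB)))
        self.w = q.T           # (D_EMB, D_IN), orthonormal rows keep the toy well-conditioned
        self.queries = 0       # defender-side view of how much was asked

    def embed(self, x):
        self.queries += len(x)
        return l2_normalize(x @ self.w.T)


def mse_grad(u, z):
    """Conventional stealing: fit surrogate output u to target embedding z. Returns (loss, dL/du)."""
    diff = u - z
    return float(np.mean(np.sum(diff ** 2, axis=1))), 2.0 * diff / len(u)


def infonce_grad(u, z, tau=TAU):
    """Contrastive stealing: surrogate embedding of view i must match target z_i (positive)
    and not z_j for j != i (negatives). Returns (loss, dL/du)."""
    n = len(u)
    s = l2_normalize(u)
    logits = s @ z.T / tau                       # similarity of each view to every queried embedding
    logits -= logits.max(axis=1, keepdims=True)  # numerical stability
    p = np.exp(logits)
    p /= p.sum(axis=1, keepdims=True)            # softmax over candidates
    loss = -float(np.mean(np.log(p[np.arange(n), np.arange(n)])))
    g_s = (p @ z - z) / (n * tau)                # dL/ds_i = (sum_j p_ij z_j - z_i) / (n tau)
    norms = np.linalg.norm(u, axis=1, keepdims=True)
    g_u = (g_s - np.sum(g_s * s, axis=1, keepdims=True) * s) / norms  # through s = u/||u||
    return loss, g_u


def no_augment(x, rng):
    return x


def noise_augment(x, rng):
    return x + 0.1 * rng.standard_normal(x.shape)  # cheap stand-in for image augmentation


def steal(target, x_query, loss_grad, augment, rng):
    """Query the oracle once, then fit a linear surrogate offline with Adam."""
    z = target.embed(x_query)                    # the only oracle access in the attack
    w = 0.1 * rng.standard_normal((D_EMB, D_IN))
    m, v = np.zeros_like(w), np.zeros_like(w)
    b1, b2, eps = 0.9, 0.999, 1e-8
    for t in range(1, STEPS + 1):
        xa = augment(x_query, rng)
        _, g_u = loss_grad(xa @ w.T, z)
        g_w = g_u.T @ xa                         # chain rule for u = x w^T
        m = b1 * m + (1 - b1) * g_w
        v = b2 * v + (1 - b2) * g_w ** 2
        w -= LR * (m / (1 - b1 ** t)) / (np.sqrt(v / (1 - b2 ** t)) + eps)
    return w


def agreement(target_w, w, x_test):
    """Mean cosine similarity between surrogate and target embeddings on unseen inputs."""
    s, z = l2_normalize(x_test @ w.T), l2_normalize(x_test @ target_w.T)
    return float(np.mean(np.sum(s * z, axis=1)))


def run_demo(seed=0):
    rng = np.random.default_rng(seed)
    target = TargetEncoder(rng)
    x_query = rng.standard_normal((N_QUERIES, D_IN))   # attacker's unlabeled public data (constructed)
    x_test = rng.standard_normal((N_TEST, D_IN))
    results = {"random_surrogate": agreement(target.w, 0.1 * rng.standard_normal((D_EMB, D_IN)), x_test)}
    w_mse = steal(target, x_query, mse_grad, no_augment, rng)
    results["conventional_mse"] = agreement(target.w, w_mse, x_test)
    w_con = steal(target, x_query, infonce_grad, noise_augment, rng)
    results["contrastive"] = agreement(target.w, w_con, x_test)
    results["oracle_queries_total"] = target.queries
    return results


if __name__ == "__main__":
    for k, val in run_demo().items():
        print(f"{k}: {val}")
```

The defender-side number to watch is `oracle_queries_total`: each attack spends its budget in one batch and never returns to the API, so per-request rate limits or per-label posterior truncation (the defences that made sense for classifiers) have little to act on; the returned embedding vectors themselves carry the information the surrogate needs.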
Related papers
- MASKDROID: Robust Android Malware Detection with Masked Graph Representations
We propose MASKDROID, a powerful detector with a strong discriminative ability to identify malware.
We introduce a masking mechanism into the Graph Neural Network based framework, forcing MASKDROID to recover the whole input graph.
This strategy enables the model to understand the malicious semantics and learn more stable representations, enhancing its robustness against adversarial attacks.
arXiv Detail & Related papers (2024-09-29T07:22:47Z)
- Bucks for Buckets (B4B): Active Defenses Against Stealing Encoders
Bucks for Buckets (B4B) is the first active defense that prevents stealing while the attack is happening.
Our defense relies on the observation that the representations returned to adversaries who try to steal the encoder's functionality cover a significantly larger fraction of the embedding space.
arXiv Detail & Related papers (2023-10-12T17:56:53Z)
- Downstream-agnostic Adversarial Examples
AdvEncoder is the first framework for generating downstream-agnostic universal adversarial examples based on a pre-trained encoder.
Unlike traditional adversarial example works, the pre-trained encoder only outputs feature vectors rather than classification labels.
Our results show that an attacker can successfully attack downstream tasks without knowing either the pre-training dataset or the downstream dataset.
arXiv Detail & Related papers (2023-07-23T10:16:47Z)
- Robustness of Unsupervised Representation Learning without Labels
We propose a family of unsupervised robustness measures, which are model- and task-agnostic and label-free.
We validate our results against a linear probe and show that, for MOCOv2, adversarial training results in 3 times higher certified accuracy.
arXiv Detail & Related papers (2022-10-08T18:03:28Z)
- PoisonedEncoder: Poisoning the Unlabeled Pre-training Data in Contrastive Learning
We propose PoisonedEncoder, a data poisoning attack on contrastive learning.
In particular, an attacker injects carefully crafted poisoning inputs into the unlabeled pre-training data.
We evaluate five defenses against PoisonedEncoder, including one pre-processing, three in-processing, and one post-processing defense.
arXiv Detail & Related papers (2022-05-13T00:15:44Z)
- SSLGuard: A Watermarking Scheme for Self-supervised Learning Pre-trained Encoders
We propose SSLGuard, the first watermarking algorithm for pre-trained encoders.
SSLGuard is effective in watermark injection and verification, and is robust against model stealing and other watermark removal attacks.
arXiv Detail & Related papers (2022-01-27T17:41:54Z)
- StolenEncoder: Stealing Pre-trained Encoders
We propose the first attack, called StolenEncoder, to steal pre-trained image encoders.
Our results show that the encoders stolen by StolenEncoder have similar functionality to the target encoders.
arXiv Detail & Related papers (2022-01-15T17:04:38Z)
- BadEncoder: Backdoor Attacks to Pre-trained Encoders in Self-Supervised Learning
Self-supervised learning in computer vision aims to pre-train an image encoder using a large amount of unlabeled images or (image, text) pairs.
We propose BadEncoder, the first backdoor attack on self-supervised learning.
arXiv Detail & Related papers (2021-08-01T02:22:31Z)
- Adversarial Attacks on Binary Image Recognition Systems
We study adversarial attacks on models for binary (i.e. black and white) image classification.
In contrast to colored and grayscale images, the search space of attacks on binary images is extremely restricted.
We introduce a new attack algorithm called SCAR, designed to fool classifiers of binary images.
arXiv Detail & Related papers (2020-10-22T14:57:42Z)
This list is automatically generated from the titles and abstracts of the papers in this site.