On the Limitations of Model Stealing with Uncertainty Quantification Models
- URL: http://arxiv.org/abs/2305.05293v2
- Date: Fri, 18 Aug 2023 13:35:05 GMT
- Title: On the Limitations of Model Stealing with Uncertainty Quantification Models
- Authors: David Pape, Sina Däubener, Thorsten Eisenhofer, Antonio Emanuele Cinà, Lea Schönherr
- Abstract summary: Model stealing aims at inferring a victim model's functionality at a fraction of the original training cost. In practice the model's architecture, weight dimension, and original training data can not be determined exactly. We generate multiple possible networks and combine their predictions to improve the quality of the stolen model.
- Score: 5.389383754665319
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Model stealing aims at inferring a victim model's functionality at a fraction of the original training cost. While the goal is clear, in practice the model's architecture, weight dimension, and original training data can not be determined exactly, leading to mutual uncertainty during stealing. In this work, we explicitly tackle this uncertainty by generating multiple possible networks and combining their predictions to improve the quality of the stolen model. For this, we compare five popular uncertainty quantification models in a model stealing task. Surprisingly, our results indicate that the considered models only lead to marginal improvements in terms of label agreement (i.e., fidelity) to the stolen model. To find the cause of this, we inspect the diversity of the model's prediction by looking at the prediction variance as a function of training iterations. We realize that during training, the models tend to have similar predictions, indicating that the network diversity we wanted to leverage using uncertainty quantification models is not (high) enough for improvements on the model stealing task.
Related papers
- Predictive Churn with the Set of Good Models [64.05949860750235]
  We study the effect of conflicting predictions over the set of near-optimal machine learning models.
  We present theoretical results on the expected churn between models within the Rashomon set.
  We show how our approach can be used to better anticipate, reduce, and avoid churn in consumer-facing applications.
  arXiv Detail & Related papers (2024-02-12T16:15:25Z)
- An Ambiguity Measure for Recognizing the Unknowns in Deep Learning [0.0]
  We study the understanding of deep neural networks from the scope in which they are trained on.
  We propose a measure for quantifying the ambiguity of inputs for any given model.
  arXiv Detail & Related papers (2023-12-11T02:57:12Z)
- Uncertainty Quantification for Rule-Based Models [0.03807314298073299]
  Rule-based classification models directly predict values, rather than modeling a probability and translating it into a prediction as done in statistical models.
  We propose an uncertainty quantification framework in the form of a meta-model that takes any binary classifier with binary output as a black box and estimates the prediction accuracy of that base model at a given input along with a level of confidence on that estimation.
  arXiv Detail & Related papers (2022-11-03T15:50:09Z)
- Investigating Ensemble Methods for Model Robustness Improvement of Text Classifiers [66.36045164286854]
  We analyze a set of existing bias features and demonstrate there is no single model that works best for all the cases.
  By choosing an appropriate bias model, we can obtain a better robustness result than baselines with a more sophisticated model design.
  arXiv Detail & Related papers (2022-10-28T17:52:10Z)
- Are You Stealing My Model? Sample Correlation for Fingerprinting Deep Neural Networks [86.55317144826179]
  Previous methods always leverage the transferable adversarial examples as the model fingerprint.
  We propose a novel yet simple model stealing detection method based on SAmple Correlation (SAC).
  SAC successfully defends against various model stealing attacks, even including adversarial training or transfer learning.
  arXiv Detail & Related papers (2022-10-21T02:07:50Z)
- MEGA: Model Stealing via Collaborative Generator-Substitute Networks [4.065949099860426]
  Recent data-free model stealing methods are shown effective to extract the knowledge of the target model without using real query examples.
  We propose a data-free model stealing framework, MEGA, which is based on collaborative generator-substitute networks.
  Our results show that the accuracy of our trained substitute model and the adversarial attack success rate over it can be up to 33% and 40% higher than state-of-the-art data-free black-box attacks.
  arXiv Detail & Related papers (2022-01-31T09:34:28Z)
- Why Calibration Error is Wrong Given Model Uncertainty: Using Posterior Predictive Checks with Deep Learning [0.0]
  We show how calibration error and its variants are almost always incorrect to use given model uncertainty.
  We show how this mistake can lead to trust in bad models and mistrust in good models.
  arXiv Detail & Related papers (2021-12-02T18:26:30Z)
- Mismatched No More: Joint Model-Policy Optimization for Model-Based RL [172.37829823752364]
  We propose a single objective for jointly training the model and the policy, such that updates to either component increase a lower bound on expected return.
  Our objective is a global lower bound on expected return, and this bound becomes tight under certain assumptions.
  The resulting algorithm (MnM) is conceptually similar to a GAN.
  arXiv Detail & Related papers (2021-10-06T13:43:27Z)
- Probabilistic Modeling for Human Mesh Recovery [73.11532990173441]
  This paper focuses on the problem of 3D human reconstruction from 2D evidence.
  We recast the problem as learning a mapping from the input to a distribution of plausible 3D poses.
  arXiv Detail & Related papers (2021-08-26T17:55:11Z)
- Beyond Trivial Counterfactual Explanations with Diverse Valuable Explanations [64.85696493596821]
  In computer vision applications, generative counterfactual methods indicate how to perturb a model's input to change its prediction.
  We propose a counterfactual method that learns a perturbation in a disentangled latent space that is constrained using a diversity-enforcing loss.
  Our model improves the success rate of producing high-quality valuable explanations when compared to previous state-of-the-art methods.
  arXiv Detail & Related papers (2021-03-18T12:57:34Z)