Navigating the Deep: Signature Extraction on Deep Neural Networks

• URL: http://arxiv.org/abs/2506.17047v1
• Date: Fri, 20 Jun 2025 14:59:47 GMT
• Title: Navigating the Deep: Signature Extraction on Deep Neural Networks
• Authors: Haolin Liu, Adrien Siproudhis, Samuel Experton, Peter Lorenz, Christina Boura, Thomas Peyrin,
• Abstract summary: Neural network model extraction has emerged as an important security concern.<n>Prior work introduced a technique inspired by differential cryptanalysis to extract neural network parameters.<n>We revisit and refine the signature extraction process by systematically identifying and addressing for the first time critical limitations of Carlini et al.'s signature extraction method.
• Score: 7.13570508245734
• License: http://creativecommons.org/licenses/by/4.0/
• Abstract: Neural network model extraction has emerged in recent years as an important security concern, as adversaries attempt to recover a network's parameters via black-box queries. A key step in this process is signature extraction, which aims to recover the absolute values of the network's weights layer by layer. Prior work, notably by Carlini et al. (2020), introduced a technique inspired by differential cryptanalysis to extract neural network parameters. However, their method suffers from several limitations that restrict its applicability to networks with a few layers only. Later works focused on improving sign extraction, but largely relied on the assumption that signature extraction itself was feasible. In this work, we revisit and refine the signature extraction process by systematically identifying and addressing for the first time critical limitations of Carlini et al.'s signature extraction method. These limitations include rank deficiency and noise propagation from deeper layers. To overcome these challenges, we propose efficient algorithmic solutions for each of the identified issues, greatly improving the efficiency of signature extraction. Our approach permits the extraction of much deeper networks than was previously possible. We validate our method through extensive experiments on ReLU-based neural networks, demonstrating significant improvements in extraction depth and accuracy. For instance, our extracted network matches the target network on at least 95% of the input space for each of the eight layers of a neural network trained on the CIFAR-10 dataset, while previous works could barely extract the first three layers. Our results represent a crucial step toward practical attacks on larger and more complex neural network architectures.

Related papers

• Robust Weight Initialization for Tanh Neural Networks with Fixed Point Analysis [5.016205338484259]
  As a neural network's depth increases, it can improve generalization performance.<n>This paper presents a novel weight initialization method for neural networks with tanh activation function.<n> Experiments on various classification datasets and physics-informed neural networks demonstrate that the proposed method outperforms Xavier methods(with or without normalization) in terms of robustness across different network sizes.
  arXiv  Detail & Related papers  (2024-10-03T06:30:27Z)
• Hard-Label Cryptanalytic Extraction of Neural Network Models [10.568722566232127]
  We propose the first attack that theoretically achieves functionally equivalent extraction under the hard-label setting. The effectiveness of our attack is validated through practical experiments on a wide range of ReLU neural networks.
  arXiv  Detail & Related papers  (2024-09-18T02:17:10Z)
• Globally Optimal Training of Neural Networks with Threshold Activation Functions [63.03759813952481]
  We study weight decay regularized training problems of deep neural networks with threshold activations. We derive a simplified convex optimization formulation when the dataset can be shattered at a certain layer of the network.
  arXiv  Detail & Related papers  (2023-03-06T18:59:13Z)
• Zonotope Domains for Lagrangian Neural Network Verification [102.13346781220383]
  We decompose the problem of verifying a deep neural network into the verification of many 2-layer neural networks. Our technique yields bounds that improve upon both linear programming and Lagrangian-based verification techniques.
  arXiv  Detail & Related papers  (2022-10-14T19:31:39Z)
• SAR Despeckling Using Overcomplete Convolutional Networks [53.99620005035804]
  despeckling is an important problem in remote sensing as speckle degrades SAR images. Recent studies show that convolutional neural networks(CNNs) outperform classical despeckling methods. This study employs an overcomplete CNN architecture to focus on learning low-level features by restricting the receptive field. We show that the proposed network improves despeckling performance compared to recent despeckling methods on synthetic and real SAR images.
  arXiv  Detail & Related papers  (2022-05-31T15:55:37Z)
• Efficiently Learning Any One Hidden Layer ReLU Network From Queries [27.428198343906352]
  We give the first-time algorithm for learning arbitrary one hidden layer neural networks activations provided black-box access to the network. Ours is the first with fully-time guarantees of efficiency even for worst-case networks.
  arXiv  Detail & Related papers  (2021-11-08T18:59:40Z)
• A Compact Deep Learning Model for Face Spoofing Detection [4.250231861415827]
  presentation attack detection (PAD) has received significant attention from research communities. We address the problem via fusing both wide and deep features in a unified neural architecture. The procedure is done on different spoofing datasets such as ROSE-Youtu, SiW and NUAA Imposter.
  arXiv  Detail & Related papers  (2021-01-12T21:20:09Z)
• ESPN: Extremely Sparse Pruned Networks [50.436905934791035]
  We show that a simple iterative mask discovery method can achieve state-of-the-art compression of very deep networks. Our algorithm represents a hybrid approach between single shot network pruning methods and Lottery-Ticket type approaches.
  arXiv  Detail & Related papers  (2020-06-28T23:09:27Z)
• Binary Neural Networks: A Survey [126.67799882857656]
  The binary neural network serves as a promising technique for deploying deep models on resource-limited devices. The binarization inevitably causes severe information loss, and even worse, its discontinuity brings difficulty to the optimization of the deep network. We present a survey of these algorithms, mainly categorized into the native solutions directly conducting binarization, and the optimized ones using techniques like minimizing the quantization error, improving the network loss function, and reducing the gradient error.
  arXiv  Detail & Related papers  (2020-03-31T16:47:20Z)
• MSE-Optimal Neural Network Initialization via Layer Fusion [68.72356718879428]
  Deep neural networks achieve state-of-the-art performance for a range of classification and inference tasks. The use of gradient combined nonvolutionity renders learning susceptible to novel problems. We propose fusing neighboring layers of deeper networks that are trained with random variables.
  arXiv  Detail & Related papers  (2020-01-28T18:25:15Z)

This list is automatically generated from the titles and abstracts of the papers in this site.

This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.