References & Citations
Computer Science > Computer Vision and Pattern Recognition
Title: ES Attack: Model Stealing against Deep Neural Networks without Data Hurdles
(Submitted on 21 Sep 2020 (v1), last revised 25 Jan 2022 (this version, v2))
Abstract: Deep neural networks (DNNs) have become the essential components for various commercialized machine learning services, such as Machine Learning as a Service (MLaaS). Recent studies show that machine learning services face severe privacy threats - well-trained DNNs owned by MLaaS providers can be stolen through public APIs, namely model stealing attacks. However, most existing works undervalued the impact of such attacks, where a successful attack has to acquire confidential training data or auxiliary data regarding the victim DNN. In this paper, we propose ES Attack, a novel model stealing attack without any data hurdles. By using heuristically generated synthetic data, ES Attack iteratively trains a substitute model and eventually achieves a functionally equivalent copy of the victim DNN. The experimental results reveal the severity of ES Attack: i) ES Attack successfully steals the victim model without data hurdles, and ES Attack even outperforms most existing model stealing attacks using auxiliary data in terms of model accuracy; ii) most countermeasures are ineffective in defending ES Attack; iii) ES Attack facilitates further attacks relying on the stolen model.
Submission history
From: Xiaoyong Yuan [view email][v1] Mon, 21 Sep 2020 01:26:06 GMT (4671kb,D)
[v2] Tue, 25 Jan 2022 20:36:12 GMT (8858kb,D)
Link back to: arXiv, form interface, contact.