LG · CR · ML · Feb 23, 2020

Stealing Black-Box Functionality Using The Deep Neural Tree Architecture

arXiv:2002.09864v1 · 5 citations
AI Analysis

This paper addresses the challenge of stealing functionality from complex, unknown systems like digital chips or software, with potential applications in security and explainability, though it appears incremental as it builds on prior black-box attack methods.

The paper tackles the problem of cloning black-box models by introducing Deep Neural Trees (DNTs), which learn to separate and replicate tasks from victim models using active learning for sample-efficient training, achieving functionality cloning without architectural knowledge.

This paper makes a substantial step towards cloning the functionality of black-box models by introducing a machine learning (ML) architecture named Deep Neural Trees (DNTs). This new architecture can learn to separate different tasks of the black-box model, and clone its task-specific behavior. We propose to train the DNT using an active learning algorithm to obtain faster and more sample-efficient training. In contrast to prior work, we study a complex "victim" black-box model based solely on input-output interactions, while at the same time the attacker and the victim model may have completely different internal architectures. The attacker is an ML-based algorithm whereas the victim is a generally unknown module, such as a multi-purpose digital chip, complex analog circuit, mechanical system, software logic or a hybrid of these. The trained DNT module not only can function as the attacked module, but also provides some level of explainability to the cloned model due to the tree-like nature of the proposed architecture.

Code Implementations: 1 repo