Student Surpasses Teacher: Imitation Attack for Black-Box NLP APIs
This is a milestone for API providers and security researchers, as it reveals a new vulnerability where stolen models can surpass victims, potentially influencing defense strategies.
The paper tackles the problem of imitation attacks on black-box NLP APIs by showing that attackers can create imitators that outperform the original models on transferred domains, with experiments validating this on benchmark datasets and real-world APIs.
Machine-learning-as-a-service (MLaaS) has attracted millions of users to their splendid large-scale models. Although published as black-box APIs, the valuable models behind these services are still vulnerable to imitation attacks. Recently, a series of works have demonstrated that attackers manage to steal or extract the victim models. Nonetheless, none of the previous stolen models can outperform the original black-box APIs. In this work, we conduct unsupervised domain adaptation and multi-victim ensemble to showing that attackers could potentially surpass victims, which is beyond previous understanding of model extraction. Extensive experiments on both benchmark datasets and real-world APIs validate that the imitators can succeed in outperforming the original black-box models on transferred domains. We consider our work as a milestone in the research of imitation attack, especially on NLP APIs, as the superior performance could influence the defense or even publishing strategy of API providers.