Efficient Model Extraction via Boundary Sampling
This addresses security vulnerabilities in machine learning models for practitioners, offering a more efficient and effective attack method, though it is incremental as it builds on existing black-box extraction techniques.
The paper tackles the problem of data-free model extraction attacks by focusing on sampling low-confidence areas and using an evolutionary algorithm, achieving a 10x to 600x reduction in queries and improving stolen model accuracy and adversarial transferability from 60% to 82%.
This paper introduces a novel data-free model extraction attack that significantly advances the current state-of-the-art in terms of efficiency, accuracy, and effectiveness. Traditional black-box methods rely on using the victim's model as an oracle to label a vast number of samples within high-confidence areas. This approach not only requires an extensive number of queries but also results in a less accurate and less transferable model. In contrast, our method innovates by focusing on sampling low-confidence areas (along the decision boundaries) and employing an evolutionary algorithm to optimize the sampling process. These novel contributions allow for a dramatic reduction in the number of queries needed by the attacker by a factor of 10x to 600x while simultaneously improving the accuracy of the stolen model. Moreover, our approach improves boundary alignment, resulting in better transferability of adversarial examples from the stolen model to the victim's model (increasing the attack success rate from 60\% to 82\% on average). Finally, we accomplish all of this with a strict black-box assumption on the victim, with no knowledge of the target's architecture or dataset. We demonstrate our attack on three datasets with increasingly larger resolutions and compare our performance to four state-of-the-art model extraction attacks.