CR | AI | Jun 5, 2025

BESA: Boosting Encoder Stealing Attack with Perturbation Recovery

arXiv:2506.04556v119 citations | h-index: 40 | IEEE Trans Inf Forensics Secur
Originality: Incremental advance
AI Analysis

This work addresses a security vulnerability in machine learning models for service providers, but it is incremental as it builds upon existing encoder stealing attacks.

The paper tackles the problem of encoder stealing attacks being hindered by perturbation-based defenses, proposing BESA to boost attack performance by detecting and recovering from perturbations, resulting in up to 24.63% improvement in surrogate encoder accuracy against state-of-the-art defenses.

To boost the encoder stealing attack under the perturbation-based defense that hinders the attack performance, we propose a boosting encoder stealing attack with perturbation recovery named BESA. It aims to overcome perturbation-based defenses. The core of BESA consists of two modules: perturbation detection and perturbation recovery, which can be combined with canonical encoder stealing attacks. The perturbation detection module utilizes the feature vectors obtained from the target encoder to infer the defense mechanism employed by the service provider. Once the defense mechanism is detected, the perturbation recovery module leverages the well-designed generative model to restore a clean feature vector from the perturbed one. Through extensive evaluations based on various datasets, we demonstrate that BESA significantly enhances the surrogate encoder accuracy of existing encoder stealing attacks by up to 24.63% when facing state-of-the-art defenses and combinations of multiple defenses.
