Black-Box Dissector: Towards Erasing-Based Hard-Label Model Stealing Attack

Wang, Yixu; Li, Jie; Liu, Hong; Wang, Yan; Wu, Yongjian; Huang, Feiyue; Ji, Rongrong

doi:10.1007/978-3-031-20065-6_12

Cited by 15 publications

(8 citation statements)

References 16 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Once the attacker obtains the knowledge of the training algorithm, it can fully control the compromised client and initiate the model poisoning backdoor attack during the local model training phase. The most commonly adopted strategy is the global model replacement method [184]. The attack model becomes a white box.…”

Section: Discussionmentioning

confidence: 99%

Defense Strategies Toward Model Poisoning Attacks in Federated Learning: A Survey

Wang

Qiao

Zhang

et al. 2022

2022 IEEE Wireless Communications and Networking Conference (WCNC)

View full text Add to dashboard Cite

Due to the greatly improved capabilities of devices, massive data, and increasing concern about data privacy, Federated Learning (FL) has been increasingly considered for applications to wireless communication networks (WCNs). Wireless FL (WFL) is a distributed method of training a global deep learning model in which a large number of participants each train a local model on their training datasets and then upload the local model updates to a central server. However, in general, nonindependent and identically distributed (non-IID) data of WCNs raises concerns about robustness, as a malicious participant could potentially inject a "backdoor" into the global model by uploading poisoned data or models over WCN. This could cause the model to misclassify malicious inputs as a specific target class while behaving normally with benign inputs. This survey provides a comprehensive review of the latest backdoor attacks and defense mechanisms. It classifies them according to their targets (data poisoning or model poisoning), the attack phase (local data collection, training, or aggregation), and defense stage (local training, before aggregation, during aggregation, or after aggregation). The strengths and limitations of existing attack strategies and defense mechanisms are analyzed in detail. Comparisons of existing attack methods and defense designs are carried out, pointing to noteworthy findings, open challenges, and potential future research directions related to security and privacy of WFL.

show abstract

Section: Discussionmentioning

confidence: 99%

Defense Strategies Toward Model Poisoning Attacks in Federated Learning: A Survey

Wang

Qiao

Zhang

et al. 2022

2022 IEEE Wireless Communications and Networking Conference (WCNC)

View full text Add to dashboard Cite

show abstract

“…With query access, Tramer et al [72] proposed a model stealing attack against a machine learning model. Since then, researchers in fields like computer vision [78,89], generative adversarial networks [26], and recommendation systems [90] have explored model stealing attacks. Traditional model stealing attacks assume that the attacker can obtain sufficient data to achieve their goal.…”

Section: Related Workmentioning

confidence: 99%

“…In addition, the clone model can be used for subsequent adversarial attacks [3,18], membership inference attacks [27,31], etc. Model stealing attacks have been widely studied in fields such as images [35,40] and graphs [6,38], while received little attention in recommender systems. Yue et al [42] proposed to utilize the autoregressive nature of sequential recommender system to steal its internal information.…”

Section: Related Workmentioning

confidence: 99%

“…Additionally, not all models deployed on MLaaS systems possess the capability to furnish comprehensive predictive results. Most MLaaS systems [57,78] merely offer categorical labels for samples (e.g., the image depicts a cat or a dog, rather than the probabilities of the image belonging to various categories). These challenges force us to urgently study more practical model stealing attacks for graph classification.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Membership Inference Attacks Against Sequential Recommender Systems

Zhu

Fan

et al. 2023

Proceedings of the ACM Web Conference 2023

View full text Add to dashboard Cite

Recent research demonstrates that GNNs are vulnerable to the model stealing attack, a nefarious endeavor geared towards duplicating the target model via query permissions. However, they mainly focus on node classification tasks, neglecting the potential threats entailed within the domain of graph classification tasks. Furthermore, their practicality is questionable due to unreasonable assumptions, specifically concerning the large data requirements and extensive model knowledge. To this end, we advocate following strict settings with limited real data and hard-label awareness to generate synthetic data, thereby facilitating the stealing of the target model. Specifically, following important data generation principles, we introduce three model stealing attacks to adapt to different actual scenarios: MSA-AU is inspired by active learning and emphasizes the uncertainty to enhance query value of generated samples; MSA-AD introduces diversity based on Mixup augmentation strategy to alleviate the query inefficiency issue caused by over-similar samples generated by MSA-AU; MSA-AUD combines the above two strategies to seamlessly integrate the authenticity, uncertainty, and diversity of the generated samples. Finally, extensive experiments consistently demonstrate the superiority of the proposed methods in terms of concealment, query efficiency, and stealing performance.

show abstract

“…Machine learning as a service (MLaaS) has gained significant popularity due to its ease of deployment and costeffectiveness, which provides users with pre-trained models and APIs. Unfortunately, MLaaS is susceptible to privacy attacks, with Model Stealing Attacks (MSA) being particularly harmful (Tramèr et al 2016;Orekondy, Schiele, and Fritz 2019;Jagielski et al 2020;Yuan et al 2022;Wang et al 2022), where an attacker can train a clone model by querying its public API, without accessing its parameters or training data. This attack not only poses a threat to intellectual property but also compromises the privacy of individuals whose data was used to train the original model.…”

Section: Introductionmentioning

confidence: 99%

Data-Free Hard-Label Robustness Stealing Attack

Yuan,

Chen,

Huang

et al. 2024

AAAI

View full text Add to dashboard Cite

The popularity of Machine Learning as a Service (MLaaS) has led to increased concerns about Model Stealing Attacks (MSA), which aim to craft a clone model by querying MLaaS. Currently, most research on MSA assumes that MLaaS can provide soft labels and that the attacker has a proxy dataset with a similar distribution. However, this fails to encapsulate the more practical scenario where only hard labels are returned by MLaaS and the data distribution remains elusive. Furthermore, most existing work focuses solely on stealing the model accuracy, neglecting the model robustness, while robustness is essential in security-sensitive scenarios, e.g, face-scan payment. Notably, improving model robustness often necessitates the use of expensive techniques such as adversarial training, thereby further making stealing robustness a more lucrative prospect. In response to these identified gaps, we introduce a novel Data-Free Hard-Label Robustness Stealing (DFHL-RS) attack in this paper, which enables the stealing of both model accuracy and robustness by simply querying hard labels of the target model without the help of any natural data. Comprehensive experiments demonstrate the effectiveness of our method. The clone model achieves a clean accuracy of 77.86% and a robust accuracy of 39.51% against AutoAttack, which are only 4.71% and 8.40% lower than the target model on the CIFAR-10 dataset, significantly exceeding the baselines. Our code is available at: https://github.com/LetheSec/DFHL-RS-Attack.

show abstract

Black-Box Dissector: Towards Erasing-Based Hard-Label Model Stealing Attack

Cited by 15 publications

References 16 publications

Defense Strategies Toward Model Poisoning Attacks in Federated Learning: A Survey

Defense Strategies Toward Model Poisoning Attacks in Federated Learning: A Survey

Membership Inference Attacks Against Sequential Recommender Systems

Data-Free Hard-Label Robustness Stealing Attack

Contact Info

Product

Resources

About