2021
DOI: 10.48550/arxiv.2107.08909
Preprint

MEGEX: Data-Free Model Extraction Attack against Gradient-Based Explainable AI

Takayuki Miura,
Satoshi Hasegawa,
Toshiki Shibahara

Abstract: The advance of explainable artificial intelligence, which provides reasons for its predictions, is expected to accelerate the use of deep neural networks in real-world settings such as Machine Learning as a Service (MLaaS), which returns predictions on queried data with a trained model. Deep neural networks deployed in MLaaS face the threat of model extraction attacks. A model extraction attack is an attack that violates intellectual property and privacy, in which an adversary steals trained models in a cloud using only t…
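As a rough illustration of the threat described in the abstract, the sketch below shows the basic mechanics of a model extraction attack against an MLaaS prediction API: the adversary queries the black box, collects its outputs as soft labels, and fits a clone to them. All names here (query_mlaas, SurrogateNet, the simulated victim) and the training details are assumptions made for illustration, not the paper's method.

```python
# Minimal sketch of a model extraction attack on an MLaaS-style prediction
# API. Everything here (the simulated victim, query_mlaas, SurrogateNet) is
# an illustrative assumption, not the implementation from the paper.
import torch
import torch.nn as nn
import torch.nn.functional as F

# Stand-in for the remote victim; in a real attack this would be an HTTP call
# and the adversary would never see the weights.
_victim = nn.Sequential(nn.Flatten(), nn.Linear(3 * 32 * 32, 10))

def query_mlaas(x: torch.Tensor) -> torch.Tensor:
    """Black-box query: returns only a probability vector per input."""
    with torch.no_grad():
        return F.softmax(_victim(x), dim=1)

class SurrogateNet(nn.Module):
    """The adversary's clone; its architecture need not match the victim's."""
    def __init__(self, num_classes: int = 10):
        super().__init__()
        self.net = nn.Sequential(nn.Flatten(),
                                 nn.Linear(3 * 32 * 32, 64), nn.ReLU(),
                                 nn.Linear(64, num_classes))

    def forward(self, x):
        return self.net(x)

def extract(queries: torch.Tensor, epochs: int = 20) -> nn.Module:
    """Fit the clone to imitate the victim's predictions on the query set."""
    clone = SurrogateNet()
    opt = torch.optim.Adam(clone.parameters(), lr=1e-3)
    soft_labels = query_mlaas(queries)            # only predictions are used
    for _ in range(epochs):
        opt.zero_grad()
        loss = F.kl_div(F.log_softmax(clone(queries), dim=1),
                        soft_labels, reduction="batchmean")
        loss.backward()
        opt.step()
    return clone

clone = extract(torch.rand(128, 3, 32, 32))
```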

Cited by 5 publications (13 citation statements)
References 12 publications (32 reference statements)
“…Unlike adversarial attacks [14,19,42], which try to undermine the performance and credibility of the target model, privacy attacks aim to violate the target model's privacy by abusing its permissions. Model stealing attacks [43,67,72,88], which steal various components of a black-box machine learning (ML) model (e.g., hyperparameters [75], architecture [46]), are one of the most common privacy attacks.…”
Section: Related Work
mentioning
confidence: 99%
“…For instance, Zhang et al. [44] propose using randomized recommendation lists to resist membership inference attacks on recommender systems. Model stealing attacks [14,20,32,33] aim to steal internal information of the target model, including hyperparameters [34], architecture [23], etc. Model stealing attacks can also be used to realize functional stealing attacks [11,14,24], i.e., building a clone model that imitates the predictions of the target model.…”
Section: Related Work
mentioning
confidence: 99%
“…Miura et al. [84] proposed a data-free model extraction (DFME) attack called MEGEX. The objective of that study was to clone a model without the original training dataset, using both the predictions and the explanations returned by the model.…”
Section: Privacy
mentioning
confidence: 99%
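To make the cited idea concrete, here is a heavily hedged sketch of how a gradient-based explanation can stand in for the backward signal that a purely black-box, data-free extraction attack would otherwise have to estimate with extra queries. The victim_api signature, the top-class-only approximation, and the disagreement loss are illustrative assumptions, not MEGEX's exact formulation.

```python
import torch
import torch.nn.functional as F

def victim_api(x: torch.Tensor):
    """Placeholder for the explainable MLaaS endpoint. Assumed to return
    (probs [B, C], expl with the same shape as x), where expl is the
    gradient of the predicted-class probability w.r.t. the input."""
    raise NotImplementedError

class ExplainableBlackBox(torch.autograd.Function):
    """Wraps the black-box call so a loss on the victim's predictions can be
    backpropagated into synthetic inputs via the returned explanation."""

    @staticmethod
    def forward(ctx, x):
        probs, expl = victim_api(x)
        ctx.save_for_backward(probs, expl)
        return probs

    @staticmethod
    def backward(ctx, grad_probs):
        probs, expl = ctx.saved_tensors
        top = probs.argmax(dim=1, keepdim=True)    # explained class per sample
        coeff = grad_probs.gather(1, top)          # [B, 1]
        # Only the explained class's row of the input Jacobian is known, so
        # the other rows are dropped -- an approximation made for this sketch.
        return coeff.view(-1, *([1] * (expl.dim() - 1))) * expl

def generator_loss(generator, clone, z):
    """The generator looks for synthetic inputs on which clone and victim
    disagree; the clone is later trained to reduce that same disagreement."""
    x = generator(z)
    victim_probs = ExplainableBlackBox.apply(x)    # differentiable via the explanation
    clone_probs = torch.softmax(clone(x), dim=1)
    return -F.l1_loss(clone_probs, victim_probs)
```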
“…for each feature 𝑖. A high partial-differential value indicates that a pixel significantly affects the prediction, and analysing the map of these values (the so-called gradient map) can explain a model's decision-making [125]. Shrikumar et al. [168] suggest enhancing numerical explanations by multiplying the input feature value by the gradient, 𝜙_𝑖(𝑥) = 𝑥_𝑖 × (𝜕𝑓/𝜕𝑥_𝑖)(𝑥).…”
mentioning
confidence: 99%
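For reference, the two attributions quoted above are easy to reproduce: the sketch below computes a vanilla gradient map and the input-times-gradient score 𝜙_𝑖(𝑥) = 𝑥_𝑖 × 𝜕𝑓/𝜕𝑥_𝑖(𝑥). The toy model and input are placeholders, not taken from the cited works.

```python
import torch
import torch.nn as nn

# Toy stand-ins; any differentiable classifier and input work the same way.
model = nn.Sequential(nn.Flatten(), nn.Linear(3 * 32 * 32, 10))
x = torch.rand(1, 3, 32, 32, requires_grad=True)

logits = model(x)
top_class = logits.argmax(dim=1).item()
logits[0, top_class].backward()            # d f_top / d x_i for every pixel i

gradient_map = x.grad                      # large |value| => pixel strongly affects the prediction
input_x_gradient = x.detach() * x.grad     # phi_i(x) = x_i * df/dx_i(x)  (Shrikumar et al.)
```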