SEEKER: Semi-Supervised Knowledge Transfer for Query-Efficient Model Extraction

Bihe Zhao; Zhenyu Guan; Junpeng Jing; Yanting Zhang; Xianglun Leng; Song Bian

SEEKER: Semi-Supervised Knowledge Transfer for Query-Efficient Model Extraction

Bihe Zhao, Zhenyu Guan, Junpeng Jing, Yanting Zhang, Xianglun Leng, Song Bian

17 Sept 2023 (modified: 11 Feb 2024)Submitted to ICLR 2024EveryoneRevisionsBibTeX

Primary Area: societal considerations including fairness, safety, privacy

Code Of Ethics: I acknowledge that I and all co-authors of this work have read and commit to adhering to the ICLR Code of Ethics.

Keywords: model extraction, knowledge transfer, semi-supervised learning

Submission Guidelines: I certify that this submission complies with the submission instructions as described on https://iclr.cc/Conferences/2024/AuthorGuide.

TL;DR: The work presents a query-efficient model extraction attack that distills knowledge from publicly available data by combining self-supervised semantic alignment and aggregated query generation.

Abstract: Model extraction attacks against neural networks aim at extracting models without white-box access to model internals and training datasets. Unfortunately, most existing methods demand an excessive number of queries (up to millions) to reproduce a functional substitute model, greatly limiting their real-world applicability. In this work, we propose a query-efficient model extraction attack that effectively distills knowledge from publicly available data. To this end, we we introduce a semantic alignment approach that trains the substitute model without interacting with the victim model. The proposed approach optimizes the substitute model to learn a generalizable image encoding pattern based on semantic consistency of neural networks. We further propose a query generator that enhances the information density of generated queries by aggregating public information, thereby greatly reducing the query cost required for constructing the substitute model. Extensive experiments demonstrate that our method achieves state-of-the-art performance which improves query-efficiency by as much as 50× with higher accuracy. Additionally, our attack demonstrates the capability of bypassing most types of existing defense mechanisms.

Anonymous Url: I certify that there is no URL (e.g., github page) that could be used to find authors' identity.

Supplementary Material: zip

No Acknowledgement Section: I certify that there is no acknowledgement section in this submission for double blind review.

Submission Number: 898

Loading