Jonathan Rosenthal, Shanchao Liang, Kevin Zhang, Lin Tan
arXiv - CS - Cryptography and Security, volume 89, issue 1. Identifier: arxiv-2409.10643. Published 2024-09-16 (journal article; indexed on Semantic Scholar).
CaBaGe: Data-Free Model Extraction using ClAss BAlanced Generator Ensemble
Machine Learning as a Service (MLaaS) is often provided as a pay-per-query,
black-box system to clients. Such a black-box approach not only hinders open
replication, validation, and interpretation of model results, but also makes it
harder for white-hat researchers to identify vulnerabilities in the MLaaS
systems. Model extraction is a promising technique to address these challenges
by reverse-engineering black-box models. Since training data is typically
unavailable for MLaaS models, this paper focuses on the realistic variant of
the problem: data-free model extraction. We propose a data-free model extraction
approach, CaBaGe, to achieve higher model extraction accuracy with a small
number of queries. Our innovations include (1) a novel experience replay for
focusing on difficult training samples; (2) an ensemble of generators for
steadily producing diverse synthetic data; and (3) a selective filtering
process for querying the victim model with harder, more balanced samples. In
addition, we create a more realistic setting, for the first time, where the
attacker has no knowledge of the number of classes in the victim training data,
and create a solution to learn the number of classes on the fly. Our evaluation
shows that CaBaGe outperforms existing techniques on seven datasets -- MNIST,
FMNIST, SVHN, CIFAR-10, CIFAR-100, ImageNet-subset, and Tiny ImageNet -- with
an accuracy improvement of the extracted models by up to 43.13%. Furthermore,
the number of queries required to extract a clone model matching the final
accuracy of prior work is reduced by up to 75.7%.