# Knockoff Nets: Stealing Functionality of Black-Box Models

**Authors:** Tribhuvanesh Orekondy, Bernt Schiele, Mario Fritz

arXiv: 1812.02766 · 2018-12-10

## TL;DR

This paper demonstrates that an adversary can steal the functionality of a black-box machine learning model with a limited number of queries, without knowledge of its training data or internals. The approach has two steps: query the model with input images to obtain predictions, then train a "knockoff" on the resulting image-prediction pairs.

## Contribution

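It introduces a black-box model stealing method that assumes no knowledge of the victim's train/test data, its internals, or the semantics of its outputs, and shows that high-quality knockoffs can be created with few queries, even when the knockoff uses a different architecture from the victim.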

## Key findings

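- Querying random images drawn from a different distribution than the victim's training data still produces a well-performing knockoff.
- The knockoff succeeds even when it uses a different model architecture from the victim.
- A reinforcement learning approach to choosing queries improves query sample efficiency in certain settings and provides performance gains.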

## Abstract

Machine Learning (ML) models are increasingly deployed in the wild to perform a wide range of tasks. In this work, we ask to what extent can an adversary steal functionality of such "victim" models based solely on blackbox interactions: image in, predictions out. In contrast to prior work, we present an adversary lacking knowledge of train/test data used by the model, its internals, and semantics over model outputs. We formulate model functionality stealing as a two-step approach: (i) querying a set of input images to the blackbox model to obtain predictions; and (ii) training a "knockoff" with queried image-prediction pairs. We make multiple remarkable observations: (a) querying random images from a different distribution than that of the blackbox training data results in a well-performing knockoff; (b) this is possible even when the knockoff is represented using a different architecture; and (c) our reinforcement learning approach additionally improves query sample efficiency in certain settings and provides performance gains. We validate model functionality stealing on a range of datasets and tasks, as well as on a popular image analysis API where we create a reasonable knockoff for as little as $30.

## Full text

_Full body text omitted from this summary view._ Fetch the complete paper as Markdown: https://tomesphere.com/paper/1812.02766/full.md

## Figures

26 figures with captions in the complete paper: https://tomesphere.com/paper/1812.02766/full.md

## References

51 references — full list in the complete paper: https://tomesphere.com/paper/1812.02766/full.md

---
Source: https://tomesphere.com/paper/1812.02766