A framework for the extraction of Deep Neural Networks by leveraging public data

TL;DR

This paper introduces a practical framework for extracting deep neural network models using active learning and public datasets, achieving high accuracy with limited queries across image and text domains.

Contribution

It presents a novel model extraction method that works on deep models without domain knowledge and with limited queries, outperforming baseline approaches.

Findings

Achieves 4.70x better performance on image tasks

Achieves 2.11x better performance on text tasks

Uses only 30% of public data for effective extraction

Abstract

Machine learning models trained on confidential datasets are increasingly being deployed for profit. Machine Learning as a Service (MLaaS) has made such models easily accessible to end-users. Prior work has developed model extraction attacks, in which an adversary extracts an approximation of MLaaS models by making black-box queries to it. However, none of these works is able to satisfy all the three essential criteria for practical model extraction: (1) the ability to work on deep learning models, (2) the non-requirement of domain knowledge and (3) the ability to work with a limited query budget. We design a model extraction framework that makes use of active learning and large public datasets to satisfy them. We demonstrate that it is possible to use this framework to steal deep classifiers trained on a variety of datasets from image and text domains. By querying a model via black-box access for its top prediction, our framework improves performance on an average over a uniform noise baseline by 4.70x for image tasks and 2.11x for text tasks respectively, while using only 30% (30,000 samples) of the public dataset at its disposal.