ES Attack: Model Stealing against Deep Neural Networks without Data Hurdles
Xiaoyong Yuan, Leah Ding, Lan Zhang, Xiaolin Li, Dapeng Wu

TL;DR
This paper introduces ES Attack, a novel method for stealing deep neural network models without needing access to training data, demonstrating its effectiveness and highlighting the inadequacy of current defenses.
Contribution
The paper presents ES Attack, a data-free model stealing technique that uses synthetic data to replicate victim DNNs, outperforming existing methods that require auxiliary data.
Findings
ES Attack successfully steals models without data hurdles
Outperforms existing attacks using auxiliary data in accuracy
Most countermeasures are ineffective against ES Attack
Abstract
Deep neural networks (DNNs) have become the essential components for various commercialized machine learning services, such as Machine Learning as a Service (MLaaS). Recent studies show that machine learning services face severe privacy threats - well-trained DNNs owned by MLaaS providers can be stolen through public APIs, namely model stealing attacks. However, most existing works undervalued the impact of such attacks, where a successful attack has to acquire confidential training data or auxiliary data regarding the victim DNN. In this paper, we propose ES Attack, a novel model stealing attack without any data hurdles. By using heuristically generated synthetic data, ES Attack iteratively trains a substitute model and eventually achieves a functionally equivalent copy of the victim DNN. The experimental results reveal the severity of ES Attack: i) ES Attack successfully steals the…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Network Security and Intrusion Detection · Privacy-Preserving Technologies in Data
