MEGA: Model Stealing via Collaborative Generator-Substitute Networks

TL;DR

This paper introduces MEGA, a data-free model stealing framework that uses collaborative generator and substitute networks to effectively replicate target models with only label predictions, improving attack success rates.

Contribution

The paper proposes a novel collaborative generator-substitute network approach for data-free model stealing, addressing training instability and enhancing attack effectiveness.

Findings

Substitute model accuracy improved by up to 33%.

Adversarial attack success rate increased by up to 40%.

Method outperforms existing data-free black-box attacks.

Abstract

Deep machine learning models are increasingly deployedin the wild for providing services to users. Adversaries maysteal the knowledge of these valuable models by trainingsubstitute models according to the inference results of thetargeted deployed models. Recent data-free model stealingmethods are shown effective to extract the knowledge of thetarget model without using real query examples, but they as-sume rich inference information, e.g., class probabilities andlogits. However, they are all based on competing generator-substitute networks and hence encounter training instability.In this paper we propose a data-free model stealing frame-work,MEGA, which is based on collaborative generator-substitute networks and only requires the target model toprovide label prediction for synthetic query examples. Thecore of our method is a model stealing optimization con-sisting of two collaborative models (i) the substitute modelwhich imitates the target model through the synthetic queryexamples and their inferred labels and (ii) the generatorwhich synthesizes images such that the confidence of thesubstitute model over each query example is maximized. Wepropose a novel coordinate descent training procedure andanalyze its convergence. We also empirically evaluate thetrained substitute model on three datasets and its applicationon black-box adversarial attacks. Our results show that theaccuracy of our trained substitute model and the adversarialattack success rate over it can be up to 33% and 40% higherthan state-of-the-art data-free black-box attacks.