Careful What You Wish For: on the Extraction of Adversarially Trained Models

TL;DR

This paper evaluates how adversarial training, intended to improve model robustness, inadvertently increases vulnerability to extraction attacks, revealing that robust models can be more easily replicated and pose privacy risks.

Contribution

First comprehensive empirical assessment of extraction attack vulnerability on adversarially trained vision models, highlighting increased risks and transferability of robustness.

Findings

Adversarially trained models are more vulnerable to extraction attacks.

Extracted models from robust training achieve higher accuracy with fewer queries.

Robustness features transfer to extracted models, enhancing adversarial resilience.

Abstract

Recent attacks on Machine Learning (ML) models such as evasion attacks with adversarial examples and models stealing through extraction attacks pose several security and privacy threats. Prior work proposes to use adversarial training to secure models from adversarial examples that can evade the classification of a model and deteriorate its performance. However, this protection technique affects the model's decision boundary and its prediction probabilities, hence it might raise model privacy risks. In fact, a malicious user using only a query access to the prediction output of a model can extract it and obtain a high-accuracy and high-fidelity surrogate model. To have a greater extraction, these attacks leverage the prediction probabilities of the victim model. Indeed, all previous work on extraction attacks do not take into consideration the changes in the training process for security purposes. In this paper, we propose a framework to assess extraction attacks on adversarially trained models with vision datasets. To the best of our knowledge, our work is the first to perform such evaluation. Through an extensive empirical study, we demonstrate that adversarially trained models are more vulnerable to extraction attacks than models obtained under natural training circumstances. They can achieve up to $\times1.2$ higher accuracy and agreement with a fraction lower than $\times0.75$ of the queries. We additionally find that the adversarial robustness capability is transferable through extraction attacks, i.e., extracted Deep Neural Networks (DNNs) from robust models show an enhanced accuracy to adversarial examples compared to extracted DNNs from naturally trained (i.e. standard) models.