PINCH: An Adversarial Extraction Attack Framework for Deep Learning Models

TL;DR

This paper introduces PINCH, a framework for adversarial extraction attacks on deep learning models, revealing insights into model vulnerabilities, attack staging, and the expressive power of stolen models through extensive experiments.

Contribution

The paper presents PINCH, a novel automated framework for designing and analyzing extraction attacks across diverse hardware, advancing understanding of model susceptibility and attack strategies.

Findings

Certain model configurations are more resilient to specific attacks.

Partial extraction can facilitate subsequent adversarial attacks.

Stolen models with similar knowledge can have different expressive capabilities.

Abstract

Adversarial extraction attacks constitute an insidious threat against Deep Learning (DL) models in-which an adversary aims to steal the architecture, parameters, and hyper-parameters of a targeted DL model. Existing extraction attack literature have observed varying levels of attack success for different DL models and datasets, yet the underlying cause(s) behind their susceptibility often remain unclear, and would help facilitate creating secure DL systems. In this paper we present PINCH: an efficient and automated extraction attack framework capable of designing, deploying, and analyzing extraction attack scenarios across heterogeneous hardware platforms. Using PINCH, we perform extensive experimental evaluation of extraction attacks against 21 model architectures to explore new extraction attack scenarios and further attack staging. Our findings show (1) key extraction characteristics whereby particular model configurations exhibit strong resilience against specific attacks, (2) even partial extraction success enables further staging for other adversarial attacks, and (3) equivalent stolen models uncover differences in expressive power, yet exhibit similar captured knowledge.