Efficient Model Extraction via Boundary Sampling
Maor Biton Dor, Yisroel Mirsky

TL;DR
This paper presents a boundary sampling-based data-free model extraction attack that drastically reduces query requirements and enhances model transferability, all under strict black-box conditions.
Contribution
It introduces a novel boundary-focused sampling method combined with an evolutionary algorithm, significantly improving efficiency and accuracy over prior black-box attacks.
Findings
Reduces query count by 10x to 600x
Improves attack success rate from 60% to 82%
Enhances transferability of adversarial examples
Abstract
This paper introduces a novel data-free model extraction attack that significantly advances the current state-of-the-art in terms of efficiency, accuracy, and effectiveness. Traditional black-box methods rely on using the victim's model as an oracle to label a vast number of samples within high-confidence areas. This approach not only requires an extensive number of queries but also results in a less accurate and less transferable model. In contrast, our method innovates by focusing on sampling low-confidence areas (along the decision boundaries) and employing an evolutionary algorithm to optimize the sampling process. These novel contributions allow for a dramatic reduction in the number of queries needed by the attacker by a factor of 10x to 600x while simultaneously improving the accuracy of the stolen model. Moreover, our approach improves boundary alignment, resulting in better…
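A defender-side check suggested by the abstract's description of sampling low-confidence areas, as an added example (not code from the paper or its authors): it scores each API client by how often its queries land near a decision boundary, measured by the top-2 probability margin the model produces server-side. The client names, the log, and every threshold are constructed assumptions, and the heuristic itself is not evaluated in the paper.

```python
import math
from collections import defaultdict

def top2_margin(probs):
    """Gap between the two highest class probabilities (small = near a boundary)."""
    first, second = sorted(probs, reverse=True)[:2]
    return first - second

def flag_boundary_probing(log, margin_thr=0.10, baseline_rate=0.05,
                          min_queries=20, z_thr=4.0):
    """Flag clients whose share of low-margin responses is far above baseline.

    log: iterable of (client_id, probability_vector) computed server-side,
    so it works even if the API returns only labels to the caller.
    All thresholds are assumed values; tune them on real benign traffic.
    Returns {client_id: (low_margin_share, z_score)}.
    """
    counts = defaultdict(lambda: [0, 0])  # client -> [total, low-margin]
    for client, probs in log:
        counts[client][0] += 1
        if top2_margin(probs) < margin_thr:
            counts[client][1] += 1

    flagged = {}
    std_unit = math.sqrt(baseline_rate * (1 - baseline_rate))
    for client, (total, low) in counts.items():
        if total < min_queries:      # too few queries to judge
            continue
        share = low / total
        # One-sided z-score of the observed share against the benign baseline.
        z = (share - baseline_rate) / (std_unit / math.sqrt(total))
        if z > z_thr:
            flagged[client] = (round(share, 3), round(z, 2))
    return flagged

def constructed_log():
    """Constructed sample traffic (not real data) for three hypothetical clients."""
    confident, near_boundary = [0.95, 0.03, 0.02], [0.51, 0.47, 0.02]
    log = [("app-frontend", confident)] * 38 + [("app-frontend", near_boundary)] * 2
    log += [("client-x", near_boundary)] * 30 + [("client-x", confident)] * 10
    log += [("batch-job", near_boundary)] * 5   # below min_queries, never judged
    return log

if __name__ == "__main__":
    print(flag_boundary_probing(constructed_log()))
```

A flagged client is a lead for review rather than proof of extraction, since legitimately ambiguous inputs also produce low margins.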
Taxonomy
Topics: Neural Networks and Applications
