Exploring Query Efficient Data Generation towards Data-free Model Stealing in Hard Label Setting

TL;DR

This paper introduces QEDG, a novel data-free model stealing method that efficiently generates diverse samples to closely mimic a target model's decision boundary with fewer queries, enhancing attack effectiveness.

Contribution

The paper proposes two new loss functions and a query-free augmentation technique to improve data-free model stealing, enabling better boundary approximation with fewer queries.

Findings

QEDG outperforms existing methods in accuracy and query efficiency.

It achieves better model mimicry with fewer queries in MLaaS scenarios.

Experimental results on five datasets validate its effectiveness.

Abstract

Data-free model stealing involves replicating the functionality of a target model into a substitute model without accessing the target model's structure, parameters, or training data. The adversary can only access the target model's predictions for generated samples. Once the substitute model closely approximates the behavior of the target model, attackers can exploit its white-box characteristics for subsequent malicious activities, such as adversarial attacks. Existing methods within cooperative game frameworks often produce samples with high confidence for the prediction of the substitute model, which makes it difficult for the substitute model to replicate the behavior of the target model. This paper presents a new data-free model stealing approach called Query Efficient Data Generation (\textbf{QEDG}). We introduce two distinct loss functions to ensure the generation of sufficient samples that closely and uniformly align with the target model's decision boundary across multiple classes. Building on the limitation of current methods, which typically yield only one piece of supervised information per query, we propose the query-free sample augmentation that enables the acquisition of additional supervised information without increasing the number of queries. Motivated by theoretical analysis, we adopt the consistency rate metric, which more accurately evaluates the similarity between the substitute and target models. We conducted extensive experiments to verify the effectiveness of our proposed method, which achieved better performance with fewer queries compared to the state-of-the-art methods on the real \textbf{MLaaS} scenario and five datasets.