From Counterfactuals to Trees: Competitive Analysis of Model Extraction Attacks
Awa Khouna, Julien Ferry, Thibaut Vidal

TL;DR
This paper analyzes the security risks of model extraction attacks on tree-based machine learning models, introducing a formal framework and algorithms that quantify the query complexity needed for faithful model reconstruction.
Contribution
It provides the first formal analysis of model extraction attacks using competitive analysis and introduces novel algorithms with provable fidelity for extracting tree-based models.
Findings
Established theoretical bounds on query complexity for model extraction.
Developed algorithms achieving perfect fidelity in model reconstruction.
Provided insights into security vulnerabilities of tree-based models.
Abstract
The advent of Machine Learning as a Service (MLaaS) has heightened the trade-off between model explainability and security. In particular, explainability techniques, such as counterfactual explanations, inadvertently increase the risk of model extraction attacks, enabling unauthorized replication of proprietary models. In this paper, we formalize and characterize the risks and inherent complexity of model reconstruction, focusing on the "oracle" queries required for faithfully inferring the underlying prediction function. We present the first formal analysis of model extraction attacks through the lens of competitive analysis, establishing a foundational framework to evaluate their efficiency. Focusing on models based on additive decision trees (e.g., decision trees, gradient boosting, and random forests), we introduce novel reconstruction algorithms that achieve provably perfect…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Advanced Malware Detection Techniques · Security and Verification in Computing
