BESA: Boosting Encoder Stealing Attack with Perturbation Recovery

TL;DR

BESA is a novel attack method that effectively overcomes perturbation-based defenses in encoder stealing by detecting and recovering perturbed features, significantly improving attack accuracy.

Contribution

It introduces a two-module approach combining perturbation detection and recovery to enhance encoder stealing attacks against defenses.

Findings

BESA improves surrogate encoder accuracy by up to 24.63%.

It effectively bypasses state-of-the-art perturbation defenses.

The method is validated across various datasets.

Abstract

To boost the encoder stealing attack under the perturbation-based defense that hinders the attack performance, we propose a boosting encoder stealing attack with perturbation recovery named BESA. It aims to overcome perturbation-based defenses. The core of BESA consists of two modules: perturbation detection and perturbation recovery, which can be combined with canonical encoder stealing attacks. The perturbation detection module utilizes the feature vectors obtained from the target encoder to infer the defense mechanism employed by the service provider. Once the defense mechanism is detected, the perturbation recovery module leverages the well-designed generative model to restore a clean feature vector from the perturbed one. Through extensive evaluations based on various datasets, we demonstrate that BESA significantly enhances the surrogate encoder accuracy of existing encoder stealing attacks by up to 24.63\% when facing state-of-the-art defenses and combinations of multiple defenses.