Stealix: Model Stealing via Prompt Evolution

TL;DR

Stealix introduces a novel prompt evolution method using genetic algorithms to perform model stealing without predefined prompts, significantly increasing attack efficiency and scalability against open-source pre-trained models.

Contribution

This work presents the first prompt-free approach for model stealing that infers data distribution and refines synthetic data generation without prior prompt knowledge.

Findings

Stealix outperforms existing methods in accuracy and diversity of generated data.

It operates effectively without class name knowledge or manual prompt crafting.

The approach demonstrates high scalability and threat potential of pre-trained models.

Abstract

Model stealing poses a significant security risk in machine learning by enabling attackers to replicate a black-box model without access to its training data, thus jeopardizing intellectual property and exposing sensitive information. Recent methods that use pre-trained diffusion models for data synthesis improve efficiency and performance but rely heavily on manually crafted prompts, limiting automation and scalability, especially for attackers with little expertise. To assess the risks posed by open-source pre-trained models, we propose a more realistic threat model that eliminates the need for prompt design skills or knowledge of class names. In this context, we introduce Stealix, the first approach to perform model stealing without predefined prompts. Stealix uses two open-source pre-trained models to infer the victim model's data distribution, and iteratively refines prompts through a genetic algorithm, progressively improving the precision and diversity of synthetic images. Our experimental results demonstrate that Stealix significantly outperforms other methods, even those with access to class names or fine-grained prompts, while operating under the same query budget. These findings highlight the scalability of our approach and suggest that the risks posed by pre-trained generative models in model stealing may be greater than previously recognized.