Assessing Risk of Stealing Proprietary Models for Medical Imaging Tasks
Ankita Raj, Harsh Swaika, Deepankar Varma, Chetan Arora

TL;DR
This paper explores the vulnerability of proprietary medical imaging models to model stealing attacks, demonstrating effective cloning methods under realistic constraints and proposing a novel query-efficient attack approach called QueryWise.
Contribution
It introduces a realistic threat assessment for medical imaging models and proposes QueryWise, a new query-efficient model stealing method using unlabeled proxy data.
Findings
Adversaries can clone models effectively with limited queries.
Proposed QueryWise improves attack efficiency without additional queries.
Medical imaging models are vulnerable to model stealing attacks.
Abstract
The success of deep learning in medical imaging applications has led several companies to deploy proprietary models in diagnostic workflows, offering monetized services. Even though model weights are hidden to protect the intellectual property of the service provider, these models are exposed to model stealing (MS) attacks, where adversaries can clone the model's functionality by querying it with a proxy dataset and training a thief model on the acquired predictions. While extensively studied on general vision tasks, the susceptibility of medical imaging models to MS attacks remains inadequately explored. This paper investigates the vulnerability of black-box medical imaging models to MS attacks under realistic conditions where the adversary lacks access to the victim model's training data and operates with limited query budgets. We demonstrate that adversaries can effectively execute…
Taxonomy
Topics: Advanced X-ray and CT Imaging
