DiMEx: Breaking the Cold Start Barrier in Data-Free Model Extraction via Latent Diffusion Priors
Yash Thesia, Meera Suthar

TL;DR
DiMEx leverages latent diffusion priors and Bayesian optimization to significantly improve data-free model extraction efficiency, overcoming the cold start problem and enabling high-fidelity attacks with fewer queries.
Contribution
The paper introduces DiMEx, a novel framework that uses latent diffusion models and Bayesian optimization to bypass the cold start problem in data-free model extraction attacks.
Findings
DiMEx achieves 52.1% agreement on SVHN with only 2,000 queries.
DiMEx outperforms state-of-the-art GAN-based methods by over 16%.
HSE defense reduces attack success rate to 21.6% with minimal latency.
Abstract
Model stealing attacks pose an existential threat to Machine Learning as a Service (MLaaS), allowing adversaries to replicate proprietary models for a fraction of their training cost. While Data-Free Model Extraction (DFME) has emerged as a stealthy vector, it remains fundamentally constrained by the "Cold Start" problem: GAN-based adversaries waste thousands of queries converging from random noise to meaningful data. We propose DiMEx, a framework that weaponizes the rich semantic priors of pre-trained Latent Diffusion Models to bypass this initialization barrier entirely. By employing Random Embedding Bayesian Optimization (REMBO) within the generator's latent space, DiMEx synthesizes high-fidelity queries immediately, achieving 52.1 percent agreement on SVHN with just 2,000 queries - outperforming state-of-the-art GAN baselines by over 16 percent. To counter this highly semantic…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Topic Modeling · Advanced Graph Neural Networks
