Linear Model Extraction via Factual and Counterfactual Queries

TL;DR

This paper investigates how different types of queries, especially counterfactuals, can be used to extract linear models' parameters, revealing the influence of distance measures and robustness on query efficiency and model security.

Contribution

It introduces mathematical formulations for classification regions based on various queries and derives bounds on the number of queries needed for model extraction under different distance measures.

Findings

Single counterfactual query suffices with differentiable distances

Query complexity grows linearly with data dimension for polyhedral distances

Robust counterfactuals require twice as many queries as standard counterfactuals

Abstract

In model extraction attacks, the goal is to reveal the parameters of a black-box machine learning model by querying the model for a selected set of data points. Due to an increasing demand for explanations, this may involve counterfactual queries besides the typically considered factual queries. In this work, we consider linear models and three types of queries: factual, counterfactual, and robust counterfactual. First, for an arbitrary set of queries, we derive novel mathematical formulations for the classification regions for which the decision of the unknown model is known, without recovering any of the model parameters. Second, we derive bounds on the number of queries needed to extract the model's parameters for (robust) counterfactual queries under arbitrary norm-based distances. We show that the full model can be recovered using just a single counterfactual query when differentiable distance measures are employed. In contrast, when using polyhedral distances for instance, the number of required queries grows linearly with the dimension of the data space. For robust counterfactuals, the latter number of queries doubles. Consequently, the applied distance function and robustness of counterfactuals have a significant impact on the model's security.