Holistic Implicit Factor Evaluation of Model Extraction Attacks
Model extraction attacks (MEAs) allow adversaries to replicate a surrogate model analogous to the target model's decision pattern. While several attacks and defenses have been studied in-depth, the underlying reasons behind our susceptibility to them often remain unclear. Analyzing these implic...
Published in: | IEEE transactions on dependable and secure computing 2023-11, Vol.20 (6), p.1-12 |
---|---|
Main Authors: | Yan, Anli; Yan, Hongyang; Hu, Li; Liu, Xiaozhang; Huang, Teng |
Format: | Article |
Language: | English |
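Subjects: | Ablation; Analytical models; Computational modeling; Computer architecture; Empirical analysis; Evaluation; implicit factors; Mathematical models; Model accuracy; model extraction attacks; Predictive models; Robustness; Task analysis; Training |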
cited_by | cdi_FETCH-LOGICAL-c293t-a6e2536d21b6e444bd4fa11d4ef47fe91d31c197e41e2011257cbcb63dd7e83d3 |
---|---|
cites | cdi_FETCH-LOGICAL-c293t-a6e2536d21b6e444bd4fa11d4ef47fe91d31c197e41e2011257cbcb63dd7e83d3 |
container_end_page | 12 |
container_issue | 6 |
container_start_page | 1 |
container_title | IEEE transactions on dependable and secure computing |
container_volume | 20 |
creator | Yan, Anli; Yan, Hongyang; Hu, Li; Liu, Xiaozhang; Huang, Teng |
description | Model extraction attacks (MEAs) allow adversaries to replicate a surrogate model analogous to the target model's decision pattern. While several attacks and defenses have been studied in-depth, the underlying reasons behind our susceptibility to them often remain unclear. Analyzing these implication influence factors helps to promote secure deep learning (DL) systems; it requires studying extraction attacks in various scenarios to determine the success of different attacks and the hallmarks of DLs. However, understanding, implementing, and evaluating even a single attack requires extremely high technical effort, making it impractical to study the vast number of unique extraction attack scenarios. To this end, we present a first-of-its-kind holistic evaluation of implication factors for MEAs which relies on the attack process abstracted from state-of-the-art MEAs. Specifically, we concentrate on four perspectives. We consider the impact of the task accuracy, model architecture, and robustness of the target model on MEAs, as well as the impact of the model architecture of the surrogate model on MEAs. Our empirical evaluation includes an ablation study over sixteen model architectures and four image datasets. Surprisingly, our study shows that improving the robustness of the target model via adversarial training is more vulnerable to model extraction attacks. |
doi_str_mv | 10.1109/TDSC.2022.3231271 |
format | article |
fulltext | fulltext |
identifier | ISSN: 1545-5971 |
ispartof | IEEE transactions on dependable and secure computing, 2023-11, Vol.20 (6), p.1-12 |
issn | 1545-5971; 1941-0018 |
language | eng |
recordid | cdi_proquest_journals_2889731343 |
source | IEEE Xplore (Online service) |
subjects | Ablation; Analytical models; Computational modeling; Computer architecture; Empirical analysis; Evaluation; implicit factors; Mathematical models; Model accuracy; model extraction attacks; Predictive models; Robustness; Task analysis; Training |
title | Holistic Implicit Factor Evaluation of Model Extraction Attacks |