
Exploring Query Efficient Data Generation towards Data-free Model Stealing in Hard Label Setting

Gaozheng Pei, Shaojie Lyu, Ke Ma, Pinci Yang, Qianqian Xu, Yingfei Sun

TL;DR

This work addresses data-free model stealing under hard-label MLaaS by introducing Query Efficient Data Generation (QEDG), which steers synthetic samples toward the target model's decision boundary using harmony and diversity losses, and leverages query-free augmentation with a memory bank to extract richer supervision without increasing the number of queries. A theoretical analysis bounds the required queries under imperfect feedback, showing that query complexity is reduced by a logarithmic factor, while experiments on five datasets and a real MLaaS Azure scenario demonstrate superior accuracy and consistency against state-of-the-art baselines. The key components (harmony loss, diversity loss, and query-free augmentation) are validated through ablations, underscoring their complementary roles in efficiently uncovering the target decision boundary. The findings have practical implications both for attackers seeking efficient model copies and for defenders evaluating MLaaS robustness against data-free stealing.

Abstract

Data-free model stealing involves replicating the functionality of a target model into a substitute model without accessing the target model's structure, parameters, or training data. The adversary can only access the target model's predictions for generated samples. Once the substitute model closely approximates the behavior of the target model, attackers can exploit its white-box characteristics for subsequent malicious activities, such as adversarial attacks. Existing methods within cooperative game frameworks often produce samples on which the substitute model is highly confident, which makes it difficult for the substitute model to replicate the behavior of the target model. This paper presents a new data-free model stealing approach called Query Efficient Data Generation (QEDG). We introduce two distinct loss functions to ensure the generation of sufficient samples that closely and uniformly align with the target model's decision boundary across multiple classes. Addressing the limitation of current methods, which typically yield only one piece of supervised information per query, we propose a query-free sample augmentation that acquires additional supervised information without increasing the number of queries. Motivated by theoretical analysis, we adopt the consistency rate metric, which more accurately evaluates the similarity between the substitute and target models. We conducted extensive experiments to verify the effectiveness of our proposed method, which achieved better performance with fewer queries than the state-of-the-art methods on a real MLaaS scenario and five datasets.

Paper Structure

This paper contains 15 sections, 2 theorems, 33 equations, 5 figures, 4 tables, 1 algorithm.

Key Result

Theorem 1

Let $\boldsymbol{\mathcal{F}}$ be a hypothesis class and $(\boldsymbol{\mathcal{A}},\boldsymbol{\mathcal{T}})$ refer to an active learning algorithm as described above with query complexity $q(\epsilon,\delta)$. Suppose that an adversary $\boldsymbol{\mathcal{S}}$ disguises as … where $\boldsymbol{y}_g$ is the random variable that represents the feedback of …

Figures (5)

  • Figure 1: Compared to previous methods (top), our proposed approach (bottom) guides the generator to produce samples that are sufficiently close to the decision boundary of the substitute model. This results in more samples falling into the disputed area, thereby directing the substitute model to approach the target model in the correct direction.
  • Figure 2: The confidence vectors of the points in the shaded area are displayed above. Our goal is to ensure that the generated sample points are as close to the decision boundary as possible while also minimizing intra-class similarity. This approach aims to distribute the generated samples as closely as possible along the decision boundary.
  • Figure 3: The consistency rate of predicted labels by the target model for non-disputed samples before and after data augmentation.
  • Figure 4: The accuracy of our method and other methods varies with the number of queries on Microsoft Azure.
  • Figure 5: Sensitivity analysis about hyperparameters $\alpha$ and $\beta$ and $\gamma$.

Theorems & Definitions (3)

  • Theorem
  • Theorem
  • Proof