
Linear Model Extraction via Factual and Counterfactual Queries

Daan Otto, Jannis Kurtz, Dick den Hertog, Ilker Birbil

TL;DR

The paper analyzes how a linear classifier can be reverse-engineered via different query types: factual, counterfactual, and robust counterfactual. It derives tractable formulations for the classification regions under arbitrary query sets and establishes precise bounds on the number of queries needed to recover the hyperplane parameters, showing that differentiable distance measures enable exact recovery with a single counterfactual, while non-differentiable measures require up to $p+1$ counterfactuals (and more under robustness). Robust counterfactuals further amplify privacy by increasing the data needed for parameter recovery, with the distance function and robustness level significantly affecting security. The results illuminate privacy-security trade-offs in explainability tools and suggest avenues for defense, kernel extensions, and broader model classes. All mathematical notation is presented with explicit delimiters to ensure clarity and reproducibility.

Abstract

In model extraction attacks, the goal is to reveal the parameters of a black-box machine learning model by querying the model for a selected set of data points. Due to an increasing demand for explanations, this may involve counterfactual queries besides the typically considered factual queries. In this work, we consider linear models and three types of queries: factual, counterfactual, and robust counterfactual. First, for an arbitrary set of queries, we derive novel mathematical formulations for the classification regions for which the decision of the unknown model is known, without recovering any of the model parameters. Second, we derive bounds on the number of queries needed to extract the model's parameters for (robust) counterfactual queries under arbitrary norm-based distances. We show that the full model can be recovered using just a single counterfactual query when differentiable distance measures are employed. In contrast, when using polyhedral distances for instance, the number of required queries grows linearly with the dimension of the data space. For robust counterfactuals, the latter number of queries doubles. Consequently, the applied distance function and robustness of counterfactuals have a significant impact on the model's security.
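As an added illustration, not code from the paper or its authors, the following Python script constructs a hidden three-dimensional linear classifier and simulates the two kinds of counterfactual oracle the abstract contrasts: a Euclidean (differentiable) distance and the max norm (a polyhedral distance). The classifier weights, the query points and the reconstruction routines are the example's own assumptions; in particular, the multi-point reconstruction for the max-norm case is a plain fit through p boundary points in general position, used here to mirror the linear-in-dimension bound, and is not the paper's procedure. The script shows the leakage difference behind the paper's security conclusion: one Euclidean counterfactual already yields an equivalent hyperplane, whereas one max-norm counterfactual reveals only the sign pattern of the normal vector, so a model owner who must publish counterfactuals reduces what a single explanation discloses by the choice of distance.

```python
"""Toy illustration of how much a counterfactual explanation reveals about a
linear classifier, depending on the distance used to compute it."""
import numpy as np

# Hidden linear classifier (constructed for this example): 'Yes' iff w.x + b >= 0
W_TRUE = np.array([2.0, -1.0, 0.5])
B_TRUE = -0.5


def factual_query(x, w=W_TRUE, b=B_TRUE):
    """Factual query: the label of x (True = 'Yes', False = 'No')."""
    return float(w @ x + b) >= 0.0


def counterfactual_l2(x, w=W_TRUE, b=B_TRUE):
    """Closest boundary point under the Euclidean norm: orthogonal projection,
    so the step x_cf - x is parallel to the normal vector w."""
    return x - (w @ x + b) / (w @ w) * w


def counterfactual_linf(x, w=W_TRUE, b=B_TRUE):
    """A closest boundary point under the max norm. Minimising ||d||_inf subject
    to w.(x + d) + b = 0 gives d = -t * sign(w) with t = (w.x + b) / ||w||_1
    (Hoelder duality), so the step only reveals the sign pattern of w."""
    t = (w @ x + b) / np.abs(w).sum()
    return x - t * np.sign(w)


def normalise(w, b):
    """Canonical form of a hyperplane: (w, b) and (a*w, a*b), a > 0, coincide."""
    s = np.linalg.norm(w)
    return w / s, b / s


def equivalent(w1, b1, w2, b2, tol=1e-6):
    """Equivalent-hyperplane check: same half-spaces, i.e. equal up to a
    positive scaling factor."""
    a1, c1 = normalise(w1, b1)
    a2, c2 = normalise(w2, b2)
    return bool(np.allclose(a1, a2, atol=tol) and abs(c1 - c2) < tol)


def recover_from_one_counterfactual(x, x_cf, label):
    """Reconstruction that assumes the step x_cf - x is normal to the boundary.
    Exact for the Euclidean distance; wrong in general for polyhedral ones."""
    step = x_cf - x
    w_hat = -step if label else step    # orient towards the 'Yes' side
    b_hat = -(w_hat @ x_cf)             # the counterfactual lies on the boundary
    return w_hat, b_hat


def recover_from_boundary_points(points, x_ref, label_ref):
    """Hyperplane through p affinely independent boundary points in R^p: the
    null vector of [X | 1]. One factual label fixes the orientation."""
    X = np.asarray(points, dtype=float)
    A = np.hstack([X, np.ones((X.shape[0], 1))])
    _, _, vt = np.linalg.svd(A)
    v = vt[-1]                          # right singular vector for the zero singular value
    w_hat, b_hat = v[:-1], v[-1]
    if (float(w_hat @ x_ref + b_hat) >= 0.0) != label_ref:
        w_hat, b_hat = -w_hat, -b_hat
    return w_hat, b_hat


def demo(p=3, seed=0):
    """Returns (one_l2_suffices, one_linf_suffices, p_linf_suffice)."""
    rng = np.random.default_rng(seed)
    x = rng.normal(size=p)              # constructed query point
    label = factual_query(x)

    # Euclidean counterfactual: a single query pins down the hyperplane.
    w2, b2 = recover_from_one_counterfactual(x, counterfactual_l2(x), label)
    one_l2_suffices = equivalent(w2, b2, W_TRUE, B_TRUE)

    # Max-norm counterfactual: the same recipe returns only sign(w), not w.
    wi, bi = recover_from_one_counterfactual(x, counterfactual_linf(x), label)
    one_linf_suffices = equivalent(wi, bi, W_TRUE, B_TRUE)

    # p max-norm counterfactuals of generic points are p boundary points in
    # general position, which do determine the hyperplane (cost grows with p).
    xs = rng.normal(size=(p, p))
    boundary = [counterfactual_linf(xi) for xi in xs]
    wp, bp = recover_from_boundary_points(boundary, x, label)
    p_linf_suffice = equivalent(wp, bp, W_TRUE, B_TRUE)
    return one_l2_suffices, one_linf_suffices, p_linf_suffice


if __name__ == "__main__":
    print(demo())  # expected: (True, False, True)
```

The `equivalent` check encodes the paper's notion that only the hyperplane as a set of half-spaces matters, not the particular scaling of `(w, b)`; the robust-counterfactual variant from the abstract, where the returned point is pushed a margin away from the boundary, would break the `b_hat = -(w_hat @ x_cf)` step as well and is the reason the required query count rises further.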

Paper Structure

This paper contains 18 sections, 15 theorems, 78 equations, 6 figures, 1 table, 1 algorithm.

Key Result

Theorem 5

Given data points $\bm{x}^{(i)}$, $i\in I$ such that each $\bm{x}^{(i)}$ is classified as 'No' for $i\in I_{0}$ and as 'Yes' for $i\in I_1$, where $I_{0} \cup I_1 = I$. Then, the 'Yes' and 'No' regions are given by

Figures (6)

  • Figure 1: Illustration of the definitions.
  • Figure 2: Example of 'Yes' and 'No' regions for a set of given factuals.
  • Figure 3: Example of the classification regions given one data point classified as 'No' and corresponding counterfactual for different norms.
  • Figure 4: Example of extracting the hyperplane using counterfactual queries with $N_1=\ell_{\infty}$.
  • Figure 5: Example of extracting the hyperplane using robust counterfactual queries with $N_1=\ell_{\infty}$ and robustness set given by $\mathcal{S}=\{\bm{s}\mid\|\bm{s}\|_{1}\leq 1\}$.
  • ...and 1 more figure

Theorems & Definitions (36)

  • Definition 1: Equivalent Hyperplane
  • Definition 2: Factual Query
  • Definition 3: Counterfactual Query
  • Definition 4: Robust Counterfactual Query
  • Theorem 5
  • Theorem 6
  • Lemma 7
  • Theorem 8
  • Corollary 9
  • Remark 10
  • ...and 26 more