Oliynyk, D. (2023). Man of steal: Exploring model stealing attacks against image classifiers [Diploma Thesis, Technische Universität Wien]. reposiTUm. https://doi.org/10.34726/hss.2023.102080
E194 - Institut für Information Systems Engineering
Date (published):
2023
Extent (pages):
137
Keywords:
Machine Learning; Model Stealing; Convolutional Neural Networks
Abstract:
Machine learning models offered as a service are the most common targets of model stealing attacks, which aim to reproduce a model's behaviour without its owner's consent. Such attacks lead to intellectual property violations and unfair competition, which has brought more attention to the topic. This work analyses the most significant group of model stealing attacks against black-box image classifiers. We categorise the relevant work by the attacker profile it assumes and highlight inconsistencies in experiment design and attack evaluation that lead to comparability issues. Further, we conduct experiments against CNN image classifiers and investigate how different attacker capabilities and attack optimisation techniques affect attack performance. In particular, we propose a novel data-free attack that is significantly more efficient than the state of the art while achieving comparable performance. Subsequently, we study three data-perturbation defences as countermeasures against model stealing attacks and investigate how they affect the utility of the target model. Finally, we revisit the issues identified in the related work and propose solutions for each to ensure comparability in future work.