Adversarial extraction attacks constitute an insidious threat against Deep Learning (DL) models, in which an adversary aims to steal the architecture, parameters, and hyper-parameters of a targeted DL model. The existing extraction attack literature has observed varying levels of attack success across different DL models and datasets, yet the underlying cause(s) of their susceptibility often remain unclear; understanding them would help facilitate the creation of secure DL systems. In this paper we present PINCH: an efficient and automated extraction attack framework capable of designing, deploying, and analyzing extraction attack scenarios across heterogeneous hardware platforms. Using PINCH, we perform an extensive experimental evaluation of extraction attacks against 21 model architectures to explore new extraction attack scenarios and further attack staging. Our findings show (1) key extraction characteristics whereby particular model configurations exhibit strong resilience against specific attacks, (2) even partial extraction success enables further staging of other adversarial attacks, and (3) equivalent stolen models uncover differences in expressive power, yet exhibit similar captured knowledge.
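To make the extraction-then-staging setting concrete, the following is an added example, not code from the paper or from the PINCH framework: a pure-Python, label-only extraction of a hypothetical linear black-box classifier, followed by an FGSM-style evasion input crafted on the stolen substitute and then checked against the victim. The victim's weights and bias, the query budget, the training hyper-parameters and the probe input are all assumed for illustration; the synthetic query points are constructed at random.

```python
import math
import random


class BlackBoxVictim:
    """Hypothetical deployed linear classifier. The attacker never sees _w or _b,
    only the hard label returned by query(), as with a label-only prediction API."""

    def __init__(self, weights, bias):
        self._w = list(weights)
        self._b = bias
        self.queries = 0  # query accounting; a defender could rate-limit on this

    def query(self, x):
        self.queries += 1
        return 1 if sum(w * xi for w, xi in zip(self._w, x)) + self._b > 0 else 0


def random_inputs(n, dim, rng):
    """Constructed synthetic query points in [-1, 1]^dim (no real data needed)."""
    return [[rng.uniform(-1.0, 1.0) for _ in range(dim)] for _ in range(n)]


def substitute_predict(w, b, x):
    return 1 if sum(wi * xi for wi, xi in zip(w, x)) + b > 0 else 0


def extract_substitute(victim, dim, rng, n_queries=600, epochs=400, lr=0.5):
    """Label-only extraction: query synthetic inputs, then fit a logistic-regression
    substitute to the returned labels with full-batch gradient descent."""
    xs = random_inputs(n_queries, dim, rng)
    ys = [victim.query(x) for x in xs]
    w, b = [0.0] * dim, 0.0
    for _ in range(epochs):
        gw, gb = [0.0] * dim, 0.0
        for x, y in zip(xs, ys):
            z = sum(wi * xi for wi, xi in zip(w, x)) + b
            err = 1.0 / (1.0 + math.exp(-z)) - y  # sigmoid(z) - label
            for i in range(dim):
                gw[i] += err * x[i]
            gb += err
        w = [wi - lr * gi / n_queries for wi, gi in zip(w, gw)]
        b -= lr * gb / n_queries
    return w, b


def agreement(victim, w, b, dim, rng, n=2000):
    """Fidelity of the stolen model: fraction of fresh inputs on which it matches the victim."""
    xs = random_inputs(n, dim, rng)
    return sum(victim.query(x) == substitute_predict(w, b, x) for x in xs) / n


def craft_evasion(w, x, eps):
    """Staging step: an FGSM-style perturbation computed on the substitute only, pushing a
    positive input toward the substitute's negative side. If the substitute is faithful
    enough, the perturbation transfers to the victim without touching its gradients."""

    def sign(v):
        return (v > 0) - (v < 0)

    return [xi - eps * sign(wi) for xi, wi in zip(x, w)]


def run_attack(seed=7):
    rng = random.Random(seed)
    # Hypothetical secret parameters of the deployed model (assumed for this example).
    victim = BlackBoxVictim(weights=[2.0, -1.0, 0.5], bias=0.3)
    w, b = extract_substitute(victim, dim=3, rng=rng)
    extraction_queries = victim.queries  # only the queries the attacker actually spent
    fidelity = agreement(victim, w, b, dim=3, rng=rng)
    probe = [0.1, 0.1, 0.1]  # constructed input that the victim labels 1
    adv = craft_evasion(w, probe, eps=0.3)
    return {
        "fidelity": fidelity,
        "queries_used": extraction_queries,
        "probe_label": victim.query(probe),
        "adv_label": victim.query(adv),
    }


if __name__ == "__main__":
    print(run_attack())
```

The `fidelity` figure is the label agreement between stolen and victim model on fresh inputs, which is the usual measure of extraction success; `queries_used` is the budget the attack consumed. The evasion input is crafted without any access to the victim beyond its labels, which is the kind of staging the abstract refers to: a substitute that is only partially faithful can still be good enough for a transfer attack. A linear victim is, of course, far simpler than the 21 architectures evaluated in the paper.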