We study the design of black-box model extraction attacks that send a minimal number of queries, drawn from a publicly available dataset, to a target ML model through a prediction API, with the aim of creating an informative and distributionally equivalent replica of the target. First, we define distributionally equivalent and Max-Information model extraction attacks, and reduce them to a variational optimisation problem. The attacker sequentially solves this optimisation problem to select the most informative queries, which simultaneously maximise the entropy and reduce the mismatch between the target and the stolen models. This leads to an active sampling-based query selection algorithm, Marich, which is model-oblivious. We then evaluate Marich on different text and image datasets and different models, including CNNs and BERT. Marich extracts models that achieve $\sim 60-95\%$ of the target model's accuracy using $\sim 1,000 - 8,500$ queries from publicly available datasets, which are different from the private training datasets. Models extracted by Marich yield prediction distributions that are $\sim 2-4\times$ closer to the target's distribution than those produced by existing active sampling-based attacks. The extracted models also lead to $84-96\%$ accuracy under membership inference attacks. Experimental results validate that Marich is query-efficient and capable of task-accurate, high-fidelity, and informative model extraction.
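The loop the abstract describes (query a prediction API from a public pool, pick the points that are most informative for the current copy, refit the copy to the returned distributions, repeat within a query budget) can be seen end to end on a toy problem. The block below is an added illustration and is not the paper's Marich code: the target is a constructed 3-class linear softmax model standing in for the private model, the public pool and test points are synthetic, and the selection rule (rank unqueried points by the surrogate's predictive entropy, then minimise cross-entropy against the target's returned probability vectors) is a simplified stand-in for the paper's variational objective, assumed here for illustration. It also reports the two quantities the abstract uses to judge a copy, label agreement (fidelity) and distance between prediction distributions, and counts the API queries spent, which is the signal a defender sees.

```python
"""Toy active-sampling model extraction against a black-box prediction API.
Illustration only: target, pool and test data are constructed here; the
entropy-based selection rule is an assumed simplification, not Marich's."""
import math
import random

NUM_CLASSES = 3
DIM = 2


def softmax(logits):
    m = max(logits)
    exps = [math.exp(v - m) for v in logits]
    total = sum(exps)
    return [e / total for e in exps]


def entropy(p):
    return -sum(q * math.log(q) for q in p if q > 0.0)


def argmax(p):
    return max(range(len(p)), key=lambda i: p[i])


class LinearSoftmax:
    """Multinomial logistic regression; used for both target and surrogate."""

    def __init__(self, weights=None, bias=None):
        self.w = weights if weights is not None else [[0.0] * DIM for _ in range(NUM_CLASSES)]
        self.b = bias if bias is not None else [0.0] * NUM_CLASSES

    def predict_proba(self, x):
        return softmax([sum(wc * xi for wc, xi in zip(self.w[c], x)) + self.b[c]
                        for c in range(NUM_CLASSES)])

    def fit_soft(self, xs, soft_labels, epochs=200, lr=0.1):
        # SGD on cross-entropy against the target's probability vectors, i.e.
        # minimising KL(target || surrogate) on the queried points: the
        # "reduce the mismatch" half of the objective.
        for _ in range(epochs):
            for x, t in zip(xs, soft_labels):
                p = self.predict_proba(x)
                for c in range(NUM_CLASSES):
                    g = p[c] - t[c]
                    for d in range(DIM):
                        self.w[c][d] -= lr * g * x[d]
                    self.b[c] -= lr * g


class BlackBoxAPI:
    """The attacker's only access to the target: probability vectors, counted."""

    def __init__(self, model):
        self._model = model
        self.queries = 0

    def query(self, x):
        self.queries += 1
        return self._model.predict_proba(x)


def make_points(n, seed):
    rng = random.Random(seed)
    return [[rng.uniform(-3.0, 3.0) for _ in range(DIM)] for _ in range(n)]


# Constructed target weights (stand-in for the private model) and synthetic data.
TARGET = LinearSoftmax(weights=[[2.0, 0.5], [-1.5, 1.5], [0.0, -2.0]], bias=[0.0, 0.0, 0.3])
PUBLIC_POOL = make_points(400, seed=0)   # attacker's public query pool
TEST_POINTS = make_points(300, seed=1)   # held out, used only to score the copy


def extract(api, pool, budget, batch, strategy, seed=0):
    """Active extraction: query `budget` pool points in batches, refit after each."""
    rng = random.Random(seed)
    surrogate = LinearSoftmax()
    remaining = list(range(len(pool)))
    xs, soft = [], []
    while len(xs) < budget:
        k = min(batch, budget - len(xs))
        if strategy == "entropy" and xs:
            # "maximise the entropy": rank unqueried points by surrogate uncertainty.
            chosen = sorted(remaining, key=lambda i: entropy(surrogate.predict_proba(pool[i])),
                            reverse=True)[:k]
        else:
            chosen = rng.sample(remaining, k)   # random baseline / cold-start batch
        for i in chosen:
            remaining.remove(i)
            xs.append(pool[i])
            soft.append(api.query(pool[i]))
        surrogate.fit_soft(xs, soft)
    return surrogate


def evaluate(surrogate, target, points):
    """Fidelity (label agreement) and mean total-variation distance to the target.
    Uses the target directly, which is only possible in the lab, not via the API."""
    agree, tv = 0, 0.0
    for x in points:
        p, q = target.predict_proba(x), surrogate.predict_proba(x)
        agree += argmax(p) == argmax(q)
        tv += 0.5 * sum(abs(a - b) for a, b in zip(p, q))
    return agree / len(points), tv / len(points)


def run(strategy, budget=60, batch=10):
    api = BlackBoxAPI(TARGET)
    surrogate = extract(api, PUBLIC_POOL, budget, batch, strategy)
    fidelity, tv = evaluate(surrogate, TARGET, TEST_POINTS)
    return {"queries": api.queries, "fidelity": fidelity, "tv": tv}


if __name__ == "__main__":
    for s in ("random", "entropy"):
        r = run(s)
        print(f"{s:8s} queries={r['queries']} fidelity={r['fidelity']:.3f} tv={r['tv']:.3f}")
```

Running it compares random sampling with entropy-driven sampling at the same budget; because the surrogate is refit on the target's full probability vectors rather than hard labels, the copy matches the target's prediction distribution, not just its argmax, which is what the abstract's distributional-equivalence criterion asks for. From the defender's side, note that the only observable is `api.queries` together with the queried inputs: the attack needs no access to the private training data, so query volume and the mismatch between queried inputs and the expected input distribution are the signals worth monitoring.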