With growing popularity, deep learning (DL) models are becoming larger in scale, and only companies with vast training datasets and immense computing power can run a business serving such large models. Most of these DL models are proprietary, so the companies that own them strive to keep their private models safe from the model extraction attack (MEA), whose aim is to steal a model by training surrogate models. Nowadays, companies are inclined to offload models from central servers to edge/endpoint devices. As the latest studies reveal, adversaries exploit this as a new attack vector: they launch a side-channel attack (SCA) on the device running the victim model and obtain various pieces of model information, such as the model architecture (MA) and image dimension (ID). Our work provides, for the first time, a comprehensive understanding of the relationship between the model information exposed by SCA and the effectiveness of MEA, and it would benefit future MEA studies on both the offensive and defensive sides by showing which pieces of information exposed by SCA matter more than others. Our analysis additionally reveals that, by grasping the victim model information from SCA, MEA can become highly effective and successful even without any prior knowledge of the model. Finally, to demonstrate the practicality of our analysis results, we empirically apply SCA and subsequently carry out MEA under realistic threat assumptions. The results show up to 5.8 times better performance than when the adversary has no information about the victim model.