Machine Learning-as-a-Service (MLaaS) has become a widespread paradigm, making even the most complex machine learning models available to clients via, e.g., a pay-per-query principle. This allows users to avoid the time-consuming processes of data collection, hyperparameter tuning, and model training. However, by giving their customers access to (the predictions of) their models, MLaaS providers endanger their intellectual property, such as sensitive training data, optimised hyperparameters, or learned model parameters. Adversaries can create a copy of the model with (almost) identical behaviour using only the returned prediction labels. While many variants of this attack have been described, only scattered defence strategies have been proposed, each addressing an isolated threat. This raises the need for a thorough systematisation of the field of model stealing, to arrive at a comprehensive understanding of why these attacks succeed and how they could be defended against holistically. We address this by categorising and comparing model stealing attacks, assessing their performance, and exploring corresponding defence techniques in different settings. We propose a taxonomy for attack and defence approaches, and provide guidelines on how to select the right attack or defence strategy based on the goal and the available resources. Finally, we analyse which defences are rendered less effective by current attack strategies.
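The label-only extraction described above, as an added, self-contained illustration that is not code from the paper or from any MLaaS provider: a victim with a constructed secret linear decision boundary is exposed only through a metered `predict_label` call, and an attacker who never sees the training data or any confidence scores fits a surrogate from uniformly random queries and their returned labels. The victim weights, the query distribution, the query budget and the logistic-regression surrogate are all assumptions chosen for the demonstration; the point is the high agreement between copy and original, and that only the direction of the boundary (not the scale of the weights) is recoverable from labels alone.

```python
import math
import random


class VictimModel:
    """Stand-in for an MLaaS endpoint: a linear classifier whose weights are
    the provider's secret (constructed for this example). Clients see only the
    predicted label, and every call is counted as if billed pay-per-query."""

    def __init__(self, weights, bias):
        self._w = weights   # secret model parameters
        self._b = bias      # secret bias
        self.queries = 0    # billing counter

    def predict_label(self, x):
        self.queries += 1
        score = sum(wi * xi for wi, xi in zip(self._w, x)) + self._b
        return 1 if score > 0 else 0


def sample_inputs(n, dim, rng):
    """Attacker-side synthetic queries drawn uniformly from [-1, 1]^dim.
    The attacker has no access to the provider's training data (assumption)."""
    return [[rng.uniform(-1.0, 1.0) for _ in range(dim)] for _ in range(n)]


def train_surrogate(xs, ys, epochs=300, lr=0.5):
    """Logistic regression fitted by batch gradient descent on the
    (query, label) pairs harvested from the victim; labels only, no scores."""
    dim = len(xs[0])
    n = len(xs)
    w = [0.0] * dim
    b = 0.0
    for _ in range(epochs):
        gw = [0.0] * dim
        gb = 0.0
        for x, y in zip(xs, ys):
            z = sum(wi * xi for wi, xi in zip(w, x)) + b
            p = 1.0 / (1.0 + math.exp(-z))
            err = p - y                      # gradient of the log-loss w.r.t. z
            for i in range(dim):
                gw[i] += err * x[i]
            gb += err
        w = [wi - lr * gi / n for wi, gi in zip(w, gw)]
        b -= lr * gb / n
    return w, b


def surrogate_label(w, b, x):
    return 1 if sum(wi * xi for wi, xi in zip(w, x)) + b > 0 else 0


def agreement(victim, w, b, xs):
    """Fraction of held-out inputs on which the stolen copy and the victim agree."""
    same = sum(victim.predict_label(x) == surrogate_label(w, b, x) for x in xs)
    return same / len(xs)


def cosine(u, v):
    dot = sum(a * c for a, c in zip(u, v))
    return dot / (math.sqrt(sum(a * a for a in u)) * math.sqrt(sum(c * c for c in v)))


def run_extraction(query_budget=300, seed=7):
    """Run the attack end to end and report what the attacker obtained."""
    rng = random.Random(seed)
    victim = VictimModel(weights=[1.5, -2.0, 0.7], bias=0.3)  # constructed secret
    xs = sample_inputs(query_budget, 3, rng)
    ys = [victim.predict_label(x) for x in xs]                # label-only oracle
    spent = victim.queries                                    # attacker's bill so far
    w, b = train_surrogate(xs, ys)
    # Evaluation queries below are the auditor's, not part of the attack budget.
    held_out = sample_inputs(1000, 3, rng)
    agree = agreement(victim, w, b, held_out)
    # Labels fix only the sign of w.x + b, so the scale of the secret weights is
    # not recoverable; compare the direction of the augmented vector (w, b).
    direction_match = cosine(w + [b], victim._w + [victim._b])
    return {"queries": spent, "agreement": agree, "direction_cosine": direction_match}


if __name__ == "__main__":
    print(run_extraction())
```

Replacing the linear victim with any other black-box `predict_label` (a tree, a neural network) leaves the attacker's code unchanged, which is the point of the threat: the only interface the provider exposes is already enough to train a functional copy, and the cost to the adversary is bounded by the query budget rather than by the provider's data collection and training effort.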