We study black-box model stealing attacks in which the attacker can query a machine learning model only through publicly available APIs. Specifically, our aim is to design a black-box model extraction attack that uses a minimal number of queries to create an informative and distributionally equivalent replica of the target model. First, we define distributionally equivalent and max-information model extraction attacks. Then, we reduce both attacks to a variational optimisation problem. The attacker solves this problem to select the most informative queries, i.e. those that simultaneously maximise the entropy and reduce the mismatch between the target and the stolen models. This leads us to an active sampling-based query selection algorithm, Marich. We evaluate Marich on different text and image data sets and different models, including BERT and ResNet18. Marich is able to extract models that achieve $69-96\%$ of the true model's accuracy while using $1,070 - 6,950$ samples from publicly available query datasets, which are different from the private training datasets. Models extracted by Marich yield prediction distributions that are $\sim2-4\times$ closer to the target's distribution than those produced by existing active sampling-based algorithms. The extracted models also lead to $85-95\%$ accuracy under membership inference attacks. Experimental results validate that Marich is query-efficient and is also capable of performing task-accurate, high-fidelity, and informative model extraction.