Model extraction attacks are designed to steal trained models with only query access, as is often provided through APIs that ML-as-a-Service providers offer. ML models are expensive to train, in part because data is hard to obtain, and a primary incentive for model extraction is to acquire a model while incurring less cost than training from scratch. Literature on model extraction commonly claims or presumes that the attacker is able to save on both data acquisition and labeling costs. We show that the attacker often does not. This is because current attacks implicitly rely on the adversary being able to sample from the victim model's data distribution. We thoroughly evaluate factors influencing the success of model extraction. We discover that prior knowledge of the attacker, i.e. access to in-distribution data, dominates other factors like the attack policy the adversary follows to choose which queries to make to the victim model API. Thus, an adversary looking to develop an equally capable model with a fixed budget has little practical incentive to perform model extraction, since for the attack to work they need to collect in-distribution data, saving only on the cost of labeling. With low labeling costs in the current market, the usefulness of such attacks is questionable. Ultimately, we demonstrate that the effect of prior knowledge needs to be explicitly decoupled from the attack policy. To this end, we propose a benchmark to evaluate attack policy directly.