Counterfactual explanations find ways of achieving a favorable model outcome with minimum input perturbation. However, counterfactual explanations can also be exploited to steal the model by strategically training a surrogate model to give predictions similar to those of the original (target) model. In this work, we investigate model extraction by specifically leveraging the fact that counterfactual explanations also lie quite close to the decision boundary. We propose a novel strategy for model extraction that we call the Counterfactual Clamping Attack (CCA), which trains a surrogate model using a unique loss function that treats counterfactuals differently from ordinary instances. Our approach also alleviates the related problem of decision boundary shift that arises in existing model extraction attacks that treat counterfactuals as ordinary instances. We also derive novel mathematical relationships between the error in model approximation and the number of queries using polytope theory. Experimental results demonstrate that our strategy provides improved fidelity between the target and surrogate model predictions on several real-world datasets.