Adversarial Examples In Model Extraction

Posted on by Brian Colwell

While primarily known for their use in evasion attacks (causing misclassification), adversarial examples can also aid in model extraction by systematically exploring decision boundaries. By generating samples that lie close to these boundaries and observing the model’s responses, attackers can map the contours of the model’s decision space more efficiently than with random samples, accelerating the extraction process and improving the fidelity of the substitute model.

Adversarial Examples Are A Foundational Model Extraction Tool

As summarized by recent research (Carlini et al., 2023), adversarial examples are a foundational tool in model extraction attacks, enabling attackers to reverse-engineer LLMs and other AI models through carefully crafted queries designed to probe a target model’s decision boundaries, manipulate outputs to reveal underlying data or architecture details, or deliberately cause incorrect outputs that leak information about internal mechanisms. These examples exploit vulnerabilities in machine learning systems by leveraging the gap between a model’s learned representations and the true distribution of the data. As Goodfellow et al. (2015) established, these inputs are often nearly indistinguishable from legitimate data to humans yet can cause models to make incorrect or unexpected predictions.

In a typical model extraction attack, adversaries systematically query the target model with these crafted inputs and observe the outputs to map the model’s behavior, following a methodical process of querying the target model, mapping decision boundaries, reconstructing functionality through a “student” model that mimics the “teacher,” and optimizing efficiency using active learning techniques. Attackers generate these inputs to explore the model’s behavior and, by observing the outputs to their crafted queries, can infer the model’s internal logic and replicate it in a substitute model (Papernot et al., 2017). Once a substitute model is built, attackers can use white-box adversarial techniques on their own copy to discover further vulnerabilities, which often transfer back to the original model due to similar decision boundaries (Papernot et al., 2016).

Types Of Adversarial Examples Utilized In Model Extraction Attacks

Popular types of adversarial examples in model extraction attacks include Boundary-Finding Examples, Confidence-Manipulation Examples, Gradient-Approximation Examples, Architecture-Probing Examples, and Parameter-Fishing Examples.

Boundary-Finding Examples

Boundary-finding examples are adversarial inputs specifically designed to identify and map the decision thresholds of a target model. These examples systematically probe the regions where the model transitions from one output class or response to another, effectively revealing the shape and location of the model’s decision boundaries. By generating sequences of inputs that lie close to these boundaries, attackers can reconstruct the geometric properties of the decision surface. This technique is particularly effective in equation-solving attacks against neural networks with ReLU activation functions, where critical boundary points can be used to recover model weights (Jagielski et al., 2020). Boundary-finding examples often employ active learning strategies to efficiently identify the most informative points along decision boundaries with minimal queries, making them a core component of model extraction attacks that aim to replicate a target model’s classification behavior with high fidelity.

Confidence-Manipulation Examples

Confidence-manipulation examples are adversarial inputs crafted to extract probability distributions and confidence scores from target models. These examples exploit the tendency of models to provide confidence values that reveal information about their internal representations and decision processes. Attackers carefully design inputs that cause the model to produce outputs with specific confidence patterns, then analyze these patterns to infer model parameters or architecture details. For models that only provide class labels without confidence scores, attackers may use techniques like Black-Box Dissector (Wang et al., 2022) or other emulation methods to estimate confidence scores by systematically modifying inputs and observing how the outputs change. By collecting sufficient confidence information across various inputs, attackers can build more accurate substitute models that not only match the classification decisions of the target model but also replicate its uncertainty characteristics, significantly improving the extraction attack’s fidelity.

Gradient-Approximation Examples

Gradient-approximation examples consist of sequences of carefully crafted inputs that help estimate gradients without direct access to the model’s parameters. These examples typically involve small, systematic perturbations to inputs to observe how the model’s output changes, effectively approximating the gradient through finite differences. Techniques like Jacobian-Based Data Augmentation (JBDA), introduced by Papernot et al., 2017, use these estimated gradients to generate new synthetic training points that improve the extraction process. By approximating the gradient direction with respect to the input, attackers can identify the most sensitive features that influence the model’s decisions and generate additional queries that more efficiently reveal the model’s behavior. This approach is particularly powerful because it allows attackers to simulate gradient-based optimization techniques that would normally require white-box access, enabling more accurate replica models while minimizing the number of queries needed.

Architecture-Probing Examples

Architecture-probing examples are specialized adversarial inputs designed to reveal elements of the target model’s structure, including layer types, depths, activation functions, and other architectural components. These examples often test specific hypotheses about the model architecture by generating inputs that would produce distinctive outputs if a particular architectural element is present. For instance, meta-model attacks use architecture-probing examples to predict hyperparameters like the number of convolutional layers in a neural network. By analyzing how the model responds to these specially crafted inputs, attackers can infer what components make up the model and how they’re connected. This architectural information is crucial for attackers attempting to build substitute models that closely mimic the target model’s structure, as matching the architecture significantly improves the chances of successfully replicating the target model’s behavior across diverse inputs.

Parameter-Fishing Examples

Parameter-fishing examples are carefully crafted prompts designed to elicit responses from a model that might reveal training details, parameter values, or other internal configuration information. These examples are particularly relevant to large language models and text-based systems, where carefully formulated queries can sometimes cause the model to reveal information about its training process or parameter settings. For instance, attackers might use prompt engineering techniques to craft queries that indirectly reveal information about specific parameters or hyperparameters. In some cases, these examples might exploit the model’s tendency to memorize training data, potentially revealing sensitive information from the training dataset (Carlini et al., 2023). The effectiveness of parameter-fishing examples often relies on exploiting edge cases in the model’s behavior or leveraging the unintended consequences of how the model was trained, making them difficult to defend against without comprehensive testing and robust safeguards.

Thanks for reading!