Zero-Knowledge Attack for Replicating Protected Deep Neural Networks

Itay Mosafi, Eli David, Nathan S. Netanyahu

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

As deep neural networks continue to improve and provide state-of-the-art solutions to a wide range of problems, their deployment becomes more common, and so does the importance of protecting them against malicious attacks that attempt to replicate them. In this paper, we present a novel zero-knowledge method for attacking deep neural networks and stealing their knowledge. Our method uses only unlabeled data and the predictions of the mentor model we wish to steal. It targets the most protected models, which reveal only the minimal amount of information, i.e., the predicted label. We assume no access to any internal information about the model and no access to its training data. The presented method improves on the state-of-the-art performance in attacking protected neural network models. The results show that all classification neural networks are vulnerable to the presented attack, and that an attacker can effectively replicate such models without access to their architecture, parameters, training data, or softmax outputs.
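To illustrate the setting the abstract describes, the sketch below shows a student ("replica") model being trained on unlabeled data using only the hard labels returned by a black-box mentor. This is a minimal, hypothetical example, not the authors' actual training procedure: the mentor and student architectures, the query interface, and the optimizer are placeholder assumptions, and the real method may differ substantially.

```python
import torch
import torch.nn as nn
import torch.nn.functional as F

# Hypothetical black-box "mentor": only its predicted label (argmax) is observable,
# matching the threat model in which no softmax outputs or internals are exposed.
@torch.no_grad()
def query_mentor_labels(mentor: nn.Module, x: torch.Tensor) -> torch.Tensor:
    """Return hard labels only -- no logits, probabilities, or gradients."""
    return mentor(x).argmax(dim=1)

def replicate_step(student: nn.Module,
                   mentor: nn.Module,
                   unlabeled_batch: torch.Tensor,
                   optimizer: torch.optim.Optimizer) -> float:
    """One training step of the student on unlabeled data, supervised solely by
    the mentor's predicted labels (the minimal information a protected model reveals)."""
    hard_labels = query_mentor_labels(mentor, unlabeled_batch)
    optimizer.zero_grad()
    logits = student(unlabeled_batch)
    loss = F.cross_entropy(logits, hard_labels)  # treat mentor predictions as ground truth
    loss.backward()
    optimizer.step()
    return loss.item()
```

In this sketch the student never sees the mentor's training data, parameters, or confidence scores; it learns purely from label queries on arbitrary unlabeled inputs, which is the zero-knowledge regime the paper addresses.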

Original language: English
Title of host publication: IJCNN 2023 - International Joint Conference on Neural Networks, Proceedings
Publisher: Institute of Electrical and Electronics Engineers Inc.
ISBN (Electronic): 9781665488679
DOIs
State: Published - 2023
Event: 2023 International Joint Conference on Neural Networks, IJCNN 2023 - Gold Coast, Australia
Duration: 18 Jun 2023 - 23 Jun 2023

Publication series

Name: Proceedings of the International Joint Conference on Neural Networks
Volume: 2023-June

Conference

Conference: 2023 International Joint Conference on Neural Networks, IJCNN 2023
Country/Territory: Australia
City: Gold Coast
Period: 18/06/23 - 23/06/23

Bibliographical note

Publisher Copyright:
© 2023 IEEE.
