Are you under the impression that adversaries can’t steal your model because it is hard to get access to training data for the niche task your model solves? In our latest work on “Data-Free Model Extraction” we show that adversaries can steal your model with ZERO knowledge of your training data, in a black-box setting where you only expose model predictions to the public. We use a synthetic data generator that maximizes the disparity in the predictions of the victim and the stolen copy (L1 loss) via weak gradient approximation using forward differences. While our work does pose a threat to MLaaS, it poses a bigger threat to on-device ML systems — where attackers can typically make an unrestricted number of queries at no additional cost.
- Data-Free Model Extraction. Jean-Baptiste Truong, Pratyush Maini, Robert J. Walls, Nicolas Papernot. IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR), 2021.
You can find the source code repository for this project at https://github.com/cake-lab/datafree-model-extraction.
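To make concrete what "weak gradient approximation using forward differences" means in terms of victim queries, the following added example (not code from the paper or its repository) estimates the gradient of the L1 disparity between a victim and a copy with respect to a synthetic input, using only the victim's outputs and counting every query. The victim and the copy are constructed toy linear models; `BlackBox`, `victim_fn`, `copy_fn`, and the input `[1.0, 2.0]` are assumptions made for this illustration.

```python
from typing import Callable, List

Vector = List[float]


class BlackBox:
    """Wraps a model so that only its predictions are observable and every
    query is counted. Constructed stand-in for a deployed victim model."""

    def __init__(self, fn: Callable[[Vector], Vector]) -> None:
        self._fn = fn
        self.queries = 0

    def __call__(self, x: Vector) -> Vector:
        self.queries += 1
        return self._fn(x)


def victim_fn(x: Vector) -> Vector:
    # Constructed 2-input / 2-output linear "victim" (assumption for the example).
    return [0.8 * x[0] - 0.3 * x[1], 0.1 * x[0] + 0.9 * x[1]]


def copy_fn(x: Vector) -> Vector:
    # Constructed, partially trained copy (assumption for the example).
    return [0.5 * x[0] - 0.1 * x[1], 0.2 * x[0] + 0.6 * x[1]]


def l1_disparity(victim: Callable[[Vector], Vector],
                 copy: Callable[[Vector], Vector], x: Vector) -> float:
    """L1 distance between victim and copy predictions at x.
    Each call costs exactly one victim query."""
    return sum(abs(v - c) for v, c in zip(victim(x), copy(x)))


def forward_difference_grad(victim: Callable[[Vector], Vector],
                            copy: Callable[[Vector], Vector],
                            x: Vector, eps: float = 1e-4) -> Vector:
    """Forward-difference estimate of d(disparity)/dx.

    The victim is not differentiable from the outside, so the gradient with
    respect to the input is approximated coordinate by coordinate:
    one base query plus one perturbed query per input dimension."""
    base = l1_disparity(victim, copy, x)
    grad = []
    for i in range(len(x)):
        shifted = list(x)
        shifted[i] += eps
        grad.append((l1_disparity(victim, copy, shifted) - base) / eps)
    return grad


def run_example(x: Vector = (1.0, 2.0)):
    """Returns the estimated gradient and the number of victim queries spent."""
    victim = BlackBox(victim_fn)
    grad = forward_difference_grad(victim, copy_fn, list(x))
    return grad, victim.queries


if __name__ == "__main__":
    g, n = run_example()
    print("estimated gradient:", g)
    print("victim queries for one gradient:", n)
```

For this toy victim the disparity is piecewise linear, so the estimate matches the exact gradient `[-0.4, 0.5]` at `[1.0, 2.0]`, and the cost is `dim + 1 = 3` victim queries for a single gradient. For an image-sized input the same estimator needs thousands of queries per gradient, which is why the page's threat is sharper for on-device models, where queries are free, and why per-client query volume is the natural quantity for a hosted prediction service to account for.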