An extraction attack on image recognition model using VAE-kdtree model

Tianqi Wen; Haibo Hu; Huadi Zheng

doi:10.1117/12.2590844

An extraction attack on image recognition model using VAE-kdtree model

Tianqi Wen, Haibo Hu, Huadi Zheng

The Hong Kong Polytechnic University

Research output: Chapter in book / Conference proceeding › Conference article published in proceeding or book › Academic research › peer-review

1 Citation (Scopus)

Abstract

This paper proposes a black box extraction attack model on pre-trained image classifiers to rebuild a functionally equivalent model with high similarity. Common model extraction attacks use a large number of training samples to feed the target classifier which is time-consuming with redundancy. The attack results have a high dependency on the selected training samples and the target model. The extracted model may only get part of crucial features because of inappropriate sample selection. To eliminate these uncertainties, we proposed the VAE-kdtree attack model which eliminates the high dependency between selected training samples and the target model. It can not only save redundant computation, but also extract critical boundaries more accurately in image classification. This VAE-kdtree model has shown to achieve around 90% similarity on MNIST and around 80% similarity on MNIST-Fashion with a target Convolutional Network Model and a target Support Vector Machine Model. The performance of this VAE-kdtree model could be further improved by adopting higher dimension space of the kdtree.

Original language	English
Title of host publication	International Workshop on Advanced Imaging Technology, IWAIT 2021
Editors	Masayuki Nakajima, Jae-Gon Kim, Wen-Nung Lie, Qian Kemao
Publisher	SPIE
ISBN (Electronic)	9781510643642
DOIs	https://doi.org/10.1117/12.2590844
Publication status	Published - Mar 2021
Event	2021 International Workshop on Advanced Imaging Technology, IWAIT 2021 - Kagoshima, Virtual, Japan Duration: 5 Jan 2021 → 6 Jan 2021

Publication series

Name	Proceedings of SPIE - The International Society for Optical Engineering
Volume	11766
ISSN (Print)	0277-786X
ISSN (Electronic)	1996-756X

Conference

Conference	2021 International Workshop on Advanced Imaging Technology, IWAIT 2021
Country/Territory	Japan
City	Kagoshima, Virtual
Period	5/01/21 → 6/01/21

ASJC Scopus subject areas

Electronic, Optical and Magnetic Materials
Condensed Matter Physics
Computer Science Applications
Applied Mathematics
Electrical and Electronic Engineering

More information

10.1117/12.2590844

http://hdl.handle.net/10397/106879

Cite this

Wen, T., Hu, H., & Zheng, H. (2021). An extraction attack on image recognition model using VAE-kdtree model. In M. Nakajima, J.-G. Kim, W.-N. Lie, & Q. Kemao (Eds.), International Workshop on Advanced Imaging Technology, IWAIT 2021 Article 117660N (Proceedings of SPIE - The International Society for Optical Engineering; Vol. 11766). SPIE. https://doi.org/10.1117/12.2590844

@inproceedings{4abbcb1bc3aa432b97bc5538635570ff,

title = "An extraction attack on image recognition model using VAE-kdtree model",

abstract = "This paper proposes a black box extraction attack model on pre-trained image classifiers to rebuild a functionally equivalent model with high similarity. Common model extraction attacks use a large number of training samples to feed the target classifier which is time-consuming with redundancy. The attack results have a high dependency on the selected training samples and the target model. The extracted model may only get part of crucial features because of inappropriate sample selection. To eliminate these uncertainties, we proposed the VAE-kdtree attack model which eliminates the high dependency between selected training samples and the target model. It can not only save redundant computation, but also extract critical boundaries more accurately in image classification. This VAE-kdtree model has shown to achieve around 90% similarity on MNIST and around 80% similarity on MNIST-Fashion with a target Convolutional Network Model and a target Support Vector Machine Model. The performance of this VAE-kdtree model could be further improved by adopting higher dimension space of the kdtree. ",

author = "Tianqi Wen and Haibo Hu and Huadi Zheng",

note = "Funding Information: This work was supported by National Natural Science Foundation of China (Grant No: U1636205, 61572413), the Research Grants Council, Hong Kong SAR, China (Grant No: 15238116, 15222118, 15218919, and C1008-16G), and a research project from Huawei. Publisher Copyright: {\textcopyright} COPYRIGHT SPIE. Downloading of the abstract is permitted for personal use only.; 2021 International Workshop on Advanced Imaging Technology, IWAIT 2021 ; Conference date: 05-01-2021 Through 06-01-2021",

year = "2021",

month = mar,

doi = "10.1117/12.2590844",

language = "English",

series = "Proceedings of SPIE - The International Society for Optical Engineering",

publisher = "SPIE",

editor = "Masayuki Nakajima and Jae-Gon Kim and Wen-Nung Lie and Qian Kemao",

booktitle = "International Workshop on Advanced Imaging Technology, IWAIT 2021",

address = "United States",

}

Wen, T, Hu, H & Zheng, H 2021, An extraction attack on image recognition model using VAE-kdtree model. in M Nakajima, J-G Kim, W-N Lie & Q Kemao (eds), International Workshop on Advanced Imaging Technology, IWAIT 2021., 117660N, Proceedings of SPIE - The International Society for Optical Engineering, vol. 11766, SPIE, 2021 International Workshop on Advanced Imaging Technology, IWAIT 2021, Kagoshima, Virtual, Japan, 5/01/21. https://doi.org/10.1117/12.2590844

An extraction attack on image recognition model using VAE-kdtree model. / Wen, Tianqi; Hu, Haibo; Zheng, Huadi.
International Workshop on Advanced Imaging Technology, IWAIT 2021. ed. / Masayuki Nakajima; Jae-Gon Kim; Wen-Nung Lie; Qian Kemao. SPIE, 2021. 117660N (Proceedings of SPIE - The International Society for Optical Engineering; Vol. 11766).

Research output: Chapter in book / Conference proceeding › Conference article published in proceeding or book › Academic research › peer-review

TY - GEN

T1 - An extraction attack on image recognition model using VAE-kdtree model

AU - Wen, Tianqi

AU - Hu, Haibo

AU - Zheng, Huadi

N1 - Funding Information: This work was supported by National Natural Science Foundation of China (Grant No: U1636205, 61572413), the Research Grants Council, Hong Kong SAR, China (Grant No: 15238116, 15222118, 15218919, and C1008-16G), and a research project from Huawei. Publisher Copyright: © COPYRIGHT SPIE. Downloading of the abstract is permitted for personal use only.

PY - 2021/3

Y1 - 2021/3

N2 - This paper proposes a black box extraction attack model on pre-trained image classifiers to rebuild a functionally equivalent model with high similarity. Common model extraction attacks use a large number of training samples to feed the target classifier which is time-consuming with redundancy. The attack results have a high dependency on the selected training samples and the target model. The extracted model may only get part of crucial features because of inappropriate sample selection. To eliminate these uncertainties, we proposed the VAE-kdtree attack model which eliminates the high dependency between selected training samples and the target model. It can not only save redundant computation, but also extract critical boundaries more accurately in image classification. This VAE-kdtree model has shown to achieve around 90% similarity on MNIST and around 80% similarity on MNIST-Fashion with a target Convolutional Network Model and a target Support Vector Machine Model. The performance of this VAE-kdtree model could be further improved by adopting higher dimension space of the kdtree.

AB - This paper proposes a black box extraction attack model on pre-trained image classifiers to rebuild a functionally equivalent model with high similarity. Common model extraction attacks use a large number of training samples to feed the target classifier which is time-consuming with redundancy. The attack results have a high dependency on the selected training samples and the target model. The extracted model may only get part of crucial features because of inappropriate sample selection. To eliminate these uncertainties, we proposed the VAE-kdtree attack model which eliminates the high dependency between selected training samples and the target model. It can not only save redundant computation, but also extract critical boundaries more accurately in image classification. This VAE-kdtree model has shown to achieve around 90% similarity on MNIST and around 80% similarity on MNIST-Fashion with a target Convolutional Network Model and a target Support Vector Machine Model. The performance of this VAE-kdtree model could be further improved by adopting higher dimension space of the kdtree.

UR - http://www.scopus.com/inward/record.url?scp=85103246391&partnerID=8YFLogxK

U2 - 10.1117/12.2590844

DO - 10.1117/12.2590844

M3 - Conference article published in proceeding or book

AN - SCOPUS:85103246391

T3 - Proceedings of SPIE - The International Society for Optical Engineering

BT - International Workshop on Advanced Imaging Technology, IWAIT 2021

A2 - Nakajima, Masayuki

A2 - Kim, Jae-Gon

A2 - Lie, Wen-Nung

A2 - Kemao, Qian

PB - SPIE

T2 - 2021 International Workshop on Advanced Imaging Technology, IWAIT 2021

Y2 - 5 January 2021 through 6 January 2021

ER -

An extraction attack on image recognition model using VAE-kdtree model

Abstract

Publication series

Conference

ASJC Scopus subject areas

More information

Other files and links

Fingerprint

Cite this