The rise of Encoder-as-a-Service (EaaS) has made pre-trained encoders accessible for various AI tasks, but this has introduced significant security concerns, particularly with model stealing attacks. While defenses like the B4B mechanism [6] have been proposed to protect against such attacks, we reveal critical vulnerabilities in B4B’s strategies. B4B employs techniques such as embedding space coverage estimation, cost-based perturbation, and embedding transformations to thwart attackers. However, we introduce the first defense-penetrating attack that bypasses these protections. Our attack effectively circumvents all three defense mechanisms, enabling attackers to steal high-quality encoders with minimal degradation in performance. Extensive experiments show that the stolen encoder performs almost as well as the original, highlighting the weaknesses in B4B and similar defenses. Our work exposes significant gaps in the security of EaaS systems and calls for more robust, active defense strategies against model stealing.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

I Can Still Steal Your Encoder: A Defense-Penetrating Encoder-Stealing Attack

  • Rongbin Xiao,
  • Changyu Dong,
  • Jie Zhang,
  • Yan Pang,
  • Zihan Xie,
  • Han Wu

摘要

The rise of Encoder-as-a-Service (EaaS) has made pre-trained encoders accessible for various AI tasks, but this has introduced significant security concerns, particularly with model stealing attacks. While defenses like the B4B mechanism [6] have been proposed to protect against such attacks, we reveal critical vulnerabilities in B4B’s strategies. B4B employs techniques such as embedding space coverage estimation, cost-based perturbation, and embedding transformations to thwart attackers. However, we introduce the first defense-penetrating attack that bypasses these protections. Our attack effectively circumvents all three defense mechanisms, enabling attackers to steal high-quality encoders with minimal degradation in performance. Extensive experiments show that the stolen encoder performs almost as well as the original, highlighting the weaknesses in B4B and similar defenses. Our work exposes significant gaps in the security of EaaS systems and calls for more robust, active defense strategies against model stealing.