Tribhuvanesh Orekondy, Bernt Schiele Mario Fritz
Max Planck Institute for Informatics
Machine Learning (ML) models are increasingly deployed in the wild to perform a wide range of tasks. In this work, we ask to what extent can an adversary steal functionality of such "victim" models based solely on blackbox interactions: image in, predictions out. In contrast to prior work, we present an adversary lacking knowledge of train/test data used by the model, its internals, and semantics over model outputs. We formulate model functionality stealing as a two-step approach: (i) querying a set of input images to the blackbox model to obtain predictions; and (ii) training a "knockoff" with queried image-prediction pairs. We make multiple remarkable observations: (a) querying random images from a different distribution than that of the blackbox training data results in a well-performing knockoff; (b) this is possible even when the knockoff is represented using a different architecture; and (c) our reinforcement learning approach additionally improves query sample efficiency in certain settings and provides performance gains. We validate model functionality stealing on a range of datasets and tasks, as well as on a popular image analysis API where we create a reasonable knockoff for as little as $30.
tl;dr: We highlight a threat that functionality of blackbox models CNNs can easily 'knocked-off' under minimal assumptions
- Python 3.6
- Pytorch 1.1
Can be set up as:
$ conda env create -f environment.yml # anaconda; or
$ pip install -r requirements.txt # pipYou will need six datasets to perform all experiments in the paper, all extracted into the data/ directory.
- Victim datasets
- Caltech256 (Link. Images in
data/256_ObjectCategories/<classname>/*.jpg) - CUB-200-2011 (Link. Images in
data/CUB_200_2011/images/<classname>/*.jpg) - Indoor Scenes (Link. Images in
data/indoor/Images/<classname>/*.jpg) - Diabetic Retinopathy (Link. Images in
data/diabetic_retinopathy/training_imgs/<classname>/*.jpg)
- Caltech256 (Link. Images in
- Adversarial datasets
The commands/steps below will guide you to:
- Train victim models (or download pretrained models)
- Train knockoff models (or download pretrained models)
- Constructing transfer sets
- Training knockoff models
We follow the convention of storing victim models and related data (e.g., logs) under models/victim/P_V-F_V/ (e.g., cubs200-resnet34).
Zip files (containing resnet-34 pytorch checkpoint .pth.tar, hyperparameters and training logs):
- Caltech256 (Accuracy = 78.4%)
- CUBS200 (77.1%)
- Indoor67 (76.0%)
- Diabetic5 (59.4%)
# Format:
$ python knockoff/victim/train.py DS_NAME ARCH -d DEV_ID \
-o models/victim/VIC_DIR -e EPOCHS --pretrained
# where DS_NAME = {cubs200, caltech256, ...}, ARCH = {resnet18, vgg16, densenet161, ...}
# if the machine contains multiple GPUs, DEV_ID specifies which GPU to use
# More details:
$ python knockoff/victim/train.py --help
# Example (CUB-200):
$ python knockoff/victim/train.py CUBS200 resnet34 -d 1 \
-o models/victim/cubs200-resnet34 -e 10 --log-interval 25 \
--pretrained imagenetWe store the knockoff models and related data (e.g., transfer set, logs) under data/adversary/P_V-F_A-pi/ (e.g., cubs200-resnet50-random).
# Format
$ python knockoff/adversary/transfer.py random models/victim/VIC_DIR \
--out_dir models/adversary/ADV_DIR --budget BUDGET \
--queryset QUERY_SET --batch_size 8 -d DEV_ID
# where QUERY_SET = {ImageNet1k ,...}
# More details
$ python knockoff/adversary/transfer.py --help
# Examples (CUB-200):
# Random
$ python knockoff/adversary/transfer.py random models/victim/cubs200-resnet34 \
--out_dir models/adversary/cubs200-resnet34-random --budget 80000 \
--queryset ImageNet1k --batch_size 8 -d 2
# Adaptive
$ python knockoff/adversary/transfer.py adaptive models/victim/cubs200-resnet34 \
--out_dir models/adversary/cubs200-resnet34-random --budget 80000 \
--queryset ImageNet1k --batch_size 8 -d 2# Format:
$ python knockoff/adversary/train.py models/adversary/ADV_DIR ARCH DS_NAME \
--budgets BUDGET1,BUDGET2,.. -d DEV_ID --pretrained --epochs EPOCHS \
--lr LR
# DS_NAME refers to the dataset used to train victim model; used only to evaluate on test set during training of knockoff
# More details:
$ python knockoff/adversary/train.py --help
# Example (CUB-200)
$ python knockoff/adversary/train.py models/adversary/cubs200-resnet34-random \
resnet34 CUBS200 --budgets 60000 -d 0 --pretrained imagenet \
--log-interval 100 --epochs 200 --lr 0.01 Zip files (containing pytorch checkpoint, transferset pickle file, hyperparameters and logs) can be downloaded using the links below.
Specifically, the knockoffs are resnet34s at B=60k using imagenet as the query set (
| Random | Adaptive | |
|---|---|---|
| Caltech256 | zip (76.0%) | zip (%) |
| CUBS200 | zip (67.7%) | zip (%) |
| Indoor67 | zip (68.2%) | zip (%) |
| Diabetic5 | zip (43.6%) | zip (%) |
Since the current publicly available code uses an updated pytorch version and has been significantly refactored from the initially published version, expect minor differences in results. Please contact me (see below) in case you want the exact pretrained models used in the paper.
If you found this work or code useful, please cite us:
@inproceedings{orekondy19knockoff,
TITLE = {Knockoff Nets: Stealing Functionality of Black-Box Models},
AUTHOR = {Orekondy, Tribhuvanesh and Schiele, Bernt and Fritz, Mario},
YEAR = {2019},
BOOKTITLE = {CVPR},
}
In case of feedback, suggestions, or issues, please contact Tribhuvanesh Orekondy
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent