Knockoff Nets: Stealing Functionality of Black-Box Models
Tribhuvanesh Orekondy1 Bernt Schiele1 Mario Fritz2
1 Max Planck Institute for Informatics, Saarland Informatics Campus  2 CISPA Helmholtz Center i.G., Saarland Informatics Campus
Abstract
Machine Learning (ML) models are increasingly deployed in the wild to perform a wide range of tasks. In this work, we ask to what extent can an adversary steal functionality of such "victim" models based solely on blackbox interactions: image in, predictions out. In contrast to prior work, we present an adversary lacking knowledge of train/test data used by the model, its internals, and semantics over model outputs. We formulate model functionality stealing as a two-step approach: (i) querying a set of input images to the blackbox model to obtain predictions; and (ii) training a "knockoff" with queried image-prediction pairs. We make multiple remarkable observations: (a) querying random images from a different distribution than that of the blackbox training data results in a well-performing knockoff; (b) this is possible even when the knockoff is represented using a different architecture; and (c) our reinforcement learning approach additionally improves query sample efficiency in certain settings and provides performance gains. We validate model functionality stealing on a range of datasets and tasks, as well as on a popular image analysis API where we create a reasonable knockoff for as little as $30.
1. Introduction
Machine Learning (ML) models and especially deep neural networks are deployed to improve productivity or experience, e.g., photo assistants in smartphones, image recognition APIs in cloud-based internet services, and for navigation and control in autonomous vehicles. Developing and engineering such models for commercial use is a product of intense time, money, and human effort, ranging from collecting a massive annotated dataset to tuning the right model for the task. The details of the dataset, exact model architecture, and hyperparameters are naturally kept confidential to protect the models' value. However, in order to be monetized or simply serve a purpose, they are deployed in various applications (e.g., home assistants) to function as
Figure 1: An adversary can create a "knockoff" of a blackbox model solely by interacting with its API: image in, prediction out. The knockoff bypasses the monetary costs and intellectual effort involved in creating the blackbox model.
blackboxes: input in, predictions out.
Large-scale deployments of deep learning models in the wild have motivated the community to ask: can someone abuse the model solely based on blackbox access? There has been a series of "inference attacks" [10, 27, 38, 40] which try to infer properties (e.g., training data [40], architecture [27]) about the model within the blackbox. In this work, we focus on model functionality stealing: can one create a "knockoff" of the blackbox model solely based on observed input-output pairs? In contrast to previous works [27, 32, 45], we work with minimal assumptions on the blackbox and intend to purely steal the functionality.
We formulate model functionality stealing as follows (shown in Figure 1). The adversary interacts with a blackbox "victim" CNN by providing it input images and obtaining respective predictions. The resulting image-prediction pairs are used to train a "knockoff" model. The adversary's intention is for the knockoff to compete with the victim model at the victim's task. Note that knowledge transfer [5, 15] approaches are a special case within our formulation, where the task, train/test data, and white-box teacher (victim) model are known to the adversary.
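The two-step formulation above can be sketched as a query-then-train loop. The interfaces below are ours for illustration, not the authors' code; the blackbox, sampling strategy, and knockoff trainer are stand-ins.

```python
# Minimal sketch of the formulation (hypothetical interfaces): (i) query the
# blackbox victim F_V on chosen images to build image-prediction pairs;
# (ii) train the knockoff F_A on those pairs.

def steal_functionality(blackbox, strategy, budget, train_knockoff):
    transfer_set = []
    for _ in range(budget):
        x = strategy()                          # pi: pick the next query image
        transfer_set.append((x, blackbox(x)))   # image in, prediction out
    return train_knockoff(transfer_set)

# Toy demonstration with stand-in components.
pool = iter(range(10))
victim = lambda x: [1.0, 0.0] if x % 2 == 0 else [0.0, 1.0]
knockoff = steal_functionality(victim, lambda: next(pool), budget=10,
                               train_knockoff=dict)
```

Here the "training" step simply memorizes the pairs; in the paper a CNN is fit to them instead.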
Within this formulation, we spell out questions answered in our paper with an end-goal of model functionality stealing:
1. Can we train a knockoff on a random set of query images and corresponding blackbox predictions?
2. What makes for a good set of images to query?
3. How can we improve sample efficiency of queries?
4. What makes for a good knockoff architecture?
arXiv:1812.02766v1 [cs.CV] 6 Dec 2018
2. Related Work
Privacy, Security and Computer Vision. Privacy has been largely addressed within the computer vision community by proposing models [28, 30, 31, 42, 49, 50] which recognize and control privacy-sensitive information in visual content. The community has also recently studied security concerns entailing real-world usage of models, e.g., adversarial perturbations [2, 20, 25, 26, 29, 34] in black- and white-box attack scenarios. In this work, we focus on functionality stealing of CNNs in a blackbox attack scenario.
Model Stealing. Stealing various attributes of a blackbox ML model has recently been gaining popularity: parameters [45], hyperparameters [48], architecture [27], information on training data [40], and decision boundaries [32]. These works lay the groundwork to precisely reproduce the blackbox model. In contrast, we investigate stealing functionality of the blackbox independent of its internals. Although two works [32, 45] are related to our task, they make relatively stronger assumptions (e.g., the model family is known, the victim's data is partly available). In contrast, we present a weaker adversary.
Knowledge Distillation. Distillation [15] and related approaches [5, 6, 11, 51] transfer the knowledge from a complex "teacher" to a simpler "student" model. Within our problem formulation, this is a special case where the adversary has strong knowledge of the victim's blackbox model, e.g., the architecture and train/test data are known. Although we discuss this setting, a majority of the paper makes weak assumptions on the blackbox.
Active Learning. Active Learning [7, 44] (AL) aims to reduce labeling effort while gathering data to train a model. Ours is a special case of pool-based AL [39], where the learner (adversary) chooses from a pool of unlabeled data. However, unlike AL, the learner's image pool in our case is chosen without any knowledge of the data used by the original model. Moreover, while AL considers the image to be annotated by a human expert, ours is annotated with pseudo-labels by the blackbox.
3. Problem Statement
We now formalize the task of functionality stealing (see also Figure 2).
Functionality Stealing. In this paper, we introduce the task as: given blackbox query access to a "victim" model FV : X → Y, replicate its functionality using a "knockoff" model FA of the adversary. As shown in Figure 2, we set it up as a two-player game between a victim V and an adversary A. We now discuss the assumptions under which the players operate and their corresponding moves in this game.

Figure 2: Problem Statement. Laying out the task of model functionality stealing in the view of two players: victim V and adversary A. We group the adversary's moves into (a) Transfer Set Construction and (b) Training Knockoff FA.
Victim's Move. The victim's end-goal is to deploy a trained CNN model FV in the wild for a particular task (e.g., fine-grained bird classification). To train this particular model, the victim: (i) collects task-specific images x ∼ PV(X) and obtains expert annotations, resulting in a dataset DV = {(xi, yi)}; and (ii) selects the model FV that achieves best performance (accuracy) on a held-out test set of images D^test_V. The resulting model is deployed as a blackbox which predicts output probabilities y = FV(x) given an image x. Furthermore, we assume each prediction incurs a cost (e.g., monetary, latency).
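The victim-side deployment described above can be pictured as a thin wrapper: only a predict call is exposed, and each call tallies a cost. This is an illustrative stand-in, not the paper's code; the class name, toy model, and per-query price are ours.

```python
# Illustrative blackbox deployment (hypothetical names and toy model): the
# trained model F_V is exposed only through predict(), which returns a
# posterior probability vector and tallies a per-query cost.

class BlackboxAPI:
    def __init__(self, model_fn, cost_per_query=0.001):
        self._model_fn = model_fn            # F_V stays hidden from callers
        self.cost_per_query = cost_per_query
        self.total_cost = 0.0

    def predict(self, image):
        """Image in, probabilities out; internals are never revealed."""
        self.total_cost += self.cost_per_query
        return self._model_fn(image)

api = BlackboxAPI(lambda x: [0.9, 0.1])
probs = api.predict("some_image")
```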
Adversary's Unknowns. The adversary is presented with a blackbox CNN image classifier, which given any image x ∈ X returns a K-dim posterior probability vector y ∈ [0, 1]^K, Σ_k y_k = 1. We relax this later by considering truncated versions of y. We assume the remaining aspects to be unknown: (i) the internals of FV, e.g., hyperparameters or architecture; (ii) the data used to train and evaluate the model; and (iii) semantics over the K classes.
Adversary's Attack. To train a knockoff, the adversary: (i) interactively queries images {xi ∼π PA(X)} using strategy π to obtain a "transfer set" of images and pseudo-labels {(xi, FV(xi))}_{i=1}^B; and (ii) selects an architecture FA for the knockoff and trains it to mimic the behaviour of FV on the transfer set.
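One reasonable reading of "trains it to mimic the behaviour of FV" is minimizing the cross-entropy between the victim's soft pseudo-label FV(x) and the knockoff's output FA(x); the helper below sketches that objective (function and variable names are ours).

```python
import math

# Sketch of a transfer-set training objective (an assumption of ours, not a
# quote of the paper): cross-entropy between the victim's posterior
# pseudo-label and the knockoff's predicted probabilities.

def soft_cross_entropy(pseudo_label, knockoff_probs, eps=1e-12):
    return -sum(p * math.log(q + eps)
                for p, q in zip(pseudo_label, knockoff_probs))

y_victim = [0.7, 0.2, 0.1]                                # F_V(x) from the API
loss_match = soft_cross_entropy(y_victim, y_victim)       # perfect mimicry
loss_off = soft_cross_entropy(y_victim, [0.1, 0.2, 0.7])  # poor mimicry
```

The loss is minimized (down to the pseudo-label's entropy) exactly when the knockoff reproduces the victim's posterior.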
Objective. We focus on the adversary, whose primary objective is training a knockoff that performs well on the task for which FV was designed, i.e., on an unknown D^test_V. In addition, we address two secondary objectives: (i) sample-efficiency: maximizing performance within a budget of B blackbox queries; and (ii) understanding what makes for good images to query the blackbox.
Victim's Defense. Although we primarily address the adversary's strategy in this paper, we briefly discuss the victim's counter-strategies (in Section 6) of reducing informativeness of predictions by truncation, e.g., rounding-off.

Figure 3: Comparison to KD. (a) The adversary has access only to image distribution PA(X). (b) Training in a KD manner requires stronger knowledge of the victim. Both S and FA are trained to classify images x ∼ PV(X).

Remarks: Comparison to Knowledge Distillation (KD). Training the knockoff model is reminiscent of KD approaches [15, 36], whose goal is to transfer the knowledge from a larger teacher network T (white-box) to a compact student network S (knockoff) via the transfer set. We illustrate key differences between KD and our setting in Figure 3: (a) Independent distribution PA: FA is trained on images x ∼ PA(X) independent of the distribution PV used for training FV; (b) Data for supervision: the student network S minimizes variants of the KD loss:
L_KD = λ1 L_CE(y_true, y_S) + λ2 L_CE(y^τ_S, y^τ_T)
where y^τ_T = softmax(a_T / τ) is the softened posterior distribution of the teacher logits a_T, controlled by temperature τ. In contrast, the knockoff (student) in our case lacks the logits a_T and true labels y_true to supervise training.
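The effect of the temperature in the softened posterior can be seen with a small worked example (logit values are ours, chosen for illustration): raising τ spreads probability mass across classes while preserving their ranking.

```python
import math

# Toy illustration of y_T^tau = softmax(a_T / tau) from the KD loss above.
# The teacher logits below are made up for demonstration.

def softmax(logits, tau=1.0):
    exps = [math.exp(a / tau) for a in logits]
    z = sum(exps)
    return [e / z for e in exps]

teacher_logits = [4.0, 1.0, 0.2]            # a_T
sharp = softmax(teacher_logits, tau=1.0)    # near one-hot
soft = softmax(teacher_logits, tau=4.0)     # softened posterior y_T^tau
```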
4. Generating Knockoffs
In this section, we elaborate on the adversary's approach in two steps: transfer set construction (Section 4.1) and training the knockoff FA (Section 4.2).
4.1. Transfer Set Construction
The goal is to obtain a transfer set, i.e., image-prediction pairs, on which the knockoff will be trained to imitate the victim's blackbox model FV.
Selecting PA(X). The adversary first selects an image distribution from which to sample images. We consider this to be a large discrete set of images. For instance, one of the distributions PA we consider is the 1.2M images of the ILSVRC dataset [8].
Sampling Strategy π. Once the image distribution PA(X) is chosen, the adversary samples images x ∼π PA(X) using a strategy π. We consider two strategies.
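The simpler of the two strategies, drawing queries uniformly at random from the discrete pool, can be sketched as below; the function name and the stand-in pool of image ids are ours.

```python
import random

# Minimal sketch of a random sampling strategy pi over the adversary's
# discrete pool P_A (e.g., the 1.2M ILSVRC images). Names are illustrative.

def random_strategy(image_pool, budget, seed=0):
    rng = random.Random(seed)        # fixed seed only for repeatability
    return rng.sample(image_pool, budget)   # without replacement

pool = [f"img_{i:07d}.jpg" for i in range(1000)]   # stand-in image ids
queries = random_strategy(pool, budget=5)
```

Sampling without replacement matters under a query budget B: repeated images waste paid queries without adding new supervision.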
Reward signal
Train
Update policy<latexit sha1_base64="crajI7D0cI0TvgJpIM9EHSbvQzE=">AAAEK3icfVPNbtNAEN7W/LThr4UjF4uoUuEQ2QgBvaBKVAgJIQoiaVBsovFmkq6yu7Z2103Myq/BFV6Ap+EE4sp7sE6CSNzQkawdz/fN3+5MknGmTRD82Nj0Ll2+cnVru3Ht+o2bt3Z2b3d0miuKbZryVHUT0MiZxLZhhmM3Uwgi4XiSjJ9X+MkZKs1S+d4UGcYCRpINGQXjTNGLfmc/OkM67Zv7/Z1m0DoIwoPHoX9eCVvBTJpkIcf9XW87GqQ0FygN5aB1LwwyE1tQhlGOZSPKNWZAxzDCnlMlCNSxnRVd+nvOMvCHqXKfNP7MuuxhQWhdiMQxBZhTXccq4zqsl5vh09gymeUGJZ0nGubcN6lf3YA/YAqp4YVTgCrmavXpKSigxt1TY89fjqVpbKsMGXxKV/qxiaj9V4ZGJHFCUyFADmw0AAOljSp/CtweleUqnoxHK/DHyODU2MpcY7oX5Qtqkth3ddi5T5ciddfgxRL+oY5XhWrXCF4UhEOCvM6ahVK4zHPTVPbC2LUnbDOsR3E3pjSaf820zxXLmZunFc6rOsflmJSzDJM10HQOTddAxRwqyuqtjtBNrcLXLsmbDBWYVD2wEaiRABdicV5EY3JOc6dbnr8b4v9f6TxshU5/+6h5+GyxRlvkLrlH9klInpBD8pIckzahJCOfyRfy1fvmffd+er/m1M2Nhc8dsiLe7z+PFnXy</latexit>
<latexit sha1_base64="Ty9s5SiTw/AO8bAL2dGQ6rsw/78=">AAAEJnicfVPNbtNAEN7W/LThr4UjF4uoEuJQxQgJTqgSPSAhREGkCYpNNN5M0lV2bWt33cSs/BBc4QV4Gm4IceNRGCeWSJyoI1k7nu+bv92ZOJPC2E7nz86ud+36jZt7+61bt+/cvXdweP/cpLnm2OWpTHU/BoNSJNi1wkrsZxpBxRJ78fRVhfcuURuRJh9tkWGkYJKIseBgydQLL5HPh3Z40O4cdxbibypBrbRZLWfDQ28/HKU8V5hYLsGYQdDJbORAW8Ellq0wN5gBn8IEB6QmoNBEblFv6R+RZeSPU01fYv2FddXDgTKmUDExFdgL08Qq4zZskNvxi8iJJMstJnyZaJxL36Z+1bw/Ehq5lQUpwLWgWn1+ARq4pStqHfmrsQyPXJUhgy/pWj8uVo3/ytAKE5zxVClIRi4cgYXShZU/B+lOy3Idj6eTNfhzaHFuXWVuMOkxZU2NY/ehCZP7fCVSfwterOCfmnhVqKFG8KogEmKUTdYilMZVHg1TOQgiak+5dtCMQjemDdr/zXQ3ipWC5mmN86bJoRyzcpFhtgWaL6H5FqhYQkVZvdUp0tRqfEtJ3mWowab6iQtBTxRQiPq8iiaSJY1OWp6guSqbyvnT44D098/aJy/rNdpjD9kj9pgF7Dk7Ya/ZGesyzqbsK/vGvns/vJ/eL+/3krq7U/s8YGvi/f0HxxZ0Jg==</latexit>
<latexit sha1_base64="sM/zdGsjrCE1JwfmLbJ78MMA9tg=">AAAEJnicfVPNbtNAEN7W/LThr4UjF4uoEuJQxQgJTqgSPSAhREGkCYpNNN5M0lV2bWt33cSs/BBc4QV4Gm4IceNRGCeWSJyoI1k7nu+bv92ZOJPC2E7nz86ud+36jZt7+61bt+/cvXdweP/cpLnm2OWpTHU/BoNSJNi1wkrsZxpBxRJ78fRVhfcuURuRJh9tkWGkYJKIseBgydQLL5EXQzs8aHeOOwvxN5WgVtqslrPhobcfjlKeK0wsl2DMIOhkNnKgreASy1aYG8yAT2GCA1ITUGgit6i39I/IMvLHqaYvsf7CuurhQBlTqJiYCuyFaWKVcRs2yO34ReREkuUWE75MNM6lb1O/at4fCY3cyoIU4FpQrT6/AA3c0hW1jvzVWIZHrsqQwZd0rR8Xq8Z/ZWiFCc54qhQkIxeOwELpwsqfg3SnZbmOx9PJGvw5tDi3rjI3mPSYsqbGsfvQhMl9vhKpvwUvVvBPTbwq1FAjeFUQCTHKJmsRSuMqj4apHAQRtadcO2hGoRvTBu3/ZrobxUpB87TGedPkUI5Zucgw2wLNl9B8C1QsoaKs3uoUaWo1vqUk7zLUYFP9xIWgJwooRH1eRRPJkkYnLU/QXJVN5fzpcUD6+2ftk5f1Gu2xh+wRe8wC9pydsNfsjHUZZ1P2lX1j370f3k/vl/d7Sd3dqX0esDXx/v4DytR0Jw==</latexit>
<latexit sha1_base64="B2SDmFMw8ERbo6NXU9v1+m+ImVg=">AAAEP3icfVNbi9NAFJ7deNmtl+3qoyCDZWEVWRoR9EkW3AdBxFXsbqWJZTI9bYfOJGHmZNs45M1f46v+AX+Gv8A38dU3J23ANi17IMyX833nNpcolcJgu/1za9u7cvXa9Z3dxo2bt27vNffvnJkk0xw6PJGJ7kbMgBQxdFCghG6qgalIwnk0eVny5xegjUjiD5inECo2isVQcIbO1W/eDyQM8TC4AD7r42NagryPNNBiNMaH/WarfdSeG10HfgVapLLT/r63GwwSnimIkUtmTM9vpxhaplFwCUUjyAykjE/YCHoOxkyBCe18kIIeOM+ADhPtvhjp3LscYZkyJleRUyqGY1PnSucmrpfh8HloRZxmCDFfFBpmkmJCy12hA6GBo8wdYFwL1yvlY6YZR7d3jQO6nMvw0JYVUvY5WZnHRqr2XzoaQQxTnijF4oENBgxZYYMynjNpT4pilY8moxX6U4AwQ1u6a0p3yrKSRpF9X6dd+GwpU3cDny/xH+t82ahxg8BlSSSLQNZV81QalnXuUhU9P3TjKdvy61ncjmkD+H+YzlqzUrj7tKJ5Xde4GtNiXmG6gZotqNkGKl9QeVGe1Qm4W6vhjSvyNgXNMNGPbMD0SDGXolovk4l4IXOrezx+/amsg7MnR77D7562jl9Uz2iH3CMPyCHxyTNyTF6RU9IhnHwhX8k38t374f3yfnt/FtLtrSrmLlkx7+8/Db19YQ==</latexit>
<latexit sha1_base64="6o7jsYJ7VDFSp3YFhzN1iH51vec=">AAAENHicfVPNbtNAEN7W/LThL6VHLhZRReFQxRUSXEBFVAgJIQoibVBsrPF6kq6ya1u76yZm5WfhCi/AuyBxQ1x5BtaJJRIn6kjWjuf75m93Jso4U7rb/bmx6Vy5eu361nbrxs1bt++0d+6eqjSXFHs05ansR6CQswR7mmmO/UwiiIjjWTR+WeFnFygVS5OPusgwEDBK2JBR0NYUtneLB6F2n7mvwhf7/gXSaagfhu1O96A7E3dV8WqlQ2o5CXecbT9OaS4w0ZSDUgOvm+nAgNSMcixbfq4wAzqGEQ6smoBAFZhZ9aW7Zy2xO0yl/RLtzqyLHgaEUoWILFOAPldNrDKuwwa5Hj4NDEuyXGNC54mGOXd16lZX4cZMItW8sApQyWytLj0HCVTbC2vtuYuxFA1MlSGDL+lSPyYSjf/K0PITnNBUCEhi48egoTR+5U+Bm+OyXMaj8WgJ/uxrnGpTmRtM+7S8pkaR+dCErft0IVJ/DV4s4J+aeFWoso3gZUE4RMibrFkoiYs8O03lwAtse8J0vGYUe2NSof7fTG+lWM7sPC1x3jQ5NseknGWYrIGmc2i6BirmUFFWb3WMdmolvrVJ3mUoQafykfFBjgTYEPV5GY0lc5o97fJ4zVVZVU4PDzyrv3/cOXper9EWuUfuk33ikSfkiLwmJ6RHKCnIV/KNfHd+OL+c386fOXVzo/bZJUvi/P0HTEx39g==</latexit>
<latexit sha1_base64="pEb6DjyhdTtEBMnsIsu+VeK4k0g=">AAAEX3icfVNdb9MwFPXWwkaB0cET4iWimoT2UCUTAiZeKrEHJIQoiG5FTTY57m1n1U4i+2ZtsPI/eIV/xSP/BCctWpOVWYp8c865n7bDRHCNrvt7a7vRvHN3Z/de6/6Dh3uP2vuPT3WcKgYDFotYDUOqQfAIBshRwDBRQGUo4CycvSv4sytQmsfRV8wSCCSdRnzCGUULnfuS4mUYmn5+4Sf8ot1xu8eud/zKc24aXtctV4esVv9iv/HWH8cslRAhE1TrkecmGBiqkDMBectPNSSUzegURtaMqAQdmLLs3DmwyNiZxMp+EToluu5hqNQ6k6FVFmXqOleAm7hRipM3geFRkiJEbJlokgoHY6eYgTPmChiKzBqUKW5rddglVZShnVTrwFmPpVlgigwJ/R5X+jHIbTMWUhDBnMVS0mh86COOYUJTgUZIxKpHKGv/BdDyr92NP6ZIc1MeC6PCnOR5lQ9n0wp97iMs0BRwTWlvgVhJ7QF/qdPWfbEWabiBz9b4b3W+KFTbRuC2IIKGIOqqMtT60Ix/BSwfeYFtT5qOV49iJ6Y04HUzgxvFCm5vYEXzoa6xOeZ5mWG+gVosqcUGKltSWV6c1QnYe67go03yKQFFMVaHxqdqKqkNsdpvk/FoKbO7fW7/3pTzf+P0qOtZ+/PLTq+3eni75Bl5Tl4Qj7wmPfKe9MmAMKLID/KT/Gr8ae4095rtpXR7a+XzhFRW8+lfIICIuA==</latexit>
<latexit sha1_base64="Gu8g3dRzQ2+wYRTW6UL0dWRj0Xo=">AAAEZ3icfVPdahNBFJ42UWv8aaoigjeroVB7UbIiKnhTsBeCSKuYNpKN4ezsSTpkZneZOZufDvsu3uob+Qi+hbNJoMkmdGCZs9/3nd+ZCVMpDDWbf7e2K9Vbt+/s3K3du//g4W5979G5STLNscUTmeh2CAaliLFFgiS2U42gQokX4fBjwV+MUBuRxN9pmmJXwSAWfcGBHNSrPwkIJ2QP4JV36nQjgePc69UbzaPmbHnrhr8wGmyxznp7lQ9BlPBMYUxcgjEdv5lS14ImwSXmtSAzmAIfwgA7zoxBoenaWfm5t++QyOsn2n0xeTN02cOCMmaqQqdUQJemzBXgJq6TUf9914o4zQhjPk/Uz6RHiVfMwouERk5y6gzgWrhaPX4JGji5idX2veVYhndtkSGFq2SlH0vCNeMgjTGOeaIUxNFhQBRhHzJJViqiVY9Qlf4LoBZcu9sgAoLcBkVGDtKe5PkqHw4HK/TP+TkWcEnpboNcSMPQfivTzn2yFKm9gZ8u8T/KfFGocY3gTUEkhCjLqlmo5aHZYIQ87/hd156yDb8cxU1MG6TrZlprxUrhbuCK5nNZ43KM81mG8QZqMqcmG6jpnJrmxVmdoLvnGr+4JKcpaqBEH9oA9ECBC7HYb5KJeC5zu3tufvlxrRvnr498Z3990zh+u3h4O+w5e8kOmM/esWP2iZ2xFuPsiv1iv9mfyr/qbvVp9dlcur218HnMVlb1xX+TU4qJ</latexit>
Figure 4: Strategy adaptive.
4.1.1 Random Strategy
In this strategy, we randomly sample images (without replacement) xt ∼ PA(X) i.i.d. to query FV. This is an extreme case where the adversary performs pure exploration. However, there is a risk that the adversary samples images irrelevant to learning the task (e.g., over-querying dog images to a birds classifier).
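The random strategy amounts to a single draw without replacement from the adversary's pool, followed by querying the victim for each sampled image. A minimal sketch, where `pool`, `victim_fn`, and `random_transfer_set` are illustrative names, not from the paper:

```python
import numpy as np

def random_transfer_set(pool, victim_fn, budget, seed=0):
    """Sample `budget` images from the adversary's pool P_A without
    replacement and query the black-box victim for soft labels."""
    rng = np.random.default_rng(seed)
    idx = rng.choice(len(pool), size=budget, replace=False)
    # Each pair (x, F_V(x)) becomes one training example for the knockoff.
    return [(pool[i], victim_fn(pool[i])) for i in idx]

# Toy usage: a 10-image "pool" and a dummy victim returning uniform posteriors.
pool = [f"img_{i}" for i in range(10)]
victim = lambda x: [0.25, 0.25, 0.25, 0.25]
transfer = random_transfer_set(pool, victim, budget=4)
assert len(transfer) == 4
assert len({x for x, _ in transfer}) == 4  # no image queried twice
```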
4.1.2 Adaptive Strategy
We now incorporate a feedback signal resulting from each image queried to the blackbox. A policy π is learnt:

xt ∼ Pπ({xi, yi}, i = 1, …, t−1)

to achieve two goals: (i) improving sample-efficiency of queries; and (ii) aiding interpretability of blackbox FV. The approach is outlined in Figure 4a. At each time-step t, the policy module Pπ produces a sample of images to query the blackbox. A reward signal rt is shaped based on multiple criteria and is used to update the policy with an end-goal of maximizing the expected reward.
Supplementing PA. To encourage relevant queries, we enrich images in the adversary's distribution by associating each image xi with a label zi ∈ Z. No semantic relation of these labels with the blackbox's output classes is assumed or exploited. As an example, when PA corresponds to the 1.2M images of the ILSVRC [8] dataset, we use labels defined over its 1000 classes. These labels can alternatively be obtained by unsupervised measures, e.g., clustering or estimating graph-density [3, 9]. We find using labels aids understanding of blackbox functionality. Furthermore, since we expect labels {zi ∈ Z} to be correlated or inter-dependent, we represent them within a coarse-to-fine hierarchy, as nodes of a tree as shown in Figure 4b.
Actions. At each time-step t, we sample actions from a discrete action space zt ∈ Z, i.e., the adversary's independent label space. Drawing an action is a forward-pass (denoted by a blue line in Figure 4b) through the tree: at each level, we sample a node with probability πt(z). The probabilities are determined by a softmax distribution over the node potentials: πt(z) = e^{Ht(z)} / Σz′ e^{Ht(z′)}. Upon reaching a leaf node, a sample of images is returned corresponding to label zt.

Learning the Policy. We use the received reward rt for an action zt to update the policy π using the gradient bandit algorithm [43]. This update is equivalent to a backward-pass through the tree (denoted by a green line in Figure 4b), where the node potentials are updated as:

Ht+1(zt) = Ht(zt) + α(rt − r̄t)(1 − πt(zt))
Ht+1(z′) = Ht(z′) − α(rt − r̄t)πt(z′)   ∀ z′ ≠ zt

where α = 1/N(z) is the learning rate, N(z) is the number of times action z has been drawn, and r̄t is the mean reward over the past ∆ time-steps.

Rewards. To evaluate the quality of sampled images xt, we study three rewards. We use a margin-based certainty measure [19, 39] to encourage images where the victim is confident (hence indicating the domain FV was trained on):
Rcert(yt) = P(yt,k1 | xt) − P(yt,k2 | xt)   ("cert")

where k1 and k2 index the two most confident classes. To prevent the degenerate case of image exploitation over a single label, we introduce a diversity reward:

Rdiv(y1:t) = Σk max(0, yt,k − yt−∆,k)   ("div")

To encourage images where the knockoff prediction ŷt = FA(xt) does not imitate FV, we reward high loss:

RL(yt, ŷt) = L(yt, ŷt)   ("L")

We sum up individual rewards when multiple measures are used. To maintain an equal weighting, each reward is individually rescaled to [0, 1] and subtracted with a baseline computed over the past ∆ time-steps.
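The sampling and update rules above can be sketched as a flat gradient bandit. This is a simplification: the paper traverses a label tree, whereas here the softmax is taken directly over leaf labels, and the class and method names are our own:

```python
import math, random

class GradientBanditPolicy:
    """Flat sketch of the adaptive policy: softmax over per-action
    potentials H(z), gradient-bandit update with learning rate 1/N(z)
    and a mean-reward baseline over the last `delta` steps."""
    def __init__(self, actions, delta=10):
        self.H = {z: 0.0 for z in actions}
        self.N = {z: 0 for z in actions}
        self.history, self.delta = [], delta

    def probs(self):
        m = max(self.H.values())
        e = {z: math.exp(h - m) for z, h in self.H.items()}  # stable softmax
        s = sum(e.values())
        return {z: v / s for z, v in e.items()}

    def sample(self):
        p = self.probs()
        return random.choices(list(p), weights=p.values())[0]

    def update(self, z_t, r_t):
        self.N[z_t] += 1
        alpha = 1.0 / self.N[z_t]              # alpha = 1/N(z)
        recent = self.history[-self.delta:]
        baseline = sum(recent) / len(recent) if recent else 0.0  # mean reward
        self.history.append(r_t)
        pi = self.probs()
        for z in self.H:                       # gradient bandit update
            if z == z_t:
                self.H[z] += alpha * (r_t - baseline) * (1 - pi[z])
            else:
                self.H[z] -= alpha * (r_t - baseline) * pi[z]
```

Rewarding one action consistently (e.g., reward 1 for "bird", 0 otherwise) shifts probability mass onto it over successive updates.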
4.2. Training Knockoff FA

As a product of the previous step of interactively querying the blackbox model, we have a transfer set {(xt, FV(xt))} for t = 1, …, B, where xt is drawn from PA(X) under policy π. Now we address how this is used to train a knockoff FA.

Selecting Architecture FA. Few works [27, 48] have recently explored reverse-engineering the blackbox, i.e., identifying the architecture, hyperparameters, etc. We however argue this is orthogonal to our requirement of simply stealing the functionality. Instead, we represent FA with a reasonably complex architecture, e.g., VGG [41] or ResNet [14]. Existing findings in KD [11, 15] and model compression [5, 13, 17] indicate robustness to the choice of reasonably complex student models. We investigate this choice under weaker knowledge of the teacher (FV), e.g., when its training data and architecture are unknown.
Blackbox (FV)     |DtrainV| + |DtestV|   Output classes K
Caltech256 [12]   23.3k + 6.4k           256 general object categories
CUBS200 [47]      6k + 5.8k              200 bird species
Indoor67 [35]     14.3k + 1.3k           67 indoor scenes
Diabetic5 [1]     34.1k + 1k             5 diabetic retinopathy scales

Table 1: Four victim blackboxes FV. Each blackbox is named in the format: [dataset][# output classes].
Training to Imitate. To bootstrap learning, we begin with a pretrained ImageNet network FA. We train the knockoff FA to imitate FV on the transfer set by minimizing the cross-entropy (CE) loss: LCE(y, ŷ) = −Σk p(yk) · log p(ŷk). This is a standard CE loss, albeit weighted with the confidence p(yk) of the victim's label. This formulation is equivalent to minimizing the KL-divergence between the victim's and knockoff's predictions over the transfer set.
5. Experimental Setup
We now discuss the experimental setup of multiple victim blackboxes (Section 5.1), followed by details on the adversary's approach (Section 5.2).
5.1. Black-box Victim Models FV

We choose four diverse image classification CNNs, addressing multiple challenges in image classification, e.g., fine-grained recognition. Each CNN performs a task specific to a dataset. A summary of the blackboxes is presented in Table 1 (extended descriptions in appendix).
Training the Black-boxes. All models are trained using a ResNet-34 architecture (with ImageNet [8] pretrained weights) on the training split of the respective datasets. We find this architecture choice achieves strong performance on all datasets at a reasonable computational cost. Models are trained using SGD with momentum (of 0.5) for 200 epochs with a base learning rate of 0.1, decayed by a factor of 0.1 every 60 epochs. We follow the train-test splits suggested by the respective authors for Caltech-256 [12], CUBS-200-2011 [47], and Indoor-Scenes [35]. Since GT annotations for Diabetic-Retinopathy [1] test images are not provided, we reserve 200 training images from each of the five classes for testing. The number of test images per class for all datasets is roughly balanced. The test images DtestV of these datasets are used to evaluate both the victim and knockoff models.

After these four victim models are trained, we use them as a blackbox for the remainder of the paper: images in, posterior probabilities out.
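The stated learning-rate schedule can be written as a tiny helper (the function name is hypothetical; in practice this is what a step-decay scheduler computes):

```python
def victim_lr(epoch, base_lr=0.1, decay=0.1, step=60):
    """Schedule described above: base LR 0.1, decayed by a factor of 0.1
    every 60 epochs, over 200 epochs of SGD with momentum 0.5."""
    return base_lr * decay ** (epoch // step)

assert victim_lr(0) == 0.1
assert abs(victim_lr(60) - 0.01) < 1e-12
assert abs(victim_lr(199) - 1e-4) < 1e-15
```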
5.2. Representing PA

In this section, we elaborate on the setup of two aspects relevant to transfer set construction (Section 4.1).
5.2.1 Choice of PA
Our approach for transfer set construction involves the adversary querying images from a large discrete image distribution PA. In this section, we present four choices considered in our experiments. Any information apart from the images of the respective datasets is unused in the random strategy. For the adaptive strategy, we use image-level labels (chosen independently of the blackbox models) to guide sampling.

PA = PV. For reference, we sample from the exact set of images used to train the blackboxes. This is a special case of knowledge distillation [15] with unlabeled data at temperature τ = 1.

PA = ILSVRC [8, 37]. We use the collection of 1.2M images over 1000 categories presented in the ILSVRC-2012 [37] challenge.

PA = OpenImages [22]. OpenImages v4 is a large-scale dataset of 9.2M images gathered from Flickr. We use a subset of 550K unique images, gathered by sampling 2k images from each of 600 categories.

PA = D2. We construct a dataset wherein the adversary has access to all images in the universe. In our case, we create the dataset by pooling training data from: (i) all four datasets listed in Section 5.1; and (ii) both datasets presented in this section. This results in a "dataset of datasets" D2 of 2.2M images and 2129 classes.

Overlap between PA and PV. We compute overlap between the labels of the blackbox (K, e.g., 256 Caltech classes) and the adversary's dataset (Z, e.g., 1k ILSVRC classes) as: 100 × |K ∩ Z| / |K|. Based on the overlap between the two image distributions, we categorize PA as:
1. PA = PV: Images queried are identical to the ones used for training FV. There is a 100% overlap.
2. Closed-world (PA = D2): Blackbox train data PV is a subset of the image universe PA. There is a 100% overlap.
3. Open-world (PA ∈ {ILSVRC, OpenImages}): Any overlap between PV and PA is purely coincidental. Overlaps are: Caltech256 (42% ILSVRC, 44% OpenImages), CUBS200 (1%, 0.5%), Indoor67 (15%, 6%), and Diabetic5 (0%, 0%).
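The overlap metric is straightforward to compute from the two label vocabularies (the function name and toy label sets below are ours, not the real Caltech256/ILSVRC vocabularies):

```python
def class_overlap(victim_classes, adversary_classes):
    """Overlap metric from above: 100 x |K intersect Z| / |K|."""
    K, Z = set(victim_classes), set(adversary_classes)
    return 100.0 * len(K & Z) / len(K)

# Hypothetical toy label sets: half of the victim's classes also appear
# in the adversary's vocabulary.
assert class_overlap({"dog", "cat", "car", "cup"}, {"dog", "cat", "tree"}) == 50.0
```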
5.2.2 Adaptive Strategy
In the adaptive strategy (Section 4.1.2), we make use of auxiliary information (labels) in the adversary's data PA to guide the construction of the transfer set. We represent these labels as the leaf nodes in the coarse-to-fine concept hierarchy tree. The root node in all cases is a single concept "entity". We obtain the rest of the hierarchy as follows: (i) D2: we add as parents the dataset the images belong to; (ii) ILSVRC: for each of the 1K labels, we obtain 30 coarse labels by clustering the mean visual features of each label, obtained using 2048-dim pool features of an ILSVRC-pretrained ResNet model; (iii) OpenImages: we use the exact hierarchy provided by the authors.
6. Results
We now discuss the experimental results.
Training Phases. The knockoff models are trained in two phases: (a) Online: during transfer set construction (Section 4.1); followed by (b) Offline: the model is retrained using the transfer set obtained thus far (Section 4.2). All results on the knockoff are reported after step (b).
Evaluation Metric. We evaluate two aspects of the knockoff: (a) Top-1 accuracy: computed on the victim's held-out test data DtestV; (b) sample-efficiency: best performance achieved after a budget of B queries. Accuracy is reported in two forms: absolute (x%) or relative to blackbox FV (x×).
In each of the following experiments, we evaluate our approach with identical hyperparameters across all blackboxes, highlighting the generalizability of model functionality stealing.
6.1. Transfer Set Construction
In this section, we analyze the influence of the transfer set {(xi, FV(xi))} on the knockoff. For simplicity, for the remainder of this section we fix the architecture of both the victim and the knockoff to a ResNet-34 [14].
Reference: PA = PV (KD). From Table 2 (second row), we observe: (i) all knockoff models recover 0.92-1.05× the performance of FV; (ii) a better performance than FV itself (e.g., 3.8% improvement on Caltech256) due to the regularizing effect of training on soft labels [15].
Can we learn by querying randomly from an independent distribution? Unlike KD, the knockoff is now trained and evaluated on different image distributions (PA and PV, respectively). We first focus on the random strategy, which does not use any auxiliary information.
We make the following observations from Table 2 (random): (i) closed-world: the knockoff is able to reasonably imitate all the blackbox models, recovering 0.84-0.97× blackbox performance; (ii) open-world: in this challenging scenario, the knockoff model has never encountered images of numerous classes at test-time, e.g., >90% of the bird classes in CUBS200. Yet remarkably, the knockoff is able to obtain 0.81-0.96× the performance of the blackbox. Moreover, results vary only marginally (at most 0.04×) between ILSVRC and OpenImages, indicating any large diverse set of images makes for a good transfer set.
Upon qualitative analysis, we find the image and pseudo-label pairs in the transfer set are semantically incoherent (Fig. 6a) for output classes non-existent in training images
                   random                                                          adaptive
PA                 Caltech256    CUBS200       Indoor67      Diabetic5      Caltech256    CUBS200       Indoor67      Diabetic5
PV (FV)            78.8 (1×)     76.5 (1×)     74.9 (1×)     58.1 (1×)      -             -             -             -
PV (KD)            82.6 (1.05×)  70.3 (0.92×)  74.4 (0.99×)  54.3 (0.93×)   -             -             -             -
Closed: D2         76.6 (0.97×)  68.3 (0.89×)  68.3 (0.91×)  48.9 (0.84×)   82.7 (1.05×)  74.7 (0.98×)  76.3 (1.02×)  48.3 (0.83×)
Open: ILSVRC       75.4 (0.96×)  68.0 (0.89×)  66.5 (0.89×)  47.7 (0.82×)   76.2 (0.97×)  69.7 (0.91×)  69.9 (0.93×)  44.6 (0.77×)
Open: OpenImg      73.6 (0.93×)  65.6 (0.86×)  69.9 (0.93×)  47.0 (0.81×)   74.2 (0.94×)  70.1 (0.92×)  70.2 (0.94×)  47.7 (0.82×)

Table 2: Accuracy on test sets. Accuracy of blackbox FV indicated in the first row and knockoffs FA below. KD = Knowledge Distillation. Closed- and open-world accuracies reported at B = 60k.
Figure 5: Performance of the knockoff at various budgets B (0-100k). Presented for various choices of the adversary's image distribution PA ∈ {D2, ILSVRC, OpenImg, PV} and sampling strategy π ∈ {adaptive, random} on Caltech256, CUBS200, Indoor67, and Diabetic5. Reference markers indicate the accuracy of blackbox FV and chance-level performance.
PA. However, when relevant images are presented at test-time (Fig. 6b), the adversary displays strong performance. Furthermore, we find the top predictions by the knockoff relevant to the image, e.g., predicting one comic character (superman) for another.
How sample-efficient can we get? We now evaluate the adaptive strategy (discussed in Section 4.1.2). Note that we make use of auxiliary information of the images in these tasks (labels of images in PA). We use the reward set which obtained the best performance in each scenario: {certainty} in the closed-world and {certainty, diversity, loss} in the open-world.
From Figure 5, we observe: (i) closed-world: adaptive is extremely sample-efficient in all but one case. Its performance is comparable to KD in spite of samples drawn from a 36-188× larger image distribution. We find significant sample-efficiency improvements, e.g., while CUBS200-random reaches 68.3% at B=60k, adaptive achieves this 6× quicker at B=10k. We find comparably low performance on Diabetic5, as the blackbox exhibits confident predictions for all images, resulting in a poor feedback signal to guide the policy; (ii) open-world: although we find marginal improvements over random in this challenging scenario, they are pronounced in a few cases, e.g., 1.5× quicker to reach an accuracy of 57% on CUBS200 with OpenImages; (iii) as an added benefit apart from sample-efficiency, from Table 2, we find adaptive displays improved performance (up to 4.5%) consistently across all choices of FV.
What can we learn by inspecting the policy? From previous experiments, we observed two benefits of the adaptive strategy: sample-efficiency (although more prominent in the closed-world) and improved performance. The policy πt learnt by adaptive (Section 4.1.2) additionally allows us to understand what makes for good images to query. πt(z) is a discrete probability distribution indicating preference over actions z. Each action z in our case corresponds to a label in the adversary's image distribution.

We visualize πt(z) in Figure 7, where each bar represents an action and its color, the parent in the hierarchy. We observe: (i) closed-world (Fig. 7 top): actions sampled with higher probabilities consistently correspond to output classes of FV. Upon analyzing parents of these actions (the dataset source), the policy also learns to sample images for the output classes from an alternative richer image source, e.g., "ladder" images in Caltech256 sampled from OpenImages instead; (ii) open-world (Fig. 7 bottom): unlike the closed-world, the optimal mapping between the adversary's actions and the blackbox's output classes is non-trivial and unclear. However, we find top actions typically correspond to output classes of FV, e.g., indigo bunting. The policy, in addition, learns to sample coarser actions related to FV's task, e.g., predominantly drawing from bird and animal images to knockoff CUBS200.
What makes for a good reward? Using the adaptive sampling strategy, we now address the influence of the three rewards (discussed in Section 4.1.2). We observe: (i) closed-world (Fig. 8 left): all reward signals in adaptive help with sample efficiency over random. Reward cert (which encourages exploitation) provides the best feedback

Figure 6: Qualitative Results. (a) Samples from the transfer set ({(xi, FV(xi))}, xi ∼ PA(X)) displayed for four output classes (one from each blackbox): 'Homer Simpson', 'Harris Sparrow', 'Gym', and 'Proliferative DR'. (b) With the knockoff FA trained on the transfer set, we visualize its predictions on the victim's test set ({(xi, FA(xi))}, xi ∼ DtestV). Ground truth labels are underlined. Objects from these classes, among numerous others, were never encountered while training FA.
Figure 7: Policy π learnt by the adaptive approach. Each bar represents the preference for an action z; the top 30 actions (out of 2.1k and 1k) are displayed for Caltech256 (PA = D2) and CUBS200 (PA = ILSVRC). Colors indicate the parent of each action in the hierarchy (e.g., the source dataset, or coarse labels such as animal, bird, carnivore).
Figure 8: Reward Ablation. cert: certainty, uncert: uncertainty, div: diversity, L: loss, none: no reward (random strategy). (Panels: Caltech256 and CUBS200 with PA = D2 and PA = ILSVRC; axes: Accuracy vs. Budget B.)
signal. Including other rewards (cert+div+L) slightly deteriorates performance, as they encourage exploration over related or unseen actions – which is not ideal in a closed world. Reward uncert, a popular measure used in AL literature [3, 9, 39], underperforms in our setting since it encourages uncertain (in our case, irrelevant) images. (ii) open-world (Fig. 8 right): All rewards display only none-to-marginal improvements for all choices of FV, with the highest improvement in CUBS200 using cert+div+L. However, we notice an influence on learnt policies, where combining exploration (div + L) with exploitation (cert) goals results in a softer probability distribution π over the action space, in turn encouraging related images.

Figure 9: Truncated Posteriors. Influence of training the knockoff with truncated posteriors. (Panels: top-k and rounding r, Caltech256, PA = ILSVRC; axes: Accuracy vs. Budget B.)
Can we train knockoffs with truncated blackbox outputs? So far, we found the adversary's objective of knocking off blackbox models can be effectively carried out with minimal assumptions. Now we explore the influence of the victim's defense strategy of reducing the informativeness of blackbox predictions to counter the adversary's model stealing attack. We consider two truncation strategies: (a) top-k: the top-k (out of K) unnormalized posterior probabilities are retained, while the rest are zeroed out; (b) rounding r: posteriors are rounded to r decimals, e.g., round(0.127, r=2) = 0.13. In addition, we consider the extreme case "argmax", where only the index k = arg max_k y_k is returned.
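The three truncation defenses can be sketched in a few lines of NumPy. This is an illustrative sketch, not the paper's code; `truncate_topk`, `round_posteriors`, and `argmax_only` are names of our choosing.

```python
import numpy as np

def truncate_topk(y, k):
    """Keep the top-k posterior entries, zero out the rest."""
    out = np.zeros_like(y)
    idx = np.argsort(y)[-k:]          # indices of the k largest entries
    out[idx] = y[idx]
    return out

def round_posteriors(y, r):
    """Round each posterior to r decimal places."""
    return np.round(y, r)

def argmax_only(y):
    """Extreme case: return a one-hot vector at the argmax index."""
    out = np.zeros_like(y)
    out[np.argmax(y)] = 1.0
    return out

y = np.array([0.127, 0.523, 0.250, 0.100])
print(truncate_topk(y, 2))     # only the two largest entries survive
print(round_posteriors(y, 2))  # e.g., round(0.127, r=2) = 0.13
print(argmax_only(y))
```

The knockoff is then trained against the truncated vector in place of the full posterior, which is what Figure 9 evaluates.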
From Figure 9 (with K = 256), we observe: (i) truncating yi – either using top-k or rounding – only slightly impacts the knockoff performance, with argmax achieving 0.76-0.84× the accuracy of the original performance for any budget B; (ii) top-k: even small increments of k significantly recover the original performance – 0.91× at k = 2 and 0.96× at k = 5; (iii) rounding: recovery is more pronounced, with 0.99× of the original accuracy achieved at just r = 2. We find model functionality stealing is minimally impacted by reducing the informativeness of blackbox predictions.

Figure 10: Architecture choices. FV (left: Resnet-34 and right: VGG-16) and FA (lines in each plot).
6.2. Architecture choice
In the previous section, we found model functionality stealing to be consistently effective while keeping the architectures of the blackbox and knockoff fixed. Now we study the influence of the architectural choice FA vs. FV.
How does the architecture of FA influence knockoff performance? We study the influence using two choices of the blackbox FV architecture: Resnet-34 [14] and VGG-16 [41]. Keeping these fixed, we vary the architecture of the knockoff FA by choosing from: Alexnet [21], VGG-16 [41], Resnet-{18, 34, 50, 101} [14], and Densenet-161 [16].
From Figure 10, we observe: (i) performance of the knockoff is ordered by model complexity: Alexnet (lowest performance) is at one end of the spectrum while the significantly more complex Resnet-101/Densenet-161 are at the other; (ii) performance transfers across model families: Resnet-34 achieves similar performance when stealing VGG-16 and vice versa; (iii) complexity helps: selecting a more complex model architecture for the knockoff is beneficial. This contrasts with KD settings, where the objective is to have a more compact student (knockoff) model.
6.3. Stealing Functionality of a Real-world Black-box Model
Now we validate model functionality stealing on a popular image analysis API. Such image recognition services are gaining popularity, allowing users to obtain image predictions for a variety of tasks at low costs ($1-2 per 1k queries). These image recognition APIs have also been used to evaluate other attacks, e.g., adversarial examples [4, 18, 23]. We focus on a facial characteristics API which, given an image, returns attributes and confidences per face. Note that in this experiment, we have semantic information of blackbox output classes.
Collecting PA. The API returns probability vectors per face in the image and thus, querying irrelevant images leads to a wasted result with no output information. Hence, we use two face image sets PA for this experiment: CelebA (220k images) [24] and OpenImages-Faces (98k images).
Figure 11: Knocking-off a real-world API. Performance of the knockoff achieved with two choices of PA (left: CelebA, right: OpenImg-Faces), evaluated on both test sets with FA ∈ {Resnet-34, Resnet-101}.
We create the latter by cropping faces (plus margin) from images in the OpenImages dataset [22].
Evaluation. Unlike previous experiments, we cannot access the victim's test data. Hence, we create test sets for each image set by collecting and manually screening seed annotations from the API on ∼5K images.
How does this translate to the real world? We model two variants of the knockoff using the random strategy (adaptive is not used since no relevant auxiliary information about the images is available). We present each variant using two choices of architecture FA: a compact Resnet-34 and a complex Resnet-101. From Figure 11, we observe: (i) strong performance of the knockoffs, achieving 0.76-0.82× the performance of the API on the test sets; (ii) the diverse nature of OpenImages-Faces helps improve generalization, resulting in 0.82× the accuracy of the API on both test sets; (iii) the complexity of FA does not play a significant role: both Resnet-34 and Resnet-101 show similar performance, indicating a compact architecture is sufficient to capture discriminative features for this particular task.
We find model functionality stealing translates well to the real world, with knockoffs exhibiting strong performance. The knockoff circumvents the monetary and labour costs of: (a) collecting images for the task; (b) obtaining expert annotations; and (c) tuning a model. As a result, an inexpensive knockoff is trained which exhibits strong performance, using victim API queries amounting to only $30.
7. Conclusion
We investigated the problem of model functionality stealing, where an adversary transfers the functionality of a victim model into a knockoff via blackbox access. In spite of minimal assumptions on the blackbox, we demonstrated the surprising effectiveness of our approach. Finally, we validated our approach on a popular image recognition API and found strong performance of knockoffs. We find functionality stealing poses a real-world threat that potentially undercuts an increasing number of deployed ML models.
Acknowledgement. This research was partially supported by the German Research Foundation (DFG CRC 1223). We thank Yang Zhang for helpful discussions.
References
[1] Eyepacs. https://www.kaggle.com/c/diabetic-retinopathy-detection. Accessed: 2018-11-08.
[2] N. Akhtar, J. Liu, and A. Mian. Defense against universal adversarial perturbations. In CVPR, 2018.
[3] W. H. Beluch, T. Genewein, A. Nurnberger, and J. M. Kohler. The power of ensembles for active learning in image classification. In CVPR, 2018.
[4] A. N. Bhagoji, W. He, B. Li, and D. Song. Exploring the space of black-box attacks on deep neural networks. arXiv preprint arXiv:1712.09491, 2017.
[5] C. Bucilua, R. Caruana, and A. Niculescu-Mizil. Model compression. In KDD, 2006.
[6] G. Chen, W. Choi, X. Yu, T. Han, and M. Chandraker. Learning efficient object detection models with knowledge distillation. In NIPS, 2017.
[7] D. A. Cohn, Z. Ghahramani, and M. I. Jordan. Active learning with statistical models. JAIR, 1996.
[8] J. Deng, W. Dong, R. Socher, L.-J. Li, K. Li, and L. Fei-Fei. Imagenet: A large-scale hierarchical image database. In CVPR, 2009.
[9] S. Ebert, M. Fritz, and B. Schiele. Ralf: A reinforced active learning formulation for object class recognition. In CVPR, 2012.
[10] M. Fredrikson, S. Jha, and T. Ristenpart. Model inversion attacks that exploit confidence information and basic countermeasures. In CCS, 2015.
[11] T. Furlanello, Z. C. Lipton, M. Tschannen, L. Itti, and A. Anandkumar. Born again neural networks. In ICML, 2018.
[12] G. Griffin, A. Holub, and P. Perona. Caltech-256 object category dataset. 2007.
[13] S. Han, H. Mao, and W. J. Dally. Deep compression: Compressing deep neural networks with pruning, trained quantization and huffman coding. In ICLR, 2016.
[14] K. He, X. Zhang, S. Ren, and J. Sun. Deep residual learning for image recognition. In CVPR, pages 770–778, 2016.
[15] G. Hinton, O. Vinyals, and J. Dean. Distilling the knowledge in a neural network. arXiv:1503.02531, 2015.
[16] G. Huang, Z. Liu, L. van der Maaten, and K. Q. Weinberger. Densely connected convolutional networks. In CVPR, 2017.
[17] F. N. Iandola, S. Han, M. W. Moskewicz, K. Ashraf, W. J. Dally, and K. Keutzer. Squeezenet: Alexnet-level accuracy with 50x fewer parameters and < 0.5 MB model size. arXiv:1602.07360, 2016.
[18] A. Ilyas, L. Engstrom, A. Athalye, and J. Lin. Black-box adversarial attacks with limited queries and information. In ICML, 2018.
[19] A. J. Joshi, F. Porikli, and N. Papanikolopoulos. Multi-class active learning for image classification. In CVPR, 2009.
[20] V. Khrulkov and I. Oseledets. Art of singular vectors and universal adversarial perturbations. In CVPR, 2018.
[21] A. Krizhevsky, I. Sutskever, and G. E. Hinton. Imagenet classification with deep convolutional neural networks. In NIPS, 2012.
[22] A. Kuznetsova, H. Rom, N. Alldrin, J. Uijlings, I. Krasin, J. Pont-Tuset, S. Kamali, S. Popov, M. Malloci, T. Duerig, et al. The open images dataset v4: Unified image classification, object detection, and visual relationship detection at scale. arXiv:1811.00982, 2018.
[23] Y. Liu, X. Chen, C. Liu, and D. Song. Delving into transferable adversarial examples and black-box attacks. In ICLR, 2017.
[24] Z. Liu, P. Luo, X. Wang, and X. Tang. Deep learning face attributes in the wild. In ICCV, 2015.
[25] S.-M. Moosavi-Dezfooli, A. Fawzi, O. Fawzi, and P. Frossard. Universal adversarial perturbations. In CVPR, 2017.
[26] S.-M. Moosavi-Dezfooli, A. Fawzi, and P. Frossard. Deepfool: A simple and accurate method to fool deep neural networks. In CVPR, 2016.
[27] S. J. Oh, M. Augustin, B. Schiele, and M. Fritz. Towards reverse-engineering black-box neural networks. In ICLR, 2018.
[28] S. J. Oh, R. Benenson, M. Fritz, and B. Schiele. Faceless person recognition; privacy implications in social media. In ECCV, 2016.
[29] S. J. Oh, M. Fritz, and B. Schiele. Adversarial image perturbation for privacy protection – a game theory perspective. In ICCV, 2017.
[30] T. Orekondy, M. Fritz, and B. Schiele. Connecting pixels to privacy and utility: Automatic redaction of private information in images. In CVPR, 2018.
[31] T. Orekondy, B. Schiele, and M. Fritz. Towards a visual privacy advisor: Understanding and predicting privacy risks in images. In ICCV, 2017.
[32] N. Papernot, P. McDaniel, I. Goodfellow, S. Jha, Z. B. Celik, and A. Swami. Practical black-box attacks against machine learning. In Asia CCS, 2017.
[33] F. Pedregosa, G. Varoquaux, A. Gramfort, V. Michel, B. Thirion, O. Grisel, M. Blondel, P. Prettenhofer, R. Weiss, V. Dubourg, J. Vanderplas, A. Passos, D. Cournapeau, M. Brucher, M. Perrot, and E. Duchesnay. Scikit-learn: Machine learning in Python. Journal of Machine Learning Research, 12:2825–2830, 2011.
[34] O. Poursaeed, I. Katsman, B. Gao, and S. Belongie. Generative adversarial perturbations. In CVPR, 2018.
[35] A. Quattoni and A. Torralba. Recognizing indoor scenes. In CVPR, 2009.
[36] A. Romero, N. Ballas, S. E. Kahou, A. Chassang, C. Gatta, and Y. Bengio. Fitnets: Hints for thin deep nets. In ICLR, 2015.
[37] O. Russakovsky, J. Deng, H. Su, J. Krause, S. Satheesh, S. Ma, Z. Huang, A. Karpathy, A. Khosla, M. Bernstein, et al. Imagenet large scale visual recognition challenge. IJCV, 2015.
[38] A. Salem, Y. Zhang, M. Humbert, M. Fritz, and M. Backes. ML-Leaks: Model and data independent membership inference attacks and defenses on machine learning models. In NDSS, 2019.
[39] B. Settles and M. Craven. An analysis of active learning strategies for sequence labeling tasks. In EMNLP, 2008.
[40] R. Shokri, M. Stronati, C. Song, and V. Shmatikov. Membership inference attacks against machine learning models. In Security and Privacy (S&P), 2017.
[41] K. Simonyan and A. Zisserman. Very deep convolutional networks for large-scale image recognition. arXiv:1409.1556, 2014.
[42] Q. Sun, L. Ma, S. J. Oh, L. van Gool, B. Schiele, and M. Fritz. Natural and effective obfuscation by head inpainting. In CVPR, 2018.
[43] R. S. Sutton and A. G. Barto. Introduction to Reinforcement Learning, volume 135. MIT Press, Cambridge, 1998.
[44] S. Tong and D. Koller. Support vector machine active learning with applications to text classification. JMLR, 2001.
[45] F. Tramer, F. Zhang, A. Juels, M. K. Reiter, and T. Ristenpart. Stealing machine learning models via prediction APIs. In USENIX Security, 2016.
[46] A. Vittorio. Toolkit to download and visualize single or multiple classes from the huge open images v4 dataset. https://github.com/EscVM/OIDv4_ToolKit, 2018.
[47] C. Wah, S. Branson, P. Welinder, P. Perona, and S. Belongie. The Caltech-UCSD Birds-200-2011 Dataset. Technical Report CNS-TR-2011-001, California Institute of Technology, 2011.
[48] B. Wang and N. Z. Gong. Stealing hyperparameters in machine learning. In Security and Privacy (S&P), 2018.
[49] Z. Wu, Z. Wang, Z. Wang, and H. Jin. Towards privacy-preserving visual recognition via adversarial training: A pilot study. In ECCV, 2018.
[50] R. Yonetani, V. N. Boddeti, K. M. Kitani, and Y. Sato. Privacy-preserving visual learning using doubly permuted homomorphic encryption. In ICCV, 2017.
[51] Y. Zhang, T. Xiang, T. M. Hospedales, and H. Lu. Deep mutual learning. In CVPR, 2018.
Appendices

A. Contents
The appendix contains:
A. Contents (this section)
B. Extended descriptions
1. Blackbox models
2. Overlap between PV and PA
3. Aggregating OpenImages and OpenImages-Faces
4. Additional implementation details
C. Extensions of existing results
1. Qualitative Results
2. Sample-efficiency of GT
3. Policies learnt by adaptive strategy
4. Reward Ablation
D. Auxiliary experiments
1. Seen and unseen classes
2. Adaptive strategy: With/without hierarchy
3. Semi-open world: τD2
B. Extended Descriptions

In this section, we provide additional detailed descriptions and implementation details.
B.1. Black-box models
We supplement Section 5.1 by providing extended descriptions of the blackboxes listed in Table 1. Each blackbox FV is trained on one particular image classification dataset.
Black-box 1: Caltech256 [12]. Caltech-256 is a popular dataset for general object recognition, gathered by downloading relevant examples from Google Images and manually screening for quality and errors. The dataset contains 30k images covering 256 common object categories.
Black-box 2: CUBS200 [47]. A fine-grained bird classifier is trained on the CUBS-200-2011 dataset. This dataset contains roughly 30 train and 30 test images for each of 200 species of birds. Due to the low intra-class variance, collecting and annotating images is challenging even for expert bird-watchers.
Black-box 3: Indoor67 [35]. We introduce another fine-grained task of recognizing 67 types of indoor scenes. This dataset consists of 15.6k images collected from Google Images, Flickr, and LabelMe.

PA \ PV              Caltech256 (K=256)   CUBS200 (K=200)   Indoor67 (K=67)   Diabetic5 (K=5)
ILSVRC (Z=1000)      108 (42%)            2 (1%)            10 (15%)          0 (0%)
OpenImages (Z=601)   114 (44%)            1 (0.5%)          4 (6%)            0 (0%)

Table 3: Overlap between PA and PV.

Black-box 4: Diabetic5 [1]. Diabetic Retinopathy (DR) is a medical eye condition characterized by retinal damage due to diabetes. Cases are typically determined by trained clinicians who look for the presence of lesions and vascular abnormalities in digital color photographs of the retina captured using specialized cameras. Recently, a dataset of 35k such retinal image scans was made available as part of a Kaggle competition [1]. Each image is annotated by a clinician on a scale of 0 (no DR) to 4 (proliferative DR). This highly-specialized biomedical dataset also presents challenges in the form of extreme imbalance (the largest class contains 30× as many images as the smallest one).
B.2. Overlap: Open-world
In this section, we supplement Section 5.2.1 in the main paper by providing more details on how overlap was calculated in the open-world scenarios. We manually compute overlap between labels of the blackbox (K, e.g., 256 Caltech classes) and the adversary's dataset (Z, e.g., 1k ILSVRC classes) as: 100 × |K ∩ Z|/|K|. We denote two labels k ∈ K and z ∈ Z to overlap if: (a) they have the same semantic meaning; or (b) z is a type of k, e.g., z = "maltese dog" and k = "dog". The exact numbers are provided in Table 3. We remark that this is a soft lower bound. For instance, while ILSVRC contains "Hummingbird" and CUBS-200-2011 contains three distinct species of hummingbirds, this is not counted towards the overlap as the adversary lacks the annotated data necessary to discriminate among the three species.
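The overlap metric above is straightforward to compute once the manually matched label pairs are listed. A minimal sketch follows; the label sets are toy examples, not the actual Caltech or ILSVRC vocabularies, and `overlap_percent` is our own illustrative name.

```python
def overlap_percent(victim_labels, adversary_labels, matches=()):
    """Overlap = 100 * |K ∩ Z| / |K|. A victim label k counts as covered
    if it appears verbatim in Z, or via a manual (z, k) match where z is
    a type of k (e.g., z = "maltese dog" for k = "dog")."""
    K, Z = set(victim_labels), set(adversary_labels)
    matched_k = {k for (z, k) in matches if z in Z}
    covered = (K & Z) | (matched_k & K)
    return 100.0 * len(covered) / len(K)

# Toy example (illustrative labels only):
K = ["dog", "hummingbird", "gym"]
Z = ["maltese dog", "hummingbird", "zebra"]
print(overlap_percent(K, Z, matches=[("maltese dog", "dog")]))  # 2 of 3 covered
```

Here "dog" is covered only through the manual match list, mirroring the type-of rule (b) above.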
B.3. Dataset Aggregation
All datasets used in the paper (except OpenImages) have been used in the form made publicly available by the authors. We use a subset of OpenImages due to storage constraints imposed by its massive size (9M images). The descriptions to obtain these subsets are provided below.

OpenImages. We retrieve 2k images for each of the 600 OpenImages [22] "boxable" categories, resulting in 554k unique images. ∼19k images are removed for either being corrupt or representing Flickr's placeholder for unavailable images. This results in a total of 535k unique images.

OpenImages-Faces. We download all images (422k) from OpenImages [22] with the label "/m/0dzct: Human face"
using the OID tool [46]. The bounding box annotations are used to crop faces (plus a margin of 25%) containing at least 180×180 pixels. We restrict to at most 5 faces per image to maintain diversity between train/test splits. This results in a total of 98k face images.

Figure 12: Training on GT vs. KD. Extension of Figure 5. We compare the sample efficiency of the first two rows in Table 2: "PV (FV)" (training with GT data) and "PV (KD)" (training with soft-labels of GT images produced by FV).
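The face-crop step above reduces to simple box arithmetic. The sketch below is our own illustration (the actual OpenImages annotations use normalized coordinates handled by the OID tool); `crop_box_with_margin` and `keep_face` are hypothetical helpers.

```python
def crop_box_with_margin(x0, y0, x1, y1, margin, img_w, img_h):
    """Expand a pixel-space face box by a relative margin (e.g., 0.25
    for the 25% used here), clipped to the image bounds."""
    w, h = x1 - x0, y1 - y0
    mx, my = margin * w, margin * h
    return (max(0, int(x0 - mx)), max(0, int(y0 - my)),
            min(img_w, int(x1 + mx)), min(img_h, int(y1 + my)))

def keep_face(box, min_side=180):
    """Retain crops containing at least min_side x min_side pixels."""
    x0, y0, x1, y1 = box
    return (x1 - x0) >= min_side and (y1 - y0) >= min_side

box = crop_box_with_margin(100, 100, 300, 300, 0.25, 640, 480)
print(box, keep_face(box))  # box grows 25% per side, then the size filter applies
```

A per-image counter capped at 5 kept faces would implement the diversity restriction.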
B.4. Additional Implementation Details
In this section, we provide implementation details to supplement discussions in the main paper.
Training FV = Diabetic5. Training this victim model is identical to the other blackboxes except for one aspect: a weighted loss. Due to the extreme imbalance between classes of the dataset, we weigh each class as follows. Let nk denote the number of images belonging to class k and let nmin = min_k nk. We weigh the loss for each class k as nmin/nk. From our experiments with the weighted loss, we found approximately an 8% absolute improvement in overall accuracy on the test set. However, the training of the knockoffs of all blackboxes is identical in all aspects, including a non-weighted loss irrespective of the victim blackbox targeted.
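The class weighting follows directly from the definition w_k = n_min/n_k. A minimal sketch, with made-up class counts (roughly a 30× imbalance, as in Diabetic5):

```python
def class_weights(counts):
    """Weight the loss of each class k by n_min / n_k to counter imbalance."""
    n_min = min(counts.values())
    return {k: n_min / n_k for k, n_k in counts.items()}

# Illustrative counts only (not the actual Diabetic5 statistics):
counts = {0: 3000, 1: 1200, 2: 600, 3: 250, 4: 100}
w = class_weights(counts)
print(w)  # majority class gets a small weight, smallest class gets 1.0
```

These weights would then scale the per-class cross-entropy terms during training of FV.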
Creating ILSVRC Hierarchy. We represent the 1k labels of ILSVRC as a hierarchy (Figure 4b) in the form: root node "entity" → N coarse nodes → 1k leaf nodes. We obtain the N (30 in our case) coarse labels as follows: (i) a 2048-d mean feature vector representation per label is obtained using an Imagenet-pretrained ResNet; (ii) we cluster the 1k features into N clusters using scikit-learn's [33] implementation of agglomerative clustering; (iii) we obtain semantic labels per cluster (i.e., coarse node) by finding the common parent in the Imagenet semantic hierarchy.
Adaptive Strategy. Recall from Section 6 that we train the knockoff in two phases: (a) online: during transfer set construction; followed by (b) offline: the model is retrained using the transfer set obtained thus far. In phase (a), we train FA with SGD (with 0.5 momentum) with a learning rate of 0.0005 and a batch size of 4 (i.e., 4 images sampled at each t). In phase (b), we train the knockoff FA from scratch on the transfer set using SGD (with 0.5 momentum) for 100 epochs with a learning rate of 0.01, decayed by a factor of 0.1 every 60 epochs.
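The offline-phase schedule (base LR 0.01, decayed by 0.1 every 60 epochs) amounts to a step function; `step_lr` below is an illustrative name, not from the paper's code.

```python
def step_lr(epoch, base_lr=0.01, decay=0.1, step=60):
    """Learning rate at a given epoch under step decay."""
    return base_lr * (decay ** (epoch // step))

for e in (0, 59, 60, 99):
    print(e, step_lr(e))
# epochs 0-59 train at 0.01; epochs 60-99 at one decay step lower
```

In a PyTorch training loop this corresponds to a standard step LR scheduler with step size 60 and gamma 0.1.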
C. Extensions of Existing Results

In this section, we present extensions of existing results discussed in the main paper.
C.1. Qualitative Results
Qualitative results to supplement Figure 6 are provided in Figures 13-16. Each row in the figures corresponds to an output class of the blackbox whose images the knockoff has never encountered before. Images in the "transfer set" column were randomly sampled from ILSVRC [8, 37]. In contrast, images in the "test set" belong to the victim's test set (Caltech256, CUBS-200-2011, etc.).
C.2. Sample Efficiency: Training Knockoffs on GT
We extend Figure 5 in the main paper to include training on the same ground-truth data used to train the blackboxes. This extension "PV (FV)" is illustrated in Figure 12, displayed alongside the KD approach. The figure represents the sample efficiency of the first two rows of Table 2. Here we observe: (i) comparable performance in all but one case (Diabetic5, discussed shortly), indicating KD is an effective approach to train knockoffs; (ii) we find KD achieves better performance on Caltech256 and Diabetic5 due to the regularizing effect of training on soft-labels [15] on an imbalanced dataset.
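Training on soft labels reduces to cross-entropy against the victim's posterior vector rather than a one-hot target. A minimal NumPy sketch of this loss (names are ours, not the paper's):

```python
import numpy as np

def soft_cross_entropy(student_logits, teacher_probs):
    """Cross-entropy between soft targets (teacher posteriors) and the
    student's softmax distribution."""
    z = student_logits - student_logits.max()  # shift for numerical stability
    log_p = z - np.log(np.exp(z).sum())        # log-softmax of student logits
    return -(teacher_probs * log_p).sum()

logits = np.array([2.0, 1.0, 0.1])
hard = np.array([1.0, 0.0, 0.0])   # one-hot GT label: standard CE
soft = np.array([0.7, 0.2, 0.1])   # victim's posterior: KD-style target
print(soft_cross_entropy(logits, hard))
print(soft_cross_entropy(logits, soft))
```

With a one-hot `teacher_probs`, the loss collapses to ordinary cross-entropy, so the GT and KD rows of Table 2 differ only in the target vector.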
C.3. Policies learnt by Adaptive
We inspected the policy π learnt by the adaptive strategy in Section 6.1. In this section, we provide policies over all blackboxes in the closed- and open-world settings. Figures 17a and 17c display probabilities of each action z ∈ Z at t = 2500.
Since the distribution of rewards is non-stationary, we visualize the policy over time in Figure 17b for CUBS200 in a closed-world setup. From this figure, we observe an evolution where: (i) at early stages (t ∈ [0, 2000]), the
Figure 13: Qualitative results: Caltech256. Extends Figure 6 in the main paper. GT labels are underlined, correct knockoff top-1 predictions in green and incorrect in red.
Figure 14: Qualitative results: CUBS200. Extends Figure 6 in the main paper.
Figure 15: Qualitative results: Indoor67. Extends Figure 6 in the main paper. GT labels are underlined, correct top-1 knockoff predictions in green and incorrect in red.
Figure 16: Qualitative results: Diabetic5. Extends Figure 6 in the main paper.
Policy: D^2
hum
min
gbird
ham
moc
k
wate
rfall
car-t
ire
gras
shop
per
porc
upin
e
syrin
ge
skat
eboa
rd
picn
ic-ta
ble
fire-
hydr
ant
fire-
extin
guish
er
palm
-tree
tenn
is-co
urt
cowb
oy-h
at
goril
la
hour
glass
bask
etba
ll-ho
op
eyeg
lasse
s
cake
sadd
le
refri
gera
tor
dolp
hin-
101
swor
d
hom
er-si
mps
on
bons
ai-10
1
zebr
a
billia
rds
cock
roac
h
tra�
c-lig
ht
tread
mill
Actions z
0.0
0.01
0.02
0.03
fiz
Caltech256 · PA = D2 · t œ [0, 2500] · T = 7401
caltechcubsdiabetic
ilsvrcindooropenimg
bowl
ing
lock
erro
om
laund
rom
at
ware
hous
e
book
store
groc
erys
tore
dini
ngro
om bar
airpo
rtin
side
mee
ting
room
bake
ry
mall
mov
iethe
ater
tvstu
dio
kitch
en
wine
cella
r
audi
toriu
m
stairs
case
insid
esu
bway deli
subw
ay
train
statio
n
gym
pooli
nsid
e
waiti
ngro
om
casin
o
livin
groo
m
hairs
alon
bath
room
mus
eum
Actions z
0.0
0.01
0.02
0.03
fiz
Indoor67 · PA = D2 · t œ [0, 2500] · T = 7401
caltechcubsdiabetic
ilsvrcindooropenimg
Easte
rnTo
whee
LeCo
nte
Spar
row
Pied
bille
dGr
ebe
Flor
ida
Jay
Hood
edOr
iole
Whi
tebr
easte
dNu
that
ch
Long
taile
dJa
eger
Gadw
all
Seas
ide
Spar
row
Logg
erhe
adSh
rike
Gras
shop
perS
parro
w
War
blin
gVi
reo
Belte
dKi
ngfis
her
Pilea
ted
Woo
dpec
ker
Whi
tebr
easte
dKi
ngfis
her
Bobo
link
Ceda
rWax
wing
Hood
edM
erga
nser
Fish
Crow
Sciss
orta
iled
Flyc
atch
er
Rufo
usHu
mm
ingb
ird
Sum
mer
Tana
ger
Calif
orni
aGu
ll
Man
grov
eCu
ckoo
Bran
dtCo
rmor
ant
Herri
ngGu
ll
Pom
arin
eJa
eger
Amer
ican
Gold
finch
Wes
tern
Greb
e
Wor
mea
ting
War
bler
Actions z
0.0
0.025
fiz
CUBS200 · PA = D2 · t œ [0, 2500] · T = 7401
caltechcubs
diabeticilsvrc
indooropenimg
snail
fire-
hydr
ant
porc
upin
e
cano
e
dog
toas
ter
back
pack
cam
el
bath
tub
duck frog
llam
a-10
1
zebr
a
kang
aroo
-101
scor
pion
-101
wire
haire
dfo
xte
rrier
ham
ster
mot
orsc
oote
r
suit
castl
e
sloth
bear
skun
k
man
dolin
wom
bat
gira�
e
mus
hroo
m
sidew
inde
r
quail hen
flam
ingo
Actions z
0.0
0.02
fiz
Diabetic5 · PA = D2 · t œ [0, 2500] · T = 7401
caltechcubs
diabeticilsvrc
indooropenimg
(a) Closed world.
Policy: D^2 - evolution over time
Flor
ida
Jay
Logg
erhe
adSh
rike
Wes
tern
Greb
e
Brow
nTh
rash
er
Yello
wbr
easte
dCh
at
Hood
edOr
iole
Com
mon
Yello
wthr
oat
Whi
tebr
easte
dNu
that
ch
Long
taile
dJa
eger
Cape
May
War
bler
Prair
ieW
arbl
er
Bank
Swall
ow
Ring
edKi
ngfis
her
Leas
tFlyc
atch
er
Com
mon
Tern
Hens
lowSp
arro
w
Nelso
nSh
arp
taile
dSp
arro
w
Pine
Gros
beak
Chuc
kwi
llW
idow
Brew
erSp
arro
w
Blue
Jay
Hous
eW
ren
Bay
brea
sted
War
bler
Gray
King
bird
Whi
teey
edVi
reo
Sava
nnah
Spar
row
Wes
tern
Gull
Red
brea
sted
Mer
gans
er
Glau
cous
wing
edGu
ll
Bewi
ckW
ren
Actions z
0.0
0.01
fiz
CUBS200 · PA = D2 · t œ [0, 1000] · T = 7401
caltechcubs
diabeticilsvrc
indooropenimg
Blue
Gros
beak
Fish
Crow
Tree
Swall
ow
Blac
kbi
lled
Cuck
oo
Acad
ianFl
ycat
cher
Pain
ted
Bunt
ing
Sage
Thra
sher
Kent
ucky
War
bler
Win
terW
ren
Cres
ted
Aukle
t
Heer
man
nGu
ll
Whi
tene
cked
Rave
n
Amer
ican
Reds
tart
Ruby
thro
ated
Hum
min
gbird
Mag
nolia
War
bler
Blue
wing
edW
arbl
er
Soot
yAl
batro
ss
Indi
goBu
ntin
g
Mou
rnin
gW
arbl
er
Hood
edW
arbl
er
Whi
tePe
lican
Pelag
icCo
rmor
ant
Whi
ppo
orW
ill
Rock
Wre
n
Oven
bird
North
ern
Flick
er
Gras
shop
perS
parro
w
Eleg
antT
ern
Whi
teth
roat
edSp
arro
w
Easte
rnTo
whee
Actions z
0.0
0.01
fiz
CUBS200 · PA = D2 · t œ [1000, 2000] · T = 7401
caltechcubs
diabeticilsvrc
indooropenimg
ostri
ch
tenn
is-sh
oes
jagua
r
cran
e
jacke
t
bicy
clewh
eel
box
duck
car-t
ire
bino
cular
s
peng
uin
snak
e
porc
upin
e
gond
ola
spor
tsun
iform
teap
ot
tenn
isra
cket
chee
se
tank
scre
wdriv
er
foot
ball
helm
et
gold
fish
skys
crap
er
skat
eboa
rd
carb
onar
a
violin
willo
w
drag
onfly
goril
la
cras
hhe
lmet
Actions z
0.0
0.005
0.01
fiz
CUBS200 · PA = D2 · t œ [3000, 4000] · T = 7401
caltechcubs
diabeticilsvrc
indooropenimg
snail
shee
t-mus
ic
ipod
goat
back
pack
close
t
otte
r
rota
ry-p
hone
budd
ha-1
01
spag
hetti
squa
sh
mixi
ngbo
wl
jagua
r
cano
e
tom
bsto
ne
pape
rclip
pant
ry
wine
video
store
lemon
labor
ator
ywet
knife
gold
fish
fryin
g-pa
n
eleph
ant
coin
bide
t
kite
swan
jackf
ruit
rottw
eiler
Actions z
0.0
0.005
0.01
fiz
CUBS200 · PA = D2 · t œ [2000, 3000] · T = 7401
caltechcubs
diabeticilsvrc
indooropenimg
(b) Closed world. Analyzing policy over time t for CUBS200.
Policy: ILSVRC
libra
rypo
olta
ble crib
book
case
altar
ward
robe
thea
terc
urta
inbo
oksh
opor
gan
wash
erto
ysho
pdin
ingta
blegu
acam
olech
i�on
ierpiz
zash
ojim
edici
nech
est
desk
top
com
pute
rho
tpot
resta
uran
tde
skm
icrow
ave
groc
ery
store
refri
gera
tor
filech
inaca
binet
toba
cco
shop
carb
onar
ash
oesh
oppla
te
Actions z
0.0
0.01
fiz
Indoor67 · PA = ILSVRC
artifact 1 artifact 5 instrumentality physical entity 1
[Figure panel: policy π(z) over actions z for Diabetic5 · PA = ILSVRC; bars labeled with class names (e.g., "manhole cover", "pizza", "bison") and colored by WordNet node (animal 2, artifact 4, carnivore, dog, even-toed ungulate, physical entity, physical entity 1, physical entity 3, self-propelled vehicle).]
[Figure panel: policy π(z) over actions z for Caltech256 · PA = ILSVRC; bars labeled with class names (e.g., "radio telescope", "zebra", "snowmobile") and colored by WordNet node (animal, animal 1, animal 2, artifact, artifact 4, artifact 5, even-toed ungulate, instrumentality, instrumentality 1, instrumentality 2, physical entity, physical entity 1).]
[Figure panel: policy π(z) over actions z for CUBS200 · PA = ILSVRC; bars labeled with class names (e.g., "goldfinch", "chickadee", "hummingbird") and colored by WordNet node (animal, bird, bird 1, carnivore).]
(c) Open world.
Figure 17: Policies learnt by adaptive strategy. Supplements Figure 7 in the main paper.
approach samples (without replacement) images that overlap with the victim's train data; and (ii) at later stages (t ∈ [2000, 4000]), since the overlapping images have been exhausted, the approach explores related images from other datasets, e.g., "ostrich", "jaguar".
C.4. Reward Ablation
The reward ablation experiment (Figure 8 in the main paper) for the remaining datasets is provided in Figure 18. We make similar observations as before for Indoor67. However, since FV = Diabetic5 produces confident predictions on all images (discussed in Lines 563-567), we find little-to-no improvement for knockoffs of this victim model.

[Figure 18 plots: accuracy vs. budget B for Indoor67 and Diabetic5, each under PA = D2 and PA = ILSVRC, comparing rewards cert, cert + div, cert + div + L, none, and uncert.]

Figure 18: Reward Ablation. Supplements Figure 8 in the main paper.

[Figure 19 plots: accuracy vs. budget B for Caltech256 and Indoor67, with classes split into all, seen, and unseen.]

Figure 19: Per-class evaluation. Per-class evaluation split into seen and unseen classes.
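For reference, two of the ablated reward signals can be sketched as below. The certainty reward uses the margin between the victim's top-2 posterior probabilities; the diversity reward here is a hypothetical stand-in that favors classes whose posterior mass exceeds a running average, not the paper's exact formulation:

```python
import numpy as np

def certainty_reward(y):
    """Margin between the victim's top-2 posterior probabilities."""
    top2 = np.sort(y)[-2:]
    return float(top2[1] - top2[0])

def diversity_reward(y, running_mean):
    """Hypothetical diversity signal: reward posterior mass placed on
    classes above their running-average mass so far."""
    return float(np.maximum(y - running_mean, 0.0).sum())

y = np.array([0.7, 0.2, 0.1])          # victim posterior for one query
r_cert = certainty_reward(y)           # 0.7 - 0.2 = 0.5
r_div = diversity_reward(y, np.full(3, 1.0 / 3.0))
```

A confident victim (as with FV = Diabetic5) yields uniformly high certainty rewards, which is consistent with the observation above that reward shaping adds little for that victim.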
D. Auxiliary Experiments

In this section, we present experiments that supplement existing results in the main paper.
D.1. Seen and Unseen classes
We now discuss an evaluation to supplement Section 5.2.1 and Section 6.
In Section 6.1 we highlighted strong performance of the knockoff even on classes that were never encountered during training (see Table 3 for exact numbers). To elaborate, we split the blackbox output classes into "seen" and "unseen" categories and present mean per-class accuracies in Figure 19. Although we find better performance on classes seen while training the knockoff, performance on unseen classes is remarkably high, with the knockoff achieving >70% performance in both cases.
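The seen/unseen split evaluation can be sketched as follows; the label arrays and the class partition are toy stand-ins, not the paper's data:

```python
import numpy as np

def per_class_accuracy(y_true, y_pred, classes):
    """Mean per-class accuracy over the given subset of classes."""
    accs = []
    for c in classes:
        mask = (y_true == c)
        if mask.any():
            accs.append((y_pred[mask] == c).mean())
    return float(np.mean(accs))

# Toy example: 4 output classes, of which {0, 1} were seen during
# knockoff training and {2, 3} were not.
y_true = np.array([0, 0, 1, 1, 2, 2, 3, 3])
y_pred = np.array([0, 0, 1, 0, 2, 3, 3, 3])
seen, unseen = [0, 1], [2, 3]

acc_seen = per_class_accuracy(y_true, y_pred, seen)      # (1.0 + 0.5) / 2 = 0.75
acc_unseen = per_class_accuracy(y_true, y_pred, unseen)  # (0.5 + 1.0) / 2 = 0.75
```

Averaging per class (rather than over all test images) keeps rare classes from being dominated by frequent ones, which matters when comparing seen against unseen subsets of unequal size.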
D.2. Adaptive: With and without hierarchy
The adaptive strategy presented in Section 4.1.2 uses the hierarchy discussed in Section 5.2.2; as a result, we approached this as a hierarchical multi-armed bandit problem. We now present an alternate approach, adaptive-flat, without the hierarchy. This is simply a multi-armed bandit problem with |Z| arms (actions).
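A minimal sketch of the flat variant, written as a gradient bandit with one preference per action; the reward here is a hypothetical stand-in (the paper combines certainty, diversity, and loss signals), and the action count is shrunk from |Z| = 2129 to 5 for illustration:

```python
import numpy as np

rng = np.random.default_rng(0)

def softmax(h):
    e = np.exp(h - h.max())
    return e / e.sum()

# adaptive-flat sketch: a single flat preference vector over |Z| arms,
# updated with a gradient-bandit rule against a running-mean baseline.
n_actions = 5
H = np.zeros(n_actions)          # action preferences
baseline, lr = 0.0, 0.5

for t in range(1, 201):
    probs = softmax(H)
    z = rng.choice(n_actions, p=probs)    # sample an action (a class to query)
    r = 1.0 if z == 3 else 0.0            # pretend arm 3 yields useful queries
    baseline += (r - baseline) / t        # running mean of rewards
    H += lr * (r - baseline) * ((np.arange(n_actions) == z) - probs)

assert int(np.argmax(H)) == 3             # policy concentrates on the good arm
```

With thousands of arms, a flat policy must visit each arm to learn its value; the hierarchy lets reward propagate to sibling actions via shared parent nodes, which is consistent with the sample-efficiency gap reported below.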
Figure 20 illustrates the performance of these approaches using PA = D2 (|Z| = 2129) and rewards {certainty, diversity, loss}. We observe that adaptive consistently outperforms adaptive-flat. For instance, on CUBS200, adaptive is 2× more sample-efficient in reaching an accuracy of 50%. We find the hierarchy helps the adversary (agent) better navigate the large action space.
D.3. Semi-open World
The closed-world experiments (PA = D2) presented in Section 6.1 and discussed in Section 5.2.1 assumed access to the image universe; thereby, the overlap between PA and PV was 100%. We now present an intermediate-overlap scenario, the semi-open world, by parameterizing the overlap as: (i) τd: the overlap between images of PA and PV is 100 × τd; and (ii) τk: the overlap between labels K and Z is 100 × τk. In both cases, τd, τk ∈ (0, 1] represents the fraction of PA used. τd = τk = 1 depicts the closed-world scenario discussed in Section 6.1.
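The parameterization can be sketched as follows; the helper and its inputs are hypothetical stand-ins for however the adversary's pool PA is actually materialized:

```python
import random

def semi_open_world(images, labels, tau_d, tau_k, seed=0):
    """Hypothetical sketch: restrict the adversary's pool PA to a
    tau_d fraction of the images and a tau_k fraction of the labels."""
    rng = random.Random(seed)
    kept_images = rng.sample(images, int(tau_d * len(images)))
    kept_labels = set(rng.sample(sorted(labels), int(tau_k * len(labels))))
    return kept_images, kept_labels

# Toy pool: 1000 images over 200 classes.
imgs = [f"img_{i}.jpg" for i in range(1000)]
lbls = {f"class_{i}" for i in range(200)}

pa_imgs, pa_lbls = semi_open_world(imgs, lbls, tau_d=0.1, tau_k=0.5)
# 10% of images and 50% of labels survive: 100 images, 100 labels.
```

τd = τk = 1 recovers the closed world (the full pool), while shrinking either fraction interpolates toward the open-world setting.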
From Figure 21, we observe: (i) the random strategy is unaffected in the semi-open world scenario, displaying comparable performance for all values of τd and τk; (ii) τd: the knockoff obtained using adaptive achieves strong performance even with low overlap, e.g., a difference of at most 3% on Caltech256 even at τd = 0.1; (iii) τk: although the adaptive strategy is minimally affected in a few cases (e.g., CUBS200), we find a performance drop due to the pure-exploitation (certainty) reward used. We observed a recovery in performance when using all rewards, indicating that exploration rewards (diversity, loss) are necessary when transitioning to an open-world scenario.
[Figure 20 plots: accuracy vs. budget B for Caltech256, CUBS200, Indoor67, and Diabetic5, comparing strategies PV (KD), adaptive, adaptive-flat, and random.]
Figure 20: Hierarchy. Evaluating adaptive with and without hierarchy using PA = D2. The two reference lines represent the accuracy of the blackbox FV and chance-level performance, respectively.
[Figure 21 plots: accuracy vs. budget B for Caltech256, CUBS200, Indoor67, and Diabetic5; the top row varies τd ∈ {0.01, 0.1, 0.5, 1.0} and the bottom row varies τk ∈ {0.01, 0.1, 0.5, 1.0}, for π = adaptive and random.]
Figure 21: Semi-open world: τd and τk.