New Paper: Attackers Can Do Better
In April 2025, the paper “Attackers Can Do Better: Over- and Understated Factors of Model Stealing Attacks”, authored by Daryna Oliynyk, Rudolf Mayer, and Andreas Rauber, was presented at the IEEE Conference on Secure and Trustworthy Machine Learning (SaTML).
© Pia Hanfeld / IEEE SaTML 2025
The paper performs a detailed ablation study of model stealing attacks, in which an attacker builds an (approximate) copy of a machine learning model and thereby infringes the copyright and IP rights of its owner. The paper identifies several factors that contribute to the success rate of such attacks, and thus lays a foundation for developing novel defence strategies to protect the IP of valuable machine learning models.
Abstract
Machine learning (ML) models have been shown to be vulnerable to different security attacks, including model stealing attacks, which lead to intellectual property infringement. Among other attack types, substitute model training is an all-encompassing attack applicable to any machine learning model whose behaviour can be approximated from input-output queries. Whereas previous works mainly focused on improving the performance of substitute models by, e.g., developing a new substitute training method, there have been only limited comprehensive ablation studies that try to understand the impact the strength of an attacker has on the substitute model’s performance. As a result, different authors came to diverse, sometimes contradicting conclusions.
In this work, we therefore exhaustively examine the influence of different factors, primarily forming the attacker’s capabilities and knowledge, on a substitute training attack. We investigate how the quality of the substitute training data, the training strategy, and discrepancies between the characteristics of the target and substitute models impact the performance of the attack.
Our findings suggest that some of the factors that have been considered important in the past are, in fact, not that influential; instead, we discover new correlations between the attack conditions and success rate. Moreover, our results often exceed or match the performance of attacks that assume a stronger attacker, suggesting that these stronger attacks are likely endangering a model owner’s intellectual property to a significantly higher degree than shown until now.
Authors
Daryna Oliynyk, Rudolf Mayer (SBA Research), Andreas Rauber (TU Wien)