Student surpasses teacher: Imitation attack for black-box NLP APIs

Qiongkai Xu; Xuanli He; Lingjuan Lyu; Lizhen Qu; Gholamreza Haffari

Student surpasses teacher: Imitation attack for black-box NLP APIs

Qiongkai Xu, Xuanli He, Lingjuan Lyu, Lizhen Qu, Gholamreza Haffari

Department of Data Science & AI

Research output: Chapter in Book/Report/Conference proceeding › Conference Paper › Research › peer-review

11 Citations (Scopus)

Abstract

Machine-learning-as-a-service (MLaaS) has attracted millions of users to their splendid large-scale models. Although published as black-box APIs, the valuable models behind these services are still vulnerable to imitation attacks. Recently, a series of works have demonstrated that attackers manage to steal or extract the victim models. Nonetheless, none of the previous stolen models can outperform the original black-box APIs. In this work, we conduct unsupervised domain adaptation and multi-victim ensemble to showing that attackers could potentially surpass victims, which is beyond previous understanding of model extraction. Extensive experiments on both benchmark datasets and real-world APIs validate that the imitators can succeed in outperforming the original black-box models on transferred domains. We consider our work as a milestone in the research of imitation attack, especially on NLP APIs, as the superior performance could influence the defense or even publishing strategy of API providers.

Original language	English
Title of host publication	Proceedings of the Main Conference - The 29th International Conference on Computational Linguistics
Editors	Hansaem Kim, James Pustejovsky, Leo Wanner
Place of Publication	Stroudsburg PA USA
Pages	2849-2860
Number of pages	12
Publication status	Published - 2022
Event	International Conference on Computational Linguistics 2022 - Gyeongju, Korea, South Duration: 12 Oct 2022 → 17 Oct 2022 Conference number: 29th https://coling2022.org/ https://aclanthology.org/volumes/2022.coling-1/ (Proceedings)

Publication series

Name	The 29th International Conference on Computational Linguistics
Publisher	Association for Computational Linguistics (ACL)
Number	1
Volume	29
ISSN (Print)	2951-2093

Conference

Conference	International Conference on Computational Linguistics 2022
Abbreviated title	COLING
Country/Territory	Korea, South
City	Gyeongju
Period	12/10/22 → 17/10/22
Internet address	https://coling2022.org/ https://aclanthology.org/volumes/2022.coling-1/ (Proceedings)

Access to Document

501597904-oaFinal published version, 433 KB

https://aclanthology.org/2022.coling-1.251

Cite this

Xu, Q., He, X., Lyu, L., Qu, L., & Haffari, G. (2022). Student surpasses teacher: Imitation attack for black-box NLP APIs. In H. Kim, J. Pustejovsky, & L. Wanner (Eds.), Proceedings of the Main Conference - The 29th International Conference on Computational Linguistics (pp. 2849-2860). (The 29th International Conference on Computational Linguistics; Vol. 29, No. 1).. https://aclanthology.org/2022.coling-1.251

Xu, Qiongkai ; He, Xuanli ; Lyu, Lingjuan et al. / Student surpasses teacher : Imitation attack for black-box NLP APIs. Proceedings of the Main Conference - The 29th International Conference on Computational Linguistics. editor / Hansaem Kim ; James Pustejovsky ; Leo Wanner. Stroudsburg PA USA, 2022. pp. 2849-2860 (The 29th International Conference on Computational Linguistics; 1).

@inproceedings{60d1821db6d84886afb29c33f1345be9,

title = "Student surpasses teacher: Imitation attack for black-box NLP APIs",

abstract = "Machine-learning-as-a-service (MLaaS) has attracted millions of users to their splendid large-scale models. Although published as black-box APIs, the valuable models behind these services are still vulnerable to imitation attacks. Recently, a series of works have demonstrated that attackers manage to steal or extract the victim models. Nonetheless, none of the previous stolen models can outperform the original black-box APIs. In this work, we conduct unsupervised domain adaptation and multi-victim ensemble to showing that attackers could potentially surpass victims, which is beyond previous understanding of model extraction. Extensive experiments on both benchmark datasets and real-world APIs validate that the imitators can succeed in outperforming the original black-box models on transferred domains. We consider our work as a milestone in the research of imitation attack, especially on NLP APIs, as the superior performance could influence the defense or even publishing strategy of API providers.",

author = "Qiongkai Xu and Xuanli He and Lingjuan Lyu and Lizhen Qu and Gholamreza Haffari",

note = "Publisher Copyright: {\textcopyright} 2022 Proceedings - International Conference on Computational Linguistics, COLING. All rights reserved.; International Conference on Computational Linguistics 2022, COLING ; Conference date: 12-10-2022 Through 17-10-2022",

year = "2022",

language = "English",

series = "The 29th International Conference on Computational Linguistics",

publisher = "Association for Computational Linguistics (ACL)",

number = "1",

pages = "2849--2860",

editor = "Hansaem Kim and James Pustejovsky and Leo Wanner",

booktitle = "Proceedings of the Main Conference - The 29th International Conference on Computational Linguistics",

url = "https://coling2022.org/, https://aclanthology.org/volumes/2022.coling-1/",

}

Xu, Q, He, X, Lyu, L, Qu, L & Haffari, G 2022, Student surpasses teacher: Imitation attack for black-box NLP APIs. in H Kim, J Pustejovsky & L Wanner (eds), Proceedings of the Main Conference - The 29th International Conference on Computational Linguistics. The 29th International Conference on Computational Linguistics, no. 1, vol. 29, Stroudsburg PA USA, pp. 2849-2860, International Conference on Computational Linguistics 2022, Gyeongju, Korea, South, 12/10/22. <https://aclanthology.org/2022.coling-1.251>

Student surpasses teacher: Imitation attack for black-box NLP APIs. / Xu, Qiongkai; He, Xuanli; Lyu, Lingjuan et al.
Proceedings of the Main Conference - The 29th International Conference on Computational Linguistics. ed. / Hansaem Kim; James Pustejovsky; Leo Wanner. Stroudsburg PA USA, 2022. p. 2849-2860 (The 29th International Conference on Computational Linguistics; Vol. 29, No. 1).

Research output: Chapter in Book/Report/Conference proceeding › Conference Paper › Research › peer-review

TY - GEN

T1 - Student surpasses teacher

T2 - International Conference on Computational Linguistics 2022

AU - Xu, Qiongkai

AU - He, Xuanli

AU - Lyu, Lingjuan

AU - Qu, Lizhen

AU - Haffari, Gholamreza

N1 - Conference code: 29th

PY - 2022

Y1 - 2022

N2 - Machine-learning-as-a-service (MLaaS) has attracted millions of users to their splendid large-scale models. Although published as black-box APIs, the valuable models behind these services are still vulnerable to imitation attacks. Recently, a series of works have demonstrated that attackers manage to steal or extract the victim models. Nonetheless, none of the previous stolen models can outperform the original black-box APIs. In this work, we conduct unsupervised domain adaptation and multi-victim ensemble to showing that attackers could potentially surpass victims, which is beyond previous understanding of model extraction. Extensive experiments on both benchmark datasets and real-world APIs validate that the imitators can succeed in outperforming the original black-box models on transferred domains. We consider our work as a milestone in the research of imitation attack, especially on NLP APIs, as the superior performance could influence the defense or even publishing strategy of API providers.

AB - Machine-learning-as-a-service (MLaaS) has attracted millions of users to their splendid large-scale models. Although published as black-box APIs, the valuable models behind these services are still vulnerable to imitation attacks. Recently, a series of works have demonstrated that attackers manage to steal or extract the victim models. Nonetheless, none of the previous stolen models can outperform the original black-box APIs. In this work, we conduct unsupervised domain adaptation and multi-victim ensemble to showing that attackers could potentially surpass victims, which is beyond previous understanding of model extraction. Extensive experiments on both benchmark datasets and real-world APIs validate that the imitators can succeed in outperforming the original black-box models on transferred domains. We consider our work as a milestone in the research of imitation attack, especially on NLP APIs, as the superior performance could influence the defense or even publishing strategy of API providers.

UR - http://www.scopus.com/inward/record.url?scp=85140791539&partnerID=8YFLogxK

M3 - Conference Paper

AN - SCOPUS:85140791539

T3 - The 29th International Conference on Computational Linguistics

SP - 2849

EP - 2860

BT - Proceedings of the Main Conference - The 29th International Conference on Computational Linguistics

A2 - Kim, Hansaem

A2 - Pustejovsky, James

A2 - Wanner, Leo

CY - Stroudsburg PA USA

Y2 - 12 October 2022 through 17 October 2022

ER -

Student surpasses teacher: Imitation attack for black-box NLP APIs

Abstract

Publication series

Conference

Access to Document

Other files and links

Cite this