Model extraction attacks are designed to steal trained models with only query
access, as is often provided through APIs that ML-as-a-Service providers offer.
ML models are expensive to train, in part because data is hard to obtain, and a
primary incentive for model extraction is to acquire a model while incurring
less cost than training from scratch. Literature on model extraction commonly
claims or presumes that the attacker is able to save on both data acquisition
and labeling costs. We show that the attacker often does not. This is because
current attacks implicitly rely on the adversary being able to sample from the
victim model's data distribution. We thoroughly evaluate factors influencing
the success of model extraction. We discover that prior knowledge of the
attacker, i.e. access to in-distribution data, dominates other factors like the
attack policy the adversary follows to choose which queries to make to the
victim model API. Thus, an adversary looking to develop an equally capable
model with a fixed budget has little practical incentive to perform model
extraction, since for the attack to work they need to collect in-distribution
data, saving only on the cost of labeling. With low labeling costs in the
current market, the usefulness of such attacks is questionable. Ultimately, we
demonstrate that the effect of prior knowledge needs to be explicitly decoupled
from the attack policy. To this end, we propose a benchmark to evaluate attack
policy directly.

以查询访问方式为前提设计的模型提取攻击旨在通过机器学习即服务提供商所提供的 API 获取已训练模型，该攻击的主要动机在于以比重新训练模型更低的成本获取模型。然而，我们的研究显示，攻击者常常无法节约数据采集和标注成本，并且攻击成功与攻击者的先验知识密切相关。因此，对于预算有限但仍想要开发具有相同能力的模型的攻击者而言，模型提取攻击的实际意义值得商榷。最终，我们提出了一种评估攻击策略的基准方案，明确将先验知识的影响与攻击策略分离。