@techreport{oai:ipsj.ixsq.nii.ac.jp:00241072,
  author = {平本, 麗弥 and 岩瀬, 俊 and 前田, 英作 and Reiya, Hiramoto and Shun, Iwase and Eisaku, Maeda},
  issue  = {13},
  month  = {Nov},
  note   = {It is known that a clone model reproducing the performance of a target Deep Neural Network (DNN) can be built by collecting data on the target's input-output relationship and training a new DNN on that data. This is called a Model Extraction Attack (MEA); it is regarded as one of the threats to Machine Learning as a Service and is technically closely related to knowledge distillation of DNNs. Although there are many prior studies on improving MEA and on defending against it, little is known about how the various properties of a DNN relate to its vulnerability or robustness to MEA. In this paper we focus on factors that determine robustness to MEA: the complexity of the input-output relationship realized by the target model, the difficulty of the task, and the distributional distance between the training data used by the target model and the data used in the attack. We examine the relationship between these characteristics of the DNN model and the performance of the clone model produced by MEA.},
  title  = {On the Robustness of DNN Models against Model Extraction Attacks},
  year   = {2024}
}