{"id":"https://openalex.org/W2978872500","doi":"https://doi.org/10.1109/ijcnn.2019.8851798","title":"Stealing Knowledge from Protected Deep Neural Networks Using Composite Unlabeled Data","display_name":"Stealing Knowledge from Protected Deep Neural Networks Using Composite Unlabeled Data","publication_year":2019,"publication_date":"2019-07-01","ids":{"openalex":"https://openalex.org/W2978872500","doi":"https://doi.org/10.1109/ijcnn.2019.8851798","mag":"2978872500"},"language":"en","primary_location":{"id":"doi:10.1109/ijcnn.2019.8851798","is_oa":false,"landing_page_url":"https://doi.org/10.1109/ijcnn.2019.8851798","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"2019 International Joint Conference on Neural Networks (IJCNN)","raw_type":"proceedings-article"},"type":"article","indexed_in":["arxiv","crossref"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":"https://arxiv.org/pdf/1912.03959","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":null,"display_name":"Itay Mosafi","orcid":null},"institutions":[{"id":"https://openalex.org/I13955877","display_name":"Bar-Ilan University","ror":"https://ror.org/03kgsv495","country_code":"IL","type":"education","lineage":["https://openalex.org/I13955877"]}],"countries":["IL"],"is_corresponding":true,"raw_author_name":"Itay Mosafi","raw_affiliation_strings":["Department of Computer Science, Bar-Ilan University, Ramat-Gan, Israel"],"affiliations":[{"raw_affiliation_string":"Department of Computer Science, Bar-Ilan University, Ramat-Gan, Israel","institution_ids":["https://openalex.org/I13955877"]}]},{"author_position":"middle","author":{"id":null,"display_name":"Eli Omid David","orcid":null},"institutions":[{"id":"https://openalex.org/I13955877","display_name":"Bar-Ilan University","ror":"https://ror.org/03kgsv495","country_code":"IL","type":"education","lineage":["https://openalex.org/I13955877"]}],"countries":["IL"],"is_corresponding":false,"raw_author_name":"Eli Omid David","raw_affiliation_strings":["Department of Computer Science, Bar-Ilan University, Ramat-Gan, Israel"],"affiliations":[{"raw_affiliation_string":"Department of Computer Science, Bar-Ilan University, Ramat-Gan, Israel","institution_ids":["https://openalex.org/I13955877"]}]},{"author_position":"last","author":{"id":null,"display_name":"Nathan S. Netanyahu","orcid":null},"institutions":[{"id":"https://openalex.org/I13955877","display_name":"Bar-Ilan University","ror":"https://ror.org/03kgsv495","country_code":"IL","type":"education","lineage":["https://openalex.org/I13955877"]}],"countries":["IL"],"is_corresponding":false,"raw_author_name":"Nathan S. Netanyahu","raw_affiliation_strings":["Department of Computer Science, Bar-Ilan University, Ramat-Gan, Israel"],"affiliations":[{"raw_affiliation_string":"Department of Computer Science, Bar-Ilan University, Ramat-Gan, Israel","institution_ids":["https://openalex.org/I13955877"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":3,"corresponding_author_ids":[],"corresponding_institution_ids":["https://openalex.org/I13955877"],"apc_list":null,"apc_paid":null,"fwci":0.434,"has_fulltext":false,"cited_by_count":11,"citation_normalized_percentile":{"value":0.72399067,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":{"min":89,"max":97},"biblio":{"volume":null,"issue":null,"first_page":"1","last_page":"8"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":1.0,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":1.0,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10036","display_name":"Advanced Neural Network Applications","score":0.9973000288009644,"subfield":{"id":"https://openalex.org/subfields/1707","display_name":"Computer Vision and Pattern Recognition"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12357","display_name":"Digital Media Forensic Detection","score":0.9944000244140625,"subfield":{"id":"https://openalex.org/subfields/1707","display_name":"Computer Vision and Pattern Recognition"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/softmax-function","display_name":"Softmax function","score":0.8711000084877014},{"id":"https://openalex.org/keywords/artificial-neural-network","display_name":"Artificial neural network","score":0.7343999743461609},{"id":"https://openalex.org/keywords/copying","display_name":"Copying","score":0.35269999504089355},{"id":"https://openalex.org/keywords/training-set","display_name":"Training set","score":0.35010001063346863},{"id":"https://openalex.org/keywords/core","display_name":"Core (optical fiber)","score":0.33500000834465027},{"id":"https://openalex.org/keywords/deep-neural-networks","display_name":"Deep neural networks","score":0.3321000039577484},{"id":"https://openalex.org/keywords/pattern-recognition","display_name":"Pattern recognition (psychology)","score":0.3303999900817871}],"concepts":[{"id":"https://openalex.org/C188441871","wikidata":"https://www.wikidata.org/wiki/Q7554146","display_name":"Softmax function","level":3,"score":0.8711000084877014},{"id":"https://openalex.org/C50644808","wikidata":"https://www.wikidata.org/wiki/Q192776","display_name":"Artificial neural network","level":2,"score":0.7343999743461609},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7178999781608582},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.6086000204086304},{"id":"https://openalex.org/C119857082","wikidata":"https://www.wikidata.org/wiki/Q2539","display_name":"Machine learning","level":1,"score":0.43220001459121704},{"id":"https://openalex.org/C124101348","wikidata":"https://www.wikidata.org/wiki/Q172491","display_name":"Data mining","level":1,"score":0.38370001316070557},{"id":"https://openalex.org/C2779151265","wikidata":"https://www.wikidata.org/wiki/Q1156791","display_name":"Copying","level":2,"score":0.35269999504089355},{"id":"https://openalex.org/C51632099","wikidata":"https://www.wikidata.org/wiki/Q3985153","display_name":"Training set","level":2,"score":0.35010001063346863},{"id":"https://openalex.org/C2164484","wikidata":"https://www.wikidata.org/wiki/Q5170150","display_name":"Core (optical fiber)","level":2,"score":0.33500000834465027},{"id":"https://openalex.org/C2984842247","wikidata":"https://www.wikidata.org/wiki/Q197536","display_name":"Deep neural networks","level":3,"score":0.3321000039577484},{"id":"https://openalex.org/C153180895","wikidata":"https://www.wikidata.org/wiki/Q7148389","display_name":"Pattern recognition (psychology)","level":2,"score":0.3303999900817871},{"id":"https://openalex.org/C157486923","wikidata":"https://www.wikidata.org/wiki/Q1376436","display_name":"String (physics)","level":2,"score":0.3239000141620636},{"id":"https://openalex.org/C43521106","wikidata":"https://www.wikidata.org/wiki/Q2165493","display_name":"Pipeline (software)","level":2,"score":0.30410000681877136},{"id":"https://openalex.org/C41608201","wikidata":"https://www.wikidata.org/wiki/Q980509","display_name":"Embedding","level":2,"score":0.30149999260902405},{"id":"https://openalex.org/C150817343","wikidata":"https://www.wikidata.org/wiki/Q875932","display_name":"Digital watermarking","level":3,"score":0.2987000048160553},{"id":"https://openalex.org/C108583219","wikidata":"https://www.wikidata.org/wiki/Q197536","display_name":"Deep learning","level":2,"score":0.27790001034736633},{"id":"https://openalex.org/C2780224610","wikidata":"https://www.wikidata.org/wiki/Q1530061","display_name":"Credibility","level":2,"score":0.2581000030040741},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.2558000087738037},{"id":"https://openalex.org/C2778067643","wikidata":"https://www.wikidata.org/wiki/Q166507","display_name":"Interval (graph theory)","level":2,"score":0.2556999921798706},{"id":"https://openalex.org/C193415008","wikidata":"https://www.wikidata.org/wiki/Q639681","display_name":"Network architecture","level":2,"score":0.25130000710487366}],"mesh":[],"locations_count":2,"locations":[{"id":"doi:10.1109/ijcnn.2019.8851798","is_oa":false,"landing_page_url":"https://doi.org/10.1109/ijcnn.2019.8851798","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"2019 International Joint Conference on Neural Networks (IJCNN)","raw_type":"proceedings-article"},{"id":"pmh:oai:arXiv.org:1912.03959","is_oa":true,"landing_page_url":"http://arxiv.org/abs/1912.03959","pdf_url":"https://arxiv.org/pdf/1912.03959","source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"text"}],"best_oa_location":{"id":"pmh:oai:arXiv.org:1912.03959","is_oa":true,"landing_page_url":"http://arxiv.org/abs/1912.03959","pdf_url":"https://arxiv.org/pdf/1912.03959","source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"text"},"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":21,"referenced_works":["https://openalex.org/W1902237438","https://openalex.org/W2051267297","https://openalex.org/W2108598243","https://openalex.org/W2135459805","https://openalex.org/W2155800262","https://openalex.org/W2579318729","https://openalex.org/W2753783305","https://openalex.org/W2766677542","https://openalex.org/W2787075213","https://openalex.org/W2808195004","https://openalex.org/W2963037989","https://openalex.org/W6620707391","https://openalex.org/W6631782140","https://openalex.org/W6637373629","https://openalex.org/W6678097026","https://openalex.org/W6718639682","https://openalex.org/W6743581629","https://openalex.org/W6750186640","https://openalex.org/W6751912496","https://openalex.org/W6787972765","https://openalex.org/W6967208686"],"related_works":[],"abstract_inverted_index":{"As":[0],"state-of-the-art":[1],"deep":[2],"neural":[3,121,156,197],"networks":[4,46,198],"are":[5,199],"deployed":[6],"at":[7],"the":[8,17,77,95,103,133,145,154,173,212,219],"core":[9],"of":[10,55,161],"more":[11],"advanced":[12],"Al-based":[13],"products":[14],"and":[15,58,158,181,217,229],"services,":[16],"incentive":[18],"for":[19,113,117],"copying":[20],"them":[21,50,224],"(i.e.,":[22],"their":[23,60],"intellectual":[24],"properties)":[25],"by":[26,48,63],"rival":[27],"adversaries":[28],"is":[29,47,91,175],"expected":[30],"to":[31,39,68,84,92,177,201],"increase":[32],"considerably":[33],"over":[34],"time.":[35],"The":[36,80],"best":[37],"way":[38,83],"extract":[40],"or":[41,138],"steal":[42],"knowledge":[43],"from":[44],"such":[45,87],"querying":[49],"using":[51,123,236],"a":[52,65,88,110,119,124,188,233],"large":[53],"dataset":[54],"random":[56],"samples":[57],"recording":[59],"output,":[61,216],"followed":[62],"training":[64,135],"student":[66,125,169,220],"network":[67,122,157,170],"mimic":[69],"these":[70],"outputs,":[71],"without":[72,98],"making":[73],"any":[74],"assumption":[75],"about":[76],"original":[78],"networks.":[79],"most":[81,213],"effective":[82],"protect":[85],"against":[86],"mimicking":[89,202],"attack":[90],"provide":[93],"only":[94],"classification":[96],"result,":[97],"confidence":[99],"values":[100],"associated":[101],"with":[102],"softmax":[104,147],"layer.In":[105],"this":[106],"paper,":[107],"we":[108],"present":[109],"novel":[111],"method":[112,128,151],"generating":[114],"composite":[115],"images":[116],"attacking":[118],"mentor":[120],"model.":[126],"Our":[127],"assumes":[129],"no":[130,142],"information":[131,143],"regarding":[132,144],"mentor's":[134,146],"dataset,":[136],"architecture,":[137],"weights.":[139],"Further":[140],"assuming":[141],"output":[148],"values,":[149],"our":[150,168],"successfully":[152],"mimics":[153,223],"given":[155],"steals":[159],"all":[160,195],"its":[162],"knowledge.":[163],"We":[164],"also":[165],"demonstrate":[166],"that":[167,194,218],"(which":[171],"copies":[172],"mentor)":[174],"impervious":[176],"watermarking":[178],"protection":[179],"methods,":[180],"thus":[182],"would":[183],"not":[184,208],"be":[185,226],"detected":[186,228],"as":[187,232],"stolen":[189,234],"model.Our":[190],"results":[191],"imply,":[192],"essentially,":[193],"current":[196],"vulnerable":[200],"attacks,":[203],"even":[204],"if":[205],"they":[206],"do":[207],"divulge":[209],"anything":[210],"but":[211],"basic":[214],"required":[215],"model":[221],"which":[222],"cannot":[225],"easily":[227],"singled":[230],"out":[231],"copy":[235],"currently":[237],"available":[238],"techniques.":[239]},"counts_by_year":[{"year":2025,"cited_by_count":2},{"year":2024,"cited_by_count":3},{"year":2023,"cited_by_count":3},{"year":2022,"cited_by_count":1},{"year":2020,"cited_by_count":1},{"year":2019,"cited_by_count":1}],"updated_date":"2026-03-20T23:20:44.827607","created_date":"2019-10-10T00:00:00"}