{"id":"https://openalex.org/W4323059284","doi":"https://doi.org/10.1109/tifs.2023.3246766","title":"APMSA: Adversarial Perturbation Against Model Stealing Attacks","display_name":"APMSA: Adversarial Perturbation Against Model Stealing Attacks","publication_year":2023,"publication_date":"2023-01-01","ids":{"openalex":"https://openalex.org/W4323059284","doi":"https://doi.org/10.1109/tifs.2023.3246766"},"language":"en","primary_location":{"id":"doi:10.1109/tifs.2023.3246766","is_oa":false,"landing_page_url":"https://doi.org/10.1109/tifs.2023.3246766","pdf_url":null,"source":{"id":"https://openalex.org/S61310614","display_name":"IEEE Transactions on Information Forensics and Security","issn_l":"1556-6013","issn":["1556-6013","1556-6021"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319808","host_organization_name":"Institute of Electrical and Electronics Engineers","host_organization_lineage":["https://openalex.org/P4310319808"],"host_organization_lineage_names":["Institute of Electrical and Electronics Engineers"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"IEEE Transactions on Information Forensics and Security","raw_type":"journal-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5100680951","display_name":"Jiliang Zhang","orcid":"https://orcid.org/0000-0001-8712-2964"},"institutions":[{"id":"https://openalex.org/I16609230","display_name":"Hunan University","ror":"https://ror.org/05htk5m33","country_code":"CN","type":"education","lineage":["https://openalex.org/I16609230"]},{"id":"https://openalex.org/I198357462","display_name":"Changsha University","ror":"https://ror.org/011d8sm39","country_code":"CN","type":"education","lineage":["https://openalex.org/I198357462"]}],"countries":["CN"],"is_corresponding":true,"raw_author_name":"Jiliang Zhang","raw_affiliation_strings":["Changsha Semiconductor Technology and Application Innovation Research Institute, College of Semiconductors (College of Integrated Circuits), Hunan University, Changsha, China","Innovation Institute of Industrial Design and Machine Intelligence Quanzhou-Hunan University, Quanzhou, China"],"affiliations":[{"raw_affiliation_string":"Changsha Semiconductor Technology and Application Innovation Research Institute, College of Semiconductors (College of Integrated Circuits), Hunan University, Changsha, China","institution_ids":["https://openalex.org/I198357462","https://openalex.org/I16609230"]},{"raw_affiliation_string":"Innovation Institute of Industrial Design and Machine Intelligence Quanzhou-Hunan University, Quanzhou, China","institution_ids":[]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5022000153","display_name":"Shuang Peng","orcid":"https://orcid.org/0000-0002-4404-4027"},"institutions":[{"id":"https://openalex.org/I16609230","display_name":"Hunan University","ror":"https://ror.org/05htk5m33","country_code":"CN","type":"education","lineage":["https://openalex.org/I16609230"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Shuang Peng","raw_affiliation_strings":["College of Semiconductors (College of Integrated Circuits), Hunan University, Changsha, China"],"affiliations":[{"raw_affiliation_string":"College of Semiconductors (College of Integrated Circuits), Hunan University, Changsha, China","institution_ids":["https://openalex.org/I16609230"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5067969908","display_name":"Yansong Gao","orcid":"https://orcid.org/0000-0001-6029-5064"},"institutions":[{"id":"https://openalex.org/I1292875679","display_name":"Commonwealth Scientific and Industrial Research Organisation","ror":"https://ror.org/03qn8fb07","country_code":"AU","type":"government","lineage":["https://openalex.org/I1292875679","https://openalex.org/I2801453606","https://openalex.org/I4387156119"]},{"id":"https://openalex.org/I36399199","display_name":"Nanjing University of Science and Technology","ror":"https://ror.org/00xp9wg62","country_code":"CN","type":"education","lineage":["https://openalex.org/I36399199"]},{"id":"https://openalex.org/I42894916","display_name":"Data61","ror":"https://ror.org/03q397159","country_code":"AU","type":"other","lineage":["https://openalex.org/I1292875679","https://openalex.org/I2801453606","https://openalex.org/I42894916","https://openalex.org/I4387156119"]}],"countries":["AU","CN"],"is_corresponding":false,"raw_author_name":"Yansong Gao","raw_affiliation_strings":["School of Computer Science and Engineering, Nanjing University of Science and Technology, Nanjing, China","Data61, CSIRO, Eveleigh, NSW, Australia"],"affiliations":[{"raw_affiliation_string":"School of Computer Science and Engineering, Nanjing University of Science and Technology, Nanjing, China","institution_ids":["https://openalex.org/I36399199"]},{"raw_affiliation_string":"Data61, CSIRO, Eveleigh, NSW, Australia","institution_ids":["https://openalex.org/I42894916","https://openalex.org/I1292875679"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5100410710","display_name":"Zhi Zhang","orcid":"https://orcid.org/0000-0003-3604-5369"},"institutions":[{"id":"https://openalex.org/I177877127","display_name":"The University of Western Australia","ror":"https://ror.org/047272k79","country_code":"AU","type":"education","lineage":["https://openalex.org/I177877127"]}],"countries":["AU"],"is_corresponding":false,"raw_author_name":"Zhi Zhang","raw_affiliation_strings":["Department of Computer Science and Software Engineering, The University of Western Australia, Perth, WA, Australia"],"affiliations":[{"raw_affiliation_string":"Department of Computer Science and Software Engineering, The University of Western Australia, Perth, WA, Australia","institution_ids":["https://openalex.org/I177877127"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5052210009","display_name":"Qinghui Hong","orcid":"https://orcid.org/0000-0002-6210-6033"},"institutions":[{"id":"https://openalex.org/I16609230","display_name":"Hunan University","ror":"https://ror.org/05htk5m33","country_code":"CN","type":"education","lineage":["https://openalex.org/I16609230"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Qinghui Hong","raw_affiliation_strings":["College of Computer Science and Electronic Engineering, Hunan University, Changsha, China"],"affiliations":[{"raw_affiliation_string":"College of Computer Science and Electronic Engineering, Hunan University, Changsha, China","institution_ids":["https://openalex.org/I16609230"]}]}],"institutions":[],"countries_distinct_count":2,"institutions_distinct_count":5,"corresponding_author_ids":["https://openalex.org/A5100680951"],"corresponding_institution_ids":["https://openalex.org/I16609230","https://openalex.org/I198357462"],"apc_list":null,"apc_paid":null,"fwci":14.085,"has_fulltext":false,"cited_by_count":82,"citation_normalized_percentile":{"value":0.99243096,"is_in_top_1_percent":true,"is_in_top_10_percent":true},"cited_by_percentile_year":{"min":98,"max":100},"biblio":{"volume":"18","issue":null,"first_page":"1667","last_page":"1679"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":1.0,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":1.0,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10036","display_name":"Advanced Neural Network Applications","score":0.9595999717712402,"subfield":{"id":"https://openalex.org/subfields/1707","display_name":"Computer Vision and Pattern Recognition"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11512","display_name":"Anomaly Detection Techniques and Applications","score":0.9537000060081482,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.8636074066162109},{"id":"https://openalex.org/keywords/adversary","display_name":"Adversary","score":0.693941593170166},{"id":"https://openalex.org/keywords/leverage","display_name":"Leverage (statistics)","score":0.6354033946990967},{"id":"https://openalex.org/keywords/adversarial-system","display_name":"Adversarial system","score":0.6247917413711548},{"id":"https://openalex.org/keywords/threat-model","display_name":"Threat model","score":0.5966945886611938},{"id":"https://openalex.org/keywords/low-confidence","display_name":"Low Confidence","score":0.5441842675209045},{"id":"https://openalex.org/keywords/cloud-computing","display_name":"Cloud computing","score":0.5027072429656982},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.47848695516586304},{"id":"https://openalex.org/keywords/data-modeling","display_name":"Data modeling","score":0.42505186796188354},{"id":"https://openalex.org/keywords/artificial-intelligence","display_name":"Artificial intelligence","score":0.27985233068466187},{"id":"https://openalex.org/keywords/database","display_name":"Database","score":0.1938464343547821},{"id":"https://openalex.org/keywords/operating-system","display_name":"Operating system","score":0.11869418621063232}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.8636074066162109},{"id":"https://openalex.org/C41065033","wikidata":"https://www.wikidata.org/wiki/Q2825412","display_name":"Adversary","level":2,"score":0.693941593170166},{"id":"https://openalex.org/C153083717","wikidata":"https://www.wikidata.org/wiki/Q6535263","display_name":"Leverage (statistics)","level":2,"score":0.6354033946990967},{"id":"https://openalex.org/C37736160","wikidata":"https://www.wikidata.org/wiki/Q1801315","display_name":"Adversarial system","level":2,"score":0.6247917413711548},{"id":"https://openalex.org/C140547941","wikidata":"https://www.wikidata.org/wiki/Q7797194","display_name":"Threat model","level":2,"score":0.5966945886611938},{"id":"https://openalex.org/C2909755999","wikidata":"https://www.wikidata.org/wiki/Q4751126","display_name":"Low Confidence","level":2,"score":0.5441842675209045},{"id":"https://openalex.org/C79974875","wikidata":"https://www.wikidata.org/wiki/Q483639","display_name":"Cloud computing","level":2,"score":0.5027072429656982},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.47848695516586304},{"id":"https://openalex.org/C67186912","wikidata":"https://www.wikidata.org/wiki/Q367664","display_name":"Data modeling","level":2,"score":0.42505186796188354},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.27985233068466187},{"id":"https://openalex.org/C77088390","wikidata":"https://www.wikidata.org/wiki/Q8513","display_name":"Database","level":1,"score":0.1938464343547821},{"id":"https://openalex.org/C111919701","wikidata":"https://www.wikidata.org/wiki/Q9135","display_name":"Operating system","level":1,"score":0.11869418621063232},{"id":"https://openalex.org/C15744967","wikidata":"https://www.wikidata.org/wiki/Q9418","display_name":"Psychology","level":0,"score":0.0},{"id":"https://openalex.org/C77805123","wikidata":"https://www.wikidata.org/wiki/Q161272","display_name":"Social psychology","level":1,"score":0.0}],"mesh":[],"locations_count":2,"locations":[{"id":"doi:10.1109/tifs.2023.3246766","is_oa":false,"landing_page_url":"https://doi.org/10.1109/tifs.2023.3246766","pdf_url":null,"source":{"id":"https://openalex.org/S61310614","display_name":"IEEE Transactions on Information Forensics and Security","issn_l":"1556-6013","issn":["1556-6013","1556-6021"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319808","host_organization_name":"Institute of Electrical and Electronics Engineers","host_organization_lineage":["https://openalex.org/P4310319808"],"host_organization_lineage_names":["Institute of Electrical and Electronics Engineers"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"IEEE Transactions on Information Forensics and Security","raw_type":"journal-article"},{"id":"pmh:oai:pure.atira.dk:publications/bcebd80c-e27b-4ec3-a331-061512037578","is_oa":false,"landing_page_url":"https://research-repository.uwa.edu.au/en/publications/bcebd80c-e27b-4ec3-a331-061512037578","pdf_url":null,"source":{"id":"https://openalex.org/S4306402523","display_name":"UWA Profiles and Research Repository (University of Western Australia)","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I177877127","host_organization_name":"The University of Western Australia","host_organization_lineage":["https://openalex.org/I177877127"],"host_organization_lineage_names":[],"type":"repository"},"license":"public-domain","license_id":"https://openalex.org/licenses/public-domain","version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":"Zhang , J , Peng , S , Gao , Y , Zhang , Z &amp; Hong , Q 2023 , ' APMSA : Adversarial Perturbation Against Model Stealing Attacks ' , IEEE Transactions on Information Forensics and Security , vol. 18 , pp. 1667-1679 . https://doi.org/10.1109/tifs.2023.3246766","raw_type":"article"}],"best_oa_location":null,"sustainable_development_goals":[{"score":0.4399999976158142,"display_name":"Peace, Justice and strong institutions","id":"https://metadata.un.org/sdg/16"}],"awards":[{"id":"https://openalex.org/G419831423","display_name":null,"funder_award_id":"BK20200461","funder_id":"https://openalex.org/F4320322769","funder_display_name":"Natural Science Foundation of Jiangsu Province"},{"id":"https://openalex.org/G4757893089","display_name":null,"funder_award_id":"U20A20202","funder_id":"https://openalex.org/F4320321001","funder_display_name":"National Natural Science Foundation of China"},{"id":"https://openalex.org/G485163565","display_name":null,"funder_award_id":"62122023","funder_id":"https://openalex.org/F4320321001","funder_display_name":"National Natural Science Foundation of China"},{"id":"https://openalex.org/G7884576325","display_name":null,"funder_award_id":"2021J01544","funder_id":"https://openalex.org/F4320321878","funder_display_name":"Natural Science Foundation of Fujian Province"},{"id":"https://openalex.org/G7884758391","display_name":null,"funder_award_id":"62002167","funder_id":"https://openalex.org/F4320321001","funder_display_name":"National Natural Science Foundation of China"}],"funders":[{"id":"https://openalex.org/F4320321001","display_name":"National Natural Science Foundation of China","ror":"https://ror.org/01h0zpd94"},{"id":"https://openalex.org/F4320321878","display_name":"Natural Science Foundation of Fujian Province","ror":null},{"id":"https://openalex.org/F4320322769","display_name":"Natural Science Foundation of Jiangsu Province","ror":"https://ror.org/01h0zpd94"}],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":31,"referenced_works":["https://openalex.org/W1977610018","https://openalex.org/W2067713319","https://openalex.org/W2603766943","https://openalex.org/W2781800156","https://openalex.org/W2891828758","https://openalex.org/W2916286792","https://openalex.org/W2949639282","https://openalex.org/W2963303354","https://openalex.org/W2963465081","https://openalex.org/W2963857521","https://openalex.org/W2964137095","https://openalex.org/W2969695741","https://openalex.org/W2973414778","https://openalex.org/W2984353870","https://openalex.org/W2996649838","https://openalex.org/W3007318395","https://openalex.org/W3035379805","https://openalex.org/W3083230431","https://openalex.org/W3104679284","https://openalex.org/W3118608800","https://openalex.org/W3135274971","https://openalex.org/W3168455774","https://openalex.org/W3215966579","https://openalex.org/W4293846201","https://openalex.org/W6640425456","https://openalex.org/W6677919164","https://openalex.org/W6759204839","https://openalex.org/W6769160930","https://openalex.org/W6772101090","https://openalex.org/W6787972765","https://openalex.org/W6792077504"],"related_works":["https://openalex.org/W4320018150","https://openalex.org/W2040808657","https://openalex.org/W2918664383","https://openalex.org/W4320855730","https://openalex.org/W106056076","https://openalex.org/W2135200719","https://openalex.org/W2085319386","https://openalex.org/W1551379303","https://openalex.org/W2034199088","https://openalex.org/W4293790771"],"abstract_inverted_index":{"Training":[0],"a":[1,17,28,41,82,99,138,163,204,248,257,297,322,356,384],"Deep":[2],"Learning":[3,26],"(DL)":[4],"model":[5,18,33,55,64,71,84,105,132,185,358,373,381],"requires":[6,326],"proprietary":[7],"data":[8],"and":[9,89,109,325,336,353],"computing-intensive":[10],"resources.":[11],"To":[12,214],"recoup":[13],"their":[14],"training":[15],"costs,":[16],"provider":[19],"can":[20,366],"monetize":[21],"DL":[22],"models":[23],"through":[24,218,347],"Machine":[25],"as":[27,67,189,269,321],"Service":[29],"(MLaaS).":[30],"Generally,":[31,242],"the":[32,37,70,92,111,114,122,126,131,151,156,194,212,236,240,260,267,270,275,281,289,294,313,318,330,362,368,371,379],"is":[34,153,199,245,263,333,345],"deployed":[35],"at":[36],"cloud,":[38],"while":[39],"providing":[40],"publicly":[42],"accessible":[43],"Application":[44],"Programming":[45],"Interface":[46],"(API)":[47],"for":[48,74,201,284,391],"paid":[49],"queries":[50,81,202],"to":[51,62,85,155,169,174,230,235,265,293,303,329,338,376,383],"obtain":[52,86],"benefits.":[53],"However,":[54],"stealing":[56,186],"attacks":[57,187],"have":[58],"posed":[59],"security":[60],"threats":[61],"this":[63,117,216,243],"monetizing":[65],"scheme":[66],"they":[68],"steal":[69],"without":[72,279],"paying":[73],"future":[75],"extensive":[76],"queries.":[77],"Specifically,":[78],"an":[79],"adversary":[80],"targeted":[83],"input-output":[87],"pairs":[88],"thus":[90,167,334],"infer":[91],"model\u2019s":[93],"internal":[94,148],"working":[95],"mechanism":[96],"by":[97,374],"reverse-engineering":[98],"substitute":[100,164,315],"model,":[101],"which":[102],"has":[103],"deprived":[104],"owner\u2019s":[106],"business":[107],"advantage":[108],"leaked":[110,154,290],"privacy":[112],"of":[113,150,162,211,239,251,312,343,351,359,370],"model.":[115,165,316],"In":[116,191],"work,":[118],"we":[119,221],"observe":[120],"that":[121,158,259],"confidence":[123,128,172,178,195,233,291],"vector":[124],"or":[125],"top-1":[127],"returned":[129,197],"from":[130,203],"under":[133],"attack":[134],"(MUA)":[135],"varies":[136],"in":[137,247,296],"relative":[139],"large":[140,385],"degree":[141],"given":[142,180],"different":[143,181],"queried":[144,271],"inputs.":[145],"Therefore,":[146],"rich":[147],"information":[149,209,292],"MUA":[152,357],"attacker":[157,295],"facilities":[159],"her":[160],"reconstruction":[161],"We":[166],"propose":[168],"leverage":[170],"adversarial":[171,253],"perturbation":[173],"hide":[175],"such":[176],"varied":[177],"distribution":[179],"queries,":[182],"consequentially":[183],"against":[184],"(dubbed":[188],"APMSA).":[190],"other":[192],"words,":[193],"vectors":[196],"now":[198],"similar":[200,249],"specific":[205],"category,":[206],"considerably":[207],"reducing":[208],"leakage":[210],"MUA.":[213,241],"achieve":[215],"objective,":[217],"automated":[219],"optimization,":[220],"constructively":[222],"add":[223],"delicate":[224],"noise":[225],"into":[226],"per":[227],"input":[228],"query":[229],"make":[231],"its":[232],"close":[234,302],"decision":[237,304],"boundary":[238],"process":[244],"achieved":[246],"means":[250],"crafting":[252],"examples":[254],"but":[255,287],"with":[256,387],"distinction":[258],"hard":[261],"label":[262],"preserved":[264],"be":[266],"same":[268],"input.":[272],"This":[273],"retains":[274],"inference":[276,282,395],"utility":[277],"(i.e.,":[278,301],"sacrificing":[280],"accuracy)":[283],"normal":[285,392],"users":[286],"bounded":[288],"small":[298],"constrained":[299],"area":[300],"boundary).":[305],"The":[306,340],"later":[307],"renders":[308],"greatly":[309],"deteriorated":[310],"accuracy":[311,369,389],"attacker\u2019s":[314],"As":[317],"APMSA":[319,344],"serves":[320],"plug-in":[323],"front-end":[324],"no":[327],"change":[328],"MUA,":[331],"it":[332],"generic":[335],"easy":[337],"deploy.":[339],"high":[341],"efficacy":[342],"validated":[346],"experiments":[348],"on":[349,361],"datasets":[350],"CIFAR10":[352],"GTSRB.":[354],"Given":[355],"ResNet-18":[360],"CIFAR10,":[363],"our":[364],"defense":[365],"degrade":[367],"stolen":[372,380],"up":[375],"15%":[377],"(rendering":[378],"useless":[382],"extent)":[386],"0%":[388],"drop":[390],"user\u2019s":[393],"hard-label":[394],"request.":[396]},"counts_by_year":[{"year":2026,"cited_by_count":2},{"year":2025,"cited_by_count":10},{"year":2024,"cited_by_count":22},{"year":2023,"cited_by_count":48}],"updated_date":"2026-04-17T18:11:37.981687","created_date":"2025-10-10T00:00:00"}