{"id":"https://openalex.org/W4383221380","doi":"https://doi.org/10.1145/3579856.3590336","title":"QUDA: Query-Limited Data-Free Model Extraction","display_name":"QUDA: Query-Limited Data-Free Model Extraction","publication_year":2023,"publication_date":"2023-07-05","ids":{"openalex":"https://openalex.org/W4383221380","doi":"https://doi.org/10.1145/3579856.3590336"},"language":"en","primary_location":{"id":"doi:10.1145/3579856.3590336","is_oa":false,"landing_page_url":"https://doi.org/10.1145/3579856.3590336","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the ACM Asia Conference on Computer and Communications Security","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5041044253","display_name":"Zijun Lin","orcid":"https://orcid.org/0009-0009-4502-4157"},"institutions":[{"id":"https://openalex.org/I172675005","display_name":"Nanyang Technological University","ror":"https://ror.org/02e7b5302","country_code":"SG","type":"education","lineage":["https://openalex.org/I172675005"]}],"countries":["SG"],"is_corresponding":true,"raw_author_name":"Zijun Lin","raw_affiliation_strings":["Nanyang Technological University, Singapore"],"raw_orcid":"https://orcid.org/0009-0009-4502-4157","affiliations":[{"raw_affiliation_string":"Nanyang Technological University, Singapore","institution_ids":["https://openalex.org/I172675005"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5100737915","display_name":"Ke Xu","orcid":"https://orcid.org/0000-0001-7462-3348"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Ke Xu","raw_affiliation_strings":["Huawei International, Singapore"],"raw_orcid":"https://orcid.org/0000-0001-7462-3348","affiliations":[{"raw_affiliation_string":"Huawei International, Singapore","institution_ids":[]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5089400788","display_name":"Chengfang Fang","orcid":"https://orcid.org/0000-0002-8313-0980"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Chengfang Fang","raw_affiliation_strings":["Huawei International, Singapore"],"raw_orcid":"https://orcid.org/0000-0002-8313-0980","affiliations":[{"raw_affiliation_string":"Huawei International, Singapore","institution_ids":[]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5007825677","display_name":"Huadi Zheng","orcid":"https://orcid.org/0000-0003-1224-9885"},"institutions":[{"id":"https://openalex.org/I2250955327","display_name":"Huawei Technologies (China)","ror":"https://ror.org/00cmhce21","country_code":"CN","type":"company","lineage":["https://openalex.org/I2250955327"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Huadi Zheng","raw_affiliation_strings":["Huawei Technology, China"],"raw_orcid":"https://orcid.org/0000-0003-1224-9885","affiliations":[{"raw_affiliation_string":"Huawei Technology, China","institution_ids":["https://openalex.org/I2250955327"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5092404299","display_name":"Aneez Ahmed Jaheezuddin","orcid":"https://orcid.org/0009-0004-9092-2080"},"institutions":[{"id":"https://openalex.org/I172675005","display_name":"Nanyang Technological University","ror":"https://ror.org/02e7b5302","country_code":"SG","type":"education","lineage":["https://openalex.org/I172675005"]}],"countries":["SG"],"is_corresponding":false,"raw_author_name":"Aneez Ahmed Jaheezuddin","raw_affiliation_strings":["Nanyang Technological University, Singapore"],"raw_orcid":"https://orcid.org/0009-0004-9092-2080","affiliations":[{"raw_affiliation_string":"Nanyang Technological University, Singapore","institution_ids":["https://openalex.org/I172675005"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5050620372","display_name":"Jie Shi","orcid":"https://orcid.org/0009-0004-8022-4051"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Jie Shi","raw_affiliation_strings":["Huawei International, Singapore"],"raw_orcid":"https://orcid.org/0009-0004-8022-4051","affiliations":[{"raw_affiliation_string":"Huawei International, Singapore","institution_ids":[]}]}],"institutions":[],"countries_distinct_count":2,"institutions_distinct_count":6,"corresponding_author_ids":["https://openalex.org/A5041044253"],"corresponding_institution_ids":["https://openalex.org/I172675005"],"apc_list":null,"apc_paid":null,"fwci":2.2153,"has_fulltext":false,"cited_by_count":13,"citation_normalized_percentile":{"value":0.90103672,"is_in_top_1_percent":false,"is_in_top_10_percent":true},"cited_by_percentile_year":{"min":90,"max":99},"biblio":{"volume":null,"issue":null,"first_page":"913","last_page":"924"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":1.0,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":1.0,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9846000075340271,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11512","display_name":"Anomaly Detection Techniques and Applications","score":0.972599983215332,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.8620673418045044},{"id":"https://openalex.org/keywords/data-mining","display_name":"Data mining","score":0.5231496095657349},{"id":"https://openalex.org/keywords/adversary","display_name":"Adversary","score":0.45137113332748413},{"id":"https://openalex.org/keywords/online-aggregation","display_name":"Online aggregation","score":0.4439452886581421},{"id":"https://openalex.org/keywords/limiting","display_name":"Limiting","score":0.42090779542922974},{"id":"https://openalex.org/keywords/data-extraction","display_name":"Data extraction","score":0.41495928168296814},{"id":"https://openalex.org/keywords/threat-model","display_name":"Threat model","score":0.4140610098838806},{"id":"https://openalex.org/keywords/sargable","display_name":"Sargable","score":0.4138990640640259},{"id":"https://openalex.org/keywords/web-search-query","display_name":"Web search query","score":0.3741602897644043},{"id":"https://openalex.org/keywords/information-retrieval","display_name":"Information retrieval","score":0.3621577024459839},{"id":"https://openalex.org/keywords/search-engine","display_name":"Search engine","score":0.1888420581817627},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.17220649123191833}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.8620673418045044},{"id":"https://openalex.org/C124101348","wikidata":"https://www.wikidata.org/wiki/Q172491","display_name":"Data mining","level":1,"score":0.5231496095657349},{"id":"https://openalex.org/C41065033","wikidata":"https://www.wikidata.org/wiki/Q2825412","display_name":"Adversary","level":2,"score":0.45137113332748413},{"id":"https://openalex.org/C24028149","wikidata":"https://www.wikidata.org/wiki/Q7094056","display_name":"Online aggregation","level":5,"score":0.4439452886581421},{"id":"https://openalex.org/C188198153","wikidata":"https://www.wikidata.org/wiki/Q1613840","display_name":"Limiting","level":2,"score":0.42090779542922974},{"id":"https://openalex.org/C2777466982","wikidata":"https://www.wikidata.org/wiki/Q5227287","display_name":"Data extraction","level":3,"score":0.41495928168296814},{"id":"https://openalex.org/C140547941","wikidata":"https://www.wikidata.org/wiki/Q7797194","display_name":"Threat model","level":2,"score":0.4140610098838806},{"id":"https://openalex.org/C192939062","wikidata":"https://www.wikidata.org/wiki/Q104840822","display_name":"Sargable","level":4,"score":0.4138990640640259},{"id":"https://openalex.org/C164120249","wikidata":"https://www.wikidata.org/wiki/Q995982","display_name":"Web search query","level":3,"score":0.3741602897644043},{"id":"https://openalex.org/C23123220","wikidata":"https://www.wikidata.org/wiki/Q816826","display_name":"Information retrieval","level":1,"score":0.3621577024459839},{"id":"https://openalex.org/C97854310","wikidata":"https://www.wikidata.org/wiki/Q19541","display_name":"Search engine","level":2,"score":0.1888420581817627},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.17220649123191833},{"id":"https://openalex.org/C2779473830","wikidata":"https://www.wikidata.org/wiki/Q1540899","display_name":"MEDLINE","level":2,"score":0.0},{"id":"https://openalex.org/C17744445","wikidata":"https://www.wikidata.org/wiki/Q36442","display_name":"Political science","level":0,"score":0.0},{"id":"https://openalex.org/C78519656","wikidata":"https://www.wikidata.org/wiki/Q101333","display_name":"Mechanical engineering","level":1,"score":0.0},{"id":"https://openalex.org/C199539241","wikidata":"https://www.wikidata.org/wiki/Q7748","display_name":"Law","level":1,"score":0.0},{"id":"https://openalex.org/C127413603","wikidata":"https://www.wikidata.org/wiki/Q11023","display_name":"Engineering","level":0,"score":0.0}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1145/3579856.3590336","is_oa":false,"landing_page_url":"https://doi.org/10.1145/3579856.3590336","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the ACM Asia Conference on Computer and Communications Security","raw_type":"proceedings-article"}],"best_oa_location":null,"sustainable_development_goals":[{"display_name":"Peace, Justice and strong institutions","id":"https://metadata.un.org/sdg/16","score":0.800000011920929}],"awards":[],"funders":[],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":16,"referenced_works":["https://openalex.org/W2108598243","https://openalex.org/W2145339207","https://openalex.org/W2596585349","https://openalex.org/W2603766943","https://openalex.org/W2747329762","https://openalex.org/W2963303354","https://openalex.org/W2963465081","https://openalex.org/W2996851481","https://openalex.org/W3113058464","https://openalex.org/W3200953672","https://openalex.org/W4234552385","https://openalex.org/W4255536601","https://openalex.org/W4300511536","https://openalex.org/W4365800005","https://openalex.org/W4386059972","https://openalex.org/W4402776467"],"related_works":["https://openalex.org/W3125756434","https://openalex.org/W1560919561","https://openalex.org/W2096359267","https://openalex.org/W185198413","https://openalex.org/W2150741898","https://openalex.org/W2901901036","https://openalex.org/W2184296057","https://openalex.org/W1793997780","https://openalex.org/W2362460270","https://openalex.org/W4381740310"],"abstract_inverted_index":{"Model":[0],"extraction":[1,69,133,151,186],"attack":[2,152],"typically":[3,93],"refers":[4],"to":[5,21,46,53,66,84,107,161,173,243],"extracting":[6],"non-public":[7],"information":[8],"from":[9,38,51],"a":[10,48,108,146,223],"black-box":[11],"machine":[12],"learning":[13,172],"model.":[14,59],"Its":[15],"unauthorized":[16],"nature":[17],"poses":[18],"significant":[19],"threat":[20],"intellectual":[22],"property":[23],"rights":[24],"of":[25,111,123,169,219,232,237],"the":[26,31,35,39,42,121,127,167,182,206,229,235],"model":[27,50,68,112,132,150,185],"owners.":[28],"By":[29],"using":[30,72],"well-designed":[32],"queries":[33,233],"and":[34,114,166,200,203,247],"predictions":[36],"returned":[37],"victim":[40,58],"model,":[41],"adversary":[43],"is":[44,240],"able":[45],"train":[47],"clone":[49,87],"scratch":[52],"obtain":[54],"similar":[55],"functionality":[56],"as":[57,252],"Recently,":[60],"some":[61,103],"methods":[62,80],"have":[63,81],"been":[64,82],"proposed":[65],"perform":[67],"attacks":[70,134],"without":[71],"any":[73],"in-distribution":[74],"data":[75,239],"(Data-free":[76],"setting).":[77],"Although":[78],"these":[79],"shown":[83],"achieve":[85],"high":[86,109],"accuracy,":[88],"their":[89],"query":[90,137,175,196,217],"budgets":[91],"are":[92,256],"around":[94],"10":[95],"million":[96,101],"or":[97,234],"even":[98,204],"exceed":[99],"20":[100],"in":[102,139,198,209],"datasets,":[104,202],"which":[105],"lead":[106],"cost":[110],"stealing":[113],"can":[115],"be":[116],"easily":[117],"defended":[118],"by":[119,131,157],"limiting":[120],"number":[122],"queries.":[124],"To":[125],"illustrate":[126],"severe":[128],"threats":[129],"induced":[130],"with":[135,181],"limited":[136,230],"budget":[138,218],"realistic":[140],"scenarios,":[141],"we":[142],"propose":[143],"QUDA":[144,188,213,221],"\u2013":[145],"novel":[147],"QUey-limited":[148],"DAta-free":[149],"that":[153,225],"incorporates":[154],"GAN":[155],"pre-trained":[156],"public":[158],"unrelated":[159],"dataset":[160],"provide":[162],"weak":[163],"image":[164],"prior":[165],"technique":[168],"deep":[170],"reinforcement":[171],"make":[174],"generation":[176],"strategy":[177],"more":[178],"efficient.":[179],"Compared":[180],"state-of-the-art":[183],"data-free":[184],"method,":[187],"achieves":[189],"better":[190],"results":[191],"under":[192],"query-limited":[193],"condition":[194],"(0.1M":[195],"budget)":[197],"FMNIST":[199],"CIFAR-10":[201],"outperforms":[205],"baseline":[207],"method":[208],"most":[210],"cases":[211],"when":[212],"uses":[214],"only":[215],"10%":[216],"its.":[220],"issued":[222],"warning":[224],"solely":[226],"relying":[227],"on":[228],"numbers":[231],"confidentiality":[236],"training":[238],"not":[241],"reliable":[242],"protect":[244],"model\u2019s":[245],"security":[246],"privacy.":[248],"Potential":[249],"countermeasures,":[250],"such":[251],"detection-based":[253],"defense":[254],"approach,":[255],"also":[257],"provided.":[258]},"counts_by_year":[{"year":2026,"cited_by_count":1},{"year":2025,"cited_by_count":7},{"year":2024,"cited_by_count":4},{"year":2023,"cited_by_count":1}],"updated_date":"2025-11-06T03:46:38.306776","created_date":"2025-10-10T00:00:00"}