{"id":"https://openalex.org/W4386815519","doi":"https://doi.org/10.14428/esann/2023.es2023-125","title":"On the Limitations of Model Stealing with Uncertainty Quantification Models","display_name":"On the Limitations of Model Stealing with Uncertainty Quantification Models","publication_year":2023,"publication_date":"2023-01-01","ids":{"openalex":"https://openalex.org/W4386815519","doi":"https://doi.org/10.14428/esann/2023.es2023-125"},"language":"en","primary_location":{"id":"doi:10.14428/esann/2023.es2023-125","is_oa":true,"landing_page_url":"https://doi.org/10.14428/esann/2023.es2023-125","pdf_url":"https://doi.org/10.14428/esann/2023.es2023-125","source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"ESANN 2023 proceesdings","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":true,"oa_status":"gold","oa_url":"https://doi.org/10.14428/esann/2023.es2023-125","any_repository_has_fulltext":null},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5111667912","display_name":"David Pape","orcid":null},"institutions":[{"id":"https://openalex.org/I4210128801","display_name":"Helmholtz Center for Information Security","ror":"https://ror.org/02njgxr09","country_code":"DE","type":"facility","lineage":["https://openalex.org/I1305996414","https://openalex.org/I4210128801"]}],"countries":["DE"],"is_corresponding":true,"raw_author_name":"David Pape","raw_affiliation_strings":["-CISPA Helmholtz Center for Information Security,"],"affiliations":[{"raw_affiliation_string":"-CISPA Helmholtz Center for Information Security,","institution_ids":["https://openalex.org/I4210128801"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5021713263","display_name":"Sina D\u00e4ubener","orcid":null},"institutions":[{"id":"https://openalex.org/I904495901","display_name":"Ruhr University Bochum","ror":"https://ror.org/04tsk2644","country_code":"DE","type":"education","lineage":["https://openalex.org/I904495901"]}],"countries":["DE"],"is_corresponding":false,"raw_author_name":"Sina D\u00e4ubener","raw_affiliation_strings":["-Ruhr University Bochum"],"affiliations":[{"raw_affiliation_string":"-Ruhr University Bochum","institution_ids":["https://openalex.org/I904495901"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5092891783","display_name":"Thosten Eisenhofer","orcid":null},"institutions":[{"id":"https://openalex.org/I904495901","display_name":"Ruhr University Bochum","ror":"https://ror.org/04tsk2644","country_code":"DE","type":"education","lineage":["https://openalex.org/I904495901"]}],"countries":["DE"],"is_corresponding":false,"raw_author_name":"Thosten Eisenhofer","raw_affiliation_strings":["-Ruhr University Bochum"],"affiliations":[{"raw_affiliation_string":"-Ruhr University Bochum","institution_ids":["https://openalex.org/I904495901"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5031868744","display_name":"Antonio Emanuele Cin\u00e1","orcid":"https://orcid.org/0000-0003-3807-6417"},"institutions":[{"id":"https://openalex.org/I4210128801","display_name":"Helmholtz Center for Information Security","ror":"https://ror.org/02njgxr09","country_code":"DE","type":"facility","lineage":["https://openalex.org/I1305996414","https://openalex.org/I4210128801"]}],"countries":["DE"],"is_corresponding":false,"raw_author_name":"Antonio Emanuele Cin\u00e0","raw_affiliation_strings":["-CISPA Helmholtz Center for Information Security,"],"affiliations":[{"raw_affiliation_string":"-CISPA Helmholtz Center for Information Security,","institution_ids":["https://openalex.org/I4210128801"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5049219646","display_name":"Lea Sch\u00f6nherr","orcid":"https://orcid.org/0000-0003-3779-7781"},"institutions":[{"id":"https://openalex.org/I4210128801","display_name":"Helmholtz Center for Information Security","ror":"https://ror.org/02njgxr09","country_code":"DE","type":"facility","lineage":["https://openalex.org/I1305996414","https://openalex.org/I4210128801"]}],"countries":["DE"],"is_corresponding":false,"raw_author_name":"Lea Sch\u00f6nherr","raw_affiliation_strings":["-CISPA Helmholtz Center for Information Security,"],"affiliations":[{"raw_affiliation_string":"-CISPA Helmholtz Center for Information Security,","institution_ids":["https://openalex.org/I4210128801"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":5,"corresponding_author_ids":["https://openalex.org/A5111667912"],"corresponding_institution_ids":["https://openalex.org/I4210128801"],"apc_list":null,"apc_paid":null,"fwci":0.5185,"has_fulltext":true,"cited_by_count":3,"citation_normalized_percentile":{"value":0.71973103,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":{"min":91,"max":96},"biblio":{"volume":null,"issue":null,"first_page":"133","last_page":"138"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":1.0,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":1.0,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11307","display_name":"Domain Adaptation and Few-Shot Learning","score":0.9958000183105469,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11512","display_name":"Anomaly Detection Techniques and Applications","score":0.9955999851226807,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.7802724838256836},{"id":"https://openalex.org/keywords/leverage","display_name":"Leverage (statistics)","score":0.7376264929771423},{"id":"https://openalex.org/keywords/task","display_name":"Task (project management)","score":0.5871122479438782},{"id":"https://openalex.org/keywords/variance","display_name":"Variance (accounting)","score":0.5751439332962036},{"id":"https://openalex.org/keywords/fidelity","display_name":"Fidelity","score":0.5750882029533386},{"id":"https://openalex.org/keywords/machine-learning","display_name":"Machine learning","score":0.5054574012756348},{"id":"https://openalex.org/keywords/artificial-intelligence","display_name":"Artificial intelligence","score":0.4856899678707123},{"id":"https://openalex.org/keywords/fraction","display_name":"Fraction (chemistry)","score":0.46474310755729675},{"id":"https://openalex.org/keywords/function","display_name":"Function (biology)","score":0.4469899535179138},{"id":"https://openalex.org/keywords/statistical-model","display_name":"Statistical model","score":0.4216778874397278},{"id":"https://openalex.org/keywords/data-mining","display_name":"Data mining","score":0.3513854146003723},{"id":"https://openalex.org/keywords/engineering","display_name":"Engineering","score":0.08969339728355408}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7802724838256836},{"id":"https://openalex.org/C153083717","wikidata":"https://www.wikidata.org/wiki/Q6535263","display_name":"Leverage (statistics)","level":2,"score":0.7376264929771423},{"id":"https://openalex.org/C2780451532","wikidata":"https://www.wikidata.org/wiki/Q759676","display_name":"Task (project management)","level":2,"score":0.5871122479438782},{"id":"https://openalex.org/C196083921","wikidata":"https://www.wikidata.org/wiki/Q7915758","display_name":"Variance (accounting)","level":2,"score":0.5751439332962036},{"id":"https://openalex.org/C2776459999","wikidata":"https://www.wikidata.org/wiki/Q2119376","display_name":"Fidelity","level":2,"score":0.5750882029533386},{"id":"https://openalex.org/C119857082","wikidata":"https://www.wikidata.org/wiki/Q2539","display_name":"Machine learning","level":1,"score":0.5054574012756348},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.4856899678707123},{"id":"https://openalex.org/C149629883","wikidata":"https://www.wikidata.org/wiki/Q660926","display_name":"Fraction (chemistry)","level":2,"score":0.46474310755729675},{"id":"https://openalex.org/C14036430","wikidata":"https://www.wikidata.org/wiki/Q3736076","display_name":"Function (biology)","level":2,"score":0.4469899535179138},{"id":"https://openalex.org/C114289077","wikidata":"https://www.wikidata.org/wiki/Q3284399","display_name":"Statistical model","level":2,"score":0.4216778874397278},{"id":"https://openalex.org/C124101348","wikidata":"https://www.wikidata.org/wiki/Q172491","display_name":"Data mining","level":1,"score":0.3513854146003723},{"id":"https://openalex.org/C127413603","wikidata":"https://www.wikidata.org/wiki/Q11023","display_name":"Engineering","level":0,"score":0.08969339728355408},{"id":"https://openalex.org/C76155785","wikidata":"https://www.wikidata.org/wiki/Q418","display_name":"Telecommunications","level":1,"score":0.0},{"id":"https://openalex.org/C86803240","wikidata":"https://www.wikidata.org/wiki/Q420","display_name":"Biology","level":0,"score":0.0},{"id":"https://openalex.org/C144133560","wikidata":"https://www.wikidata.org/wiki/Q4830453","display_name":"Business","level":0,"score":0.0},{"id":"https://openalex.org/C121955636","wikidata":"https://www.wikidata.org/wiki/Q4116214","display_name":"Accounting","level":1,"score":0.0},{"id":"https://openalex.org/C178790620","wikidata":"https://www.wikidata.org/wiki/Q11351","display_name":"Organic chemistry","level":1,"score":0.0},{"id":"https://openalex.org/C201995342","wikidata":"https://www.wikidata.org/wiki/Q682496","display_name":"Systems engineering","level":1,"score":0.0},{"id":"https://openalex.org/C185592680","wikidata":"https://www.wikidata.org/wiki/Q2329","display_name":"Chemistry","level":0,"score":0.0},{"id":"https://openalex.org/C78458016","wikidata":"https://www.wikidata.org/wiki/Q840400","display_name":"Evolutionary biology","level":1,"score":0.0}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.14428/esann/2023.es2023-125","is_oa":true,"landing_page_url":"https://doi.org/10.14428/esann/2023.es2023-125","pdf_url":"https://doi.org/10.14428/esann/2023.es2023-125","source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"ESANN 2023 proceesdings","raw_type":"proceedings-article"}],"best_oa_location":{"id":"doi:10.14428/esann/2023.es2023-125","is_oa":true,"landing_page_url":"https://doi.org/10.14428/esann/2023.es2023-125","pdf_url":"https://doi.org/10.14428/esann/2023.es2023-125","source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"ESANN 2023 proceesdings","raw_type":"proceedings-article"},"sustainable_development_goals":[],"awards":[{"id":"https://openalex.org/G18682879","display_name":null,"funder_award_id":"390781972","funder_id":"https://openalex.org/F4320320879","funder_display_name":"Deutsche Forschungsgemeinschaft"},{"id":"https://openalex.org/G5106512922","display_name":null,"funder_award_id":"Deutsche Forschungsgemeinschaft (DFG","funder_id":"https://openalex.org/F4320320879","funder_display_name":"Deutsche Forschungsgemeinschaft"},{"id":"https://openalex.org/G5717916917","display_name":null,"funder_award_id":"39078197","funder_id":"https://openalex.org/F4320320879","funder_display_name":"Deutsche Forschungsgemeinschaft"}],"funders":[{"id":"https://openalex.org/F4320320879","display_name":"Deutsche Forschungsgemeinschaft","ror":"https://ror.org/018mejw64"}],"has_content":{"pdf":true,"grobid_xml":false},"content_urls":{"pdf":"https://content.openalex.org/works/W4386815519.pdf"},"referenced_works_count":15,"referenced_works":["https://openalex.org/W582134693","https://openalex.org/W1959608418","https://openalex.org/W2335728318","https://openalex.org/W2560321925","https://openalex.org/W2789304371","https://openalex.org/W2905209730","https://openalex.org/W2951266961","https://openalex.org/W2963238274","https://openalex.org/W2963303354","https://openalex.org/W2992525328","https://openalex.org/W3010489274","https://openalex.org/W3023663521","https://openalex.org/W3118608800","https://openalex.org/W3174136778","https://openalex.org/W4288117700"],"related_works":["https://openalex.org/W2381850946","https://openalex.org/W4380449851","https://openalex.org/W3125091513","https://openalex.org/W4318832338","https://openalex.org/W1919390113","https://openalex.org/W4248383205","https://openalex.org/W4234745530","https://openalex.org/W2146383839","https://openalex.org/W2231829109","https://openalex.org/W2044710239"],"abstract_inverted_index":{"Model":[0],"stealing":[1,78,161],"aims":[2],"at":[3,9,118],"inferring":[4],"a":[5,10,76,123],"victim":[6],"model's":[7,24,114],"functionality":[8],"fraction":[11],"of":[12,63,94,106,112,125],"the":[13,17,23,61,64,84,100,104,110,113,119,132,141,159],"original":[14,29],"training":[15,30,126],"cost.While":[16],"goal":[18],"is":[19,152],"clear,":[20],"in":[21,75,92],"practice":[22],"architecture,":[25],"weight":[26],"dimension,":[27],"and":[28,55],"data":[31],"can":[32],"not":[33,153],"be":[34],"determined":[35],"exactly,":[36],"leading":[37],"to":[38,59,89,99,135,146],"mutual":[39],"uncertainty":[40,49,72,149],"during":[41,130],"stealing.In":[42],"this":[43,48],"work,":[44],"we":[45,68,108,144],"explicitly":[46],"tackle":[47],"by":[50,116],"generating":[51],"multiple":[52],"possible":[53],"networks":[54],"combining":[56],"their":[57],"predictions":[58],"improve":[60],"quality":[62],"stolen":[65,101],"model.For":[66],"this,":[67,107],"compare":[69],"five":[70],"popular":[71],"quantification":[73,150],"models":[74,86,133,151],"model":[77,160],"task.Surprisingly,":[79],"our":[80],"results":[81],"indicate":[82],"that":[83,129,140],"considered":[85],"only":[87],"lead":[88],"marginal":[90],"improvements":[91,157],"terms":[93],"label":[95],"agreement":[96],"(i.e.,":[97],"fidelity)":[98],"model.To":[102],"find":[103],"cause":[105],"inspect":[109],"diversity":[111,143],"prediction":[115,120],"looking":[117],"variance":[121],"as":[122],"function":[124],"iterations.We":[127],"realize":[128],"training,":[131],"tend":[134],"have":[136],"similar":[137],"predictions,":[138],"indicating":[139],"network":[142],"wanted":[145],"leverage":[147],"using":[148],"(high)":[154],"enough":[155],"for":[156],"on":[158],"task.":[162]},"counts_by_year":[{"year":2025,"cited_by_count":1},{"year":2023,"cited_by_count":2}],"updated_date":"2026-04-10T15:06:20.359241","created_date":"2025-10-10T00:00:00"}