{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,19]],"date-time":"2026-02-19T15:34:00Z","timestamp":1771515240246,"version":"3.50.1"},"publisher-location":"New York, NY, USA","reference-count":73,"publisher":"ACM","license":[{"start":{"date-parts":[[2021,12,6]],"date-time":"2021-12-06T00:00:00Z","timestamp":1638748800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"DOI":"10.13039\/501100001866","name":"Fonds National de la Recherche Luxembourg","doi-asserted-by":"publisher","award":["13550291"],"award-info":[{"award-number":["13550291"]}],"id":[{"id":"10.13039\/501100001866","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2021,12,6]]},"DOI":"10.1145\/3485832.3485838","type":"proceedings-article","created":{"date-parts":[[2021,12,6]],"date-time":"2021-12-06T13:42:32Z","timestamp":1638798152000},"page":"1-16","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":29,"title":["Stealing Machine Learning Models: Attacks and Countermeasures for Generative Adversarial Networks"],"prefix":"10.1145","author":[{"given":"Hailong","family":"Hu","sequence":"first","affiliation":[{"name":"SnT, University of Luxembourg, Luxembourg"}]},{"given":"Jun","family":"Pang","sequence":"additional","affiliation":[{"name":"FSTM &amp; SnT, University of Luxembourg, Luxembourg"}]}],"member":"320","published-online":{"date-parts":[[2021,12,6]]},"reference":[{"key":"e_1_3_2_1_1_1","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978318"},{"key":"e_1_3_2_1_2_1","volume-title":"Proceedings of International Conference on Learning Representations (ICLR).","author":"Agustsson Eirikur","year":"2019","unstructured":"Eirikur Agustsson, Alexander Sage, Radu Timofte, and Luc\u00a0Van Gool. 2019. Optimal Transport Maps For Distribution Preserving Operations on Latent Spaces of Generative Models. In Proceedings of International Conference on Learning Representations (ICLR)."},{"key":"e_1_3_2_1_3_1","volume-title":"Proceedings of International Conference on Learning Representations (ICLR).","author":"Azadi Samaneh","year":"2019","unstructured":"Samaneh Azadi, Catherine Olsson, Trevor Darrell, Ian Goodfellow, and Augustus Odena. 2019. Discriminator Rejection Sampling. In Proceedings of International Conference on Learning Representations (ICLR)."},{"key":"e_1_3_2_1_4_1","doi-asserted-by":"publisher","DOI":"10.1146\/annurev-conmatphys-031119-050745"},{"key":"e_1_3_2_1_5_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV.2019.00460"},{"key":"e_1_3_2_1_6_1","volume-title":"Proceedings of International Conference on Learning Representations (ICLR).","author":"Brock Andrew","year":"2019","unstructured":"Andrew Brock, Jeff Donahue, and Karen Simonyan. 2019. Large Scale GAN Training for High Fidelity Natural Image Synthesis. In Proceedings of International Conference on Learning Representations (ICLR)."},{"key":"e_1_3_2_1_7_1","unstructured":"Tom\u00a0B Brown Benjamin Mann Nick Ryder Melanie Subbiah Jared Kaplan Prafulla Dhariwal Arvind Neelakantan Pranav Shyam Girish Sastry Amanda Askell 2020. Language models are few-shot learners. arXiv preprint arXiv:2005.14165(2020)."},{"key":"e_1_3_2_1_8_1","doi-asserted-by":"publisher","DOI":"10.1145\/3433210.3437526"},{"key":"e_1_3_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-56877-1_7"},{"key":"e_1_3_2_1_10_1","volume-title":"Proceedings of USENIX Security Symposium (USENIX Security). USENIX Association, 2633\u20132650","author":"Carlini Nicholas","year":"2021","unstructured":"Nicholas Carlini, Florian Tramer, Eric Wallace, Matthew Jagielski, Ariel Herbert-Voss, Katherine Lee, Adam Roberts, Tom Brown, Dawn Song, Ulfar Erlingsson, 2021. Extracting Training Data from Large Language Models. In Proceedings of USENIX Security Symposium (USENIX Security). USENIX Association, 2633\u20132650."},{"key":"e_1_3_2_1_11_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2017.49"},{"key":"e_1_3_2_1_12_1","volume-title":"Proceedings of USENIX Security Symposium (USENIX Security). USENIX Association.","author":"Chandrasekaran Varun","year":"2020","unstructured":"Varun Chandrasekaran, Kamalika Chaudhuri, Irene Giacomelli, Somesh Jha, and Songbai Yan. 2020. Exploring Connections Between Active Learning and Model Extraction. In Proceedings of USENIX Security Symposium (USENIX Security). USENIX Association."},{"key":"e_1_3_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.1145\/3372297.3417238"},{"key":"e_1_3_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.1145\/3433210.3453090"},{"key":"e_1_3_2_1_15_1","volume-title":"BERT: Pre-training of deep bidirectional transformers for language understanding. arXiv preprint arXiv:1810.04805(2018).","author":"Devlin Jacob","year":"2018","unstructured":"Jacob Devlin, Ming-Wei Chang, Kenton Lee, and Kristina Toutanova. 2018. BERT: Pre-training of deep bidirectional transformers for language understanding. arXiv preprint arXiv:1810.04805(2018)."},{"key":"e_1_3_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1109\/TSP.2020.2979601"},{"key":"e_1_3_2_1_17_1","unstructured":"Joachim Folz. 2020. simplejpeg 1.4.0. https:\/\/gitlab.com\/jfolz\/simplejpeg"},{"key":"e_1_3_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3243834"},{"key":"e_1_3_2_1_19_1","volume-title":"Proceedings of Annual Conference on Neural Information Processing Systems (NeurIPS). Curran Associates, Inc., 2672\u20132680","author":"Goodfellow Ian","year":"2014","unstructured":"Ian Goodfellow, Jean Pouget-Abadie, Mehdi Mirza, Bing Xu, David Warde-Farley, Sherjil Ozair, Aaron Courville, and Yoshua Bengio. 2014. Generative adversarial nets. In Proceedings of Annual Conference on Neural Information Processing Systems (NeurIPS). Curran Associates, Inc., 2672\u20132680."},{"key":"e_1_3_2_1_20_1","doi-asserted-by":"publisher","DOI":"10.2478\/popets-2019-0008"},{"key":"e_1_3_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2016.90"},{"key":"e_1_3_2_1_22_1","unstructured":"Yingzhe He Guozhu Meng Kai Chen Xingbo Hu and Jinwen He. 2019. Towards Privacy and Security of Deep Learning Systems: A Survey. arXiv preprint arXiv:1911.12562(2019)."},{"key":"e_1_3_2_1_23_1","volume-title":"Proceedings of Annual Conference on Neural Information Processing Systems (NeurIPS). Curran Associates, Inc., 6626\u20136637","author":"Heusel Martin","year":"2017","unstructured":"Martin Heusel, Hubert Ramsauer, Thomas Unterthiner, Bernhard Nessler, and Sepp Hochreiter. 2017. Gans trained by a two time-scale update rule converge to a local nash equilibrium. In Proceedings of Annual Conference on Neural Information Processing Systems (NeurIPS). Curran Associates, Inc., 6626\u20136637."},{"key":"e_1_3_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.2478\/popets-2019-0067"},{"key":"e_1_3_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV.2017.167"},{"key":"e_1_3_2_1_26_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2017.202"},{"key":"e_1_3_2_1_27_1","volume-title":"Proceedings of USENIX Security Symposium (USENIX Security). USENIX Association.","author":"Jagielski Matthew","year":"2020","unstructured":"Matthew Jagielski, Nicholas Carlini, David Berthelot, Alex Kurakin, and Nicolas Papernot. 2020. High Accuracy and High Fidelity Extraction of Neural Networks. In Proceedings of USENIX Security Symposium (USENIX Security). USENIX Association."},{"key":"e_1_3_2_1_28_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2015.23096"},{"key":"e_1_3_2_1_29_1","volume-title":"Proceedings of USENIX Security Symposium (USENIX Security). USENIX Association","author":"Jia Hengrui","year":"2021","unstructured":"Hengrui Jia, Christopher\u00a0A Choquette-Choo, Varun Chandrasekaran, and Nicolas Papernot. 2021. Entangled watermarks as a defense against model extraction. In Proceedings of USENIX Security Symposium (USENIX Security). USENIX Association, 1937\u20131954."},{"key":"e_1_3_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSP.2019.00044"},{"key":"e_1_3_2_1_31_1","volume-title":"Proceedings of International Conference on Learning Representations (ICLR).","author":"Karras Tero","year":"2018","unstructured":"Tero Karras, Timo Aila, Samuli Laine, and Jaakko Lehtinen. 2018. Progressive Growing of GANs for Improved Quality, Stability, and Variation. In Proceedings of International Conference on Learning Representations (ICLR)."},{"key":"e_1_3_2_1_32_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2019.00453"},{"key":"e_1_3_2_1_33_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR42600.2020.00813"},{"key":"e_1_3_2_1_34_1","volume-title":"Proceedings of International Conference on Learning Representations (ICLR).","author":"Krishna Kalpesh","year":"2020","unstructured":"Kalpesh Krishna, Gaurav\u00a0Singh Tomar, Ankur\u00a0P. Parikh, Nicolas Papernot, and Mohit Iyyer. 2020. Thieves on Sesame Street! Model Extraction of BERT-based APIs. In Proceedings of International Conference on Learning Representations (ICLR)."},{"key":"e_1_3_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.1093\/bioinformatics\/btz682"},{"key":"e_1_3_2_1_36_1","volume-title":"Proceedings of IEEE Security and Privacy Workshops. IEEE, 43\u201349","author":"Lee Taesung","year":"2019","unstructured":"Taesung Lee, Benjamin Edwards, Ian Molloy, and Dong Su. 2019. Defending against model stealing attacks using deceptive perturbations. In Proceedings of IEEE Security and Privacy Workshops. IEEE, 43\u201349."},{"key":"e_1_3_2_1_37_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-46487-9_43"},{"key":"e_1_3_2_1_38_1","unstructured":"Huiying Li Emily Wenger Ben\u00a0Y Zhao and Haitao Zheng. 2019. Piracy Resistant Watermarks for Deep Neural Networks. arXiv preprint arXiv:1910.01226(2019)."},{"key":"e_1_3_2_1_39_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV.2019.00461"},{"key":"e_1_3_2_1_40_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV.2019.01065"},{"key":"e_1_3_2_1_41_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV.2015.425"},{"key":"e_1_3_2_1_42_1","doi-asserted-by":"publisher","DOI":"10.1145\/1081870.1081950"},{"key":"e_1_3_2_1_43_1","volume-title":"Proceedings of International Conference on Machine Learning (ICML). 4183\u20134192","author":"Lu\u010di\u0107 Mario","year":"2019","unstructured":"Mario Lu\u010di\u0107, Michael Tschannen, Marvin Ritter, Xiaohua Zhai, Olivier Bachem, and Sylvain Gelly. 2019. High-Fidelity Image Generation With Fewer Labels. In Proceedings of International Conference on Machine Learning (ICML). 4183\u20134192."},{"key":"e_1_3_2_1_44_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-01216-8_12"},{"key":"e_1_3_2_1_45_1","doi-asserted-by":"publisher","DOI":"10.1145\/3287560.3287562"},{"key":"e_1_3_2_1_46_1","volume-title":"\u201ccompletely blind","author":"Mittal Anish","year":"2012","unstructured":"Anish Mittal, Rajiv Soundararajan, and Alan\u00a0C Bovik. 2012. Making a \u201ccompletely blind\u201d image quality analyzer. IEEE Signal processing letters 20, 3 (2012), 209\u2013212."},{"key":"e_1_3_2_1_47_1","volume-title":"Proceedings of International Conference on Learning Representations (ICLR).","author":"Miyato Takeru","year":"2018","unstructured":"Takeru Miyato, Toshiki Kataoka, Masanori Koyama, and Yuichi Yoshida. 2018. Spectral Normalization for Generative Adversarial Networks. In Proceedings of International Conference on Learning Representations (ICLR)."},{"key":"e_1_3_2_1_48_1","volume-title":"Proceedings of International Conference on Machine Learning (ICML). 2642\u20132651","author":"Odena Augustus","year":"2017","unstructured":"Augustus Odena, Christopher Olah, and Jonathon Shlens. 2017. Conditional image synthesis with auxiliary classifier GANs. In Proceedings of International Conference on Machine Learning (ICML). 2642\u20132651."},{"key":"e_1_3_2_1_49_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2019.00509"},{"key":"e_1_3_2_1_50_1","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v34i01.5432"},{"key":"e_1_3_2_1_51_1","doi-asserted-by":"publisher","DOI":"10.1145\/3052973.3053009"},{"key":"e_1_3_2_1_52_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2019.00244"},{"key":"e_1_3_2_1_53_1","volume-title":"Proceedings of International Conference on Learning Representations (ICLR).","author":"Radford Alec","year":"2016","unstructured":"Alec Radford, Luke Metz, and Soumith Chintala. 2016. Unsupervised representation learning with deep convolutional generative adversarial networks. In Proceedings of International Conference on Learning Representations (ICLR)."},{"key":"e_1_3_2_1_54_1","volume-title":"Proceedings of Advances in Neural Information Processing Systems (NeurIPS), Vol.\u00a031","author":"Richardson Eitan","year":"2018","unstructured":"Eitan Richardson and Yair Weiss. 2018. On gans and gmms. In Proceedings of Advances in Neural Information Processing Systems (NeurIPS), Vol.\u00a031. Curran Associates, Inc., 5847\u20135858."},{"key":"e_1_3_2_1_55_1","doi-asserted-by":"publisher","DOI":"10.1007\/s11263-015-0816-y"},{"key":"e_1_3_2_1_56_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2019.23119"},{"key":"e_1_3_2_1_57_1","volume-title":"Proceedings of Annual Conference on Neural Information Processing Systems (NeurIPS). Curran Associates, Inc., 2234\u20132242","author":"Salimans Tim","year":"2016","unstructured":"Tim Salimans, Ian Goodfellow, Wojciech Zaremba, Vicki Cheung, Alec Radford, and Xi Chen. 2016. Improved techniques for training GANs. In Proceedings of Annual Conference on Neural Information Processing Systems (NeurIPS). Curran Associates, Inc., 2234\u20132242."},{"key":"e_1_3_2_1_58_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR42600.2020.00926"},{"key":"e_1_3_2_1_59_1","unstructured":"Reza Shokri Martin Strobel and Yair Zick. 2019. Privacy risks of explaining machine learning models. arXiv preprint arXiv:1907.00164(2019)."},{"key":"e_1_3_2_1_60_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2017.41"},{"key":"e_1_3_2_1_61_1","doi-asserted-by":"crossref","unstructured":"Tatsuya Takemura Naoto Yanai and Toru Fujiwara. 2020. Model Extraction Attacks against Recurrent Neural Networks. arXiv preprint arXiv:2002.00123(2020).","DOI":"10.2197\/ipsjjip.28.1010"},{"key":"e_1_3_2_1_62_1","doi-asserted-by":"crossref","unstructured":"Luke Tierney. 1994. Markov chains for exploring posterior distributions. The Annals of Statistics(1994) 1701\u20131728.","DOI":"10.1214\/aos\/1176325750"},{"key":"e_1_3_2_1_63_1","volume-title":"Proceedings of Annual Conference on Neural Information Processing Systems (NeurIPS). Curran Associates, Inc., 8250\u20138260","author":"Touvron Hugo","year":"2019","unstructured":"Hugo Touvron, Andrea Vedaldi, Matthijs Douze, and Herv\u00e9 J\u00e9gou. 2019. Fixing the train-test resolution discrepancy. In Proceedings of Annual Conference on Neural Information Processing Systems (NeurIPS). Curran Associates, Inc., 8250\u20138260."},{"key":"e_1_3_2_1_64_1","volume-title":"Proceedings of USENIX Security Symposium (USENIX Security). USENIX Association, 601\u2013618","author":"Tram\u00e8r Florian","year":"2016","unstructured":"Florian Tram\u00e8r, Fan Zhang, Ari Juels, Michael\u00a0K Reiter, and Thomas Ristenpart. 2016. Stealing machine learning models via prediction APIs. In Proceedings of USENIX Security Symposium (USENIX Security). USENIX Association, 601\u2013618."},{"key":"e_1_3_2_1_65_1","volume-title":"Proceedings of International Conference on Machine Learning (ICML). 6345\u20136353","author":"Turner Ryan","year":"2019","unstructured":"Ryan Turner, Jane Hung, Eric Frank, Yunus Saatchi, and Jason Yosinski. 2019. Metropolis-hastings generative adversarial networks. In Proceedings of International Conference on Machine Learning (ICML). 6345\u20136353."},{"key":"e_1_3_2_1_66_1","volume-title":"scikit-image: image processing in Python. PeerJ 2 (6","author":"van\u00a0der Walt St\u00e9fan","year":"2014","unstructured":"St\u00e9fan van\u00a0der Walt, Johannes\u00a0L. Sch\u00f6nberger, Juan Nunez-Iglesias, Fran\u00e7ois Boulogne, Joshua\u00a0D. Warner, Neil Yager, Emmanuelle Gouillart, Tony Yu, and the scikit-image contributors. 2014. scikit-image: image processing in Python. PeerJ 2 (6 2014), e453."},{"key":"e_1_3_2_1_67_1","doi-asserted-by":"publisher","DOI":"10.1109\/NCC.2015.7084843"},{"key":"e_1_3_2_1_68_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2018.00038"},{"key":"e_1_3_2_1_69_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2018.00882"},{"key":"e_1_3_2_1_70_1","volume-title":"Proceedings of IEEE Symposium on Security and Privacy (S&P). IEEE, 1471\u20131488","author":"Xudong Pan","year":"2020","unstructured":"Pan Xudong, Zhang Mi, Ji Shouling, and Yang Min. 2020. Privacy Risks of General-Purpose Language Models. In Proceedings of IEEE Symposium on Security and Privacy (S&P). IEEE, 1471\u20131488."},{"key":"e_1_3_2_1_71_1","volume-title":"LSUN: Construction of a Large-scale Image Dataset using Deep Learning with Humans in the Loop. arXiv preprint arXiv:1506.03365(2015).","author":"Yu Fisher","year":"2015","unstructured":"Fisher Yu, Ari Seff, Yinda Zhang, Shuran Song, Thomas Funkhouser, and Jianxiong Xiao. 2015. LSUN: Construction of a Large-scale Image Dataset using Deep Learning with Humans in the Loop. arXiv preprint arXiv:1506.03365(2015)."},{"key":"e_1_3_2_1_72_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV.2017.629"},{"key":"e_1_3_2_1_73_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-46454-1_36"}],"event":{"name":"ACSAC '21: Annual Computer Security Applications Conference","location":"Virtual Event USA","acronym":"ACSAC '21"},"container-title":["Annual Computer Security Applications Conference"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3485832.3485838","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3485832.3485838","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,8,22]],"date-time":"2025-08-22T19:16:20Z","timestamp":1755890180000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3485832.3485838"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,12,6]]},"references-count":73,"alternative-id":["10.1145\/3485832.3485838","10.1145\/3485832"],"URL":"https:\/\/doi.org\/10.1145\/3485832.3485838","relation":{},"subject":[],"published":{"date-parts":[[2021,12,6]]},"assertion":[{"value":"2021-12-06","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}