{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,4]],"date-time":"2026-04-04T18:07:00Z","timestamp":1775326020868,"version":"3.50.1"},"publisher-location":"New York, NY, USA","reference-count":61,"publisher":"ACM","license":[{"start":{"date-parts":[[2025,4,22]],"date-time":"2025-04-22T00:00:00Z","timestamp":1745280000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"DOI":"10.13039\/https:\/\/doi.org\/10.13039\/501100002920","name":"Research Grants Council, University Grants Committee","doi-asserted-by":"publisher","award":["15226221, 15209922, 15208923, 15210023, 15224124"],"award-info":[{"award-number":["15226221, 15209922, 15208923, 15210023, 15224124"]}],"id":[{"id":"10.13039\/https:\/\/doi.org\/10.13039\/501100002920","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/https:\/\/doi.org\/10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"publisher","award":["92270123, 62372122"],"award-info":[{"award-number":["92270123, 62372122"]}],"id":[{"id":"10.13039\/https:\/\/doi.org\/10.13039\/501100001809","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2025,4,28]]},"DOI":"10.1145\/3696410.3714894","type":"proceedings-article","created":{"date-parts":[[2025,4,22]],"date-time":"2025-04-22T22:57:28Z","timestamp":1745362648000},"page":"4300-4315","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":2,"title":["MER-Inspector: Assessing Model Extraction Risks from An Attack-Agnostic Perspective"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-1267-5182","authenticated-orcid":false,"given":"Xinwei","family":"Zhang","sequence":"first","affiliation":[{"name":"Hong Kong Polytechnic 
University, Hong Kong, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-9008-2112","authenticated-orcid":false,"given":"Haibo","family":"Hu","sequence":"additional","affiliation":[{"name":"Hong Kong Polytechnic University, Hong Kong, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-1547-2847","authenticated-orcid":false,"given":"Qingqing","family":"Ye","sequence":"additional","affiliation":[{"name":"Hong Kong Polytechnic University, Hong Kong, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-7202-3178","authenticated-orcid":false,"given":"Li","family":"Bai","sequence":"additional","affiliation":[{"name":"Hong Kong Polytechnic University, Hong Kong, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-1224-9885","authenticated-orcid":false,"given":"Huadi","family":"Zheng","sequence":"additional","affiliation":[{"name":"Huawei Technologies Co., Ltd., Shenzhen, China"}]}],"member":"320","published-online":{"date-parts":[[2025,4,22]]},"reference":[{"key":"e_1_3_2_1_1_1","volume-title":"The Kendall rank correlation coefficient. Encyclopedia of Measurement and Statistics","author":"Abdi Herv\u00e9","year":"2007","unstructured":"Herv\u00e9 Abdi. 2007. The Kendall rank correlation coefficient. Encyclopedia of Measurement and Statistics. Sage, Thousand Oaks, CA (2007), 508--510."},{"key":"e_1_3_2_1_2_1","first-page":"18022","article-title":"Reproducibility in optimization: Theoretical framework and limits","volume":"35","author":"Ahn Kwangjun","year":"2022","unstructured":"Kwangjun Ahn, Prateek Jain, Ziwei Ji, Satyen Kale, Praneeth Netrapalli, and Gil I Shamir. 2022. Reproducibility in optimization: Theoretical framework and limits. In Proceedings of the Advances in Neural Information Processing Systems, Vol. 35. 
18022--18033.","journal-title":"Proceedings of the Advances in Neural Information Processing Systems"},{"key":"e_1_3_2_1_3_1","first-page":"4","article-title":"Membership inference attacks and defenses in federated learning: A survey","volume":"57","author":"Bai Li","year":"2024","unstructured":"Li Bai, Haibo Hu, Qingqing Ye, Haoyang Li, Leixia Wang, and Jianliang Xu. 2024. Membership inference attacks and defenses in federated learning: A survey. ACM Computer Surveys, Vol. 57, 4 (Dec. 2024), 35 pages.","journal-title":"ACM Computer Surveys"},{"key":"e_1_3_2_1_4_1","volume-title":"Proceedings of the Advances in Neural Information Processing Systems","volume":"32","author":"Cao Yuan","year":"2019","unstructured":"Yuan Cao and Quanquan Gu. 2019. Generalization bounds of stochastic gradient descent for wide and deep neural networks. In Proceedings of the Advances in Neural Information Processing Systems, Vol. 32."},{"key":"e_1_3_2_1_5_1","doi-asserted-by":"publisher","DOI":"10.5555\/3489212.3489286"},{"key":"e_1_3_2_1_6_1","doi-asserted-by":"publisher","DOI":"10.1145\/3424308"},{"key":"e_1_3_2_1_7_1","volume-title":"Proceedings of the fourteenth international conference on artificial intelligence and statistics. 215--223","author":"Coates Adam","year":"2011","unstructured":"Adam Coates, Andrew Ng, and Honglak Lee. 2011. An analysis of single-layer networks in unsupervised feature learning. In Proceedings of the fourteenth international conference on artificial intelligence and statistics. 
215--223."},{"key":"e_1_3_2_1_8_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-00296-0"},{"key":"e_1_3_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.1109\/IJCNN.2018.8489592"},{"key":"e_1_3_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV48922.2021.01204"},{"key":"e_1_3_2_1_11_1","volume-title":"Proceedings of the International Conference on Learning Representations.","author":"Harutyunyan Hrayr","year":"2023","unstructured":"Hrayr Harutyunyan, Ankit Singh Rawat, Aditya Krishna Menon, Seungyeon Kim, and Sanjiv Kumar. 2023. Supervision complexity and its role in knowledge distillation. In Proceedings of the International Conference on Learning Representations."},{"key":"e_1_3_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2016.90"},{"key":"e_1_3_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2023.3313577"},{"key":"e_1_3_2_1_14_1","volume-title":"VAE-based membership cleanser against membership inference attacks","author":"Hu Li","year":"2024","unstructured":"Li Hu, Hongyang Yan, Yun Peng, Haibo Hu, Shaowei Wang, and Jin Li. 2024b. VAE-based membership cleanser against membership inference attacks. IEEE Transactions on Dependable and Secure Computing (2024)."},{"key":"e_1_3_2_1_15_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2017.243"},{"key":"e_1_3_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1145\/3543507.3583348"},{"key":"e_1_3_2_1_17_1","volume-title":"Proceedings of the Advances in Neural Information Processing Systems","volume":"31","author":"Jacot Arthur","year":"2018","unstructured":"Arthur Jacot, Franck Gabriel, and Clement Hongler. 2018. Neural tangent kernel: Convergence and generalization in neural networks. In Proceedings of the Advances in Neural Information Processing Systems, Vol. 
31."},{"key":"e_1_3_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.5555\/3489212.3489288"},{"key":"e_1_3_2_1_19_1","first-page":"20823","article-title":"Knowledge distillation in wide neural networks: Risk bound, data efficiency and imperfect teacher","volume":"33","author":"Ji Guangda","year":"2020","unstructured":"Guangda Ji and Zhanxing Zhu. 2020. Knowledge distillation in wide neural networks: Risk bound, data efficiency and imperfect teacher. In Proceedings of the Advances in Neural Information Processing Systems, Vol. 33. 20823--20833.","journal-title":"Proceedings of the Advances in Neural Information Processing Systems"},{"key":"e_1_3_2_1_20_1","doi-asserted-by":"publisher","DOI":"10.1145\/3308558.3313564"},{"key":"e_1_3_2_1_21_1","volume-title":"A comprehensive defense framework against model extraction attacks","author":"Jiang Wenbo","year":"2023","unstructured":"Wenbo Jiang, Hongwei Li, Guowen Xu, Tianwei Zhang, and Rongxing Lu. 2023. A comprehensive defense framework against model extraction attacks. IEEE Transactions on Dependable and Secure Computing (2023)."},{"key":"e_1_3_2_1_22_1","volume-title":"Proceedings of the 2019 IEEE European Symposium on Security and Privacy (EuroS&P'19)","author":"Juuti Mika","unstructured":"Mika Juuti, Sebastian Szyller, Samuel Marchal, and N. Asokan. 2019. PRADA: Protecting against DNN model stealing attacks. In Proceedings of the 2019 IEEE European Symposium on Security and Privacy (EuroS&P'19). 512--527."},{"key":"e_1_3_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR46437.2021.01360"},{"key":"e_1_3_2_1_25_1","volume-title":"Proceedings of the ICML Workshop on Extreme Classification: Learning with a Very Large Number of Labels.","author":"Kuznetsov Vitaly","year":"2015","unstructured":"Vitaly Kuznetsov, Mehryar Mohri, and Umar Syed. 2015. Rademacher complexity margin bounds for learning with a large number of classes. 
In Proceedings of the ICML Workshop on Extreme Classification: Learning with a Very Large Number of Labels."},{"key":"e_1_3_2_1_26_1","volume-title":"Proceedings of the Advances in Neural Information Processing Systems.","author":"Lee Jaehoon","year":"2019","unstructured":"Jaehoon Lee, Lechao Xiao, Samuel S. Schoenholz, Yasaman Bahri, Roman Novak, Jascha Sohl-Dickstein, and Jeffrey Pennington. 2019b. Wide neural networks of any depth evolve as linear models under gradient descent. In Proceedings of the Advances in Neural Information Processing Systems."},{"key":"e_1_3_2_1_27_1","doi-asserted-by":"publisher","DOI":"10.1109\/SPW.2019.00020"},{"key":"e_1_3_2_1_28_1","doi-asserted-by":"publisher","DOI":"10.1145\/3634737.3657002"},{"key":"e_1_3_2_1_29_1","volume-title":"ACM Computer Surveys","volume":"54","author":"Liu Bo","year":"2021","unstructured":"Bo Liu, Ming Ding, Sina Shaham, Wenny Rahayu, Farhad Farokhi, and Zihuai Lin. 2021. When machine learning meets privacy: A survey and outlook. ACM Computer Surveys, Vol. 54, 2 (2021), 31:1--31:36."},{"key":"e_1_3_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.1145\/3548606.3560586"},{"key":"e_1_3_2_1_31_1","doi-asserted-by":"publisher","DOI":"10.1145\/3543507.3583198"},{"key":"e_1_3_2_1_32_1","volume-title":"Proceedings of the 31st USENIX Security Symposium (USENIX Security'22)","author":"Liu Yugeng","year":"2022","unstructured":"Yugeng Liu, Rui Wen, Xinlei He, Ahmed Salem, Zhikun Zhang, Michael Backes, Emiliano De Cristofaro, Mario Fritz, and Yang Zhang. 2022b. ML-DOCTOR: Holistic risk assessment of inference attacks against machine learning models. In Proceedings of the 31st USENIX Security Symposium (USENIX Security'22). 4525--4542."},{"key":"e_1_3_2_1_33_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV.2015.425"},{"key":"e_1_3_2_1_34_1","volume-title":"Proceedings of the Advances in Neural Information Processing Systems. 
11642--11657","author":"Loo Noel","year":"2022","unstructured":"Noel Loo, Ramin Hasani, Alexander Amini, and Daniela Rus. 2022. Evolution of neural tangent kernels under benign and adversarial training. In Proceedings of the Advances in Neural Information Processing Systems. 11642--11657."},{"key":"e_1_3_2_1_35_1","volume-title":"Proceedings of the International Conference on Learning Representations.","author":"Madry Aleksander","year":"2018","unstructured":"Aleksander Madry, Aleksandar Makelov, Ludwig Schmidt, Dimitris Tsipras, and Adrian Vladu. 2018. Towards deep learning models resistant to adversarial attacks. In Proceedings of the International Conference on Learning Representations."},{"key":"e_1_3_2_1_36_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-33765-9_59"},{"key":"e_1_3_2_1_37_1","unstructured":"Mehryar Mohri Afshin Rostamizadeh and Ameet Talwalkar. 2018. Foundations of machine learning."},{"key":"e_1_3_2_1_38_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR52688.2022.01156"},{"key":"e_1_3_2_1_39_1","volume-title":"Proceedings of the International Conference on Machine Learning. 17018--17044","author":"Novak Roman","year":"2022","unstructured":"Roman Novak, Jascha Sohl-Dickstein, and Samuel S Schoenholz. 2022. Fast finite width neural tangent kernel. In Proceedings of the International Conference on Machine Learning. 17018--17044."},{"key":"e_1_3_2_1_40_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2019.00509"},{"key":"e_1_3_2_1_41_1","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v34i01.5432"},{"key":"e_1_3_2_1_42_1","doi-asserted-by":"publisher","DOI":"10.1145\/3052973.3053009"},{"key":"e_1_3_2_1_43_1","volume-title":"Proceedings of the International Conference on Machine Learning.","author":"Phuong Mary","unstructured":"Mary Phuong and Christoph H. Lampert. 2019. Towards understanding knowledge distillation. 
In Proceedings of the International Conference on Machine Learning."},{"key":"e_1_3_2_1_44_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICDE60146.2024.00133"},{"key":"e_1_3_2_1_45_1","volume-title":"Proceedings of the IEEE\/CVF Conference on Computer Vision and Pattern Recognition (CVPR'22)","author":"Sanyal Sunandini","unstructured":"Sunandini Sanyal, Sravanti Addepalli, and R. Venkatesh Babu. 2022. Towards data-free model stealing in a hard label setting. In Proceedings of the IEEE\/CVF Conference on Computer Vision and Pattern Recognition (CVPR'22). 15284--15293."},{"key":"e_1_3_2_1_46_1","doi-asserted-by":"publisher","DOI":"10.1007\/3-540-44581-1_27"},{"key":"e_1_3_2_1_47_1","volume-title":"Proceedings of the 30th USENIX Security Symposium (USENIX Security'21)","author":"Song Liwei","year":"2021","unstructured":"Liwei Song and Prateek Mittal. 2021. Systematic evaluation of privacy risks of machine learning models. In Proceedings of the 30th USENIX Security Symposium (USENIX Security'21)."},{"key":"e_1_3_2_1_48_1","volume-title":"Proceedings of the Advances in Neural Information Processing Systems. 19523--19536","author":"Sorscher Ben","year":"2022","unstructured":"Ben Sorscher, Robert Geirhos, Shashank Shekhar, Surya Ganguli, and Ari Morcos. 2022. Beyond neural scaling laws: Beating power law scaling via data pruning. In Proceedings of the Advances in Neural Information Processing Systems. 19523--19536."},{"key":"e_1_3_2_1_49_1","volume-title":"Proceedings of the International Conference on Machine Learning. 34222--34262","author":"Tifrea Alexandru","year":"2023","unstructured":"Alexandru Tifrea, Jacob Clarysse, and Fanny Yang. 2023. Margin-based sampling in high dimensions: When being active is less efficient than staying passive. In Proceedings of the International Conference on Machine Learning. 
34222--34262."},{"key":"e_1_3_2_1_50_1","volume-title":"Proceedings of the 25th USENIX Security Symposium (USENIX Security'16)","author":"Tram\u00e8r Florian","year":"2016","unstructured":"Florian Tram\u00e8r, Fan Zhang, Ari Juels, Michael K. Reiter, and Thomas Ristenpart. 2016. Stealing machine learning models via prediction APIs. In Proceedings of the 25th USENIX Security Symposium (USENIX Security'16). 601--618."},{"key":"e_1_3_2_1_51_1","volume-title":"Fashion-MNIST: A novel image dataset for benchmarking machine learning algorithms. arXiv preprint arXiv:1708.07747","author":"Xiao Han","year":"2017","unstructured":"Han Xiao, Kashif Rasul, and Roland Vollgraf. 2017. Fashion-MNIST: A novel image dataset for benchmarking machine learning algorithms. arXiv preprint arXiv:1708.07747 (2017)."},{"key":"e_1_3_2_1_52_1","first-page":"10203","article-title":"MExMI: Pool-based active model extraction crossover membership inference","volume":"35","author":"Xiao Yaxin","year":"2022","unstructured":"Yaxin Xiao, Qingqing Ye, Haibo Hu, Huadi Zheng, Chengfang Fang, and Jie Shi. 2022. MExMI: Pool-based active model extraction crossover membership inference. In Proceedings of the Advances in Neural Information Processing Systems, Vol. 35. 10203--10216.","journal-title":"Proceedings of the Advances in Neural Information Processing Systems"},{"key":"e_1_3_2_1_53_1","volume-title":"Proceedings of the International Conference on Machine Learning. 11613--11625","author":"Xu Jingjing","year":"2021","unstructured":"Jingjing Xu, Liang Zhao, Junyang Lin, Rundong Gao, Xu Sun, and Hongxia Yang. 2021. KNAS: Green neural architecture search. In Proceedings of the International Conference on Machine Learning. 11613--11625."},{"key":"e_1_3_2_1_54_1","volume-title":"Proceedings of the International Conference on Machine Learning. 25198--25240","author":"Yang Jianyi","year":"2022","unstructured":"Jianyi Yang and Shaolei Ren. 2022. 
Informed learning by wide neural networks: Convergence, generalization and sampling complexity. In Proceedings of the International Conference on Machine Learning. 25198--25240."},{"key":"e_1_3_2_1_55_1","doi-asserted-by":"publisher","DOI":"10.1145\/3548606.3560675"},{"key":"e_1_3_2_1_56_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2020.24178"},{"key":"e_1_3_2_1_57_1","volume-title":"Wide residual networks. arXiv preprint arXiv:1605.07146","author":"Zagoruyko Sergey","year":"2016","unstructured":"Sergey Zagoruyko and Nikos Komodakis. 2016. Wide residual networks. arXiv preprint arXiv:1605.07146 (2016)."},{"key":"e_1_3_2_1_58_1","volume-title":"Proceedings of the 34th USENIX Security Symposium (USENIX Security'24)","author":"Zhang Boyang","year":"2024","unstructured":"Boyang Zhang, Zheng Li, Ziqing Yang, Xinlei He, Michael Backes, Mario Fritz, and Yang Zhang. 2024. SecurityNet: Assessing machine learning vulnerabilities on public models. In Proceedings of the 34th USENIX Security Symposium (USENIX Security'24)."},{"key":"e_1_3_2_1_59_1","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2023.3246766"},{"key":"e_1_3_2_1_60_1","doi-asserted-by":"publisher","DOI":"10.1109\/MIS.2020.3010335"},{"key":"e_1_3_2_1_61_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-29959-0_4"},{"key":"e_1_3_2_1_62_1","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2020.3043382"}],"event":{"name":"WWW '25: The ACM Web Conference 2025","location":"Sydney NSW Australia","acronym":"WWW '25","sponsor":["SIGWEB ACM Special Interest Group on Hypertext, Hypermedia, and Web"]},"container-title":["Proceedings of the ACM on Web Conference 
2025"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3696410.3714894","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3696410.3714894","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,19]],"date-time":"2025-06-19T01:18:53Z","timestamp":1750295933000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3696410.3714894"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,4,22]]},"references-count":61,"alternative-id":["10.1145\/3696410.3714894","10.1145\/3696410"],"URL":"https:\/\/doi.org\/10.1145\/3696410.3714894","relation":{},"subject":[],"published":{"date-parts":[[2025,4,22]]},"assertion":[{"value":"2025-04-22","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}