Abstract
In the past few years, Convolutional Neural Networks (CNNs) have been achieving state-of-the-art performance on a variety of problems.
Many companies invest resources and money to generate these models and provide them as an API; therefore, it is in their best interest to protect them, i.e., to prevent someone else from copying them.
Recent studies revealed that state-of-the-art CNNs are vulnerable to adversarial example attacks, and this weakness indicates that CNNs do not need to operate in the problem domain (PD).
Therefore, we hypothesize that they also do not need to be trained with examples of the PD in order to operate in it.
Given these facts, in this paper, we investigate whether a target black-box CNN can be copied by persuading it to confess its knowledge through random non-labeled data.
The copy is two-fold: i) the target network is queried with random data and its predictions are used to create a fake dataset carrying the knowledge of the network; and ii) a copycat network is trained with this fake dataset.
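As a rough illustration of this two-step procedure, the sketch below queries a black-box target with random images, keeps its predicted labels as a fake dataset, and trains a copycat network on it. This is only a minimal PyTorch sketch based on the description above; all names (target_model, copycat_model, num_queries, etc.) and hyperparameters are illustrative assumptions, not the authors' implementation.

```python
# Hypothetical sketch of the two-step copy: query with random data, then train a copycat.
import torch
import torch.nn as nn
import torch.optim as optim

def build_fake_dataset(target_model, num_queries=1024, image_shape=(3, 32, 32)):
    """Step i): query the black-box target with random (non-labeled) images
    and keep its predicted labels as the 'fake' ground truth."""
    target_model.eval()
    images = torch.rand(num_queries, *image_shape)        # random non-labeled data
    with torch.no_grad():
        labels = target_model(images).argmax(dim=1)        # the target's confessed knowledge
    return torch.utils.data.TensorDataset(images, labels)

def train_copycat(copycat_model, fake_dataset, epochs=5, batch_size=64):
    """Step ii): train the copycat network only on the fake dataset."""
    loader = torch.utils.data.DataLoader(fake_dataset, batch_size=batch_size, shuffle=True)
    criterion = nn.CrossEntropyLoss()
    optimizer = optim.SGD(copycat_model.parameters(), lr=0.01, momentum=0.9)
    copycat_model.train()
    for _ in range(epochs):
        for x, y in loader:
            optimizer.zero_grad()
            loss = criterion(copycat_model(x), y)
            loss.backward()
            optimizer.step()
    return copycat_model
```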