A Method for Extracting Black Box Models Based on Interpretable Attention

Deep neural networks have achieved remarkable success in face recognition. However, their vulnerability has attracted considerable attention. Researchers can analyse the weaknesses of face recognition models by extracting their functionality, aiming to enhance the security performance of these models. The findings of the study reveal that current model extraction methods are afflicted with notable drawbacks, namely low similarity in capturing model functionality and insufficient availability of samples. These limitations significantly impede the analysis of model security performance. We propose an interpretable attention-based method for black-box model extraction, enhancing the similarity between substitute and victim model functionality. Our main contributions are summarized as follows: (i) This study addresses the issue of limited sample training caused by the restricted number of black-box hard label queries. (ii) By applying input perturbations, we obtain feedback from deep black-box models, enabling us to identify facial local regions and the distribution of feature weights that positively influence predictions. (iii) By normalizing the feature weight distribution matrix and associating it with the attention weight matrix, the construction of an attention mask for the dataset is achieved, enabling differential attention to features in different regions. (iv) Leveraging a pre-trained base model, we extract relevant knowledge and features, facilitating cross-domain knowledge transfer. Experiments on Emore, PubFig and CASIA-WebFace show that our method outperforms traditional methods by 10%–20% in model consistency for the same query budget. Also, our method achieves the highest model stealing consistency on the three datasets: 94.51%, 93.27% and 91.74%, respectively.