
A new model stealing defense based on DNN retraining for decision boundary protection

  • Chenlong Zhang, Senlin Luo, Limin Pan*, Dujuan Gu, Jun Yuan
  • *Corresponding author for this work
  • Beijing Institute of Technology
  • Nsfocus Information Technology Co.

Research output: Contribution to journal › Article › peer-review

Abstract

Deep neural networks (DNNs) are vulnerable to input transformations, posing challenges in thwarting model stealing attacks. Existing methods predominantly analyze the distribution differences of attack samples; however, those based on decision boundary approximation often mimic the distributions of benign samples, thereby circumventing defenses. Furthermore, the addition of deceptive perturbations to the output posterior by complex defense processing modules external to the victim model increases both computational costs and processing latency. In response, this paper proposes a novel training technique named PDB (Protecting Decision Boundaries) that robustly counters model stealing without relying on presumptions about the distribution of attack samples. Instead, PDB secures the primary targets of these attacks—the decision boundaries. It integrates an input gradient penalty into the loss function to displace the decision boundaries away from benign samples. To further enhance protection, samples near these boundaries—referred to as transition samples—are explicitly recategorized into a new, dedicated class. This recategorization is implemented by adding a corresponding neuron to the output layer, thereby fortifying the defense mechanism. Crucially, PDB discards the requirement for complex defense processing modules by employing straightforward mechanisms such as normal prediction processes and selective label flipping for a minimal number of cases. Experimental evidence confirms that PDB surpasses leading methods and marks a pioneering advance in safeguarding decision boundaries against potential breaches.
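The two mechanisms the abstract describes can be written out as follows. This is an added illustration, not the paper's own notation: the penalty weight $\lambda$, the margin threshold $\tau$, the squared-$\ell_2$ form of the penalty and the logit-margin definition of a transition sample are assumptions made here for concreteness.

Input gradient penalty on the training loss of a $K$-class model $f_\theta$ with per-sample loss $\ell$:

$$\mathcal{L}(\theta) = \mathbb{E}_{(x,y)\sim\mathcal{D}}\Big[\ell\big(f_\theta(x), y\big) + \lambda\,\big\|\nabla_x\,\ell\big(f_\theta(x), y\big)\big\|_2^2\Big]$$

Why this moves the boundary away from benign inputs: for logits $z_c(x)$ of the predicted class $c$ and runner-up $c'$, the first-order estimate of the distance from $x$ to the boundary between them is

$$d(x) \approx \frac{z_c(x) - z_{c'}(x)}{\big\|\nabla_x\big(z_c(x) - z_{c'}(x)\big)\big\|_2}$$

so shrinking the input gradient while the logit margin is kept up by the classification term increases $d(x)$.

Transition class via an extra output neuron: the model is given $K+1$ outputs, and a training sample whose logit margin is small is relabelled to the new class

$$\tilde y = \begin{cases} K+1 & \text{if } z_c(x) - z_{c'}(x) < \tau \\ y & \text{otherwise} \end{cases}$$

so that queries landing near a boundary are answered from the dedicated class rather than revealing which side of the original boundary they fall on.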

Original language: English
Article number: 133816
Journal: Neurocomputing
Volume: 693
DOIs
Publication status: Published - 7 Sept 2026

Keywords

  • Deep neural networks training method
  • Model stealing attack
  • Model stealing defense
  • Security and privacy
