Self-enhancing defense for protecting against model stealing attacks on deep learning systems

Defending against model stealing (MS) is crucial for safeguarding intellectual property and the security of deep learning applications. Current countermeasures, however, have notable shortcomings. First, defense strategies reliant on distribution classification often fail to accurately identify attack samples with semantic and visual similarities, thereby reducing their effectiveness. Second, the method of leveraging query samples from unknown origins to bolster defense capability in application scenarios remains an unresolved yet critical issue. This paper presents SED (Self-Enhancing Model Stealing Defense Method), an innovative defense method against model stealing. SED incorporates a deep hashing model and introduces a novel Penalty-Weighted Hamming (PWH) distance for sample segmentation, which effectively overcomes the drawbacks of traditional distribution-based classification. Subsequently, SED employs dynamic temperature scaling and label flipping to realize defense. Moreover, SED maintains an archive of historical query samples and utilizes a greedy algorithm to construct a database of malicious samples, thereby improving defense tactics for future queries similar to those catalogued. Experimental results confirm that SED substantially diminishes the accuracy of the attackers’ substitute models and effectively utilizes historical data for self-enhancement.