IPES: Improved Pre-trained Encoder Stealing Attack in Contrastive Learning

Recent studies have shed light on security vulnerabilities in Encoder-as-a-Service (EaaS) systems that enable the theft of valuable encoder attributes such as functionality. However, many of these attacks often either simply used the data augmentation method, or solely explored the idea of contrastive learning to improve the performance, lacking analysis and a combination of both two aspects. Furthermore, they also ignored the potential of harnessing the inner characteristics of the encoder, specifically its robustness. Thus, we introduce Improved Pretrained Encoder Stealing (IPES), a novel approach that capitalizes on augmented and perturbed samples to enhance the surrogate encoder's ability to replicate the aim encoder. Additionally, we place emphasis on optimizing the query budget by leveraging the inherent robustness of well-trained encoders. By combining the idea of contrastive learning and the inherent robustness of the encoder, IPES improves the performance by more than 14% in downstream accuracy compared to conventional methods.