Delving into Cryptanalytic Extraction of PReLU Neural Networks
Yi Chen 1, Xiaoyang Dong 1,2, Ruijie Ma 1, Yantian Shen 1,2, Anyu Wang 1,3,2, Hongbo Yu 1,2, Xiaoyun Wang 1,3,2,4
Published on arXiv: 2509.16620
Model Theft (OWASP ML Top 10 — ML05)
Key Finding
First practical end-to-end demonstration of exact parameter recovery for PReLU neural networks across three distinct query-access scenarios (raw output, full probability scores, top-m scores).
Novel technique introduced: Cryptanalytic PReLU Parameter Recovery
The machine learning problem of model extraction was first introduced in 1991 and gained prominence as a cryptanalytic challenge starting with Crypto 2020. For over three decades, research in this field has primarily focused on ReLU-based neural networks. In this work, we take the first step towards the cryptanalytic extraction of PReLU neural networks, which employ more complex nonlinear activation functions than their ReLU counterparts. We propose a raw output-based parameter recovery attack for PReLU networks and extend it to more restrictive scenarios where only the top-m probability scores are accessible. Our attacks are rigorously evaluated through end-to-end experiments on diverse PReLU neural networks, including models trained on the MNIST dataset. To the best of our knowledge, this is the first practical demonstration of PReLU neural network extraction across three distinct attack scenarios.
Key Contributions
- First cryptanalytic extraction attack targeting PReLU neural networks, which have more complex nonlinear activation functions than ReLU
- Raw output-based parameter recovery attack that exactly recovers all network parameters (weights, biases, PReLU slopes)
- Extension to more restrictive top-m probability score access scenarios, with end-to-end validation on MNIST-trained PReLU models
🛡️ Threat Analysis
The paper's sole contribution is a parameter recovery attack that extracts the weights, biases, and PReLU parameters of a neural network through carefully crafted queries — this is direct model theft via cryptanalytic extraction, extending prior ReLU-focused extraction attacks to PReLU architectures.