Model Extraction Attacks Overview
- Model Extraction Attacks (MEAs) are techniques where adversaries use query–response pairs to train surrogates that mimic proprietary models.
- MEAs exploit various output types—hard labels, confidence scores, or embeddings—across cloud, edge, and federated environments using methods such as active learning and synthetic query generation.
- These attacks highlight a trade-off between model utility and security, prompting defenses like output perturbation, watermarking, and identity-independent monitoring.
Searching arXiv for recent and foundational papers on model extraction attacks and defenses to ground the article. Model Extraction Attacks (MEAs) are attacks in which an adversary interacts with a target model through an oracle or API, collects query–response pairs, and trains a surrogate model that approximates the target’s functionality. In the standard oracle-access setting, the target is a proprietary model , the adversary chooses queries , and the extracted model is trained to minimize a discrepancy measure over a data distribution or over the collected transfer set (Zhao et al., 20 Aug 2025). Across cloud MLaaS, edge deployments, and federated settings, MEAs are studied as threats to intellectual property, privacy, downstream attack enablement, and service revenue, and their modern forms span classifiers, object detectors, image-to-image translation systems, self-supervised speech models, graph neural networks, graph foundation models, sequential recommenders, recurrent models, and aligned LLMs (Zhao et al., 22 Feb 2025).
1. Formal problem statement and threat models
A common formalization treats MEA as surrogate fitting from black-box supervision. Let the target be . The adversary seeks
where consists of query–response pairs and is the total number of queries (Zhao et al., 22 Feb 2025). In classification settings, success is often expressed through fidelity or agreement,
or through a function-level discrepancy such as 0 (Zhao et al., 20 Aug 2025).
Threat models vary along access level, knowledge, and budget. In the black-box regime, the adversary sees only API outputs, which may be hard labels, confidence vectors, embeddings, ranked lists, or structured outputs such as bounding boxes (Zhao et al., 20 Aug 2025). In gray-box and white-box variants, additional signals such as side-channel traces or gradient updates may be available (Zhao et al., 22 Feb 2025). The attacker may have in-domain public data, out-of-domain data, no real data at all, or modality-specific partial visibility such as a known subgraph in GNN extraction or partial node attributes in graph foundation model extraction (Wang et al., 21 Jun 2025).
The object-detection formulation illustrates that MEAs are not limited to categorical outputs. For a cloud-hosted detector 1, an image 2 of size 3 yields
4
where 5 is the category and 6 denotes center coordinates and width/height. The adversary, with only black-box API access, adaptively submits images and trains a surrogate 7 to minimize 8 without access to parameters or ground-truth labels (Koda et al., 2024). This same black-box logic reappears in graph, recommender, speech, and LLM extraction, but with output spaces specialized to those modalities.
2. Taxonomy of attack mechanisms and environments
Current taxonomies organize MEAs along three recurring axes: mechanism, output type, and deployment environment. By mechanism, the literature distinguishes query-based attacks, equation-solving attacks, path-finding extraction for decision trees, knowledge-distillation-style surrogate training, side-channel attacks, gradient-based leakage, and modality-specific procedures for text, vision, and graph models (Zhao et al., 20 Aug 2025). By output type, attacks split into hard-label and soft-label regimes. By environment, the major settings are cloud-based MLaaS, edge devices, and federated learning (Zhao et al., 20 Aug 2025).
In cloud MLaaS, the dominant pattern is query-based extraction. A transfer set is collected from the API and a surrogate is trained by minimizing cross-entropy or a related distillation loss. Representative strategies include random sampling, active learning, uncertainty sampling, 9-center selection, adversarial-query generation, and data-free query synthesis (Liang et al., 2023). In edge deployments, the attack surface expands because a nominally black-box API may coexist with hardware leakage. Side-channel-aided MEAs observe timing, cache, power, or electromagnetic signals and use them to recover input dimensions, loop counts, or architectural hints that accelerate extraction (Lee et al., 2024). In federated settings, gradient updates can expose reconstruction or extraction channels that differ qualitatively from API-only attacks (Zhao et al., 22 Feb 2025).
A second taxonomy concerns attacker knowledge. Data-driven attacks assume a reference dataset or substitute pool. Data-free attacks synthesize or construct queries without access to real in-domain data. Knowledge assumptions also include whether the attacker knows the model architecture, whether the task exposes soft labels or only top-1 outputs, and whether the substitute architecture matches the victim’s family (Zhao et al., 22 Feb 2025). The modern literature repeatedly shows that architectural mismatch, hard-label access, and out-of-domain data do not eliminate MEA feasibility; they merely change the sample complexity, surrogate design, or extraction objective (Liang et al., 2023).
This classification has practical significance because defenses frequently overfit to one branch of the taxonomy. A defense designed for a single client identity in a cloud classifier API may not address distributed querying; a detector calibrated to confidence-vector anomalies may not transfer to label-only, embedding, or structured-output APIs; and watermarking schemes effective for classifiers may fail to survive removal attacks or may not transfer cleanly to object detection (Schwarzer et al., 2 Jun 2026).
3. Core extraction methodologies across modalities
The canonical extraction workflow is transfer-set construction followed by surrogate training. A minimal black-box loop samples or synthesizes 0, queries the target, stores 1, and optimizes a surrogate on those responses (Zhao et al., 22 Feb 2025). In image classification, this often appears as cross-entropy or knowledge distillation on victim outputs. In “Thief, Beware of What Get You There,” the process is recast as a Markov Decision Process in which a reinforcement-learning agent adaptively chooses a target soft-label distribution 2 and an iterative-FGSM step size 3, observes statistics over recent query–response pairs, and optimizes a reward that combines boundary exploration and distributional criteria (Zhang et al., 2021).
Data-free extraction replaces dataset collection with synthetic query generation. For object detection, “Data-Free Model Extraction Attacks in the Context of Object Detection” defines a generator 4 that maps latent variables to synthetic images, a student detector 5, and a min–max objective
6
where 7 combines 8 loss on classification logits and MSE on bounding-box coordinates (Shah et al., 2023). For GAN-based image translation, the extraction problem is framed around domain shift rather than only data scarcity: the surrogate is trained with a high-frequency wavelet penalty and Sharpness-Aware Minimization to mitigate overfitting to shifted query distributions (Mi et al., 2024).
Modality-specific attacks introduce distinct supervision signals. For self-supervised speech models, extraction is a two-stage process: first, a lightweight CNN+Transformer surrogate is pretrained with a HuBERT-style self-supervised objective on unlabeled speech; second, an actively selected subset of clips is queried to obtain victim representations, and the surrogate is fine-tuned with a layerwise distillation objective combining cosine alignment and 9 distance (Hsu et al., 2022). For aligned LLMs, “Yes, My LoRD.” argues that maximum-likelihood and standard knowledge-distillation objectives are misaligned with RLHF-trained victims, and proposes Locality Reinforced Distillation, a policy-gradient-style extraction procedure that samples local candidate responses, infers a preferred response from likelihood-change signals, and updates the local model with a clipped ratio-based loss (Liang et al., 2024).
Graph and recommender extraction further broaden the methodological space. CEGA addresses GNN extraction when bulk queries are prohibited, only a limited set of initial nodes is available, and queries are pay-per-node. It iteratively ranks nodes by PageRank-based representativeness, entropy-based uncertainty, and diversity in embedding space, with weights that evolve over extraction rounds (Wang et al., 21 Jun 2025). A systematic study of MEAs on graph foundation models uses a one-loss embedding-regression method,
0
and shows that zero-shot alignment to the victim’s text encoder can be preserved without contrastive pretraining pairs (Xu et al., 14 Nov 2025). In sequential recommendation, LLM4MEA uses an LLM as a “human-like” ranker: given a partial history and the victim recommender’s top-1 candidates, the LLM selects the next item, thereby building synthetic sessions whose distribution is closer to real user behavior than random synthetic data (Zhao et al., 22 Jul 2025).
4. Empirical behavior, query efficiency, and determinants of success
Empirical studies repeatedly show that MEA performance depends strongly on the information content of queries and outputs, but weakly on several assumptions that are often treated as protective. In strict image-classification settings without pretrained attacker backbones, extraction quality can collapse: on Caltech256 with 2 queries, a ResNet-34 surrogate without ImageNet pretraining attains 20.1% accuracy versus 78.1% with pretraining, and even on ImageNet a non-pretrained ResNet-50 requires 3 queries to recover 77.8% accuracy (Zhang et al., 2021). The same study reports counterintuitive effects of attacker hyperparameters, including that “bigger” attacker architectures are not always better and that Adam routinely under-performs SGD in extraction (Zhang et al., 2021).
At the same time, several conventional constraints are weaker defenses than they appear. Soft labels carry richer decision-boundary information than hard labels, but hard-label extraction remains effective in multiple settings. “Model Extraction Attacks Revisited” reports that state-of-the-art APIs in 2023 remain highly vulnerable, with fidelity often exceeding 80% under realistic budgets, and that active learning and semi-supervised selection provide only modest gains over strong baselines in some cases (Liang et al., 2023). “Thief, Beware of What Get You There” further reports that even white-noise queries can yield nontrivial surrogate accuracy and that out-of-distribution query pools still support substantial extraction (Zhang et al., 2021).
Side-channel assistance can shift the regime from blind approximation to highly targeted replication. “Precise Extraction of Deep Learning Models via Side-Channel Attacks on Edge/Endpoint Devices” shows that Flush+Reload traces of OpenBLAS GEMM routines can recover loop counts and execution-time statistics that leak the victim’s input dimension and, to a lesser extent, architecture. The study reports that correct input dimension is the single most valuable leakage, that 92% of the time the best surrogate accuracy occurs when 4, and that side-channel-derived information yields up to 5.8 times better performance than when the adversary has no model information about the victim model (Lee et al., 2024).
Several newer domains demonstrate that distributional realism, not only raw query count, drives extraction quality. LLM4MEA reports that using an LLM ranker reduces the divergence between synthetic and real-world data by up to 64.98% and improves MEA performance by 44.82% on average across NARM, SASRec, and BERT4Rec (Zhao et al., 22 Jul 2025). LoRD reports that a locality-reinforced objective reaches its performance plateau with about 13% of the queries needed by MLE and remains 2–4% above MLE at equal budgets in its experiments (Liang et al., 2024). For graph foundation models, attackers can train surrogates using only a tiny fraction of the original training cost: the reported GPS-light surrogate trains in about 5 minutes, GAT in about 2 minutes, and GCN in about 1.7 minutes, versus 56 GPU-hours for the victim GraphCLIP (Xu et al., 14 Nov 2025). These results suggest that query efficiency is increasingly governed by structure-aware sample construction, alignment-preserving objectives, and leakage of auxiliary information.
5. Defenses, detection, watermarking, and ownership verification
Defense strategies are commonly divided into proactive and reactive families. Proactive defenses modify outputs or training to reduce extractable information, including output perturbation, confidence truncation or rounding, watermarking, and differentially private training. Reactive defenses monitor or throttle interaction patterns through query monitoring, anomaly detection, rate limiting, authentication, or access control (Zhao et al., 22 Feb 2025). These categories are useful, but the literature also emphasizes that utility–security trade-offs are pervasive: larger perturbations reduce extraction success while degrading legitimate accuracy, confidence truncation reduces leaked bits but harms calibration and interpretability, and watermarking provides traceability rather than prevention (Zhao et al., 20 Aug 2025).
A central controversy concerns the reliance of many detectors on the Single Client Assumption. “AI Model Extraction Attacks: Bypassing Single-Client Assumptions in Defenses” formalizes the case in which coordinated threat actors partition a global query sequence across many client identities so that each individual stream stays below a detector’s statistical threshold. Using CerberusAI, the study shows that PRADA can be bypassed by basic round-robin query distribution and that even global aggregation becomes operationally useless under adaptive traffic mixing with 5, because precision collapses to about 1% despite recall near 99.3% (Schwarzer et al., 2 Jun 2026). This directly motivates stateful, identity-independent defenses.
Watermarking and ownership verification have diversified substantially. HoneypotNet introduces an “attack-as-defense” paradigm in which the victim’s classification layer is replaced by a honeypot layer and fine-tuned via bi-level optimization with a shadow model so that extracted substitutes inherit a backdoor while clean accuracy remains unchanged. Under 30k queries, the reported ownership-verification accuracy rises from approximately 0–3% to 52–92%, and the backdoor attack success rate rises from approximately 1–12% to 57–92%; even under the hard-label BlackBox Dissector setting, the reported ASR is about 79–92% (Wang et al., 2 Jan 2025). For object detectors, Bounding-box Watermarking poisons API responses rather than inputs by modifying only width and height of triggered bounding boxes. On Pascal VOC2007, poisoning only 6 of objects with 7 produces an mAP50 drop below 0.1% while achieving AUROC 8, and across 18 9 configurations on three datasets the paper reports 100% identification in the vast majority of settings (Koda et al., 2024).
The watermarking literature also studies removal attacks and robustness after extraction. “Class-feature Watermark” identifies a vulnerability in sample-level backdoor watermarks and introduces WRK, a watermark removal attack that reduces watermark success rates by at least 88.79% across existing benchmarks, then proposes Class-Feature Watermarks to improve resilience using a synthetic class of out-of-domain samples; under combined MEA and WRK distortion, the method maintains watermark success rate of at least 70.15% while preserving model utility (Xiao et al., 11 Nov 2025). Beyond empirical watermarking, CREDIT proposes certified ownership verification based on mutual information between defended victim embeddings and suspect-model embeddings. It defines a practical threshold 0, proves exponential bounds on false alarms and missed detections under stated assumptions, and reports 100% AUC with millisecond-scale preparation and verification times on image and graph tasks (Shen et al., 23 Feb 2026). In graph MLaaS specifically, ATOM combines 1-core-aware query embeddings, sequential modeling, and PPO-based decision making for real-time detection, reporting stable superiority over baselines across time steps (Cheng et al., 20 Mar 2025).
6. Evaluation methodology, theoretical risk assessment, and unresolved problems
Evaluation of MEAs uses a heterogeneous but now fairly standard metric set. Across surveys and empirical studies, the most common measures are extraction accuracy on held-out task labels, fidelity or agreement with victim predictions, query complexity, function-level distances, AUROC for watermark or detector decisions, and modality-specific scores such as mAP50 for object detection, FID or KID for image translation, PSNR and LPIPS for super-resolution, NDCG@10 and Hit-Rate@10 for recommender systems, and downstream task scores for extracted speech representations (Zhao et al., 20 Aug 2025). This diversity reflects real differences in output spaces, but it also complicates cross-paper comparison. Both recent surveys identify the lack of unified benchmarks, standardized threat models, and standardized side-channel cost models as major limitations of current evaluation practice (Zhao et al., 22 Feb 2025).
Recent work has begun to study extraction risk independently of any single attack algorithm. MER-Inspector uses Neural Tangent Kernel linearization to formulate linearized MEA as a regularized kernel classification problem and derives a fidelity-gap bound and a generalization-error bound. Its attack-agnostic theoretical metric, Model Recovery Complexity,
2
quantifies the ease with which the victim’s parameter update can be recovered in NTK feature space; smaller MRC indicates higher extraction risk. The same study reports a strong positive correlation between victim model accuracy and attack fidelity, with Pearson’s 3 and Kendall’s 4, and shows that combining victim-model accuracy with MRC allows MER-Inspector to compare the extraction risks of model pairs with up to 89.58% accuracy (Zhang et al., 23 Sep 2025).
Several recurring misconceptions are directly challenged by the literature. Limiting output richness does not eliminate extraction, because labels-only and even white-noise-query regimes can still produce usable surrogates (Zhang et al., 2021). Hiding training data does not prevent extraction, because data-free generators, synthetic graph construction, and alternative public corpora remain effective (Shah et al., 2023). Per-client query monitoring is not intrinsically robust, because distributed threat actors can partition attacks across identities (Schwarzer et al., 2 Jun 2026). Finally, the migration of models from cloud services to edge devices or multimodal foundation-model APIs does not narrow the attack surface; it changes the dominant leakage channels and therefore the required defenses (Lee et al., 2024).
Open problems therefore center on defense architectures and evaluation discipline rather than on proof of vulnerability. The surveys call for integrated defenses that combine proactive and reactive layers, cross-paradigm defenses that remain effective when a model moves from cloud to edge to federated settings, adaptive attack–defense formulations, standardized benchmarks, and environment-specific solutions such as lightweight side-channel masking or privacy-preserving embedding release (Zhao et al., 22 Feb 2025). The recent breakdown of the Single Client Assumption further suggests that future defenses must be stateful and identity-independent, monitoring the evolving exposure of a model rather than only the behavior of isolated client accounts (Schwarzer et al., 2 Jun 2026).