How to Prevent Model Extraction Attacks | Quiz

[WHY] Sophisticated attackers bypass static limits using botnets – account farming – cloud proxy rotation – or slow extraction spread over weeks or months. [CONTEXT] Rate limiting increases extraction costs but determined attackers can work around single-layer defenses. [REMEMBER] Attackers distribute and slow down to bypass limits.

[WHY] The article explicitly lists high risk as: public API with generous limits – high-value proprietary model – and no query monitoring. [CONTEXT] The example given is a custom medical diagnostic LLM with open API access. [REMEMBER] Public plus generous limits plus high value plus no monitoring equals high risk.

[WHY] Repeated parameter sweeps with tiny variations is explicitly listed as a red flag for model extraction – designed to map decision boundaries rather than get useful answers. [CONTEXT] This pattern suggests the attacker is systematically exploring the model’s behavior to train a substitute. [REMEMBER] Systematic variation equals extraction attempt.

[WHY] A stolen model provides attackers with a white-box version they can analyze offline to prepare adversarial attacks – probe for vulnerabilities – and identify weaknesses. [CONTEXT] Attackers can also remove safety measures and content filters when deploying their extracted version. [REMEMBER] Stolen models enable downstream attacks.

[WHY] Source code secrecy is irrelevant because extraction works through API behavior – not code access. Attackers only need API responses to various inputs. [CONTEXT] This is explicitly listed as a common misconception in the article. [REMEMBER] Extraction needs API responses – not source code.

[WHY] Model watermarking must be integrated during the training process – not added at deployment. [CONTEXT] The data science team must incorporate watermarking techniques before the model is finalized for production. [REMEMBER] Watermark during training – not after.

[WHY] Extraction attacks are designed to look like normal API usage – attackers spread queries across multiple accounts – use realistic timing patterns – and stay under rate limits. [CONTEXT] Many attacks require no stolen credentials and operate entirely within allowed usage parameters. [REMEMBER] Extraction looks like normal traffic.