How to Prevent Model Extraction Attacks | Quiz

[WHY] The article explicitly lists high risk as: public API with generous limits – high-value proprietary model – and no query monitoring. [CONTEXT] The example given is a custom medical diagnostic LLM with open API access. [REMEMBER] Public plus generous limits plus high value plus no monitoring equals high risk.

[WHY] Attackers can start from the same open-source foundation and focus extraction efforts specifically on stealing your fine-tuned layers or adapters – the part representing your unique investment. [CONTEXT] This partial access attack is particularly concerning because it reduces the extraction effort required. [REMEMBER] Fine-tuned layers are the extraction target.

[WHY] Source code secrecy is irrelevant because extraction works through API behavior – not code access. Attackers only need API responses to various inputs. [CONTEXT] This is explicitly listed as a common misconception in the article. [REMEMBER] Extraction needs API responses – not source code.

[WHY] A functional equivalent is a model that may not be an exact copy but produces similar enough outputs to undermine your competitive advantage. [CONTEXT] Attackers do not need perfection – a good enough clone that captures the model’s core value is sufficient to erode market position. [REMEMBER] Not exact copy – just similar enough to compete.

[WHY] Extraction attacks are designed to look like normal API usage – attackers spread queries across multiple accounts – use realistic timing patterns – and stay under rate limits. [CONTEXT] Many attacks require no stolen credentials and operate entirely within allowed usage parameters. [REMEMBER] Extraction looks like normal traffic.

[WHY] The article explicitly identifies rate limiting – query pattern analysis – output obfuscation – model watermarking – and legal protections as the five defense layers. [CONTEXT] No single control prevents model extraction – these layers must work together to detect – deter – and mitigate extraction attempts. [REMEMBER] Rate limits – patterns – obfuscation – watermarks – legal.

[WHY] Attackers only need enough query-response pairs to train their own model that behaves similarly to yours – they do not need source code or training data. [CONTEXT] Black-box extraction attacks succeed without any knowledge of model internals – only input and output access is required. [REMEMBER] Just API access – not code or data.