RADEP: A Resilient Adaptive Defense Framework Against Model Extraction Attacks

TL;DR

RADEP is a comprehensive defense framework that enhances the security of MLaaS models against extraction attacks by combining adversarial training, query detection, adaptive responses, and ownership verification, maintaining performance for legitimate users.

Contribution

This paper introduces RADEP, a novel multi-layered defense framework that effectively counters model extraction attacks with adaptive mechanisms and minimal impact on legitimate queries.

Findings

RADEP significantly reduces attack success rates.

High detection accuracy for malicious queries.

Resilient against adaptive adversaries.

Abstract

Machine Learning as a Service (MLaaS) enables users to leverage powerful machine learning models through cloud-based APIs, offering scalability and ease of deployment. However, these services are vulnerable to model extraction attacks, where adversaries repeatedly query the application programming interface (API) to reconstruct a functionally similar model, compromising intellectual property and security. Despite various defense strategies being proposed, many suffer from high computational costs, limited adaptability to evolving attack techniques, and a reduction in performance for legitimate users. In this paper, we introduce a Resilient Adaptive Defense Framework for Model Extraction Attack Protection (RADEP), a multifaceted defense framework designed to counteract model extraction attacks through a multi-layered security approach. RADEP employs progressive adversarial training to enhance model resilience against extraction attempts. Malicious query detection is achieved through a combination of uncertainty quantification and behavioral pattern analysis, effectively identifying adversarial queries. Furthermore, we develop an adaptive response mechanism that dynamically modifies query outputs based on their suspicion scores, reducing the utility of stolen models. Finally, ownership verification is enforced through embedded watermarking and backdoor triggers, enabling reliable identification of unauthorized model use. Experimental evaluations demonstrate that RADEP significantly reduces extraction success rates while maintaining high detection accuracy with minimal impact on legitimate queries. Extensive experiments show that RADEP effectively defends against model extraction attacks and remains resilient even against adaptive adversaries, making it a reliable security framework for MLaaS models.