A Systematic Survey of Model Extraction Attacks and Defenses: State-of-the-Art and Perspectives

TL;DR

This paper provides a comprehensive survey of model extraction attacks on machine learning models, categorizing attack and defense methods, analyzing their effectiveness, and discussing future research directions and societal implications.

Contribution

It introduces a novel taxonomy for classifying MEAs and defenses, offering a structured overview of current techniques and highlighting key challenges and trade-offs.

Findings

Attack techniques vary in effectiveness and complexity.

Defenses face trade-offs between security and model utility.

MEAs pose significant threats to intellectual property and privacy.

Abstract

Machine learning (ML) models have significantly grown in complexity and utility, driving advances across multiple domains. However, substantial computational resources and specialized expertise have historically restricted their wide adoption. Machine-Learning-as-a-Service (MLaaS) platforms have addressed these barriers by providing scalable, convenient, and affordable access to sophisticated ML models through user-friendly APIs. While this accessibility promotes widespread use of advanced ML capabilities, it also introduces vulnerabilities exploited through Model Extraction Attacks (MEAs). Recent studies have demonstrated that adversaries can systematically replicate a target model's functionality by interacting with publicly exposed interfaces, posing threats to intellectual property, privacy, and system security. In this paper, we offer a comprehensive survey of MEAs and corresponding defense strategies. We propose a novel taxonomy that classifies MEAs according to attack mechanisms, defense approaches, and computing environments. Our analysis covers various attack techniques, evaluates their effectiveness, and highlights challenges faced by existing defenses, particularly the critical trade-off between preserving model utility and ensuring security. We further assess MEAs within different computing paradigms and discuss their technical, ethical, legal, and societal implications, along with promising directions for future research. This systematic survey aims to serve as a valuable reference for researchers, practitioners, and policymakers engaged in AI security and privacy. Additionally, we maintain an online repository continuously updated with related literature at https://github.com/kzhao5/ModelExtractionPapers.