# I Stolenly Swear That I Am Up to (No) Good: Design and Evaluation of Model Stealing Attacks

**Authors:** Daryna Oliynyk, Rudolf Mayer, Kathrin Grosse, Andreas Rauber

arXiv: 2508.21654 · 2025-09-01

## TL;DR

This paper provides standardized guidelines and a comprehensive framework for designing, evaluating, and comparing model stealing attacks, addressing a key gap in the security assessment of machine learning models.

## Contribution

The paper introduces the first comprehensive threat model and evaluation framework for model stealing attacks on image classification models, along with best practices and open research questions.

## Key findings

- Developed a standardized threat model for model stealing attacks
- Created a framework for attack comparison and evaluation
- Identified key tasks and models most studied in the field

## Abstract

Model stealing attacks endanger the confidentiality of machine learning models offered as a service. Although these models are kept secret, a malicious party can query a model to label data samples and train their own substitute model, violating intellectual property. While novel attacks in the field are continually being published, their design and evaluations are not standardised, making it challenging to compare prior works and assess progress in the field. This paper is the first to address this gap by providing recommendations for designing and evaluating model stealing attacks. To this end, we study the largest group of attacks that rely on training a substitute model -- those attacking image classification models. We propose the first comprehensive threat model and develop a framework for attack comparison. Further, we analyse attack setups from related works to understand which tasks and models have been studied the most. Based on our findings, we present best practices for attack development before, during, and beyond experiments and derive an extensive list of open research questions regarding the evaluation of model stealing attacks. Our findings and recommendations also transfer to other problem domains, hence establishing the first generic evaluation methodology for model stealing attacks.

## Full text

_Full body text omitted from this summary view._ Fetch the complete paper as Markdown: https://tomesphere.com/paper/2508.21654/full.md

## Figures

9 figures with captions in the complete paper: https://tomesphere.com/paper/2508.21654/full.md

## References

105 references — full list in the complete paper: https://tomesphere.com/paper/2508.21654/full.md

---
Source: https://tomesphere.com/paper/2508.21654