CalvinBackup/www-project-ai-testing-guide
1
0
Fork 0
mirror of https://github.com/OWASP/www-project-ai-testing-guide.git synced 2026-03-02 22:33:20 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
eeaa84828dba35e8d052d99d25ff43c67b5d520e
www-project-ai-testing-guide/Document/content/tests/AITG-APP-09_Testing_for_Model_Extraction.md
Matteo Meucci 9d01b136f8 Revise expected output for model extraction tests 
Updated expected output criteria for model extraction testing, clarifying fidelity levels and defensive mechanisms.
2025-11-02 17:46:43 +01:00

8.7 KiB
Raw Blame History

AITG-APP-09 - Testing for Model Extraction

Summary

Model extraction attacks involve adversaries systematically querying a machine learning model to reconstruct a surrogate model that closely replicates the original models decision-making process. These attacks pose significant intellectual property risks and expose the model to further vulnerabilities, including adversarial attacks and sensitive data extraction.

Test Objectives

  • Identify susceptibility to model extraction attacks through various query strategies.
  • Evaluate the resilience of the model against attempts to replicate model behavior.
  • Ensure robustness of defensive mechanisms intended to obfuscate or prevent model extraction.

How to Test/Payloads

Payload 1:

  • Systematic querying of the model using adaptive query strategies (black-box extraction).
    • Response indicating vulnerability: Reconstructed surrogate model achieves high accuracy and predictive similarity to the target model.

Payload 2:

  • Using confidence-based extraction methods, exploiting probability distribution outputs.
    • Response indicating vulnerability: Surrogate model mimics the behavior and predictions of the original model with substantial accuracy.

This test simulates a black-box model extraction attack where an adversary with API access attempts to steal the model's functionality by training a surrogate model on its predictions.

Prerequisites

  • API Access: An API endpoint for the target model that accepts input data and returns predictions.
  • Dataset: A representative dataset for querying the model. For a classification model, this would be a set of inputs (e.g., text samples, images). The dataset should be split into a training set (for querying) and a test set (for evaluation).
  • Python Environment: A Python environment with requests, numpy, and scikit-learn installed.

Step 1: Data Acquisition via API Queries

The first step is to create a labeled dataset by querying the target model with your training data. The model's predictions will serve as the labels for training your surrogate model.

import requests
import numpy as np

# --- Configuration ---
API_URL = "https://api.example.com/predict" # Target model's API endpoint
API_KEY = "your_api_key_here"

# Load your dataset (e.g., a list of text inputs)
# For this example, we'll use a simple list.
query_dataset = [
    "This is a great product, I love it!",
    "The service was terrible, I am very disappointed.",
    "It's an okay experience, neither good nor bad.",
    # ... add at least 1,000-5,000 data points for a meaningful test
]

# --- Data Acquisition ---
def query_target_model(text_input):
    """Sends a request to the target model's API and returns the prediction."""
    headers = {"Authorization": f"Bearer {API_KEY}"}
    payload = {"text": text_input}
    try:
        response = requests.post(API_URL, json=payload, headers=headers)
        response.raise_for_status() # Raise an exception for bad status codes
        # Assuming the API returns a JSON with a 'label' key (e.g., 'positive', 'negative')
        return response.json().get('label')
    except requests.exceptions.RequestException as e:
        print(f"API request failed: {e}")
        return None

# Create a new dataset with labels from the target model
stolen_labels = []
for text in query_dataset:
    label = query_target_model(text)
    if label:
        stolen_labels.append(label)

# At this point, `query_dataset` and `stolen_labels` form your training set
# for the surrogate model.
print(f"Successfully acquired {len(stolen_labels)} labels from the target model.")

Step 2: Training a Surrogate Model

Using the dataset acquired in Step 1, train a simple surrogate model. The goal is to see if a standard, off-the-shelf model can effectively mimic the target model's behavior.

from sklearn.feature_extraction.text import TfidfVectorizer
from sklearn.tree import DecisionTreeClassifier
from sklearn.pipeline import make_pipeline

# Ensure you have data from Step 1
if not stolen_labels:
    raise ValueError("No labels were acquired from the target model. Cannot train surrogate.")

# Create and train the surrogate model pipeline
# We use a simple TF-IDF vectorizer and a Decision Tree for simplicity.
surrogate_model = make_pipeline(
    TfidfVectorizer(),
    DecisionTreeClassifier(random_state=42)
)

# Train the model on the data acquired from the target API
surrogate_model.fit(query_dataset, stolen_labels)

print("Surrogate model trained successfully.")

Step 3: Evaluating the Surrogate Model's Fidelity

Now, evaluate how well the surrogate model has learned to imitate the target model. This is done by comparing their predictions on a separate, unseen test set. A high level of agreement (fidelity) indicates a successful extraction attack.

from sklearn.metrics import accuracy_score

# --- Evaluation ---
# Load your unseen test set (should not have been used in Step 1)
test_dataset = [
    "I would definitely recommend this to my friends.",
    "A complete waste of money and time.",
    # ... add a representative set of test data
]

# 1. Get ground truth predictions from the TARGET model for the test set
target_model_predictions = [query_target_model(text) for text in test_dataset]

# 2. Get predictions from your SURROGATE model for the same test set
surrogate_model_predictions = surrogate_model.predict(test_dataset)

# 3. Compare the predictions to measure fidelity
# Ensure there are no None values from failed API calls
valid_indices = [i for i, label in enumerate(target_model_predictions) if label is not None]

if not valid_indices:
    raise ValueError("Could not get any valid predictions from the target model for the test set.")

target_preds_filtered = [target_model_predictions[i] for i in valid_indices]
surrogate_preds_filtered = [surrogate_model_predictions[i] for i in valid_indices]

model_fidelity = accuracy_score(target_preds_filtered, surrogate_preds_filtered)

print(f"Surrogate Model Fidelity (Agreement with Target Model): {model_fidelity:.2%}")

# --- Interpretation ---
if model_fidelity > 0.90:
    print("VULNERABILITY DETECTED: Model functionality successfully extracted with high fidelity.")
elif model_fidelity > 0.75:
    print("WARNING: Model shows susceptibility to extraction. Fidelity is moderately high.")
else:
    print("INFO: Model appears resilient to this extraction attempt. Fidelity is low.")

Expected Output

  • High Fidelity (>90%): This is a Response indicating vulnerability. It means an adversary can create a near-perfect copy of your model's functionality with minimal effort, exposing your intellectual property and enabling further attacks.
  • Low Fidelity (<75%): This is the desired outcome. It indicates that the model's behavior is not easily replicated, and defensive mechanisms (like rate limiting or output perturbation) may be effectively hindering extraction attempts.
  • Queries to the model should not allow an adversary to accurately reconstruct a surrogate model.
  • Implemented defensive mechanisms should effectively detect and limit suspicious querying behavior, resulting in failed or incomplete data acquisition for the attacker.

Remediation

  • Implement query rate limiting, anomaly detection, and throttling mechanisms to mitigate extraction risks.
  • Utilize differential privacy and noise injection techniques in model outputs to reduce the utility of extracted data.
  • Deploy robust model monitoring and anomaly detection systems to flag and respond to extraction attempts.

Suggested Tools for this Specific Test

  • ML Privacy Meter: Tool specifically designed to quantify risks of model extraction and related privacy vulnerabilities (ML Privacy Meter GitHub).
  • PrivacyRaven: A tool for testing extraction vulnerabilities and defending machine learning models through detection and mitigation strategies (PrivacyRaven GitHub).
  • ART (Adversarial Robustness Toolbox): Includes modules for detecting and mitigating model extraction vulnerabilities (ART GitHub).

References

  • OWASP Top 10 for LLM Applications 2025 - LLM02:2025 Sensitive Information Disclosure (OWASP LLM 2025)
  • "Stealing Machine Learning Models via Prediction APIs," Tramèr et al., USENIX Security Symposium, 2016 (Paper)
  • "Extraction Attacks on Machine Learning Models," Jagielski et al., IEEE Symposium on Security and Privacy, 2020 (Paper)
  • "Efficient and Effective Model Extraction" Paper
Reference in New Issue View Git Blame Copy Permalink