S0092Significant

模型功能性複製攻擊

Operation & Monitoring

Risk Description

Attackers query target APIs extensively, collecting input-output pairs as training data to train a functionally equivalent surrogate model. Unlike traditional model stealing (attempting to replicate exact parameters), functional replication only requires similar performance on target tasks. Attackers can use surrogate models to find adversarial vulnerabilities, bypass usage restrictions, or compete commercially.

Framework Mappings

iso 23894R2
mitre atlasAML.T0044
tw principle資安與安全
tw risk type技術設計缺陷(Technical Design Flaw)

Controls English translation pending

  • 查詢行為異常偵測
  • 輸出資訊限制

Implementation Steps English translation pending

  1. 部署查詢行為異常偵測,識別系統性的模型探測模式
  2. 對 API 輸出進行資訊限制(如只返回 top-1 結果而非完整機率分佈)
  3. 實施動態查詢速率限制和帳戶行為分析
  4. 在模型輸出中嵌入可追蹤的浮水印特徵