Machine Learning Model Stealing Detection System: Multi-Algorithm Defense Framework and Practical Strategies

This article introduces an open-source model stealing detection framework that covers multiple detection methods such as entropy-based detection, Isolation Forest, and One-Class SVM, as well as defense mechanisms like rate limiting and response randomization, helping developers protect machine learning APIs from malicious replication attacks.

• Original Author/Maintainer: kryptologyst
• Source Platform: GitHub
• Original Title: Model-Stealing-Detection-System
• Original Link: https://github.com/kryptologyst/Model-Stealing-Detection-System
• Publication Date: June 7, 2026

---

With the popularization of the Machine Learning as a Service (MLaaS) model, more and more enterprises and research institutions provide model inference capabilities through API interfaces. While this model brings convenience, it also introduces new security threats—Model Extraction Attacks.

Attackers can collect input-output sample pairs by querying the target API in large quantities, then use these samples to train a substitute model with similar functions. The harms of such attacks include:

• Intellectual Property Loss: The model itself may represent the core competitiveness of an enterprise
• Privacy Leakage Risk: The model may encode sensitive information from training data
• Adversarial Sample Transfer: Stolen models can be used to generate adversarial samples to attack the original service
• Bypassing Security Restrictions: Attackers can test attack strategies on local copies

Therefore, developing effective model stealing detection and defense mechanisms is crucial for protecting the security of machine learning systems.

---

This project is a comprehensive research and education framework that provides a complete solution from detection, defense to evaluation. The system adopts a modular design and includes the following core components:

To simulate real attack scenarios, the project implements a synthetic data generator that can generate mixed datasets containing legitimate users and stealing attackers. The generator supports configuration of:

• Number of legitimate users and their behavior patterns
• Number of attackers and their attack strategies
• Feature dimensions and distribution characteristics
• Time series characteristics (query frequency, session patterns)

The key to the detection system lies in extracting effective features that can distinguish between normal queries and stealing queries. The project implements a rich feature engineering module:

Basic Statistical Features:

• Mean, standard deviation, maximum/minimum values, quantiles of query features
• Distribution features: skewness, kurtosis, normality test

Time Series Features:

• Query frequency and interval distribution
• Sliding window statistics
• Temporal changes in query similarity

Anomaly Detection Features:

• Isolation Forest anomaly score
• Local Outlier Factor (LOF)
• One-Class SVM anomaly score

Behavioral Features:

• User-level query pattern analysis
• Session-level behavioral features

---

The project implements five complementary detection methods, covering multiple technical routes from traditional machine learning to deep learning:

Based on information theory principles, this detector identifies abnormal patterns by analyzing the entropy value of query sequences. Queries from normal users usually have high randomness and diversity, while model stealing attacks often exhibit systematic query patterns, leading to abnormal entropy values.

Core ideas:

• Calculate the entropy of query feature distribution
• Set an entropy threshold to distinguish between normal and abnormal
• Mark low-entropy query sequences as suspicious