Title: AI Model Extraction Attacks: Bypassing Single-Client Assumptions in Defenses

Abstract

Safeguarding Artificial Intelligence (AI) models integrated into critical infrastructure and military Command and Control (C2) systems is vital for preserving information superiority. Model Extraction Attacks (MEAs) represent a severe risk, allowing adversaries to clone proprietary models, expose sensitive data, and facilitate offline adversarial operations. However, existing countermeasures largely depend on the Single Client Assumption (SCA)—the implicit premise that malicious actors operate as isolated entities. This study systematically proves that the SCA is fundamentally flawed when facing coordinated threat actors, such as Advanced Persistent Threats (APTs). To address this, we present CerberusAI, a modular, open-source framework designed for reproducible research on model theft, which we utilize to simulate distributed attack vectors. Our empirical analysis reveals that established defenses, including Protecting Against Deep Neural Network Model Stealing Attacks (PRADA), are vulnerable to simple round-robin query distribution techniques, leading to a substantial drop in detection efficacy. Additionally, we show that adaptive traffic mixing can neutralize even global aggregation methods. These findings underscore the urgent need for a paradigm shift toward stateful, identity-independent defense architectures in the context of model extraction threats.

This paper was originally presented at the International Conference on Military Communication and Information Systems (ICMCIS), organized by the Information Systems Technology (IST) Scientific and Technical Committee, IST-224-RSY. The conference took place in Bath, United Kingdom, on May 12-13, 2026, and the work was honored with the best paper award.

Source: arXiv Generated at: 2026-06-03 00:00:00 UTC