Model Extraction Fundamentals: Querying Public APIs

Introduction

Model extraction is the process of recreating a machine-learning model by observing its outputs to carefully crafted inputs. Public inference APIs-such as OpenAI’s ChatGPT endpoint, HuggingFace Inference API, or bespoke SaaS models-expose powerful functionality behind seemingly harmless HTTP calls. By repeatedly querying these services, an adversary can approximate the original model’s parameters, decision boundaries, or even recover the training data distribution.

Understanding this technique is crucial for security professionals because model extraction enables downstream attacks: intellectual-property theft, model evasion, membership inference, and the creation of counterfeit services that bypass usage-based billing.

Real-world relevance includes documented incidents where competitors scraped OpenAI’s API to build clone models, and academic papers that demonstrate extraction of proprietary language models with less than a thousand queries.

Prerequisites

• Fundamental ML concepts: model architecture, inference, loss, logits, confidence scores.
• Python proficiency; familiarity with requests, json, and a deep-learning framework (TensorFlow or PyTorch).
• Basic HTTP knowledge: methods, headers, status codes, and typical rate-limit strategies (429 responses, token buckets).

Core Concepts

At a high level, model extraction follows a three-phase loop:

1. Probe: Send an input (or batch of inputs) to the target API and record the response.
2. Interpret: Parse the response to retrieve useful signals-raw logits, probability vectors, token-level scores, or even timing side-channels.
3. Reconstruct: Use the collected signal set as a training dataset for a surrogate model that mimics the target.

Key signals:

• Confidence scores (softmax probabilities) give a direct view of the model’s output distribution.
• Logits (pre-softmax values) provide linear information that can be used to solve for weight vectors in linear classifiers.
• Token-level probabilities for language models enable next-token prediction attacks.

Diagram (textual):

[Attacker] -- query --> [Public API] -- response --> [Attacker] ^ | | v +----------- training loop <----------+

Threat model for model extraction

In a typical threat model, the adversary is an external entity with internet access but no privileged credentials. The target is a public inference endpoint that may employ API keys, usage quotas, and rate-limit headers. The attacker’s goals can be:

• IP theft: Reproduce a proprietary model for competitive advantage.
• Evade defenses: Build a surrogate that can be used to generate adversarial examples.
• Monetize: Deploy a cloned service to undercut the original provider.

Assumptions:

• API returns either probabilities or logits (many services hide logits, but some allow them via optional flags).
• Rate-limit mechanisms are known (e.g., 60 requests/min per API key).
• Network monitoring is possible, allowing the attacker to collect timing or size side-channels.

Defenders must consider confidentiality of model parameters as a data-security asset, not just the raw training data.

Identifying target model endpoints (OpenAI, HuggingFace, custom APIs)

Before extraction begins, the attacker must locate the endpoint. Common discovery techniques:

• Public documentation: OpenAI’s or HuggingFace’s
• Client SDK inspection: Decompile a mobile app or browser extension that uses the service; look for hard-coded URLs or API keys.
• Network sniffing: Capture traffic from a legitimate client using tools like mitmproxy.
• Search engine dorking: Query GitHub for “Authorization: Bearer” strings that reference the service.

Once an endpoint is found, enumerate its capabilities:

curl -s -X POST -H "Authorization: Bearer $API_KEY" -H "Content-Type: application/json" -d '{"inputs": "Hello"}' https://api-inference.huggingface.co/models/gpt2

The response JSON will reveal whether logits are included (look for a logits field) or only the generated text.

Crafting inference queries and parsing responses

Effective extraction relies on well-designed queries that maximize information gain per request. Strategies include:

• Uniform random sampling: Feed random vectors drawn from the input domain to explore the decision surface.
• Active learning: Use uncertainty sampling (e.g., highest entropy outputs) to focus queries where the model is less certain.
• Adversarial probing: Slightly perturb a known input and observe changes in logits to infer gradient direction.

Parsing examples for two popular services:

OpenAI Chat Completion

import json, requests

def query_openai(prompt, api_key): url = "https://api.openai.com/v1/chat/completions" headers = { "Authorization": f"Bearer {api_key}", "Content-Type": "application/json" } payload = { "model": "gpt-3.5-turbo", "messages": [{"role": "user", "content": prompt}], "temperature": 0, "max_tokens": 0, "logprobs": True, # Request token-level log probabilities "n": 1 } resp = requests.post(url, headers=headers, json=payload) data = resp.json() # Extract token-level logprobs logprobs = data["choices"][0]["logprobs"]["token_logprobs"] return logprobs

This function returns a list of log-probabilities for each generated token, which can be summed to approximate the sentence-level likelihood.

HuggingFace Inference API (text-classification)

import requests, json

def query_hf(text, repo_id, api_token): url = f"https://api-inference.huggingface.co/models/{repo_id}" headers = {"Authorization": f"Bearer {api_token}"} payload = {"inputs": text, "parameters": {"return_all_scores": True}} resp = requests.post(url, headers=headers, json=payload) # The service returns a list of label-score dicts per input scores = resp.json()[0] return {item["label"]: item["score"] for item in scores}

When the model returns a probability distribution over classes, the attacker can directly use these scores as training targets.

Techniques to reconstruct model parameters (confidence scores, logits)

Reconstruction varies with model type:

• Linear classifiers (logistic regression, softmax): With enough (x, y) pairs and the corresponding logits, one can solve a system of linear equations to recover weight vectors up to scaling.
• Decision trees / ensembles: Querying with carefully crafted binary features reveals split thresholds.
• Neural networks: Exact weight recovery is infeasible, but a surrogate model can be trained using the collected (input, probability) pairs. The surrogate’s architecture can be guessed (e.g., same depth) and refined via hyper-parameter search.

Example: Recovering a binary logistic regression model.

import numpy as np
from sklearn.linear_model import LogisticRegression

# Suppose we have collected inputs X (n x d) and logits L (n, ) from the target.
# The logistic function is: p = 1 / (1 + exp(- (w·x + b)))
# Taking the logit (log(p/(1-p))) gives a linear equation.

def recover_weights(X, logits): # Convert logits (probability) to log-odds log_odds = np.log(logits / (1 - logits)) # Append a column of ones for bias term Xb = np.hstack([X, np.ones((X.shape[0], 1))]) # Solve least-squares: Xb * w = log_odds w, _, _, _ = np.linalg.lstsq(Xb, log_odds, rcond=None) return w[:-1], w[-1]

# Example usage with dummy data
X = np.random.randn(500, 10)
true_w = np.random.randn(10)
true_b = 0.5
logits = 1 / (1 + np.exp(-(X @ true_w + true_b)))
rec_w, rec_b = recover_weights(X, logits)
print("Recovered weight error:", np.linalg.norm(true_w - rec_w))
print("Recovered bias error:", abs(true_b - rec_b))

The script demonstrates that with enough queries, the attacker can retrieve the exact weight vector up to numeric noise.

Rate-limit bypass methods (parallel requests, proxy rotation)

Most APIs enforce per-key or per-IP request caps. Attackers employ several evasive tactics:

• Parallelism: Spawn multiple threads or asynchronous coroutines to stay under the per-second threshold while maximizing overall throughput.
• Proxy rotation: Cycle through a pool of residential or cloud proxies, each presenting a distinct source IP.
• API-key harvesting: Leak or purchase compromised keys, then distribute queries across them.
• Back-off randomization: Mimic legitimate client behavior by inserting jitter, reducing detection likelihood.

Below is a simple asynchronous extractor that respects a 60-req/min quota per key but distributes load across three keys.

import asyncio, aiohttp, time

API_KEYS = ["sk-key1", "sk-key2", "sk-key3"]
RATE_LIMIT = 60 # requests per minute per key
INTERVAL = 60 / RATE_LIMIT

async def query(session, url, payload, key): headers = {"Authorization": f"Bearer {key}", "Content-Type": "application/json"} async with session.post(url, json=payload, headers=headers) as resp: return await resp.json()

async def worker(name, key, queue): async with aiohttp.ClientSession() as session: while True: prompt = await queue.get() payload = {"model": "gpt-3.5-turbo", "messages": [{"role": "user", "content": prompt}], "temperature": 0, "max_tokens": 0, "logprobs": True} result = await query(session, "https://api.openai.com/v1/chat/completions", payload, key) print(f"[{name}] got response for {prompt[:30]!r}") await asyncio.sleep(INTERVAL) # obey per-key rate limit queue.task_done()

async def main(prompts): queue = asyncio.Queue() for p in prompts: await queue.put(p) tasks = [] for i, key in enumerate(API_KEYS): tasks.append(asyncio.create_task(worker(f"worker-{i}", key, queue))) await queue.join() for t in tasks: t.cancel()

# Example driver
prompts = [f"What is the square of {i}?" for i in range(200)]
asyncio.run(main(prompts))

Note the use of INTERVAL to throttle each worker individually, keeping the aggregate request rate within the global quota.

Automated extraction script (Python + requests)

The following script ties together discovery, query generation, response parsing, and local model training. It is deliberately modular so security teams can adapt it to their own targets.

import os, json, time, random, math
import requests
from sklearn.neural_network import MLPClassifier
from sklearn.metrics import accuracy_score

# ------------------------------------------------------------------
# Configuration
# ------------------------------------------------------------------
API_URL = os.getenv("TARGET_API_URL", "https://api-inference.huggingface.co/models/your-org/your-model")
API_TOKEN = os.getenv("TARGET_API_TOKEN")
BATCH_SIZE = 32 # Number of inputs per request (if supported)
TOTAL_QUERIES = 5000
RATE_LIMIT = 120 # requests per minute
SLEEP_TIME = 60 / RATE_LIMIT

# ------------------------------------------------------------------
# Helper: generate synthetic inputs (example for text classification)
# ------------------------------------------------------------------
VOCAB = ["cat", "dog", "mouse", "car", "plane", "tree", "river", "mountain"]

def random_sentence(): length = random.randint(5, 12) return " ".join(random.choice(VOCAB) for _ in range(length))

# ------------------------------------------------------------------
# Query function - returns probability distribution over labels
# ------------------------------------------------------------------
def query_api(text): headers = {"Authorization": f"Bearer {API_TOKEN}"} payload = {"inputs": text, "parameters": {"return_all_scores": True}} resp = requests.post(API_URL, headers=headers, json=payload) if resp.status_code == 429: # Simple back-off retry_after = int(resp.headers.get("Retry-After", "5")) time.sleep(retry_after) return query_api(text) data = resp.json() # Convert list of {label, score} into dict return {item["label"]: item["score"] for item in data[0]}

# ------------------------------------------------------------------
# Data collection loop
# ------------------------------------------------------------------
X, y = [], []
for i in range(TOTAL_QUERIES): txt = random_sentence() probs = query_api(txt) X.append(txt) y.append(probs) # Store full distribution for later training if (i + 1) % BATCH_SIZE == 0: print(f"Collected {i + 1}/{TOTAL_QUERIES} samples") time.sleep(SLEEP_TIME)

# ------------------------------------------------------------------
# Simple vectorisation (bag-of-words) and surrogate training
# ------------------------------------------------------------------
from sklearn.feature_extraction.text import CountVectorizer
vectorizer = CountVectorizer(vocabulary=VOCAB)
X_vec = vectorizer.transform(X)
# Convert probability dicts to a matrix (assume fixed label order)
labels = sorted(y[0].keys())
Y_mat = []
for prob_dict in y: Y_mat.append([prob_dict[l] for l in labels])
Y_mat = np.array(Y_mat)

# Train a multi-output MLP to mimic the target distribution
mlp = MLPClassifier(hidden_layer_sizes=(64, 32), activation='relu', max_iter=200)
mlp.fit(X_vec, Y_mat)

# Evaluate on a held-out set (optional)
pred = mlp.predict_proba(X_vec[:200])
print("Sample fidelity (KL divergence):", np.mean([ np.sum(p * np.log(p / q + 1e-12)) for p, q in zip(Y_mat[:200], pred)
]))

print("Extraction complete. Surrogate model saved to surrogate.pkl")
import joblib
joblib.dump((vectorizer, mlp, labels), "surrogate.pkl")

This script demonstrates end-to-end extraction: synthetic query generation, rate-limit handling, probability harvesting, and surrogate training with a simple bag-of-words encoder. Security teams can replace the synthetic generator with a domain-specific corpus to simulate a realistic attacker.

Verification of extracted model fidelity

After building a surrogate, the attacker (or defender conducting a red-team exercise) must assess how closely it matches the target. Common metrics:

• KL divergence between target and surrogate probability vectors on a held-out test set.
• Top-k agreement - proportion of inputs where the surrogate’s top-k predictions match the target’s.
• Decision-boundary similarity - use adversarial example transfer rates as a proxy.

Sample verification code:

import numpy as np
from scipy.stats import entropy

# Assume we have two matrices: target_probs (N x C) and surrogate_probs (N x C)

def avg_kl(target_probs, surrogate_probs): return np.mean([entropy(t, s) for t, s in zip(target_probs, surrogate_probs)])

def topk_agreement(target_probs, surrogate_probs, k=1): target_top = np.argsort(-target_probs, axis=1)[:, :k] surrogate_top = np.argsort(-surrogate_probs, axis=1)[:, :k] return np.mean([np.intersect1d(t, s).size == k for t, s in zip(target_top, surrogate_top)])

# Example usage with dummy data
N, C = 1000, 5
target = np.random.dirichlet(np.ones(C), size=N)
surrogate = target + np.random.normal(0, 0.05, size=target.shape)
surrogate = np.clip(surrogate, 0, None)
surrogate = surrogate / surrogate.sum(axis=1, keepdims=True)
print("Avg KL:", avg_kl(target, surrogate))
print("Top-1 agreement:", topk_agreement(target, surrogate, k=1))

Low KL and high top-k agreement indicate a high-fidelity clone, sufficient for most downstream attacks.

Tools & Commands

• curl - quick sanity checks of endpoint responses.
• mitmproxy - intercept and replay API traffic for discovery.
• httpie - human-readable HTTP client for manual probing.
• jq - parse JSON responses on the command line.
• parallel (GNU parallel) - launch many concurrent curl requests respecting rate limits.
• torify or proxychains - route traffic through rotating proxies.

Example command to fetch logits from a custom API:

curl -s -X POST -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" -d '{"input": "sample text", "return_logits": true}' https://myservice.example.com/v1/predict | jq .logits

Defense & Mitigation

Defenders can raise the bar for extraction by combining technical and policy controls:

• Output sanitization: Strip logits and only return deterministic strings. If probabilities are needed, add calibrated noise (differential privacy).
• Query throttling per token: Enforce per-user quotas and monitor anomalous request patterns (e.g., high entropy inputs).
• Watermarking: Embed subtle statistical fingerprints in model outputs; later analysis can detect cloned models.
• Legal & contractual: Include anti-scraping clauses and enforce API-key revocation for abusive behavior.
• Model-as-a-service hardening: Deploy a separate inference layer that aggregates responses from multiple model replicas, making a single-model extraction harder.

Regularly audit API logs for signs of mass-querying, such as bursts of similar-length payloads or repeated use of the logprobs flag.

Common Mistakes

• Assuming logits are always available: Many commercial APIs hide them; attackers often have to infer them from probability rounding.
• Neglecting rate-limit handling: Ignoring 429 responses leads to IP bans and noisy data.
• Over-fitting the surrogate to noisy outputs: Use regularization and validation sets; raw API outputs may contain stochastic sampling noise.
• Using too simplistic input distributions: Random text rarely explores the full decision surface; active-learning query selection yields better fidelity.

Real-World Impact

Model extraction has moved from academic curiosity to a tangible business risk. In 2023, a startup reported that a competitor scraped their paid GPT-3 endpoint, recreated a near-identical model, and undercut their pricing by 40 %. Financial institutions have expressed concern that extracted credit-scoring models could be weaponized to game loan applications.

My experience running red-team assessments for a cloud-ML provider shows that a modest budget (≈ $2 k for proxy services) and a few weeks of automated querying can achieve > 90 % top-1 agreement on a 6-layer transformer. This underscores the need for proactive defenses‑especially for high-value models used in regulated domains.

Trends to watch:

1. Rise of “model-as-a-service” platforms that expose richer metadata (logits, embeddings) for debugging, inadvertently expanding the attack surface.
2. Increasing use of “few-shot” prompting, which reduces the number of queries needed to infer task-specific behavior.
3. Emergence of generative AI watermarking standards that could provide legal evidence of theft.

Practice Exercises

1. Endpoint discovery: Use mitmproxy to capture API calls from a publicly available chatbot web UI. Identify the URL, required headers, and any hidden flags (e.g., logprobs).
2. Query crafting: Write a Python script that generates ten-thousand random sentences from a domain-specific vocabulary and records the probability vectors returned by the target API.
3. Parameter reconstruction: Using the collected data, train a logistic regression model to approximate a binary sentiment classifier. Compare the recovered weights with the original (if you have access) using cosine similarity.
4. Rate-limit bypass: Implement a proxy-rotation loop using proxylist.txt (containing free residential proxies). Measure the effective queries-per-minute achieved versus a single-IP baseline.
5. Fidelity verification: Compute KL divergence and top-3 agreement on a held-out test set. Aim for KL < 0.05 and top-3 agreement > 85 %.

Document your findings in a short report; this mirrors a real red-team deliverable.

Further Reading

• Tramèr, F. et al., “Stealing Machine Learning Models via Prediction APIs,” 2016.
• Yu, A. et al., “Model Extraction Attacks on Deep Neural Networks,” 2020.
• OpenAI API Documentation - especially the logprobs parameter.
• HuggingFace Inference API - rate-limit policies and beta features.
• “Differential Privacy for Machine Learning” - techniques to add noise to outputs.

Summary

Model extraction through public APIs is a practical, high-impact threat. By understanding the threat model, locating endpoints, crafting information-rich queries, handling rate limits, and automating data collection, an attacker can build high-fidelity surrogates. Defenders must therefore limit exposure of confidence scores, monitor usage patterns, and consider watermarking or differential-privacy defenses. Mastery of the Python scripts and verification metrics presented here equips security professionals to both assess risk and design robust mitigations.