In machine learning as a service, a provider trains a deep neural network and
gives many users access. The hosted (source) model is susceptible to model
stealing attacks, where an adversary derives a surrogate model from API access
to the source model. For post hoc detection of such at