Model extraction (ME) attacks represent one major threat to
Machine-Learning-as-a-Service (MLaaS) platforms by ``stealing'' the
functionality of confidential machine-learning models through querying
black-box APIs. Over seven years have passed since ME attacks were first
conceptualized in the seminal work. During this period, substantial advances
have been made in both ME attacks and MLaaS platforms, raising the intriguing
question: How has the vulnerability of MLaaS platforms to ME attacks been
evolving? In this work, we conduct an in-depth study to answer this critical
question. Specifically, we characterize the vulnerability of current,
mainstream MLaaS platforms to ME attacks from multiple perspectives including
attack strategies, learning techniques, surrogate-model design, and benchmark
tasks. Many of our findings challenge previously reported results, suggesting
emerging patterns of ME vulnerability. Further, by analyzing the vulnerability
of the same MLaaS platforms using historical datasets from the past four years,
we retrospectively characterize the evolution of ME vulnerability over time,
leading to a set of interesting findings. Finally, we make suggestions about
improving the current practice of MLaaS in terms of attack robustness. Our
study sheds light on the current state of ME vulnerability in the wild and
points to several promising directions for future research.

模型提取攻击是对机器学习即服务（MLaaS）平台的机器学习模型功能性进行 “窃取” 的主要威胁，本文通过综合多个角度对当前 MLaaS 平台的模型提取漏洞进行了深入研究，揭示了漏洞的演化规律，并提出了一些提高 MLaaS 的安全性的建议。