Lilly Tech Systems
Model Extraction Best Practices
A comprehensive guide to protecting your AI models in production, combining technical controls, legal safeguards, monitoring, and organizational policies.
Comprehensive Defense Strategy
PREVENT DETECT RESPOND Rate limiting Query monitoring Watermark verification Output perturbation Anomaly detection Legal enforcement Information min. Usage analytics Account suspension Query budgets Honeypot triggers Incident investigation
Implementation Priority
| Priority | Control | Effort | Impact |
|---|---|---|---|
| 1 (Critical) | Rate limiting and query budgets | Low | High |
| 2 (High) | Output information minimization | Low | High |
| 3 (High) | Query pattern monitoring | Medium | High |
| 4 (Medium) | Output perturbation | Medium | Medium |
| 5 (Medium) | Model watermarking | Medium | Medium |
| 6 (Medium) | Terms of service updates | Low | Medium |
| 7 (Low) | Honeypot trigger deployment | High | Low |
Legal Protections
Terms of Service
Explicitly prohibit model extraction, reverse engineering, and competitive use of API outputs. Include audit rights and penalties for violations.
Trade Secret Protection
Document your model as a trade secret. Maintain confidentiality through access controls, NDAs, and security measures required by trade secret law.
Patent Protection
Consider patenting novel model architectures or training methods. Patents provide stronger legal protection than trade secrets for disclosed innovations.
International Considerations
IP laws vary by jurisdiction. Consult with international IP counsel if your API serves global users to ensure your protections are enforceable worldwide.
Monitoring Dashboard Essentials
- Query volume per account: Track and alert on accounts exceeding normal usage patterns
- Query diversity score: Measure how diverse each account's queries are (extraction tends toward uniform coverage)
- Decision boundary proximity: Track how close queries are to model decision boundaries
- API output entropy: Monitor the information content of responses over time
- Account creation patterns: Detect coordinated account creation for distributed extraction
Frequently Asked Questions
The legality depends on jurisdiction, how the extraction is done, and the terms of service. In many jurisdictions, violating ToS that prohibit reverse engineering may create legal liability. The Computer Fraud and Abuse Act (CFAA) in the US may apply if the extraction exceeds authorized access. However, the legal landscape is still evolving for AI-specific IP theft.
If you embedded watermarks, you can verify ownership by querying the suspect model with your trigger set. Even without watermarks, you can compare model behavior on carefully designed test inputs. High agreement on unusual or adversarial inputs suggests extraction. However, proving extraction in court requires strong evidence and expert testimony.
When calibrated correctly, output perturbation has minimal impact on legitimate use. A noise level of 1-5% on probability scores is typically imperceptible for application-level decisions. The key is to add enough noise to degrade extraction quality while maintaining prediction usability. Test with your actual use cases to find the right balance.