The Honeypot Defense

Model extraction attacks are straightforward: query a production ML model repeatedly, record the inputs and outputs, and train a substitute model that approximates the original. The stolen model inherits the victim’s capabilities without the cost of training data, compute, or expertise. Standard defenses try to detect or limit extraction — rate-limiting queries, watermarking outputs, monitoring for suspicious query patterns.

Wang et al. (arXiv:2501.01090) propose the opposite: let the extraction succeed, but ensure the stolen model is poisoned.

HoneypotNet replaces the classification layer of the production model with a honeypot layer, fine-tuned through bi-level optimization to produce outputs that are correct for normal use but inject a backdoor into any model trained on them. The victim model performs normally. Its outputs are accurate. But a model trained to mimic those outputs inherits a hidden vulnerability — a backdoor trigger that the original owner controls.

The defense turns the attack into ownership verification. If a competitor deploys a model that responds to the backdoor trigger, it was stolen. The trigger serves as both proof and deterrent: the stolen model is not just identifiable but degradable on demand.

The structural insight: the optimal defense against theft is not prevention but corruption. Preventing extraction is an arms race that the defender tends to lose (the attacker only needs queries, which are hard to distinguish from legitimate use). Corrupting the extraction is asymmetric: the attacker must steal the model whole, backdoor included, and cannot detect the corruption without knowing the trigger. The best defense is to make the theft succeed — perfectly, silently, and on your terms.

Wang et al., “HoneypotNet: Backdoor Attacks Against Model Extraction,” arXiv:2501.01090 (2025).