
Daryna Oliynyk @ ESSAI

At the end of November, our colleague Daryna Oliynyk, a researcher at SBA Research and the Security and Privacy Research Group at the University of Vienna, was invited to speak at the European Symposium on Security and AI (ESSAI) in Rennes, France. She presented the joint paper “Attackers Can Do Better: Over- and Understated Factors of Model Stealing Attacks”, co-authored with Rudolf Mayer and Andreas Rauber.

Abstract

Machine learning (ML) models were shown to be vulnerable to different security attacks – including model stealing attacks, which lead to intellectual property infringement. Among other attack types, substitute model training is an all-encompassing attack applicable to any machine learning model whose behaviour can be approximated from input-output queries. Whereas previous works mainly focused on improving the performance of substitute models by, e.g., developing a new substitute training method, there have been only limited comprehensive ablation studies that try to understand the impact the strength of an attacker has on the substitute model’s performance. As a result, different authors came to diverse, sometimes contradicting conclusions.

In this work, we therefore exhaustively examine the influence of different factors, primarily forming the attacker’s capabilities and knowledge, on a substitute training attack. We investigate how the quality of the substitute training data, the training strategy, and discrepancies between the characteristics of the target and substitute models impact the performance of the attack.

Our findings suggest that some of the factors that have been considered important in the past are, in fact, not that influential; instead, we discover new correlations between the attack conditions and success rate. Moreover, our results often exceed or match the performance of attacks that assume a stronger attacker, suggesting that these stronger attacks are likely endangering a model owner’s intellectual property to a significantly higher degree than shown until now.

Authors

Daryna Oliynyk
Rudolf Mayer (SBA Research)
Andreas Rauber (TU Wien)

About the Symposium

The European Symposium on Security and AI (ESSAI) is a research-oriented event co-organized by AMIAD and Inria within European Cyber Week in Rennes, France. It brings together international experts presenting their work that has been accepted at leading artificial intelligence and security conferences.
