Name: JHONATAN MACHADO LEAO

Publication date: 10/03/2026

Examining board:

Name | Role
GIOVANNI VENTORIM COMARELA | Internal Examiner
JURANDY GOMES DE ALMEIDA JUNIOR | External Examiner
THIAGO OLIVEIRA DOS SANTOS | Chair

Summary: Many companies develop artificial intelligence models as commercial products offered through APIs to address diverse problems. Consequently, protecting the Intellectual Property (IP) of these assets against potential attacks is a critical priority. Regarding these threats, several studies have identified vulnerabilities in such systems, most notably model extraction, where an adversary typically employs a vast amount of Problem Domain (PD) and Non-Problem Domain (NPD) data to train a surrogate model that mimics the target (Oracle).

This dissertation investigates the hypothesis that the success of model extraction is primarily governed by the quality of the substitute dataset. We propose that by strategically synthesizing the relevant visual patterns of the problem domain, it is possible to achieve high-fidelity extraction using solely hard-label outputs, even when real images are limited or entirely inaccessible. This hypothesis is validated across two distinct tasks: image classification and object detection.

For classification scenarios, we introduce the Few-Shot Copycat, a method that blends a minimal set of PD images into the NPD dataset. Experiments demonstrate that using as few as one image per class is sufficient to surpass baselines, increasing the average extraction performance from 85.5% to 92.8% (with 10 samples) while reducing data requirements by at least 6×. For object detection, we propose OD-Copycat, a data-free extraction framework that relies exclusively on synthetic images generated by diffusion models. By implementing a strategic generation and filtering pipeline guided by the Oracle, OD-Copycat recovers over 83% of the Oracle's performance without accessing a single real image.

These results expose significant vulnerabilities in modern AI deployments and underscore the urgent necessity for advanced defense mechanisms to secure proprietary models in black-box environments.


© 2013 Universidade Federal do Espírito Santo. All rights reserved.