1. Extraction Risk Model
Extraction through an inference endpoint is an abuse problem with ML-specific economics. The attacker needs query volume, coverage, and feedback. The defender controls identity, quotas, output detail, sampling parameters, telemetry, and account response. vLLM and TensorRT-LLM deployments give you enough operational signals to make extraction noisy if you log them deliberately.
- Direct artifact theft is covered in OWASP LLM10 and belongs to storage, registry, and host controls.
- API extraction uses legitimate-looking inference calls at abnormal scale or structure.
- Behavioral profiling targets boundaries: refusals, tool-routing decisions, system-prompt behavior, or fine-tune style.
- Trace leakage can reveal prompts, completions, and retrieved context without touching the model endpoint.
The rest of this note focuses on API extraction and profiling because those are the cases where inference telemetry is decisive.
2. Telemetry to Capture
| Telemetry field | Extraction relevance | Implementation note |
|---|---|---|
| Principal and tenant | Links query bursts to identity and abuse history | Use stable account, API key, and organization IDs |
| Prompt and completion token counts | Shows systematic coverage and budget abuse | Store counts even when content is redacted |
| Embedding or similarity bucket | Detects many near-duplicate or grid-search prompts | Avoid storing sensitive raw prompts where not needed |
| Sampling parameters | Attackers may force deterministic or broad sampling patterns | Log temperature, top-p, max tokens, seed if exposed |
| Route and model ID | Shows focus on a specific fine-tune or expensive model | Use immutable model release IDs |
| Refusal and guardrail verdicts | Boundary probing often alternates allowed and denied requests | Send denied probes to SIEM |
vLLM-style continuous batching and TensorRT-LLM serving metrics also expose queue delay, active sequences, token throughput, and cache pressure. Those are primarily availability signals, but they help distinguish normal users from automated extraction sweeps.
3. Defensive Controls
- Token-aware quotas. Limit prompt tokens, completion tokens, and model-specific budget by principal and time window.
- Similarity-aware throttling. Many extraction runs use systematic prompt variants. Detect clusters, not only raw request rate.
- Canary behaviors. Add harmless, access-controlled canaries to sensitive fine-tunes or eval routes so suspicious reproduction can be investigated later.
- Output minimization. Do not expose logits, hidden states, excessive alternatives, or verbose policy traces unless the user role truly needs them.
- Tiered access. Keep high-value fine-tunes behind stronger identity, contractual, and network controls than commodity models.
- Trace governance. Redact and restrict observability exports; logs can be an extraction dataset.
# ILLUSTRATIVE - extraction-abuse score inputs
score = 0
score += burst_tokens_by_account(window="1h")
score += prompt_similarity_cluster_size(window="24h")
score += denied_boundary_probe_count(window="24h")
score += rare_model_route_focus(window="7d")
score += abnormal_sampling_parameter_pattern(window="24h")
if score > threshold:
throttle_account()
create_siem_event("llm.model_extraction_suspected")
4. Mapping and Response
| Scenario | Primary risk | Response |
|---|---|---|
| High-volume systematic queries | OWASP LLM10 model theft / extraction | Throttle, preserve evidence, require re-authentication |
| Boundary probing for refusals | Prompt/policy discovery | Return stable refusal and alert |
| Trace export spike | Sensitive prompt or output leakage | Revoke export, review access, shorten retention |
| GPU queue pressure from extraction run | LLM04 Model DoS overlap | Apply queue isolation and token budgets |
MITRE ATLAS gives the ML extraction vocabulary; MITRE ATT&CK applies when the same actor also compromises hosts, storage, or identities to obtain artifacts directly.
Treat Extraction as Abuse Detection
The field notes above are intentionally conceptual and defanged, but the controls are practical. Use AI red-teaming to validate the attack path safely, blue-team detection engineering to make the signals operational, and contact to scope a review of your own environment.