Model Theft: OWASP LLM10 for Weights, APIs, and Self-Hosted Inference

A trained model can embody capital: licensed weights, proprietary fine-tunes, domain adapters, prompt programs, evaluation data, and operational know-how. OWASP LLM10 Model Theft covers attempts to steal that value directly through weight exfiltration or indirectly through extraction over an API. In a self-hosted deployment, the attack surface includes object storage, model registries, GPU nodes, inference endpoints, adapter stores, backups, logs, and the people allowed to move artifacts. The defensive goal is to make the model hard to copy, hard to query at extraction scale, and easy to notice when someone tries.

1. What LLM10 Actually Is

Model theft is the unauthorized acquisition or replication of model value. Direct theft means copying weights, adapters, tokenizer files, or fine-tuned artifacts. Indirect theft means using an API to approximate behavior, recover sensitive training patterns, infer proprietary prompts, or build a competing model from outputs. The economics vary, but the defender's job is the same: reduce access, reduce extraction bandwidth, and increase detection probability.

Self-hosting changes the risk profile. You control the storage and network path, but you also run the registry, backups, GPU nodes, admin shells, observability pipeline, and artifact promotion process. A weak internal control can expose more model value than a public API would.

Theft is not only weights

Fine-tuned adapters, system prompts, retrieval corpora, eval sets, tokenizer changes, and response logs may reveal the defensible part of the system even when base weights are public.

2. Attack Shapes (Defanged)

Defensive detail only

This section avoids extraction recipes, query strategies, and operational exfiltration steps.

2.1 Weight or adapter exfiltration

An insider, compromised service account, exposed backup, or weak registry permission allows copying model artifacts. Large files make this visible if storage and network telemetry are monitored, but invisible if model stores are treated as ordinary shared folders.

2.2 API-based extraction

An attacker sends high-volume, systematic queries to approximate model behavior or harvest proprietary responses. The individual calls may look valid; the pattern is visible in volume, coverage, repetition, and account relationships.

2.3 Prompt and policy theft

The attacker tries to recover system prompts, tool schemas, guardrail policies, or routing logic through conversation. Even without weights, these assets reveal how to bypass or clone the application behavior.

2.4 Log and trace leakage

Observability stores can contain prompts, responses, retrieved context, and model identifiers. If traces are over-retained or broadly accessible, they become a second model-knowledge repository.

3. Blue-Team Detection

Model-theft detection combines data-loss prevention, identity analytics, storage monitoring, API abuse detection, and inference telemetry. The baseline is to know which principals can read artifacts and what normal artifact movement looks like.

Signal Why it matters Response
Large artifact read by unusual principal Possible weight or adapter staging Block session, rotate credentials, inspect host
Model registry export outside release window Artifact movement bypassing change control Require approval and compare manifest
High-volume systematic API queries Possible extraction attempt Throttle, challenge, or suspend account
Repeated prompt-disclosure probes Attempt to recover policy or tool schemas Return safe refusal and alert
Trace access spike Logs may be used as model-data source Restrict trace access and review exports

Map direct artifact theft to conventional MITRE ATT&CK collection/exfiltration behaviors and LLM-specific extraction to MITRE ATLAS. The investigation usually needs both views: host access tells you how files moved; model telemetry tells you whether behavior was extracted through the API.

4. Mitigation and Build Controls

  • Artifact access control. Treat weights, adapters, tokenizers, and eval sets as crown-jewel assets. Use least privilege, just-in-time access, and separate duties for build, deploy, and operate.
  • Encryption and key separation. Encrypt model stores and backups. Keep decryption keys away from broad application roles and CI workers that do not need raw artifacts.
  • Immutable registries and signed manifests. Use digest-pinned releases so artifact movement is expected and auditable.
  • API extraction controls. Rate-limit by tokens, task, account, and similarity. Detect systematic coverage patterns rather than only high request rates.
  • Output watermarking and canaries. Where appropriate, include defensible markers or canary behaviors to support investigation. Do not rely on watermarking as the only control.
  • Trace minimization. Redact secrets, shorten retention for sensitive prompts, and restrict trace export. Observability should not become an ungoverned model replica.
  • Incident-ready rollback. If a fine-tuned model is stolen, know which downstream customers, deployments, prompts, and keys are affected.
# ILLUSTRATIVE - artifact access policy
resource: model_registry/prod/*
read_raw_artifact:
  allowed_roles: [release_engineer]
  requires_jit: true
  requires_ticket: true
  network_zone: build_subnet_only
serve_artifact:
  allowed_roles: [inference_service]
  raw_export: false
alert_on:
  - bulk_download
  - access_outside_release_window
  - backup_restore_to_unapproved_host

5. Mapping to WSTG, ATLAS, and Related LLM Risks

Theft path OWASP WSTG / ASVS lens MITRE view Related LLM risks
Raw artifact access Authentication, authorization, secrets, and storage testing ATT&CK collection/exfiltration; ATLAS model theft LLM05
API extraction Rate limiting, abuse-case testing, and monitoring ATLAS extraction through inference endpoint LLM04, LLM09
Prompt or tool schema disclosure Information disclosure and access-control testing Discovery through application interface LLM01, LLM07
Trace/log leakage Logging, privacy, and data-retention testing Collection from observability systems LLM06

Model theft defense is not a single feature. It is a chain of storage security, deployment discipline, endpoint abuse controls, and incident response. If any link is informal, that is where the model value will leave.

Protect the Model Like a Crown-Jewel Asset

These risks are not solved by a policy paragraph. They need adversarial testing, defensive telemetry, and architecture changes that can be inspected. Use the AI red-teaming path to validate controls, the blue-team guide to operationalize detections, and the contact route to request a focused review.

Related Reading