AI Security

The Threat of Query Attacks on Machine Learning Models

While ML models excel at tasks like predictive analytics and natural language understanding, they are also susceptible to various forms of cyberattacks. One emerging threat that often flies under the radar is query attacks, which are designed to extract valuable model information.

The Basics of Machine Learning Models

Machine learning models are essentially algorithms that can learn from and make decisions or predictions based on data. They serve as the backbone for a plethora of applications that have become ubiquitous in our daily lives, such as recommendation systems that suggest your next favorite show on Netflix, natural language processing tools like chatbots and voice assistants, and image recognition technologies in healthcare diagnostics or security surveillance. While the practical benefits of these models are vast, the data they are trained on and the algorithms themselves often constitute proprietary or sensitive information. Thus, the security of these models is paramount. Unsecured models are vulnerable to a variety of risks, from the leaking of confidential data to the malicious manipulation of the model’s behavior, all of which could have severe financial and reputational repercussions for businesses and organizations utilizing them.

The Importance of Model Security

Beyond just data, the architecture, algorithms, and parameters of ML models themselves can be highly sensitive and proprietary. In some instances, the model’s structure and underlying data might even be considered a “trade secret,” giving organizations a competitive edge in the market. Failure to protect this valuable asset could result in data breaches that compromise user privacy or leaks that expose proprietary business information. Moreover, machine learning models are not just susceptible to query attacks; they can also fall prey to other types of cyber threats, such as adversarial attacks, data poisoning, and model inversion attacks. Each of these has unique implications, but collectively, they underscore the critical need for robust security measures to protect the integrity and confidentiality of machine learning models.

What are Query Attacks?

Query attacks are a type of cybersecurity attack specifically targeting machine learning models. In essence, attackers issue a series of queries, usually input data fed into the model, to gain insights from the model’s output. This could range from understanding the architecture and parameters of the model to uncovering the actual data on which it was trained. The nature of these attacks is often stealthy and surreptitious, designed to mimic legitimate user activity to escape detection.

How Query Attacks Can Be Conducted

The methods for conducting query attacks can vary in complexity. At its most basic, an attacker could feed a variety of inputs into a publicly accessible machine learning API and study the outputs. In more advanced attacks, specialized algorithms may be used to systematically query the model, with each query designed to reveal as much information as possible. Attackers might also manipulate or exploit accessible API endpoints to further their gains. These queries are often disguised as typical user interactions, making it difficult for traditional security systems to identify them as malicious activity.

Why Query Attacks Pose a Threat

The subtlety and complexity of query attacks make them a serious threat to machine learning models. One of the reasons they are so dangerous is that they can be conducted without necessarily needing access to the internal workings of the model. As a result, even well-secured models can be vulnerable. Attackers can utilize the insights gained from these queries for a variety of malicious purposes. This could include creating a copycat model, gaining unauthorized access to sensitive data, or manipulating the model’s behavior for nefarious ends. The outcomes can range from loss of intellectual property to severe breaches of user privacy, making the need for countermeasures exceptionally critical.

How Query Attacks Work

Understanding query attacks may seem like a daunting task, but let’s simplify the process step-by-step. Think of a machine learning model as a sort of “magic recipe book” that predicts the perfect dish based on the ingredients you have. Someone who wants to steal or replicate those unique recipes could perform what’s known as a query attack.

Identify the Target Model

First, the attacker identifies which machine learning model they wish to target. This could be a model that’s publicly accessible, like a chatbot, or something more proprietary and secure.


The attacker then prepares for the attack. They research to understand what kind of tasks the model performs, be it natural language processing, image recognition, etc. They also decide on the tools and algorithms they’ll use to interpret the model’s responses.

The Queries Begin

Next, the attacker starts sending inputs or queries to the model. These could be as straightforward as typing questions into a chatbot or uploading images into an image recognition model. This is akin to asking the “magic recipe book” for various recipes based on different sets of ingredients.

Collecting and Analyzing Data

Each query generates an output from the model, a chatbot’s response, for instance, or a recognized image. The attacker records these outputs and begins to analyze them to deduce information about the model’s internal structure and functionality.

Refining the Approach

Based on what they learn from the initial queries, the attacker may adjust their approach to gain even more detailed or specific insights from subsequent queries.

Final Extraction

After collecting sufficient data, the attacker reaches the final stage of extraction. Now, they have enough information to either clone the model or find ways to manipulate it maliciously. In the context of our “magic recipe book” analogy, the attacker has gathered enough recipes to either replicate or even alter the book’s unique offerings.

The Future Landscape

As machine learning technologies continue to evolve, so too will the landscape of model security and the sophistication of query attacks. Emerging trends indicate a double-edged sword: On one hand, advances in techniques like federated learning and differential privacy aim to make models more secure by decentralizing data or adding noise to queries, respectively. On the other hand, as machine learning models become more complex and integral to critical systems, they also become more enticing targets for attackers equipped with increasingly sophisticated methods. Additionally, the advent of quantum computing could introduce new layers of both security and vulnerability. This dynamic landscape underscores the importance of ongoing research and vigilance in cybersecurity to keep pace with the ever-changing threats and countermeasures.

Recent Research on Query Attacks

The academic community has shown a growing interest in understanding and mitigating query attacks on machine learning models. In a landmark paper [1], the authors explored the fundamentals of query attacks, establishing a taxonomy that has become widely accepted in the cybersecurity community. Another significant contribution [2] focused on the vulnerabilities of deep learning models, revealing that these models are particularly susceptible to query attacks due to their complexity. Research is also being conducted on defense mechanisms. For instance, a study [3] proposed for detecting the query attacks in real-time, offering a promising avenue for immediate counteraction. In a different approach, [4] investigated the use of differential privacy techniques to add noise to the model’s outputs, making it more difficult for attackers to reverse-engineer valuable information. Finally, a comprehensive review in [5] serves as an excellent resource for anyone looking to understand the current state of research on query attacks. The paper not only summarizes existing methods but also identifies gaps in current knowledge and suggests directions for future research.


As machine learning models become increasingly ubiquitous in various industries, from healthcare to finance, the need for robust security measures has never been greater. Query attacks pose a significant and often overlooked threat to these models, potentially leading to financial losses, breaches of sensitive data, and damage to brand reputation. Recent research highlights both the escalating sophistication of these attacks and the emerging defense mechanisms designed to counter them.


  1. Dwork, C., Smith, A., Steinke, T., & Ullman, J. (2017). Exposed! a survey of attacks on private data. Annual Review of Statistics and Its Application4, 61-84.
  2. Vo, V. Q., Abbasnejad, E., & Ranasinghe, D. C. (2022). Query efficient decision based sparse attacks against black-box deep learning models. arXiv preprint arXiv:2202.00091.
  3. Ali, N. S., & Shibghatullah, A. S. (2016). Protection web applications using real-time technique to detect structured query language injection attacks. International journal of computer applications149(6), 26-32.
  4. Yan, H., Li, X., Li, H., Li, J., Sun, W., & Li, F. (2021). Monitoring-based differential privacy mechanism against query flooding-based model extraction attack. IEEE Transactions on Dependable and Secure Computing19(4), 2680-2694.
  5. Alwan, Z. S., & Younis, M. F. (2017). Detection and prevention of SQL injection attack: a survey. International Journal of Computer Science and Mobile Computing6(8), 5-17.

For 30+ years, I've been committed to protecting people, businesses, and the environment from the physical harm caused by cyber-kinetic threats, blending cybersecurity strategies and resilience and safety measures. Lately, my worries have grown due to the rapid, complex advancements in Artificial Intelligence (AI). Having observed AI's progression for two decades and penned a book on its future, I see it as a unique and escalating threat, especially when applied to military systems, disinformation, or integrated into critical infrastructure like 5G networks or smart grids. More about me.

Luka Ivezic
Luka Ivezic

Luka Ivezic is the Lead Cybersecurity Consultant for Europe at the Information Security Forum (ISF), a leading global, independent, and not-for-profit organisation dedicated to cybersecurity and risk management. Before joining ISF, Luka served as a cybersecurity consultant and manager at PwC and Deloitte. His journey in the field began as an independent researcher focused on cyber and geopolitical implications of emerging technologies such as AI, IoT, 5G. He co-authored with Marin the book "The Future of Leadership in the Age of AI". Luka holds a Master's degree from King's College London's Department of War Studies, where he specialized in the disinformation risks posed by AI.

Related Articles

Share via
Copy link
Powered by Social Snap