I Can Still Steal Your Encoder: A Defense-Penetrating Encoder-Stealing Attack

Rongbin Xiao; Changyu Dong; Jie Zhang; Yan Pang; Zihan Xie; Han Wu

doi:10.1007/978-981-95-5764-6_33

I Can Still Steal Your Encoder: A Defense-Penetrating Encoder-Stealing Attack

Rongbin Xiao, Changyu Dong, Jie Zhang, Yan Pang, Zihan Xie, Han Wu

Research output: Chapter or section in a book/report/conference proceeding › Chapter in a published conference proceeding

Abstract

The rise of Encoder-as-a-Service (EaaS) has made pre-trained encoders accessible for various AI tasks, but this has introduced significant security concerns, particularly with model stealing attacks. While defenses like the B4B mechanism [6] have been proposed to protect against such attacks, we reveal critical vulnerabilities in B4B’s strategies. B4B employs techniques such as embedding space coverage estimation, cost-based perturbation, and embedding transformations to thwart attackers. However, we introduce the first defense-penetrating attack that bypasses these protections. Our attack effectively circumvents all three defense mechanisms, enabling attackers to steal high-quality encoders with minimal degradation in performance. Extensive experiments show that the stolen encoder performs almost as well as the original, highlighting the weaknesses in B4B and similar defenses. Our work exposes significant gaps in the security of EaaS systems and calls for more robust, active defense strategies against model stealing.

Original language	English
Title of host publication	Pattern Recognition and Computer Vision - 8th Chinese Conference, PRCV 2025, Proceedings
Editors	Josef Kittler, Hongkai Xiong, Weiyao Lin, Jian Yang, Xilin Chen, Jiwen Lu, Jingyi Yu, Weishi Zheng
Place of Publication	Singapore
Publisher	Springer
Pages	483-501
Number of pages	19
ISBN (Electronic)	9789819557646
ISBN (Print)	9789819557639
DOIs	https://doi.org/10.1007/978-981-95-5764-6_33
Publication status	Published - 24 Jan 2026
Event	8th Chinese Conference on Pattern Recognition and Computer Vision, PRCV 2025 - Shanghai, China Duration: 15 Oct 2025 → 18 Oct 2025

Publication series

Name	Lecture Notes in Computer Science
Volume	16289 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	8th Chinese Conference on Pattern Recognition and Computer Vision, PRCV 2025
Country/Territory	China
City	Shanghai
Period	15/10/25 → 18/10/25

Keywords

Defense-Penetrating Attack
Model Stealing
Representation Learning

ASJC Scopus subject areas

Theoretical Computer Science
General Computer Science

Access to Document

10.1007/978-981-95-5764-6_33

Cite this

Xiao, R., Dong, C., Zhang, J., Pang, Y., Xie, Z., & Wu, H. (2026). I Can Still Steal Your Encoder: A Defense-Penetrating Encoder-Stealing Attack. In J. Kittler, H. Xiong, W. Lin, J. Yang, X. Chen, J. Lu, J. Yu, & W. Zheng (Eds.), Pattern Recognition and Computer Vision - 8th Chinese Conference, PRCV 2025, Proceedings (pp. 483-501). (Lecture Notes in Computer Science; Vol. 16289 LNCS). Springer. https://doi.org/10.1007/978-981-95-5764-6_33

I Can Still Steal Your Encoder: A Defense-Penetrating Encoder-Stealing Attack. / Xiao, Rongbin; Dong, Changyu; Zhang, Jie et al.
Pattern Recognition and Computer Vision - 8th Chinese Conference, PRCV 2025, Proceedings. ed. / Josef Kittler; Hongkai Xiong; Weiyao Lin; Jian Yang; Xilin Chen; Jiwen Lu; Jingyi Yu; Weishi Zheng. Singapore: Springer, 2026. p. 483-501 (Lecture Notes in Computer Science; Vol. 16289 LNCS).

Research output: Chapter or section in a book/report/conference proceeding › Chapter in a published conference proceeding

Xiao, R, Dong, C, Zhang, J, Pang, Y, Xie, Z & Wu, H 2026, I Can Still Steal Your Encoder: A Defense-Penetrating Encoder-Stealing Attack. in J Kittler, H Xiong, W Lin, J Yang, X Chen, J Lu, J Yu & W Zheng (eds), Pattern Recognition and Computer Vision - 8th Chinese Conference, PRCV 2025, Proceedings. Lecture Notes in Computer Science, vol. 16289 LNCS, Springer, Singapore, pp. 483-501, 8th Chinese Conference on Pattern Recognition and Computer Vision, PRCV 2025, Shanghai, China, 15/10/25. https://doi.org/10.1007/978-981-95-5764-6_33

Xiao R, Dong C, Zhang J, Pang Y, Xie Z, Wu H. I Can Still Steal Your Encoder: A Defense-Penetrating Encoder-Stealing Attack. In Kittler J, Xiong H, Lin W, Yang J, Chen X, Lu J, Yu J, Zheng W, editors, Pattern Recognition and Computer Vision - 8th Chinese Conference, PRCV 2025, Proceedings. Singapore: Springer. 2026. p. 483-501. (Lecture Notes in Computer Science). doi: 10.1007/978-981-95-5764-6_33

Xiao, Rongbin ; Dong, Changyu ; Zhang, Jie et al. / I Can Still Steal Your Encoder : A Defense-Penetrating Encoder-Stealing Attack. Pattern Recognition and Computer Vision - 8th Chinese Conference, PRCV 2025, Proceedings. editor / Josef Kittler ; Hongkai Xiong ; Weiyao Lin ; Jian Yang ; Xilin Chen ; Jiwen Lu ; Jingyi Yu ; Weishi Zheng. Singapore : Springer, 2026. pp. 483-501 (Lecture Notes in Computer Science).

@inproceedings{525cf8c66dec4825bb5d2b7487068273,

title = "I Can Still Steal Your Encoder: A Defense-Penetrating Encoder-Stealing Attack",

abstract = "The rise of Encoder-as-a-Service (EaaS) has made pre-trained encoders accessible for various AI tasks, but this has introduced significant security concerns, particularly with model stealing attacks. While defenses like the B4B mechanism [6] have been proposed to protect against such attacks, we reveal critical vulnerabilities in B4B{\textquoteright}s strategies. B4B employs techniques such as embedding space coverage estimation, cost-based perturbation, and embedding transformations to thwart attackers. However, we introduce the first defense-penetrating attack that bypasses these protections. Our attack effectively circumvents all three defense mechanisms, enabling attackers to steal high-quality encoders with minimal degradation in performance. Extensive experiments show that the stolen encoder performs almost as well as the original, highlighting the weaknesses in B4B and similar defenses. Our work exposes significant gaps in the security of EaaS systems and calls for more robust, active defense strategies against model stealing.",

keywords = "Defense-Penetrating Attack, Model Stealing, Representation Learning",

author = "Rongbin Xiao and Changyu Dong and Jie Zhang and Yan Pang and Zihan Xie and Han Wu",

year = "2026",

month = jan,

day = "24",

doi = "10.1007/978-981-95-5764-6\_33",

language = "English",

isbn = "9789819557639",

series = "Lecture Notes in Computer Science",

publisher = "Springer",

pages = "483--501",

editor = "Josef Kittler and Hongkai Xiong and Weiyao Lin and Jian Yang and Xilin Chen and Jiwen Lu and Jingyi Yu and Weishi Zheng",

booktitle = "Pattern Recognition and Computer Vision - 8th Chinese Conference, PRCV 2025, Proceedings",

address = "Singapore",

note = "8th Chinese Conference on Pattern Recognition and Computer Vision, PRCV 2025 ; Conference date: 15-10-2025 Through 18-10-2025",

}

TY - GEN

T1 - I Can Still Steal Your Encoder

T2 - 8th Chinese Conference on Pattern Recognition and Computer Vision, PRCV 2025

AU - Xiao, Rongbin

AU - Dong, Changyu

AU - Zhang, Jie

AU - Pang, Yan

AU - Xie, Zihan

AU - Wu, Han

PY - 2026/1/24

Y1 - 2026/1/24

N2 - The rise of Encoder-as-a-Service (EaaS) has made pre-trained encoders accessible for various AI tasks, but this has introduced significant security concerns, particularly with model stealing attacks. While defenses like the B4B mechanism [6] have been proposed to protect against such attacks, we reveal critical vulnerabilities in B4B’s strategies. B4B employs techniques such as embedding space coverage estimation, cost-based perturbation, and embedding transformations to thwart attackers. However, we introduce the first defense-penetrating attack that bypasses these protections. Our attack effectively circumvents all three defense mechanisms, enabling attackers to steal high-quality encoders with minimal degradation in performance. Extensive experiments show that the stolen encoder performs almost as well as the original, highlighting the weaknesses in B4B and similar defenses. Our work exposes significant gaps in the security of EaaS systems and calls for more robust, active defense strategies against model stealing.

AB - The rise of Encoder-as-a-Service (EaaS) has made pre-trained encoders accessible for various AI tasks, but this has introduced significant security concerns, particularly with model stealing attacks. While defenses like the B4B mechanism [6] have been proposed to protect against such attacks, we reveal critical vulnerabilities in B4B’s strategies. B4B employs techniques such as embedding space coverage estimation, cost-based perturbation, and embedding transformations to thwart attackers. However, we introduce the first defense-penetrating attack that bypasses these protections. Our attack effectively circumvents all three defense mechanisms, enabling attackers to steal high-quality encoders with minimal degradation in performance. Extensive experiments show that the stolen encoder performs almost as well as the original, highlighting the weaknesses in B4B and similar defenses. Our work exposes significant gaps in the security of EaaS systems and calls for more robust, active defense strategies against model stealing.

KW - Defense-Penetrating Attack

KW - Model Stealing

KW - Representation Learning

UR - https://www.scopus.com/pages/publications/105028955689

U2 - 10.1007/978-981-95-5764-6_33

DO - 10.1007/978-981-95-5764-6_33

M3 - Chapter in a published conference proceeding

AN - SCOPUS:105028955689

SN - 9789819557639

T3 - Lecture Notes in Computer Science

SP - 483

EP - 501

BT - Pattern Recognition and Computer Vision - 8th Chinese Conference, PRCV 2025, Proceedings

A2 - Kittler, Josef

A2 - Xiong, Hongkai

A2 - Lin, Weiyao

A2 - Yang, Jian

A2 - Chen, Xilin

A2 - Lu, Jiwen

A2 - Yu, Jingyi

A2 - Zheng, Weishi

PB - Springer

CY - Singapore

Y2 - 15 October 2025 through 18 October 2025

ER -

I Can Still Steal Your Encoder: A Defense-Penetrating Encoder-Stealing Attack

Abstract

Publication series

Conference

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this