Detect. Deceive. Document.
Real-time attack simulation — the dashboard detects an extraction attempt, activates the honey trap, and logs blockchain evidence within seconds.
Machine Learning models deployed as APIs represent high-value intellectual property — but public API exposure makes them vulnerable to model extraction attacks, where adversaries systematically query an API to clone the model's behavior.
SecureML is the first framework to unify three previously isolated defenses into a single production-ready pipeline:
| Layer | Mechanism | What it does |
|---|---|---|
| 🔍 Detect | Isolation Forest (unsupervised ML) | Identifies extraction behavior via 9-dimensional behavioral fingerprinting |
| 🍯 Deceive | Honey Trap Engine | Silently poisons attacker's collected data — without alerting them |
| 📜 Document | Ethereum Blockchain (Solidity) | Stores cryptographic SHA-256 evidence on-chain for tamper-proof forensics |
- 100% detection rate at query #8–10 across all tested datasets
- Stolen model accuracy collapsed from 99.95% → 0.1% (Credit Card Fraud task)
- Blockchain forensic records generated within 13.2 seconds of detection
Traditional defenses like rate limiting or IP blocking suffer from a fatal flaw: they reveal that detection occurred, prompting attackers to adapt. SecureML takes a different approach — it lets attackers believe they're succeeding, while silently corrupting everything they collect.
Traditional: Detect → Block ❌ Attacker knows, changes strategy
SecureML: Detect → Deceive → Document ✅ Attacker leaves with a useless model
```
┌─────────────────────────────────────────────────────────┐
│                  Incoming API Request                   │
└──────────────────────────┬──────────────────────────────┘
                           │
                    ┌──────▼──────┐
                    │  Flask API  │ ← Session tracking, MD5 hashing
                    │   Gateway   │
                    └──────┬──────┘
                           │
              ┌────────────▼────────────┐
              │   Behavioral Monitor    │ ← 9-dim feature extraction
              │       (Layer 4–5)       │   per session
              └────────────┬────────────┘
                           │
              ┌────────────▼────────────┐
              │    Isolation Forest     │ ← Anomaly score < -0.1?
              │    Detection Engine     │
              └────────────┬────────────┘
                           │
              ┌────────────▼────────────┐
              │    Attack Detected?     │
              └────────┬────────┬───────┘
                       │ YES    │ NO
           ┌───────────▼─┐    ┌─▼──────────────┐
           │ Honey Trap  │    │ Normal Response│
           │ Activated   │    └────────────────┘
           └───────┬─────┘
                   │
        ┌──────────▼──────────┐
        │  Blockchain Logger  │ ← SHA-256 hash → Sepolia testnet
        └──────────┬──────────┘
                   │
        ┌──────────▼──────────┐
        │ Streamlit Dashboard │ ← Real-time monitoring + GeoIP
        └─────────────────────┘
```
Every API session is characterized by a 9-dimensional feature vector:
v = [nq, g̅, σg, gmin, gmax, rq, ρ, b10, Hp]

| Feature | Description | Attack Signal |
|---|---|---|
| nq | Total query count | High volumes = extraction |
| g̅ | Mean inter-query gap | Low values = automated scripting |
| σg | Std. dev. of gaps | Low variance = machine-generated |
| ρ | Regularity score (σg / g̅) | Low values = robotic "pulsing" pattern |
| b10 | Burst count (last 10 s) | DoS-style extraction bursts |
| rq | Queries per minute | Attackers exceed 15 req/min |
| Hp | Prediction entropy | Attackers cover the full input space |

gmin and gmax, the shortest and longest inter-query gap seen in the session, complete the vector.
The unsupervised Isolation Forest learns normal behavior from 600 legitimate sessions and flags anomalies with the Liu et al. score, where E[h(x)] is the mean path length of x across the trees and c(n) is the average path length of an unsuccessful search in a binary search tree of n points:

Anomaly Score s(x,n) = 2^(-E[h(x)] / c(n))

s(x,n) lies in (0, 1]: values close to 1 are anomalies, values well below 0.5 are normal. A negative threshold therefore refers to scikit-learn's `decision_function` scale, which with the default contamination='auto' returns 0.5 − s(x,n) (negative = outlier):

Sessions with decision_function score < -0.1 (i.e. s(x,n) > 0.6) → classified as malicious

A rule-based pre-filter runs in parallel, immediately flagging obvious high-rate attacks (sessions above the 15 req/min mark in the feature table) without waiting for the Isolation Forest cycle.
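The fingerprint and pre-filter described above, written out as an added example (this is not SecureML's own `feature_extractor.py`). It turns a session's raw query timestamps and returned labels into the 9-element vector in the README's order and runs the high-rate rule on it; the resulting vectors are what `IsolationForest.fit` / `decision_function` would consume. The 15 req/min figure comes from the feature table; the 10 s burst window, the entropy base (bits), the minimum session length for the rule and the regularity cut-off of 0.05 are assumptions, and the two sessions at the bottom are constructed.

```python
"""Added example (not SecureML's own code): build the 9-dimensional session
fingerprint [nq, g_mean, g_std, g_min, g_max, rq, rho, b10, Hp] from raw
per-query timestamps and predictions, then run the rule-based pre-filter."""
import math
from collections import Counter
from statistics import mean, pstdev

RATE_LIMIT_QPM = 15.0   # "attackers exceed 15 req/min" (README feature table)
BURST_WINDOW_S = 10.0   # b10: queries inside the last 10 seconds (assumption)
MIN_QUERIES = 5         # don't judge a session on fewer queries (assumption)
RHO_CUTOFF = 0.05       # near-constant gaps => scripted loop (assumption)


def session_features(timestamps, predictions):
    """Return the fingerprint for one session.

    timestamps  -- query times in seconds (any order; sorted here)
    predictions -- the label the API returned for each query (same length)
    """
    if not timestamps or len(timestamps) != len(predictions):
        raise ValueError("need one prediction per query and at least one query")
    ts = sorted(timestamps)
    nq = len(ts)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if gaps:
        g_mean, g_std = mean(gaps), pstdev(gaps)
        g_min, g_max = min(gaps), max(gaps)
    else:                                   # single query: no timing information yet
        g_mean = g_std = g_min = g_max = 0.0
    span = ts[-1] - ts[0]
    rq = nq / (span / 60.0) if span > 0 else float(nq)   # queries per minute
    rho = g_std / g_mean if g_mean > 0 else 0.0          # regularity: low = robotic
    b10 = sum(1 for t in ts if ts[-1] - t <= BURST_WINDOW_S)
    counts = Counter(predictions)
    # Shannon entropy of the returned labels, in bits: an extractor that
    # sweeps the input space sees every class, a normal client mostly one.
    hp = -sum((c / nq) * math.log2(c / nq) for c in counts.values())
    return [nq, g_mean, g_std, g_min, g_max, rq, rho, b10, hp]


def rule_prefilter(features):
    """Fast path that runs beside the Isolation Forest: flag obvious
    high-rate automation without waiting for the model cycle.
    Returns the list of triggered reasons (empty = pass)."""
    nq, _g_mean, _g_std, _g_min, _g_max, rq, rho, _b10, _hp = features
    reasons = []
    if nq >= MIN_QUERIES and rq > RATE_LIMIT_QPM:
        reasons.append(f"rate {rq:.1f} req/min > {RATE_LIMIT_QPM}")
    if nq >= MIN_QUERIES and rho < RHO_CUTOFF:
        reasons.append(f"regularity rho={rho:.3f} (machine-like timing)")
    return reasons


# Constructed sample sessions (not real traffic).
HUMAN_TS = [0.0, 7.3, 19.8, 24.1, 41.0, 62.7]          # irregular, a few per minute
HUMAN_PRED = [0, 0, 0, 1, 0, 0]
SCRIPT_TS = [round(i * 0.5, 2) for i in range(40)]      # 2 req/s, perfectly regular
SCRIPT_PRED = [i % 2 for i in range(40)]                # probes both classes evenly

if __name__ == "__main__":
    for name, ts, preds in [("human", HUMAN_TS, HUMAN_PRED),
                            ("script", SCRIPT_TS, SCRIPT_PRED)]:
        f = session_features(ts, preds)
        print(name, [round(x, 3) for x in f], rule_prefilter(f))
```

The scripted session trips both rules (123 req/min, ρ = 0) and has maximal label entropy; the human one passes with ρ ≈ 0.5 and entropy ≈ 0.65 bits. A low-and-slow extractor that stays under 15 req/min and jitters its gaps passes the rule path and is left to the Isolation Forest, which is the limitation the README lists further down.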
Once detected, the session is silently added to HONEY_TRAP_SESSIONS. All future responses are poisoned:

```python
# Binary classification
poisoned_pred = 1 - real_pred
poisoned_proba = [real_proba[1], real_proba[0]]  # flip with preserved confidence

# Multi-class (generalizable)
poisoned_pred = (real_pred + 1) % n_classes
```

The response format is identical to real responses — confidence scores, structure, everything. The attacker trains their surrogate model on hundreds of these inverted labels, learning the opposite of the true decision boundary.
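An added example (not SecureML's `app.py`) of the poisoning step above, generalized so that the multi-class case also returns a probability vector consistent with the shifted label: the class probabilities are rotated by the same one-step offset as the prediction, so `argmax(proba) == prediction` still holds, which is the first thing a careful attacker checks. For two classes this reduces exactly to the README's flip. The second half reproduces the limitation the README notes later: an attacker holding inputs with known labels sees every answer disagree once the trap is on. `serve`, `attacker_probe`, the session IDs and the sample outputs are constructed for the example.

```python
"""Added example (not SecureML's own code): honey-trap label inversion for
binary and multi-class models with a consistent probability vector, plus the
known-label probe that exposes deterministic inversion."""

HONEY_TRAP_SESSIONS = set()          # sessions flagged by the detector


def poison_response(real_pred, real_proba):
    """Return (pred, proba) with the label shifted by one class and the
    probability mass moved with it. With two classes this is the README's
    flip: pred -> 1 - pred, proba -> [p1, p0]."""
    n_classes = len(real_proba)
    if n_classes < 2 or abs(sum(real_proba) - 1.0) > 1e-6:
        raise ValueError("real_proba must be a probability vector over >= 2 classes")
    if real_pred != max(range(n_classes), key=lambda i: real_proba[i]):
        raise ValueError("real_pred must be the argmax of real_proba")
    poisoned_pred = (real_pred + 1) % n_classes
    # Rotate by one: the confidence of the true class now sits under the
    # poisoned class, and every other entry shifts the same way.
    poisoned_proba = [real_proba[(i - 1) % n_classes] for i in range(n_classes)]
    return poisoned_pred, poisoned_proba


def serve(session_id, real_pred, real_proba):
    """Gateway decision: poison flagged sessions, answer everyone else honestly.
    The response shape is identical either way, so nothing leaks in the format."""
    if session_id in HONEY_TRAP_SESSIONS:
        pred, proba = poison_response(real_pred, real_proba)
    else:
        pred, proba = real_pred, list(real_proba)
    return {"prediction": pred, "confidence": round(max(proba), 4), "proba": proba}


def attacker_probe(session_id, known_samples):
    """The README's stated limitation. known_samples holds
    (true_label, model_pred, model_proba) triples for inputs whose ground
    truth the attacker already owns (constructed here). Returns the fraction
    of API answers that contradict the known label: 0.0 for an honest
    session, 1.0 once deterministic inversion is active."""
    wrong = sum(1 for true_label, p, pr in known_samples
                if serve(session_id, p, pr)["prediction"] != true_label)
    return wrong / len(known_samples)


# Constructed model outputs with ground truth (not real data).
KNOWN = [(0, 0, [0.97, 0.03]), (1, 1, [0.12, 0.88]), (0, 0, [0.80, 0.20])]

if __name__ == "__main__":
    print(serve("sess-B", 0, [0.97, 0.03]))          # honest client
    HONEY_TRAP_SESSIONS.add("sess-A")
    print(serve("sess-A", 0, [0.97, 0.03]))          # trapped client
    print(poison_response(2, [0.1, 0.2, 0.7]))       # multi-class rotation
    print("probe honest:", attacker_probe("sess-B", KNOWN),
          "probe trapped:", attacker_probe("sess-A", KNOWN))
```

A 100% disagreement rate on known-label probes is a detectable signature, which is why the roadmap's stochastic poisoning (inverting only a random fraction of answers) matters: it blurs that rate while still corrupting the surrogate's training set.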
Evidence for a detected attack is hashed before it leaves the gateway:

H_evidence = SHA-256(JSON({session_id, attack_type, timestamp, query_count, confidence, last_5_logs}))

This hash is submitted to a Solidity smart contract (AttackEvidenceLogger) on the Ethereum Sepolia testnet via Web3.py. Each record is publicly verifiable on Etherscan. The contract's entry point, shown with the minimal body its comments describe (the repository's contract may differ in detail):

```solidity
string[] public evidence;   // append-only record of evidence hashes
event AttackLogged(address indexed reporter, string evidenceHash, uint256 timestamp);

function logAttack(string memory evidenceHash) public {
    evidence.push(evidenceHash);                       // stores the immutable attack record
    emit AttackLogged(msg.sender, evidenceHash, block.timestamp);
    // The transaction hash Ethereum assigns (Keccak-256 of the signed tx) is what Etherscan verifies
}
```

| Dataset | Target Model Acc. | Undefended Surrogate | Defended Surrogate | Reduction | Detection Point |
|---|---|---|---|---|---|
| Credit Card Fraud | 99.95% | 98.40% | 0.10% | 99.8% | Query #8 |
| Iris Classification | 100.0% | 96.00% | 6.70% | 93.3% | Query #10 |
| Breast Cancer | 97.40% | 94.20% | 3.50% | 96.3% | Query #10 |
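An added example (not SecureML's `blockchain_logger.py`) of the evidence-hashing step defined above, with the verification a forensic analyst runs later against the value the contract stored. The serialization must be canonical (sorted keys, fixed separators): the same record dumped with a different key order would otherwise hash differently and fail verification. Field names follow the README's formula; their values and the log lines are constructed.

```python
"""Added example (not SecureML's own code): canonical SHA-256 evidence hash and
later verification against the on-chain value."""
import hashlib
import json


def canonical_json(record):
    """Deterministic serialization: sorted keys, no whitespace, UTF-8 kept as-is."""
    return json.dumps(record, sort_keys=True, separators=(",", ":"), ensure_ascii=False)


def evidence_hash(record):
    """H_evidence = SHA-256(JSON(record)) as a 64-char lowercase hex string."""
    return hashlib.sha256(canonical_json(record).encode("utf-8")).hexdigest()


def build_evidence(session_id, attack_type, timestamp, query_count, confidence, logs):
    """Assemble exactly the fields listed in the README's formula; only the
    last five log entries are included."""
    return {
        "session_id": session_id,
        "attack_type": attack_type,
        "timestamp": timestamp,
        "query_count": query_count,
        "confidence": confidence,
        "last_5_logs": list(logs)[-5:],
    }


def verify_evidence(record, onchain_hash):
    """Recompute the hash from the retained off-chain record and compare it
    with the value the contract stored. The chain proves that this exact
    record existed at submission time; the record itself must be kept
    off-chain, or the hash is unverifiable."""
    return evidence_hash(record) == onchain_hash.lower().removeprefix("0x")


# Constructed sample record (not real data).
LOGS = [f"q{i}: pred=0 conf=0.9{i}" for i in range(1, 9)]
RECORD = build_evidence("sess-A", "model_extraction", "2024-01-01T00:00:00Z", 8, 0.93, LOGS)
H = evidence_hash(RECORD)

if __name__ == "__main__":
    print(canonical_json(RECORD))
    print("H_evidence =", H)
    print("verifies:", verify_evidence(RECORD, H))
    print("tampered verifies:", verify_evidence(dict(RECORD, query_count=7), H))
```

Submitting `H` is then a single Web3.py call of the form `contract.functions.logAttack(H).transact({"from": account})` against a funded Sepolia account; that part needs a live node and is not shown here.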
| Algorithm | Accuracy | F1-Score | Latency | RAM |
|---|---|---|---|---|
| Isolation Forest ✅ | 89.0% | 0.85 | 47 ms | 150 MB |
| One-Class SVM | 81.0% | 0.74 | 480 ms | 336 MB |
| Local Outlier Factor | 79.5% | 0.71 | 112 ms | 210 MB |
| Operation | Gas Used | Avg. Latency | Integrity |
|---|---|---|---|
| Evidence Hashing | N/A | <0.05 ms | SHA-256 (256-bit) |
| Contract Submission | 45,000 | 13.2 s | Keccak-256 |
| Etherscan Verification | N/A | 0.63 s | Publicly Verifiable |
The Streamlit + Plotly monitoring dashboard provides:
- 📊 Live query activity timeline (legitimate vs. malicious)
- 🎯 Circular threat confidence gauge (0–100%, color-coded green → red)
- 🌍 GeoIP world map with attacker origin visualization (TOR, VPN, Cloud, High-Risk classification)
- ⛓️ Blockchain evidence cards with direct Etherscan links
- 📄 Automated PDF forensic report generator (SOC-style incident reports)
```
SecureML/
│
├── api/
│   └── app.py                    # Flask API gateway + honey trap logic
│
├── detection/
│   ├── detector_model.pkl        # Trained Isolation Forest model
│   └── feature_extractor.py      # 9-dimensional behavioral fingerprinting
│
├── blockchain/
│   ├── AttackEvidenceLogger.sol  # Solidity smart contract
│   └── blockchain_logger.py      # Web3.py integration
│
├── dashboard/
│   └── dashboard.py              # Streamlit real-time monitoring UI
│
├── model/
│   ├── fraud_model.pkl           # Trained Random Forest classifier
│   └── scaler.pkl                # Fitted StandardScaler
│
├── simulation/
│   └── attack_simulation.py      # Knockoff Net-style extraction simulator
│
├── assets/
│   └── demo.gif                  # Live demo recording
│
├── requirements.txt
└── README.md
```
- Python 3.12+
- MetaMask wallet (for blockchain features)
- Sepolia testnet ETH (free from faucets)
```bash
git clone https://github.com/Shrau1711/SecureML.git
cd SecureML
pip install -r requirements.txt
```

```bash
# 1. Start the Flask API
python api/app.py

# 2. In a separate terminal, launch the dashboard
streamlit run dashboard/dashboard.py

# 3. (Optional) Simulate an extraction attack
python simulation/attack_simulation.py
```

The API will be available at http://localhost:5000/predict
```python
import requests

response = requests.post("http://localhost:5000/predict", json={
    "features": [0.1, -1.3, 0.5, ...]   # 30 credit card features
})
print(response.json())
# {"prediction": 0, "confidence": 0.97, "label": "Legitimate"}
```

| Dataset | Features | Samples | Task | Source |
|---|---|---|---|---|
| Credit Card Fraud (Primary) | 30 | 284,807 | Binary | Kaggle |
| Iris Classification | 4 | 150 | Multi-class | UCI ML Repository |
| Breast Cancer Wisconsin | 30 | 569 | Binary | UCI ML Repository |
- Blockchain logging currently operates on Sepolia testnet (not Ethereum mainnet)
- Honey trap binary inversion could theoretically be detected by an attacker querying with known-label inputs — stochastic poisoning is a planned improvement
- Low-and-slow extraction attacks may evade the current Isolation Forest implementation
- Ethereum mainnet deployment for legally persistent forensic records
- LSTM-based sequence modeling for multi-session, distributed attack detection
- Adaptive stochastic poisoning strategies
- Multi-tenant API key authentication layer
- Real-time threat intelligence feed integration
- Tramer et al. — Stealing Machine Learning Models via Prediction APIs (USENIX Security 2016)
- Liu et al. — Isolation Forest (IEEE ICDM 2008)
- Juuti et al. — PRADA: Protecting Against DNN Model Stealing Attacks (EuroS&P 2019)
"Detect. Deceive. Document."
SecureML — Protecting AI Intellectual Property at the API Layer
