Model Extraction Attacks Revisited

📅 2023-12-08
🏛️ ACM Asia Conference on Computer and Communications Security
📈 Citations: 18
Influential: 1
📄 PDF
🤖 AI Summary
This study investigates how the real-world vulnerability of mainstream ML-as-a-Service (MLaaS) platforms to model extraction (ME) attacks has evolved. Method: Using black-box, query-driven surrogate-model training, the authors characterize the vulnerability of current mainstream MLaaS platforms from multiple perspectives (attack strategies, learning techniques, surrogate-model design, and benchmark tasks), then re-run the analysis against the same platforms using historical datasets from the past four years to trace how ME vulnerability has changed over time. Contribution/Results: Many of the findings challenge previously reported results and point to emerging patterns of ME vulnerability, and the retrospective analysis yields a time-series view of how exposed these platforms have been. The paper closes with suggestions for improving the attack robustness of current MLaaS practice and with directions for future research.
📝 Abstract
Model extraction (ME) attacks represent one major threat to Machine-Learning-as-a-Service (MLaaS) platforms by "stealing" the functionality of confidential machine-learning models through querying black-box APIs. Over seven years have passed since ME attacks were first conceptualized in the seminal work [75]. During this period, substantial advances have been made in both ME attacks and MLaaS platforms, raising the intriguing question: How has the vulnerability of MLaaS platforms to ME attacks been evolving? In this work, we conduct an in-depth study to answer this critical question. Specifically, we characterize the vulnerability of current, mainstream MLaaS platforms to ME attacks from multiple perspectives including attack strategies, learning techniques, surrogate-model design, and benchmark tasks. Many of our findings challenge previously reported results, suggesting emerging patterns of ME vulnerability. Further, by analyzing the vulnerability of the same MLaaS platforms using historical datasets from the past four years, we retrospectively characterize the evolution of ME vulnerability over time, leading to a set of interesting findings. Finally, we make suggestions about improving the current practice of MLaaS in terms of attack robustness. Our study sheds light on the current state of ME vulnerability in the wild and points to several promising directions for future research.
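To make the abstract's "black-box query" threat model concrete, here is an added, self-contained illustration of model extraction against a simulated prediction API. It is not code from the paper, and it does not touch any real MLaaS platform: the victim is a hypothetical 3-dimensional logistic-regression classifier with constructed weights, exposed only through a `query()` method that the attacker can call. It contrasts two query-output regimes that the ME literature treats very differently: when the API returns confidence scores, the attacker recovers the exact weights from just d+1 queries by inverting the sigmoid and solving a linear system (the equation-solving attack of Tramèr et al., USENIX Security 2016); when the API returns hard labels only, the attacker trains an approximate surrogate by gradient descent and the result is judged by functional fidelity, i.e. the agreement rate with the victim on fresh inputs. A third run applies a score-rounding mitigation; that mitigation, the input dimension `D`, the weights, and the query budgets are all assumptions of this example, not findings of the paper.

```python
"""Black-box model extraction against a simulated MLaaS endpoint (added example)."""
import math
import random

D = 3  # input dimension of the simulated task (constructed)


class VictimAPI:
    """Simulated MLaaS endpoint: weights are private, only query() is exposed."""

    def __init__(self, w, b, return_scores=True, decimals=None):
        self._w, self._b = w, b
        self.return_scores = return_scores   # confidence scores vs. hard labels
        self.decimals = decimals             # hypothetical score-rounding mitigation
        self.queries = 0                     # attacker's query budget consumed

    def _prob(self, x):
        z = sum(wi * xi for wi, xi in zip(self._w, x)) + self._b
        return 1.0 / (1.0 + math.exp(-z))

    def query(self, x):
        self.queries += 1
        p = self._prob(x)
        if not self.return_scores:
            return int(p >= 0.5)
        return round(p, self.decimals) if self.decimals is not None else p


def solve_linear(A, y):
    """Gauss-Jordan elimination with partial pivoting: returns v with A v = y."""
    n = len(A)
    M = [row[:] + [yi] for row, yi in zip(A, y)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(M[r][col]))
        M[col], M[piv] = M[piv], M[col]
        for r in range(n):
            if r != col:
                f = M[r][col] / M[col][col]
                M[r] = [a - f * c for a, c in zip(M[r], M[col])]
    return [M[i][n] / M[i][i] for i in range(n)]


def equation_solving_attack(api, rng):
    """Recover (w, b) from D+1 score queries: logit(p) = w.x + b is linear."""
    A, y = [], []
    for _ in range(D + 1):
        x = [rng.uniform(-1, 1) for _ in range(D)]
        p = api.query(x)
        A.append(x + [1.0])                 # unknowns are w_1..w_D and b
        y.append(math.log(p / (1.0 - p)))   # invert the sigmoid
    v = solve_linear(A, y)
    return v[:D], v[D]


def label_only_attack(api, rng, n_queries=500, epochs=300, lr=0.1):
    """Train a surrogate logistic regression on the victim's hard labels only."""
    X = [[rng.uniform(-3, 3) for _ in range(D)] for _ in range(n_queries)]
    Y = [int(api.query(x) >= 0.5) for x in X]   # works for scores or labels
    w, b = [0.0] * D, 0.0
    for _ in range(epochs):                     # full-batch gradient descent
        gw, gb = [0.0] * D, 0.0
        for x, t in zip(X, Y):
            z = sum(wi * xi for wi, xi in zip(w, x)) + b
            err = 1.0 / (1.0 + math.exp(-z)) - t
            gw = [g + err * xi for g, xi in zip(gw, x)]
            gb += err
        w = [wi - lr * g / n_queries for wi, g in zip(w, gw)]
        b -= lr * gb / n_queries
    return w, b


def fidelity(api, w, b, rng, n_test=2000):
    """Functional fidelity: agreement rate of surrogate and victim on fresh inputs."""
    agree = 0
    for _ in range(n_test):
        x = [rng.uniform(-3, 3) for _ in range(D)]
        s = int(sum(wi * xi for wi, xi in zip(w, x)) + b >= 0)
        agree += int(s == int(api.query(x) >= 0.5))
    return agree / n_test


def run_demo(seed=0):
    rng = random.Random(seed)
    w_true, b_true = [1.5, -2.0, 0.7], 0.3      # hidden victim parameters (constructed)
    out = {}
    # Scores exposed: exact extraction from only D+1 queries.
    api = VictimAPI(w_true, b_true, return_scores=True)
    w_hat, b_hat = equation_solving_attack(api, rng)
    out["score_queries"] = api.queries
    out["score_max_err"] = max(abs(a - t) for a, t in zip(w_hat + [b_hat], w_true + [b_true]))
    # Same attack against scores rounded to 2 decimals (hypothetical mitigation).
    api_r = VictimAPI(w_true, b_true, return_scores=True, decimals=2)
    w_r, b_r = equation_solving_attack(api_r, rng)
    out["rounded_max_err"] = max(abs(a - t) for a, t in zip(w_r + [b_r], w_true + [b_true]))
    # Labels only: approximate surrogate, judged by functional fidelity.
    api_l = VictimAPI(w_true, b_true, return_scores=False)
    w_s, b_s = label_only_attack(api_l, rng)
    out["label_queries"] = api_l.queries
    out["label_fidelity"] = fidelity(api_l, w_s, b_s, rng)
    return out


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

Two practitioner take-aways the paper's framing rests on are visible here. First, what the API returns matters as much as how many queries it allows: with raw scores, 4 queries suffice for a perfect copy of this victim, while rounding the scores breaks that exact attack. Second, rounding does nothing against the label-only attacker, who never used the scores; that attacker needs a larger budget but still reaches high fidelity, which is why fidelity on held-out inputs, not parameter recovery, is the right yardstick when comparing attacks and platforms.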
Problem

Research questions and friction points this paper is trying to address.

Investigating evolving vulnerability of MLaaS platforms to model extraction attacks
Characterizing attack strategies and surrogate-model designs across benchmarks
Analyzing historical vulnerability patterns to improve MLaaS robustness
Innovation

Methods, ideas, or system contributions that make the work stand out.

Characterizing vulnerability from multiple perspectives
Analyzing historical datasets for evolution patterns
Providing suggestions for improving attack robustness