Security researchers from North Carolina State University have unveiled the first practical defense against cryptanalytic attacks that target AI systems by stealing their core model parameters. These attacks, which exploit mathematical vulnerabilities in neural networks, allow adversaries to reverse-engineer an AI model’s internal structure and replicate it without authorization. The breakthrough, led by Ph.D. student Ashley Kurian and Associate Professor Aydin Aysu, introduces a novel training-based defense that significantly disrupts the effectiveness of such attacks. According to the researchers, cryptanalytic parameter extraction attacks are already in use and growing more efficient, making proactive protection essential. At the heart of the issue are neural networks—the dominant architecture behind most commercial AI systems, including large language models like ChatGPT. These models rely on millions of parameters that define how they process information. Cryptanalytic attacks work by analyzing input-output patterns from a deployed model and using mathematical techniques to deduce the underlying parameters, effectively enabling intellectual property theft. The researchers discovered a critical vulnerability in these attacks: they depend on detecting differences between neurons within the same layer of a neural network. The greater the variation among neurons, the easier it is for attackers to extract parameters. To counter this, the team developed a defense strategy that trains neural networks to make neurons within the same layer more similar to one another. This creates what they call a "barrier of similarity," which fundamentally disrupts the mathematical pathways attackers rely on. The defense can be applied to the first layer, multiple layers, or selected neurons within a layer. Crucially, the method preserves the model’s performance. In testing, AI systems protected by the defense showed less than a 1% change in accuracy—sometimes even improving slightly. When subjected to aggressive cryptanalytic attacks that previously extracted parameters in under four hours, the protected models resisted extraction attempts lasting for days. The researchers also created a theoretical framework to estimate the likelihood of successful attacks without needing to run them extensively. This enables developers to assess their model’s security posture efficiently. The work, titled "Train to Defend: First Defense Against Cryptanalytic Neural Network Parameter Extraction Attacks," will be presented at the NeurIPS 2025 conference in San Diego. The team emphasizes that while no defense is ever completely foolproof, this approach represents a major step forward in securing AI systems. They are open to collaborating with industry partners to implement the solution and are calling for continued investment in AI security research to stay ahead of evolving threats.