CERBEROS: Compression-based Efficient and Robust Optimized Security for Model Stealing Defense

Model stealing attacks pose an increasing threat to the confidentiality and intellectual property of artificial intelligence (AI) models. Existing defenses–such as query monitoring, output perturbation, multi-model output variation, and post hoc verification–fall short in on-device applications where models must run under strict memory and computation budgets. These approaches typically incur high memory or latency overhead due to their reliance on auxiliary models or additional inference-time processing. To address these limitations, we propose CERBEROS, a defense framework designed to achieve security against model stealing with deployability in resource-constrained environments. At its core, CERBEROS introduces a novel neural architecture with multiple classification heads trained jointly for output diversification, while sharing a single feature extraction backbone to minimize unnecessary memory usage. At inference, CERBEROS reveals the prediction of a randomly selected head, thereby misleading adversaries while preserving test accuracy for legitimate users, without requiring separate models or costly output modification. In addition, we integrate structured pruning into training to compress the backbone while retaining the classification heads. This ensures that functional diversity across heads remains achievable even under tight resource constraints. Our experiments show that CERBEROS effectively mitigates model replication attacks while consistently maintaining task performance across widely used convolutional neural networks and benchmark datasets. Furthermore, it achieves significant reductions in memory consumption and inference latency compared to prior defenses, offering a practical and efficient solution for securing on-device AI models.