🤖 AI Summary
This work addresses the vulnerability of existing AI-based intrusion detection systems (IDS) in energy systems to data-free model extraction attacks, particularly under distributed Sybil attacks or when only hard-label outputs are available, two scenarios in which current defenses such as PRADA fail. To counter this, the authors propose a query-agnostic defense that models the manifold structure of legitimate network traffic with a Continuous Normalizing Flow and uses its log-likelihood scores to identify out-of-distribution or synthetically generated queries. The approach is the first to be robust to both hard-label deployments and large-scale distributed attacks: its detection rate stays stable in both the single-client and the 100-client attack setting, whereas the PRADA baseline drops to a 0% detection rate under the distributional shift.
📝 Abstract
Artificial Intelligence (AI)-based Intrusion Detection Systems (IDS) deployed in energy infrastructure are vulnerable to model theft attacks, which allow adversaries to create evasive traffic offline. Current defences against model extraction rely either on identity-bound query monitoring, which is ineffective against distributed attackers (Sybil), or on prediction poisoning through soft-label perturbation, which is inapplicable to hard-label IDS deployments. Therefore, we propose FlowGuard, an identity-independent defence based on flow matching that classifies incoming queries as out-of-distribution (OOD) prior to IDS processing. This approach exploits the fact that queries generated synthetically for data-free model stealing attacks occupy a lower-dimensional manifold than real network traffic. This results in measurably lower log-likelihoods when using a Continuous Normalizing Flow that has been trained on legitimate data. We evaluate our method against PRADA and FDINet using MAZE and DisGUIDE attacks in single-client and distributed (100-client Sybil) settings. While PRADA's detection rate dropped to 0% when the distribution changed, our defence maintained a stable detection rate across both settings without relying on identity information. We discuss the scope and limitations of the approach, and outline potential applications to data-dependent attacks.
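As an added illustration of the gating logic the abstract describes (example code, not the paper's own implementation or its flow-matching model), the following stands a cheap full-covariance Gaussian in for the Continuous Normalizing Flow as the density trained on legitimate traffic; the two traffic features, the one-dimensional generator stand-in for data-free queries, and the 1% threshold are constructed assumptions. What carries over is the mechanism: every query is scored on its own log-likelihood, with no client identity involved, so 100 Sybil clients look exactly like one.

```python
import math
import random

def fit_gaussian(samples):
    """Fit a full-covariance 2-D Gaussian to legitimate (packets, bytes) pairs."""
    n = len(samples)
    mx = sum(p for p, _ in samples) / n
    my = sum(b for _, b in samples) / n
    sxx = sum((p - mx) ** 2 for p, _ in samples) / n
    syy = sum((b - my) ** 2 for _, b in samples) / n
    sxy = sum((p - mx) * (b - my) for p, b in samples) / n
    return mx, my, sxx, syy, sxy

def log_likelihood(model, query):
    """Per-query log-density; nothing about the sending client is used."""
    mx, my, sxx, syy, sxy = model
    det = sxx * syy - sxy ** 2
    dx, dy = query[0] - mx, query[1] - my
    maha = (syy * dx * dx - 2 * sxy * dx * dy + sxx * dy * dy) / det
    return -0.5 * (maha + math.log(det) + 2 * math.log(2 * math.pi))

def build_detector(legit, quantile=0.01):
    """Train on legitimate traffic; reject queries below its 1% log-likelihood."""
    model = fit_gaussian(legit)
    scores = sorted(log_likelihood(model, q) for q in legit)
    return model, scores[int(quantile * len(scores))]

def is_ood(detector, query):
    return log_likelihood(detector[0], query) < detector[1]

def legitimate_flow(rng):
    # Constructed traffic: bytes per flow tracks packets per flow closely.
    packets = rng.gauss(40, 10)
    return packets, 500 * packets + rng.gauss(0, 400)

def synthetic_query(rng):
    # Constructed stand-in for a data-free generator: a 1-D latent mapped
    # affinely into the 2-D feature space, so its queries lie on a line.
    z = rng.uniform(-1, 1)
    return 40 + 40 * z, 20000 + 50000 * z

def run_demo(seed=7, n_train=2000, n_test=500):
    """Return (false-positive rate on held-out legit, detection rate on synthetic)."""
    rng = random.Random(seed)
    detector = build_detector([legitimate_flow(rng) for _ in range(n_train)])
    legit = [legitimate_flow(rng) for _ in range(n_test)]
    attack = [synthetic_query(rng) for _ in range(n_test)]
    fpr = sum(is_ood(detector, q) for q in legit) / n_test
    tpr = sum(is_ood(detector, q) for q in attack) / n_test
    return fpr, tpr
```

The small fraction of synthetic queries that cross the legitimate manifold near the mean still pass, which is the caveat a real deployment has to budget for: the gate bounds the attacker's useful queries rather than eliminating them.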