Black-Box Inference of LLM Architectural Properties with Restrictive API Access
Summary
NightVision is an attack tool designed to infer architectural properties of large language models (LLMs) using only restrictive black-box API access. Despite commercial LLM providers limiting APIs to expose only single logits per decoded token and removing logit bias functions, NightVision successfully estimates an LLM's hidden dimension, depth, and parameter count. The tool employs a novel common set prompting technique, where multiple prompts expose log probabilities for the same output tokens, followed by spectral analysis to infer the hidden dimension. It further utilizes end-to-end time to first token (TTFT) measurements and the estimated hidden dimension to determine depth and parameter count. Evaluated on 32 open-source LLMs, NightVision achieved an average relative error of 23% for hidden dimension (9% for MoE models) and 53% for depth and parameter count on models exceeding three billion parameters. These findings indicate that current LLM APIs remain insufficient for fully obfuscating underlying architectural details.
Key takeaway
For LLM providers concerned with intellectual property protection and API security, your current restrictive API designs are not fully obfuscating underlying architectural details. You should re-evaluate your API security posture, as tools like NightVision can still infer critical parameters such as hidden dimension, depth, and parameter count. This persistent vulnerability necessitates exploring more robust obfuscation techniques or accepting the risk of architectural inference by external parties.
Key insights
Restrictive LLM APIs still permit black-box inference of architectural properties like hidden dimension, depth, and parameter count.
Principles
- LLM architectural details are recoverable via black-box API access.
- Common set prompting enables log probability exposure for spectral analysis.
- TTFT measurements, with hidden dimension, estimate depth and parameter count.
Method
NightVision employs common set prompting to gather log probabilities for shared output tokens, using spectral analysis to infer hidden dimension. This is combined with TTFT measurements to estimate depth and parameter count.
In practice
- Implement common set prompting for log probability data.
- Apply spectral analysis to infer hidden dimensions.
- Utilize TTFT measurements for depth and parameter estimation.
Topics
- LLM Architecture Inference
- Black-Box API Security
- NightVision Attack
- Spectral Analysis
- Time to First Token
- Model Obfuscation
Best for: Research Scientist, CTO, VP of Engineering/Data, AI Scientist, Machine Learning Engineer, AI Security Engineer
Related on AIssential
Editorial summary, takeaway, and curation by AIssential. Original article published by Artificial Intelligence.