Black-Box Inference of LLM Architectural Properties with Restrictive API Access

· Source: Artificial Intelligence · Field: Technology & Digital — Artificial Intelligence & Machine Learning, Cybersecurity & Data Privacy · Depth: Expert, quick

Summary

NightVision is an attack tool designed to infer architectural properties of large language models (LLMs) using only restrictive black-box API access. Despite commercial LLM providers limiting APIs to expose only single logits per decoded token and removing logit bias functions, NightVision successfully estimates an LLM's hidden dimension, depth, and parameter count. The tool employs a novel common set prompting technique, where multiple prompts expose log probabilities for the same output tokens, followed by spectral analysis to infer the hidden dimension. It further utilizes end-to-end time to first token (TTFT) measurements and the estimated hidden dimension to determine depth and parameter count. Evaluated on 32 open-source LLMs, NightVision achieved an average relative error of 23% for hidden dimension (9% for MoE models) and 53% for depth and parameter count on models exceeding three billion parameters. These findings indicate that current LLM APIs remain insufficient for fully obfuscating underlying architectural details.

Key takeaway

For LLM providers concerned with intellectual property protection and API security, your current restrictive API designs are not fully obfuscating underlying architectural details. You should re-evaluate your API security posture, as tools like NightVision can still infer critical parameters such as hidden dimension, depth, and parameter count. This persistent vulnerability necessitates exploring more robust obfuscation techniques or accepting the risk of architectural inference by external parties.

Key insights

Restrictive LLM APIs still permit black-box inference of architectural properties like hidden dimension, depth, and parameter count.

Principles

Method

NightVision employs common set prompting to gather log probabilities for shared output tokens, using spectral analysis to infer hidden dimension. This is combined with TTFT measurements to estimate depth and parameter count.

In practice

Topics

Best for: Research Scientist, CTO, VP of Engineering/Data, AI Scientist, Machine Learning Engineer, AI Security Engineer

Related on AIssential

Open in AIssential →

Editorial summary, takeaway, and curation by AIssential. Original article published by Artificial Intelligence.