Saved in:
Bibliographic Details
Main Authors: Carlini, Nicholas, Nasr, Milad
Format: Preprint
Published: 2024
Subjects:
Online Access:https://arxiv.org/abs/2410.17175
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866916448940589056
author Carlini, Nicholas
Nasr, Milad
author_facet Carlini, Nicholas
Nasr, Milad
contents Scaling up language models has significantly increased their capabilities. But larger models are slower models, and so there is now an extensive body of work (e.g., speculative sampling or parallel decoding) that improves the (average case) efficiency of language model generation. But these techniques introduce data-dependent timing characteristics. We show it is possible to exploit these timing differences to mount a timing attack. By monitoring the (encrypted) network traffic between a victim user and a remote language model, we can learn information about the content of messages by noting when responses are faster or slower. With complete black-box access, on open source systems we show how it is possible to learn the topic of a user's conversation (e.g., medical advice vs. coding assistance) with 90%+ precision, and on production systems like OpenAI's ChatGPT and Anthropic's Claude we can distinguish between specific messages or infer the user's language. We further show that an active adversary can leverage a boosting attack to recover PII placed in messages (e.g., phone numbers or credit card numbers) for open source systems. We conclude with potential defenses and directions for future work.
format Preprint
id arxiv_https___arxiv_org_abs_2410_17175
institution arXiv
publishDate 2024
record_format arxiv
spellingShingle Remote Timing Attacks on Efficient Language Model Inference
Carlini, Nicholas
Nasr, Milad
Cryptography and Security
Machine Learning
Scaling up language models has significantly increased their capabilities. But larger models are slower models, and so there is now an extensive body of work (e.g., speculative sampling or parallel decoding) that improves the (average case) efficiency of language model generation. But these techniques introduce data-dependent timing characteristics. We show it is possible to exploit these timing differences to mount a timing attack. By monitoring the (encrypted) network traffic between a victim user and a remote language model, we can learn information about the content of messages by noting when responses are faster or slower. With complete black-box access, on open source systems we show how it is possible to learn the topic of a user's conversation (e.g., medical advice vs. coding assistance) with 90%+ precision, and on production systems like OpenAI's ChatGPT and Anthropic's Claude we can distinguish between specific messages or infer the user's language. We further show that an active adversary can leverage a boosting attack to recover PII placed in messages (e.g., phone numbers or credit card numbers) for open source systems. We conclude with potential defenses and directions for future work.
title Remote Timing Attacks on Efficient Language Model Inference
topic Cryptography and Security
Machine Learning
url https://arxiv.org/abs/2410.17175