Guardado en:
Detalles Bibliográficos
Autores principales: Wei, Jiankun, Abdulrazzag, Abdulrahman, Zhang, Tianchen, Muursepp, Adel, Saileshwar, Gururaj
Formato: Preprint
Publicado: 2024
Materias:
Acceso en línea:https://arxiv.org/abs/2411.01076
Etiquetas: Agregar Etiqueta
Sin Etiquetas, Sea el primero en etiquetar este registro!
_version_ 1866911438779449344
author Wei, Jiankun
Abdulrazzag, Abdulrahman
Zhang, Tianchen
Muursepp, Adel
Saileshwar, Gururaj
author_facet Wei, Jiankun
Abdulrazzag, Abdulrahman
Zhang, Tianchen
Muursepp, Adel
Saileshwar, Gururaj
contents Deployed large language models (LLMs) often rely on speculative decoding, a technique that generates and verifies multiple candidate tokens in parallel, to improve throughput and latency. In this work, we reveal a new side-channel whereby input-dependent patterns of correct and incorrect speculations can be inferred by monitoring per-iteration token counts or packet sizes. In evaluations using research prototypes and production-grade vLLM serving frameworks, we show that an adversary monitoring these patterns can fingerprint user queries (from a set of 50 prompts) with over 75% accuracy across four speculative-decoding schemes at temperature 0.3: REST (100%), LADE (91.6%), BiLD (95.2%), and EAGLE (77.6%). Even at temperature 1.0, accuracy remains far above the 2% random baseline - REST (99.6%), LADE (61.2%), BiLD (63.6%), and EAGLE (24%). We also show the capability of the attacker to leak confidential datastore contents used for prediction at rates exceeding 25 tokens/sec. To defend against these, we propose and evaluate a suite of mitigations, including packet padding and iteration-wise token aggregation.
format Preprint
id arxiv_https___arxiv_org_abs_2411_01076
institution arXiv
publishDate 2024
record_format arxiv
spellingShingle When Speculation Spills Secrets: Side Channels via Speculative Decoding In LLMs
Wei, Jiankun
Abdulrazzag, Abdulrahman
Zhang, Tianchen
Muursepp, Adel
Saileshwar, Gururaj
Computation and Language
Artificial Intelligence
Cryptography and Security
Distributed, Parallel, and Cluster Computing
Machine Learning
Deployed large language models (LLMs) often rely on speculative decoding, a technique that generates and verifies multiple candidate tokens in parallel, to improve throughput and latency. In this work, we reveal a new side-channel whereby input-dependent patterns of correct and incorrect speculations can be inferred by monitoring per-iteration token counts or packet sizes. In evaluations using research prototypes and production-grade vLLM serving frameworks, we show that an adversary monitoring these patterns can fingerprint user queries (from a set of 50 prompts) with over 75% accuracy across four speculative-decoding schemes at temperature 0.3: REST (100%), LADE (91.6%), BiLD (95.2%), and EAGLE (77.6%). Even at temperature 1.0, accuracy remains far above the 2% random baseline - REST (99.6%), LADE (61.2%), BiLD (63.6%), and EAGLE (24%). We also show the capability of the attacker to leak confidential datastore contents used for prediction at rates exceeding 25 tokens/sec. To defend against these, we propose and evaluate a suite of mitigations, including packet padding and iteration-wise token aggregation.
title When Speculation Spills Secrets: Side Channels via Speculative Decoding In LLMs
topic Computation and Language
Artificial Intelligence
Cryptography and Security
Distributed, Parallel, and Cluster Computing
Machine Learning
url https://arxiv.org/abs/2411.01076