Saved in:
Bibliographic Details
Main Authors: Rinberg, Roy, Karvonen, Adam, Hoover, Alexander, Reuter, Daniel, Warr, Keri
Format: Preprint
Published: 2025
Subjects:
Online Access:https://arxiv.org/abs/2511.02620
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866911510646751232
author Rinberg, Roy
Karvonen, Adam
Hoover, Alexander
Reuter, Daniel
Warr, Keri
author_facet Rinberg, Roy
Karvonen, Adam
Hoover, Alexander
Reuter, Daniel
Warr, Keri
contents As large AI models become increasingly valuable assets, the risk of model weight exfiltration from inference servers grows accordingly. An attacker controlling an inference server may exfiltrate model weights by hiding them within ordinary model responses, a strategy known as steganography. This work investigates how to verify LLM model inference to defend against such attacks and, more broadly, to detect anomalous or buggy behavior during inference. We formalize model weight exfiltration as a security game, propose a verification framework that can provably mitigate steganographic exfiltration, and specify the trust assumptions associated with our scheme. To enable verification, we characterize valid sources of non-determinism in large language model inference and introduce two practical estimators for them. We evaluate our detection framework on several open-weight models ranging from 3B to 30B parameters. On MOE-Qwen-30B, our detector reduces exfiltratable information to <0.5% with false-positive rate of <0.01%, corresponding to a >200x slowdown for adversaries. Overall, this work further establishes a foundation for defending against model weight exfiltration and demonstrates that strong protection can be achieved with minimal additional cost to inference providers. Our code is made public at: https://github.com/RoyRin/inference_verification_for_model_weight_exfiltration .
format Preprint
id arxiv_https___arxiv_org_abs_2511_02620
institution arXiv
publishDate 2025
record_format arxiv
spellingShingle Verifying LLM Inference to Detect Model Weight Exfiltration
Rinberg, Roy
Karvonen, Adam
Hoover, Alexander
Reuter, Daniel
Warr, Keri
Cryptography and Security
Machine Learning
As large AI models become increasingly valuable assets, the risk of model weight exfiltration from inference servers grows accordingly. An attacker controlling an inference server may exfiltrate model weights by hiding them within ordinary model responses, a strategy known as steganography. This work investigates how to verify LLM model inference to defend against such attacks and, more broadly, to detect anomalous or buggy behavior during inference. We formalize model weight exfiltration as a security game, propose a verification framework that can provably mitigate steganographic exfiltration, and specify the trust assumptions associated with our scheme. To enable verification, we characterize valid sources of non-determinism in large language model inference and introduce two practical estimators for them. We evaluate our detection framework on several open-weight models ranging from 3B to 30B parameters. On MOE-Qwen-30B, our detector reduces exfiltratable information to <0.5% with false-positive rate of <0.01%, corresponding to a >200x slowdown for adversaries. Overall, this work further establishes a foundation for defending against model weight exfiltration and demonstrates that strong protection can be achieved with minimal additional cost to inference providers. Our code is made public at: https://github.com/RoyRin/inference_verification_for_model_weight_exfiltration .
title Verifying LLM Inference to Detect Model Weight Exfiltration
topic Cryptography and Security
Machine Learning
url https://arxiv.org/abs/2511.02620