Saved in:
Bibliographic Details
Main Authors: Ganesh, Mukkesh, Iyer, Kaushik, Ananthan, Arun Baalaaji Sankar
Format: Preprint
Published: 2025
Subjects:
Online Access:https://arxiv.org/abs/2511.12752
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866912713049899008
author Ganesh, Mukkesh
Iyer, Kaushik
Ananthan, Arun Baalaaji Sankar
author_facet Ganesh, Mukkesh
Iyer, Kaushik
Ananthan, Arun Baalaaji Sankar
contents The Key Value(KV) cache is an important component for efficient inference in autoregressive Large Language Models (LLMs), but its role as a representation of the model's internal state makes it a potential target for integrity attacks. This paper introduces "History Swapping," a novel block-level attack that manipulates the KV cache to steer model generation without altering the user-facing prompt. The attack involves overwriting a contiguous segment of the active generation's cache with a precomputed cache from a different topic. We empirically evaluate this method across 324 configurations on the Qwen 3 family of models, analyzing the impact of timing, magnitude, and layer depth of the cache overwrite. Our findings reveal that only full-layer overwrites can successfully hijack the conversation's topic, leading to three distinct behaviors: immediate and persistent topic shift, partial recovery, or a delayed hijack. Furthermore, we observe that high-level structural plans are encoded early in the generation process and local discourse structure is maintained by the final layers of the model. This work demonstrates that the KV cache is a significant vector for security analysis, as it encodes not just context but also topic trajectory and structural planning, making it a powerful interface for manipulating model behavior.
format Preprint
id arxiv_https___arxiv_org_abs_2511_12752
institution arXiv
publishDate 2025
record_format arxiv
spellingShingle Whose Narrative is it Anyway? A KV Cache Manipulation Attack
Ganesh, Mukkesh
Iyer, Kaushik
Ananthan, Arun Baalaaji Sankar
Cryptography and Security
Artificial Intelligence
The Key Value(KV) cache is an important component for efficient inference in autoregressive Large Language Models (LLMs), but its role as a representation of the model's internal state makes it a potential target for integrity attacks. This paper introduces "History Swapping," a novel block-level attack that manipulates the KV cache to steer model generation without altering the user-facing prompt. The attack involves overwriting a contiguous segment of the active generation's cache with a precomputed cache from a different topic. We empirically evaluate this method across 324 configurations on the Qwen 3 family of models, analyzing the impact of timing, magnitude, and layer depth of the cache overwrite. Our findings reveal that only full-layer overwrites can successfully hijack the conversation's topic, leading to three distinct behaviors: immediate and persistent topic shift, partial recovery, or a delayed hijack. Furthermore, we observe that high-level structural plans are encoded early in the generation process and local discourse structure is maintained by the final layers of the model. This work demonstrates that the KV cache is a significant vector for security analysis, as it encodes not just context but also topic trajectory and structural planning, making it a powerful interface for manipulating model behavior.
title Whose Narrative is it Anyway? A KV Cache Manipulation Attack
topic Cryptography and Security
Artificial Intelligence
url https://arxiv.org/abs/2511.12752