Stealing Part of a Production Language Model

• URL: http://arxiv.org/abs/2403.06634v2
• Date: Tue, 9 Jul 2024 17:44:00 GMT
• Title: Stealing Part of a Production Language Model
• Authors: Nicholas Carlini, Daniel Paleka, Krishnamurthy Dj Dvijotham, Thomas Steinke, Jonathan Hayase, A. Feder Cooper, Katherine Lee, Matthew Jagielski, Milad Nasr, Arthur Conmy, Itay Yona, Eric Wallace, David Rolnick, Florian Tramèr,
• Abstract summary: We introduce the first model-stealing attack that extracts precise, nontrivial information from production language models. For under $20 USD, our attack extracts the entire projection matrix of OpenAI's Ada and Babbage language models.
• Score: 99.33245067682984
• License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
• Abstract: We introduce the first model-stealing attack that extracts precise, nontrivial information from black-box production language models like OpenAI's ChatGPT or Google's PaLM-2. Specifically, our attack recovers the embedding projection layer (up to symmetries) of a transformer model, given typical API access. For under \$20 USD, our attack extracts the entire projection matrix of OpenAI's Ada and Babbage language models. We thereby confirm, for the first time, that these black-box models have a hidden dimension of 1024 and 2048, respectively. We also recover the exact hidden dimension size of the gpt-3.5-turbo model, and estimate it would cost under $2,000 in queries to recover the entire projection matrix. We conclude with potential defenses and mitigations, and discuss the implications of possible future work that could extend our attack.

Related papers

• Confidence Elicitation: A New Attack Vector for Large Language Models [32.22764815262567]
  Large language models (LLMs) with billions of parameters suffer from adversarial attacks just like their earlier, smaller counterparts. With the introduction of closed-source models, no information about the model is available apart from the generated output. This means that current black-box attacks can only utilize the final prediction to detect if an attack is successful. In this work, we investigate and demonstrate the potential of attack guidance, akin to using output probabilities, while having only black-box access in a classification setting.
  arXiv  Detail & Related papers  (2025-02-07T04:07:36Z)
• DREAM: Domain-agnostic Reverse Engineering Attributes of Black-box Model [50.94236887900527]
  We present a new problem of black-box reverse engineering, without requiring the availability of the target model's training dataset. We learn a domain-agnostic meta-model to infer the attributes of the target black-box model with unknown training data.
  arXiv  Detail & Related papers  (2024-12-08T07:37:05Z)
• Exploiting the Vulnerability of Large Language Models via Defense-Aware Architectural Backdoor [0.24335447922683692]
  We introduce a new type of backdoor attack that conceals itself within the underlying model architecture. The add-on modules of model architecture layers can detect the presence of input trigger tokens and modify layer weights. We conduct extensive experiments to evaluate our attack methods using two model architecture settings on five different large language datasets.
  arXiv  Detail & Related papers  (2024-09-03T14:54:16Z)
• Scalable Extraction of Training Data from (Production) Language Models [93.7746567808049]
  This paper studies extractable memorization: training data that an adversary can efficiently extract by querying a machine learning model without prior knowledge of the training dataset. We show an adversary can extract gigabytes of training data from open-source language models like Pythia or GPT-Neo, semi-open models like LLaMA or Falcon, and closed models like ChatGPT.
  arXiv  Detail & Related papers  (2023-11-28T18:47:03Z)
• DREAM: Domain-free Reverse Engineering Attributes of Black-box Model [51.37041886352823]
  We propose a new problem of Domain-agnostic Reverse Engineering the Attributes of a black-box target model. We learn a domain-agnostic model to infer the attributes of a target black-box model with unknown training data.
  arXiv  Detail & Related papers  (2023-07-20T16:25:58Z)
• Reinforcement Learning-Based Black-Box Model Inversion Attacks [23.30144908939099]
  Model inversion attacks reconstruct private data used to train a machine learning model. White-box model inversion attacks leveraging Generative Adversarial Networks (GANs) to distill knowledge from public datasets have been receiving great attention. We propose a reinforcement learning-based black-box model inversion attack.
  arXiv  Detail & Related papers  (2023-04-10T14:41:16Z)
• Backdoor Attacks on Crowd Counting [63.90533357815404]
  Crowd counting is a regression task that estimates the number of people in a scene image. In this paper, we investigate the vulnerability of deep learning based crowd counting models to backdoor attacks.
  arXiv  Detail & Related papers  (2022-07-12T16:17:01Z)
• How to Robustify Black-Box ML Models? A Zeroth-Order Optimization Perspective [74.47093382436823]
  We address the problem of black-box defense: How to robustify a black-box model using just input queries and output feedback? We propose a general notion of defensive operation that can be applied to black-box models, and design it through the lens of denoised smoothing (DS) We empirically show that ZO-AE-DS can achieve improved accuracy, certified robustness, and query complexity over existing baselines.
  arXiv  Detail & Related papers  (2022-03-27T03:23:32Z)
• MEGEX: Data-Free Model Extraction Attack against Gradient-Based Explainable AI [1.693045612956149]
  Deep neural networks deployed in Machine Learning as a Service (ML) face the threat of model extraction attacks. A model extraction attack is an attack to violate intellectual property and privacy in which an adversary steals trained models in a cloud using only their predictions. In this paper, we propose MEGEX, a data-free model extraction attack against a gradient-based explainable AI.
  arXiv  Detail & Related papers  (2021-07-19T14:25:06Z)
• Imitation Attacks and Defenses for Black-box Machine Translation Systems [86.92681013449682]
  Black-box machine translation (MT) systems have high commercial value and errors can be costly. We show that MT systems can be stolen by querying them with monolingual sentences and training models to imitate their outputs. We propose a defense that modifies translation outputs in order to misdirect the optimization of imitation models.
  arXiv  Detail & Related papers  (2020-04-30T17:56:49Z)

This list is automatically generated from the titles and abstracts of the papers in this site.

This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.