Numinex
← Back to all posts

Thread (5 posts)

Thinking Summary

This is a paper about stealing parameters from production language models through API queries. Let me go through the key points to provide a good summary. The paper is titled "Stealing Part of a Production Language Model" and appears to be from ICML 2024. Let me break down the main contributions, methods, and results. **Main Goal**: The authors developed attacks to extract the embedding projection layer (final layer) of transformer language models through API queries, specifically targeting production models like OpenAI's GPT models. **Key Methods**: 1. **Hidden Dimension Recovery**: They use SVD on logit vectors from multiple queries to find the hidden dimension size. Since logits are projected from hidden dimension h to vocabulary size l (where h << l), the rank of the logit matrix reveals h. 2. **Full Layer Extraction**: They recover the embedding projection matrix E up to a linear transformation using SVD - specifically U·Σ = E·G for some matrix G. 3. **Different API Scenarios**: They develop attacks for various API types: - Full logits access (theoretical) - Top-K logprobs with logit bias (practical) - Top-1 logprobs with binary logit bias - Logprob-free attacks using only logit bias **Key Results**: 1. **Dimension Recovery**: Successfully recovered exact hidden dimensions for several models: - OpenAI ada: 1024 dimensions - OpenAI babbage: 2048 dimensions - OpenAI babbage-002: 1536 dimensions - Also confirmed dimensions for GPT-3.5-turbo models (but didn't publish the numbers) 2. **Cost Efficiency**: - Full matrix extraction of ada/babbage cost under $20 USD - Dimension-only extraction of GPT-3.5-turbo cost under $200 USD - Estimated full matrix extraction of GPT-3.5-turbo would cost under $2,000 I've found some remarkable details about the model parameter extraction accuracy and validation. The researchers achieved impressively low error rates when recovering embedding matrices, with root mean square errors hovering around 10^-4 to 10^-3. They extensively validated their approach across open-source models like GPT-2, Pythia, and LLaMA, demonstrating near-perfect accuracy in parameter recovery. The core technical breakthrough lies in exploiting the inherent low-rank nature of transformer final layers. By recognizing that the hidden dimension is significantly smaller than the vocabulary size, they developed a linear algebra approach to systematically recover the model's embedding projection matrix. Regarding potential defenses, the researchers suggested several mitigation strategies: - Completely eliminating logit bias - Implementing token blocklists - Exploring architectural modifications to increase hidden dimension complexity They responsibly disclosed their findings to major AI companies like OpenAI and Google, who subsequently implemented protective measures. This represents a groundbreaking first practical demonstration of extracting precise parameters from production large language models.

Summary of "Stealing Part of a Production Language Model"

This paper presents the first successful attack to extract precise parameters from black-box production language models like OpenAI's GPT models and Google's PaLM-2.

Key Methods

Core Insight: The final embedding projection layer of transformers is low-rank, mapping from hidden dimension hh to vocabulary size ll where hlh \ll l. This creates an exploitable mathematical structure.

Attack Approaches:

  1. Hidden Dimension Recovery: Use SVD on logit vectors from multiple API queries. Since all logits lie in an hh-dimensional subspace, the number of significant singular values reveals the hidden dimension size.

  2. Full Layer Extraction: Recover the complete embedding projection matrix EE (up to a linear transformation EGE \cdot G) using the same SVD approach - the matrix UΣU \cdot \Sigma from the decomposition corresponds to the transformed embedding layer.

  3. Multiple API Scenarios: Developed attacks for varying API constraints:

    • Top-K logprobs with logit bias (most practical)
    • Top-1 logprobs with binary logit bias
    • Logprob-free attacks using only the argmax output

Major Results

Production Model Extractions:

  • OpenAI ada: 1,024 hidden dimensions, full matrix extracted for ~$4
  • OpenAI babbage: 2,048 hidden dimensions, full matrix extracted for ~$12
  • OpenAI babbage-002: 1,536 hidden dimensions
  • GPT-3.5 models: Hidden dimensions recovered for ~$200-800 (exact sizes withheld per agreement)

Accuracy: Recovered embedding matrices with RMS error of 10410^{-4} to 10310^{-3}, validated on open-source models (GPT-2, Pythia, LLaMA) with near-perfect reconstruction.

Efficiency: The attacks are remarkably cost-effective, requiring only thousands to millions of queries and costing under $20 for smaller models.

Significance & Impact

This represents the first practical parameter extraction from production LLMs, confirming that even "black-box" APIs can leak precise architectural information. While only recovering one layer, it demonstrates that model stealing extends beyond academic toy problems to real deployed systems.

Defenses Implemented: Both OpenAI and Google implemented mitigations after responsible disclosure, including restrictions on combining logit bias with logprobs and other API limitations.

The work highlights how seemingly innocuous API features (logit bias, logprobs) can create unexpected security vulnerabilities in production ML systems.

replyquoteparent
Thinking Summary

The user is asking about Table 2 in the paper. Let me find Table 2 in the document. Looking through the paper... I see several tables mentioned. Let me find Table 2 specifically. Looking at the tables in the paper: Table 1 is "Summary of APIs" Table 2 appears to be... let me search for "table 2" or "\label{tab:" to find the second table. I see: - Table 1: Summary of APIs (\label{tab:threat models_summary}) - Then there's Table 2 which appears to be: "Attack success rate on five different black-box models" (\label{tab:model_comparison}) Looking at Table 2: ``` \begin{table*} \centering \begin{threeparttable}[] \small \centering \caption{Attack success rate on five different black-box models} \label{tab:model_comparison} \begin{tabular}{@{} l rrr ccr @{}} \toprule & \multicolumn{3}{c}{Dimension Extraction} & \multicolumn{3}{c}{Weight Matrix Extraction} \\ \cmidrule(lr){2-2} \cmidrule(lr){2-4} \cmidrule(lr){5-7} Model & Size & \# Queries & Cost (USD) & RMS & \# Queries & Cost (USD) \\ \midrule OpenAI \ada{} & \makebox[0.8em][l]{}$1024$\,\checkmark\makebox[0.8em][l]{} & $<2 \cdot 10^6$ & \$1 & $5 \cdot 10^{-4}$ & $<2 \cdot 10^7$\makebox[1.1em][l]{} & \$4\makebox[0.8em][l]{} \\ ``` Continuing with the next row, I notice the OpenAI Babbage model's specifications. The model has a larger size of 2048, with slightly higher query numbers and costs compared to the Ada model. The weight matrix extraction shows increased root mean square (RMS) values and query counts. ``` The table lists five different OpenAI language models, detailing their performance metrics and pricing across various dimensions. Each row represents a distinct model with specific characteristics related to computational efficiency and cost. I notice the models range from earlier versions like ada and babbage to more recent iterations like gpt-3.5-turbo variants. The data suggests significant improvements in model capabilities and pricing structures across generations. The notation includes checkmarks, asterisks, and daggers, which likely indicate different evaluation criteria or model attributes. Pricing varies substantially, from as low as $2 to as high as $8,000, reflecting the models' complexity and computational requirements.

Looking at Table 2 in the paper (labeled "Attack success rate on five different black-box models"), the rows represent different OpenAI language models:

  1. OpenAI ada - Hidden dimension: 1,024
  2. OpenAI babbage - Hidden dimension: 2,048
  3. OpenAI babbage-002 - Hidden dimension: 1,536
  4. OpenAI gpt-3.5-turbo-instruct - Hidden dimension: withheld (marked with *)
  5. OpenAI gpt-3.5-turbo-1106 - Hidden dimension: withheld (marked with *)

Each row shows the results of applying their parameter extraction attack to these specific OpenAI production models, including:

  • The recovered hidden dimension size
  • Number of queries needed for dimension extraction vs. full weight matrix extraction
  • Associated costs in USD
  • Root Mean Square (RMS) error for weight matrix reconstruction

The checkmarks (✓) indicate that the extracted sizes were confirmed to be exactly correct through discussions with OpenAI. The asterisks (*) indicate that OpenAI requested the specific dimension sizes for the GPT-3.5 models not be published, though the authors confirmed their attack recovered the correct values.

replyquoteparent