TransLinkGuard: Safeguarding Transformer Models Against Model Stealing in Edge Deployment

Qinfeng Li, Zhiqiang Shen, Zhenghan Qin, Yangfan Xie, Xuhong Zhang, Tianyu Du, Jianwei Yin

TL;DR

TransLinkGuard is a proposed plug-and-play model protection approach against model stealing on edge devices; it achieves the same security as black-box guarantees with negligible overhead.

Abstract

Proprietary large language models (LLMs) have been widely applied in various scenarios. Additionally, deploying LLMs on edge devices is trending for efficiency and privacy reasons. However, edge deployment of proprietary LLMs introduces new security challenges: edge-deployed models are exposed as white-box accessible to users, enabling adversaries to conduct effective model stealing (MS) attacks. Unfortunately, existing defense mechanisms fail to provide effective protection. Specifically, we identify four critical protection properties that existing methods fail to simultaneously satisfy: (1) maintaining protection after a model is physically copied; (2) authorizing model access at the request level; (3) safeguarding against runtime reverse engineering; (4) achieving high security with negligible runtime overhead. To address the above issues, we propose TransLinkGuard, a plug-and-play model protection approach against model stealing on edge devices. The core part of TransLinkGuard is a lightweight authorization module residing in a secure environment, e.g., a TEE. The authorization module can freshly authorize each request based on its input. Extensive experiments show that TransLinkGuard achieves the same security protection as the black-box security guarantees with negligible overhead.


Paper Structure (45 sections, 9 equations, 3 figures, 5 tables, 1 algorithm)


Figures (3)

  • Figure 1: Paradigms of interacting with LLMs. (a) API-based access: users send data to the model owner. (b) Direct edge deployment: the model is straightforwardly deployed in a normal environment. (c) TransLinkGuard: deploy the locked models in a normal environment and the corresponding authorization module in a secure environment.
  • Figure 2: An overview of TransLinkGuard. (a) Model lockdown: TransLinkGuard uses permutation matrices to permute each transformer layer in $M_{ori}$, creating a locked model $M_{vic}$. (b) Inference authorization: as a prerequisite, the input features of the permuted layers must be authorized before they can be processed by the permuted layer. To facilitate this, the authorization process is integrated within the MLP block of the preceding transformer layer.
  • Figure 3: Comparison of TransLinkGuard and the black-box protection against MS attacks with different sizes of dataset.
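As an added illustration of the model lockdown and inference authorization that Figure 2 describes (this is not the paper's code; it reduces the scheme to a single linear layer y = W x standing in for one permuted layer, and models the authorization module as a standalone TEE-side permutation of the input features rather than the MLP-integrated form the caption mentions):

```python
# Added example, not the paper's implementation. Toy of TransLinkGuard's
# permutation lockdown: the edge device holds only the permuted weights,
# and a request is usable only if the TEE module permutes its input
# features with the matching secret permutation. Pure Python, no numpy.
import random

def matvec(W, x):
    """y = W x for a list-of-rows matrix W and a vector x."""
    return [sum(w * xi for w, xi in zip(row, x)) for row in W]

def lock_layer(W, perm):
    """Model lockdown: column j of the locked weight is column perm[j] of W.
    This locked matrix is what ships to the white-box edge device."""
    return [[row[perm[j]] for j in range(len(row))] for row in W]

def authorize(x, perm):
    """Authorization module (perm stays inside the TEE): reorder the input
    features so they line up with the locked layer's permuted columns."""
    return [x[perm[j]] for j in range(len(x))]

def inference(W, x, perm):
    """Returns (reference, authorized, unauthorized) outputs.
    reference   : the original model M_ori applied to x
    authorized  : locked model on TEE-authorized features (matches reference)
    unauthorized: a physically copied locked model used without the TEE"""
    W_lock = lock_layer(W, perm)
    reference = matvec(W, x)
    authorized = matvec(W_lock, authorize(x, perm))
    unauthorized = matvec(W_lock, x)
    return reference, authorized, unauthorized

def random_perm(n, seed=0):
    """A fresh secret permutation; the number of candidates an attacker must
    consider grows as n! with the feature dimension n."""
    rng = random.Random(seed)
    perm = list(range(n))
    rng.shuffle(perm)
    return perm

# Constructed sample values (hypothetical, chosen for hand-checkable sums).
W_SAMPLE = [[1, 2, 3, 4], [5, 6, 7, 8]]
X_SAMPLE = [1, 2, 3, 4]
PERM_SAMPLE = [2, 0, 3, 1]

if __name__ == "__main__":
    ref, auth, unauth = inference(W_SAMPLE, X_SAMPLE, PERM_SAMPLE)
    print("reference   :", ref)     # [30, 70]
    print("authorized  :", auth)    # [30, 70]
    print("unauthorized:", unauth)  # [25, 65]
```

The locked weights alone are useless to a copier because every request must pass through the secret permutation, which is exactly the per-request, input-dependent authorization the abstract calls for.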