SLIP: Securing LLMs IP Using Weights Decomposition

Yehonathan Refael, Adam Hakim, Lev Greenberg, Satya Lokam, Tal Aviv, Ben Fishman, Shachar Seidman, Racchit Jain, Jay Tenenbaum

TL;DR

SLIP addresses the risk of IP theft when deploying large language models on edge devices by partitioning model weights between a secure resource and a cost-efficient, insecure device using an SVD-based decomposition. The secure side retains the top-k singular components to protect IP, while the remainder is offloaded, with a provably secure masking protocol that preserves accuracy and introduces minimal latency. The framework defines four core guarantees—Usefulness, Safety, Security, and Efficiency—and demonstrates applicability to MLPs, CNNs, and transformers, with experimental validation on GPT-2, Phi-2, and LLaMA2-7B showing robust IP protection even under fine-tuning attempts. This work provides a practical path for edge-enabled, IP-safe LLM deployment, balancing cost, latency, and security without sacrificing model quality.

Abstract

Large language models (LLMs) have recently seen widespread adoption in both academia and industry. As these models grow, they become valuable intellectual property (IP), reflecting substantial investments by their owners. The high cost of cloud-based deployment has spurred interest in running models on edge devices, but this risks exposing parameters to theft and unauthorized use. Existing approaches to protect model IP on the edge trade off practicality, accuracy, or deployment requirements. We introduce SLIP, a hybrid inference algorithm designed to protect edge-deployed models from theft. SLIP is, to our knowledge, the first hybrid protocol that is both practical for real-world applications and provably secure, while incurring zero accuracy degradation and minimal latency overhead. It partitions the model across two computing resources: one secure but expensive, and one cost-effective but vulnerable. Using matrix decomposition, the secure resource retains the most sensitive portion of the model's IP while performing only a small fraction of the computation; the vulnerable resource executes the remainder. The protocol includes security guarantees that prevent attackers from using the partition to infer the protected information. Finally, we present experimental results that demonstrate the robustness and effectiveness of our method, positioning it as a compelling solution for protecting LLMs.

Paper Structure

This paper contains 30 sections, 4 theorems, 28 equations, 6 figures, 4 tables.

Key Result

Theorem 1

Let $s\in\mathbb{Z}^d$ be a discrete random variable and $n\sim{\bf U}[0,L-1]^d$ random noise, and denote the masked variable by $s_n = \text{mod}(s + n, L)$. Then $s_n \sim {\bf U}[0,L-1]^d$, and $s_n$ and $s$ are independent.
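Theorem 1 is a modular one-time pad: adding noise that is uniform over $[0, L-1]$ and reducing mod $L$ makes the masked vector uniform and independent of the secret, while the party that holds the noise can strip it off again. The following Python is an added illustration, not the paper's or the authors' code; the function names are mine, and it checks the theorem by exhaustive enumeration over all noise vectors, which is only feasible for small $L$ and $d$. It also shows the caveat a practitioner should care about: if the noise is not uniform mod $L$ (drawn from a range that is not a multiple of $L$), the masked value is no longer uniform and therefore leaks information about $s$.

```python
"""Added example: the modular masking behind SLIP's Theorem 1.

s is the secret integer vector, n the uniform noise, L the modulus.
This is illustrative code, not the SLIP authors' implementation."""
import secrets
from collections import Counter
from itertools import product


def mask(s, n, L):
    """s_n = (s + n) mod L, applied elementwise (Python's % is non-negative)."""
    return [(si + ni) % L for si, ni in zip(s, n)]


def unmask(s_n, n, L):
    """The party holding n recovers s mod L; encode s in [0, L-1] beforehand
    (an assumption of this example) so that the result is s itself."""
    return [(xi - ni) % L for xi, ni in zip(s_n, n)]


def sample_noise(d, L):
    """Fresh uniform noise in [0, L-1]^d from a CSPRNG. Reusing n across two
    secrets would let their difference leak, exactly as with a reused pad."""
    return [secrets.randbelow(L) for _ in range(d)]


def exact_distribution(s, L, noise_range):
    """Count how often each masked vector occurs when n ranges over all of
    [0, noise_range-1]^d. Exhaustive, so the histogram is exact, not sampled."""
    d = len(s)
    counts = Counter()
    for n in product(range(noise_range), repeat=d):
        counts[tuple(mask(s, n, L))] += 1
    return counts


def is_perfectly_masked(L, d, test_secrets, noise_range=None):
    """True iff, for every test secret, every one of the L**d possible masked
    vectors occurs equally often. A uniform output that is the same for each s
    is what makes s_n independent of s (Theorem 1). noise_range defaults to L,
    the uniform noise the theorem assumes."""
    noise_range = L if noise_range is None else noise_range
    total = L ** d
    for s in test_secrets:
        counts = exact_distribution(s, L, noise_range)
        if len(counts) != total or len(set(counts.values())) != 1:
            return False
    return True


if __name__ == "__main__":
    L, d = 7, 2
    print("uniform noise mod L:", is_perfectly_masked(L, d, [[0, 0], [3, 6]]))
    print("noise range 4 (< L):", is_perfectly_masked(L, d, [[0, 0]], noise_range=4))
    print("noise range 8 (not a multiple of L):",
          is_perfectly_masked(L, d, [[0, 0]], noise_range=8))
    s = [1, 2, 3]
    n = sample_noise(len(s), L)
    print("round trip:", unmask(mask(s, n, L), n, L) == s)
```

Run as a script to see the three checks: uniform noise over the full range $[0, L-1]$ passes, while noise drawn from a range that is smaller than $L$ or not a multiple of $L$ fails, because some residues mod $L$ are then more likely than others and the histogram of $s_n$ depends on $s$.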

Figures (6)

  • Figure 1: The proposed framework, consisting of the Model Decomposition and the Hybrid Inference Protocol
  • Figure 2: Singular values of the weight matrices of each model, quickly decreasing from largest to smallest.
  • Figure 3: Performance degradation of the LLMs when bypassing windows of 1, 3, 5, or 7 consecutive decoder blocks, compared to the baseline model. The x-axis represents the center block of each window, while the y-axis shows the perplexity (lower perplexity is better).
  • Figure 4: Perplexity scores for all three models, after removing various numbers of singular components from different layer types in a single decoder block. Results are averaged across all possible blocks.
  • Figure 5: Impact of fine-tuning on various decomposition configurations. Left: list of experimented configurations, with % of offloaded computation to David, number of top singular values retained by Charlie from each layer, and the number of sensitive layers (blocks) in the beginning and end of the model. Right: the perplexity after decomposition (red) and after retraining (green). The experiment starting from randomized weights is dotted, and the baseline perplexity is in gray.
  • ...and 1 more figure

Theorems & Definitions (14)

  • Definition 1: Model Decomposition
  • Definition 2: Hybrid Inference Protocol
  • Definition 3: Usefulness
  • Definition 4: Safety
  • Definition 5: Security
  • Definition 6: Efficiency
  • Theorem 1: Perfectly secure masking
  • Lemma 2
  • proof
  • proof
  • ...and 4 more