Prompt Inference Attack on Distributed Large Language Model Inference Frameworks
Xinjian Luo, Ting Yu, Xiaokui Xiao
TL;DR
This work investigates prompt privacy in distributed LLM inference by proposing three black-box prompt inference attacks that reconstruct input prompts from intermediate embeddings. The attacks span unlimited and limited query budgets and include a classifier-based, data augmentation, and a semi-supervised three-phase framework with nearest-neighbor, classifier, and beam search components. Across multiple decoder-only LLMs and datasets, the authors observe reconstruction accuracies exceeding 90% for the first two attacks and typically above 50% for the third, with early-layer embeddings being most vulnerable. The findings underscore significant privacy risks in distributed inference frameworks and motivate defenses such as encryption and differential privacy, while highlighting practical considerations for deployment and future research directions.
Abstract
The inference process of modern large language models (LLMs) demands prohibitive computational resources, rendering them infeasible for deployment on consumer-grade devices. To address this limitation, recent studies propose distributed LLM inference frameworks, which employ split learning principles to enable collaborative LLM inference on resource-constrained hardware. However, distributing LLM layers across participants requires the transmission of intermediate outputs, which may introduce privacy risks to the original input prompts - a critical issue that has yet to be thoroughly explored in the literature. In this paper, we rigorously examine the privacy vulnerabilities of distributed LLM inference frameworks by designing and evaluating three prompt inference attacks aimed at reconstructing input prompts from intermediate LLM outputs. These attacks are developed under various query and data constraints to reflect diverse real-world LLM service scenarios. Specifically, the first attack assumes an unlimited query budget and access to an auxiliary dataset sharing the same distribution as the target prompts. The second attack also leverages unlimited queries but uses an auxiliary dataset with a distribution differing from the target prompts. The third attack operates under the most restrictive scenario, with limited query budgets and no auxiliary dataset available. We evaluate these attacks on a range of LLMs, including state-of-the-art models such as Llama-3.2 and Phi-3.5, as well as widely-used models like GPT-2 and BERT for comparative analysis. Our experiments show that the first two attacks achieve reconstruction accuracies exceeding 90%, while the third achieves accuracies typically above 50%, even under stringent constraints. These findings highlight privacy risks in distributed LLM inference frameworks, issuing a strong alert on their deployment in real-world applications.