Aggressive Compression Enables LLM Weight Theft
Davis Brown, Juan-Pablo Rivera, Dan Hendrycks, Mantas Mazeika
TL;DR
The paper analyzes weight exfiltration risk for large language models by showing that extreme compression of model weights, if decompression constraints are relaxed, can dramatically accelerate theft. It introduces a simple quantitative model using $T = \frac{M c}{E N s}$ and $P_{\text{success}} = (1 - p)^T$ to connect compression, usage profiles, and detection to exfiltration feasibility, and demonstrates that $16\times$ to $100\times$ compression is achievable with minimal degradation. A novel compression method, VQ-then-train, achieves substantially higher compression than prior schemes and improves exfiltration feasibility under realistic attacker assumptions. The study also evaluates defenses, finding that forensic watermarking offers effective, low-cost attribution while other defenses (compressibility resistance and moving-target strategies) have mixed effectiveness due to adaptive attacks such as canonicalisation. Overall, the work highlights a critical security risk for weight theft and suggests actionable defense directions to mitigate exfiltration in deployed LLM systems.
Abstract
As frontier AIs become more powerful and costly to develop, adversaries have increasing incentives to steal model weights by mounting exfiltration attacks. In this work, we consider exfiltration attacks where an adversary attempts to sneak model weights out of a datacenter over a network. While exfiltration attacks are multi-step cyber attacks, we demonstrate that a single factor, the compressibility of model weights, significantly heightens exfiltration risk for large language models (LLMs). We tailor compression specifically for exfiltration by relaxing decompression constraints and demonstrate that attackers could achieve 16x to 100x compression with minimal trade-offs, reducing the time it would take for an attacker to illicitly transmit model weights from the defender's server from months to days. Finally, we study defenses designed to reduce exfiltration risk in three distinct ways: making models harder to compress, making them harder to 'find,' and tracking provenance for post-attack analysis using forensic watermarks. While all defenses are promising, the forensic watermark defense is both effective and cheap, and therefore is a particularly attractive lever for mitigating weight-exfiltration risk.
