Trusting What You Cannot See: Auditable Fine-Tuning and Inference for Proprietary AI

Heng Jin, Chaoyu Zhang, Hexuan Yu, Shanghao Shi, Ning Zhang, Y. Thomas Hou, Wenjing Lou

TL;DR

This work presents AFTUNE, an auditable and verifiable framework that ensures the computation integrity of cloud-based fine-tuning and inference, and incorporates a lightweight recording and spot-check mechanism that produces verifiable traces of execution.

Abstract

Cloud-based infrastructures have become the dominant platform for deploying large models, particularly large language models (LLMs). Fine-tuning and inference are increasingly delegated to cloud providers for simplified deployment and access to proprietary models, yet this creates a fundamental trust gap: although cryptographic and TEE-based verification exist, the scale of modern LLMs renders them prohibitive, leaving clients unable to practically audit these processes. This lack of transparency creates concrete security risks that can silently compromise service integrity. We present AFTUNE, an auditable and verifiable framework that ensures the computation integrity of cloud-based fine-tuning and inference. AFTUNE incorporates a lightweight recording and spot-check mechanism that produces verifiable traces of execution. These traces enable clients to later audit whether the training and inference processes followed the agreed configurations. Our evaluation shows that AFTUNE imposes practical computation overhead while enabling selective and efficient verification, demonstrating that trustworthy model services are achievable in today's cloud environments.

Paper Structure (38 sections, 12 equations, 10 figures, 5 tables, 1 algorithm)

This paper contains 38 sections, 12 equations, 10 figures, 5 tables, 1 algorithm.

Figures (10)

  • Figure 1: Each rectangle represents the full model at one training step. The red dashed border indicates blocks that will be independently verified, each of which contains only a portion of the training procedure.
  • Figure 2: AFTUNE workflow overview. The system operates through setup and negotiation, fine-tuning, and inference phases. During execution, the provider commits boundary state hashes to the client and stores boundary states in cloud storage. Clients can verify training or inference computations on-demand through TEE-based selective recomputation of sampled regions.
  • Figure 3: Two-dimensional block structure organizing the training procedure. The dashed border shows a single block spanning 4 layers and 3 steps. AFTUNE records only boundary states: activations and gradients at layer block edges, parameters and optimizer states at step block boundaries. Each block serves as an atomic, independently verifiable unit.
  • Figure 4: Training overhead composition across different models with the second configuration from Table \ref{tab:comprehensive_overhead}. Top row: Time overhead proportions for Qwen2.5-14B, Llama-3.1-8B, DINOv2-Giant, ViT-Large (left to right), followed by legend showing hash computation, I/O, and other AFTUNE operations. Bottom row: Storage proportions for the same models, followed by legend showing activations, gradients, and parameters.
  • Figure 5: Training verification accuracy: parameter relative $L_2$ error across layer block sizes and step block sizes.
  • ...and 5 more figures
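
The boundary-state commitment and spot-check idea from the Figure 2 and Figure 3 captions, as an added toy example that is not AFTUNE's code. It is narrowed to the layer dimension of a forward pass: the integer "layer", SHA-256 over JSON, the sample data and all function names are assumptions, and the verifier is a plain function rather than a TEE.

```python
import hashlib, json

MOD = 2**31 - 1  # assumption: integer arithmetic so recomputation is bit-exact

def layer(x, w):
    # Toy deterministic stand-in for one model layer (not a real network layer).
    return [(xi * w + i) % MOD for i, xi in enumerate(x)]

def digest(state):
    # Assumed commitment: SHA-256 of the JSON-serialized boundary state.
    return hashlib.sha256(json.dumps(state).encode()).hexdigest()

def run_and_record(x, weights, block):
    """Provider: run every layer, keep only the states at layer-block edges,
    and return (stored boundary states, hash commitments sent to the client)."""
    stored = {0: x}
    for i, w in enumerate(weights, start=1):
        x = layer(x, w)
        if i % block == 0 or i == len(weights):
            stored[i] = x
    return stored, {k: digest(v) for k, v in stored.items()}

def audit_block(start, end, stored, commits, weights):
    """Verifier: recompute one block from its stored input boundary state
    using the agreed weights and compare against the committed output hash."""
    x = stored[start]
    if digest(x) != commits[start]:
        return False  # stored state was altered after it was committed
    for w in weights[start:end]:
        x = layer(x, w)
    return digest(x) == commits[end]

def failing_blocks(stored, commits, weights):
    """Audit every block independently; return the (start, end) pairs that fail."""
    edges = sorted(stored)
    return [(a, b) for a, b in zip(edges, edges[1:])
            if not audit_block(a, b, stored, commits, weights)]

# Constructed sample data: 12 agreed layer weights, and a run that deviates
# from the agreed configuration in layer 6 only.
AGREED = list(range(3, 15))
INPUT = [1, 2, 3, 4]
DEVIANT = AGREED[:5] + [999] + AGREED[6:]

if __name__ == "__main__":
    print(failing_blocks(*run_and_record(INPUT, AGREED, 4), AGREED))
    print(failing_blocks(*run_and_record(INPUT, DEVIANT, 4), AGREED))
```

Only the block containing the deviating layer fails; the blocks before and after it verify cleanly, so an auditor who samples one of the three blocks uniformly catches this deviation with probability 1/3.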