defense 2025

Attacks and Defenses Against LLM Fingerprinting

Kevin Kurian , Ethan Holland , Sean Oesch

Oak Ridge National Laboratory

0 citations
α

Published on arXiv

2508.09021

Model Theft

OWASP ML Top 10 — ML05

Model Theft

OWASP LLM Top 10 — LLM10

Key Finding

RL-optimized 3-query fingerprinting outperforms random 3-query selection; secondary-LLM output filtering reduces fingerprinting accuracy while preserving semantic integrity.

RL-optimized query selection + semantic-preserving output filtering

Novel technique introduced

As large language models are increasingly deployed in sensitive environments, fingerprinting attacks pose significant privacy and security risks. We present a study of LLM fingerprinting from both offensive and defensive perspectives. Our attack methodology uses reinforcement learning to automatically optimize query selection, achieving better fingerprinting accuracy with only 3 queries compared to randomly selecting 3 queries from the same pool. Our defensive approach employs semantic-preserving output filtering through a secondary LLM to obfuscate model identity while maintaining semantic integrity. The defensive method reduces fingerprinting accuracy across tested models while preserving output quality. These contributions show the potential to improve fingerprinting tools capabilities while providing practical mitigation strategies against fingerprinting attacks.

Key Contributions

  • RL-based attack that optimizes query selection to achieve higher LLM fingerprinting accuracy using only 3 queries, outperforming random selection from the same pool
  • Semantic-preserving output filtering defense using a secondary LLM to obfuscate model identity while maintaining output quality
  • Empirical evaluation demonstrating improved attack accuracy and measurable defense effectiveness across multiple LLMs

🛡️ Threat Analysis

Model Theft

LLM fingerprinting targets model identity as intellectual property — determining which model is deployed behind an API is a model IP disclosure threat. The defense directly protects against this by obfuscating model identity, which falls squarely within the model theft / model IP protection scope of ML05.

Details

Domains
nlp
Model Types
llmrl
Threat Tags
black_boxinference_time
Applications
llm api servicesmodel identity protection
Read PDF arXiv

Similar Papers

defense

TZ-LLM: Protecting On-Device Large Language Models with Arm TrustZone

2025 2 cit.
Model Theft
92%
defense

RegionMarker: A Region-Triggered Semantic Watermarking Framework for Embedding-as-a-Service Copyright Protection

2025 0 cit.
Model Theft
86%
defense

SecureInfer: Heterogeneous TEE-GPU Architecture for Privacy-Critical Tensors for Large Language Model Deployment

2025 1 cit.
Model Theft
86%
defense

EditMF: Drawing an Invisible Fingerprint for Your Large Language Models

2025 0 cit.
Model Theft
86%
defense

From Essence to Defense: Adaptive Semantic-aware Watermarking for Embedding-as-a-Service Copyright Protection

2025 0 cit.
Model Theft
86%
defense

Reading Between the Lines: Towards Reliable Black-box LLM Fingerprinting via Zeroth-order Gradient Estimation

2025 0 cit.
Model Theft
86%
defense

FNF: Functional Network Fingerprint for Large Language Models

2026 0 cit.
Model Theft
86%
defense

Towards Distillation-Resistant Large Language Models: An Information-Theoretic Perspective

2026 0 cit.
Model Theft
86%