Aggressive Compression Enables LLM Weight Theft

As frontier AIs become more powerful and costly to develop, adversaries have increasing incentives to steal model weights by mounting exfiltration attacks. In this work, we consider exfiltration attacks where an adversary attempts to sneak model weights out of a datacenter over a network. While exfiltration attacks are multi-step cyber attacks, we demonstrate that a single factor, the compressibility of model weights, significantly heightens exfiltration risk for large language models (LLMs). We tailor compression specifically for exfiltration by relaxing decompression constraints and demonstrate that attackers could achieve 16x to 100x compression with minimal trade-offs, reducing the time it would take for an attacker to illicitly transmit model weights from the defender's server from months to days. Finally, we study defenses designed to reduce exfiltration risk in three distinct ways: making models harder to compress, making them harder to 'find,' and tracking provenance for post-attack analysis using forensic watermarks. While all defenses are promising, the forensic watermark defense is both effective and cheap, and therefore is a particularly attractive lever for mitigating weight-exfiltration risk.

Key Contributions

• Demonstrates that tailored aggressive compression (relaxing decompression constraints) achieves 16x–100x compression of LLM weights with minimal quality trade-offs, reducing exfiltration time from months to days
• Introduces an exfiltration-optimized compression methodology that treats decompression cost as irrelevant, unlike standard compression use cases
• Evaluates three defensive countermeasures — compression resistance, model obfuscation, and forensic watermarking — finding forensic watermarks to be the most cost-effective mitigation

🛡️ Threat Analysis

Details

Similar Papers