Model Leeching is a novel extraction attack targeting Large Language Models (LLMs), capable of distilling task-specific knowledge from a target LLM into a reduced parameter model. We demonstrate the effectiveness of our attack by extracting task capability from ChatGPT-3.5-Turbo, achieving 73% Exact Match (EM) similarity, and SQuAD EM and F1 accuracy scores of 75% and 87%, respectively for only $50 in API cost. We further demonstrate the feasibility of adversarial attack transferability from an extracted model extracted via Model Leeching to perform ML attack staging against a target LLM, resulting in an 11% increase to attack success rate when applied to ChatGPT-3.5-Turbo.
Large Language Models (LLMs) have seen rapid adoption given their proficiency in handling complex natural language processing (NLP) tasks. LLMs leverage Deep Learning (DL) algorithms to process and understand a variety of natural language tasks spanning text completion, Question & Answering, and summarization [1]. While production LLMs such as ChatGPT, BARD, and LLaMA [2] [3] [4] have garnered substantial attention, their uptake has also highlighted pressing concerns on growing their exposure to adversarial attacks [4]. Studies on adversarial attacks against LLMs are limited, with urgent need to investigate their risk to data leakage, model stealing (extraction), and attack transferability across models [5] [6].
In this paper we propose Model Leeching, an extraction attack against LLMs capable of creating an extracted model via distilling task knowledge from a target LLM. Our attack is performed by designing an automated prompt generation system [7] targeting specific tasks within LLMs. The prompt system is used to create an extracted model by extracting and copying task-specific data characteristics from a target model [8]. Model Leeching attack is applicable to any LLM with a public API endpoint, and can be successfully achieved at minimal economic cost. Moreover, we demonstrate how Model Leeching can be exploited to perform ML attack staging onto other LLMs (including the original target LLM). Our contributions are: dataset (SQuAD) into a Roberta-Large base model. Our findings demonstrate that a large QA dataset can be successfully labelled and leveraged to create an extracted model with 73% EM similarity to ChatGPT-3.5-Turbo, and achieve SQuAD EM and F1 accuracy scores of 75% and 87%, respectively at $50 cost.
β’ We study the capability to exploit an extracted model derived from Model Leeching to perform further ML attack staging upon a production LLM. Our results show that a language attack [10] optimized for an extracted model can be successfully transferred into ChatGPT-3.5-Turbo with an 11% attack success increase. Our results highlight evidence of adversarial attack transferability between user-created models and production LLMs.
Model extraction is the process of extracting the fundamental characteristics of a DL model [11].
An extracted model is created via extracting specific characteristics (architecture, parameters, and hyper-parameters [12]) from a target model of interest, which are then used to perform model recreation [13]. Once the attacker has established an extracted model, further adversarial attacks can be staged encompassing model inversion, membership inference, leaking privacy data, and model intellectual property theft [14].
State-of-the-art LLMs leveraging the transformer architecture [15] typically comprise hundreds of billions of parameters [16]. Using the established taxonomy of adversaries against DL models [17], our proposed attacks assume a weak adversary capable of providing model input via an LLM API endpoint, and a model output requiring generated text from a target LLM. The adversary has no knowledge of the target architecture or training data used to construct the underlying LLM parameters. Note that the threat model assumptions pertaining to potential rate limiting, or limited access to the target API can be relaxed due the ability to distribute data generation across multiple API keys.
Model Leeching is a black-box adversarial attack which seeks to create an extracted copy of the target LLM within a specific task. The attack comprises a four-phases approach as shown in Figure 1: (
Performing Model Leeching successfully requires correct prompt design. Adversaries must design well-structured prompts that accurately define the relevancy and depth of the necessary generated responses in order to identify task-specific knowledge of interest. Depending on the use case, prompt design is achieved manually or through automated methods [8]. Model Leeching leverages the following three-stage prompt design process:
1. Knowledge Discovery. An adversary first defines the type of task knowledge to extract.
Once defined, an adversary assesses specific target LLM prompt responses to ascertain its affinity to generate task knowledge. This assessment encompasses domain (NLP, image, audio, etc.), response patterns, comprehension limitations, and instruction adherence for particular knowledge domains [18,19,20]. Following successful completion of this assessment, the adversary is able to devise an effective strategy to extract desired characteristics. 2. Construction. Subsequently, the adversary crafts a prompt template that integrates an instruction set reflecting the strategy formulated during the knowledge discovery stage. Template design encompasses distinctive response structure of the target LLM, its recognized limitations, and task-specific knowledge identified for extraction. This template facilitates dynamic prompt generation within the Model Leeching process. 3. Validation. The adversary validates the created prompt and response generated from the target LLM. Validation entails ensuring the LLM responds reliably to prompts, represented as a consistent response structure and ability to carry out given instructions. Ensuring that the target LLM is capable enough to carry out the required task, that it can process and action upon its given instructions. This validation activity enables the Model Leeching method to generate responses that can be used to effectively train local models with extracted task-specific knowledge.
The prompt design process follows an iterative approach, typically requiring multiple variations and refinements to devise the most effective instructions and styles for obtaining desired results from a specific LLM for a given task [20].
Once a suitable prompt has been designed, the adversary targets the given LLM (π π‘πππππ‘ ). This refined prompt is specified to capture desired LLM purpose and task (e.g. Summarization, Chat, Question & Answers, etc.) to be instilled within the extracted model [21]. Given a ground truth dataset (π· π‘ππ’π‘β ), all examples are processed into prompts recognized as valid target LLM inputs. Once all queries have been processed by the target LLM, we generate an adversarial dataset (π· πππ£ ) combining inputs with received LLM replies, as well as automated validation (removing API request errors, failed, or erroneous prompts). This process can be distributed and parallelised to minimize collection time as well as mitigate the impact of rate-limiting and/or detection by filtering systems when interacting with the web-based LLM API [22].
Using (π· πππ£ ), data is split into train (π΄ππ£ π‘ππππ ) and evaluation (π΄ππ£ ππ£ππ ) sets used for extracted model training and attack success evaluation. A pre-trained or empty base model (π πππ π ) is selected for distilling knowledge from the target LLM. This base model is then trained upon (π΄ππ£ π‘ππππ ) with selected hyper-parameters producing an extracted model (π ππ₯π‘ππππ‘ππ ). Using evaluation set (π΄ππ£ ππ£ππ ), similarity and accuracy in a given task can be evaluated and compared using answers generated by (π ππ₯π‘ππππ‘ππ ) and (π π‘πππππ‘ ).
Access to an extracted model (local to an adversary) created from a target LLM facilitates the execution of augmented adversarial attacks. This extracted model allows an adversary to perform unrestricted model querying to test, modify or tailor adversarial attack(s) to discover exploits and vulnerabilities against a target LLM [10]. Furthermore, access to an extracted model enables an adversary to operate in a sandbox environment to conduct adversarial attacks prior to executing the same attack(s) against the target LLM in production (and of particular concern, whilst minimizing the likelihood of detection by the provider).
To demonstrate the effectiveness of Model Leeching, we created a set of extracted models using ChatGPT-3.5-Turbo as the target model, with Question & Answers as the target task. Taskspecific prompts were designed and generated using the Stanford Question Answering 1.1 Dataset (SQuAD) containing 100k examples (85k to 15k evaluation split), representing a context and set of questions and associated answers [23].
A comprehensive array of prompts, encompassing the entirety of the SQuAD dataset was produced. These prompts adhere to a template containing the specific SQuAD question and context, enabling ChatGPT-3.5-Turbo to efficiently process and respond to the given task. As seen in Figure 2, each rule instructs the target LLM to produce an output desired by the adversary ensuring effective capture of task-specific knowledge. The template comprises:
1. Target LLM is specifically directed to provide only the precise answer to the assigned SQuAD question, drawn solely from the provided SQuAD context. This stipulation is
Can you answer this question briefly: "{{SQuAD Question}}".
Rules: 1). Only include the exact answer which exists within the context, with no additional explanation or text.
2). Additionally include the sentence where the answer occurred.
3). Format your response as a JSON object using these two keys "answer", "sentence".
4). If you are unsure or cannot answer the question then reply with UNSURE as the answer. crucial due to the inherent tendency of general chat-style LLMs (such as ChatGPT-3.5-Turbo) to produce more verbose responses than necessary. In the scope of SQuAD score assessment, only the exact answer is pertinent, negating the need for any additional content. 2. By including the sentence where the answer occurred, the LLM is required to demonstrate a degree of contextual comprehension beyond simple fact extraction, for valid data generation that contains the correct task knowledge. This requirement ensures that the model is not limited to identifying keywords, but understands the broader text semantic structure. In the case of assessing model performance on ChatGPT-3.5-Turbo, the index in which an answer is found within the context is required. 3. Use of a standardized JSON format for responses facilitates efficient and uniform data handling. The keys answer and sentence provide a clear and concise structure, making the model output easier to process and compare algorithmically and manually. 4. Ability to respond with 'UNSURE' provides a safeguard for quality control of model response. By acknowledging its own uncertainty, the LLM avoids disseminating potentially incorrect or misleading information, and assists in parsing prompts that it was unable to complete.
To evaluate the effectiveness of Model Leeching, we selected three different base model architectures and several variants (with models parameter sizes ranging from between 14 to 123 million) to create an extracted model of our target LLM. These six model architectures include Bert [24], Albert [25], and Roberta [26], were selected due to their parameter size and respective performance upon our selected task [26]. The intention of selecting these architectures as candidate extracted models is to to evaluate wether: 1) more sophisticated models (parameters, architecture) are more effective at learning target LLM characteristics; and 2) low parameter models (i.e. 100x smaller vs. ChatGPT-3.5-Turbo) can learn sufficient characteristics from a target LLM, while achieving comparable performance a specific task. Using these candidate model architectures, we train two sets of models for the purposes of evaluation, 1) extracted models; trained upon generated π΄ππ£ π‘ππππ dataset, and 2) baseline models; for performance comparison, trained directly upon the ground-truth SQuAD dataset.
We created and deployed an adversarial attack derived from AddSent [10] that generates an adversarial context by adding a non-factual yet semantically and syntactically correct sentences to the original context from a SQuAD entry (Figure 3). The goal of this attack is to cause a QA model to incorrectly answer a question when given an adversarial context. We further modified this attack to generate a larger variety of adversarial context, selectively chosen based on their success upon our extracted model, which is then sent to the target LLM for improved misclassification likelihood.
We demonstrate the effectiveness of Model Leeching by targeting ChatGPT-3.5-Turbo with a pre-trained Roberta-Large base architecture [26]. Using SQuAD as described in 4.1, we generate a new labelled adversarial dataset through automated prompt generation querying ChatGPT-3.5-Turbo, which is trained upon the base architecture to create an extracted model. We evaluate attack performance by measuring the extracted model performance to a baseline model directly trained on SQuAD with ground truth answers. We demonstrate the feasibility of attack transferability across models by applying the AddSent attack [10] upon the extracted model, generating adversarial perturbations that can be further staged upon the target LLM. In order to explore feasibility of transferability of adversarial vulnerabilities across models. We leverage three metrics for evaluation: Exact Match (EM), and F1 Score used to measure the performance/similarity of our extracted model and ChatGPT-3.5-Turbo [23], and attack success rate for further attack staging representing successful adversarial prompts.
Figure 4 shows that each extracted model performed more similarly to ChatGPT-3.5-Turbo compared to their baseline counterpart, with each model EM and F1 similarity score being up to 10.49% and 5% higher, respectively. Roberta Large achieved the highest ChatGPT-3.5-Turbo similarity, with a 0.73 EM and 0.87 F1 score denoting high similarity to the target LLM [27]. Similarity of the baseline models to ChatGPT-3.5-Turbo is lower than the extracted model, due to being trained using the original SQuAD dataset, whereas the extracted models used a dataset derived from ChatGPT-3.5-Turbo.
Extracted model task performance was evaluated by comparing the SQuAD EM and F1 scores to baseline models and ChatGPT-3.5-Turbo. Figure 5 shows that extracted models exhibit similar performance for SQuAD when compared with their respective baselines, with EM and F1 scores. Evaluating our extracted models against ChatGPT-3.5-Turbo, we observed that Roberta Large achieved the highest similarity to ChatGPT-3.5-Turbo performance exhibiting EM and F1 scores, achieving an EM/F1 score of 0.75/0.87 compared to 0.74/0.87 respectively. Extracted model performance from ChatGPT-3.5-Turbo is sufficiently comparable in performance to state-of-theart literature on QA tasks, where with the hyperparameters used in Roberta Large are more performant than the other architectures [26].
Roberta Large was used to evaluate the attack success of AddSent upon the extracted model and ChatGPT-3.5-Turbo given its high SQuAD accuracy and similarity. AddSent exhibited an attack success of 0.28 and 0.26 upon the extracted model and ChatGPT-3.5-Turbo, respectively. Leveraging access to our extracted model, we selected and sent the best performing 7,205 adversarial examples to ChatGPT-3.5-Turbo. Our results indicate that adversarial examples augmented by AddSent increased attack success by 26% for the extracted model, and 11% to ChatGPT-3.5-Turbo (Figure 6). Attack effectiveness is reduced across models due to ChatGPT-3.5-Turbo being 100x larger in parameter size than local models, and leveraging advanced training methods such as reinforcement learning from human feedback, not used on our local models. While ChatGPT-3.5-Turbo is more task capable and less likely to be evaded by adversarial prompts compared to a local model. However, despite increased adversarial robustness, our results highlight attack transferability exists between an extracted model and its target, demonstrating the feasibility of leveraging distilled knowledge to further stage and subsequently launch improved adversarial attacks upon a production LLM.
Using the SQuAD dataset containing 100k examples, we successfully labelled 83,335 using ChatGPT-3.5-Turbo (see Section 5.1). In total, this process cost $50 and required 48 hours to complete. Compared to using labelling services such as Amazon SageMaker Data Labeling [28], the estimated cost of labelling would be $0.036 per example of data, totalling $3,600, demonstrating a significant reduction in cost when using generative LLMs to label datasets. We additionally note that the success of labelling datasets can be increased by 1) further prompt engineering and optimization to package multiple SQuAD examples into one efficient query enabling reduction in query cost and time; and 2) re-sending of failed SQuAD examples to achieve higher amount of successful labelled examples.
Extracted models derived from Model Leeching demonstrate the ability to effectively learn the characteristics of the target model. Highlighted within Section 5.2, noticeable deviations between our extracted models, and baseline equivalents, against their EM/F1 similarity to the target, demonstrate extracted models contain similarly learned knowledge to the target compared to baseline models. The extracted model responses closely align with those of ChatGPT-3.5-Turbo's, exhibiting similar success and error rates in how they semantically and syntactically answer questions. This finding underscoring the capacity of our model to replicate the behaviour of the target, especially in the given task.
Our findings showcase the possibility of not only extracting knowledge from a LLM, but also transferring this knowledge effectively to a model with significantly fewer parameters. ChatGPT-3.5-Turbo comprises 175 billion parameters, whilst our local models are 100x smaller (See Section 5.3). These smaller local models when trained with the extracted dataset demonstrated the ability to perform the given task effectively. Comparing our extracted model performance upon SQuAD to ChatGPT-3.5-Turbo we observed at worst a 13.2%/12.04% EM/F1 score difference and our best-performing extracted model, Roberta Large, achieving identical SQuAD scores to ChatGPT-3.5-Turbo.
Demonstrated within Section 5.4, it is feasible to utilize an extracted model within an adversaries' local environment to conduct further adversarial attack staging. By having unfettered query access to this extracted model, it facilitates the enhancement of attack success. The potency of the AddSent attack on the model extracted by Model Leeching was increased by 26%, which consequently led to an 11% increase when launched against ChatGPT-3.5-Turbo. This highlights the vulnerability of a target LLM to subsequent machine learning attacks once adversaries acquire an extracted model. By having access to this 'sandbox' model, adversaries can refine or innovate their attack strategies. Consequently, LLMs deployed and served over publicly accessible APIs are at significant risk to further attack staging.
Further work includes conducting Model Leeching against a larger array of LLM(s) such as BARD, LLaMA and available variations of GPT models from OpenAI. Taking these models and exploring how they respond to Model Leeching and their vulnerability to follow-up attacks. Such a study would demonstrate the possibility to generate ensemble models that inherit characteristics from multiple target LLMs. Enabling the optimization of a local model by task-specific performance from the best-performing target would aim to maximise the local model capability.
Multiple open-source versions of popular LLMs have been produced by the ML community. This includes examples such as GPT4All [29] and Llama [1] that can be deployed on consumergrade devices. These models typically leverage training sets, architectures and prompts used to develop the LLM they are aiming to extract and replicate. If these models share significant characteristics with the original LLM, it may be feasible for an adversary to conduct Model Leeching and then deploy an improved attack against a target LLM it didn't interact with before attack deployment.
There has been limited work to defend against attacks on LLMs. Previous research into defending against model extraction attacks for smaller NLP models has been explored, utilizing techniques such as Membership Classification [30], and Model Watermarking [31]. However given the rapid development of new state-of-the-art adversarial attacks against LLMs, it is important that the effectiveness of currently proposed defense techniques within literature are evaluated with newer LLMs. Exploring if the characteristics from applied defense techniques are captured within extracted knowledge from the target model, and further detectable within a distilled extracted model.
In this paper we have proposed a new state-of-the-art extraction attack Model Leeching as a cost-effective means to generate an extracted model with shared characteristics to a target LLM. Furthermore, we demonstrated that it is feasible to conduct adversarial attack staging against a production LLM via interrogating an extracted model derived from a target LLM within a sandbox environment. Our findings suggest that extracted models can be derived with a high similarity and task accuracy with low query costs, and constitute the basis of attack transferability to execute further successful adversarial attacks utilizing data leaked from the target LLM.