Stealing the Decoding Algorithms of Language Models
This exposes a security vulnerability for owners of language models who rely on proprietary decoding algorithms, revealing an incremental but practical threat.
The authors demonstrated that an adversary can steal the type and hyperparameters of decoding algorithms from language models via API access at low cost, showing feasibility with examples like $0.8 to $40 for GPT-3 versions.
A key component of generating text from modern language models (LM) is the selection and tuning of decoding algorithms. These algorithms determine how to generate text from the internal probability distribution generated by the LM. The process of choosing a decoding algorithm and tuning its hyperparameters takes significant time, manual effort, and computation, and it also requires extensive human evaluation. Therefore, the identity and hyperparameters of such decoding algorithms are considered to be extremely valuable to their owners. In this work, we show, for the first time, that an adversary with typical API access to an LM can steal the type and hyperparameters of its decoding algorithms at very low monetary costs. Our attack is effective against popular LMs used in text generation APIs, including GPT-2, GPT-3 and GPT-Neo. We demonstrate the feasibility of stealing such information with only a few dollars, e.g., $\$0.8$, $\$1$, $\$4$, and $\$40$ for the four versions of GPT-3.