Fingerprinting Inference Systems of Large Language Models
For security researchers and LLM service providers, this work reveals a new side-channel vulnerability that exposes inference system details, with implications for privacy and intellectual property.
The paper shows that numerical deviations in LLM inference systems (engine, attention backend, hardware) propagate to textual outputs, enabling reliable fingerprinting of these components even at non-zero temperature. The authors demonstrate that preventing such fingerprinting is fundamentally hard and propose partial mitigations.
The behavior of LLMs does not depend solely on the model itself. Components of the inference system, such as the inference engine, attention backend, and hardware platform, subtly influence how inputs are processed. These components differ in their implementations and thereby induce small numerical deviations across systems when running the same model. While prior work has established the theoretical existence of such deviations, their security implications have remained unexplored. In this paper, we show that these deviations are characteristic of specific components and propagate to observable textual outputs, exposing the inference system to any party that can query the model. Building on this observation, we introduce a fingerprinting method that analyzes the prompt-response behavior of LLMs to identify components of the inference system. Our empirical evaluation demonstrates that the inference engine, attention backend, and underlying hardware platform can be identified reliably, even when the LLM is operated at non-zero temperature. We show that preventing fingerprinting is fundamentally hard, as it would require eliminating numerical differences between hardware and software stacks. We therefore propose partial mitigations and discuss their impact.