Stealing the Decoding Algorithms of Language Models

TL;DR

This paper demonstrates that an attacker can cheaply and effectively steal the decoding algorithms and their hyperparameters from popular language models via API access, posing security concerns.

Contribution

It introduces the first method showing how to steal decoding algorithms and hyperparameters from language models with minimal cost and effort.

Findings

Successful theft of decoding algorithms from GPT-2, GPT-3, and GPT-Neo.

Low-cost attacks costing less than a few dollars per model.

Effective attack across multiple popular language models.

Abstract

A key component of generating text from modern language models (LM) is the selection and tuning of decoding algorithms. These algorithms determine how to generate text from the internal probability distribution generated by the LM. The process of choosing a decoding algorithm and tuning its hyperparameters takes significant time, manual effort, and computation, and it also requires extensive human evaluation. Therefore, the identity and hyperparameters of such decoding algorithms are considered to be extremely valuable to their owners. In this work, we show, for the first time, that an adversary with typical API access to an LM can steal the type and hyperparameters of its decoding algorithms at very low monetary costs. Our attack is effective against popular LMs used in text generation APIs, including GPT-2, GPT-3 and GPT-Neo. We demonstrate the feasibility of stealing such information with only a few dollars, e.g., $\$0.8$, $\$1$, $\$4$, and $\$40$ for the four versions of GPT-3.