Proprietary large language models (LLMs) have been widely applied in various scenarios. Additionally, deploying LLMs on edge devices is trending for efficiency and privacy reasons. However, edge deployment of proprietary LLMs introduces new security challenges: edge-deployed models are exposed as white-box accessible to users, enabling adversaries to conduct effective model stealing (MS) attacks. Unfortunately, existing defense mechanisms fail to provide effective protection. Specifically, we identify four critical protection properties that existing methods fail to satisfy simultaneously: (1) maintaining protection after a model is physically copied; (2) authorizing model access at the request level; (3) protecting against runtime reverse engineering; (4) achieving high security with negligible runtime overhead. To address the above issues, we propose TransLinkGuard, a plug-and-play model protection approach against model stealing on edge devices. The core part of TransLinkGuard is a lightweight authorization module residing in a secure environment, e.g., a TEE. The authorization module freshly authorizes each request based on its input. Extensive experiments show that TransLinkGuard achieves security protection equivalent to black-box security guarantees with negligible overhead.