LLM Edit Fingerprint Leak

Description: A side-channel information leakage vulnerability exists in the "locate-then-edit" paradigm of Large Language Model (LLM) knowledge editing, specifically affecting algorithms such as ROME, MEMIT, and AlphaEdit. The parameter update matrix ($\Delta W$) generated during the editing process preserves the algebraic structure of the edited data. Specifically, the row space of the parameter difference matrix encodes a mathematical fingerprint of the key vectors associated with the edited subjects. An attacker with access to the model weights before and after an edit (white-box access) can leverage this structure via spectral analysis (Singular Value Decomposition) to reconstruct the linear subspace spanned by the edited knowledge. This allows the attacker to reverse-engineer the specific subjects (e.g., entities, names) involved in the edit and, through entropy reduction analysis, recover the semantic prompts (context) used, thereby extracting the sensitive information the edit was intended to modify or erase.

Examples: To reproduce the KSTER (KeySpaceReconsTruction-then-EntropyReduction) attack:

1. Subject Inference:

• Obtain the weight update matrix $\Delta W$ from a model edited using MEMIT.
• Compute the Singular Value Decomposition (SVD) of the matrix product $\Delta W \mathbf{C}$ (where $\mathbf{C}$ is the covariance matrix).
• Extract the top-$N$ right singular vectors to form the subspace $V_N$.
• Project candidate subject vectors (e.g., hidden states of subjects from a dataset like CounterFact) onto $V_N$.
• Candidates with high projection coefficients (close to 1.0) are the edited subjects.

2. Prompt Recovery:

• For an identified subject, evaluate a set of candidate prompt templates.
• Calculate the entropy of the next-token distribution for both the pre-edit and post-edit models.
• Select the prompt that exhibits the maximal relative entropy reduction.

For the complete attack implementation code and reproduction scripts, see the repository: https://github.com/reanatom/EditingAtk.git

For specific experimental setups and candidate libraries used to validate the vulnerability, refer to the "CounterFact" and "zsRE" datasets mentioned in the repository and paper.

Impact: This vulnerability compromises the confidentiality of the model editing process. It allows attackers to recover sensitive, private, or safety-critical information that was supposedly redacted or updated. For example, if a model is edited to remove a specific individual's private data or hazardous instructions, an attacker can analyze the weight updates to precisely identify who was removed and what context was associated with them, negating the privacy or safety goals of the edit.

Affected Systems:

• Large Language Models (e.g., GPT-J, Llama-3, Qwen-2.5) that utilize parameter-modifying editing algorithms.
• Specific editing algorithms:
• ROME (Rank-One Model Editing)
• MEMIT (Mass-Editing Memory in a Transformer)
• AlphaEdit

Mitigation Steps:

• Implement Subspace Camouflage: As proposed in the paper, modify the editing algorithm to inject "semantic decoys" into the update subspace.
• Construct an aggregated camouflage key matrix by perturbing the true key matrix $\mathbf{K}$ with a decoy key matrix $\mathbf{K}_{decoy}$ (derived from unrelated subjects).
• Compute the weight update such that it satisfies the edit constraints for the true subjects while expanding the row space to include the decoys.
• This obfuscates the spectral fingerprint, preventing attackers from isolating the true edited subjects via subspace analysis.
• Restrict Weight Access: Prevent public access to high-frequency weight updates or the specific parameter differences ($\Delta \theta$) resulting from granular edits.