- The paper demonstrates that fingerprint spoofing can be achieved through parameter-efficient fine-tuning techniques, allowing weak models to mimic strong ones under limited query audits.
- The authors analyze both theoretical and empirical vulnerabilities, showing that finite query budgets and lightweight verification methods enable economic fraud in LLM services.
- Empirical evaluations reveal high spoofing success rates across major LLM families, underscoring the urgent need for more robust model authentication and verification mechanisms.
Exposing Fingerprint Spoofing Risks in LLM Inference Services
Introduction
The increasing reliance on commercial LLM APIs for various downstream applications and academic evaluations has raised crucial concerns around model integrity and trust verification. The prevailing standard for verifying LLM model identity in black-box settings is response fingerprinting, where a user-side mechanism applies a small set of queries and lightweight classifiers to audit model behavior. This work formalizes and exposes a critical vulnerability: the possibility for malicious providers to perform fingerprint spoofing, whereby a weak model is fine-tuned in a parameter-efficient way to mimic the responses of a strong model and evade fingerprint-based verification, thus enabling economic fraud at scale.
The paper systematically examines the limitations of current fingerprinting techniques, both theoretically—proving how user-side constraints inherently leave them vulnerable—and empirically—demonstrating successful spoofing on state-of-the-art fingerprinting pipelines across multiple model families.
Figure 1: The economic incentive for LLM API spoofing, illustrating the profit motive of substituting a fine-tuned weak model for the advertised strong model.
Theoretical Foundations of Fingerprint Spoofing
A core contribution of the paper is the analysis of when fingerprint spoofing is provably feasible. The authors first confirm the impossibility of universal spoofing: a weak model constrained by scaling laws and PEFT cannot globally emulate all behaviors of a much larger model for arbitrary queries, especially when the auditing party possesses unlimited compute and the ability to utilize strong classifiers. However, two fundamental vulnerabilities are exposed:
- Finite Query Budgets: Realistic audits employ small, structured query sets, often with low effective rank, due to cost and access limitations.
- Weak Verification Mechanisms: Verification must use lightweight statistical tests or low-capacity classifiers due to user-side constraints.
Under these constraints, the paper proves that spoofing can be made efficient and effective: fine-tuning for a limited set of audit queries allows a weak model’s decision manifold to intersect with the strong model’s under the test distribution and within the weak classifier’s discriminative power. These theoretical insights formally explain how local, rather than global, spoofing can be achieved in practice.
The GhostPrint Attack Framework
To operationalize these vulnerabilities, the paper introduces GhostPrint, a cost-effective attack pipeline for fingerprint spoofing. GhostPrint’s framework involves:
Empirical Evaluation and Results
GhostPrint is instantiated on three major open-source LLM families (Gemma, Qwen2, Phi-3), with weak-to-strong spoofing settings and rigorous utility preservation checks. Evaluations are performed against leading black-box fingerprints: LLMmap (multi-class identity probes), LLM-idio (response style classifier), and MET (distributional hypothesis test).
Key empirical findings include:
- High ASR Under Parameter Constraints: GhostPrint attains attack success rates (ASR) as high as 95% on LLMmap, 71% on LLM-idio, and 40% on MET with Gemma-2B spoofing Gemma-7B, outperforming non-fine-tuning baselines by large margins.
- Strong Utility Retention: General model utility (as measured by MMLU, GSM8K, ARC-C) is preserved, indicating no catastrophic forgetting.
- Robustness to Cross-Family Spoofing: Though more challenging due to architectural gaps, GhostPrint achieves non-trivial ASRs even when spoofing models across distinct families (e.g., Gemma to Qwen2), exposing the limits of response-style-based verification.
- Effectiveness of RAFT and KD: Ablations show that adding RAFT examples (50% mix) and using the large model as a KD anchor both improve ASR, with KD coefficient α robustly optimal near 0.25.
- Continual Spoofing with MoLA: The mixture-of-experts approach delivers strong performance across evolving fingerprints (multi-auditor settings), achieving only mild utility or ASR regression as more fingerprints are integrated.
Figure 3: Ablation over knowledge distillation anchor and loss weight; utility-optimized KD improves spoofing rates, with stability across families.
Figure 4: MET sample complexity curves, demonstrating that practical audit query budgets are insufficient to reliably detect GhostPrint-based spoofing.
Implications
Practical Implications
This work exposes a fundamental security and trust gap in current LLM API verification practice. Black-box fingerprinting, especially when restricted to resource-limited audit regimes, is insufficient for robust provenance guarantees against adaptive adversaries. Service providers can economically deploy weak but fine-tuned models, reliably evading audits and thereby defrauding users, with little risk of detection if users employ typical audit strategies. The findings strongly motivate the development of new provider authentication and attestation strategies, potentially requiring cryptographic or white-box protocols, and highlight the urgency for the research community and industry to treat model identity as a first-class, actively-defended property.
Theoretical Implications
The precise characterization of when spoofing is fundamentally possible under model and classifier scaling gaps calls for more rigorous analysis of the inherent limits of output-based verification. Response similarity is shown to be insufficient under adversarial adaptation—a notable contradiction to the assumptions underpinning most practical fingerprint pipelines.
Speculation on Future Developments
Anticipated defenses may move toward:
- Stronger intrusive fingerprinting or cryptographic attestation mechanisms, possibly requiring cooperation from model vendors.
- Adaptive, high-budget auditing strategies that escalate in sophistication on suspicious findings.
- Enhanced watermarking, probabilistic queries, or ensemble-based verification approaches that increase the cost and complexity for would-be spoofers.
Research in adversarial model detection, robust provenance, and model accountability—particularly in black-box, third-party-composable API settings—will become increasingly vital in light of these findings.
Conclusion
The paper fundamentally challenges current assumptions about LLM fingerprinting robustness, presenting both a theoretical framework and a demonstrably effective, economically feasible attack (GhostPrint) that exposes the inadequacy of today’s black-box verification under realistic adversarial pressures. These insights raise the bar for the design of trustworthy LLM API infrastructure and demand a rethinking of both the security model for API consumers and the technical underpinnings of model auditing systems.