
MoEcho: Exposing User Privacy Risks in Mixture-of-Experts AI

TLDR: MoEcho is a new framework that demonstrates how the efficient Mixture-of-Experts (MoE) architecture in large AI models (LLMs, VLMs) can inadvertently leak sensitive user data. By monitoring subtle hardware execution patterns (side-channels) on CPUs and GPUs, attackers can infer private information from user prompts, reconstruct model responses, and even deduce visual attributes or reconstruct images, highlighting a critical need for enhanced privacy safeguards in modern AI systems.

Modern artificial intelligence, especially large language models (LLMs), has made incredible strides, but this progress often comes at a steep computational cost. To tackle this, many advanced AI systems now use a design called Mixture-of-Experts (MoE). While MoE models are good at balancing performance and cost by selectively activating specialized subnetworks, new research reveals a significant privacy vulnerability inherent in that design.

A new study introduces ‘MoEcho,’ a framework that uncovers how the dynamic way MoE models operate can inadvertently expose sensitive user information. Imagine an AI model processing your private health query or analyzing a personal image. MoEcho demonstrates that the specific ‘experts’ activated within the MoE architecture leave behind unique digital ‘footprints’ that can be tracked and exploited by attackers.

The Hidden Footprints of AI

The core of the MoEcho attack lies in observing these ‘footprints’ during two key phases of an AI model’s operation:

  • Expert Load: When an AI model first processes an entire input (like a long prompt), it distributes parts of that input among its various experts. The number of times each expert is used creates a unique ‘load’ pattern.
  • Expert Sequence: As the AI model generates its response token by token, it activates a specific sequence of experts for each new piece of information. This sequence can be highly indicative of the output being generated.

These patterns, while seemingly innocuous, are highly correlated with the user’s input and the model’s output, making them a goldmine for privacy breaches.

How Attackers Listen In: Side-Channel Exploitation

MoEcho leverages what are known as ‘side-channel attacks.’ Instead of directly hacking the AI’s code, these attacks observe subtle, indirect information leaked during the system’s execution. The researchers developed four novel architectural side-channels:

  • On CPUs: They used ‘Cache Occupancy Channels’ to measure how much each expert uses the processor’s temporary memory (cache), inferring the ‘expert load.’ For the ‘expert sequence,’ they employed ‘Pageout+Reload’ attacks, which involve monitoring how quickly expert-specific memory pages are reloaded after being temporarily removed from memory.
  • On GPUs: For graphics processing units, ‘Performance Counters’ were used to track the number of computational threads each expert utilized, revealing the ‘expert load.’ To capture the ‘expert sequence,’ a ‘TLB Evict+Reload’ attack was devised, which monitors the Translation Lookaside Buffer (TLB), a special cache for memory addresses.

These techniques allow an attacker who is co-located on the same physical machine (e.g., another tenant in a cloud environment) to stealthily gather information about which experts are active and for how long.

Four Ways Your Privacy Can Be Compromised

Based on these leaked execution patterns, MoEcho proposes four powerful privacy attacks:

  1. Prompt Inference Attack (PIA): This attack aims to uncover sensitive attributes from user inputs, such as a patient’s illness, age, or gender from a healthcare query. For example, the study achieved a 99.8% success rate in inferring private patient inputs in healthcare records using templated inputs.
  2. Response Reconstruction Attack (RRA): Here, the attacker can reconstruct the AI model’s entire output, word for word. This could expose sensitive information from revised emails or personal documents. The research showed a 92.8% success rate in reconstructing LLM responses.
  3. Visual Inference Attack (VIA): For AI models that process images (Vision-Language Models or VLMs), this attack can deduce visual attributes like facial features or even identify individuals from input images.
  4. Visual Reconstruction Attack (VRA): This advanced attack can reconstruct parts of an input image, even if the user only provided a masked version, by using the leaked expert load information to guide a generative model.

The researchers evaluated MoEcho on several open-source MoE models, including DeepSeek-V2 Lite and DeepSeek-VL2, demonstrating the widespread applicability and effectiveness of these attacks in real-world scenarios.

Protecting AI’s Future

The findings from MoEcho highlight a critical security and privacy threat in the rapidly evolving landscape of AI. As MoE architectures become more common for their efficiency, it’s crucial to implement safeguards. Potential mitigations include:

  • Robust Training: Introducing randomness or differential privacy during the training of MoE routers to obscure expert decisions.
  • Secure Deployment: Randomizing the execution order of experts or distributing them across multiple devices to make tracking harder.
  • General Side-Channel Defenses: Adapting existing defenses like balancing computation to hide load variations, restricting access to sensitive system tools, and rigorously isolating shared hardware resources.
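To make the two execution-pattern signals described earlier (expert load during prompt processing, expert sequence during token generation) and the "balance the computation" mitigation concrete, here is a small simulation. It is an added illustration, not code from the MoEcho paper or from any MoE implementation: the router is a constructed deterministic stand-in for a learned gating network, and the expert count (`NUM_EXPERTS`) and top-k value (`TOP_K`) are assumed. It shows that two templated prompts differing in one sensitive field produce different per-expert load vectors, and that padding every expert to a fixed capacity removes that difference from what an observer can see.

```python
"""Toy model of the two MoE execution-pattern signals (expert load in the
prefill phase, expert sequence in the decode phase) and of the
'balance the computation' mitigation. Added illustration, not code from
the MoEcho paper; the router below is a constructed stand-in, not a
learned gate."""
from collections import Counter

NUM_EXPERTS = 8   # assumed model width; production MoE models use far more
TOP_K = 2         # experts activated per token (assumed)


def route_token(token: str) -> list[int]:
    """Constructed deterministic router mapping a token to TOP_K distinct
    experts. A real MoE uses a learned gating network; this only needs to
    be input-dependent and stable so the leakage is visible."""
    e1 = sum(token.encode()) % NUM_EXPERTS
    # offset is in 1..NUM_EXPERTS-1, so e2 is never equal to e1
    e2 = (e1 + 1 + len(token) % (NUM_EXPERTS - 1)) % NUM_EXPERTS
    return [e1, e2]


def expert_load(prompt: str) -> list[int]:
    """Prefill-phase signal: how many prompt tokens each expert processed.
    This is the quantity a cache-occupancy or thread-count observer sees."""
    counts = Counter(e for tok in prompt.split() for e in route_token(tok))
    return [counts[e] for e in range(NUM_EXPERTS)]


def expert_sequence(generated: list[str]) -> list[tuple[int, ...]]:
    """Decode-phase signal: the expert set activated for each output token."""
    return [tuple(route_token(tok)) for tok in generated]


def padded_load(prompt: str) -> list[int]:
    """Mitigation: run every expert at a fixed capacity that depends only on
    prompt length, so the observable load carries no routing information."""
    capacity = TOP_K * len(prompt.split())
    return [capacity] * NUM_EXPERTS


def distinguishable(observations: list[list[int]]) -> bool:
    """An observer can separate inputs only if their observed loads differ."""
    return len({tuple(o) for o in observations}) > 1


# Constructed templated healthcare prompts differing in one sensitive field.
PROMPTS = [
    "age 34 condition flu",
    "age 34 condition cancer",
]

if __name__ == "__main__":
    for p in PROMPTS:
        print(f"{p!r:28} load={expert_load(p)} padded={padded_load(p)}")
    print("raw loads distinguishable:   ",
          distinguishable([expert_load(p) for p in PROMPTS]))
    print("padded loads distinguishable:",
          distinguishable([padded_load(p) for p in PROMPTS]))
    print("expert sequence for a reply:",
          expert_sequence("you should see a doctor".split()))
```

The padding defence trades the efficiency that motivates MoE in the first place for a flat load profile, which is why the article lists it alongside router-level randomization and hardware isolation rather than as a standalone fix; the expert sequence signal is untouched by load padding and needs its own countermeasure, such as randomized expert execution order.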

This groundbreaking work is the first to conduct a run-time, architecture-level security analysis of the popular MoE structure, urging developers and users to consider these privacy implications. For more in-depth technical details, you can read the full research paper here.

Rhea Bhattacharya (https://blogs.edgentiq.com)
Rhea Bhattacharya is an AI correspondent with a keen eye for cultural, social, and ethical trends in Generative AI. With a background in sociology and digital ethics, she delivers high-context stories that explore the intersection of AI with everyday lives, governance, and global equity. Her news coverage is analytical, human-centric, and always ahead of the curve. You can reach her at: [email protected]