New Attack Infers LLM Architecture from Restrictive APIs

Christopher Ellis, Shreyas Chaudhari, Mei-Yu Wang, Leighton Barnes, Giulia Fanti, José M. F. Moura · July 3, 2026

Summary

Researchers have developed "NightVision," an attack that can estimate the hidden dimension, depth, and parameter count of Large Language Models (LLMs) even with highly restricted black-box API access. This method uses a novel common set prompting technique and spectral analysis of log probabilities, along with time-to-first-token measurements.

A new research paper introduces "NightVision," an innovative attack designed to infer the architectural specifics of Large Language Models (LLMs) even when API access is severely limited. Previous methods for recovering architectural details, such as hidden dimensions, relied on access to top-k logits or logit bias functions, which most commercial LLM providers have since restricted. NightVision overcomes these restrictions by employing a novel "common set prompting" technique. This involves crafting multiple prompts that expose log probabilities for the same set of output tokens. A subsequent spectral analysis of these results allows for the inference of the LLM's hidden dimension. Additionally, the attack leverages end-to-end time-to-first-token (TTFT) measurements, combined with the estimated hidden dimension, to further estimate the model's depth and total parameter count. Empirical evaluations on 32 open-source LLMs demonstrated that NightVision can recover hidden dimensions with an average relative error of 23% (9% for MoE models) and depth/parameter count within 53% for models exceeding three billion parameters, suggesting that current API restrictions are insufficient to fully obscure underlying model architectures.
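The low-rank structure behind this kind of leak can be reproduced on a constructed toy model, for example to check what a given log-probability exposure policy would reveal about your own deployment. This is an added example, not the paper's method or code: it assumes a linear unembedding followed by softmax, uses random weights and hidden states, and substitutes a pivoted-elimination rank for a singular-value analysis; all function names are hypothetical.

```python
import math
import random

def toy_logprobs(W, h):
    """Log-softmax over the full vocabulary for one final hidden state h."""
    logits = [sum(w * x for w, x in zip(row, h)) for row in W]
    top = max(logits)
    lse = top + math.log(sum(math.exp(z - top) for z in logits))
    return [z - lse for z in logits]

def numerical_rank(rows, tol=1e-8):
    """Rank via Gaussian elimination with full pivoting (stand-in for an SVD)."""
    a = [r[:] for r in rows]
    n, m = len(a), len(a[0])
    scale = max(abs(v) for r in a for v in r) or 1.0
    rank = 0
    for k in range(min(n, m)):
        val, pi, pj = max((abs(a[i][j]), i, j)
                          for i in range(k, n) for j in range(k, m))
        if val <= tol * scale:      # remaining block is numerically zero
            break
        a[k], a[pi] = a[pi], a[k]
        for r in a:
            r[k], r[pj] = r[pj], r[k]
        for i in range(k + 1, n):
            f = a[i][k] / a[k][k]
            for j in range(k, m):
                a[i][j] -= f * a[k][j]
        rank += 1
    return rank

def rank_of_exposed_logprobs(rows):
    """Centre each row over the common set (cancels the softmax normaliser), then rank."""
    centred = [[v - sum(r) / len(r) for v in r] for r in rows]
    return numerical_rank(centred)   # at most min(hidden_dim, len(common set) - 1)

def simulate(hidden_dim, vocab=200, prompts=40, common=30, seed=0):
    """Constructed toy model: random unembedding W and random hidden states."""
    rng = random.Random(seed)
    W = [[rng.gauss(0, 1) for _ in range(hidden_dim)] for _ in range(vocab)]
    common_set = rng.sample(range(vocab), common)   # same tokens for every prompt
    rows = []
    for _ in range(prompts):
        lp = toy_logprobs(W, [rng.gauss(0, 1) for _ in range(hidden_dim)])
        rows.append([lp[t] for t in common_set])
    return rank_of_exposed_logprobs(rows)

if __name__ == "__main__":
    print(simulate(12), simulate(12, common=8))
```

When the common set holds fewer than `hidden_dim + 1` tokens, the rank saturates at `len(common_set) - 1`, so the number of tokens whose log probabilities an API exposes across prompts bounds what this measurement can reveal.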

Why it matters

This research highlights a significant security and intellectual property concern for LLM providers, as proprietary architectural details can be inferred even with limited API access. It also informs users about the potential for reverse engineering models.

How to implement this in your domain

  1. Review current API security practices for LLM deployments, especially regarding logit exposure and response timing.
  2. Investigate methods to further obfuscate architectural properties beyond current API restrictions.
  3. Conduct internal red-teaming exercises to test the resilience of proprietary LLM architectures against inference attacks like NightVision.
  4. Stay informed about new research in black-box model inference to anticipate future vulnerabilities.
  5. Consider the implications for intellectual property protection when deploying LLMs via APIs.

Who benefits

Software, Cloud Services, Cybersecurity, AI Development

Key takeaways

  • LLM architectural properties can be inferred even with highly restricted black-box API access.
  • "NightVision" uses common set prompting and spectral analysis to estimate hidden dimensions.
  • Time-to-first-token measurements can help estimate model depth and parameter count.
  • Current API restrictions may not be sufficient to fully protect proprietary LLM architectures.

Original post by Christopher Ellis, Shreyas Chaudhari, Mei-Yu Wang, Leighton Barnes, Giulia Fanti, José M. F. Moura

"arXiv:2607.01313v1 Announce Type: new Abstract: In practice, most commercial LLM providers do not publicly release details of underlying LLM architectures. However, prior work has shown that given limited API access to an LLM (namely, top-$k$ logits and/or a logit bias function),…"
