Mistletoe: A Stealthy Acceleration Collapse Attack on Speculative Decoding

Mistletoe is a new stealthy attack method targeting speculative decoding. By exploiting the imperfect match between the draft model and the target model, it significantly reduces the draft token acceptance rate while maintaining output quality, thus collapsing the inference acceleration effect. This article will detail the background, method, effects, and security implications of this attack.

Speculative decoding is a mainstream LLM inference acceleration scheme. Its core is to generate candidate tokens in parallel via a lightweight draft model, then validate them with the target model. Efficiency depends on the average acceptance length τ. Its hidden vulnerability lies in the imperfect match between the draft model and the target model: small perturbations can keep the target model's output unchanged while significantly reducing the draft token acceptance rate, making the attack highly stealthy.

Mistletoe uses a dual-target optimization framework: Target 1 is to degrade the consistency between the draft model and the target model (reduce draft acceptance probability), Target 2 is to maintain semantic consistency (unchanged output distribution). To resolve the conflict between these targets, a null space projection mechanism is introduced, which projects the degradation gradient into the null space of the semantic preservation direction, achieving a stealthy attack effect.

Experiments were evaluated on multiple speculative decoding systems. Key results include: the average acceptance length τ dropped sharply to nearly 1, causing the acceleration effect to collapse; throughput was significantly reduced to the level without speculative decoding; output quality (perplexity) remained basically the same as before the attack, with no impact.

Mistletoe reveals that speculative decoding has a mechanism-level attack surface (beyond traditional output robustness). Defense recommendations: Strengthen the acceptance mechanism to improve perturbation robustness; establish real-time monitoring of abnormal acceptance rates; develop detection and mitigation defense mechanisms; consider adversarial scenarios when designing speculative decoding systems.

Current limitations: Assumes the attacker can manipulate inputs; mainly targets model-based speculative decoding; defense mechanisms are not fully explored. Future directions: Develop defense mechanisms against Mistletoe; explore the possibility of attacks on other inference acceleration technologies; design more robust speculative decoding architectures.

The Mistletoe attack reveals a key security vulnerability in speculative decoding technology. By stealthily collapsing the acceleration effect through model mismatch, it has important security significance and provides a new research direction for designing more robust LLM inference systems.