GhostPrint: Exposing Fingerprint Spoofing Attack Risks in LLM Inference Services

The research team proposes a new attack threat called "fingerprint spoofing", which uses parameter-efficient fine-tuning to make weak models mimic strong models to bypass client-side fingerprint recognition. The GhostPrint framework successfully deceives existing fingerprint detection methods at low cost while maintaining practicality, exposing critical vulnerabilities in LLM API verification mechanisms.

Original Authors and Source

• Original Author/Team: AI Security and Model Verification Research Team
• Source Platform: arXiv
• Original Paper Title: Your "Pro" LLM Subscription May Actually Be "Free": Exposing Fingerprint Spoofing Risks in LLM Inference Services
• Original Paper Link: http://arxiv.org/abs/2606.16100v1
• Publication Date: 2026-06-15

LLM APIs have become core infrastructure for AI services, but how can users be sure that the paid "Pro" model they use is a real high-performance model instead of a cheap alternative? Model fingerprinting technology emerged as a solution: it verifies model identity by analyzing response characteristics from specific test queries, achieving high accuracy based on differences in output distributions between models. However, existing solutions have a critical blind spot—they assume service providers are honest and do not consider malicious providers actively manipulating models to deceive detection systems.

Objective of fingerprint spoofing attack: To make weak models (e.g., lightweight open-source models) appear as strong models (e.g., GPT-4) in fingerprint detection, tricking users into paying for Pro services while receiving free-tier services. Attack scenarios include: API provider fraud (claiming to use GPT-4 but actually using fine-tuned Llama3 8B), model downgrade attacks, and compliance bypass (using strong models during regulatory checks but weak models in daily operations).

Theoretical analysis reveals current fingerprinting vulnerabilities: Limited query budgets on the client side (cannot send unlimited verification requests) and weak classifier constraints (insufficient discriminative ability due to training on limited samples) lead to the existence of a "spoofing region", where weak models can enter via fine-tuning to bypass detection.

The GhostPrint attack framework consists of three core components:

1. Proxy Modeling: Build a proxy model to simulate the behavior of the target strong model (collect public output samples to train an imitation model);
2. Reward-Ranked Fine-Tuning: The weak model generates candidate responses, uses the proxy model to evaluate similarity, and prioritizes optimizing similar responses (no paired training data required);
3. Knowledge Distillation: Transfer knowledge from the proxy model (soft label learning, feature alignment).

Key feature: Parameter efficiency—fine-tuning <1% of total parameters via techniques like LoRA, resulting in extremely low attack cost.

Experimental evaluation results:

• Static Detection: After fine-tuning, weak models consistently pass representative fingerprint detection while maintaining downstream task performance, with low fine-tuning cost (a few GPU hours + <1% parameters);
• Continuous Detection: Maintain high deception success rate through query generalization (learning the target model's style) and adaptive updates (incremental fine-tuning to handle new queries);
• Specific Examples: Llama3 8B successfully impersonates GPT-4, Mistral7B successfully simulates Claude's response characteristics.

Client-Side Defense:

1. Dynamic fingerprint queries (randomize unpredictable query sets);
2. Multi-dimensional verification (side-channel information such as response latency, memory usage);
3. Task performance verification (standard benchmark tests);
4. Third-party audits (regular independent verification).

Industry-Level Recommendations:

1. Model signing (embed invisible digital signatures);
2. Transparency commitments (publicize model versions and update logs);
3. Regulatory frameworks (establish industry standards to penalize fraud).

Technical Significance: First to reveal the feasibility of fingerprint spoofing attacks, provide a theoretical framework for model verification limitations, and guide the design of robust verification mechanisms. Industry Impact: Remind attention to LLM API verification issues, influence pricing strategies based on model identity, and promote strict verification standards. Limitations: Requires certain computing resources, has delays in adapting to new queries under continuous detection, and may experience performance degradation in complex tasks. Future Directions: Develop anti-spoofing verification mechanisms, study multi-modal attacks, explore blockchain-based identity verification, and design adaptive AI-driven detection systems.