KV-Cache & Inference-State Side Channels
mediumInfrastructure & internalsDefinition
To go faster, servers reuse work between users who share the same opening text. That shortcut can leak clues — timing differences that reveal what someone else's prompt contained.
Where it attaches
The system components this risk arises at.
Detection signals
- ▸ Measurable timing differences correlated with cache hits
- ▸ State unexpectedly shared across sessions/tenants
- ▸ Anomalous latency patterns under adversarial probing
Controls & guardrails that address this
11Grouped by control function, with the AI lifecycle stage(s) to apply each and the other risks it addresses. Filter by control category below.
Design query rate limiting and RBAC for the model inference API at design stage to limit attack surface.
Implement query pattern detection to identify systematic inference attack behaviour (high-volume queries, membership probing).
Train PII-bearing models with DP-SGD under a documented epsilon/delta budget. Approve the budget against the enterprise epsilon-ceiling policy before training.
source: NIST SP 800-226 Guidelines for Evaluating Differential Privacy Guarantees; Abadi et al. 'Deep Learning with Differential Privacy' (DP-SGD); MITRE ATLAS AML.M0007 (Sanitize Training Data)Strip raw logits, quantise confidence scores and block training-record echoes at the inference gateway. Keep the output-filter policy under change control.
source: MITRE ATLAS AML.T0024.001 (Invert ML Model); Jia et al. MemGuard (output perturbation defence); OWASP Top 10 for LLM Apps LLM02:2025 Sensitive Information DisclosureMaking sure the machinery running the model — and the template used to stamp out new agents — is the real, unmodified version, and that one user's data can't leak into another's through shared shortcuts.
Penetration test the model inference API to identify exploitable access control weaknesses and rate limiting bypass vectors.
Conduct periodic inference attack vulnerability assessments as new attack methods emerge. Monitor query pattern anomalies.
Attack each candidate model with membership-, attribute-, and inversion-inference harnesses before promotion. Block release when attack advantage exceeds the agreed ceiling.
source: MITRE ATLAS AML.T0024.000 (Infer Training Data Membership); Carlini et al. 'Membership Inference Attacks From First Principles' (LiRA); NIST AI RMF MEASURE 2.7Configure per-principal budgets and probing-detection rules on the gateway before exposure. Verify enforcement with synthetic attack traffic.
source: MITRE ATLAS AML.M0004 (Restrict Number of ML Model Queries), AML.T0024 (Exfiltration via ML Inference API); NIST SP 800-53 SI-4, AU-6Live dashboards and alarms that notice unusual behaviour — spikes in errors, weird actions, sudden data access.
Conduct targeted red team exercises for inference attack categories (membership inference, model extraction, attribute inference) before deployment.
Define the minimum response surface and test it with membership/attribute-inference probes pre-release. Block promotion if any probe recovers raw confidence signals.
source: MITRE ATLAS AML.T0024.001 (Invert ML Model); Jia et al. MemGuard (output perturbation defence); OWASP Top 10 for LLM Apps LLM02:2025 Sensitive Information DisclosureMeter inference traffic per principal and flag probing signatures with behavioural analytics. Throttle, step-up, or suspend flagged sessions.
source: MITRE ATLAS AML.M0004 (Restrict Number of ML Model Queries), AML.T0024 (Exfiltration via ML Inference API); NIST SP 800-53 SI-4, AU-6Framework mappings
- LLM02:2025 Sensitive Information Disclosure
- MEASURE 2.10
Real-world cases
1Actual published events that illustrate this risk — click through for the writeup and sources.
Browse all real-world cases →