
TLDR
- What: A black-box behavioral fingerprinting and verification protocol for LLMs that uses the empirical distribution of single-token responses to simple "random-choice" prompts to detect model substitution and quantization.
- Who's at risk: Enterprise API consumers, multi-provider aggregators (e.g., OpenRouter), and applications utilizing LLM routing where downstream providers may secretly substitute cheaper, older, or heavily quantized models.
- Key number: A biometric-style verification protocol that achieves a 7.3% Equal Error Rate (EER) using a 40-cell probe battery, and 10.6% EER using just 8 probe cells (costing less than $0.01 per audit).
As the enterprise AI stack shifts toward multi-provider aggregators and complex routing layers to query frontier models like GPT-4o or Llama 3, a structural security vulnerability has emerged: the client has no technical means to verify that the model answering their API call is actually the model advertised. Recent audits have revealed that up to a third of commercial endpoints deviate from their reference weights, driven by the strong economic incentives of quantization and model substitution. This post analyzes a novel black-box fingerprinting technique that turns an inherent defect of LLMs—their idiosyncratic inability to generate truly random numbers or words—into a high-precision, low-cost forensic instrument.
Threat Model
The protocol addresses a setting where a client pays an untrusted, third-party serving provider or aggregator for access to a declared model . The provider controls the entire inference pipeline, opening up several avenues for manipulation:
| Attacker | Untrusted API provider or router with full control over the serving stack. |
| Victim | Client application or an auditor acting on behalf of clients. |
| Goal | Minimize serving costs by silently substituting a cheaper model , serving an aggressively quantized version , or rolling back to an older model version, while evading detection. |
| Budget | Oblivious (T1): Substitutes silently without traffic inspection.Filtering (T2): Inspects prompts to detect audits and route them to genuine models.Auditor Budget: Minimal cost (cents, not dollars) requiring no log-probability or logit access. |
Background & Related Work
Verifying model identity in a black-box setting is historically expensive, requiring long text generation or privileged access to model outputs. The paper compares its single-token behavioral fingerprint against several existing paradigms:
| Method | Mechanism | API Requirements | Vulnerable to Prompt Filtering (T2)? | Operational Cost |
|---|---|---|---|---|
| Cooperative Watermarking (e.g., Kirchenbauer et al. [4]) | Embeds cryptographic biases in the decoding step. | Requires model owner/provider cooperation. | No | Low |
| Classifier-Based Attribution (e.g., Sun et al. [8]) | Classifies long text generations using specialized models. | Text-only output (long sequences). | No | High (requires long output generation) |
| Active Engineered Probes (e.g., LLMmap [9], TRAP [10]) | Uses optimized, highly distinct prompts to trigger unique behaviors. | Text-only output. | Yes (engineered strings are easily recognized and blacklisted/whitelisted). | Moderate |
| Statistical Equality Testing (e.g., Gao et al. [1]) | Compares empirical distributions of long generated strings. | Text-only output. | No | High (requires complete string sampling and reference calibration) |
| Single-Token Fingerprinting (This Work) | Measures empirical distribution of single-token answers to trivial "randomness" questions. | Text-only output (first token only). | No (prompts are innocuous, open-ended, and easily paraphrased). | Extremely Low (costs exactly 1 output token per query; ~$0.21 per model) |
Methodology
The core insight of this technique—imported from LLM behavioral literature—is that when asked to name a "random" object, LLMs exhibit highly stable, idiosyncratic biases. These biases are influenced by tokenizer structures, pre-training corpus frequencies, and RLHF alignment. Because these biases are reflected in the very first token of the output, the auditor can extract a rich fingerprint using exactly one output token per query.
1. The Probe Battery
As described in Section IV-A and Table I, the fingerprint is constructed by crossing 10 distinct tasks with 4 languages (English, Russian, Chinese, Arabic) to create a battery of 40 "probe cells".
The 10 tasks include:
random number 1–100(closed space of 100)random number 1–10(closed space of 10)favorite number(open numeric)random letter(closed alphabet)random word(open)random color(open, canonicalized)favorite color(open, canonicalized)random animal(open)random city(open)coin flip(closed space of 2)
2. Prompting and Parsing
For each cell , the auditor queries the endpoint times at temperature with a strict system prompt to enforce a single-word answer and a hard cap of max_tokens=16 (to prevent verbose conversational wrappers). Optional provider-side reasoning features (such as OpenAI's thinking budgets) must be explicitly disabled to isolate the raw, single-pass softmax distribution.
Raw responses are normalized deterministically (case-folding, punctuation stripping, Unicode normalization, and mapping regional digit systems to Latin digits).
3. Divergence Metrics
To compare the fingerprint of an audited endpoint against a trusted reference model , the protocol calculates the average Jensen-Shannon Divergence (JSD) across all valid cells:
where represents the subset of probe cells containing at least 10 valid samples.
4. Verification Protocol
The audit is executed via the following algorithm:
import numpy as np
def compute_jsd(p, q):
"""Computes Jensen-Shannon Divergence between two distributions."""
m = 0.5 * (p + q)
# Assume p, q, m are normalized numpy arrays representing the categorical distribution
kl_p = np.sum(p * np.log2(p / m, where=(p != 0)))
kl_q = np.sum(q * np.log2(q / m, where=(q != 0)))
return 0.5 * (kl_p + kl_q)
def audit_endpoint(endpoint_samples, reference_fingerprint, threshold=0.25):
"""
Verifies if endpoint samples match the reference fingerprint.
endpoint_samples: Dict mapping (task, lang) -> list of normalized responses
reference_fingerprint: Dict mapping (task, lang) -> dict of token probabilities
"""
jsd_scores = []
for (task, lang), samples in endpoint_samples.items():
if len(samples) < 10:
continue
# Compute empirical distribution from endpoint
unique, counts = np.unique(samples, return_counts=True)
emp_dist = dict(zip(unique, counts / len(samples)))
# Align vocabularies between empirical and reference distributions
ref_dist = reference_fingerprint.get((task, lang), {})
all_tokens = list(set(emp_dist.keys()) | set(ref_dist.keys()))
p = np.array([emp_dist.get(t, 0.0) for t in all_tokens])
q = np.array([ref_dist.get(t, 0.0) for t in all_tokens])
jsd_scores.append(compute_jsd(p, q))
mean_jsd = np.mean(jsd_scores)
# Reject endpoint if mean JSD exceeds the calibrated threshold
is_genuine = mean_jsd <= threshold
return is_genuine, mean_jsd
Key Results
The evaluation spanned 165 models served on OpenRouter across 53 providers, totaling 326,047 API requests.
The paper's results (detailed in Section VI and Figures 3 and 4) prove that single-token outputs are highly non-uniform (median cell entropy of only 1.00 bit, compared to a uniform baseline of 6.64 bits for the 1–100 number task).
1. Verification Accuracy vs. Query Budget
Table III details how the Equal Error Rate (EER) scales when restricting the audit to a random subset of cells:
| Number of Probe Cells () | Total Output Tokens (at ) | Equal Error Rate (EER) | 90% Confidence Band |
|---|---|---|---|
| 1 (e.g., English numbers only) | 15 | 23.3% | 14% – 40% |
| 4 | 60 | 13.2% | 9% – 18% |
| 8 | 120 | 10.6% | 8% – 14% |
| 16 | 240 | 9.5% | 8% – 12% |
| 32 | 480 | 8.4% | 7% – 10% |
| 40 (Full Battery) | 600 | 7.3% | — |
2. Lineage Recovery (Nearest Neighbor)
Using average-linkage hierarchical clustering (shown in Figure 2), the authors evaluated if family origins could be parsed from the fingerprint.
- Leave-One-Out 1-NN Classification Accuracy: 59.5% against an 18.4% random baseline.
- glm lineage precision: 1.00 (Recall: 0.83).
- gpt lineage precision: 0.70 (Recall: 0.90).
3. Real-World Ecosystem Anomalies Uncovered
When applied to production deployments on OpenRouter, the fingerprint exposed several stark deviations (Section VI-D):
| Target Endpoint | Claimed Identity | Nearest Fingerprint Match | Observed JSD | Status / Interpretation |
|---|---|---|---|---|
writer/palmyra-x5 |
Proprietary, in-house flagship | qwen/qwen3-235b-a22b-2507 |
0.141 | Identity Anomaly: Distributionally indistinguishable from Qwen. Lies well within the genuine same-model distance median (0.140). |
deepcogito/cogito-v2.1-671b |
Unlabeled lineage | DeepSeek V3 checkpoints | 0.268 – 0.308 | Lineage Confirmed: Confirms undocumented base weights are DeepSeek. |
meta-llama/llama-3.2-3b-instruct |
Cloudflare deployment vs. Parasail | Self (Different provider) | 0.716 | Deployment Anomaly: Exceeds the 5th percentile of different-model (impostor) distances. |
openai/gpt-4 |
Azure Hosted vs. OpenAI First-Party | Self (Different provider) | 0.392 | Deployment Anomaly: Significant structural shifts introduced by host-specific configurations. |
Limitations & Open Questions
While highly efficient, the protocol suffers from several notable constraints that safety teams and security auditors must keep in mind:
- The Reasoning Model Blindspot: The method relies on direct, single-pass completions. For frontier reasoning models (such as OpenAI's o-series), enforcing a strict
max_tokens=16cap or disabling reasoning is either rejected by the API or forces the model into a completely different operational state. Fingerprinting these models on their final answer requires a much larger token budget to bypass the intermediate chain-of-thought phase. - Serving-Stack Jitter: As demonstrated by the
gpt-4Azure-vs-OpenAI anomaly (JSD = 0.392), minor differences in infrastructure, such as hardware-level quantization, system prompt parsing engines, or custom decoding parameters, can shift fingerprint distributions. This raises the false positive rate for multi-cloud deployments unless reference fingerprints are registered for every specific host. - Temporal Drift: Behavioral fingerprints drift over time as providers deploy stealthy, unannounced weight updates or alignment patches. Auditors must continuously rebuild reference profiles to maintain calibration.
- Lineage Erasure via Alignment: As shown by
nvidia/llama-3.3-nemotron-super-49b-v1.5(which clustered closer to Qwen than Llama, exhibiting a JSD of 0.303), intensive post-training can entirely overwrite a base model's behavioral priors. Lineage tracking cannot, therefore, be guaranteed for highly customized derivatives.
What Practitioners Should Do
If you are running production operations over third-party API aggregators or managing a high-volume LLM routing stack, you should implement the following steps:
1. Build an Automated Audit Pipeline
Integrate a weekly, low-frequency cron job that queries your critical providers using an 8-cell subset of the random-choice battery (at per cell, costing less than a penny). Maintain a moving average of the JSD. If JSD spikes past the calibrated threshold (e.g., ), trigger an alert for potential backend model substitution.
2. Enforce Strict Decoding Controls
When running audits, explicitly override provider-side defaults to ensure you are sampling the raw output distribution:
- Hard-code
temperature=1.0. - Set
max_tokens=16to minimize generated output. - Pass explicit headers or body fields to disable optional reasoning modes.
3. Implement Cache-Busting Mechanisms
As detailed in Section VII-C, response-level caching can artificially collapse your observed output distributions. Ensure your audit queries bypass provider filters and caches by sampling from an open-ended paraphrase family of the prompts, rather than querying the exact same string repeatedly:
import random
# Illustrative conceptual example of paraphrased prompts for the same task
paraphrases = [
"Name a random number between 1 and 100.",
"Give me a random number from 1 to 100.",
"Pick a random number between 1 and 100.",
"Choose a random number from 1 to 100."
]
prompt = random.choice(paraphrases)
4. Monitor Latency Signatures
Cross-reference your distributional audits with latency metrics. A sudden drop in median response latency coupled with a collapse in distribution variance indicates that the provider is serving cached responses or substituting a highly distilled/smaller model variant.
The Takeaway
Model behavior is a highly sensitive, low-cost forensic signature. In an era where commercial LLM APIs are completely opaque, ensuring model integrity does not require access to protected weights or expensive long-form generations. By auditing the statistical quirks of single-token outputs, enterprise consumers can cheaply force dishonest providers to choose between maintaining serving integrity or getting caught red-handed.
Den's Take
I love the sheer elegance of this approach. Instead of burning compute on long text generations or demanding logit access—which commercial API aggregators rarely grant anyway—this protocol exploits LLMs' inherent, idiosyncratic inability to produce true randomness. Grounding the verification in the first-token distribution of trivial, random-choice questions is a clever way to bypass prompt filtering attacks, as these queries look entirely innocuous.
The economics are incredibly compelling for real-world deployments. Achieving a 10.6% Equal Error Rate (EER) with just 8 probes for less than $0.01 per audit makes continuous validation highly viable for high-throughput applications.
However, we must be realistic about the limitations. Even scaling up to a 40-cell probe battery only drops the EER to 7.3%. A 7.3% error rate is still far too high for automated, zero-tolerance enforcement; you will face frequent false positives that disrupt service if you trigger automatic circuit breakers based on these audits alone.
I've previously explored how deep neural networks can be backdoor-corrupted, which underscores why we need lightweight, black-box validation techniques to ensure providers aren't quietly serving degraded weights. Ultimately, this is a highly practical diagnostic tool for the AI security stack, but we need further statistical optimization before we can rely on it as a standalone, automated security gate.