A security detection method and system for a large language model key-value cache

By constructing a token tree and combining iterative generation of the shadow large language model and the target large language model with time-side channel signal evaluation, the problems of error accumulation and network noise impact in the existing technology are solved, and efficient, stable and secure detection of large language model key-value caching is achieved.

CN122153968AActive Publication Date: 2026-06-05SHANDONG UNIV

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
SHANDONG UNIV
Filing Date
2026-04-30
Publication Date
2026-06-05

AI Technical Summary

Technical Problem

In the security detection of key-value caches in large language models, the greedy search strategy of existing technologies leads to rapid accumulation of errors over long sequences, resulting in decreased detection accuracy. Furthermore, network traffic analysis is susceptible to jitter and latency fluctuations, resulting in low robustness and efficiency.

Method used

An initial token tree is constructed and iteratively generated using a shadow large language model and a target large language model. Security is evaluated by combining time-side channel signals. Multiple candidate path search replaces greedy decision-making, reducing dependence on network traffic temporal characteristics. Weights are dynamically adjusted to cope with network noise.

Benefits of technology

It significantly improves detection accuracy and robustness in long text and complex network environments, enhances the privacy protection of key-value caches for large language models, and ensures the stability of security assessment in multi-tenant shared environments.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122153968A_ABST
    Figure CN122153968A_ABST
Patent Text Reader

Abstract

The application provides a security detection method and system for a large language model key-value cache, relates to the field of artificial intelligence information security, and comprises the following steps: obtaining original request text input by a user, intercepting a prefix from the original request text, taking the prefix as a root node Token, and constructing an initial Token tree; with the aid of a target large language model to be detected and a locally deployed shadow large language model, performing downward iteration generation on the initial Token tree until a stopping condition is met, and obtaining a complete Token tree; selecting a path with the highest security score in the Token tree, comparing the matching degree with the original request text, and quantitatively evaluating the privacy protection strength of the large language model key-value cache; and with the aid of candidate Tokens generated by the shadow large language model and the first character generation delay detected by the target large language model, the security defense capability of the large language model key-value cache in a multi-tenant shared environment is evaluated.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of artificial intelligence information security, specifically to a security detection method and system for key-value caching of large language models. Background Technology

[0002] In recent years, large-scale language models (LLMs) based on the Transformer architecture (such as Llama and Deepseek) have made significant progress and have been widely used in privacy-sensitive fields such as medical consultation and financial analysis. These models generate responses token-by-token through autoregression, demonstrating powerful knowledge processing and question-answering capabilities. However, as the scale of model parameters continues to expand, the demand for computing resources and GPU memory in the inference process also increases dramatically, which has become a major bottleneck restricting the large-scale deployment of LLMs.

[0003] To address the issues of high inference latency and limited throughput, modern high-efficiency inference service frameworks (such as SGLang and vLLM) have introduced a series of system-level optimization mechanisms. Among them, key-value cache (KV Cache) sharing technology is one of the core optimization methods. In the Transformer architecture, when the model generates a new token, it needs to calculate the key and value matrix of all historical tokens. To avoid repetitive calculations that grow quadratically with the sequence length, the system adopts a "space-for-time" strategy, storing historical states in GPU memory. Especially in multi-tenant environments, the RadixAttention mechanism, implemented using data structures such as Radix Trees, allows different user requests to reuse KV caches with the same prefix (such as system prompts or common templates). This mechanism significantly reduces the computational overhead of the prefill stage, greatly reduces the first-letter latency (TTFT), and improves the overall service efficiency of the system.

[0004] While key-value cache sharing significantly improves inference performance, this sharing of physical resources in a multi-tenant environment also introduces potential side-channel risks. When different requests share the same underlying hardware resources, cache hits and cache misses can lead to significant differences in computational load, which are reflected in observable temporal characteristics such as inference latency and token generation intervals. External observers may exploit these millisecond-level time differences to infer contextual information within the shared environment. Furthermore, LLMs commonly employ streaming output mechanisms; even with TLS encryption, the packet sizes and arrival time intervals (IAT) of response packets still exhibit specific statistical patterns with the token sequence, potentially leaking semantically relevant content.

[0005] Existing security detection methods typically simulate the perspective of an external observer. However, these technologies face two major challenges in practical applications. First, most existing sequence recovery detection methods employ a greedy search strategy, determining tokens one by one. But when processing long texts (such as complex system prompts), if the inference of preceding tokens is flawed, the subsequent key-value cache states will deviate completely from the true path, leading to a rapid accumulation of errors and a precipitous drop in detection accuracy as the sequence length increases. Second, when it comes to network traffic analysis, the jitter and latency fluctuations prevalent in real-world networks often mask the true traffic characteristics, making it difficult for analysis methods relying solely on traffic metadata to maintain stability and efficiency in complex network environments.

[0006] Therefore, existing technologies suffer from low analysis efficiency and poor robustness in complex long sequence environments, making it difficult to improve the privacy protection level and system robustness of LLM services. Summary of the Invention

[0007] To address the aforementioned issues, this invention proposes a security detection method and system for key-value caches of large language models. By leveraging candidate tokens generated by a shadow large language model and the initial character generation delay detected by the target large language model, the security defense capability of key-value caches of large language models in a multi-tenant shared environment is evaluated.

[0008] According to some embodiments, the present invention adopts the following technical solution: A security detection method for key-value caching in large language models includes: Obtain the original request text input by the user, extract the prefix from the original request text, use it as the token of the root node, and build the initial token tree; Using the target large language model to be detected and the locally deployed shadow large language model, the initial token tree is iteratively generated downwards until the stopping condition is met, and a complete token tree is obtained. The path with the highest security score in the Token tree is selected, and the privacy protection strength of the large language model key-value cache is quantitatively evaluated by comparing its matching degree with the original request text.

[0009] According to some embodiments, the present invention adopts the following technical solution: A security detection system for key-value caching in large language models includes: The acquisition module is configured to: acquire the original request text input by the user, extract the prefix from the original request text, use it as the token of the root node, and build the initial token tree; The iteration module is configured to iteratively generate the initial token tree downwards using the target large language model to be detected and the locally deployed shadow large language model, until the stopping condition is met to obtain the complete token tree. The comparison module is configured to: select the path with the highest security score in the Token tree, and quantitatively evaluate the privacy protection strength of the large language model key-value cache by comparing its matching degree with the original request text.

[0010] According to some embodiments, the present invention adopts the following technical solution: A computer program product includes a computer program that, when executed by a processor, implements the aforementioned security detection method for key-value caches of large language models.

[0011] According to some embodiments, the present invention adopts the following technical solution: A non-transitory computer-readable storage medium is provided for storing computer instructions, which, when executed by a processor, implement the aforementioned security detection method for key-value caches of large language models.

[0012] According to some embodiments, the present invention adopts the following technical solution: An electronic device includes a processor, a memory, and a computer program; wherein the processor is connected to the memory, the computer program is stored in the memory, and when the electronic device is running, the processor executes the computer program stored in the memory to enable the electronic device to perform a security detection method for key-value caching of large language models.

[0013] Compared with the prior art, the beneficial effects of the present invention are as follows: To address the shortcomings of existing greedy search strategies in processing long sequences, such as rapid error accumulation due to inference bias in preceding tokens and a precipitous drop in detection accuracy with increasing sequence length, this invention constructs an initial token tree and iteratively generates a complete tree-like search structure using a target large language model and a locally deployed shadow large language model. Then, it selects the path with the highest security score and compares its matching degree with the original request text. This multi-candidate path search mechanism replaces the greedy decision-making of a single path, effectively preventing single-point errors from being amplified step by step. Therefore, it significantly improves the security of key-value caching in scenarios with long texts and complex prefixes. The accuracy of detection and the robustness of sequence recovery are improved. Furthermore, addressing the issues of existing technologies that rely solely on traffic metadata and are susceptible to network jitter and latency fluctuations, resulting in low analysis efficiency and poor stability in complex network environments, this invention introduces a locally deployed shadow large language model to generate candidate tokens. It then combines this with the actual response of the target large language model for tree iteration and path security scoring. This reduces the reliance on the temporal characteristics of network traffic, enabling the detection method to maintain stable detection efficiency and reliability even in complex environments with network noise. This comprehensively enhances the evaluation capability of the privacy protection strength of large language model key-value caches in multi-tenant shared environments. Attached Figure Description

[0014] The accompanying drawings, which form part of this invention, are used to provide a further understanding of the invention. The illustrative embodiments of the invention and their descriptions are used to explain the invention and do not constitute an improper limitation of the invention.

[0015] Figure 1 This is a flowchart of a security detection method for key-value caching of a large language model, as shown in Example 1. Detailed Implementation

[0016] The present invention will be further described below with reference to the accompanying drawings and embodiments.

[0017] It should be noted that the following detailed descriptions are exemplary and intended to provide further illustration of the invention. Unless otherwise specified, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention pertains.

[0018] It should be noted that the terminology used herein is for the purpose of describing particular embodiments only and is not intended to limit the scope of exemplary embodiments according to the invention. As used herein, the singular form is intended to include the plural form as well, unless the context clearly indicates otherwise. Furthermore, it should be understood that when the terms "comprising" and / or "including" are used in this specification, they indicate the presence of features, steps, operations, devices, components, and / or combinations thereof.

[0019] Example 1 One embodiment of the present invention provides a security detection method for key-value caching of large language models. By leveraging candidate tokens generated by a shadow large language model and the initial character generation delay detected by the target large language model, the security defense capability of the key-value caching of large language models in a multi-tenant shared environment is evaluated. This embodiment involves two terminals: a security detection terminal and a target large language model to be detected. The security detection terminal interacts with and detects the target large language model using a locally deployed shadow large language model with the same architecture as the target large language model. Figure 1 As shown, it includes: Deploying S0: Preparation The target large language model to be tested is usually a private large model service deployed within an enterprise or a multi-tenant API service on a public cloud, responsible for handling requests from various users. The underlying Radix Tree is used to share a key-value cache to accelerate inference.

[0020] For example, deploy inference frameworks (such as SGLang or vLLM) that support the RadixAttention mechanism on high-performance computing nodes. These frameworks manage key-value caches (KV caches) through Radix Trees to achieve prefix sharing and optimize inference performance. A representative large language model (such as Llama-3 or the DeepSeek series) is selected as the target large language model. The security detection end communicates with the target large language model through a standard API interface. The aim is to evaluate the state isolation security of the target large language model under complex concurrent requests through a non-intrusive observation method.

[0021] A shadow big model, which is based on the same architecture as the target big language model, is deployed locally as a reference predictor. This big model is used to accurately simulate the language generation probability of the target big language model, thereby generating candidate tokens in a targeted manner.

[0022] Step S1: Obtain the original request text input by the user, extract the prefix from the original request text, use it as the Token of the root node, and construct the initial Token tree.

[0023] To make it easier to understand, let's take a specific example. The user's complete input request is: "Imagine a scenario where you are a financial advisor. How to invest 1000 dollars?" The security detection end extracts the prefix "Imagine a scenario" from the input request.

[0024] Construct an initial Token tree with only one root node, and use the prefix "Imagine a scenario" as the Token value of the root node.

[0025] Step S2: Using the target large language model to be detected and the locally deployed shadow large language model, the initial token tree is iteratively generated downwards, and the security score of the path corresponding to each node is calculated until the stopping condition is met, and the complete token tree is obtained.

[0026] Each iteration of the downward iteration traverses all leaf nodes of the current token tree, generating a new child node for each leaf node. Taking the current node L as an example, the specific steps are as follows: Step S21: Based on the path from the root node to the current node L, construct a request for the shadow large language model, thereby generating a candidate token set for the current leaf node L.

[0027] Specifically, each node in the path from the root node to the leaf node has its own Token value. The Token values ​​of all nodes in the path are concatenated in order to obtain a request text. The request text is input into the locally deployed shadow big language model. The local model calculates the probability distribution of the next word (i.e., the prediction confidence). The prediction confidence is sorted from largest to smallest, and the top K candidate Tokens are selected to form a candidate Token set.

[0028] The size K of the candidate token set differs from a fixed-width search strategy. In this embodiment, the size K of the candidate set is dynamically adjusted based on the prediction confidence of the shadow large language model. When the prediction confidence is high, i.e., below a preset threshold (in the prediction set), only the Top tokens are selected. Kmin The system selects candidate tokens to improve detection efficiency; when the model's prediction is uncertain (i.e., not lower than a preset threshold, indicating fuzzy prediction), it automatically expands to the Top Tokens. Kmax A number of candidate tokens are provided to prevent the failure to detect the real path due to local model bias.

[0029] The shadow big language model takes the request text as input and the predicted next word and confidence level as output, thereby simulating the language generation probability of the target big language model and generating candidate tokens accordingly. The shadow big language model is pre-trained on a dataset to enhance its understanding of semantic information.

[0030] Using the example from step 1, for the initial token tree built in step 1, input the token value "Imagine a scenario" of the root node into the locally deployed large model to obtain a candidate token set with a size of K=5, for example: Candidate Token 1: “Where”, with a predicted confidence level of 0.75; Candidate Token 2: “In”, with a prediction confidence level of 0.10; Candidate Token 3: "Is", with a prediction confidence level of 0.05; Candidate Token 4: “That”, with a prediction confidence level of 0.09; Candidate Token 5: “About”, with a prediction confidence level of 0.01.

[0031] Step S22: Construct a probe request to the target large language model for each candidate token, and calculate the temporal probability score of each candidate token by utilizing the first character generation delay of the request.

[0032] First, based on the time-side channel signal, a baseline modeling of the temporal distribution of the target large language model is performed. The security detection terminal then sends a known prefix to the target large language model. For the i-th request, record the first character generation delay in both the "hit" and "miss" states of the KV Cache. and Simultaneously, the acquired time delay difference is analyzed using an exponential normalization function with temperature scaling. Normalization is performed, and a regression method is used to establish a mapping model from latency to cache hit probability, with the cache hit probability used as the temporal probability score. This step provides a quantitative basis for subsequent automated analysis, expressed by the formula:

[0033]

[0034] in, prefix The time probability score; the larger the value, the stronger the prefix. The higher the probability of hitting the target large language model KV cache, the better; I( >0) is the indicator function, when the observed time delay difference When the value is greater than 0, the function takes the value of 1, and the activation probability is calculated; when... When the function takes a value of 0, it represents the prefix. They are automatically pruned and do not proceed to subsequent search iterations; This is a latency feature that reflects the speedup achieved by the target large language model when processing the request; Let e ​​be the exponential term with base e, where It is a smoothing factor used to adjust the system's robustness to network latency fluctuations.

[0035] Based on the above mapping model, each token is probed to obtain its corresponding time probability score, specifically: Concatenate the token values ​​of all nodes along the path from the root node to the current leaf node L in sequence to obtain a request text. Finally, concatenate the token value to be probed to obtain a probe request for that token value. Send this request to the target large language model and record the delay from inputting into the target large language model to the generation of the first character of the first token. Delay the generation of the first character in the missing state. Subtracting them gives the time delay difference. Substituting this into the mapping model yields the time probability score. .

[0036] Delay in first character generation under missing conditions The process involves concatenating the token values ​​of all nodes along the path from the root node to the current leaf node L in sequence to obtain a request text. Finally, a common missed token value, such as the letter 'a', is appended to this request, resulting in a probe request for the missing state. This request is then sent to the target large language model to obtain the initial character generation delay. .

[0037] For example, performing a probe request on the candidate token set of size 5 obtained in step S22 yields the following result: "Where": Prediction confidence level is 0.75, latency difference is 0.52s, and time probability score is 82.8%; "In": Prediction confidence level is 0.10, latency difference is 0.49s, and time probability score is 16.7%; "Is": Prediction confidence level is 0.05, latency difference is 0.47, and time probability score is 0.5%; "That": The prediction confidence is 0.09, the delay difference is 0.29s, and the time probability score is close to 0; "About": Prediction confidence is 0.01, latency difference is 0.21s, and time probability score is forced to 0.

[0038] Step S23: Based on the predicted confidence and time probability score of each candidate token, calculate the security score of each candidate token, sort them from largest to smallest according to the security score, select the top B candidate tokens, and construct B new leaf nodes with the current leaf node L as the parent node.

[0039] The formula for the security score is:

[0040] in, Represents the current set of candidate tokens The final security score corresponding to the i-th candidate token; The confidence level of the shadow large language model in predicting the candidate token; The temporal probability score, calculated based on the initial character generation delay, is used to quantify the likelihood that the token will hit the target model's key-value cache (KV Cache). and The weights are dynamically assigned, representing the contributions of the semantic information of the language model and the temporal side-channel signal to the decision, respectively. This is the penalty intensity coefficient.

[0041] Here k i Let k be the cumulative number of prediction errors for the path with the i-th candidate token as the leaf node (i.e., the number of times the model makes a high prediction confidence prediction but a cache miss occurs). i The process of incrementing the "cumulative prediction error count of the leaf node's parent node" can only proceed if the following two conditions are met: (1) The prediction confidence of the i-th candidate token It exceeds the preset gating threshold (e.g., 0.45).

[0042] (2) If the latency difference of the probe request of the i-th candidate Token is not greater than the set latency threshold (e.g., 0), it indicates that the candidate Token has not hit the KV cache.

[0043] This embodiment is based on the highest prediction confidence level in the current candidate token set. Dynamically adjust to the preset threshold range and The weights are as follows: when When the value is greater than 0.9, the model is extremely confident and focuses primarily on semantics. = 0.85, = 0.15; When 0.7 < <0.9: = 0.75, = 0.25; When 0.5 < When <0.7: =0.65, = 0.35; When 0.45 < When the value is less than 0.5, the semantic confidence is low and tends to favor time signals. = 0.40, =0.60; when When the value is less than 0.45, the prediction of the local large language model is considered unreliable, and a forced default is imposed. = 0, which completely hands over the decision-making power to the time-side channel signal.

[0044] To address the inaccuracies caused by large model time differences due to network latency feedback, this embodiment proposes for the first time a backtracking correction mechanism based on state feedback. Specifically, if all B candidate tokens exhibit low probability / cache-missing states during probing, and the average security score of all candidate tokens at the current level is lower than a preset security reliability threshold Γ, then the current search is deemed to have entered an error zone. Probing downwards is stopped, and the system automatically backtracks to the sibling node of the current leaf node L to re-extract the path. Through this dynamic correction mechanism, the system can effectively correct analysis errors caused by local model biases, ensuring the continuity and accuracy of long-sequence security analysis.

[0045] Step S3: Select the path with the highest security score in the Token tree, and quantitatively evaluate the privacy protection strength of the large language model key-value cache by comparing its matching degree with the original request text.

[0046] Specifically, the original request text is segmented to obtain a token sequence. The path with the highest security score is matched with the token sequence. The ratio of the number of successfully matched tokens to the total number of tokens is used as the token recovery accuracy to quantitatively evaluate the privacy protection strength of the large language model key-value cache. For example, the token sequence of the original request text is Where, you, are, a, financial, advisor, ., [EOS] (6 tokens in total). The selected paths are: Where, you, are, a, financial, expert (the real state was not hit here), .., [EOS]. After comparison, due to a very small semantic shift in the third to last step of the algorithm, a total of 5 tokens were successfully matched. Based on this, the token recovery accuracy of this detection is calculated to be: 5 / 6 = 82.3.5%.

[0047] To verify the effectiveness of the security detection method for key-value caches in large language models, this embodiment conducted a systematic security evaluation on different open-source large language models (such as Llama-3.1-8B, DeepSeek-7B, etc.). Table 1 shows the accuracy of the security detection method for KV cache state identification under different sequence lengths: Table 1. Security detection accuracy under different models

[0048] As can be seen from the comparative data in Table 1, the security detection method proposed in this embodiment demonstrates superior accuracy compared to the benchmark method across different model architectures. In the Llama-3.1-8B model, for sequences of length 20 tokens, this method improves the security identification accuracy from 82% to 87%. The performance improvement is particularly significant in the DeepSeek-7B model, with accuracy increasing dramatically from 72% to 84%, a 12 percentage point improvement. This indicates that this method, through adaptive leaf node construction and temporal probabilistic discrimination, can more effectively identify the micro-latency features caused by cache sharing during model inference.

[0049] In summary, the data in Table 1 validates the core advantages of this security detection method in improving detection efficiency and accuracy. Through such high-precision state recognition, LLM service providers can more clearly define which sensitive sequences are susceptible to side-channel analysis. This provides crucial data support for subsequent targeted implementation of differentiated privacy protections (such as masking key tokens or adjusting the RadixAttention matching threshold), thereby fundamentally enhancing the security of the LLM system without significantly sacrificing inference performance.

[0050] Example 2 One embodiment of the present invention provides a security detection system for key-value caching of large language models, comprising: The acquisition module is configured to: acquire the original request text input by the user, extract the prefix from the original request text, use it as the token of the root node, and build the initial token tree; The iteration module is configured to iteratively generate the initial token tree downwards using the target large language model to be detected and the locally deployed shadow large language model, until the stopping condition is met to obtain the complete token tree. The comparison module is configured to: select the path with the highest security score in the Token tree, and quantitatively evaluate the privacy protection strength of the large language model key-value cache by comparing its matching degree with the original request text.

[0051] Example 3 One embodiment of the present invention provides a computer program product, including a computer program that, when executed by a processor, implements the aforementioned security detection method for key-value caching of large language models.

[0052] Example 4 In one embodiment of the present invention, a non-transitory computer-readable storage medium is provided for storing computer instructions. When the computer instructions are executed by a processor, they implement the security detection method for key-value caching of large language models.

[0053] Example 5 One embodiment of the present invention provides an electronic device, including: a processor, a memory, and a computer program; wherein the processor is connected to the memory, the computer program is stored in the memory, and when the electronic device is running, the processor executes the computer program stored in the memory to enable the electronic device to implement the security detection method for key-value caching of large language models.

[0054] This invention is described with reference to flowchart illustrations and / or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each block of the flowchart illustrations and / or block diagrams, and combinations of blocks in the flowchart illustrations and / or block diagrams, can be implemented by computer program instructions. These computer program instructions can be provided to a processor of a general-purpose computer, special-purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, generate instructions for implementing the flowchart illustrations and / or block diagrams. Figure 1 One or more processes and / or boxes Figure 1 A device that provides the functions specified in one or more boxes.

[0055] These computer program instructions may also be loaded onto a computer or other programmable data processing equipment to cause a series of operational steps to be performed on the computer or other programmable equipment to produce a computer-implemented process, thereby providing instructions that execute on the computer or other programmable equipment for implementing the process. Figure 1 One or more processes and / or boxes Figure 1 The steps of the function specified in one or more boxes.

[0056] While the specific embodiments of the present invention have been described above in conjunction with the accompanying drawings, this is not intended to limit the scope of protection of the present invention. Those skilled in the art should understand that various modifications or variations that can be made by those skilled in the art without creative effort based on the technical solutions of the present invention are still within the scope of protection of the present invention.

Claims

1. A security detection method for key-value caching in large language models, characterized in that, include: Obtain the original request text input by the user, extract the prefix from the original request text, use it as the token of the root node, and build the initial token tree; Using the target large language model to be detected and the locally deployed shadow large language model, the initial token tree is iteratively generated downwards until the stopping condition is met, and a complete token tree is obtained. The path with the highest security score in the Token tree is selected, and the privacy protection strength of the large language model key-value cache is quantitatively evaluated by comparing its matching degree with the original request text.

2. The security detection method for key-value caching of large language models as described in claim 1, characterized in that, The locally deployed shadow big language model is a predictor deployed locally by the security detection terminal. It uses a shadow big model with the same architecture as the target big language model as a reference to simulate the language generation probability of the target big language model, thereby generating candidate tokens.

3. The security detection method for key-value caching of large language models as described in claim 2, characterized in that, The iterative generation of the initial token tree downwards involves traversing each leaf node of the current token tree, taking each leaf node as the current node, and performing the following operations: For each current node, a request to generate candidate tokens is constructed. Several candidate tokens are generated through the shadow big language model, and the confidence score of each candidate token is obtained. A probe request is constructed for each candidate token, and the temporal probability score of each candidate token is obtained by taking into account the initial character generation delay of the target large language model. Based on confidence level and time probability score, calculate the security score of each candidate token, and select several candidate tokens by passing the security score threshold; For each candidate token selected, construct a new leaf node with the current leaf node as its parent node.

4. The security detection method for key-value caching of large language models as described in claim 3, characterized in that, The process of constructing a request to generate a candidate token for each current node is based on the path from the root node to the current leaf node, and the tokens of all nodes on the path are concatenated in order to construct a new request.

5. The security detection method for key-value caching of large language models as described in claim 3, characterized in that, For each candidate token, a probe request is constructed. This is based on the path from the root node to the current leaf node, by concatenating the tokens of all nodes along the path in order, and finally concatenating the candidate token to form the probe request.

6. The security detection method for key-value caching of large language models as described in claim 3, characterized in that, The time probability score is determined by using the first character generation delay of the probe request to determine whether the cache is hit. The measured first character generation delay is converted into a normalized time probability score using an exponential normalization function with temperature scaling.

7. A security detection system for key-value caching of large language models, characterized in that, include: The acquisition module is configured to: acquire the original request text input by the user, extract the prefix from the original request text, use it as the token of the root node, and build the initial token tree; The iteration module is configured to iteratively generate the initial token tree downwards using the target large language model to be detected and the locally deployed shadow large language model, until the stopping condition is met to obtain the complete token tree. The comparison module is configured to: select the path with the highest security score in the Token tree, and quantitatively evaluate the privacy protection strength of the large language model key-value cache by comparing its matching degree with the original request text.

8. A computer program product, comprising a computer program, characterized in that, When the computer program is executed by the processor, it implements the security detection method for key-value cache of large language models as described in any one of claims 1-6.

9. A non-transitory computer-readable storage medium, characterized in that, The non-transitory computer-readable storage medium is used to store computer instructions, which, when executed by a processor, implement a security detection method for key-value caches of large language models as described in any one of claims 1-6.

10. An electronic device, characterized in that, include: The device includes a processor, a memory, and a computer program; wherein the processor is connected to the memory, the computer program is stored in the memory, and when the electronic device is running, the processor executes the computer program stored in the memory to enable the electronic device to perform a security detection method for key-value caching of a large language model as described in any one of claims 1-6.