
Whisper Leak Vulnerability: A Side-Channel Attack Against Encrypted LLM Conversations

Introduction

Large Language Models (LLMs) have become part of daily life. People use AI assistants to write emails, generate code, summarize documents, conduct research, and answer questions. As these systems become more common in homes, businesses, and government environments, protecting the privacy of user interactions has become increasingly important.


Many users assume that encryption completely hides their AI conversations from outside observers. While encryption protects the contents of prompts and responses, metadata such as packet sizes, timing patterns, and traffic volume can still reveal information about user activity. 


Think of it like watching two people communicate through sealed envelopes. Although the envelopes cannot be opened, an observer may still learn something from how many envelopes are exchanged, how large they are, and how quickly they move back and forth. Over time, these patterns can reveal surprising details about the nature of the conversation.


Whisper Leak demonstrates that the metadata surrounding AI communications can itself become a source of information leakage. Researchers showed that, under certain conditions, machine-learning models trained on the traffic patterns generated during interactions with large language models can infer the likely category of a conversation from the encrypted traffic alone.

This report examines the Whisper Leak attack, its underlying techniques, potential attack scenarios, security implications, and available mitigation strategies.


What Is Whisper Leak?


Whisper Leak is a side-channel attack that allows attackers to infer the topic of encrypted conversations with Large Language Models (LLMs) without decrypting the traffic itself. Rather than attacking the AI model directly or breaking the encryption protecting the communication, the attack analyzes patterns in network traffic generated during interactions with AI systems.


The sealed-envelope analogy from the introduction applies here. An observer cannot read the contents of the envelopes, but can still notice how many are exchanged, how large they are, and how quickly they move between the two parties. While the actual message remains hidden, these patterns can reveal important clues about the nature of the conversation.

Whisper Leak applies this same principle to AI communications. When a user interacts with an LLM, the conversation is typically protected by encryption. However, the encrypted traffic still produces observable characteristics, including:

• Packet sizes

• Packet counts

• Response timing

• Token streaming patterns

• Traffic bursts during model generation

These characteristics create a unique traffic fingerprint that can reveal information about the interaction.


Researchers demonstrated that different conversation categories often generate different traffic patterns. For example, discussions involving software development, healthcare, finance, legal matters, education, or general knowledge may produce distinguishable communication behaviors. By collecting and analyzing these patterns, attackers can train machine learning models capable of identifying the likely topic of a conversation.


Unlike traditional attacks, Whisper Leak does not require access to the user's prompt, the model's response, or the encryption keys protecting the communication. The attacker only needs visibility into the encrypted network traffic exchanged between the user and the AI service.


What makes this attack significant is that it challenges a common assumption about privacy. Many users believe that encryption completely hides their interactions from observers. While encryption protects the contents of a conversation, Whisper Leak demonstrates that metadata surrounding the communication can still reveal meaningful information.


This makes the attack particularly concerning in environments where confidentiality is important. Business discussions, legal consultations, medical inquiries, research activities, and other sensitive interactions may have their topics inferred even when the underlying conversation remains encrypted.


Whisper Leak is not a vulnerability in a specific AI model or implementation. Instead, it arises from the way modern AI services communicate over networks and how observable traffic patterns can unintentionally leak information. As AI adoption continues to grow, protecting both content and communication metadata will become an increasingly important part of securing AI systems.


Technical Breakdown of Whisper Leak


To understand Whisper Leak, it is important to understand how modern AI services communicate with users. Unlike traditional web applications that typically return a complete response at once, many Large Language Models (LLMs) generate and stream responses incrementally as tokens are produced.

Although these communications are protected by TLS encryption, certain characteristics of the traffic remain visible to network observers. Whisper Leak exploits these observable characteristics to infer information about a conversation without decrypting it.


How LLM Communication Works

A typical interaction with an AI assistant follows several steps:

  1. A user submits a prompt to the AI service.

  2. The request is transmitted through an encrypted connection.

  3. The model processes the prompt and generates a response.

  4. The response is streamed back to the user as a sequence of tokens.

  5. The client application displays the response as it arrives.

While the content of the communication remains encrypted, the transmission still produces observable metadata.


The Metadata Exposure Problem

Encryption protects message contents but does not completely hide communication patterns.

An observer can typically measure:

  • Packet sizes

  • Packet counts

  • Response duration

  • Transmission timing

  • Traffic volume

  • Streaming behavior

Individually, these signals reveal little information. When analyzed together, however, they can create a distinctive traffic fingerprint for a particular interaction.


Building Traffic Fingerprints

Different categories of prompts often generate different response characteristics.

For example:

  • Programming requests may generate lengthy code blocks.

  • Legal or technical questions may produce structured responses.

  • Simple factual questions may result in shorter outputs.

  • Creative writing prompts may generate long continuous streams of text.

These differences influence packet counts, response length, streaming duration, and timing patterns. The resulting metadata can be captured and converted into traffic fingerprints.


Feature Extraction and Analysis

After collecting encrypted traffic, an attacker extracts measurable features from the communication.

Common examples include:

  • Average packet size

  • Packet size variance

  • Total bytes transferred

  • Number of packets

  • Response duration

  • Timing intervals between packets

These features are transformed into numerical data that can be analyzed using statistical and machine-learning techniques.


Machine Learning Classification

The core of Whisper Leak is traffic classification.

Researchers demonstrated that machine-learning models can be trained on traffic collected from known prompt categories. Once trained, these models can compare newly observed traffic against previously learned patterns and estimate the most likely topic of a conversation.

Rather than recovering prompts or responses, the system generates a probability-based prediction of the conversation category.


Why the Attack Works

Whisper Leak succeeds because AI-generated responses often produce consistent communication patterns. Although encryption prevents observers from reading the contents of a conversation, it does not completely conceal how that conversation is transmitted.

The attack demonstrates that metadata alone can contain enough information to reveal statistical characteristics of an interaction. This allows attackers to infer likely conversation topics without breaking encryption or accessing the AI model itself.


Key Limitation

Whisper Leak does not recover prompts, responses, credentials, or conversation contents. The attack is limited to inference based on observable metadata and relies heavily on access to traffic data, sufficient training samples, and accurate classification models.


Attack Scenarios


Whisper Leak does not require attackers to decrypt AI conversations or compromise the AI service itself. Instead, the attack relies on access to encrypted network traffic and the ability to analyze metadata such as packet sizes, timing patterns, response duration, and traffic volume.

The feasibility of the attack depends largely on where the attacker can observe network communications.


Potential Observation Points


Public and Shared Networks

Users frequently access AI services through public Wi-Fi networks in airports, hotels, coffee shops, and conference centers. An attacker with visibility into network traffic may collect metadata from encrypted AI sessions and analyze the resulting traffic patterns. While the conversation contents remain protected by TLS encryption, the observable characteristics of the communication may provide clues about the type of interaction taking place.


Enterprise Networks

Many organizations deploy network monitoring tools, proxies, firewalls, and traffic analytics platforms to improve security and operational visibility. Individuals with access to these systems may be able to collect metadata associated with employee interactions with AI services. Over time, this data could potentially be used to infer whether users are engaging in activities such as software development, legal review, financial analysis, or research.


Internet Service Providers and Telecommunications Infrastructure

Internet Service Providers and telecommunications operators routinely handle encrypted traffic flowing between users and online services. Although they cannot view the contents of encrypted AI conversations, they can observe traffic characteristics that remain visible at the network layer. In theory, large-scale traffic analysis could be used to identify patterns associated with specific categories of AI interactions.


Cloud and Network Infrastructure

Traffic between users and AI platforms often passes through gateways, load balancers, content delivery networks, and other networking components. If an attacker gains access to metadata collected within these environments, they may be able to analyze large numbers of AI sessions and build traffic fingerprints for classification purposes.


Why These Scenarios Matter


The significance of Whisper Leak is not that it exposes prompts or model responses. Instead, it demonstrates that encrypted AI communications may still reveal meaningful information through metadata. Under the right conditions, attackers may be able to infer the likely topic of a conversation without ever accessing its contents.

For individuals, this may expose sensitive interests or activities. For organizations, it may reveal patterns related to software development, legal work, financial planning, research projects, or incident response operations. While topic inference is less severe than full content disclosure, it can still provide valuable intelligence to an observer with sufficient visibility and analytical capabilities.


Topic Inference Methods


Whisper Leak does not recover the exact contents of an AI conversation. Instead, it allows attackers to infer the likely topic of a conversation by analyzing encrypted network traffic patterns. While this may seem less severe than recovering the actual prompt or response, topic disclosure alone can reveal sensitive information about a user's activities, interests, and intentions.


The attack works by identifying patterns in encrypted traffic that correlate with specific categories of AI interactions. Researchers demonstrated that these patterns can be analyzed using machine learning techniques to classify conversations without ever decrypting the underlying communication.

The following methods illustrate how topic inference is achieved.


1. Traffic Fingerprinting

Every AI interaction produces a unique pattern of network activity.

As responses are generated and streamed back to the user, observable characteristics emerge, including:

• Packet sizes

• Packet counts

• Response duration

• Transmission timing

• Traffic bursts


Together, these characteristics form a traffic fingerprint. Different categories of conversations often produce different fingerprints. For example, a programming request that generates lengthy code may produce a significantly different traffic pattern from a simple factual question that requires only a short response.

By collecting and analyzing these fingerprints, attackers can begin associating specific traffic patterns with specific conversation categories.


2. Feature Extraction and Classification

Once traffic has been collected, attackers extract measurable characteristics from the captured data.

Common features include:

• Average packet size

• Packet size variance

• Total bytes transferred

• Number of packets

• Response generation time

• Burst frequency

These features are then used to build machine learning models capable of identifying similarities between observed traffic and previously labeled training data.

Rather than reading the conversation itself, the attacker uses statistical relationships between traffic characteristics and known topics.


3. Machine Learning-Based Topic Prediction

The core of Whisper Leak relies on machine learning classification. Researchers first collect traffic samples associated with known conversation categories. These samples are labeled and used to train classification models.


When new encrypted traffic is observed, the model compares the traffic characteristics against previously learned patterns and estimates the most likely conversation topic.

Possible classifications may include:

• Software development

• Healthcare

• Finance

• Legal matters

• Education

• Research

• General assistance

The attacker never sees the actual prompt or response. Instead, they obtain a probability score indicating which topic category is most likely.


4. Session-Level Analysis

Individual requests may not provide enough information for accurate classification. However, many users interact with AI systems repeatedly over time.

By analyzing multiple sessions from the same user, attackers can build a more complete picture of behavior and interests.


For example, repeated observations may reveal that a user frequently discusses:

• Medical topics

• Software development

• Financial planning

• Legal issues

• Academic research

Over time, the confidence of topic predictions can improve significantly.


5. Multi-Feature Correlation

The most effective attacks do not rely on a single traffic characteristic.

Instead, multiple features are analyzed together, including:

• Packet sizes

• Timing patterns

• Response duration

• Request frequency

• Session behavior

Individually, these signals may reveal little information. Combined, they can create highly distinctive fingerprints that improve classification accuracy.


Why Topic Inference Is Effective


The effectiveness of Whisper Leak stems from several factors:

  1. AI-generated responses often produce predictable traffic patterns.

  2. Different prompt categories generate different response structures and lengths.

  3. Metadata remains visible even when communication is encrypted.

  4. Machine learning models can identify subtle relationships that are difficult for humans to notice.

  5. Repeated observations improve classification accuracy over time.


This is what makes Whisper Leak significant. The attack does not break encryption or recover conversation contents. Instead, it demonstrates that metadata surrounding AI communications can reveal meaningful information about what users are discussing, even when the actual conversation remains protected.


Impact Assessment


The impact of Whisper Leak is not that it decrypts AI conversations or exposes prompts and responses directly. Instead, the attack demonstrates that metadata surrounding encrypted AI communications can reveal meaningful information about what users are discussing.

In many situations, knowing the likely topic of a conversation may be valuable even without access to the actual content. The potential consequences range from individual privacy concerns to organizational intelligence gathering and large-scale surveillance.


Individual Privacy Risks


Many people use AI assistants to discuss sensitive subjects, including healthcare, legal matters, financial decisions, education, career planning, and personal research.

Although Whisper Leak cannot recover the exact contents of these conversations, traffic analysis may allow an observer to infer the general category of discussion. For example, an attacker may be able to distinguish between medical, legal, financial, or software-related interactions based on traffic characteristics alone.

For most users, topic disclosure is less severe than full conversation disclosure. However, in some situations, knowledge of the topic itself may reveal sensitive information about a person's interests, concerns, or activities.


Organizational Risks


Organizations increasingly rely on AI systems for software development, research, legal review, strategic planning, financial analysis, and internal documentation.

If an attacker can infer the types of interactions employees are having with AI systems, they may gain valuable intelligence about organizational activities without ever accessing the underlying conversations.

Potential consequences include:

  • Competitive intelligence gathering

  • Corporate espionage

  • Exposure of research and development efforts

  • Visibility into legal or financial activities

  • Increased operational security risks

For businesses and government agencies, repeated observations of AI usage patterns may reveal information about ongoing projects, investigations, product development efforts, or strategic initiatives.


Large-Scale Surveillance and Intelligence Gathering


One of the most concerning aspects of Whisper Leak is its potential to operate at scale. Organizations with access to large amounts of network metadata may be able to analyze traffic from many users simultaneously and identify broader behavioral patterns.

Potential observers may include:

  • Internet service providers

  • Network operators

  • Cloud infrastructure providers

  • Government monitoring systems

  • Threat actors with access to network infrastructure

For journalists, activists, researchers, whistleblowers, and other high-risk individuals, topic disclosure alone may create operational security concerns. Even without access to conversation contents, identifying what subjects are being researched or discussed can provide valuable intelligence.


Why the Impact Matters


Whisper Leak highlights an important limitation of encrypted communications. Encryption successfully protects the contents of AI conversations, but it does not automatically protect the metadata generated by those conversations.

The research demonstrates that traffic patterns alone may reveal meaningful information about user behavior and discussion topics. As AI adoption continues to grow across personal, business, and government environments, protecting communication metadata will become an increasingly important part of AI security and privacy.


Difficulty and Complexity


Understanding the difficulty of Whisper Leak helps separate realistic threats from exaggerated ones. While the attack does not require breaking encryption or compromising AI models directly, it does require a combination of network visibility, data collection, and machine learning expertise.


Whisper Leak is not something that an inexperienced attacker can perform casually. At the same time, it does not require rare hardware, expensive equipment, or advanced cryptographic breakthroughs. The attack sits somewhere in the middle, making it a credible concern for well-resourced attackers, researchers, and organizations with access to network telemetry.


The difficulty largely depends on one factor:

How much visibility the attacker has into encrypted AI traffic.

To better understand the challenge, it helps to examine the attack from three perspectives: technical complexity, practical complexity, and operational complexity.


1. Technical Complexity – Medium to High

From a technical perspective, Whisper Leak requires knowledge of:

• Network traffic analysis

• Encrypted communication protocols

• Traffic fingerprinting techniques

• Statistical analysis

• Machine learning classification

• AI response streaming behavior


The attacker must understand how AI services generate and transmit responses and how observable traffic characteristics can be transformed into meaningful features.

For example, an attacker may need to:

• Capture encrypted traffic

• Extract packet-level features

• Measure timing relationships

• Build training datasets

• Train classification models


This requires more expertise than basic network monitoring, but it remains within the capabilities of experienced security researchers, machine learning practitioners, and advanced threat actors.


The attack does not require breaking TLS encryption or compromising the AI model itself. Instead, it relies on understanding what information remains visible even after encryption is applied.

As a result, the technical complexity is best described as medium to high.


2. Practical Complexity – Moderate

Practical complexity depends largely on the attacker's ability to observe traffic.

Whisper Leak becomes possible when an attacker can access network metadata through locations such as:

• Public Wi-Fi networks

• Enterprise monitoring systems

• Internet service providers

• Network gateways and proxies

• Telecommunications infrastructure


If an attacker cannot observe the traffic, the attack cannot be performed.

However, once traffic visibility is obtained, collecting metadata becomes relatively straightforward because the communication remains observable even though its contents are encrypted.


Some examples that reduce practical difficulty include:

• Access to enterprise network telemetry

• ISP-level monitoring capabilities

• Long-term collection of user traffic

• Access to cloud networking infrastructure

The attack therefore becomes more practical in environments where network visibility already exists.


3. Operational Complexity – Moderate

Operational complexity refers to how difficult it is to transform collected traffic into useful intelligence.

Unlike traditional attacks that recover sensitive data directly, Whisper Leak focuses on statistical inference.


This means attackers must:

• Collect sufficient training data

• Label conversation categories

• Train classification models

• Validate prediction accuracy

• Continuously improve models over time


The attacker is not recovering exact prompts or responses. Instead, they are estimating the most likely topic being discussed.

While this process requires effort, it benefits from modern machine learning techniques that can identify subtle patterns across large datasets.

As more data becomes available, prediction accuracy often improves.

This makes operational complexity moderate rather than high.


Combined Difficulty Rating

When the three layers are combined, Whisper Leak can be characterized as having:

Medium overall difficulty.

In simple terms:

The difficult part: obtaining network visibility and building accurate classification models.

The easier part: applying those models to classify newly observed traffic.

The attack becomes increasingly effective when attackers have access to large amounts of traffic and sufficient training data.


Why This Complexity Level Matters

Whisper Leak is not a purely theoretical attack.

Researchers demonstrated that meaningful information can be inferred from encrypted AI traffic without breaking encryption or accessing the underlying conversations.

At the same time, the attack is not trivial. It requires planning, data collection, and technical expertise.

This balance between feasibility and complexity is what makes Whisper Leak significant. It is realistic enough to concern security professionals, privacy advocates, enterprises, and governments, yet sophisticated enough that successful exploitation requires more than casual observation.

As AI adoption grows and encrypted AI traffic becomes more common, the value of traffic-analysis techniques will likely increase, making attacks like Whisper Leak an important area of ongoing security research.


Detection and Monitoring

Detecting Whisper Leak directly is extremely difficult because the attack does not exploit a software vulnerability, compromise an AI model, or generate obvious indicators of compromise. Instead, it relies on collecting and analyzing metadata from encrypted network communications.

As a result, organizations should focus on detecting traffic collection, metadata aggregation, and unauthorized analysis activities that could enable traffic-analysis attacks.


Monitor for Unauthorized Traffic Collection

Whisper Leak depends on access to large amounts of network metadata. Security teams should monitor for unauthorized packet capture and traffic collection activities across their environment.

Potential indicators include:

  • Installation of packet capture tools such as tcpdump, Wireshark, or custom sniffers

  • Unexpected packet mirroring or SPAN port configurations

  • Unauthorized network taps

  • Excessive collection of NetFlow or IPFIX records

  • Long-term storage of packet captures

Organizations should regularly audit systems capable of collecting network traffic and restrict access to approved personnel.
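The following is an added example, not code from the original report, showing how the "unauthorized traffic collection" indicators above can be checked against process-execution logs. It scans constructed log lines for packet-capture tools (tcpdump, tshark, dumpcap, windump, snoop) and raises the severity when the capture is written to disk, uses tcpdump's rotation flags (-G, -C), or filters on TLS port 443, unless the host is on an approved-sensor list. The log format, host names, user names and the APPROVED_SENSORS set are assumptions made for this example.

```python
"""Added example, not code from the original report. It scans process-execution
log lines for packet-capture tools and flags long-term capture to disk on hosts
that are not approved sensors. The log format, host names and approved-sensor
list are constructed assumptions."""
import re
import shlex
from dataclasses import dataclass, field

CAPTURE_TOOLS = {"tcpdump", "tshark", "dumpcap", "windump", "snoop"}
APPROVED_SENSORS = {"ids-sensor-01", "ids-sensor-02"}  # assumption: hosts allowed to capture

# Constructed log format: ISO timestamp, then key=value fields, with cmd quoted.
LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+exe=(?P<exe>\S+)\s+cmd="(?P<cmd>[^"]*)"$'
)


@dataclass
class Finding:
    ts: str
    host: str
    user: str
    tool: str
    severity: str
    reasons: list = field(default_factory=list)


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it is malformed."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify_command(cmd):
    """Return (tool, reasons) if cmd runs a capture tool, else None."""
    argv = shlex.split(cmd)
    if not argv:
        return None
    tool = argv[0].rsplit("/", 1)[-1]       # strip any directory prefix
    if tool not in CAPTURE_TOOLS:
        return None
    reasons = []
    if "-w" in argv:
        reasons.append("writes packets to a file")
    if "-G" in argv or "-C" in argv:        # tcpdump rotation flags (time / size)
        reasons.append("rotating capture suggests long-term collection")
    if "443" in argv:
        reasons.append("filter targets TLS traffic")
    return tool, reasons


def detect(lines):
    """Run every line through the parser and classifier; return a list of Findings."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                        # malformed line, skip it
        hit = classify_command(rec["cmd"])
        if hit is None:
            continue                        # not a capture tool
        tool, reasons = hit
        if rec["host"] in APPROVED_SENSORS:
            severity = "info"               # expected on a sensor, but still recorded
        elif reasons:
            severity = "high"
        else:
            severity = "medium"
        findings.append(Finding(rec["ts"], rec["host"], rec["user"], tool, severity, reasons))
    return findings


# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = [
    '2025-11-12T08:55:10Z host=ids-sensor-01 user=sensor exe=/usr/sbin/tcpdump cmd="tcpdump -i eth1 -w /var/captures/sensor.pcap -G 3600"',
    '2025-11-12T09:14:03Z host=dev-laptop-17 user=jsmith exe=/usr/sbin/tcpdump cmd="tcpdump -i eth0 -w /tmp/ai.pcap -G 3600 port 443"',
    '2025-11-12T09:20:41Z host=dev-laptop-22 user=akhan exe=/usr/bin/tshark cmd="tshark -i wlan0"',
    '2025-11-12T09:21:05Z host=dev-laptop-22 user=akhan exe=/usr/bin/python3 cmd="python3 build.py"',
    "garbage line that does not parse",
]


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f.severity.upper(), f.ts, f.host, f.user, f.tool, "; ".join(f.reasons))
```

The rule keys on the tool name, so a renamed binary or a custom sniffer will not match it; pair it with audits of promiscuous-mode interfaces and SPAN or tap configuration, which this example does not cover.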


Audit Access to Network Telemetry

Network telemetry platforms often contain the metadata required for traffic-analysis attacks.

Examples include:

  • NetFlow records

  • Zeek logs

  • Firewall logs

  • Proxy logs

  • Traffic analytics platforms

Security teams should monitor for unusual access patterns, bulk exports, or unauthorized queries against these systems. Sudden increases in telemetry access may indicate attempts to build traffic-analysis datasets.


Monitor AI Traffic Profiling Activities

Attackers attempting to classify AI conversations often require large numbers of traffic samples collected over extended periods.

Warning signs may include:

  • Repeated analysis of connections to AI platforms

  • Correlation of multiple AI sessions from the same users

  • Bulk aggregation of traffic metadata

  • Long-term retention of AI-related communication records

  • Custom analytics targeting AI service traffic

While these activities do not confirm Whisper Leak, they may indicate preparation for traffic-fingerprinting operations.


Establish Baselines for AI Communications

Organizations should understand how AI-related traffic normally behaves within their environment.

Useful monitoring data includes:

  • Typical session duration

  • Average traffic volume

  • Frequency of AI service usage

  • Common destinations and endpoints

  • Metadata retention practices

Establishing a baseline makes it easier to identify new systems or users attempting to collect and analyze AI communication metadata.
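As an added example covering both "Audit Access to Network Telemetry" and "Establish Baselines for AI Communications" (this is not code from the original report), the block below builds a per-user baseline of daily telemetry query volume from a constructed audit log, then flags two conditions on a review day: a bulk export well above that user's own median, and repeated queries that filter on AI-service destinations. The query log, the AI_ENDPOINTS hostnames and the thresholds (BULK_MULTIPLIER, BULK_FLOOR, AI_QUERY_THRESHOLD) are assumptions for illustration.

```python
"""Added example, not code from the original report. It baselines telemetry
query volume per user and flags bulk exports or a sudden focus on AI-service
destinations. The log, the AI endpoint list and all thresholds are constructed."""
import statistics
from collections import defaultdict
from datetime import date

AI_ENDPOINTS = ("api.openai.com", "api.anthropic.com")  # assumption: this org's AI-service hosts
BULK_MULTIPLIER = 5       # assumption: more than 5x a user's median day counts as bulk
BULK_FLOOR = 10_000       # assumption: never flag below this many rows in a day
AI_QUERY_THRESHOLD = 3    # assumption: 3+ AI-filtered queries in one day is notable
REVIEW_DAY = date(2025, 11, 10)

# Constructed telemetry-platform audit log: (user, day, rows_returned, filter_expression)
QUERY_LOG = [
    ("analyst-a", date(2025, 11, 3), 800, "dst_port == 443"),
    ("analyst-a", date(2025, 11, 4), 1200, "src_ip == 10.0.5.12"),
    ("analyst-a", date(2025, 11, 5), 900, "dst_port == 443"),
    ("analyst-a", date(2025, 11, 6), 1000, "proto == dns"),
    ("analyst-a", date(2025, 11, 7), 1100, "dst_port == 443"),
    ("analyst-a", date(2025, 11, 10), 60000, "dst_host == api.openai.com"),
    ("analyst-a", date(2025, 11, 10), 150, "dst_host == api.anthropic.com and src_ip == 10.0.5.12"),
    ("analyst-a", date(2025, 11, 10), 90, "dst_host == api.openai.com and src_ip == 10.0.5.12"),
    ("analyst-b", date(2025, 11, 3), 20000, "dst_port == 443"),
    ("analyst-b", date(2025, 11, 4), 18000, "dst_port == 443"),
    ("analyst-b", date(2025, 11, 5), 22000, "proto == dns"),
    ("analyst-b", date(2025, 11, 6), 21000, "dst_port == 443"),
    ("analyst-b", date(2025, 11, 7), 19000, "dst_port == 443"),
    ("analyst-b", date(2025, 11, 10), 30000, "dst_port == 443"),
    ("analyst-b", date(2025, 11, 10), 500, "dst_host == api.openai.com"),
]


def ai_focused(filter_expr):
    """True if the query filter names an AI-service destination."""
    return any(host in filter_expr for host in AI_ENDPOINTS)


def daily_totals(log):
    """Aggregate rows returned and AI-focused query counts per (user, day)."""
    rows = defaultdict(int)
    ai_queries = defaultdict(int)
    for user, day, n_rows, filter_expr in log:
        rows[(user, day)] += n_rows
        if ai_focused(filter_expr):
            ai_queries[(user, day)] += 1
    return rows, ai_queries


def baseline(rows, user, before):
    """Median daily rows this user pulled on days strictly before `before`."""
    samples = [n for (u, d), n in rows.items() if u == user and d < before]
    return statistics.median(samples) if samples else 0


def audit(log, review_day):
    """Return (user, finding_type, observed, threshold) tuples for the review day."""
    rows, ai_queries = daily_totals(log)
    findings = []
    for user in sorted({entry[0] for entry in log}):
        today = rows.get((user, review_day), 0)
        threshold = max(BULK_MULTIPLIER * baseline(rows, user, review_day), BULK_FLOOR)
        if today > threshold:
            findings.append((user, "bulk-export", today, threshold))
        n_ai = ai_queries.get((user, review_day), 0)
        if n_ai >= AI_QUERY_THRESHOLD:
            findings.append((user, "ai-traffic-focus", n_ai, AI_QUERY_THRESHOLD))
    return findings


if __name__ == "__main__":
    for finding in audit(QUERY_LOG, REVIEW_DAY):
        print(finding)
```

In the constructed data analyst-b routinely exports tens of thousands of rows, so a 30,000-row day stays under that user's own threshold, while analyst-a's 60,240 rows and three AI-filtered queries on the same day are both flagged; a fixed global threshold would have produced noise for the first user and might have missed the second.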


Audit Network Infrastructure

Because Whisper Leak depends on visibility into network traffic, organizations should regularly review infrastructure that processes or stores communication metadata.

This includes:

  • Firewalls

  • Proxies

  • Load balancers

  • Network monitoring platforms

  • Traffic analytics systems

The goal is to identify where metadata is collected, who can access it, and how long it is retained. Reducing unnecessary metadata exposure significantly limits opportunities for traffic-analysis attacks.


Detection Limitations

It is important to recognize that Whisper Leak leaves few traditional forensic artifacts. There are no malicious payloads, exploit attempts, or suspicious model interactions to detect. The attack operates by observing legitimate network communications and extracting information from metadata patterns.

For this reason, prevention and metadata protection are generally more effective than attempting to detect the attack after traffic collection has already occurred.


Mitigation


Whisper Leak is challenging to mitigate because the attack exploits metadata rather than the contents of communication. Traditional encryption remains effective at protecting prompts and responses, but additional measures may be required to reduce information leakage through traffic patterns.


1. Traffic Padding

One of the most effective mitigations is traffic padding.

This involves adding extra data to communications so that packet sizes appear more uniform.

Benefits include:

• Reduced visibility into response size

• Less distinctive traffic fingerprints

• Increased difficulty for classification models

The tradeoff is higher bandwidth consumption.


2. Response Batching

Many AI systems stream responses token by token.

While this improves user experience, it also creates recognizable timing patterns.

Organizations can reduce this exposure by:

• Sending larger response chunks

• Delaying token delivery

• Batching generated content

This makes traffic analysis more difficult by reducing observable streaming behavior.


3. Timing Obfuscation

Attackers often rely on response timing to distinguish between conversation categories.

Introducing controlled timing variations can reduce the usefulness of these signals.

Examples include:

• Random transmission delays

• Variable response intervals

• Artificial timing noise

The goal is to make traffic patterns less predictable.
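The block below is an added example (not code from the original report or from the Whisper Leak researchers) that ties the "Feature Extraction and Analysis" section to mitigations 1 to 3. It models a streamed response as a sequence of TLS records, computes the fingerprint features the report lists (packet count, mean size, size variance, total bytes, duration), and then applies padding, batching and timing noise to the same response so the effect on each feature can be compared. The token sizes, inter-token gaps, bucket and batch sizes, jitter bound and the TLS_OVERHEAD constant are constructed assumptions, not measurements of any real service.

```python
"""Added example, not code from the original report. Models a streamed LLM
response as TLS records, extracts the observable fingerprint features, and
shows how padding, batching and timing noise change them. All sizes, gaps and
the overhead constant are constructed assumptions."""
import random
import statistics
from dataclasses import dataclass

TLS_OVERHEAD = 29  # assumption: fixed per-record overhead added to each plaintext chunk


@dataclass(frozen=True)
class Chunk:
    size: int      # bytes on the wire for this TLS record
    delay: float   # seconds since the previous record


def stream_unmitigated(token_sizes, gaps):
    """Baseline behaviour: one record per token, sent as soon as it is generated."""
    return [Chunk(size + TLS_OVERHEAD, gap) for size, gap in zip(token_sizes, gaps)]


def stream_mitigated(token_sizes, gaps, bucket=64, batch=8, jitter=0.05, seed=0):
    """Send `batch` tokens per record, pad each record up to a multiple of
    `bucket` bytes, and add a random delay of up to `jitter` seconds."""
    rng = random.Random(seed)
    chunks = []
    for i in range(0, len(token_sizes), batch):
        raw = sum(token_sizes[i:i + batch])
        padded = -(-raw // bucket) * bucket            # round up to the next bucket
        delay = sum(gaps[i:i + batch]) + rng.uniform(0, jitter)
        chunks.append(Chunk(padded + TLS_OVERHEAD, delay))
    return chunks


def fingerprint(chunks):
    """Features an on-path observer can compute without decrypting anything."""
    sizes = [c.size for c in chunks]
    delays = [c.delay for c in chunks]
    return {
        "packets": len(chunks),
        "total_bytes": sum(sizes),
        "mean_size": statistics.mean(sizes),
        "size_variance": statistics.pvariance(sizes),
        "duration": sum(delays),
    }


# Constructed sample responses: a longer "code" answer and a short factual answer.
CODE_TOKENS = [3, 7, 2, 12, 5, 1, 9, 4] * 5          # 40 tokens, 215 bytes of text
CODE_GAPS = [0.02] * len(CODE_TOKENS)
FACT_TOKENS = [4, 2, 6, 3, 5, 1, 7, 2, 3, 4, 2, 5]   # 12 tokens, 44 bytes of text
FACT_GAPS = [0.03] * len(FACT_TOKENS)


def compare(token_sizes, gaps):
    """Fingerprints of one response under no mitigation, padding only (one
    padded record per token, no jitter), and padding plus batching plus jitter."""
    return {
        "none": fingerprint(stream_unmitigated(token_sizes, gaps)),
        "padding_only": fingerprint(stream_mitigated(token_sizes, gaps, batch=1, jitter=0.0)),
        "pad_batch_jitter": fingerprint(stream_mitigated(token_sizes, gaps)),
    }


if __name__ == "__main__":
    for label, toks, gaps in (("code", CODE_TOKENS, CODE_GAPS), ("fact", FACT_TOKENS, FACT_GAPS)):
        for mode, fp in compare(toks, gaps).items():
            print(f"{label:5} {mode:17} {fp}")
```

Under this model padding alone drives the size variance to zero but leaves the packet count (40 versus 12) and the per-token timing untouched, and it costs roughly 2.7 times the bytes, which is the bandwidth tradeoff the report notes. Batching both amortizes the per-record overhead and collapses the count to 5 versus 2 records, and the jitter detaches the duration from generation speed; the two responses remain distinguishable by record count, so these measures reduce rather than remove the leak, which is why fixed-size transmission schemes appear among the longer-term defenses below.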


4. Limiting Metadata Exposure

Organizations should carefully evaluate where traffic metadata is collected and stored.

Recommended practices include:

• Restricting access to network telemetry

• Minimizing metadata retention

• Auditing monitoring systems

• Applying strict access controls

Reducing available metadata directly reduces the attack surface.


5. Using Privacy-Preserving Communication Architectures

Future AI systems may incorporate additional privacy protections such as:

• Fixed-size message transmission

• Metadata minimization techniques

• Privacy-preserving routing

• Confidential networking technologies

Although some of these approaches remain experimental, they represent promising long-term defenses.


6. Continuous Monitoring and Threat Modeling

Organizations using AI systems should include traffic-analysis attacks in their threat models.

Security teams should evaluate:

• Who can observe traffic

• What metadata is exposed

• How long telemetry is retained

• Whether AI communications are distinguishable from other traffic

Regular reviews help identify potential exposure points before attackers can exploit them.


Conclusion


Whisper Leak demonstrates that encryption alone does not guarantee complete privacy. While encrypted AI communications successfully protect prompts and responses from direct observation, metadata surrounding those communications can still reveal meaningful information.


Researchers showed that characteristics such as packet size, response timing, traffic volume, and streaming behavior may allow attackers to infer the topics of AI conversations without decrypting the underlying communication.

The attack does not recover prompts, responses, or conversation contents. Instead, it highlights how observable communication patterns can become a source of information leakage.


As AI systems become increasingly integrated into personal, business, and government workflows, protecting metadata will become just as important as protecting the content itself. Addressing this challenge will require a combination of improved communication designs, stronger privacy protections, and ongoing research into defenses against traffic-analysis attacks.

Whisper Leak serves as an important reminder that security is not only about protecting what is said, but also about protecting what can be inferred from how communication occurs.

