Securing the LLM Stack – Cisco Blogs

Securing the LLM Stack – Cisco Blogs

A number of months in the past, I wrote concerning the safety of AI fashions, fine-tuning strategies, and the usage of Retrieval-Augmented Generation (RAG) in a Cisco Security Blog put up. In this weblog put up, I’ll proceed the dialogue on the essential significance of studying easy methods to safe AI programs, with a particular give attention to present LLM implementations and the “LLM stack.”

I additionally lately printed two books. The first e-book is titled “The AI Revolution in Networking, Cybersecurity, and Emerging Technologies” the place my co-authors and I cowl the way in which AI is already revolutionizing networking, cybersecurity, and rising applied sciences. The second e-book, “Beyond the Algorithm: AI, Security, Privacy, and Ethics,” co-authored with Dr. Petar Radanliev of Oxford University, presents an in-depth exploration of essential topics together with crimson teaming AI fashions, monitoring AI deployments, AI provide chain safety, and the appliance of privacy-enhancing methodologies akin to federated studying and homomorphic encryption. Additionally, it discusses methods for figuring out and mitigating bias inside AI programs.

For now, let’s discover a few of the key elements in securing AI implementations and the LLM Stack.

What is the LLM Stack?

The “LLM stack” usually refers to a stack of applied sciences or parts centered round Large Language Models (LLMs). This “stack” can embrace a variety of applied sciences and methodologies geared toward leveraging the capabilities of LLMs (e.g., vector databases, embedding fashions, APIs, plugins, orchestration libraries like LangChain, guardrail instruments, and so forth.).

Many organizations are attempting to implement Retrieval-Augmented Generation (RAG) these days. This is as a result of RAG considerably enhances the accuracy of LLMs by combining the generative capabilities of those fashions with the retrieval of related data from a database or information base. I launched RAG on this article, however in brief, RAG works by first querying a database with a query or immediate to retrieve related data. This data is then fed into an LLM, which generates a response based mostly on each the enter immediate and the retrieved paperwork. The result’s a extra correct, knowledgeable, and contextually related output than what could possibly be achieved by the LLM alone.

Let’s go over the everyday “LLM stack” parts that make RAG and different purposes work. The following determine illustrates the LLM stack.

diagram showing the Large Language Models (LLM ) stack components that make Retrieval Augmented Retrieval Generation (RAG) and applications work

Vectorizing Data and Security

Vectorizing knowledge and creating embeddings are essential steps in getting ready your dataset for efficient use with RAG and underlying instruments. Vector embeddings, also called vectorization, contain reworking phrases and various kinds of knowledge into numerical values, the place every bit of knowledge is depicted as a vector inside a high-dimensional area.  OpenAI affords totally different embedding fashions that can be utilized by way of their API.  You also can use open supply embedding fashions from Hugging Face. The following is an instance of how the textual content “Example from Omar for this blog” was transformed into “numbers” (embeddings) utilizing the text-embedding-3-small mannequin from OpenAI.


  "object": "listing",
  "knowledge": [
      "object": "embedding",
      "index": 0,
      "embedding": [
<output omitted for brevity>
  "mannequin": "text-embedding-3-small",
  "utilization": {
    "prompt_tokens": 6,
    "total_tokens": 6

The first step (even earlier than you begin creating embeddings) is knowledge assortment and ingestion. Gather and ingest the uncooked knowledge from totally different sources (e.g., databases, PDFs, JSON, log information and different data from Splunk, and so forth.) right into a centralized knowledge storage system known as a vector database.

Note: Depending on the kind of knowledge you will have to scrub and normalize the information to take away noise, akin to irrelevant data and duplicates.

Ensuring the safety of the embedding creation course of entails a multi-faceted strategy that spans from the choice of embedding fashions to the dealing with and storage of the generated embeddings. Let’s begin discussing some safety concerns within the embedding creation course of.

Use well-known, business or open-source embedding fashions which have been completely vetted by the neighborhood. Opt for fashions which can be broadly used and have a powerful neighborhood help. Like any software program, embedding fashions and their dependencies can have vulnerabilities which can be found over time. Some embedding fashions could possibly be manipulated by risk actors. This is why provide chain safety is so necessary.

You must also validate and sanitize enter knowledge. The knowledge used to create embeddings could comprise delicate or private data that must be protected to adjust to knowledge safety rules (e.g., GDPR, CCPA). Apply knowledge anonymization or pseudonymization strategies the place doable. Ensure that knowledge processing is carried out in a safe atmosphere, utilizing encryption for knowledge at relaxation and in transit.

Unauthorized entry to embedding fashions and the information they course of can result in knowledge publicity and different safety points. Use sturdy authentication and entry management mechanisms to limit entry to embedding fashions and knowledge.

Indexing and Storage of Embeddings

Once the information is vectorized, the following step is to retailer these vectors in a searchable database or a vector database akin to ChromaDB, pgvector, MongoDB Atlas, FAISS (Facebook AI Similarity Search), or Pinecone. These programs enable for environment friendly retrieval of comparable vectors.

Did you understand that some vector databases don’t help encryption? Make positive that the answer you utilize helps encryption.

Orchestration Libraries and Frameworks like LangChain

In the diagram I used earlier, you’ll be able to see a reference to libraries like LangChain and LlamaIndex. LangChain is a framework for growing purposes powered by LLMs. It permits context-aware and reasoning purposes, offering libraries, templates, and a developer platform for constructing, testing, and deploying purposes. LangChain consists of a number of elements, together with libraries, templates, LangServe for deploying chains as a REST API, and LangSmith for debugging and monitoring chains. It additionally affords a LangChain Expression Language (LCEL) for composing chains and supplies customary interfaces and integrations for modules like mannequin I/O, retrieval, and AI brokers. I wrote an article about quite a few LangChain sources and associated instruments which can be additionally obtainable at certainly one of my GitHub repositories.

Many organizations use LangChain helps many use circumstances, akin to private assistants, query answering, chatbots, querying tabular knowledge, and extra. It additionally supplies instance code for constructing purposes with an emphasis on extra utilized and end-to-end examples.

Langchain can work together with exterior APIs to fetch or ship knowledge in real-time to and from different purposes. This functionality permits LLMs to entry up-to-date data, carry out actions like reserving appointments, or retrieve particular knowledge from net providers. The framework can dynamically assemble API requests based mostly on the context of a dialog or question, thereby extending the performance of LLMs past static information bases. When integrating with exterior APIs, it’s essential to make use of safe authentication strategies and encrypt knowledge in transit utilizing protocols like HTTPS. API keys and tokens ought to be saved securely and by no means hard-coded into the appliance code.

AI Front-end Applications

AI front-end purposes confer with the user-facing a part of AI programs the place interplay between the machine and people takes place. These purposes leverage AI applied sciences to offer clever, responsive, and personalised experiences to customers. The entrance finish for chatbots, digital assistants, personalised suggestion programs, and plenty of different AI-driven purposes will be simply created with libraries like Streamlit, Vercel, Streamship, and others.

The implementation of conventional net utility safety practices is important to guard in opposition to a variety of vulnerabilities, akin to damaged entry management, cryptographic failures, injection vulnerabilities like cross-site scripting (XSS), server-side request forgery (SSRF), and plenty of different vulnerabilities.

LLM Caching

LLM caching is a way used to enhance the effectivity and efficiency of LLM interactions. You can use implementations like SQLite Cache, Redis, and GPTCache. LangChain supplies examples of how these caching strategies could possibly be leveraged.

The fundamental concept behind LLM caching is to retailer beforehand computed outcomes of the mannequin’s outputs in order that if the identical or related inputs are encountered once more, the mannequin can shortly retrieve the saved output as a substitute of recomputing it from scratch. This can considerably cut back the computational overhead, making the mannequin extra responsive and cost-effective, particularly for ceaselessly repeated queries or widespread patterns of interplay.

Caching methods should be fastidiously designed to make sure they don’t compromise the mannequin’s potential to generate related and up to date responses, particularly in situations the place the enter context or the exterior world information modifications over time. Moreover, efficient cache invalidation methods are essential to forestall outdated or irrelevant data from being served, which will be difficult given the dynamic nature of information and language.

LLM Monitoring and Policy Enforcement Tools

Monitoring is among the most necessary parts of LLM stack safety. There are many open supply and business LLM monitoring instruments akin to MLFlow.  There are additionally a number of instruments that may assist shield in opposition to immediate injection assaults, akin to Rebuff. Many of those work in isolation. Cisco lately introduced

Motific enhances your potential to implement each predefined and tailor-made controls over Personally Identifiable Information (PII), toxicity, hallucination, matters, token limits, immediate injection, and knowledge poisoning. It supplies complete visibility into operational metrics, coverage flags, and audit trails, guaranteeing that you’ve a transparent oversight of your system’s efficiency and safety. Additionally, by analyzing person prompts, Motific allows you to grasp person intents extra precisely, optimizing the utilization of basis fashions for improved outcomes.

Cisco additionally supplies an LLM safety safety suite inside Panoptica.  Panoptica is Cisco’s cloud utility safety answer for code to cloud. It supplies seamless scalability throughout clusters and multi-cloud environments.

AI Bill of Materials and Supply Chain Security

The want for transparency, and traceability in AI improvement has by no means been extra essential. Supply chain safety is top-of-mind for a lot of people within the business. This is why AI Bill of Materials (AI BOMs) are so necessary. But what precisely are AI BOMs, and why are they so necessary? How do Software Bills of Materials (SBOMs) differ from AI Bills of Materials (AI BOMs)? SBOMs serve a vital function within the software program improvement business by offering an in depth stock of all parts inside a software program utility. This documentation is important for understanding the software program’s composition, together with its libraries, packages, and any third-party code. On the opposite hand, AI BOMs cater particularly to synthetic intelligence implementations. They supply complete documentation of an AI system’s many parts, together with mannequin specs, mannequin structure, supposed purposes, coaching datasets, and extra pertinent data. This distinction highlights the specialised nature of AI BOMs in addressing the distinctive complexities and necessities of AI programs, in comparison with the broader scope of SBOMs in software program documentation.

I printed a paper with Oxford University, titled “Toward Trustworthy AI: An Analysis of Artificial Intelligence (AI) Bill of Materials (AI BOMs)”, that explains the idea of AI BOMs. Dr. Allan Friedman (CISA), Daniel Bardenstein, and I introduced in a webinar describing the function of AI BOMs. Since then, the Linux Foundation SPDX and OWASP CycloneDX have began engaged on AI BOMs (in any other case generally known as AI profile SBOMs).

Securing the LLM stack is important not just for defending knowledge and preserving person belief but in addition for guaranteeing the operational integrity, reliability, and moral use of those highly effective AI fashions. As LLMs turn out to be more and more built-in into varied facets of society and business, their safety turns into paramount to forestall potential unfavourable impacts on people, organizations, and society at giant.

Sign up for Cisco U. | Join the Cisco Learning Network.

Follow Cisco Learning & Certifications

Twitter | Facebook | LinkedIn | Instagram | YouTube

Use #CiscoU and #CiscoCert to hitch the dialog.



Please enter your comment!
Please enter your name here