MoPe: Model Perturbation based Privacy Attacks on Language Models (2023.emnlp-main)
Copied to clipboard
| Challenge: | Recent work shows that Large Language Models can unintentionally leak sensitive information . a new method to identify with high confidence if a given text is in training data is proposed . |
| Approach: | They propose a method to detect if a given text is in a pre-trained language model . they show that MoPe is more effective than existing loss-based attacks . |
| Outcome: | The proposed method is more effective than loss-based attacks and perturbation-based methods. |
Similar Papers
Quantifying Privacy Risks of Masked Language Models Using Membership Inference Attacks (2022.emnlp-main)
Copied to clipboard
| Challenge: | Prior attempts at measuring leakage of MLMs via membership inference attacks have been inconclusive, implying potential robustness of Mlms to privacy attacks. |
| Approach: | They propose a stronger membership inference attack based on likelihood ratio hypothesis testing that involves an additional MLM to more accurately quantify the privacy risks of memorization in MLMs. |
| Outcome: | The proposed attack improves the AUC of prior membership inference attacks from 0.66 to an alarmingly high 0.90 level on models trained on medical notes. |
Investigating How Pre-training Data Leakage Affects Models’ Reproduction and Detection Capabilities (2025.emnlp-main)
Copied to clipboard
| Challenge: | Existing studies do not examine how leaked instances in training datasets influence LLMs’ output and detection capabilities. |
| Approach: | They conduct an experimental survey to examine the relationship between data leakage in training datasets and its effects on the generation and detection by Large Language Models (LLMs). |
| Outcome: | The results show that enhancing leakage detection through few-shot learning can help mitigate the impact of the leakage rate in the training data on detection performance. |
User Inference Attacks on Large Language Models (2024.emnlp-main)
Copied to clipboard
| Challenge: | a large amount of data written by humans is used to train and fine-tune large language models. |
| Approach: | They propose to infer if a user's data was used to train an LLM by using example-level differential privacy. |
| Outcome: | The proposed attacks are easy to employ and only require black-box access to an LLM and a few samples from the user. |
Knowledge Unlearning for Mitigating Privacy Risks in Language Models (2023.acl-long)
Copied to clipboard
| Challenge: | Recent work shows that an adversary can extract training data from Pretrained Language Models including Personally Identifiable Information (PII) such as names, phone numbers, and email addresses. |
| Approach: | They propose to use knowledge unlearning to reduce privacy risks for LMs by performing gradient ascent on target token sequences instead of trying to unlearn all the data at once. |
| Outcome: | The proposed method can give a stronger empirical privacy guarantee in scenarios where the data vulnerable to extraction attacks are known a priori while being much more efficient and robust. |
DPDLLM: A Black-box Framework for Detecting Pre-training Data from Large Language Models (2024.findings-acl)
Copied to clipboard
Baohang Zhou, Zezhong Wang, Lingzhi Wang, Hongru Wang, Ying Zhang, Kehui Song, Xuhui Sui, Kam-Fai Wong
| Challenge: | Existing methods to detect pretraining data from large language models are unrealistic to them. |
| Approach: | They propose to detect pre-training data from LLM in a black-box way by using GPT-2 as reference model and feed it with sequence probabilities to detect whether it was used to train it. |
| Outcome: | The proposed framework outperforms existing methods on the benchmark datasets and shows that it is effective on different popular LLMs. |
Powerful Training-Free Membership Inference Against Fine-Tuned Autoregressive Language Models (2026.acl-long)
Copied to clipboard
| Challenge: | Existing methods for auditing fine-tuned language models have limited detection rates . membership inference attacks aim to determine if a specific record was in a model's training set . |
| Approach: | They propose a membership inference attack that exploits memorization at error positions . EZ-MIA achieves 3.8 higher detection than previous state-of-the-art . |
| Outcome: | The proposed attack achieves 3.8 higher detection than previous state-of-the-art models . EZ-MIA achieves 8 higher detectability than prior work, requiring no model training . |
Adaptive Backtracking for Privacy Protection in Large Language Models (2026.findings-acl)
Copied to clipboard
| Challenge: | Existing privacy protection methods are prone to privacy leakage, but they are not effective in ensuring the privacy of users. |
| Approach: | They propose to capture latent leakage tendency of large language models during generation process and to construct a new benchmark for personal information. |
| Outcome: | The proposed method improves privacy by up to 14% over strong baselines against adversarial attacks, avoiding the degradation of response utility. |
Context-Aware Membership Inference Attacks against Pre-trained Large Language Models (2025.emnlp-main)
Copied to clipboard
| Challenge: | Prior Membership Inference Attacks on pre-trained Large Language Models fail at LLMs due to ignoring the generative nature of LLM data. |
| Approach: | They propose a method that adapts MIA statistical tests to the perplexity dynamics of subsequences within a data point. |
| Outcome: | The proposed method significantly outperforms prior approaches, revealing context-dependent memorization patterns in pre-trained LLMs. |
Unintended Memorization of Sensitive Information in Fine-Tuned Language Models (2026.eacl-long)
Copied to clipboard
Marton Szep, Jorge Marin Ruiz, Georgios Kaissis, Paulina Seidl, Rüdiger von Eisenhart-Rothe, Florian Hinterwimmer, Daniel Rueckert
| Challenge: | Large Language Models (LLMs) on sensitive datasets carry a substantial risk of unintended memorization and leakage of Personally Identifiable Information (PII) prior studies have analyzed memorizing dynamics in LLMs during pre-training and fine-tuning. |
| Approach: | They investigate the vulnerability of PII that appears only in model inputs, not in training targets. |
| Outcome: | The proposed methods show that post-training methods provide more consistent privacy-utility trade-offs . |
Selective Differential Privacy for Language Modeling (2022.naacl-main)
Copied to clipboard
| Challenge: | Existing methods to protect sensitive data from leaking are over-pessimistic and undifferentiated. |
| Approach: | They propose a new privacy notion, selective differential privacy, to provide rigorous privacy guarantees on the sensitive portion of the data to improve model utility. |
| Outcome: | The proposed privacy-preserving mechanism achieves better utility while remaining safe under various privacy attacks compared to baselines. |