Challenge: Existing studies have shown that pre-trained LLMs emit training data up to 150 more often than in regular operation.
Approach: They propose a black-box prompt optimization method where an attacker LLM agent uncovers higher levels of memorization in a victim agent .
Outcome: The proposed method shows 23.7% more overlap with training data compared to state-of-the-art baselines.

Similar Papers

Controlling the Extraction of Memorized Data from Large Language Models via Prompt-Tuning (2023.acl-short)

Copied to clipboard

Challenge: Large Language Models memorize significant portions of training data, which poses privacy risk.
Approach: They propose a prompt-tuning approach to control the extraction rates of memorized content in large language models.
Outcome: The proposed techniques yield 9.3% increase in extraction rate compared to baseline model . the proposed defense achieves 97.7% reduction with a perplexity increase of 16.9% .
Retracing the Past: LLMs Emit Training Data When They Get Lost (2025.emnlp-main)

Copied to clipboard

Challenge: Existing methods for extracting training data from large language models exhibit limited success . existing methods offer limited insight into the fundamental drivers of memorization leakage .
Approach: They propose a framework for extracting memorized data by maximizing model uncertainty . they propose mismatched fine-tuning to weaken alignment and induce confusion .
Outcome: The proposed attacks outperform baselines on unaligned and aligned LLMs . the proposed attacks exploit the model uncertainty of the input snippets induced by the model entropy spike .
An Empirical Analysis of Memorization in Fine-tuned Autoregressive Language Models (2022.emnlp-main)

Copied to clipboard

Challenge: Large language models are shown to present privacy risks through memorization of training data, but little attention has been given to the fine-tuning phase.
Approach: They empirically study memorization of fine-tuning methods using membership inference and extraction attacks and show that fine-timing the head of the model has the highest susceptibility to attacks.
Outcome: The proposed methods have the highest memorization risk, whereas the smaller adapters are less vulnerable to known extraction attacks.
Context-Aware Membership Inference Attacks against Pre-trained Large Language Models (2025.emnlp-main)

Copied to clipboard

Challenge: Prior Membership Inference Attacks on pre-trained Large Language Models fail at LLMs due to ignoring the generative nature of LLM data.
Approach: They propose a method that adapts MIA statistical tests to the perplexity dynamics of subsequences within a data point.
Outcome: The proposed method significantly outperforms prior approaches, revealing context-dependent memorization patterns in pre-trained LLMs.
Unlocking Memorization in Large Language Models with Dynamic Soft Prompting (2024.emnlp-main)

Copied to clipboard

Challenge: Pretrained large language models excel in a variety of natural language processing tasks . however, they pose significant security risks due to their tendency to memorize training data .
Approach: They propose a method to estimate LLM memorization using dynamic, prefix-dependent soft prompts.
Outcome: The proposed method can achieve maximum relative improvement of 135.3% and 39.8% over baseline compared to state-of-the-art methods.
LLM Sensitivity Challenges in Abusive Language Detection: Instruction-Tuned vs. Human Feedback (2025.coling-main)

Copied to clipboard

Challenge: Existing studies show that instruction-tuned LLMs under-predict positive classes . however, they are overly sensitive and can be applied for abuse detection without fine-tuning .
Approach: They show that instruction-tuned LLMs tend to under-predict positive classes . they also show that label frequency in the prompt helps with the significant over-prediction .
Outcome: The proposed models under-predict positive classes in social media, whereas they are overly sensitive.
Exploring Memorization in Fine-tuned Language Models (2024.acl-long)

Copied to clipboard

Challenge: Existing studies have shown that pre-trained langauge models tend to memorize and regenerate segments of their pre-training corpus when prompted appropriately.
Approach: They conduct the first comprehensive analysis to explore language models’ memorization during fine-tuning across tasks.
Outcome: The proposed analysis shows that memorization presents a strong disparity among different fine-tuning tasks.
Iterative Self-Tuning LLMs for Enhanced Jailbreaking Capabilities (2025.naacl-long)

Copied to clipboard

Challenge: Recent research shows that Large Language Models (LLMs) are vulnerable to automated jailbreak attacks.
Approach: They propose a framework that crafts adversarial LLMs with enhanced jailbreak ability.
Outcome: ADV-LLM significantly reduces the computational cost of generating adversarial suffixes while achieving nearly 100% ASR on various open-source LLMs.
Attention Tracker: Detecting Prompt Injection Attacks in LLMs (2025.findings-naacl)

Copied to clipboard

Challenge: Large Language Models (LLMs) are vulnerable to prompt injection attacks, where malicious inputs manipulate the model into ignoring original instructions and executing designated actions.
Approach: They propose a training-free method that tracks attention patterns on instruction to detect prompt injection attacks without additional inference.
Outcome: The proposed method shows an improvement of up to 10.0% over existing methods and performs well even on small LLMs.
A Comprehensive Study of Jailbreak Attack versus Defense for Large Language Models (2024.findings-acl)

Copied to clipboard

Challenge: Large Language Models (LLMs) have demonstrated capabilities for generating content that could be deemed harmful.
Approach: They conduct a comprehensive analysis of existing studies on jailbreaking LLMs and their defense techniques.
Outcome: The proposed techniques underperform existing white-box attacks and include special tokens significantly affects the likelihood of successful attacks.

What is GenGO?

GenGO is an NLP powered publication search system. It currenctly indexes 30k+ papers from ACL Anthology, and implements multi-aspect summarization, semantic search, and more!

Information

About
Limitations