ALPACA AGAINST VICUNA: Using LLMs to Uncover Memorization of LLMs (2025.naacl-long)
Copied to clipboard
Aly M. Kassem, Omar Mahmoud, Niloofar Mireshghallah, Hyunwoo Kim, Yulia Tsvetkov, Yejin Choi, Sherif Saad, Santu Rana
| Challenge: | Existing studies have shown that pre-trained LLMs emit training data up to 150 more often than in regular operation. |
| Approach: | They propose a black-box prompt optimization method where an attacker LLM agent uncovers higher levels of memorization in a victim agent . |
| Outcome: | The proposed method shows 23.7% more overlap with training data compared to state-of-the-art baselines. |
Similar Papers
Controlling the Extraction of Memorized Data from Large Language Models via Prompt-Tuning (2023.acl-short)
Copied to clipboard
Mustafa Ozdayi, Charith Peris, Jack FitzGerald, Christophe Dupuy, Jimit Majmudar, Haidar Khan, Rahil Parikh, Rahul Gupta
| Challenge: | Large Language Models memorize significant portions of training data, which poses privacy risk. |
| Approach: | They propose a prompt-tuning approach to control the extraction rates of memorized content in large language models. |
| Outcome: | The proposed techniques yield 9.3% increase in extraction rate compared to baseline model . the proposed defense achieves 97.7% reduction with a perplexity increase of 16.9% . |
Retracing the Past: LLMs Emit Training Data When They Get Lost (2025.emnlp-main)
Copied to clipboard
| Challenge: | Existing methods for extracting training data from large language models exhibit limited success . existing methods offer limited insight into the fundamental drivers of memorization leakage . |
| Approach: | They propose a framework for extracting memorized data by maximizing model uncertainty . they propose mismatched fine-tuning to weaken alignment and induce confusion . |
| Outcome: | The proposed attacks outperform baselines on unaligned and aligned LLMs . the proposed attacks exploit the model uncertainty of the input snippets induced by the model entropy spike . |
An Empirical Analysis of Memorization in Fine-tuned Autoregressive Language Models (2022.emnlp-main)
Copied to clipboard
| Challenge: | Large language models are shown to present privacy risks through memorization of training data, but little attention has been given to the fine-tuning phase. |
| Approach: | They empirically study memorization of fine-tuning methods using membership inference and extraction attacks and show that fine-timing the head of the model has the highest susceptibility to attacks. |
| Outcome: | The proposed methods have the highest memorization risk, whereas the smaller adapters are less vulnerable to known extraction attacks. |
Context-Aware Membership Inference Attacks against Pre-trained Large Language Models (2025.emnlp-main)
Copied to clipboard
| Challenge: | Prior Membership Inference Attacks on pre-trained Large Language Models fail at LLMs due to ignoring the generative nature of LLM data. |
| Approach: | They propose a method that adapts MIA statistical tests to the perplexity dynamics of subsequences within a data point. |
| Outcome: | The proposed method significantly outperforms prior approaches, revealing context-dependent memorization patterns in pre-trained LLMs. |
Unlocking Memorization in Large Language Models with Dynamic Soft Prompting (2024.emnlp-main)
Copied to clipboard
Zhepeng Wang, Runxue Bao, Yawen Wu, Jackson Taylor, Cao Xiao, Feng Zheng, Weiwen Jiang, Shangqian Gao, Yanfu Zhang
| Challenge: | Pretrained large language models excel in a variety of natural language processing tasks . however, they pose significant security risks due to their tendency to memorize training data . |
| Approach: | They propose a method to estimate LLM memorization using dynamic, prefix-dependent soft prompts. |
| Outcome: | The proposed method can achieve maximum relative improvement of 135.3% and 39.8% over baseline compared to state-of-the-art methods. |
LLM Sensitivity Challenges in Abusive Language Detection: Instruction-Tuned vs. Human Feedback (2025.coling-main)
Copied to clipboard
| Challenge: | Existing studies show that instruction-tuned LLMs under-predict positive classes . however, they are overly sensitive and can be applied for abuse detection without fine-tuning . |
| Approach: | They show that instruction-tuned LLMs tend to under-predict positive classes . they also show that label frequency in the prompt helps with the significant over-prediction . |
| Outcome: | The proposed models under-predict positive classes in social media, whereas they are overly sensitive. |
Exploring Memorization in Fine-tuned Language Models (2024.acl-long)
Copied to clipboard
Shenglai Zeng, Yaxin Li, Jie Ren, Yiding Liu, Han Xu, Pengfei He, Yue Xing, Shuaiqiang Wang, Jiliang Tang, Dawei Yin
| Challenge: | Existing studies have shown that pre-trained langauge models tend to memorize and regenerate segments of their pre-training corpus when prompted appropriately. |
| Approach: | They conduct the first comprehensive analysis to explore language models’ memorization during fine-tuning across tasks. |
| Outcome: | The proposed analysis shows that memorization presents a strong disparity among different fine-tuning tasks. |
Iterative Self-Tuning LLMs for Enhanced Jailbreaking Capabilities (2025.naacl-long)
Copied to clipboard
Chung-En Sun, Xiaodong Liu, Weiwei Yang, Tsui-Wei Weng, Hao Cheng, Aidan San, Michel Galley, Jianfeng Gao
| Challenge: | Recent research shows that Large Language Models (LLMs) are vulnerable to automated jailbreak attacks. |
| Approach: | They propose a framework that crafts adversarial LLMs with enhanced jailbreak ability. |
| Outcome: | ADV-LLM significantly reduces the computational cost of generating adversarial suffixes while achieving nearly 100% ASR on various open-source LLMs. |
Attention Tracker: Detecting Prompt Injection Attacks in LLMs (2025.findings-naacl)
Copied to clipboard
| Challenge: | Large Language Models (LLMs) are vulnerable to prompt injection attacks, where malicious inputs manipulate the model into ignoring original instructions and executing designated actions. |
| Approach: | They propose a training-free method that tracks attention patterns on instruction to detect prompt injection attacks without additional inference. |
| Outcome: | The proposed method shows an improvement of up to 10.0% over existing methods and performs well even on small LLMs. |
A Comprehensive Study of Jailbreak Attack versus Defense for Large Language Models (2024.findings-acl)
Copied to clipboard
| Challenge: | Large Language Models (LLMs) have demonstrated capabilities for generating content that could be deemed harmful. |
| Approach: | They conduct a comprehensive analysis of existing studies on jailbreaking LLMs and their defense techniques. |
| Outcome: | The proposed techniques underperform existing white-box attacks and include special tokens significantly affects the likelihood of successful attacks. |