Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Sampling-based Pseudo-Likelihood for Membership Inference Attacks

Masahiro Kaneko, Youmi Ma, Yuki Wata, Naoaki Okazaki

TL;DR

The paper addresses leakage risk in LLMs by targeting membership inference attacks (MIA) in settings where model likelihoods are unavailable. It introduces SaMIA, a likelihood-free detector that samples multiple continuations from an LLM given a target prefix and uses ROUGE-$N$ recall against the target's reference to form a pseudo-likelihood; optionally, SaMIA*zlib multiplies the ROUGE score by a zlib-based information content measure to downweight repetitive text. Across four public LLMs and WikiMIA, SaMIA (and SaMIA*zlib) achieves competitive or state-of-the-art performance without access to likelihoods, especially as target text length increases. The results demonstrate practical feasibility of leakage detection on proprietary models and provide insights into the effects of $n$-gram order, sampling size, and prefix length on detection effectiveness.

Abstract

Large Language Models (LLMs) are trained on large-scale web data, which makes it difficult to grasp the contribution of each text. This poses the risk of leaking inappropriate data such as benchmarks, personal information, and copyrighted texts in the training data. Membership Inference Attacks (MIA), which determine whether a given text is included in the model's training data, have been attracting attention. Previous studies of MIAs revealed that likelihood-based classification is effective for detecting leaks in LLMs. However, the existing methods cannot be applied to some proprietary models like ChatGPT or Claude 3 because the likelihood is unavailable to the user. In this study, we propose a Sampling-based Pseudo-Likelihood (\textbf{SPL}) method for MIA (\textbf{SaMIA}) that calculates SPL using only the text generated by an LLM to detect leaks. The SaMIA treats the target text as the reference text and multiple outputs from the LLM as text samples, calculates the degree of $n$-gram match as SPL, and determines the membership of the text in the training data. Even without likelihoods, SaMIA performed on par with existing likelihood-based methods.

Sampling-based Pseudo-Likelihood for Membership Inference Attacks

TL;DR

The paper addresses leakage risk in LLMs by targeting membership inference attacks (MIA) in settings where model likelihoods are unavailable. It introduces SaMIA, a likelihood-free detector that samples multiple continuations from an LLM given a target prefix and uses ROUGE- recall against the target's reference to form a pseudo-likelihood; optionally, SaMIA*zlib multiplies the ROUGE score by a zlib-based information content measure to downweight repetitive text. Across four public LLMs and WikiMIA, SaMIA (and SaMIA*zlib) achieves competitive or state-of-the-art performance without access to likelihoods, especially as target text length increases. The results demonstrate practical feasibility of leakage detection on proprietary models and provide insights into the effects of -gram order, sampling size, and prefix length on detection effectiveness.

Abstract

Large Language Models (LLMs) are trained on large-scale web data, which makes it difficult to grasp the contribution of each text. This poses the risk of leaking inappropriate data such as benchmarks, personal information, and copyrighted texts in the training data. Membership Inference Attacks (MIA), which determine whether a given text is included in the model's training data, have been attracting attention. Previous studies of MIAs revealed that likelihood-based classification is effective for detecting leaks in LLMs. However, the existing methods cannot be applied to some proprietary models like ChatGPT or Claude 3 because the likelihood is unavailable to the user. In this study, we propose a Sampling-based Pseudo-Likelihood (\textbf{SPL}) method for MIA (\textbf{SaMIA}) that calculates SPL using only the text generated by an LLM to detect leaks. The SaMIA treats the target text as the reference text and multiple outputs from the LLM as text samples, calculates the degree of -gram match as SPL, and determines the membership of the text in the training data. Even without likelihoods, SaMIA performed on par with existing likelihood-based methods.
Paper Structure (30 sections, 11 equations, 5 figures, 5 tables)

This paper contains 30 sections, 11 equations, 5 figures, 5 tables.

Table of Contents

  1. Introduction
  2. SaMIA
  3. Definition of the MIA Task
  4. SPL
  5. Detection by SaMIA Based on SPL
  6. Improving SaMIA Using the Information Content
  7. Experiments
  8. Existing Methods
  9. LOSS DBLP:conf/csfw/YeomGFJ18
  10. Lowercase DBLP:conf/uss/CarliniTWJHLRBS21
  11. PPL/zlib DBLP:conf/uss/CarliniTWJHLRBS21
  12. Min-$k$% Prob shi2023detecting
  13. Settings
  14. Models
  15. Implementation Details
  16. ...and 15 more sections

Figures (5)

  • Figure 1: MIA using SPL based on the degree of $n$-gram between sampled candidate texts and a reference text.
  • Figure 2: AUC scores of SaMIA on WikiMIA when using ROUGE-1 and ROUGE-2.
  • Figure 3: AUC scores of SaMIA on WikiMIA with different sampling sizes. The target LLM for leakage detection is OPT-6.7B.
  • Figure 4: AUC scores of SaMIA on WikiMIA with different prefix ratios. The target LLM for leakage detection is OPT-6.7B.
  • Figure 5: ROUGE-1 scores of texts generated from OPT-6.7B, using the original texts in WikiMIA as references. Red bars show the distribution of leaked texts and blue bars show that of unleaked ones.