
Rethinking LLM Memorization through the Lens of Adversarial Compression

Avi Schwarzschild, Zhili Feng, Pratyush Maini, Zachary C. Lipton, J. Zico Kolter

TL;DR

Addresses the memorization-versus-generalization question in LLMs and proposes the Adversarial Compression Ratio (ACR), which scores a training string as memorized when a minimal adversarial prompt shorter than the string itself elicits it, giving auditors a practical test for data-usage compliance. Argues that existing notions of memorization (discoverable, extractable, counterfactual) are inadequate for auditing and that an adversarial compression view is more robust, in particular for checking whether unlearning actually removed anything. Introduces MiniPrompt, a gradient-based prompt-optimization method that approximates the shortest prompt eliciting a training-data string, and validates it across several data categories and model scales, finding that larger models memorize more and that unlearning can be incomplete. Includes case studies on TOFU and Harry Potter unlearning and discusses limitations and regulatory implications, offering a quantitative tool for regulators, practitioners, and courts reasoning about data usage and copyright in LLMs.

Abstract

Large language models (LLMs) trained on web-scale datasets raise substantial concerns regarding permissible data usage. One major question is whether these models "memorize" all their training data or they integrate many data sources in some way more akin to how a human would learn and synthesize information. The answer hinges, to a large degree, on how we define memorization. In this work, we propose the Adversarial Compression Ratio (ACR) as a metric for assessing memorization in LLMs. A given string from the training data is considered memorized if it can be elicited by a prompt (much) shorter than the string itself -- in other words, if these strings can be "compressed" with the model by computing adversarial prompts of fewer tokens. The ACR overcomes the limitations of existing notions of memorization by (i) offering an adversarial view of measuring memorization, especially for monitoring unlearning and compliance; and (ii) allowing for the flexibility to measure memorization for arbitrary strings at a reasonably low compute. Our definition serves as a practical tool for determining when model owners may be violating terms around data usage, providing a potential legal tool and a critical lens through which to address such scenarios.
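The abstract defines the ACR as the ratio between a training string's length and the length of the shortest prompt that elicits it, with that prompt found adversarially rather than taken from the string's natural prefix. The Python block below is an added example, not code from the paper or its authors: it implements the ratio and the memorization test (ACR strictly above τ, with τ = 1 as in Figure 5) against a constructed toy n-gram model, and substitutes an exhaustive search over short prompts for MiniPrompt's gradient-based optimization, which is exact at toy scale but exponential in prompt length. The `RefusalGuard` wrapper is likewise a constructed stand-in for in-context unlearning (Figure 2): it blocks completion from the obvious prompt without touching the model, so the completion test reports "unlearned" while the compression test still finds a one-token prompt. The class and function names, the corpus, the quote and the search budget are all assumptions of this example.

```python
from itertools import product
from typing import Optional, Protocol, Sequence

Tokens = tuple[str, ...]


class Completer(Protocol):
    vocab: tuple[str, ...]

    def complete(self, prompt: Tokens, n: int) -> Tokens: ...


class TrieLM:
    """Toy deterministic LM (constructed for this example, not a real LLM).

    Greedy next token = most frequent continuation of the longest matching
    context suffix, backing off to shorter contexts down to unigram counts.
    """

    def __init__(self, corpus: Sequence[Tokens], order: int = 3) -> None:
        self.order = order
        self.counts: dict[Tokens, dict[str, int]] = {}
        for doc in corpus:
            for i, tok in enumerate(doc):
                for k in range(0, min(order, i) + 1):
                    table = self.counts.setdefault(doc[i - k:i], {})
                    table[tok] = table.get(tok, 0) + 1
        self.vocab = tuple(sorted({t for doc in corpus for t in doc}))

    def next_token(self, ctx: Tokens) -> str:
        for k in range(min(self.order, len(ctx)), -1, -1):
            table = self.counts.get(ctx[len(ctx) - k:])
            if table:
                # deterministic tie-break: highest count, then alphabetical
                return min(table, key=lambda t: (-table[t], t))
        raise ValueError("empty model")

    def complete(self, prompt: Tokens, n: int) -> Tokens:
        out = list(prompt)
        for _ in range(n):
            out.append(self.next_token(tuple(out)))
        return tuple(out[len(prompt):])


class RefusalGuard:
    """Constructed stand-in for in-context unlearning (cf. Figure 2): refuse
    when the prompt ends with the blocked phrase, leave the weights untouched."""

    def __init__(self, base: TrieLM, blocked: Tokens) -> None:
        self.base, self.blocked, self.vocab = base, blocked, base.vocab

    def complete(self, prompt: Tokens, n: int) -> Tokens:
        if prompt[-len(self.blocked):] == self.blocked:
            return ("<refusal>",) * n
        return self.base.complete(prompt, n)


def elicits(model: Completer, prompt: Tokens, target: Tokens) -> bool:
    """Completion test: does greedy decoding from `prompt` reproduce `target`?"""
    return model.complete(prompt, len(target)) == target


def min_prompt(model: Completer, target: Tokens, max_len: int) -> Optional[Tokens]:
    """Shortest prompt of at most max_len tokens that elicits `target`.

    Exhaustive search over the model's vocabulary: a stand-in for MiniPrompt's
    gradient-based optimization that is exact but only feasible at toy scale.
    """
    for length in range(1, max_len + 1):
        for cand in product(model.vocab, repeat=length):
            if elicits(model, cand, target):
                return cand
    return None


def acr(model: Completer, target: Tokens, max_len: int) -> float:
    """Adversarial Compression Ratio: |target| / |shortest eliciting prompt|.
    Returns 0.0 when nothing within the search budget elicits the target; the
    budget (and hence this floor) is the auditor's choice, an assumption here."""
    prompt = min_prompt(model, target, max_len)
    return len(target) / len(prompt) if prompt else 0.0


def is_memorized(model: Completer, target: Tokens, tau: float = 1.0, max_len: int = 2) -> bool:
    """tau-compressible memorization: ACR strictly above tau (tau = 1 means the
    adversarial prompt is shorter than the string it reproduces)."""
    return acr(model, target, max_len) > tau


# Constructed corpus: a quote seen twice (memorized) plus unrelated filler.
QUOTE: Tokens = ("to", "be", "or", "not", "to", "be")
CORPUS: list[Tokens] = [
    ("hamlet", "said") + QUOTE,
    ("hamlet", "said") + QUOTE,
    ("the", "cat", "sat", "on", "the", "mat"),
    ("to", "go", "or", "to", "stay"),
    ("the", "mat", "was", "red"),
]
MODEL = TrieLM(CORPUS)
GUARDED = RefusalGuard(MODEL, blocked=("hamlet", "said"))  # "unlearned" by refusal only
CLEAN = TrieLM(CORPUS[2:])                                  # never saw the quote


def audit(model: Completer, natural_prompt: Tokens, target: Tokens) -> dict:
    """Side by side: the completion test a naive audit runs, and the
    compression test behind the ACR definition."""
    prompt = min_prompt(model, target, max_len=2)
    return {
        "completes_from_natural_prompt": elicits(model, natural_prompt, target),
        "min_prompt": prompt,
        "acr": len(target) / len(prompt) if prompt else 0.0,
        "memorized": is_memorized(model, target),
    }


if __name__ == "__main__":
    for name, m in (("original", MODEL), ("refusal-guarded", GUARDED), ("clean", CLEAN)):
        print(name, audit(m, ("hamlet", "said"), QUOTE))
```

Running the script prints the audit for the original, refusal-guarded and never-trained models: the guarded model fails the completion test from its natural prompt but keeps an ACR of 6 from a single-token adversarial prompt, which is exactly the discrepancy the paper's definition is built to expose, while the clean model admits no eliciting prompt within budget. Against a real model the exhaustive search has to be replaced by a gradient-based optimizer over token embeddings, and greedy decoding by whatever generation settings the deployed model actually uses.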

Paper Structure (31 sections, 2 equations, 13 figures, 1 table, 3 algorithms)

Figures (13)

  • Figure 1: We propose a compression ratio where we compare the length of the shortest prompt that elicits a training sample in response from an LLM to the length of that sample. If a string in the training data can be compressed, i.e. the minimal prompt is shorter than the sample, then we call it memorized. Our test is an easy-to-describe tool that is useful in the effort to gauge the misuse of data.
  • Figure 2: In-Context Unlearning (ICUL) fools completion, not compression. For chat models, like the Llama-2-7B-chat model used here, we optimize tokens in addition to a fixed system prompt and instruction. In this setting, the top cell shows MiniPrompt compressing the quote in red to the two blue tokens in the prompt. The second cell shows that ICUL, in the absence of optimized prompts, succeeds at preventing completion. The third cell shows that even with ICUL system prompts MiniPrompt can still compress the quote, demonstrating the strength of our definition in regulatory settings.
  • Figure 3: Left: Completion vs compression on TOFU data, unlearning Phi-1.5 with gradient ascent. Right: Generation after 20 unlearning steps.
  • Figure 4: Negative log-likelihood (normalized to $[0,1]$) of true and false answers given a Harry Potter question. Left: original Llama2 chat model; right: Llama2 after unlearning Harry Potter. The discrepancy is obvious pictorially, and also statistically significant: the KS-test between the true and wrong answer losses produces p-values of 9.7e-24 and 5.9e-14, respectively.
  • Figure 5: Memorization in Pythia models. Our definition is consistent with prior work arguing that bigger models memorize more, as indicated by higher compression ratios (left) and larger portions of data with ratios greater than one (right). These figures are from the Famous Quotes dataset.
  • ...and 8 more figures

Theorems & Definitions (4)

  • Definition 1: Discoverable Memorization (Carlini et al., 2023)
  • Definition 2: Extractable Memorization (Nasr et al., 2023)
  • Definition 3: Counterfactual Memorization (Zhang et al., 2023)
  • Definition 4: $\tau$-Compressible Memorization (this paper)