Why Are My Prompts Leaked? Unraveling Prompt Extraction Threats in Customized Large Language Models

Zi Liang, Haibo Hu, Qingqing Ye, Yaxin Xiao, Haoyang Li

TL;DR

This study investigates prompt leakage (prompt memorization) in customized LLM services, revealing that leakage scales with model size and prompt form and can occur despite safety alignments. It identifies two underlying mechanisms: prompt familiarity (low perplexity) and a parallel translation path in self-attention, evidenced by attention-based indicators and case studies. The authors define a formal benchmark for prompt extraction, evaluate explicit and implicit adversarial prompts, and demonstrate that current alignments (e.g., GPT-4) remain vulnerable. They propose inference-time defenses based on increasing prompt perplexity and blocking attention-based translations, achieving substantial reductions in the uncovered rate ($UR$) with limited impact on prompt efficacy. The work provides practical guidance and open-source code for assessing and mitigating prompt leakage in downstream LLM customization.

Abstract

The drastic increase of large language models' (LLMs) parameters has led to a new research direction of fine-tuning-free downstream customization by prompts, i.e., task descriptions. While these prompt-based services (e.g. OpenAI's GPTs) play an important role in many businesses, there have emerged growing concerns about prompt leakage, which undermines the intellectual property of these services and causes downstream attacks. In this paper, we analyze the underlying mechanism of prompt leakage, which we refer to as prompt memorization, and develop corresponding defending strategies. By exploring the scaling laws in prompt extraction, we analyze key attributes that influence prompt extraction, including model sizes, prompt lengths, as well as the types of prompts. Then we propose two hypotheses that explain how LLMs expose their prompts. The first is attributed to the perplexity, i.e. the familiarity of LLMs to texts, whereas the second is based on the straightforward token translation path in attention matrices. To defend against such threats, we investigate whether alignments can undermine the extraction of prompts. We find that current LLMs, even those with safety alignments like GPT-4, are highly vulnerable to prompt extraction attacks, even under the most straightforward user attacks. Therefore, we put forward several defense strategies with the inspiration of our findings, which achieve 83.8% and 71.0% drops in the prompt extraction rate for Llama2-7B and GPT-3.5, respectively. Source code is available at https://github.com/liangzid/PromptExtractionEval.

Paper Structure

This paper contains 28 sections, 19 equations, 15 figures, and 12 tables.

Figures (15)

  • Figure 1: An overview of prompt extraction in customized LLMs: Instead of fine-tuning, existing LLM platforms concatenate the developer-specified properties into a single prompt, which is then used as a prefix for inputs.
  • Figure 2: Prompt extraction performance across different model sizes.
  • Figure 3: The relationship between prompt length and prompt uncover rate.
  • Figure 4: Comparison of prompt extraction between two types of prompts: function callings and natural language.
  • Figure 5: The distribution of uncover rate across varying perplexities.
  • ...and 10 more figures

Theorems & Definitions (4)

  • Definition 1: Exact Prompt Extraction
  • Definition 2: $n$-gram Fragment Extraction
  • Definition 3: $\rho$-fuzzy Prompt Extraction
  • Definition 4: $\delta-(\theta,\mathcal{D}_{P},\mathcal{M}_{P})$ Soft Extraction