DOMBA: Double Model Balancing for Access-Controlled Language Models via Minimum-Bounded Aggregation

Tom Segal, Asaf Shabtai, Yuval Elovici

Abstract

The utility of large language models (LLMs) depends heavily on the quality and quantity of their training data. Many organizations possess large data corpora that could be leveraged to train or fine-tune LLMs tailored to their specific needs. However, these datasets often come with access restrictions that are based on user privileges and enforced by access control mechanisms. Training LLMs on such datasets could result in exposure of sensitive information to unauthorized users. A straightforward approach for preventing such exposure is to train a separate model for each access level. This, however, may result in low utility models due to the limited amount of training data per model compared to the amount in the entire organizational corpus. Another approach is to train a single LLM on all the data while limiting the exposure of unauthorized information. However, current exposure-limiting methods for LLMs are ineffective for access-controlled data, where sensitive information appears frequently across many training examples. We propose DOMBA - double model balancing - a simple approach for training and deploying LLMs that provides high utility and access-control functionality with security guarantees. DOMBA aggregates the probability distributions of two models, each trained on documents with (potentially many) different access levels, using a "min-bounded" average function (a function that is bounded by the smaller value, e.g., harmonic mean). A detailed mathematical analysis and extensive evaluation show that DOMBA safeguards restricted information while offering utility comparable to non-secure models.
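The aggregation step described in the abstract, as an added Python sketch (not code from the paper or its authors). The token names, the probabilities and the final renormalization step are assumptions made for illustration; the harmonic mean is the example the abstract names, and the arithmetic mean is included only for contrast.

```python
from typing import Callable, Dict

Dist = Dict[str, float]

def harmonic_mean(a: float, b: float) -> float:
    """Harmonic mean; 0 if either input is 0. Always <= 2 * min(a, b)."""
    return 0.0 if a <= 0.0 or b <= 0.0 else 2.0 * a * b / (a + b)

def arithmetic_mean(a: float, b: float) -> float:
    """Plain average, for contrast: it is not bounded by the smaller value."""
    return (a + b) / 2.0

def aggregate(p1: Dist, p2: Dist, f: Callable[[float, float], float]) -> Dist:
    """Combine two next-token distributions token by token, then renormalize.

    Renormalizing so the result sums to 1 is an assumption of this sketch.
    """
    if set(p1) != set(p2):
        raise ValueError("both submodels must share one vocabulary")
    raw = {tok: f(p1[tok], p2[tok]) for tok in p1}
    total = sum(raw.values())
    if total == 0.0:
        raise ValueError("no token has non-zero probability in both submodels")
    return {tok: value / total for tok, value in raw.items()}

# Constructed next-token distributions over a three-token vocabulary.
# "falcon" stands for a restricted term that appeared only in the partition
# M1 was trained on, so M2 assigns it almost no probability.
P_M1 = {"the": 0.30, "report": 0.20, "falcon": 0.50}
P_M2 = {"the": 0.60, "report": 0.399, "falcon": 0.001}

def demo() -> Dict[str, Dist]:
    """Aggregate the two constructed distributions with each averaging function."""
    return {
        "harmonic": aggregate(P_M1, P_M2, harmonic_mean),
        "arithmetic": aggregate(P_M1, P_M2, arithmetic_mean),
    }

if __name__ == "__main__":
    for name, dist in demo().items():
        print(name, {tok: round(p, 4) for tok, p in dist.items()})
```

With these inputs the arithmetic mean leaves the restricted token at about a quarter of the probability mass, while the harmonic mean keeps it close to the value assigned by the submodel that never saw it.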

Paper Structure (27 sections, 7 theorems, 3 figures, 1 table)

This paper contains 27 sections, 7 theorems, 3 figures, 1 table.

Key Result

Lemma 1

$tpr_c(M_1, M_2) = \frac{tp_c(M_1)}{tp_c(M_2)}$.

Figures (3)

  • Figure 1: Two main phases of our proposed method. (a) Training: Documents are grouped and divided into two partitions according to their access levels (each access level is depicted in a different color). Training includes two steps: DOMBA-INIT: A submodel is trained on each partition, resulting in $M_1$ and $M_2$. DOMBA-FT: To achieve a model dedicated to access level B (AL-B), $M_2$ is fine-tuned on AL-B documents, resulting in $M_2^B$ (note that AL-B documents are included in the training sets of both $M_1$ and $M_2^B$). (b) Inference: Given a context and access level, the corresponding submodels are selected, and their probability distributions are aggregated using a "min-bounded" aggregation function $f_{MB}$.
  • Figure 2: Exposure (log scale, lower is better) of different models with 1, 2, or 4 training epochs. The colored bars represent the 99th percentile exposure, while the dashed bars represent the maximal observed exposure.
  • Figure 3: Utility-security trade-off (for both metrics lower is better, with the security metric on a log scale). Each line represents a model trained for different numbers of epochs (1, 2, and 4). The point representing 1 epoch is always the leftmost and highest point on the line.

Theorems & Definitions (23)

  • Definition 1: Geometric mean
  • Definition 2: TPR
  • Definition 3: Token exposure
  • Definition 4: Typical and relative probability
  • Lemma 1
  • proof
  • Lemma 2: Token exposure multiplicity
  • proof
  • Definition 5: Proper-avg function
  • Definition 6: Min-bounded function
  • ...and 13 more