Con-ReCall: Detecting Pre-training Data in LLMs via Contrastive Decoding

TL;DR

The paper tackles the privacy and security risks arising from memorization in large language models by focusing on detecting pre-training data (membership inference). It introduces Con-ReCall, a contrastive decoding approach that prefixes target text with both member and non-member contexts and combines the resulting log-likelihoods via $s(x,\mathcal{M}) = \dfrac{LL(x|P_{non-member}) - \gamma \cdot LL(x|P_{member})}{LL(x)}$, leveraging asymmetric distributional shifts to improve detection while requiring only token probabilities (gray-box access). Empirical results on WikiMIA show state-of-the-art performance, with notable gains in AUC and especially TPR@5%FPR, and the method remains robust to common text manipulations; results on MIMIR corroborate its competitive performance across datasets and model scales. The work also investigates robustness and practical member data approximation, demonstrating the method's applicability even when direct member data access is limited, and discusses ethical considerations and limitations surrounding potential misuse and prefix-selection strategies.

Abstract

The training data in large language models is key to their success, but it also presents privacy and security risks, as it may contain sensitive information. Detecting pre-training data is crucial for mitigating these concerns. Existing methods typically analyze target text in isolation or solely with non-member contexts, overlooking potential insights from simultaneously considering both member and non-member contexts. While previous work suggested that member contexts provide little information due to the minor distributional shift they induce, our analysis reveals that these subtle shifts can be effectively leveraged when contrasted with non-member contexts. In this paper, we propose Con-ReCall, a novel approach that leverages the asymmetric distributional shifts induced by member and non-member contexts through contrastive decoding, amplifying subtle differences to enhance membership inference. Extensive empirical evaluations demonstrate that Con-ReCall achieves state-of-the-art performance on the WikiMIA benchmark and is robust against various text manipulation techniques.

Figures (7)

• Figure 1: AUC performance on WikiMIA-32 dataset. Our Con-ReCall significantly outperforms the current state-of-the-art baselines.
• Figure 2: Overview of three MIA methods. Our method refines the previous membership score by incorporating contrastive information when prefixing target text with members and non-members.
• Figure 3: Distribution shifts induced by three methods. (a) Loss directly uses log-likelihoods, resulting in no shift. (b) ReCall examines the shift caused by non-member prefixes. (c) Our Con-ReCall enhances the distinction by contrasting with both member and non-member prefixes.
• Figure 4: Visualization of membership score distributions. Min-max normalized distributions are shown for log-likelihood (left), ReCall (middle), and Con-ReCall (right). Con-ReCall achieves the largest separation between members and non-members.
• Figure 5: Signed Wasserstein distances between original and prefixed distributions across varying shot numbers. The plot illustrates how the distributional shift, measured by signed Wasserstein distance, changes for member and non-member data when prefixed with different contexts (M: member, NM: non-member).