Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

PSY: Posterior Sampling Based Privacy Enhancer in Large Language Models

Yulian Sun, Li Duan, Yong Li

TL;DR

This research introduces PSY, a Posterior Sampling based PrivacY enhancer that can be used in LoRA and proposes a simple yet effective realization of PSY using posterior sampling, which effectively prevents privacy leakage from intermediate information and, in turn, preserves the privacy of data owners.

Abstract

Privacy vulnerabilities in LLMs, such as leakage from memorization, have been constantly identified, and various mitigation proposals have been proposed. LoRA is usually used in fine-tuning LLMs and a good entry point to insert privacy-enhancing modules. In this ongoing research, we introduce PSY, a Posterior Sampling based PrivacY enhancer that can be used in LoRA. We propose a simple yet effective realization of PSY using posterior sampling, which effectively prevents privacy leakage from intermediate information and, in turn, preserves the privacy of data owners. We evaluate LoRA extended with PSY against state-of-the-art membership inference and data extraction attacks. The experiments are executed on three different LLM architectures fine-tuned on three datasets with LoRA. In contrast to the commonly used differential privacy method, we find that our proposed modification consistently reduces the attack success rate. Meanwhile, our method has almost no negative impact on model fine-tuning or final performance. Most importantly, PSY reveals a promising path toward privacy enhancement with latent space extensions.

PSY: Posterior Sampling Based Privacy Enhancer in Large Language Models

TL;DR

This research introduces PSY, a Posterior Sampling based PrivacY enhancer that can be used in LoRA and proposes a simple yet effective realization of PSY using posterior sampling, which effectively prevents privacy leakage from intermediate information and, in turn, preserves the privacy of data owners.

Abstract

Privacy vulnerabilities in LLMs, such as leakage from memorization, have been constantly identified, and various mitigation proposals have been proposed. LoRA is usually used in fine-tuning LLMs and a good entry point to insert privacy-enhancing modules. In this ongoing research, we introduce PSY, a Posterior Sampling based PrivacY enhancer that can be used in LoRA. We propose a simple yet effective realization of PSY using posterior sampling, which effectively prevents privacy leakage from intermediate information and, in turn, preserves the privacy of data owners. We evaluate LoRA extended with PSY against state-of-the-art membership inference and data extraction attacks. The experiments are executed on three different LLM architectures fine-tuned on three datasets with LoRA. In contrast to the commonly used differential privacy method, we find that our proposed modification consistently reduces the attack success rate. Meanwhile, our method has almost no negative impact on model fine-tuning or final performance. Most importantly, PSY reveals a promising path toward privacy enhancement with latent space extensions.

Paper Structure

This paper contains 16 sections, 2 equations, 2 figures, 3 tables.

Table of Contents

  1. Introduction
  2. Mitigating Leakage from Memorization
  3. Hints from Defenses Against Related Attacks
  4. Construbution
  5. Other Related Work
  6. Membership Inference Attack (MIA).
  7. Data Extraction Attack (DEA).
  8. Defenses Using Structural and Internal Randomness.
  9. Methodology
  10. $\mathsf{PSY}$
  11. General Idea
  12. Experiments
  13. Setup and Baselines
  14. Results
  15. Conclusion and Future Work
  16. ...and 1 more sections

Figures (2)

  • Figure 1: LoRA usage example, the location and structure of LoRA in a LLM for specific task. LoRA freezes the pre-trained model weights $W^d$ and simulates the amount of parameter changes through low-rank decomposition with $BA$, which greatly reduces the number of trainable parameters for downstream tasks.
  • Figure 2: Structure of Posterior Sampling in between $A$ and $B$.