Efficient and Private: Memorisation under differentially private parameter-efficient fine-tuning in language models

Olivia Ma, Jonathan Passerat-Palmbach, Dmitrii Usynin

TL;DR

This work investigates Parameter-Efficient Fine-Tuning (PEFT) methods under DP constraints and shows that PEFT methods achieve comparable performance to standard fine-tuning while requiring fewer parameters and significantly reducing privacy leakage.

Abstract

Fine-tuning large language models (LLMs) for specific tasks introduces privacy risks, as models may inadvertently memorise and leak sensitive training data. While Differential Privacy (DP) offers a solution to mitigate these risks, it introduces significant computational and performance trade-offs, particularly with standard fine-tuning approaches. Previous work has primarily focused on full-parameter updates, which are computationally intensive and may not fully leverage DP's potential in large models. In this work, we address these shortcomings by investigating Parameter-Efficient Fine-Tuning (PEFT) methods under DP constraints. We show that PEFT methods achieve comparable performance to standard fine-tuning while requiring fewer parameters and significantly reducing privacy leakage. Furthermore, we incorporate a data poisoning experiment involving intentional mislabelling to assess model memorisation and directly measure privacy risks. Our findings indicate that PEFT methods not only provide a promising alternative but also serve as a complementary approach for privacy-preserving, resource-efficient fine-tuning of LLMs.

Paper Structure

This paper contains 6 sections, 1 equation, 5 figures, 5 tables.

Figures (5)

  • Figure 1: An overview of our method. Firstly, the pre-trained models are initialised, followed by the application of either PEFT methods or standard fine-tuning techniques. Secondly, the models are fine-tuned with or without DP. The final phase includes multiple evaluations: the poisoning attack to quantify memorisation, the parameter variation experiment to assess PEFT scalability, and performance assessment, covering accuracy, memory usage, training time, and vulnerability to MIAs.
  • Figure 2: AUC heatmaps for IMDb and QNLI datasets. These show the AUC values (last epoch) for different models and PEFT methods under non-DP and DP settings ($\varepsilon = 1.0, 4.0, 8.0$). The left heatmap corresponds to the IMDb dataset, while the right heatmap corresponds to QNLI. Darker shades represent higher AUC values, indicating greater privacy leakage, and lighter shades represent lower AUC values, suggesting reduced memorisation.
  • Figure 3: Memorisation of IMDb and QNLI datasets. These heatmaps show AUC values (last epoch) for different models and PEFT methods under non-DP and DP settings on IMDb (left) and QNLI (right) datasets. Data poisoning experiments were used to assess memorisation risks, where higher AUC values indicate greater memorisation of mislabelled data. Darker shades represent higher memorisation.
  • Figure 4: Training accuracy on the flipped subsets for IMDb and QNLI. This figure plots the training accuracy over epochs on poisoned subsets of the IMDb (left) and QNLI (right) datasets, comparing DistilBERT, Adapter, LoRA, and (IA)$^3$, and highlighting the model’s tendency to memorise mislabelled data.
  • Figure 5: AUC results with increasing parameter count on IMDb and QNLI. The Adapter plot (left) shows AUC scores with varying bottleneck sizes, which control the intermediate feature size within Adapter layers inserted into FF layers. The LoRA plot (right) shows AUC scores across different rank $r$ values, which define the dimensionality of the low-rank matrices added to attention layers.