Automatic Calibration for Membership Inference Attack on Large Language Models
Saleh Zare Zade, Yao Qiang, Xiangyu Zhou, Hui Zhu, Mohammad Amin Roshani, Prashant Khanduri, Dongxiao Zhu
TL;DR
Automatic Calibration Membership Inference Attack (ACMIA) introduces a tunable temperature to reshape token-output probabilities and calibrate scores for MIA on large language models, addressing high false positives and external-reference dependencies. By deriving a Temperature-Scaled Probability (TSP) and offering three variants (AC, DerivAC, NormAC), ACMIA achieves state-of-the-art AUROC and TPR@5%FPR across WikiMIA, MIMIR, and PatentMIA on multiple open-source LLMs without requiring external reference models. The method is supported by theoretical grounding in implicit score matching and practical ablations showing robustness to temperature, model size, and text length; AC/DerivAC work with limited access, while NormAC leverages full log-prob distributions. Overall, ACMIA provides a principled, practical red-teaming tool for privacy auditing in LLMs with broad applicability and minimal external dependencies.
Abstract
Membership Inference Attacks (MIAs) have recently been employed to determine whether a specific text was part of the pre-training data of Large Language Models (LLMs). However, existing methods often misinfer non-members as members, leading to a high false positive rate, or depend on additional reference models for probability calibration, which limits their practicality. To overcome these challenges, we introduce a novel framework called Automatic Calibration Membership Inference Attack (ACMIA), which utilizes a tunable temperature to calibrate output probabilities effectively. This approach is inspired by our theoretical insights into maximum likelihood estimation during the pre-training of LLMs. We introduce ACMIA in three configurations designed to accommodate different levels of model access and increase the probability gap between members and non-members, improving the reliability and robustness of membership inference. Extensive experiments on various open-source LLMs demonstrate that our proposed attack is highly effective, robust, and generalizable, surpassing state-of-the-art baselines across three widely used benchmarks. Our code is available at: \href{https://github.com/Salehzz/ACMIA}{\textcolor{blue}{Github}}.
