Exploring Cross-Client Memorization of Training Data in Large Language Models for Federated Learning
Tinnakit Udsa, Can Udomcharoenchaikit, Patomporn Payoungkhamdee, Sarana Nutanong, Norrathep Rattanavipanon
TL;DR
The paper addresses privacy risks from memorization in Federated Learning by adapting cross-sample memorization methods from Centralized Learning to a cross-client setting. It introduces a cross-client memorization framework that measures intra- and inter-client leakage via sampled prefixes and suffixes, using a PAN2014-based discriminator to detect memorization. Experiments across summarization, dialog, QA, and classification with Qwen2.5-3B and Llama-3.2 show memorization persists in FL, with intra-client leakage usually stronger than inter-client leakage, and that decoding method, prefix length, and FL algorithm modulate the extent of leakage; there is no consistent advantage of FL over CL in reducing memorization, emphasizing privacy considerations in decentralized training and suggesting avenues for theoretical analysis and broader empirical validation across models, tasks, and data distributions.
Abstract
Federated learning (FL) enables collaborative training without raw data sharing, but still risks training data memorization. Existing FL memorization detection techniques focus on one sample at a time, underestimating more subtle risks of cross-sample memorization. In contrast, recent work on centralized learning (CL) has introduced fine-grained methods to assess memorization across all samples in training data, but these assume centralized access to data and cannot be applied directly to FL. We bridge this gap by proposing a framework that quantifies both intra- and inter-client memorization in FL using fine-grained cross-sample memorization measurement across all clients. Based on this framework, we conduct two studies: (1) measuring subtle memorization across clients and (2) examining key factors that influence memorization, including decoding strategies, prefix length, and FL algorithms. Our findings reveal that FL models do memorize client data, particularly intra-client data, more than inter-client data, with memorization influenced by training and inferencing factors.