Window-based Membership Inference Attacks Against Fine-tuned Large Language Models
Yuetian Chen, Yuntao Du, Kaiyuan Zhang, Ashish Kundu, Charles Fleming, Bruno Ribeiro, Ninghui Li
TL;DR
This work tackles privacy risks in fine-tuned LLMs by showing that traditional membership inference attacks fail to detect sparse, localized memorization signals when relying on global loss statistics. It introduces Window-Based Comparison (WBC), a sliding-window, sign-based aggregation attack that compares per-token losses between a target fine-tuned model and a reference model across multiple window sizes and ensembles the results. Through empirical analyses and extensive experiments on eleven datasets and multiple model architectures, WBC significantly outperforms baselines in AUC and low-FPR regimes, revealing strong privacy vulnerabilities that scale with model size and persist under several defenses. The findings highlight the need for defense strategies that can disrupt localized memorization patterns, and the work provides a practical, reproducible framework for evaluating such defenses in real-world settings.
Abstract
Most membership inference attacks (MIAs) against Large Language Models (LLMs) rely on global signals, like average loss, to identify training data. This approach, however, dilutes the subtle, localized signals of memorization, reducing attack effectiveness. We challenge this global-averaging paradigm, positing that membership signals are more pronounced within localized contexts. We introduce WBC (Window-Based Comparison), which exploits this insight through a sliding window approach with sign-based aggregation. Our method slides windows of varying sizes across text sequences, with each window casting a binary vote on membership based on loss comparisons between target and reference models. By ensembling votes across geometrically spaced window sizes, we capture memorization patterns from token-level artifacts to phrase-level structures. Extensive experiments across eleven datasets demonstrate that WBC substantially outperforms established baselines, achieving higher AUC scores and 2-3 times improvements in detection rates at low false positive thresholds. Our findings reveal that aggregating localized evidence is fundamentally more effective than global averaging, exposing critical privacy vulnerabilities in fine-tuned LLMs.
