Table of Contents
Fetching ...

Powerful Training-Free Membership Inference Against Autoregressive Language Models

David Ilić, David Stanojević, Kostadin Cvejoski

TL;DR

EZ-MIA addresses privacy auditing for fine-tuned language models by exploiting memorization signals concentrated at error positions. It introduces the Error Zone score $EZ(\boldsymbol{x}) = P/N$, computed with two forward passes against a pretrained reference and no shadow-model training, enabling efficient and scalable membership inference. Empirically, EZ-MIA substantially outperforms prior attacks across GPT-2, GPT-J, and Llama-2 configurations on text and code domains, with large gains at low false-positive rates and a strong dependence on fine-tuning method (full fine-tuning vs LoRA). The work highlights that privacy risks are greater than previously understood, emphasizes the importance of methodology-aware auditing, and provides a practical baseline for evaluating defenses and deployment choices.

Abstract

Fine-tuned language models pose significant privacy risks, as they may memorize and expose sensitive information from their training data. Membership inference attacks (MIAs) provide a principled framework for auditing these risks, yet existing methods achieve limited detection rates, particularly at the low false-positive thresholds required for practical privacy auditing. We present EZ-MIA, a membership inference attack that exploits a key observation: memorization manifests most strongly at error positions, specifically tokens where the model predicts incorrectly yet still shows elevated probability for training examples. We introduce the Error Zone (EZ) score, which measures the directional imbalance of probability shifts at error positions relative to a pretrained reference model. This principled statistic requires only two forward passes per query and no model training of any kind. On WikiText with GPT-2, EZ-MIA achieves 3.8x higher detection than the previous state-of-the-art under identical conditions (66.3% versus 17.5% true positive rate at 1% false positive rate), with near-perfect discrimination (AUC 0.98). At the stringent 0.1% FPR threshold critical for real-world auditing, we achieve 8x higher detection than prior work (14.0% versus 1.8%), requiring no reference model training. These gains extend to larger architectures: on AG News with Llama-2-7B, we achieve 3x higher detection (46.7% versus 15.8% TPR at 1% FPR). These results establish that privacy risks of fine-tuned language models are substantially greater than previously understood, with implications for both privacy auditing and deployment decisions. Code is available at https://github.com/JetBrains-Research/ez-mia.

Powerful Training-Free Membership Inference Against Autoregressive Language Models

TL;DR

EZ-MIA addresses privacy auditing for fine-tuned language models by exploiting memorization signals concentrated at error positions. It introduces the Error Zone score , computed with two forward passes against a pretrained reference and no shadow-model training, enabling efficient and scalable membership inference. Empirically, EZ-MIA substantially outperforms prior attacks across GPT-2, GPT-J, and Llama-2 configurations on text and code domains, with large gains at low false-positive rates and a strong dependence on fine-tuning method (full fine-tuning vs LoRA). The work highlights that privacy risks are greater than previously understood, emphasizes the importance of methodology-aware auditing, and provides a practical baseline for evaluating defenses and deployment choices.

Abstract

Fine-tuned language models pose significant privacy risks, as they may memorize and expose sensitive information from their training data. Membership inference attacks (MIAs) provide a principled framework for auditing these risks, yet existing methods achieve limited detection rates, particularly at the low false-positive thresholds required for practical privacy auditing. We present EZ-MIA, a membership inference attack that exploits a key observation: memorization manifests most strongly at error positions, specifically tokens where the model predicts incorrectly yet still shows elevated probability for training examples. We introduce the Error Zone (EZ) score, which measures the directional imbalance of probability shifts at error positions relative to a pretrained reference model. This principled statistic requires only two forward passes per query and no model training of any kind. On WikiText with GPT-2, EZ-MIA achieves 3.8x higher detection than the previous state-of-the-art under identical conditions (66.3% versus 17.5% true positive rate at 1% false positive rate), with near-perfect discrimination (AUC 0.98). At the stringent 0.1% FPR threshold critical for real-world auditing, we achieve 8x higher detection than prior work (14.0% versus 1.8%), requiring no reference model training. These gains extend to larger architectures: on AG News with Llama-2-7B, we achieve 3x higher detection (46.7% versus 15.8% TPR at 1% FPR). These results establish that privacy risks of fine-tuned language models are substantially greater than previously understood, with implications for both privacy auditing and deployment decisions. Code is available at https://github.com/JetBrains-Research/ez-mia.
Paper Structure (62 sections, 7 equations, 2 figures, 5 tables)

This paper contains 62 sections, 7 equations, 2 figures, 5 tables.

Figures (2)

  • Figure 1: TPR@0.1%FPR comparison across datasets and models. All methods evaluated under identical experimental conditions. GPT-2 uses full fine-tuning; GPT-J and Llama-2 use LoRA. EZ-MIA achieves up to 9$\times$ higher detection rates than prior work at this stringent threshold critical for privacy auditing.
  • Figure 2: EZ-MIA performance over training epochs on XSum/GPT-2-XL. Privacy leakage emerges early (epoch 1: AUC = 0.895) and increases with continued training. Error bars show 95% bootstrap confidence intervals (1,000 resamples of evaluation sequences).