Table of Contents
Fetching ...

When Reasoning Leaks Membership: Membership Inference Attack on Black-box Large Reasoning Models

Ruihan Hu, Yu-Ming Shang, Wei Luo, Ye Tao, Xi Zhang

TL;DR

This work shows that intermediate reasoning traces exposed by black-box Large Reasoning Models leak membership information about training data. It introduces BlackSpectrum, a three-part framework that encodes traces, builds a recall–inference axis in latent space, and projects traces to predict membership, revealing a Recall–Inference Spectrum that correlates familiarity with membership risk. By evaluating on two new datasets (arXivReasoning and BookReasoning) and several commercial LRMs, the approach yields substantial gains over prior MIAs in accuracy, AUC, and low-FPR detection. The results underscore a critical privacy-vs-transparency tension in modern LRMs and motivate mitigation strategies such as trace compression or privacy-preserving reasoning disclosures, with implications for API design and policy.

Abstract

Large Reasoning Models (LRMs) have rapidly gained prominence for their strong performance in solving complex tasks. Many modern black-box LRMs expose the intermediate reasoning traces through APIs to improve transparency (e.g., Gemini-2.5 and Claude-sonnet). Despite their benefits, we find that these traces can leak membership signals, creating a new privacy threat even without access to token logits used in prior attacks. In this work, we initiate the first systematic exploration of Membership Inference Attacks (MIAs) on black-box LRMs. Our preliminary analysis shows that LRMs produce confident, recall-like reasoning traces on familiar training member samples but more hesitant, inference-like reasoning traces on non-members. The representations of these traces are continuously distributed in the semantic latent space, spanning from familiar to unfamiliar samples. Building on this observation, we propose BlackSpectrum, the first membership inference attack framework targeting the black-box LRMs. The key idea is to construct a recall-inference axis in the semantic latent space, based on representations derived from the exposed traces. By locating where a query sample falls along this axis, the attacker can obtain a membership score and predict how likely it is to be a member of the training data. Additionally, to address the limitations of outdated datasets unsuited to modern LRMs, we provide two new datasets to support future research, arXivReasoning and BookReasoning. Empirically, exposing reasoning traces significantly increases the vulnerability of LRMs to membership inference attacks, leading to large gains in attack performance. Our findings highlight the need for LRM companies to balance transparency in intermediate reasoning traces with privacy preservation.

When Reasoning Leaks Membership: Membership Inference Attack on Black-box Large Reasoning Models

TL;DR

This work shows that intermediate reasoning traces exposed by black-box Large Reasoning Models leak membership information about training data. It introduces BlackSpectrum, a three-part framework that encodes traces, builds a recall–inference axis in latent space, and projects traces to predict membership, revealing a Recall–Inference Spectrum that correlates familiarity with membership risk. By evaluating on two new datasets (arXivReasoning and BookReasoning) and several commercial LRMs, the approach yields substantial gains over prior MIAs in accuracy, AUC, and low-FPR detection. The results underscore a critical privacy-vs-transparency tension in modern LRMs and motivate mitigation strategies such as trace compression or privacy-preserving reasoning disclosures, with implications for API design and policy.

Abstract

Large Reasoning Models (LRMs) have rapidly gained prominence for their strong performance in solving complex tasks. Many modern black-box LRMs expose the intermediate reasoning traces through APIs to improve transparency (e.g., Gemini-2.5 and Claude-sonnet). Despite their benefits, we find that these traces can leak membership signals, creating a new privacy threat even without access to token logits used in prior attacks. In this work, we initiate the first systematic exploration of Membership Inference Attacks (MIAs) on black-box LRMs. Our preliminary analysis shows that LRMs produce confident, recall-like reasoning traces on familiar training member samples but more hesitant, inference-like reasoning traces on non-members. The representations of these traces are continuously distributed in the semantic latent space, spanning from familiar to unfamiliar samples. Building on this observation, we propose BlackSpectrum, the first membership inference attack framework targeting the black-box LRMs. The key idea is to construct a recall-inference axis in the semantic latent space, based on representations derived from the exposed traces. By locating where a query sample falls along this axis, the attacker can obtain a membership score and predict how likely it is to be a member of the training data. Additionally, to address the limitations of outdated datasets unsuited to modern LRMs, we provide two new datasets to support future research, arXivReasoning and BookReasoning. Empirically, exposing reasoning traces significantly increases the vulnerability of LRMs to membership inference attacks, leading to large gains in attack performance. Our findings highlight the need for LRM companies to balance transparency in intermediate reasoning traces with privacy preservation.
Paper Structure (33 sections, 12 equations, 13 figures, 7 tables, 1 algorithm)

This paper contains 33 sections, 12 equations, 13 figures, 7 tables, 1 algorithm.

Figures (13)

  • Figure 1: The real-world cases on Claude-sonnet-4 anthropic2025claude4, the intermediate reasoning traces disclosed by the LRM's API reveal membership cues. The member trace exhibits a certain recall-like reasoning mode, whereas the non-member trace exhibits an uncertain inferential reasoning mode.
  • Figure 2: PCA visualization of reasoning traces.
  • Figure 3: Overview of BlackSpectrum. It consists of three modules: (1) Reasoning trace encoder; (2) Recall-Inference axis builder; (3) Projection-based Membership Predictor.
  • Figure 4: The case of Claude-sonnet raw reasoning trace. The unpurified reasoning trace includes fragments (highlighted) from the specific input sequence.
  • Figure 5: Synthetic sequence construction workflow.
  • ...and 8 more figures