Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Quantifying Memorization and Privacy Risks in Genomic Language Models

Alexander Nemecek, Wenbiao Li, Xiaoqian Jiang, Jaideep Vaidya, Erman Ayday

TL;DR

The results establish that GLMs exhibit measurable memorization and that the degree of memorization varies across architectures and training regimes, and reveal that no single attack vector captures the full scope of memorization risk.

Abstract

Genomic language models (GLMs) have emerged as powerful tools for learning representations of DNA sequences, enabling advances in variant prediction, regulatory element identification, and cross-task transfer learning. However, as these models are increasingly trained or fine-tuned on sensitive genomic cohorts, they risk memorizing specific sequences from their training data, raising serious concerns around privacy, data leakage, and regulatory compliance. Despite growing awareness of memorization risks in general-purpose language models, little systematic evaluation exists for these risks in the genomic domain, where data exhibit unique properties such as a fixed nucleotide alphabet, strong biological structure, and individual identifiability. We present a comprehensive, multi-vector privacy evaluation framework designed to quantify memorization risks in GLMs. Our approach integrates three complementary risk assessment methodologies: perplexity-based detection, canary sequence extraction, and membership inference. These are combined into a unified evaluation pipeline that produces a worst-case memorization risk score. To enable controlled evaluation, we plant canary sequences at varying repetition rates into both synthetic and real genomic datasets, allowing precise quantification of how repetition and training dynamics influence memorization. We evaluate our framework across multiple GLM architectures, examining the relationship between sequence repetition, model capacity, and memorization risk. Our results establish that GLMs exhibit measurable memorization and that the degree of memorization varies across architectures and training regimes. These findings reveal that no single attack vector captures the full scope of memorization risk, underscoring the need for multi-vector privacy auditing as a standard practice for genomic AI systems.

Quantifying Memorization and Privacy Risks in Genomic Language Models

TL;DR

The results establish that GLMs exhibit measurable memorization and that the degree of memorization varies across architectures and training regimes, and reveal that no single attack vector captures the full scope of memorization risk.

Abstract

Genomic language models (GLMs) have emerged as powerful tools for learning representations of DNA sequences, enabling advances in variant prediction, regulatory element identification, and cross-task transfer learning. However, as these models are increasingly trained or fine-tuned on sensitive genomic cohorts, they risk memorizing specific sequences from their training data, raising serious concerns around privacy, data leakage, and regulatory compliance. Despite growing awareness of memorization risks in general-purpose language models, little systematic evaluation exists for these risks in the genomic domain, where data exhibit unique properties such as a fixed nucleotide alphabet, strong biological structure, and individual identifiability. We present a comprehensive, multi-vector privacy evaluation framework designed to quantify memorization risks in GLMs. Our approach integrates three complementary risk assessment methodologies: perplexity-based detection, canary sequence extraction, and membership inference. These are combined into a unified evaluation pipeline that produces a worst-case memorization risk score. To enable controlled evaluation, we plant canary sequences at varying repetition rates into both synthetic and real genomic datasets, allowing precise quantification of how repetition and training dynamics influence memorization. We evaluate our framework across multiple GLM architectures, examining the relationship between sequence repetition, model capacity, and memorization risk. Our results establish that GLMs exhibit measurable memorization and that the degree of memorization varies across architectures and training regimes. These findings reveal that no single attack vector captures the full scope of memorization risk, underscoring the need for multi-vector privacy auditing as a standard practice for genomic AI systems.
Paper Structure (30 sections, 3 equations, 3 figures, 9 tables)

This paper contains 30 sections, 3 equations, 3 figures, 9 tables.

Table of Contents

  1. Introduction
  2. Background and Related Work
  3. Memorization and Data Extraction in Language Models
  4. Membership Inference Attacks
  5. Privacy Risks and Defenses for Genomic Data
  6. Threat Model
  7. Data Sensitivity Assumption
  8. Adversarial Model
  9. Objectives
  10. Scope and Exclusions
  11. Methodology
  12. Model Configurations
  13. Datasets
  14. Risk Quantification Protocol
  15. Canary Design
  16. ...and 15 more sections

Figures (3)

  • Figure 1: Overview of the memorization risk quantification framework. Genomic training data is augmented with canary sequences at controlled repetition rates (left), used to fine-tune a genomic language model (center), and evaluated through three complementary vectors: perplexity-based detection, canary sequence extraction, and membership inference (right). The outputs are combined into a maximum vulnerability score (bottom).
  • Figure 2: Canary extraction success rate as a function of repetition tier across four datasets (average across seeds). Each line represents one model architecture. Evo (LoRA) achieves near-complete extraction on real genomic data regardless of repetition count, while DNABERT-2 remains resistant.
  • Figure 3: $S_{\text{config}}$ per seed for each model-dataset configuration. Each point represents one seed. Evo (LoRA) separates sharply on real genomic datasets while exhibiting high variance on synthetic data. The remaining models cluster tightly with low cross-seed variance.