Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Combating Data Laundering in LLM Training

Muxing Li, Zesheng Ye, Sharon Li, Feng Liu

Abstract

Data rights owners can detect unauthorized data use in large language model (LLM) training by querying with proprietary samples. Often, superior performance (e.g., higher confidence or lower loss) on a sample relative to the untrained data implies it was part of the training corpus, as LLMs tend to perform better on data they have seen during training. However, this detection becomes fragile under data laundering, a practice of transforming the stylistic form of proprietary data, while preserving critical information to obfuscate data provenance. When an LLM is trained exclusively on such laundered variants, it no longer performs better on originals, erasing the signals that standard detections rely on. We counter this by inferring the unknown laundering transformation from black-box access to the target LLM and, via an auxiliary LLM, synthesizing queries that mimic the laundered data, even if rights owners have only the originals. As the search space of finding true laundering transformations is infinite, we abstract such a process into a high-level transformation goal (e.g., "lyrical rewriting") and concrete details (e.g., "with vivid imagery"), and introduce synthesis data reversion (SDR) that instantiates this abstraction. SDR first identifies the most probable goal for synthesis to narrow the search; it then iteratively refines details so that synthesized queries gradually elicit stronger detection signals from the target LLM. Evaluated on the MIMIR benchmark against diverse laundering practices and target LLM families (Pythia, Llama2, and Falcon), SDR consistently strengthens data misuse detection, providing a practical countermeasure to data laundering.

Combating Data Laundering in LLM Training

Abstract

Data rights owners can detect unauthorized data use in large language model (LLM) training by querying with proprietary samples. Often, superior performance (e.g., higher confidence or lower loss) on a sample relative to the untrained data implies it was part of the training corpus, as LLMs tend to perform better on data they have seen during training. However, this detection becomes fragile under data laundering, a practice of transforming the stylistic form of proprietary data, while preserving critical information to obfuscate data provenance. When an LLM is trained exclusively on such laundered variants, it no longer performs better on originals, erasing the signals that standard detections rely on. We counter this by inferring the unknown laundering transformation from black-box access to the target LLM and, via an auxiliary LLM, synthesizing queries that mimic the laundered data, even if rights owners have only the originals. As the search space of finding true laundering transformations is infinite, we abstract such a process into a high-level transformation goal (e.g., "lyrical rewriting") and concrete details (e.g., "with vivid imagery"), and introduce synthesis data reversion (SDR) that instantiates this abstraction. SDR first identifies the most probable goal for synthesis to narrow the search; it then iteratively refines details so that synthesized queries gradually elicit stronger detection signals from the target LLM. Evaluated on the MIMIR benchmark against diverse laundering practices and target LLM families (Pythia, Llama2, and Falcon), SDR consistently strengthens data misuse detection, providing a practical countermeasure to data laundering.

Paper Structure

This paper contains 33 sections, 1 equation, 3 figures, 25 tables, 2 algorithms.

Table of Contents

  1. Introduction
  2. Unauthorized Data Detection
  3. Reverse-engineering the Laundering Transformation
  4. Synthesis Data Reversion
  5. Experiments and Results
  6. Experiments Setting
  7. Experiments Result
  8. Improving Unauthorized Data Detection with SDR
  9. Transferability
  10. Ablation Study
  11. Conclusion
  12. Mathematical Notation
  13. Register Taxonomy
  14. Average Token-level Confidence
  15. The Objective and Threat Model
  16. ...and 18 more sections

Figures (3)

  • Figure 1: Illustration of how data laundering undermines existing unauthorized training data detections. When unauthorized data is directly used for training, LLMs tend to memorize the unauthorized training data. Training samples exhibit lower loss than non-training data, as shown in Part A. The log-likelihood distributions of training and non-training samples diverge clearly, enabling identification. However, when trained on laundered unauthorized data, as shown in Part B, the distributions of the unauthorized data and non-training samples no longer diverge, preventing reliable identification.
  • Figure 2: Pipeline of the SDR framework. In the goal identification stage (left part), SDR tries to find the register that is closely aligned with the laundering goal (See Algorithm. \ref{['alg:directive']}). The details inference stage (right part) tries to infer the remaining details in the laundering process (See Algorithm. \ref{['alg:condition']}).
  • Figure 3: Ablation study on the effectiveness of each stage in SDR. Results are reported as the average performance of unauthorized training data detections across different inside prompts. Removing the directive identification stage (w/o stage 1) or the detailed prompt condition inference stage (w/o stage 2) leads to noticeable degradation, while the full SDRconsistently achieves the best performance.