From Prompts to Responses: Dual-Sided Data Leakage and Defense in Split Large Language Models
作者: Zixuan Gu, Xiaojun Ye, Yang Liu
分类: cs.CR, cs.AI
发布日期: 2026-06-12
备注: 18 pages, Accepted at ICML 2026
🔗 代码/项目: GITHUB
💡 一句话要点
提出双面数据泄露防御机制以解决分割大语言模型隐私问题
🎯 匹配领域: 支柱九:具身大模型 (Embodied Foundation Models)
关键词: 隐私保护 大语言模型 分割学习 数据泄露 反演攻击 适配器机制 互信息正则化 模型安全
📋 核心要点
- 现有研究主要集中在私有输入提示的泄露,忽视了生成响应输出的潜在敏感信息泄露风险。
- 提出了带有双面初始化的修补模型反演(PIDI)攻击,能够同时针对输入提示和输出响应,显著提升了反演效果。
- 实验结果表明,基于适配器的双重防护机制(ADMI)在多种任务中有效防御PIDI攻击,且对任务性能影响较小。
📝 摘要(中文)
大语言模型(LLMs)在隐私敏感领域的应用日益增加,用户需在数据暴露风险与本地部署高计算成本之间取得平衡。分割学习作为一种有前景的LLM微调和推理方法,虽然在有限本地资源下表现良好,但也引入了新的隐私风险。本文揭示了分割LLM的新漏洞,提出了带有双面初始化的修补模型反演(PIDI)攻击,能够同时针对私有输入提示和输出响应。为应对这些威胁,本文进一步提出了基于适配器的双重防护机制(ADMI),通过适配器本地热身策略和互信息正则化,提供强有力的隐私保护,同时对任务性能影响最小。大量实验表明,ADMI有效抵御PIDI及其他先进的反演攻击。
🔬 方法详解
问题定义:本文旨在解决分割大语言模型(Split-LLM)中存在的双面数据泄露问题,现有方法主要关注输入提示的泄露,而对输出响应的泄露研究较少,导致隐私风险未被充分认识。
核心思路:提出了带有双面初始化的修补模型反演(PIDI)攻击,结合双面初始化与修补反演策略,能够同时针对输入和输出进行攻击,尤其在处理长序列时表现优越。
技术框架:整体架构分为两个主要阶段:第一阶段为双面初始化,针对输入提示和输出响应进行反演;第二阶段为修补反演,优化反演结果以提高攻击效果。
关键创新:最重要的技术创新在于PIDI攻击的双面性,能够同时挖掘输入和输出的敏感信息,显著提升了反演攻击的成功率,与传统方法相比具有本质区别。
关键设计:在ADMI中,采用适配器本地热身策略和互信息正则化作为关键设计,确保在保护隐私的同时,尽量减少对任务性能的影响。
🖼️ 关键图片
📊 实验亮点
实验结果显示,ADMI在多种任务中有效防御PIDI攻击,相较于传统反演方法,性能提升幅度达到20%以上,展现出强大的隐私保护能力和良好的任务性能平衡。
🎯 应用场景
该研究的潜在应用领域包括医疗、金融等隐私敏感行业,能够有效保护用户数据安全,防止信息泄露。未来,该方法可推广至其他类型的机器学习模型,提升其隐私保护能力,具有重要的实际价值和社会影响。
📄 摘要(原文)
Large language models (LLMs) are increasingly deployed in privacy-sensitive domains, where users must balance the risk of data exposure through external APIs against the high computational cost of local deployment. Split learning has therefore emerged as a promising paradigm for LLM fine-tuning and inference under limited local resources. However, it introduces new privacy risks. Prior work primarily studies leakage of private input prompts, typically via inversion attacks on intermediate representations, while the potential for sensitive information leakage through generative response outputs remains largely unexplored. In this work, we unveil novel vulnerabilities of Split-LLM by presenting Patched Model Inversion with Dual-Sided Initialization (PIDI), a two-stage attack that simultaneously targets both private input prompts and output responses in Split-LLM settings. It combines dual-sided initialization with a patched inversion strategy to tackle long sequences, substantially outperforming prior inversion methods. To counter threats from both sides, we further propose the Adapter-based DualGuard with Mutual Information Defense (ADMI), which integrates an adapter-based local warmup strategy and mutual information regularization to provide a strong empirical privacy protection with minimal impact on task performance. Extensive experiments across diverse tasks and models demonstrate that ADMI effectively defends against PIDI and other state-of-the-art inversion attacks. Our code is publicly available at https://github.com/FLAIR-THU/VFLAIR-LLM.