Practical Membership Inference Attacks against Fine-tuned Large Language Models via Self-prompt Calibration

📄 arXiv: 2311.06062v4 📥 PDF

作者: Wenjie Fu, Huandong Wang, Chen Gao, Guanghua Liu, Yong Li, Tao Jiang

分类: cs.CL, cs.CR, cs.LG

发布日期: 2023-11-10 (更新: 2024-11-26)

备注: Repo: https://github.com/tsinghua-fib-lab/NeurIPS2024_SPV-MIA

期刊: The Thirty-eighth Annual Conference on Neural Information Processing Systems (NeurIPS 2024)

🔗 代码/项目: GITHUB


💡 一句话要点

提出自校准概率变异的成员推断攻击以解决大语言模型隐私问题

🎯 匹配领域: 支柱九:具身大模型 (Embodied Foundation Models)

关键词: 成员推断攻击 大语言模型 隐私保护 自提示方法 概率变异

📋 核心要点

  1. 现有的成员推断攻击方法在实际应用中面临高假阳性率的问题,尤其是在大语言模型中。
  2. 本文提出了一种新的攻击方法SPV-MIA,通过自提示构建数据集并引入概率变异来提高攻击的准确性。
  3. 实验结果显示,SPV-MIA在多个数据集上将AUC从0.7提升至0.9,显著提高了攻击性能。

📝 摘要(中文)

成员推断攻击(MIA)旨在推断目标数据记录是否用于模型训练。现有针对大语言模型的MIA方法分为无参考和基于参考的攻击。尽管基于参考的攻击在性能上表现良好,但其隐私风险的假设依赖于与训练集相似的参考数据集。本文提出了一种基于自校准概率变异的成员推断攻击(SPV-MIA),通过自提示方法构建数据集以微调参考模型,从而收集具有相似分布的数据。实验结果表明,SPV-MIA在三个数据集和四个示例LLM上的AUC从0.7显著提升至0.9。

🔬 方法详解

问题定义:本文解决的是成员推断攻击在大语言模型中的有效性问题,现有方法依赖于过拟合假设,导致高假阳性率。

核心思路:提出SPV-MIA方法,通过自提示构建与目标模型相似的数据集,并引入基于记忆的概率变异信号,以提高攻击的可靠性。

技术框架:整体流程包括自提示数据集构建、参考模型微调和概率变异信号提取三个主要模块。首先,通过提示目标LLM生成数据集,然后微调参考模型,最后计算概率变异以进行成员推断。

关键创新:SPV-MIA的核心创新在于利用自提示方法生成数据集,并通过概率变异信号替代传统的过拟合假设,从而提高了攻击的准确性。

关键设计:在设计中,使用了自提示生成数据集的策略,确保数据分布与目标模型相似,同时在损失函数中引入了基于记忆的信号以增强模型的泛化能力。

🖼️ 关键图片

fig_0
fig_1
fig_2

📊 实验亮点

实验结果表明,SPV-MIA在三个不同数据集上的AUC值从0.7显著提升至0.9,显示出其在成员推断攻击中的优越性能。这一提升不仅验证了方法的有效性,也为大语言模型的隐私保护提供了新的思路。

🎯 应用场景

该研究的潜在应用领域包括数据隐私保护、模型安全性评估和对抗性机器学习。通过提高成员推断攻击的有效性,可以帮助研究人员和企业更好地理解和防范模型泄露用户数据的风险,从而增强模型的安全性和隐私保护措施。

📄 摘要(原文)

Membership Inference Attacks (MIA) aim to infer whether a target data record has been utilized for model training or not. Existing MIAs designed for large language models (LLMs) can be bifurcated into two types: reference-free and reference-based attacks. Although reference-based attacks appear promising performance by calibrating the probability measured on the target model with reference models, this illusion of privacy risk heavily depends on a reference dataset that closely resembles the training set. Both two types of attacks are predicated on the hypothesis that training records consistently maintain a higher probability of being sampled. However, this hypothesis heavily relies on the overfitting of target models, which will be mitigated by multiple regularization methods and the generalization of LLMs. Thus, these reasons lead to high false-positive rates of MIAs in practical scenarios. We propose a Membership Inference Attack based on Self-calibrated Probabilistic Variation (SPV-MIA). Specifically, we introduce a self-prompt approach, which constructs the dataset to fine-tune the reference model by prompting the target LLM itself. In this manner, the adversary can collect a dataset with a similar distribution from public APIs. Furthermore, we introduce probabilistic variation, a more reliable membership signal based on LLM memorization rather than overfitting, from which we rediscover the neighbour attack with theoretical grounding. Comprehensive evaluation conducted on three datasets and four exemplary LLMs shows that SPV-MIA raises the AUC of MIAs from 0.7 to a significantly high level of 0.9. Our code and dataset are available at: https://github.com/tsinghua-fib-lab/NeurIPS2024_SPV-MIA