Controlling the Extraction of Memorized Data from Large Language Models via Prompt-Tuning

TL;DR

This paper introduces prompt-tuning methods to control the extraction of memorized data from large language models, enabling both attack and defense strategies to manage privacy risks effectively.

Contribution

It presents novel prompt-tuning strategies to increase or decrease data extraction rates from LLMs, offering a new way to balance privacy and utility.

Findings

Attack increases extraction rate by 9.3 percentage points.

Defense reduces extraction rate by up to 97.7%.

Trade-offs between privacy and utility are tunable via hyperparameters.

Abstract

Large Language Models (LLMs) are known to memorize significant portions of their training data. Parts of this memorized content have been shown to be extractable by simply querying the model, which poses a privacy risk. We present a novel approach which uses prompt-tuning to control the extraction rates of memorized content in LLMs. We present two prompt training strategies to increase and decrease extraction rates, which correspond to an attack and a defense, respectively. We demonstrate the effectiveness of our techniques by using models from the GPT-Neo family on a public benchmark. For the 1.3B parameter GPT-Neo model, our attack yields a 9.3 percentage point increase in extraction rate compared to our baseline. Our defense can be tuned to achieve different privacy-utility trade-offs by a user-specified hyperparameter. We achieve an extraction rate reduction of up to 97.7% relative to our baseline, with a perplexity increase of 16.9%.