Deconstructing Classifiers: Towards A Data Reconstruction Attack Against Text Classification Models
Adel Elmahdy, Ahmed Salem

TL;DR
This paper introduces the Mix And Match attack, a novel method exploiting language models' structure to reconstruct training data from text classifiers, revealing significant privacy vulnerabilities.
Contribution
It proposes a new targeted data reconstruction attack specifically designed for text classification models based on large language models, demonstrating its effectiveness.
Findings
The attack successfully reconstructs training data using both random and organic canaries.
It exposes privacy risks inherent in LLM-based classifiers.
The study highlights potential data leakage vulnerabilities in current NLP models.
Abstract
Natural language processing (NLP) models have become increasingly popular in real-world applications, such as text classification. However, they are vulnerable to privacy attacks, including data reconstruction attacks that aim to extract the data used to train the model. Most previous studies on data reconstruction attacks have focused on LLMs, while classification models were assumed to be more secure. In this work, we propose a new targeted data reconstruction attack called the Mix And Match attack, which takes advantage of the fact that most classification models are based on LLMs. The Mix And Match attack uses the base model of the target model to generate candidate tokens and then prunes them using the classification head. We extensively demonstrate the effectiveness of the attack using both random and organic canaries. This work highlights the importance of considering the privacy…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Network Security and Intrusion Detection · Internet Traffic Analysis and Secure E-voting
Methods: Balanced Selection
