Noisy Neighbors: Efficient membership inference attacks against LLMs
Filippo Galli, Luca Melis, Tommaso Cucinotta
TL;DR
This paper presents a new, efficient method for membership inference attacks on large language models that uses noisy neighbors in embedding space, avoiding complex training and enabling practical privacy auditing.
Contribution
It introduces a novel noisy neighbors technique for MIAs that operates solely in inference mode, reducing computational costs compared to traditional shadow model approaches.
Findings
Method closely matches shadow model effectiveness
Operates solely in inference mode
Enables practical privacy auditing
Abstract
The potential of transformer-based LLMs risks being hindered by privacy concerns due to their reliance on extensive datasets, possibly including sensitive information. Regulatory measures like GDPR and CCPA call for using robust auditing tools to address potential privacy issues, with Membership Inference Attacks (MIA) being the primary method for assessing LLMs' privacy risks. Differently from traditional MIA approaches, often requiring computationally intensive training of additional models, this paper introduces an efficient methodology that generates \textit{noisy neighbors} for a target sample by adding stochastic noise in the embedding space, requiring operating the target model in inference mode only. Our findings demonstrate that this approach closely matches the effectiveness of employing shadow models, showing its usability in practical privacy auditing scenarios.
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Taxonomy
TopicsCryptography and Data Security · Privacy-Preserving Technologies in Data · Blockchain Technology Applications and Security