Membership Inference Attack against Long-Context Large Language Models

TL;DR

This paper demonstrates that Long-Context Large Language Models are vulnerable to membership inference attacks, revealing sensitive data in their extended contexts with high accuracy, thus exposing privacy risks.

Contribution

The study introduces the first set of membership inference attack strategies tailored for Long-Context LLMs and evaluates their effectiveness across multiple models.

Findings

Achieved up to 90.66% attack F1-score on multi-document QA datasets.

LCLMs are susceptible to membership leakage, posing privacy risks.

Proposed strategies effectively infer document membership in LCLMs contexts.

Abstract

Recent advances in Large Language Models (LLMs) have enabled them to overcome their context window limitations, and demonstrate exceptional retrieval and reasoning capacities on longer context. Quesion-answering systems augmented with Long-Context Language Models (LCLMs) can automatically search massive external data and incorporate it into their contexts, enabling faithful predictions and reducing issues such as hallucinations and knowledge staleness. Existing studies targeting LCLMs mainly concentrate on addressing the so-called lost-in-the-middle problem or improving the inference effiencicy, leaving their privacy risks largely unexplored. In this paper, we aim to bridge this gap and argue that integrating all information into the long context makes it a repository of sensitive information, which often contains private data such as medical records or personal identities. We further investigate the membership privacy within LCLMs external context, with the aim of determining whether a given document or sequence is included in the LCLMs context. Our basic idea is that if a document lies in the context, it will exhibit a low generation loss or a high degree of semantic similarity to the contents generated by LCLMs. We for the first time propose six membership inference attack (MIA) strategies tailored for LCLMs and conduct extensive experiments on various popular models. Empirical results demonstrate that our attacks can accurately infer membership status in most cases, e.g., 90.66% attack F1-score on Multi-document QA datasets with LongChat-7b-v1.5-32k, highlighting significant risks of membership leakage within LCLMs input contexts. Furthermore, we examine the underlying reasons why LCLMs are susceptible to revealing such membership information.