ExpShield: Safeguarding Web Text from Unauthorized Crawling and LLM Exploitation

TL;DR

ExpShield introduces a proactive, invisible perturbation method to protect web text from unauthorized use in training large language models, effectively reducing memorization and privacy risks without compromising readability.

Contribution

The paper presents a novel defense mechanism, ExpShield, that employs targeted perturbations and a new metric to mitigate text memorization in models, addressing limitations of existing protections.

Findings

Defense reduces membership inference attack success from 0.95 to 0.55 AUC.

Instance exploitation approaches near zero effectiveness.

Effective across language and vision-to-language models.

Abstract

As large language models increasingly memorize web-scraped training content, they risk exposing copyrighted or private information. Existing protections require compliance from crawlers or model developers, fundamentally limiting their effectiveness. We propose ExpShield, a proactive self-guard that mitigates memorization while maintaining readability via invisible perturbations, and we formulate it as a constrained optimization problem. Due to the lack of an individual-level risk metric for natural text, we first propose instance exploitation, a metric that measures how much training on a specific text increases the chance of guessing that text from a set of candidates-with zero indicating perfect defense. Directly solving the problem is infeasible for defenders without sufficient knowledge, thus we develop two effective proxy solutions: single-level optimization and synthetic perturbation. To enhance the defense, we reveal and verify the memorization trigger hypothesis, which can help to identify key tokens for memorization. Leveraging this insight, we design targeted perturbations that (i) neutralize inherent trigger tokens to reduce memorization and (ii) introduce artificial trigger tokens to misdirect model memorization. Experiments validate our defense across attacks, model scales, and tasks in language and vision-to-language modeling. Even with privacy backdoor, the Membership Inference Attack (MIA) AUC drops from 0.95 to 0.55 under the defense, and the instance exploitation approaches zero. This suggests that compared to the ideal no-misuse scenario, the risk of exposing a text instance remains nearly unchanged despite its inclusion in the training data.