Be Careful When Fine-tuning On Open-Source LLMs: Your Fine-tuning Data Could Be Secretly Stolen!

TL;DR

This paper uncovers a significant privacy risk in fine-tuning open-source LLMs, where creators can extract proprietary data from models with black-box access, demonstrating high success rates and discussing defenses.

Contribution

It reveals a novel backdoor attack that enables extraction of proprietary fine-tuning data from open-source LLMs, highlighting a critical privacy vulnerability.

Findings

Up to 76.3% of fine-tuning data can be extracted in practical settings.

Success rate of data extraction can reach 94.9% in ideal conditions.

Detection-based defenses can be bypassed with improved attacks.

Abstract

Fine-tuning on open-source Large Language Models (LLMs) with proprietary data is now a standard practice for downstream developers to obtain task-specific LLMs. Surprisingly, we reveal a new and concerning risk along with the practice: the creator of the open-source LLMs can later extract the private downstream fine-tuning data through simple backdoor training, only requiring black-box access to the fine-tuned downstream model. Our comprehensive experiments, across 4 popularly used open-source models with 3B to 32B parameters and 2 downstream datasets, suggest that the extraction performance can be strikingly high: in practical settings, as much as 76.3% downstream fine-tuning data (queries) out of a total 5,000 samples can be perfectly extracted, and the success rate can increase to 94.9% in more ideal settings. We also explore a detection-based defense strategy but find it can be bypassed with improved attack. Overall, we highlight the emergency of this newly identified data breaching risk in fine-tuning, and we hope that more follow-up research could push the progress of addressing this concerning risk. The code and data used in our experiments are released at https://github.com/thu-coai/Backdoor-Data-Extraction.