Win-k: Improved Membership Inference Attacks on Small Language Models

TL;DR

This paper introduces win-k, a novel membership inference attack that significantly improves privacy breach effectiveness on small language models compared to existing methods.

Contribution

The paper proposes win-k, a new MIA that enhances attack success on small language models, especially smaller ones, outperforming previous attacks across multiple metrics.

Findings

win-k outperforms existing MIAs in AUROC, TPR @ 1% FPR, and FPR @ 99% TPR

win-k is especially effective on smaller language models

the study provides comprehensive evaluation across datasets and models

Abstract

Small language models (SLMs) are increasingly valued for their efficiency and deployability in resource-constrained environments, making them useful for on-device, privacy-sensitive, and edge computing applications. On the other hand, membership inference attacks (MIAs), which aim to determine whether a given sample was used in a model's training, are an important threat with serious privacy and intellectual property implications. In this paper, we study MIAs on SLMs. Although MIAs were shown to be effective on large language models (LLMs), they are relatively less studied on emerging SLMs, and furthermore, their effectiveness decreases as models get smaller. Motivated by this finding, we propose a new MIA called win-k, which builds on top of a state-of-the-art attack (min-k). We experimentally evaluate win-k by comparing it with five existing MIAs using three datasets and eight SLMs. Results show that win-k outperforms existing MIAs in terms of AUROC, TPR @ 1% FPR, and FPR @ 99% TPR metrics, especially on smaller models.