EL-MIA: Quantifying Membership Inference Risks of Sensitive Entities in LLMs

TL;DR

This paper introduces EL-MIA, a framework for assessing the risk of sensitive entity membership inference in large language models, revealing current methods' limitations and the need for stronger adversaries.

Contribution

The paper proposes a novel entity-level membership inference framework, constructs a benchmark dataset, and systematically evaluates existing and new MIA methods for LLMs.

Findings

Existing MIA methods have limited effectiveness at entity-level inference.

Entity membership susceptibility correlates with model scale and training epochs.

Simple methods can outline entity-level risks, indicating a need for stronger adversarial testing.

Abstract

Membership inference attacks (MIA) aim to infer whether a particular data point is part of the training dataset of a model. In this paper, we propose a new task in the context of LLM privacy: entity-level discovery of membership risk focused on sensitive information (PII, credit card numbers, etc). Existing methods for MIA can detect the presence of entire prompts or documents in the LLM training data, but they fail to capture risks at a finer granularity. We propose the ``EL-MIA'' framework for auditing entity-level membership risks in LLMs. We construct a benchmark dataset for the evaluation of MIA methods on this task. Using this benchmark, we conduct a systematic comparison of existing MIA techniques as well as two newly proposed methods. We provide a comprehensive analysis of the results, trying to explain the relation of the entity level MIA susceptability with the model scale, training epochs, and other surface level factors. Our findings reveal that existing MIA methods are limited when it comes to entity-level membership inference of the sensitive attributes, while this susceptibility can be outlined with relatively straightforward methods, highlighting the need for stronger adversaries to stress test the provided threat model.