Detecting Data Contamination in Large Language Models

TL;DR

This paper evaluates the effectiveness of state-of-the-art black-box Membership Inference Attacks on large language models, finding they are generally unreliable in detecting training data membership.

Contribution

It compares existing MIAs under unified conditions and introduces a new method called Familiarity Ranking for black-box membership inference.

Findings

All methods achieved an AUC-ROC of approximately 0.5, indicating unreliable detection.

Higher TPR and FPR in advanced LLMs suggest increased reasoning capabilities.

Black-box MIAs struggle to reliably detect data membership in large language models.

Abstract

Large Language Models (LLMs) utilize large amounts of data for their training, some of which may come from copyrighted sources. Membership Inference Attacks (MIA) aim to detect those documents and whether they have been included in the training corpora of the LLMs. The black-box MIAs require a significant amount of data manipulation; therefore, their comparison is often challenging. We study state-of-the-art (SOTA) MIAs under the black-box assumptions and compare them to each other using a unified set of datasets to determine if any of them can reliably detect membership under SOTA LLMs. In addition, a new method, called the Familiarity Ranking, was developed to showcase a possible approach to black-box MIAs, thereby giving LLMs more freedom in their expression to understand their reasoning better. The results indicate that none of the methods are capable of reliably detecting membership in LLMs, as shown by an AUC-ROC of approximately 0.5 for all methods across several LLMs. The higher TPR and FPR for more advanced LLMs indicate higher reasoning and generalizing capabilities, showcasing the difficulty of detecting membership in LLMs using black-box MIAs.