
arxiv: 2606.20553 · v1 · pith:QWJI6A3Wnew · submitted 2026-06-18 · 💻 cs.CR

From Efficiency to Leakage -- Privacy Backdoor in Federated Language Model Fine-Tuning

Pith reviewed 2026-06-26 16:48 UTC · model grok-4.3

classification 💻 cs.CR
keywords: federated learning · privacy attack · parameter-efficient fine-tuning · data reconstruction · memorization backdoor · language model fine-tuning · adversarial server

The pith

A malicious federated server can corrupt PEFT adapters into backdoors that memorize and reconstruct up to 79 percent of client fine-tuning samples.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper shows that parameter-efficient fine-tuning in federated learning creates an opening for a dishonest central server to turn the adapter into a privacy backdoor. By assigning each training sample its own neuron and updating that neuron only once during local training, the server isolates per-sample parameter changes that avoid mixing from batches or optimizers. These isolated changes can later be inverted in closed form to recover the original token sequences from the embeddings. The attack succeeds on BERT, GPT-2, Qwen2, and Llama3.2 across four different datasets, recovering 59 to 79 percent of samples at high semantic fidelity without hurting model accuracy. This demonstrates that efficiency techniques intended to protect client data can instead be turned against them.

Core claim

NeuroImprint assigns a dedicated memorization neuron to each training sample and constrains that each neuron is updated at most once along the local fine-tuning trajectory. This design mitigates both cross-sample collisions and cross-step mixing introduced by large local batches and stateful optimizers. After fine-tuning, the resulting isolated per-sample updates can be analytically inverted in closed form to recover text embeddings, which are then deterministically mapped back to token sequences.

What carries the argument

NeuroImprint attack that stores each sample as an isolated per-sample parameter update in a dedicated memorization neuron, updated at most once during local fine-tuning.

If this is right

  • The attack applies unchanged to BERT, GPT-2, Qwen2, and Llama3.2.
  • Recovery rates of 59 to 79 percent hold across four fine-tuning datasets from different domains.
  • Model utility remains intact while the backdoor is active.
  • The same neuron-isolation technique works for both adapter-based and other parameter-efficient methods.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The same isolation trick could be adapted to full fine-tuning if the server can still control which weights receive single updates.
  • Detection might require clients to monitor per-neuron activation patterns that deviate from normal training dynamics.
  • Future defenses could add noise to each local update step to break the closed-form invertibility.
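
An added example, not from the paper or from Pith, of the client-side monitoring the second bullet suggests. It assumes the client can record each trainable adapter layer's gradient after every local step, and it reads "updated at most once" as "receives a non-zero gradient in at most one step"; the function names, thresholds, and sample gradient traces are constructed for illustration.

```python
import math
import random


def row_norms(grad):
    """L2 norm of each neuron's gradient row; grad is a list of rows."""
    return [math.sqrt(sum(g * g for g in row)) for row in grad]


def active_step_counts(step_grads, eps=1e-12):
    """Per neuron, the number of local steps with a non-zero gradient row."""
    counts = [0] * len(step_grads[0])
    for grad in step_grads:
        for i, norm in enumerate(row_norms(grad)):
            if norm > eps:
                counts[i] += 1
    return counts


def audit_layer(step_grads, single_frac_threshold=0.9, min_active=8):
    """Flag a layer whose active neurons almost all receive gradient in exactly one step.

    The thresholds are illustrative assumptions, not values from the paper.
    """
    counts = active_step_counts(step_grads)
    active = [c for c in counts if c > 0]
    single = sum(1 for c in active if c == 1)
    frac = single / len(active) if active else 0.0
    suspicious = (
        len(step_grads) > 1
        and len(active) >= min_active
        and frac >= single_frac_threshold
    )
    return {
        "steps": len(step_grads),
        "active_neurons": len(active),
        "single_update_fraction": frac,
        "suspicious": suspicious,
    }


def make_dense_trace(steps=6, neurons=24, dim=4, dead_prob=0.2, seed=0):
    """Constructed trace: an ordinary dense layer whose rows are occasionally zero."""
    rng = random.Random(seed)
    trace = []
    for _ in range(steps):
        grad = []
        for _ in range(neurons):
            if rng.random() < dead_prob:
                grad.append([0.0] * dim)
            else:
                grad.append([rng.gauss(0.0, 1.0) for _ in range(dim)])
        trace.append(grad)
    return trace


def make_single_update_trace(steps=6, batch=4, dim=4, seed=1):
    """Constructed trace: step t touches only neurons t*batch .. t*batch+batch-1."""
    rng = random.Random(seed)
    neurons = steps * batch
    trace = []
    for t in range(steps):
        grad = [[0.0] * dim for _ in range(neurons)]
        for i in range(t * batch, (t + 1) * batch):
            grad[i] = [rng.gauss(0.0, 1.0) for _ in range(dim)]
        trace.append(grad)
    return trace


if __name__ == "__main__":
    for name, trace in [("dense", make_dense_trace()),
                        ("single-update", make_single_update_trace())]:
        print(name, audit_layer(trace))
```

Embedding lookup tables legitimately receive sparse, token-dependent gradients, so the check belongs on dense adapter projections. A hit is a reason to inspect the adapter the server shipped, not proof of tampering.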

Load-bearing premise

The rule that each memorization neuron is updated at most once prevents mixing from batches or optimizers and keeps the per-sample updates separable for later inversion.

What would settle it

A run on the same models and datasets where each neuron is allowed to be updated more than once or where batch size is increased shows reconstruction rate falling below 20 percent.

Figures

Figures reproduced from arXiv: 2606.20553 by Chaoyu Zhang, Heng Jin, Ning Zhang, Shanghao Shi, Wenjing Lou, William Yeoh, Yang Xiao, Yevgeniy Vorobeychik, Y. Thomas Hou.

Figure 1: Serial, parallel, and low-rank adapters.
Figure 2: NeuroImprint threat model. We remove the superscript r that represents the FL round number because NeuroImprint can be accomplished within one round. … [7], whose fundamental technique is to add zero-sum cryptographic masks to individual clients' model updates. As a result, the curious server can only obtain the aggregated model updates and cannot infer individual information. Beyond vanilla secure aggre…
Figure 3: NeuroImprint activation pattern: Transforming from pyramid activation to linear activation to adapt for the Adam/AdamW optimizer. … 3. Unlike the conventional pyramid-shaped activation pattern, which co-activates multiple samples in shared neurons, linear activation avoids mixing and keeps the final update invertible under Adam/AdamW. In the following sections, we first introduce our detailed design to achi…
Figure 4: NeuroImprint detailed attack flow. Our privacy backdoor is crafted from a legitimate parallel adapter. NeuroImprint only modifies the embedding block, leaving the transformer blocks and their adapters unchanged. … a reference, in the BERT model, the original hidden dimension h = 768 and reduced dimension ĥ = 64. Such a setting ensures that the dimension is significantly reduced, while also preserving enoug…
Figure 5: NeuroImprint reconstruction examples on the SQuAD dataset. Text 1 corresponds to fine-tuning with SGD; Text 2 corresponds to fine-tuning with AdamW. SGD yields nearly perfect reconstruction, while AdamW leads to approximated recovery with minor distortions. To improve their readability and semantic coherence, the adversary could further refine the reconstructed samples by leveraging LLMs to rephrase the co…
Figure 6: The semantic similarity distribution of reconstructed samples for Qwen2-1.5B.
Figure 7: NeuroImprint reconstruction performance across different reconstruction bin sizes under the GPT-2 model. [Plot residue: panels (a) Rate/Data Size, ASR (0% to 100%) against data number d (400 to 1200), and (b) Semantic Sim./Data Size, mean cosine similarity (0.0 to 1.0) against data number d, each with SGD and AdamW series.]
Figure 8: NeuroImprint reconstruction performance across different local data sizes under the GPT-2 model. … that the reconstruction rates decrease when the target data size increases. However, the reconstruction semantic similarity scores are very stable across different data settings. As a conclusion for the two Sections, we find that the reconstruction rate is not decided by either the bin number m or the target …
Figure 11: GPT-2's performance with and without NeuroImprint on the AGNews dataset.
Figure 12: NeuroImprint reconstruction examples on the AGNews, GSM8K, and EMRQA-mSQuAD datasets.
Figure 13: The semantic similarity distribution of re
Original abstract

Federated learning (FL) enables multiple parties to collaboratively fine-tune language models for domain-specific tasks without sharing raw data. Since full model fine-tuning is often prohibitively expensive for FL clients, parameter-efficient fine-tuning (PEFT) has become the de facto approach in practice, freezing the base model and training only a small set of adapters. In this paper, we show that a malicious parameter server can stealthily corrupt a PEFT adapter into a privacy backdoor that implicitly memorizes the client's training samples as isolated per-sample parameter updates stored in separate neurons, without degrading model utility. Concretely, our attack, NeuroImprint, assigns a dedicated memorization neuron to each training sample and constrains that each neuron is updated at most once along the local fine-tuning trajectory. This design mitigates both cross-sample collisions and cross-step mixing introduced by large local batches and stateful optimizers (e.g., Adam/AdamW) in language-model fine-tuning. After fine-tuning, the resulting isolated per-sample updates can be analytically inverted in closed form to recover text embeddings, which are then deterministically mapped back to token sequences. To understand the generality of our method, we implemented NeuroImprint on multiple language models (BERT, GPT-2, Qwen2, and Llama3.2) and evaluated it across four fine-tuning datasets spanning diverse domains. The results demonstrate that our attack can reconstruct 59% to 79% of all finetuning samples with high semantic fidelity.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 1 minor

Summary. The paper proposes NeuroImprint, a privacy backdoor attack on federated parameter-efficient fine-tuning (PEFT) of language models. A malicious server injects dedicated 'memorization neurons' into the adapter such that each training sample produces an isolated per-sample parameter update (enforced by updating each neuron at most once). After local fine-tuning, these updates are analytically inverted in closed form from the final adapter weights to recover token sequences, achieving 59-79% reconstruction rates with high semantic fidelity. The attack is evaluated on BERT, GPT-2, Qwen2, and Llama3.2 across four datasets without degrading utility.

Significance. If the isolation mechanism is shown to survive realistic client-side batching and optimizers, the result identifies a previously under-appreciated privacy risk in PEFT-based federated learning: adapters can be turned into stealthy memorization backdoors. The multi-model, multi-dataset evaluation supports generality, and the closed-form inversion is a concrete, falsifiable contribution that could motivate new defenses or auditing requirements for FL adapters.

major comments (2)
  1. [NeuroImprint design description] The NeuroImprint design (abstract and method description): the claim that constraining each memorization neuron to be updated at most once 'mitigates both cross-sample collisions and cross-step mixing introduced by large local batches and stateful optimizers (e.g., Adam/AdamW)' lacks any equation, pseudocode, or diagram showing how the PEFT adapter implements sample-specific routing that prevents gradient averaging over a batch. Without this, the closed-form inversion recovers a linear combination rather than an isolated embedding, directly undermining the 59-79% fidelity numbers.
  2. [Evaluation] Evaluation (abstract and results): reconstruction rates of 59-79% are reported without baselines (e.g., random or non-backdoored adapters), exact inversion procedure details, statistical significance, or ablation on batch size/optimizer, leaving moderate empirical support for the central reconstruction claim.
minor comments (1)
  1. [Abstract] The abstract and method would benefit from an explicit threat model diagram or table clarifying server vs. client capabilities and when the backdoor is injected.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the detailed and constructive review. We address each major comment below and will revise the manuscript accordingly to improve clarity and empirical support.

  1. Referee: [NeuroImprint design description] The NeuroImprint design (abstract and method description): the claim that constraining each memorization neuron to be updated at most once 'mitigates both cross-sample collisions and cross-step mixing introduced by large local batches and stateful optimizers (e.g., Adam/AdamW)' lacks any equation, pseudocode, or diagram showing how the PEFT adapter implements sample-specific routing that prevents gradient averaging over a batch. Without this, the closed-form inversion recovers a linear combination rather than an isolated embedding, directly undermining the 59-79% fidelity numbers.

    Authors: We agree that the manuscript would benefit from explicit implementation details to substantiate the isolation claim. The per-sample neuron assignment is realized by dynamically routing each training sample to a dedicated adapter neuron (via a sample-indexed mask) and enforcing a single-update constraint by zeroing gradients for that neuron after its first use. This prevents both intra-batch averaging and optimizer state mixing. We will add the corresponding equations for the masked update rule, pseudocode for the modified local training loop, and a diagram of the adapter routing mechanism in the revised method section. revision: yes

  2. Referee: [Evaluation] Evaluation (abstract and results): reconstruction rates of 59-79% are reported without baselines (e.g., random or non-backdoored adapters), exact inversion procedure details, statistical significance, or ablation on batch size/optimizer, leaving moderate empirical support for the central reconstruction claim.

    Authors: We acknowledge the need for stronger empirical grounding. The current rates reflect experiments under standard FL settings (batch size 8, AdamW), but we will expand the evaluation section to include: (i) baselines for random guessing and non-backdoored adapters, (ii) the closed-form inversion formula with derivation, (iii) statistical significance (e.g., confidence intervals over multiple runs), and (iv) ablations varying batch size (4-32) and optimizer (SGD vs. AdamW). These additions will be incorporated without altering the core results. revision: yes

Circularity Check

0 steps flagged

Empirical attack construction with no circular derivation


The paper presents NeuroImprint as an attack that assigns per-sample neurons with an 'at most once' update constraint, then analytically inverts the resulting adapter weights to recover embeddings. All reported outcomes (59-79% reconstruction rates) are measured empirical results across BERT/GPT-2/Qwen2/Llama3.2 and four datasets. No equation or claim reduces a prediction to a fitted parameter, self-citation, or definitional tautology; the design choices are explicit construction steps whose effectiveness is validated externally rather than assumed by the equations themselves.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 1 invented entities

The attack rests on the domain assumption that single-update constraints on dedicated neurons produce invertible isolated updates; no free parameters or new physical entities are introduced.

axioms (1)
  • domain assumption: Constraining each neuron to update at most once isolates per-sample parameter updates despite large batches and stateful optimizers.
    This premise is required for the closed-form inversion step to succeed without collisions.
invented entities (1)
  • memorization neuron (no independent evidence)
    purpose: Dedicated neuron that stores an isolated per-sample update for later analytical recovery.
    New construct introduced by the attack to achieve the backdoor property.


Reference graph

Works this paper leans on

66 extracted references · 9 linked inside Pith

  1. Jinze Bai, Shuai Bai, Yunfei Chu, Zeyu Cui, Kai Dang, Xiaodong Deng, Yang Fan, Wenbin Ge, Yu Han, Fei Huang, et al. Qwen technical report. arXiv preprint arXiv:2309.16609, 2023.
  2. Ankur Bapna and Orhan Firat. Simple, scalable adaptation for neural machine translation. In Proceedings of the 2019 conference on empirical methods in natural language processing and the 9th international joint conference on natural language processing (EMNLP-IJCNLP), pages 1538–1548, 2019.
  3. James Bell, Adrià Gascón, Tancrède Lepoint, Baiyu Li, Sarah Meiklejohn, Mariana Raykova, and Cathie Yun. ACORN: input validation for secure aggregation. In 32nd USENIX Security Symposium (USENIX Security 23), pages 4805–4822, 2023.
  4. James Henry Bell, Kallista A Bonawitz, Adrià Gascón, Tancrède Lepoint, and Mariana Raykova. Secure single-server aggregation with (poly) logarithmic overhead. In Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security, pages 1253–1269, 2020.
  5. Iz Beltagy, Kyle Lo, and Arman Cohan. Scibert: A pretrained language model for scientific text. arXiv preprint arXiv:1903.10676, 2019.
  6. Asma Ben Abacha and Dina Demner-Fushman. A question-entailment approach to question answering. BMC bioinformatics, 20(1):511, 2019.
  7. Keith Bonawitz, Vladimir Ivanov, Ben Kreuter, Antonio Marcedone, H Brendan McMahan, Sarvar Patel, Daniel Ramage, Aaron Segal, and Karn Seth. Practical secure aggregation for privacy-preserving machine learning. In proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, pages 1175–1191, 2017.
  8. Lukas Burkhalter, Hidde Lycklama, Alexander Viand, Nicolas Küchler, and Anwar Hithnawi. Rofl: Attestable robustness for secure federated learning. arXiv e-prints, pages arXiv–2107, 2021.
  9. Nicholas Carlini and Andreas Terzis. Poisoning and backdooring contrastive learning. In The Tenth International Conference on Learning Representations, ICLR 2022, Virtual Event, April 25-29, 2022. OpenReview.net, 2022.
  10. Nicholas Carlini, Florian Tramer, Eric Wallace, Matthew Jagielski, Ariel Herbert-Voss, Katherine Lee, Adam Roberts, Tom Brown, Dawn Song, Ulfar Erlingsson, et al. Extracting training data from large language models. In 30th USENIX security symposium (USENIX Security 21), pages 2633–2650, 2021.
  11. Nicolas Carlini, Jamie Hayes, Milad Nasr, Matthew Jagielski, Vikash Sehwag, Florian Tramer, Borja Balle, Daphne Ippolito, and Eric Wallace. Extracting training data from diffusion models. In 32nd USENIX security symposium (USENIX Security 23), pages 5253–5270, 2023.
  12. Ilias Chalkidis, Manos Fergadiotis, Prodromos Malakasiotis, Nikolaos Aletras, and Ion Androutsopoulos. Legal-bert: The muppets straight out of law school. arXiv preprint arXiv:2010.02559, 2020.
  13. Xinyun Chen, Chang Liu, Bo Li, Kimberly Lu, and Dawn Song. Targeted backdoor attacks on deep learning systems using data poisoning. arXiv preprint arXiv:1712.05526, 2017.
  14. Karl Cobbe, Vineet Kosaraju, Mohammad Bavarian, Mark Chen, Heewoo Jun, Lukasz Kaiser, Matthias Plappert, Jerry Tworek, Jacob Hilton, Reiichiro Nakano, Christopher Hesse, and John Schulman. Training verifiers to solve math word problems. arXiv preprint arXiv:2110.14168, 2021.
  15. Tim Dettmers, Artidoro Pagnoni, Ari Holtzman, and Luke Zettlemoyer. Qlora: Efficient finetuning of quantized llms. Advances in neural information processing systems, 36:10088–10115, 2023.
  16. Jacob Devlin, Ming-Wei Chang, Kenton Lee, and Kristina Toutanova. Bert: Pre-training of deep bidirectional transformers for language understanding. In Proceedings of the 2019 conference of the North American chapter of the association for computational linguistics: human language technologies, volume 1 (long and short papers), pages 4171–4186, 2019.
  17. Tian Dong, Yan Meng, Shaofeng Li, Guoxing Chen, Zhen Liu, and Haojin Zhu. Depth gives a false sense of privacy: LLM internal states inversion. In 34th USENIX Security Symposium (USENIX Security 25), pages 1629–1648, 2025.
  18. Abhimanyu Dubey, Abhinav Jauhri, Abhinav Pandey, Abhishek Kadian, Ahmad Al-Dahle, Aiesha Letman, Akhil Mathur, Alan Schelten, Amy Yang, Angela Fan, et al. The llama 3 herd of models. arXiv e-prints, pages arXiv–2407, 2024.
  19. Jimenez Eladio and Hao Wu. emrqa-msquad: A medical dataset structured with the squad v2.0 framework, enriched with emrqa medical information. arXiv preprint arXiv:2404.12050, 2024.
  20. Shanglun Feng and Florian Tramèr. Privacy backdoors: Stealing data with corrupted pretrained models. In International Conference on Machine Learning, pages 13326–13364. PMLR, 2024.
  21. Liam Fowl, Jonas Geiping, Wojtek Czaja, Micah Goldblum, and Tom Goldstein. Robbing the fed: Directly obtaining private data in federated learning with modified models. arXiv preprint arXiv:2110.13057, 2021.
  22. Jonas Geiping, Hartmut Bauermeister, Hannah Dröge, and Michael Moeller. Inverting gradients-how easy is it to break privacy in federated learning? Advances in Neural Information Processing Systems, 33:16937–16947, 2020.
  23. Tianyu Gu, Brendan Dolan-Gavitt, and Siddharth Garg. Badnets: Identifying vulnerabilities in the machine learning model supply chain. arXiv preprint arXiv:1708.06733, 2017.
  24. Xiaojie Guo, Zheli Liu, Jin Li, Jiqiang Gao, Boyu Hou, Changyu Dong, and Thar Baker. Verifl: Communication-efficient and fast verifiable aggregation for federated learning. IEEE Transactions on Information Forensics and Security, 16:1736–1751, 2020.
  25. Ali Hatamizadeh, Hongxu Yin, Holger R Roth, Wenqi Li, Jan Kautz, Daguang Xu, and Pavlo Molchanov. Gradvit: Gradient inversion of vision transformers. In Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, pages 10021–10030, 2022.
  26. Junxian He, Chunting Zhou, Xuezhe Ma, Taylor Berg-Kirkpatrick, and Graham Neubig. Towards a unified view of parameter-efficient transfer learning. arXiv preprint arXiv:2110.04366, 2021.
  27. Zecheng He, Tianwei Zhang, and Ruby B Lee. Model inversion attacks against collaborative inference. In Proceedings of the 35th annual computer security applications conference, pages 148–162, 2019.
  28. Neil Houlsby, Andrei Giurgiu, Stanislaw Jastrzebski, Bruna Morrone, Quentin De Laroussilhe, Andrea Gesmundo, Mona Attariyan, and Sylvain Gelly. Parameter-efficient transfer learning for nlp. In International conference on machine learning, pages 2790–2799. PMLR, 2019.
  29. Hsiang Hsu Hsu, Kuan-Chieh Yin, and C.-C. Jay Kuo. Measuring the effects of non-identical data distribution for federated visual classification. arXiv preprint arXiv:1909.06335, 2019.
  30. Edward J Hu, Yelong Shen, Phillip Wallis, Zeyuan Allen-Zhu, Yuanzhi Li, Shean Wang, Lu Wang, Weizhu Chen, et al. Lora: Low-rank adaptation of large language models. ICLR, 1(2):3, 2022.
  31. Zhiqiang Hu, Lei Wang, Yihuai Lan, Wanyu Xu, Ee-Peng Lim, Lidong Bing, Xing Xu, Soujanya Poria, and Roy Lee. Llm-adapters: An adapter family for parameter-efficient fine-tuning of large language models. In Proceedings of the 2023 conference on empirical methods in natural language processing, pages 5254–5276, 2023.
  32. Allen H Huang, Hui Wang, and Yi Yang. Finbert: A large language model for extracting information from financial text. Contemporary Accounting Research, 40(2):806–841, 2023.
  33. Kexin Huang, Jaan Altosaar, and Rajesh Ranganath. Clinicalbert: Modeling clinical notes and predicting hospital readmission. arXiv preprint arXiv:1904.05342, 2019.
  34. Swanand Kadhe, Nived Rajaraman, O Ozan Koyluoglu, and Kannan Ramchandran. Fastsecagg: Scalable secure aggregation for privacy-preserving federated learning. arXiv preprint arXiv:2009.11248, 2020.
  35. Diederik P. Kingma and Jimmy Ba. Adam: A method for stochastic optimization. arXiv preprint arXiv:1412.6980, 2014.
  36. Thanos Konstantinidis, Giorgos Iacovides, Mingxue Xu, Tony G Constantinides, and Danilo Mandic. Finllama: Financial sentiment classification for algorithmic trading applications. arXiv preprint arXiv:2403.12285, 2024.
  37. Jinhyuk Lee, Wonjin Yoon, Sungdong Kim, Donghyeon Kim, Sunkyu Kim, Chan Ho So, and Jaewoo Kang. Biobert: a pre-trained biomedical language representation model for biomedical text mining. Bioinformatics, 36(4):1234–1240, 2020.
  38. Chunyuan Li, Cliff Wong, Sheng Zhang, Naoto Usuyama, Haotian Liu, Jianwei Yang, Tristan Naumann, Hoifung Poon, and Jianfeng Gao. Llava-med: Training a large language-and-vision assistant for biomedicine in one day. Advances in Neural Information Processing Systems, 36:28541–28564, 2023.
  39. Xiao-Yang Liu, Guoxuan Wang, Hongyang Yang, and Daochen Zha. Fingpt: Democratizing internet-scale data for financial large language models. arXiv preprint arXiv:2307.10485, 2023.
  40. Yingqi Liu, Shiqing Ma, Yousra Aafer, Wen-Chuan Lee, Juan Zhai, Weihang Wang, and Xiangyu Zhang. Trojaning attack on neural networks. In 25th Annual Network And Distributed System Security Symposium (NDSS 2018). Internet Soc, 2018.
  41. Ilya Loshchilov and Frank Hutter. Decoupled weight decay regularization. In International Conference on Learning Representations (ICLR), 2019.
  42. Jiahao Lu, Xi Sheryl Zhang, Tianli Zhao, Xiangyu He, and Jian Cheng. April: Finding the achilles' heel on privacy for vision transformers. In Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, pages 10051–10060, 2022.
  43. Renqian Luo, Liai Sun, Yingce Xia, Tao Qin, Sheng Zhang, Hoifung Poon, and Tie-Yan Liu. Biogpt: generative pre-trained transformer for biomedical text generation and mining. Briefings in bioinformatics, 23(6):bbac409, 2022.
  44. Yiping Ma, Jess Woods, Sebastian Angel, Antigoni Polychroniadou, and Tal Rabin. Flamingo: Multi-round single-server secure aggregation with applications to private federated learning. In 2023 IEEE Symposium on Security and Privacy (SP), pages 477–496. IEEE, 2023.
  45. Brendan McMahan, Eider Moore, Daniel Ramage, Seth Hampson, and Blaise Aguera y Arcas. Communication-efficient learning of deep networks from decentralized data. In Artificial intelligence and statistics, pages 1273–1282. PMLR, 2017.
  46. Dario Pasquini, Danilo Francati, and Giuseppe Ateniese. Eluding secure aggregation in federated learning via model inconsistency. In Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security, pages 2429–2443, 2022.
  47. Xiong Peng, Bo Han, Feng Liu, Tongliang Liu, and Mingyuan Zhou. Pseudo-private data guided model inversion attacks. Advances in Neural Information Processing Systems, 37:33338–33375, 2024.
  48. Ivo Petrov, Dimitar I Dimitrov, Maximilian Baader, Mark N Müller, and Martin Vechev. Dager: Exact gradient inversion for large language models. Advances in Neural Information Processing Systems, 37:87801–87830, 2024.
  49. Jonas Pfeiffer, Andreas Rücklé, Clifton Poth, Aishwarya Kamath, Ivan Vulić, Sebastian Ruder, Kyunghyun Cho, and Iryna Gurevych. Adapterhub: A framework for adapting transformers. arXiv preprint arXiv:2007.07779, 2020.
  50. Wenjie Qu, Yuguang Zhou, Yongji Wu, Tingsong Xiao, Binhang Yuan, Yiming Li, and Jiaheng Zhang. Prompt inversion attack against collaborative inference of large language models. In 2025 IEEE Symposium on Security and Privacy (SP), pages 1695–1712. IEEE, 2025.
  51. Alec Radford, Jeffrey Wu, Rewon Child, David Luan, Dario Amodei, Ilya Sutskever, et al. Language models are unsupervised multitask learners. OpenAI blog, 1(8):9, 2019.
  52. Pranav Rajpurkar, Jian Zhang, Konstantin Lopyrev, and Percy Liang. Squad: 100,000+ questions for machine comprehension of text. arXiv preprint arXiv:1606.05250, 2016.
  53. Mayank Rathee, Conghao Shen, Sameer Wagh, and Raluca Ada Popa. Elsa: Secure aggregation for federated learning with malicious actors. In 2023 IEEE Symposium on Security and Privacy (SP), pages 1961–
  54. Nils Reimers and Iryna Gurevych. Sentence-bert: Sentence embeddings using siamese bert-networks. arXiv preprint arXiv:1908.10084, 2019.
  55. Shanghao Shi, Ning Wang, Yang Xiao, Chaoyu Zhang, Yi Shi, Y Thomas Hou, and Wenjing Lou. Scale-mia: A scalable model inversion attack against secure federated learning via latent space reconstruction. arXiv preprint arXiv:2311.05808, 2023.
  56. U.S. Congress. Health insurance portability and accountability act of 1996. https://www.govinfo.gov/link/plaw/104/public/191, 1996. Public Law 104-191, 110 Stat. 1936, enacted August 21, 1996.
  57. Yuxin Wen, Jonas Geiping, Liam Fowl, Micah Goldblum, and Tom Goldstein. Fishing for user data in large-batch federated learning via gradient magnification. arXiv preprint arXiv:2202.00580, 2022.

  58. [58]

    Privacy backdoors: Enhancing membership inference through poisoning pre-trained models.Advances in Neural In- formation Processing Systems, 37:83374–83396, 2024

    Yuxin Wen, Leo Marchyok, Sanghyun Hong, Jonas Geiping, Tom Goldstein, and Nicholas Carlini. Privacy backdoors: Enhancing membership inference through poisoning pre-trained models.Advances in Neural In- formation Processing Systems, 37:83374–83396, 2024

  59. [59]

    See through gradients: Image batch recovery via gradinversion

    Hongxu Yin, Arun Mallya, Arash Vahdat, Jose M Al- varez, Jan Kautz, and Pavlo Molchanov. See through gradients: Image batch recovery via gradinversion. In Proceedings of the IEEE/CVF Conference on Com- puter Vision and Pattern Recognition, pages 16337– 16346, 2021

  60. [60]

    Character-level convolutional networks for text classi- fication

    Xiang Zhang, Junbo Zhao, and Yann LeCun. Character-level convolutional networks for text classi- fication. InAdvances in Neural Information Processing Systems (NeurIPS), 2015

  61. [61]

    The secret revealer: Generative model-inversion attacks against deep neu- ral networks

    Yuheng Zhang, Ruoxi Jia, Hengzhi Pei, Wenxiao Wang, Bo Li, and Dawn Song. The secret revealer: Generative model-inversion attacks against deep neu- ral networks. InProceedings of the IEEE/CVF confer- ence on computer vision and pattern recognition, pages 253–261, 2020

  62. [62]

    idlg: Improved deep leakage from gradients.arXiv preprint arXiv:2001.02610, 2020

    Bo Zhao, Konda Reddy Mopuri, and Hakan Bilen. idlg: Improved deep leakage from gradients.arXiv preprint arXiv:2001.02610, 2020

  63. [63]

    Loki: Large-scale data reconstruction attack against federated learning through model manip- ulation

    Joshua C Zhao, Atul Sharma, Ahmed Roushdy Elko- rdy, Yahya H Ezzeldin, Salman Avestimehr, and Saurabh Bagchi. Loki: Large-scale data reconstruction attack against federated learning through model manip- ulation. In2024 IEEE Symposium on Security and Pri- vacy (SP), pages 1287–1305. IEEE, 2024

  64. [64]

    R-gap: Re- cursive gradient attack on privacy.arXiv preprint arXiv:2010.07733, 2020

    Junyi Zhu and Matthew Blaschko. R-gap: Re- cursive gradient attack on privacy.arXiv preprint arXiv:2010.07733, 2020

  65. [65]

    Deep leakage from gradients.Advances in neural information pro- cessing systems, 32, 2019

    Ligeng Zhu, Zhijian Liu, and Song Han. Deep leakage from gradients.Advances in neural information pro- cessing systems, 32, 2019

  66. [66]

    Counter-interference adapter for multilingual machine translation.arXiv preprint arXiv:2104.08154, 2021

Appendix A. Adam Optimizer

The Adam optimizer is an adaptive stochastic optimization algorithm that maintains exponential moving averages of both the first- and second-order mo...