pith. sign in

arxiv: 2305.18462 · v2 · pith:SUR23AOOnew · submitted 2023-05-29 · 💻 cs.CL · cs.CR· cs.LG

Membership Inference Attacks against Language Models via Neighbourhood Comparison

classification 💻 cs.CL cs.CRcs.LG
keywords attacksdatamodelmodelstrainingdistributionreferencereference-based
0
0 comments X
read the original abstract

Membership Inference attacks (MIAs) aim to predict whether a data sample was present in the training data of a machine learning model or not, and are widely used for assessing the privacy risks of language models. Most existing attacks rely on the observation that models tend to assign higher probabilities to their training samples than non-training points. However, simple thresholding of the model score in isolation tends to lead to high false-positive rates as it does not account for the intrinsic complexity of a sample. Recent work has demonstrated that reference-based attacks which compare model scores to those obtained from a reference model trained on similar data can substantially improve the performance of MIAs. However, in order to train reference models, attacks of this kind make the strong and arguably unrealistic assumption that an adversary has access to samples closely resembling the original training data. Therefore, we investigate their performance in more realistic scenarios and find that they are highly fragile in relation to the data distribution used to train reference models. To investigate whether this fragility provides a layer of safety, we propose and evaluate neighbourhood attacks, which compare model scores for a given sample to scores of synthetically generated neighbour texts and therefore eliminate the need for access to the training data distribution. We show that, in addition to being competitive with reference-based attacks that have perfect knowledge about the training data distribution, our attack clearly outperforms existing reference-free attacks as well as reference-based attacks with imperfect knowledge, which demonstrates the need for a reevaluation of the threat model of adversarial attacks.

This paper has not been read by Pith yet.

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Forward citations

Cited by 8 Pith papers

Reviewed papers in the Pith corpus that reference this work. Sorted by Pith novelty score.

  1. MRMMIA: Membership Inference Attacks on Memory in Chat Agents

    cs.CR 2026-05 unverdicted novelty 7.0

    MRMMIA is a multi-recall-probe membership inference attack that extracts signals from chat agent memory and outperforms baselines in black-, gray-, and white-box settings.

  2. Revisiting Privacy Leakage in Machine Unlearning: Membership Inference Beyond the Forgotten Set

    cs.CR 2026-05 unverdicted novelty 7.0

    Unlearning increases privacy leakage for the retain set, and a new tri-class membership inference attack distinguishes forget, retain, and unseen data using pre- and post-unlearning model outputs.

  3. Revisiting Privacy Leakage in Machine Unlearning: Membership Inference Beyond the Forgotten Set

    cs.CR 2026-05 unverdicted novelty 7.0

    TC-UMIA is a population-level attack using pre- and post-unlearning predictions to infer membership across forget, retain, and unseen sets, revealing added privacy leakage to retained data.

  4. Agent Security Bench (ASB): Formalizing and Benchmarking Attacks and Defenses in LLM-based Agents

    cs.CR 2024-10 unverdicted novelty 7.0

    ASB is a new benchmark that tests 10 prompt injection attacks, memory poisoning, a novel Plan-of-Thought backdoor attack, and 11 defenses on LLM agents across 13 models, finding attack success rates up to 84.3% and li...

  5. Unveiling Privacy Risks in Multi-modal Large Language Models: Task-specific Vulnerabilities and Mitigation Challenges

    cs.CR 2026-06 unverdicted novelty 6.0

    Introduces MM-Privacy dataset and evaluations showing MLLMs leak sensitive data from images in various tasks, highlighting task inconsistency effects.

  6. Pretraining Data Exposure in Large Language Models: A Survey of Membership Inference, Data Contamination, and Security Implications

    cs.CL 2026-05 unverdicted novelty 6.0

    First unified survey formalizing Pretraining Data Exposure across exposure levels and reviewing attack, defense, and contamination methods for LLMs.

  7. Auditing Data Membership in Reinforcement Learning With Verifiable Rewards

    cs.CR 2025-11 unverdicted novelty 6.0

    DIBA detects membership of prompts in RLVR training by measuring reward success changes and policy behavioral drift between pre- and post-RLVR model checkpoints.

  8. Auditing Training Data in Domain-adapted LLMs: LoRA-MINT

    cs.CL 2026-06 unverdicted novelty 5.0

    LoRA-MINT uses perplexity to perform membership inference on LoRA-fine-tuned LLMs, reporting 0.77-0.92 precision across four models and three datasets while outperforming baselines.