Memorization in NLP Fine-tuning Methods
This addresses privacy concerns for users and developers in the widely adopted 'pre-train and fine-tune' paradigm, though it is incremental as it builds on existing memorization studies.
The paper investigates how different fine-tuning methods in NLP models vary in their susceptibility to memorization risks, finding that fine-tuning the model head is most vulnerable to attacks, while using smaller adapters is less susceptible.
Large language models are shown to present privacy risks through memorization of training data, and several recent works have studied such risks for the pre-training phase. Little attention, however, has been given to the fine-tuning phase and it is not well understood how different fine-tuning methods (such as fine-tuning the full model, the model head, and adapter) compare in terms of memorization risk. This presents increasing concern as the "pre-train and fine-tune" paradigm proliferates. In this paper, we empirically study memorization of fine-tuning methods using membership inference and extraction attacks, and show that their susceptibility to attacks is very different. We observe that fine-tuning the head of the model has the highest susceptibility to attacks, whereas fine-tuning smaller adapters appears to be less vulnerable to known extraction attacks.