Targeted Attack on GPT-Neo for the SATML Language Model Data Extraction Challenge
This work addresses privacy risks in language models by improving targeted extraction efficiency, though it is incremental as it builds on existing attack methods for a specific challenge.
The authors tackled the problem of targeted data extraction from language models, specifically applying a two-step attack to the SATML2023 challenge, achieving a 34% improvement in recall over the baseline with a score of 0.405 recall at a 10% false positive rate.
Previous work has shown that Large Language Models are susceptible to so-called data extraction attacks. This allows an attacker to extract a sample that was contained in the training data, which has massive privacy implications. The construction of data extraction attacks is challenging, current attacks are quite inefficient, and there exists a significant gap in the extraction capabilities of untargeted attacks and memorization. Thus, targeted attacks are proposed, which identify if a given sample from the training data, is extractable from a model. In this work, we apply a targeted data extraction attack to the SATML2023 Language Model Training Data Extraction Challenge. We apply a two-step approach. In the first step, we maximise the recall of the model and are able to extract the suffix for 69% of the samples. In the second step, we use a classifier-based Membership Inference Attack on the generations. Our AutoSklearn classifier achieves a precision of 0.841. The full approach reaches a score of 0.405 recall at a 10% false positive rate, which is an improvement of 34% over the baseline of 0.301.