MoPe: Model Perturbation-based Privacy Attacks on Language Models
This addresses privacy risks in LLMs by providing a more effective attack method, though it is incremental as it builds on prior perturbation-based approaches.
The paper tackles the problem of identifying whether specific text is in the training data of language models by proposing MoPe, a model perturbation-based method that outperforms existing attacks across models from 70M to 12B parameters, showing that loss alone is insufficient to determine extractability.
Recent work has shown that Large Language Models (LLMs) can unintentionally leak sensitive information present in their training data. In this paper, we present Model Perturbations (MoPe), a new method to identify with high confidence if a given text is in the training data of a pre-trained language model, given white-box access to the models parameters. MoPe adds noise to the model in parameter space and measures the drop in log-likelihood at a given point $x$, a statistic we show approximates the trace of the Hessian matrix with respect to model parameters. Across language models ranging from $70$M to $12$B parameters, we show that MoPe is more effective than existing loss-based attacks and recently proposed perturbation-based methods. We also examine the role of training point order and model size in attack success, and empirically demonstrate that MoPe accurately approximate the trace of the Hessian in practice. Our results show that the loss of a point alone is insufficient to determine extractability -- there are training points we can recover using our method that have average loss. This casts some doubt on prior works that use the loss of a point as evidence of memorization or unlearning.