DocMIA: Document-Level Membership Inference Attacks against DocVQA Models
This work addresses privacy vulnerabilities for businesses using DocVQA models to automate document processing with sensitive information, though it is incremental as it adapts known attacks to a specific domain.
The authors tackled the problem of privacy risks in Document Visual Question Answering (DocVQA) models by introducing two novel membership inference attacks for white-box and black-box settings, which outperformed existing state-of-the-art attacks across various models and datasets.
Document Visual Question Answering (DocVQA) has introduced a new paradigm for end-to-end document understanding, and quickly became one of the standard benchmarks for multimodal LLMs. Automating document processing workflows, driven by DocVQA models, presents significant potential for many business sectors. However, documents tend to contain highly sensitive information, raising concerns about privacy risks associated with training such DocVQA models. One significant privacy vulnerability, exploited by the membership inference attack, is the possibility for an adversary to determine if a particular record was part of the model's training data. In this paper, we introduce two novel membership inference attacks tailored specifically to DocVQA models. These attacks are designed for two different adversarial scenarios: a white-box setting, where the attacker has full access to the model architecture and parameters, and a black-box setting, where only the model's outputs are available. Notably, our attacks assume the adversary lacks access to auxiliary datasets, which is more realistic in practice but also more challenging. Our unsupervised methods outperform existing state-of-the-art membership inference attacks across a variety of DocVQA models and datasets, demonstrating their effectiveness and highlighting the privacy risks in this domain.