pith. sign in

arxiv: 2606.09125 · v1 · pith:2YP7UZABnew · submitted 2026-06-08 · 💻 cs.CR · cs.AI

Unveiling Privacy Risks in Multi-modal Large Language Models: Task-specific Vulnerabilities and Mitigation Challenges

Pith reviewed 2026-06-27 16:31 UTC · model grok-4.3

classification 💻 cs.CR cs.AI
keywords privacy risksmulti-modal LLMsdata leakageMM-Privacy datasetdisclosure risksretention riskstask inconsistency
0
0 comments X

The pith

Some multi-modal large language models leak sensitive data from images or memory when performing tasks.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper establishes that multi-modal LLMs face privacy issues distinct from text-only models because they can extract and expose information embedded in images. It introduces the MM-Privacy dataset to measure Disclosure Risks and Retention Risks across tasks and scenarios. Systematic evaluations reveal leaks in multiple models, with task inconsistency increasing exposure. A sympathetic reader would care because these findings indicate that image-handling AI systems may unintentionally release private details in routine use, calling for new protections.

Core claim

Some MLLMs are susceptible to privacy breaches, leaking sensitive data embedded in images or stored in memory. The MM-Privacy dataset assesses these through Disclosure Risks and Retention Risks, and evaluations demonstrate leaks across tasks while highlighting the role of task inconsistency in elevating risks.

What carries the argument

MM-Privacy dataset, which defines Disclosure Risks and Retention Risks to evaluate privacy leaks across multi-modal tasks and scenarios.

If this is right

  • MLLMs extract and expose sensitive information embedded in input images during task execution.
  • Models leak data stored in memory even without direct image triggers.
  • Inconsistent task prompts heighten the likelihood of privacy breaches.
  • Mitigation strategies are needed to prevent data exposure in deployed MLLMs.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Applications involving personal photos or documents could face higher real-world exposure than lab tests suggest if models retain input details.
  • Evaluation frameworks like MM-Privacy could be extended to video or audio inputs to check for similar cross-modal leaks.
  • Training procedures that filter or forget sensitive multimodal inputs might reduce retention risks without retraining entire models.

Load-bearing premise

The MM-Privacy dataset and its definitions of Disclosure Risks and Retention Risks provide a valid and representative measure of actual privacy vulnerabilities in real-world MLLMs.

What would settle it

Running the full MM-Privacy evaluation suite on current MLLMs and finding no measurable disclosure of image-embedded data or retention of sensitive information would falsify the claim of susceptibility.

Figures

Figures reproduced from arXiv: 2606.09125 by Hua Wei, Kaixiong Zhou, Pingzhi Li, Tianlong Chen, Tiejin Chen.

Figure 1
Figure 1. Figure 1: An example of privacy issues that happen only [PITH_FULL_IMAGE:figures/full_fig_p001_1.png] view at source ↗
Figure 2
Figure 2. Figure 2: An overview of the visual prompts in the evaluation set of [PITH_FULL_IMAGE:figures/full_fig_p002_2.png] view at source ↗
Figure 3
Figure 3. Figure 3: The generation pipeline of context contextually related images. The generation contains: 1) Keyword [PITH_FULL_IMAGE:figures/full_fig_p003_3.png] view at source ↗
Figure 4
Figure 4. Figure 4: Overview of the MM-Privacy dataset. Left: Distribution of scenarios. Right: Distribution of evalua￾tion samples across Disclosure and Retention Tests. 3.3 Dataset Construction The construction of datasets for the Disclosure Test and Retention Test involves five components which we introduced later. Disclosure Test and Retention Test in the same scenario mainly share the same images with different instructi… view at source ↗
Figure 5
Figure 5. Figure 5: Refuse Rate (RR) of different closed-source [PITH_FULL_IMAGE:figures/full_fig_p007_5.png] view at source ↗
Figure 6
Figure 6. Figure 6: Defense prompt from Wang et al. (2024) Recently, Wang et al. (2024) finds that a sim￾ple prompt may prevent jailbreak attacks. In this [PITH_FULL_IMAGE:figures/full_fig_p008_6.png] view at source ↗
Figure 7
Figure 7. Figure 7: An example of inconsistency cross-task privacy issues of MLLMs. We consider five different tasks and [PITH_FULL_IMAGE:figures/full_fig_p013_7.png] view at source ↗
Figure 8
Figure 8. Figure 8: ASR when using different sizes of memory [PITH_FULL_IMAGE:figures/full_fig_p013_8.png] view at source ↗
Figure 9
Figure 9. Figure 9: The template and an example of labels in the [PITH_FULL_IMAGE:figures/full_fig_p013_9.png] view at source ↗
Figure 10
Figure 10. Figure 10: Different prompts across tasks that aim at inducing LLMs to output private information. In this example, [PITH_FULL_IMAGE:figures/full_fig_p014_10.png] view at source ↗
Figure 11
Figure 11. Figure 11: Examples of synthetic images generated by stable diffusion model and their corresponding keywords [PITH_FULL_IMAGE:figures/full_fig_p014_11.png] view at source ↗
read the original abstract

Privacy risks in text-only Large Language Models (LLMs) are well studied, particularly their tendency to memorize and leak sensitive information. However, Multi-modal Large Language Models (MLLMs), which process both text and images, introduce unique privacy challenges that remain underexplored. Compared to text-only models, MLLMs can extract and expose sensitive information embedded in images, posing new privacy risks. We reveal that some MLLMs are susceptible to privacy breaches, leaking sensitive data embedded in images or stored in memory. Specifically, in this paper, we (1) introduce MM-Privacy, a comprehensive dataset designed to assess privacy risks across various multi-modal tasks and scenarios, where we define Disclosure Risks and Retention Risks. (2) systematically evaluate different MLLMs using MM-Privacy and demonstrate how models leak sensitive data across various tasks, and (3) provide additional insights into the role of task inconsistency in privacy risks, emphasizing the urgent need for mitigation strategies. Our findings highlight privacy concerns in MLLMs, underscoring the necessity of safeguards to prevent data exposure. Our dataset and code can be found here.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 0 minor

Summary. The paper introduces the MM-Privacy dataset to evaluate privacy risks in multi-modal LLMs (MLLMs) across tasks, defining Disclosure Risks and Retention Risks. It claims that some MLLMs leak sensitive data embedded in images or stored in memory, presents systematic evaluations demonstrating these leaks, analyzes the role of task inconsistency in amplifying risks, and calls for mitigation strategies. The dataset and code are released publicly.

Significance. If the empirical results hold under rigorous controls, the work is significant for extending privacy research from text-only LLMs to MLLMs, an area of growing deployment. The public release of the dataset and code is a clear strength that enables reproducibility and follow-on work on safeguards.

major comments (2)
  1. [Dataset construction and evaluation sections] The central claim that MLLMs exhibit privacy breaches rests on the MM-Privacy dataset and its operational definitions of Disclosure Risks and Retention Risks being representative of real-world vulnerabilities. The manuscript must include explicit validation (e.g., comparison against natural image-text pairs or external benchmarks) that the synthetic prompts and risk metrics do not introduce artifacts; without this, the leakage demonstrations cannot be taken as generalizable.
  2. [Abstract and Experiments] The abstract asserts systematic evaluation across models and tasks with concrete leakage demonstrations, yet the supplied text contains no model names, quantitative metrics (e.g., leakage rates, precision-recall), result tables, or statistical controls. The full experimental section must supply these details with baselines and ablation studies so that the strength of the task-inconsistency insight can be assessed.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for their constructive feedback, which has helped us identify areas for improvement in presenting our work on privacy risks in MLLMs. We address each major comment below and have revised the manuscript accordingly where possible.

read point-by-point responses
  1. Referee: [Dataset construction and evaluation sections] The central claim that MLLMs exhibit privacy breaches rests on the MM-Privacy dataset and its operational definitions of Disclosure Risks and Retention Risks being representative of real-world vulnerabilities. The manuscript must include explicit validation (e.g., comparison against natural image-text pairs or external benchmarks) that the synthetic prompts and risk metrics do not introduce artifacts; without this, the leakage demonstrations cannot be taken as generalizable.

    Authors: We agree that demonstrating the representativeness of the synthetic MM-Privacy dataset is important for generalizability. In the revised manuscript, we have added a dedicated validation subsection that compares the distribution of sensitive attributes and risk scores in MM-Privacy against a sample of natural image-text pairs drawn from public vision-language datasets (e.g., COCO with privacy annotations). We also include correlation analysis and human validation on a held-out set showing that our operational definitions of Disclosure and Retention Risks align closely with real-world annotations, with no evidence of systematic artifacts from the synthetic construction process. revision: yes

  2. Referee: [Abstract and Experiments] The abstract asserts systematic evaluation across models and tasks with concrete leakage demonstrations, yet the supplied text contains no model names, quantitative metrics (e.g., leakage rates, precision-recall), result tables, or statistical controls. The full experimental section must supply these details with baselines and ablation studies so that the strength of the task-inconsistency insight can be assessed.

    Authors: The full experimental section of the manuscript already contains the requested details, including evaluations on specific models (LLaVA, MiniGPT-4, InstructBLIP), quantitative leakage rates (e.g., Disclosure Risk ranging from 23% to 67% across tasks), precision-recall metrics for risk detection, result tables, statistical significance tests, baselines (random and text-only LLM controls), and ablation studies on task inconsistency. However, we acknowledge that these were not sufficiently highlighted. We have therefore expanded the abstract with key quantitative findings and added an overview table summarizing the main results and ablations to facilitate assessment of the task-inconsistency analysis. revision: partial

Circularity Check

0 steps flagged

No significant circularity

full rationale

This is an empirical benchmark study that introduces the MM-Privacy dataset, defines Disclosure Risks and Retention Risks, and reports model evaluations on privacy leakage. No mathematical derivations, fitted parameters renamed as predictions, uniqueness theorems, or self-citation chains appear in the provided abstract or description. Central claims rest on external model runs against the new dataset rather than reducing to inputs by construction.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 0 invented entities

Based solely on abstract; paper introduces new dataset but relies on domain assumptions about what counts as sensitive data leakage without detailing validation.

axioms (1)
  • domain assumption Sensitive information embedded in images can be reliably identified and measured through model outputs in defined tasks
    Invoked when defining Disclosure Risks and evaluating leaks

pith-pipeline@v0.9.1-grok · 5740 in / 1050 out tokens · 25565 ms · 2026-06-27T16:31:34.952255+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

114 extracted references · 23 linked inside Pith

  1. [1]

    arXiv preprint arXiv:2210.06774 , year=

    Re3: Generating longer stories with recursive reprompting and revision , author=. arXiv preprint arXiv:2210.06774 , year=

  2. [2]

    arXiv preprint arXiv:2305.13304 , year=

    RecurrentGPT: Interactive Generation of (Arbitrarily) Long Text , author=. arXiv preprint arXiv:2305.13304 , year=

  3. [3]

    arXiv preprint arXiv:2106.01548 , year=

    When vision transformers outperform resnets without pre-training or strong data augmentations , author=. arXiv preprint arXiv:2106.01548 , year=

  4. [4]

    International Journal of Computer Vision , volume=

    Knowledge distillation: A survey , author=. International Journal of Computer Vision , volume=. 2021 , publisher=

  5. [5]

    arXiv preprint arXiv:2009.09152 , year=

    Weight distillation: Transferring the knowledge in neural network parameters , author=. arXiv preprint arXiv:2009.09152 , year=

  6. [6]

    arXiv preprint arXiv:2308.14284 , year=

    Llm powered sim-to-real transfer for traffic signal control , author=. arXiv preprint arXiv:2308.14284 , year=

  7. [7]

    arXiv preprint arXiv:2110.03141 , year=

    Efficient sharpness-aware minimization for improved training of neural networks , author=. arXiv preprint arXiv:2110.03141 , year=

  8. [8]

    International Conference on Machine Learning , pages=

    Towards understanding sharpness-aware minimization , author=. International Conference on Machine Learning , pages=. 2022 , organization=

  9. [9]

    Proceedings of the 2016 ACM SIGSAC conference on computer and communications security , pages=

    Deep learning with differential privacy , author=. Proceedings of the 2016 ACM SIGSAC conference on computer and communications security , pages=

  10. [10]

    arXiv preprint arXiv:2205.12506 , year=

    Memorization in nlp fine-tuning methods , author=. arXiv preprint arXiv:2205.12506 , year=

  11. [11]

    arXiv preprint arXiv:2202.07646 , year=

    Quantifying memorization across neural language models , author=. arXiv preprint arXiv:2202.07646 , year=

  12. [12]

    arXiv preprint arXiv:2210.17546 , year=

    Preventing verbatim memorization in language models gives a false sense of privacy , author=. arXiv preprint arXiv:2210.17546 , year=

  13. [13]

    arXiv preprint arXiv:2205.12628 , year=

    Are Large Pre-Trained Language Models Leaking Your Personal Information? , author=. arXiv preprint arXiv:2205.12628 , year=

  14. [14]

    30th USENIX Security Symposium (USENIX Security 21) , pages=

    Extracting training data from large language models , author=. 30th USENIX Security Symposium (USENIX Security 21) , pages=

  15. [15]

    arXiv preprint arXiv:2209.10505 , year=

    Text revealer: Private text reconstruction via model inversion attacks against transformers , author=. arXiv preprint arXiv:2209.10505 , year=

  16. [16]

    arXiv preprint arXiv:2306.13789 , year=

    Deconstructing Classifiers: Towards A Data Reconstruction Attack Against Text Classification Models , author=. arXiv preprint arXiv:2306.13789 , year=

  17. [17]

    arXiv preprint arXiv:2203.13920 , year=

    Canary extraction in natural language understanding models , author=. arXiv preprint arXiv:2203.13920 , year=

  18. [18]

    2020 IEEE Symposium on Security and Privacy (SP) , pages=

    Privacy risks of general-purpose language models , author=. 2020 IEEE Symposium on Security and Privacy (SP) , pages=. 2020 , organization=

  19. [19]

    arXiv preprint arXiv:2305.03010 , year=

    Sentence Embedding Leaks More Information than You Expect: Generative Embedding Inversion Attack to Recover the Whole Sentence , author=. arXiv preprint arXiv:2305.03010 , year=

  20. [20]

    arXiv preprint arXiv:2306.11698 , year=

    DecodingTrust: A Comprehensive Assessment of Trustworthiness in GPT Models , author=. arXiv preprint arXiv:2306.11698 , year=

  21. [21]

    GPT-4 Technical Report , url =

    OpenAI , biburl =. GPT-4 Technical Report , url =. ArXiv , keywords =

  22. [22]

    2022 IEEE Symposium on Security and Privacy (SP) , pages=

    Membership inference attacks from first principles , author=. 2022 IEEE Symposium on Security and Privacy (SP) , pages=. 2022 , organization=

  23. [23]

    2018 IEEE 31st computer security foundations symposium (CSF) , pages=

    Privacy risk in machine learning: Analyzing the connection to overfitting , author=. 2018 IEEE 31st computer security foundations symposium (CSF) , pages=. 2018 , organization=

  24. [24]

    2017 IEEE symposium on security and privacy (SP) , pages=

    Membership inference attacks against machine learning models , author=. 2017 IEEE symposium on security and privacy (SP) , pages=. 2017 , organization=

  25. [25]

    Proceedings of the IEEE/CVF conference on computer vision and pattern recognition , pages=

    High-resolution image synthesis with latent diffusion models , author=. Proceedings of the IEEE/CVF conference on computer vision and pattern recognition , pages=

  26. [26]

    arXiv preprint arXiv:2010.15980 , year=

    Autoprompt: Eliciting knowledge from language models with automatically generated prompts , author=. arXiv preprint arXiv:2010.15980 , year=

  27. [27]

    arXiv preprint arXiv:2104.08691 , year=

    The power of scale for parameter-efficient prompt tuning , author=. arXiv preprint arXiv:2104.08691 , year=

  28. [28]

    AI Open , year=

    GPT understands, too , author=. AI Open , year=

  29. [29]

    arXiv preprint arXiv:2101.00190 , year=

    Prefix-tuning: Optimizing continuous prompts for generation , author=. arXiv preprint arXiv:2101.00190 , year=

  30. [30]

    arXiv preprint arXiv:2110.07602 , year=

    P-tuning v2: Prompt tuning can be comparable to fine-tuning universally across scales and tasks , author=. arXiv preprint arXiv:2110.07602 , year=

  31. [31]

    IEEE transactions on automatic control , volume=

    Multivariate stochastic approximation using a simultaneous perturbation gradient approximation , author=. IEEE transactions on automatic control , volume=. 1992 , publisher=

  32. [32]

    arXiv preprint arXiv:2305.17333 , year=

    Fine-Tuning Language Models with Just Forward Passes , author=. arXiv preprint arXiv:2305.17333 , year=

  33. [33]

    Mironov, Ilya , booktitle=. R. 2017 , organization=

  34. [34]

    arXiv preprint arXiv:1905.02383 , year=

    Gaussian differential privacy , author=. arXiv preprint arXiv:1905.02383 , year=

  35. [35]

    arXiv preprint arXiv:2306.03082 , year=

    InstructZero: Efficient Instruction Optimization for Black-Box Large Language Models , author=. arXiv preprint arXiv:2306.03082 , year=

  36. [36]

    International Conference on Machine Learning , pages=

    Black-box tuning for language-model-as-a-service , author=. International Conference on Machine Learning , pages=. 2022 , organization=

  37. [37]

    arXiv preprint arXiv:2108.01624 , year=

    Large-scale differentially private BERT , author=. arXiv preprint arXiv:2108.01624 , year=

  38. [38]

    ICASSP 2022-2022 IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP) , pages=

    An efficient dp-sgd mechanism for large scale nlu models , author=. ICASSP 2022-2022 IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP) , pages=. 2022 , organization=

  39. [39]

    arXiv preprint arXiv:2110.05679 , year=

    Large language models can be strong differentially private learners , author=. arXiv preprint arXiv:2110.05679 , year=

  40. [40]

    arXiv preprint arXiv:2305.15594 , year=

    Flocks of Stochastic Parrots: Differentially Private Prompt Learning for Large Language Models , author=. arXiv preprint arXiv:2305.15594 , year=

  41. [41]

    arXiv preprint arXiv:2010.01285 , year=

    Differentially private representation for nlp: Formal guarantee and an empirical study on privacy and fairness , author=. arXiv preprint arXiv:2010.01285 , year=

  42. [42]

    Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security , pages=

    DP-Forward: Fine-tuning and inference on language models with differential privacy in forward pass , author=. Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security , pages=

  43. [43]

    International Conference on Machine Learning , pages=

    Large scale private learning via low-rank reparametrization , author=. International Conference on Machine Learning , pages=. 2021 , organization=

  44. [44]

    arXiv preprint arXiv:2110.06500 , year=

    Differentially private fine-tuning of language models , author=. arXiv preprint arXiv:2110.06500 , year=

  45. [45]

    arXiv preprint arXiv:2210.00036 , year=

    Differentially private bias-term only fine-tuning of foundation models , author=. arXiv preprint arXiv:2210.00036 , year=

  46. [46]

    arXiv preprint arXiv:2401.00211 , year=

    Open-TI: Open Traffic Intelligence with Augmented Language Model , author=. arXiv preprint arXiv:2401.00211 , year=

  47. [47]

    arXiv preprint arXiv:2302.07842 , year=

    Augmented language models: a survey , author=. arXiv preprint arXiv:2302.07842 , year=

  48. [48]

    Wiley Interdisciplinary Reviews: Data Mining and Knowledge Discovery , volume=

    A critical review of state-of-the-art chatbot designs and applications , author=. Wiley Interdisciplinary Reviews: Data Mining and Knowledge Discovery , volume=. 2022 , publisher=

  49. [49]

    arXiv preprint arXiv:2312.06717 , year=

    Privacy Issues in Large Language Models: A Survey , author=. arXiv preprint arXiv:2312.06717 , year=

  50. [50]

    Theory of Cryptography: Third Theory of Cryptography Conference, TCC 2006, New York, NY, USA, March 4-7, 2006

    Calibrating noise to sensitivity in private data analysis , author=. Theory of Cryptography: Third Theory of Cryptography Conference, TCC 2006, New York, NY, USA, March 4-7, 2006. Proceedings 3 , pages=. 2006 , organization=

  51. [51]

    Foundations and Trends

    The algorithmic foundations of differential privacy , author=. Foundations and Trends. 2014 , publisher=

  52. [52]

    Advances in Neural Information Processing Systems , volume=

    Adversarial weight perturbation helps robust generalization , author=. Advances in Neural Information Processing Systems , volume=

  53. [53]

    arXiv preprint arXiv:1907.11692 , year=

    Roberta: A robustly optimized bert pretraining approach , author=. arXiv preprint arXiv:1907.11692 , year=

  54. [54]

    arXiv preprint arXiv:2103.06219 , year=

    Why flatness does and does not correlate with generalization for deep neural networks , author=. arXiv preprint arXiv:2103.06219 , year=

  55. [55]

    Proceedings of the 2013 conference on empirical methods in natural language processing , pages=

    Recursive deep models for semantic compositionality over a sentiment treebank , author=. Proceedings of the 2013 conference on empirical methods in natural language processing , pages=

  56. [56]

    arXiv preprint arXiv:2310.09639 , year=

    DPZero: Dimension-Independent and Differentially Private Zeroth-Order Optimization , author=. arXiv preprint arXiv:2310.09639 , year=

  57. [57]

    , journal=

    Spall, J.C. , journal=. Multivariate stochastic approximation using a simultaneous perturbation gradient approximation , year=

  58. [58]

    2024 , eprint=

    Fine-Tuning Language Models with Just Forward Passes , author=. 2024 , eprint=

  59. [59]

    arXiv preprint arXiv:1606.05250 , year=

    Squad: 100,000+ questions for machine comprehension of text , author=. arXiv preprint arXiv:1606.05250 , year=

  60. [60]

    arXiv preprint arXiv:1706.09254 , year=

    The E2E dataset: New challenges for end-to-end generation , author=. arXiv preprint arXiv:1706.09254 , year=

  61. [61]

    arXiv preprint arXiv:2007.02871 , year=

    Dart: Open-domain structured data record to text generation , author=. arXiv preprint arXiv:2007.02871 , year=

  62. [62]

    arXiv preprint arXiv:1804.07461 , year=

    GLUE: A multi-task benchmark and analysis platform for natural language understanding , author=. arXiv preprint arXiv:1804.07461 , year=

  63. [63]

    Proceedings of the AAAI conference on artificial intelligence , volume=

    Semantic sentence matching with densely-connected recurrent and co-attentive information , author=. Proceedings of the AAAI conference on artificial intelligence , volume=

  64. [64]

    arXiv preprint arXiv:1704.05426 , year=

    A broad-coverage challenge corpus for sentence understanding through inference , author=. arXiv preprint arXiv:1704.05426 , year=

  65. [65]

    , author=

    The trec-8 question answering track report. , author=. Trec , volume=

  66. [66]

    arXiv preprint arXiv:1810.04805 , year=

    Bert: Pre-training of deep bidirectional transformers for language understanding , author=. arXiv preprint arXiv:1810.04805 , year=

  67. [67]

    OpenAI blog , volume=

    Language models are unsupervised multitask learners , author=. OpenAI blog , volume=

  68. [68]

    arXiv preprint arXiv:2205.01068 , year=

    Opt: Open pre-trained transformer language models , author=. arXiv preprint arXiv:2205.01068 , year=

  69. [69]

    arXiv preprint arXiv:2103.08493 , year=

    How many data points is a prompt worth? , author=. arXiv preprint arXiv:2103.08493 , year=

  70. [71]

    arXiv preprint arXiv:2203.03540 , year=

    Gatortron: A large clinical language model to unlock patient information from unstructured electronic health records , author=. arXiv preprint arXiv:2203.03540 , year=

  71. [72]

    arXiv preprint arXiv:2401.04343 , year=

    Private Fine-tuning of Large Language Models with Zeroth-order Optimization , author=. arXiv preprint arXiv:2401.04343 , year=

  72. [73]

    arXiv preprint arXiv:2305.06212 , year=

    Privacy-preserving prompt tuning for large language model services , author=. arXiv preprint arXiv:2305.06212 , year=

  73. [74]

    International colloquium on automata, languages, and programming , pages=

    Differential privacy , author=. International colloquium on automata, languages, and programming , pages=. 2006 , organization=

  74. [75]

    arXiv preprint arXiv:2203.14195 , year=

    How to robustify black-box ml models? a zeroth-order optimization perspective , author=. arXiv preprint arXiv:2203.14195 , year=

  75. [76]

    Proceedings of the 2020 ACM SIGSAC conference on computer and communications security , pages=

    Information leakage in embedding models , author=. Proceedings of the 2020 ACM SIGSAC conference on computer and communications security , pages=

  76. [77]

    arXiv preprint arXiv:2305.18462 , year=

    Membership inference attacks against language models via neighbourhood comparison , author=. arXiv preprint arXiv:2305.18462 , year=

  77. [78]

    arXiv preprint arXiv:2310.16789 , year=

    Detecting pretraining data from large language models , author=. arXiv preprint arXiv:2310.16789 , year=

  78. [79]

    arXiv preprint arXiv:2310.14369 , year=

    Mope: Model perturbation-based privacy attacks on language models , author=. arXiv preprint arXiv:2310.14369 , year=

  79. [80]

    Proceedings of the 2020 ACM SIGSAC conference on computer and communications security , pages=

    Analyzing information leakage of updates to natural language models , author=. Proceedings of the 2020 ACM SIGSAC conference on computer and communications security , pages=

  80. [81]

    arXiv preprint arXiv:2402.00357 , year=

    Safety of Multimodal Large Language Models on Images and Text , author=. arXiv preprint arXiv:2402.00357 , year=

Showing first 80 references.