pith. sign in

arxiv: 2606.09401 · v1 · pith:43TGKL6Inew · submitted 2026-06-08 · 💻 cs.LG · cs.CR

Benchmarking Empirical Privacy Protection for Adaptations of Large Language Models

Bart{\l}omiej Marek , Lorenzo Rossi , Vincent Hanke , Xun Wang , Michael Backes , Franziska Boenisch , Adam Dziedzic This is my paper

Pith reviewed 2026-06-27 17:12 UTC · model grok-4.3

classification 💻 cs.LG cs.CR
keywords differential privacylarge language modelsprivacy attacksdistribution shiftfine-tuningmembership inferencecanary extraction
0
0 comments X

The pith

The closer adaptation data is to an LLM's pretraining distribution, the higher its practical privacy risk under differential privacy.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper benchmarks how well differential privacy protects large language models during adaptation when the new data varies in similarity to what the model saw in pretraining. It applies state-of-the-art attacks to measure leakage across exact overlaps, in-distribution examples, and fully out-of-distribution cases. The central finding is that distribution closeness raises real-world privacy exposure even when the formal privacy budget stays fixed and there is no direct data overlap. Parameter-efficient methods such as LoRA show stronger empirical protection when data is out-of-distribution. The work also sketches a wider evaluation framework that looks at privacy across the entire pretrain-adapt-deploy pipeline.

Core claim

Distribution shifts strongly influence privacy vulnerability: the closer the adaptation data is to the pretraining distribution, the higher the practical privacy risk at the same theoretical guarantee, even without direct data overlap. Parameter-efficient fine-tuning methods such as LoRA achieve the highest empirical privacy protection for OOD data.

What carries the argument

Controlled variation of adaptation data distribution (exact overlap, IID, OOD) combined with robust membership inference and canary extraction attacks to measure leakage after DP adaptation.

If this is right

  • Practical privacy in DP LLM adaptation depends on how close the fine-tuning data is to pretraining data, not only on the privacy budget.
  • LoRA and similar parameter-efficient methods deliver better empirical protection than full fine-tuning when adaptation data is out-of-distribution.
  • Different adaptation methods and privacy regimes produce measurably different leakage under the same theoretical guarantee.
  • A structured assessment that covers the full pretrain-adapt pipeline is needed to catch risks that adaptation-only checks miss.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Privacy evaluations for deployed LLMs should routinely test adaptation sets against estimated pretraining distributions rather than assuming uniform risk.
  • If distribution closeness drives leakage, then techniques that deliberately push adaptation data further out-of-distribution could reduce risk without tightening the privacy budget.
  • The proposed holistic framework could be applied to measure whether post-adaptation quantization or deployment steps introduce additional leakage channels.

Load-bearing premise

The chosen attacks reliably detect the extra leakage caused by distribution closeness, and distribution shift is the main driver of that leakage beyond the formal privacy parameter.

What would settle it

An experiment in which membership inference or canary extraction success rates show no increase as adaptation data moves closer to the pretraining distribution at fixed privacy budgets.

Figures

Figures reproduced from arXiv: 2606.09401 by Adam Dziedzic, Bart{\l}omiej Marek, Franziska Boenisch, Lorenzo Rossi, Michael Backes, Vincent Hanke, Xun Wang.

Figure 1
Figure 1. Figure 1: Setup for Privacy Auditing of private LLM Adaptations. To assess leakage, we focus on the Robust Mem￾bership Inference Attack (RMIA) (Zarifzadeh et al., 2024), which represents the strongest state￾of-the-art threat model for auditing LLM pri￾vacy, and complement this with data extraction attacks (Tramer et al., 2022; Carlini et al., 2021; ` 2019) to evaluate more severe forms of informa￾tion leakage. For t… view at source ↗
Figure 2
Figure 2. Figure 2: IID data is more susceptible to leakage using the pretrained base model than OOD data. We compare the effectiveness of performing RMIA on fully fine-tuned Pythia 1B with ε = 8 with different pretrained models as reference models. 4.2 RQ2: WHICH DP ADAPTATION METHOD IS THE MOST PROTECTIVE? Motivation. It is known that the type of adaptation significantly impacts the utility of the final model (Zhu et al., 2… view at source ↗
Figure 3
Figure 3. Figure 3: Prefix tuning reduces the number of verbatim memorized samples, especially for small ε values. We show the result for Pythia 1B adapted on Bookcorpus2 val and SAMSum datasets with ε = {0.1, 1, 3, 8, 50, 100,∞}. We present the x-axis using a log scale. 4.6 RQ6: HOW DO PRIVACY-UTILITY TRADE-OFFS BEHAVE? Motivation. We also analyze the different empirical privacy-utility trade-offs that can be achieved by the… view at source ↗
Figure 4
Figure 4. Figure 4: Privacy-utility curves for the top perplexity-selected runs from the Pythia-1B hyper￾parameter search, shown for the chosen adaptation method, dataset, and privacy budget. 5 DISCUSSION OF OUR RESULTS Our findings reveal a complex interplay between pretraining and adaptation data. This significantly affects the privacy risks under DP adaptations. Below, we discuss the implications of these findings when ada… view at source ↗
Figure 5
Figure 5. Figure 5: Stages of Auditing. We analyze four stages of auditing: 1 Auditing Pretraining, 2 Auditing Adaptation, 3 Joint Auditing of Pre￾training and Adaptations, 4 Post-Adaptation Auditing of the Pretraining. 𝑆 𝐷 Pretraining Data S and 𝑆ሚ = S ∪ {𝑥} Adaptation Data D and 𝐷෩ = D ∪ {𝑥} Auditing for Pretrain-Adapt Paradigm for S, 𝐷, 𝑆ሚ, and 𝐷෩ Standard Auditing for 𝐷 vs 𝐷෩ 𝑆 𝐷෩ x 𝑆ሚ x 𝑆ሚ x 𝐷 𝐷෩ x Standard Auditing for … view at source ↗
Figure 7
Figure 7. Figure 7: Membership Inference for Adaptations over Various Privacy Regimes. We audit the adaptations on the same pretrained LLM. We present the AUC scores obtained with RMIA for the Pythia 1B model adapted on different datasets with ε ∈ {0.1, 1, 3, 5, 8, ∞} [PITH_FULL_IMAGE:figures/full_fig_p024_7.png] view at source ↗
Figure 8
Figure 8. Figure 8: Subset Size and Complexity. The effect of the pretraining data subsets’ size and complexity on the incurred privacy leakage from the corresponding LLM adaptations. We evaluate the leakage using AUC and the Pythia 1B adapted with ε = 8. C.6 COMPUTATIONAL COST ANALYSIS To provide practical guidance on the computational efficiency of different adaptation methods, similarly to (Hanke et al., 2024), we measured… view at source ↗
Figure 9
Figure 9. Figure 9: Overlap and IID data show the same amount of privacy leakage across training. The x-axis shows the difference between the initial pretrained loss and the evaluation loss. The y-axis represents the AUC score. We adapt Pythia 1B with ε = 8. 0 20 40 60 80 100 Sequence Length 2 3 4 5 6 7 8 Exposure Full fine-tune Head fine-tune LoRA Prefix (a) Adversarial prefix length = 10 0 20 40 60 80 100 Sequence Length 2 … view at source ↗
Figure 10
Figure 10. Figure 10: The privacy leakage comes mostly from the adversarial prefix and much less from the interaction between the prefix and the sample. We present the exposure when considering different lengths of canary prefixes after adapting Pythia 1B on Github Val. The evaluation was done for ε = ∞. D INFLUENCE OF THE ATTACKER’S KNOWLEDGE We can observe how impactful an attacker’s knowledge about the target model and its … view at source ↗
Figure 11
Figure 11. Figure 11: Using at least one shadow model is crucial for RMIA, particularly for differentially private adaptations. We present the AUC using RMIA with different types of shadow models after adapting Pythia 1B on Bookcorpus2 Val and SAMSum. The evaluation was done for ε = {8, ∞}. E LOSS VALUES E.1 INITIAL LOSS OF THE LLM [PITH_FULL_IMAGE:figures/full_fig_p033_11.png] view at source ↗
Figure 12
Figure 12. Figure 12: Further analysis of the effectiveness of RMIA with pretrained models as a reference model. As an extension of [PITH_FULL_IMAGE:figures/full_fig_p034_12.png] view at source ↗
Figure 13
Figure 13. Figure 13: The two ways to approximate the exposure are similar. The relation between the model exposure and sampling exposure. The p-value is related to the Pearson correlation test. G MEMORIZATION OF THE PRETRAINED MODEL [PITH_FULL_IMAGE:figures/full_fig_p037_13.png] view at source ↗
Figure 14
Figure 14. Figure 14: γ = 1 is a strong baseline. We present the AUC using RMIA with different types of values of γ after adapting Pythia 1B on SAMSum. The evaluation was done for ε = {8, ∞}. Furthermore, our holistic privacy auditing framework in the pretrain-adapt paradigm stands out by providing a comprehensive privacy assessment across the entire pipeline rather than isolated stages. Previous methods focus on the separated… view at source ↗
read the original abstract

Recent work has applied differential privacy (DP) to adapt large language models (LLMs) for sensitive applications, offering theoretical guarantees. However, its practical effectiveness remains unclear, partly due to LLM pretraining, where overlaps and interdependencies with adaptation data can undermine privacy despite DP efforts. To analyze this issue in practice, we investigate privacy risks under DP adaptations in LLMs using state-of-the-art attacks such as robust membership inference and canary data extraction. We benchmark these risks by systematically varying the adaptation data distribution, from exact overlaps with pretraining data, through in-distribution (IID) cases, to entirely out-of-distribution (OOD) examples. Additionally, we evaluate how different adaptation methods and different privacy regimes impact the vulnerability. Our results show that distribution shifts strongly influence privacy vulnerability: the closer the adaptation data is to the pretraining distribution, the higher the practical privacy risk at the same theoretical guarantee, even without direct data overlap. We find that parameter-efficient fine-tuning methods, such as LoRA, achieve the highest empirical privacy protection for OOD data. Our benchmark identifies key factors for achieving practical privacy in DP LLM adaptation, providing actionable insights for deploying customized models in sensitive settings. Looking forward, we propose a structured framework for holistic privacy assessment beyond adaptation privacy, to identify and evaluate risks across the full pretrain-adapt pipeline of LLMs.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 1 minor

Summary. The paper presents an empirical benchmarking study of privacy risks in differentially private (DP) adaptations of large language models. Using robust membership inference and canary data extraction attacks, it systematically varies adaptation data distributions (exact pretraining overlaps, IID, and OOD) while holding theoretical DP guarantees fixed, and also examines adaptation methods (e.g., LoRA) and privacy regimes. The central claim is that closer proximity of adaptation data to the pretraining distribution increases practical privacy leakage even without direct overlap, with LoRA providing the strongest empirical protection for OOD cases; a framework for holistic pretrain-adapt privacy assessment is proposed.

Significance. If the empirical patterns hold after full verification of methods and statistics, the work would be significant for sensitive LLM deployments: it demonstrates that theoretical DP epsilon is insufficient to predict practical risk and identifies distribution shift as a key modulator, offering concrete guidance on method choice (e.g., LoRA for OOD) and motivating broader pipeline-level privacy evaluation beyond adaptation alone.

major comments (2)
  1. [Abstract / Experimental Setup] Abstract and experimental design: the distribution-shift claim rests on the attacks surfacing genuine residual leakage rather than artifacts, yet the provided description lacks full attack implementations, data-overlap quantification, controls for adaptation hyperparameters (step count, LoRA rank), and statistical tests; these details are load-bearing for substantiating that proximity to pretraining increases empirical risk at fixed epsilon.
  2. [Results] Results reporting: directional trends are noted but without raw success rates, confidence intervals, or ablation on whether varying distribution is the dominant factor (vs. other confounders), the cross-distribution comparison cannot yet be treated as conclusive evidence.
minor comments (1)
  1. [Conclusion] The proposed holistic privacy framework is mentioned only at a high level; a concrete outline or pseudocode would improve actionability.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive feedback on our empirical benchmarking of privacy risks in DP-adapted LLMs. We agree that greater transparency in attack details, data quantification, hyperparameter controls, statistical tests, and raw results reporting is needed to substantiate the distribution-shift claims. We will revise the manuscript to incorporate these elements.

read point-by-point responses

  1. Referee: [Abstract / Experimental Setup] Abstract and experimental design: the distribution-shift claim rests on the attacks surfacing genuine residual leakage rather than artifacts, yet the provided description lacks full attack implementations, data-overlap quantification, controls for adaptation hyperparameters (step count, LoRA rank), and statistical tests; these details are load-bearing for substantiating that proximity to pretraining increases empirical risk at fixed epsilon.

    Authors: We appreciate this observation. The manuscript describes the membership inference attack (loss-based with shadow models) and canary extraction (perplexity ranking), but we will expand the experimental setup with: full pseudocode in an appendix; quantitative overlap metrics (token Jaccard and 5-gram overlap between adaptation and pretraining sets); fixed controls (adaptation steps=5000, LoRA rank=8, same optimizer across all distribution variants); and paired t-tests with p-values on success rates. These additions will confirm the leakage differences arise from distribution proximity at fixed ε rather than implementation artifacts. revision: yes

  2. Referee: [Results] Results reporting: directional trends are noted but without raw success rates, confidence intervals, or ablation on whether varying distribution is the dominant factor (vs. other confounders), the cross-distribution comparison cannot yet be treated as conclusive evidence.

    Authors: We agree the current presentation focuses on trends. The revision will add tables reporting raw rates (MIA AUC/precision, canary extraction fraction), 95% bootstrap confidence intervals, and an ablation holding model, ε, steps, and rank fixed while varying only distribution (exact overlap vs. IID vs. OOD). This isolates distribution shift as the primary factor and strengthens the cross-distribution evidence. revision: yes

Circularity Check

0 steps flagged

No significant circularity

full rationale

The paper is an empirical benchmarking study that evaluates privacy risks in DP-adapted LLMs by running membership inference and canary extraction attacks across controlled variations in adaptation data distribution (exact overlap, IID, OOD) while holding the theoretical DP guarantee fixed. No mathematical derivations, fitted parameters renamed as predictions, or load-bearing self-citations appear in the abstract or described experimental design; the central claim follows directly from the attack outcomes on the adapted models rather than reducing to any input quantity by construction. The work is self-contained against external benchmarks.

Axiom & Free-Parameter Ledger

0 free parameters · 2 axioms · 0 invented entities

The paper is an empirical benchmarking study that rests on established differential privacy definitions and attack methodologies from the literature. No new free parameters are introduced to support the central claim, and no new entities are postulated.

axioms (2)
  • domain assumption Differential privacy mechanisms applied during adaptation provide a quantifiable theoretical privacy guarantee that can be probed by membership inference and extraction attacks.
    The entire benchmarking exercise presupposes that these attacks are valid probes of the remaining privacy after DP adaptation.
  • domain assumption The pretraining distribution of the base LLM is fixed and known enough to allow controlled construction of adaptation datasets at varying distances from it.
    The experimental axis of distribution shift requires the ability to measure and control similarity to pretraining data.

pith-pipeline@v0.9.1-grok · 5791 in / 1509 out tokens · 39436 ms · 2026-06-27T17:12:19.342959+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

299 extracted references · 26 canonical work pages · 3 internal anchors

  1. [1]

    Scaling Learning Algorithms Towards

    Bengio, Yoshua and LeCun, Yann , booktitle =. Scaling Learning Algorithms Towards

  2. [2]

    and Osindero, Simon and Teh, Yee Whye , journal =

    Hinton, Geoffrey E. and Osindero, Simon and Teh, Yee Whye , journal =. A Fast Learning Algorithm for Deep Belief Nets , volume =

  3. [3]

    2016 , publisher=

    Deep learning , author=. 2016 , publisher=

    2016

  4. [4]

    2024 , eprint=

    Gemma 2: Improving Open Language Models at a Practical Size , author=. 2024 , eprint=

    2024

  5. [5]

    arXiv preprint arXiv:2507.06261 , year=

    Gemini 2.5: Pushing the frontier with advanced reasoning, multimodality, long context, and next generation agentic capabilities , author=. arXiv preprint arXiv:2507.06261 , year=

    Pith/arXiv arXiv

  6. [6]

    arXiv preprint arXiv:2303.08774 , year=

    Gpt-4 technical report , author=. arXiv preprint arXiv:2303.08774 , year=

    Pith/arXiv arXiv

  7. [7]

    2024 , eprint=

    The Llama 3 Herd of Models , author=. 2024 , eprint=

    2024

  8. [8]

    2024 , eprint=

    2 OLMo 2 Furious , author=. 2024 , eprint=

    2024

  9. [9]

    Preprint , year=

    OLMo: Accelerating the Science of Language Models , author=. Preprint , year=

  10. [10]

    PrivAuditor: Benchmarking Data Protection Vulnerabilities in LLM Adaptation Techniques , url =

    Zhu, Derui and Chen, Dingfan and Wu, Xiongfei and Geng, Jiahui and Li, Zhuo and Grossklags, Jens and Ma, Lei , booktitle =. PrivAuditor: Benchmarking Data Protection Vulnerabilities in LLM Adaptation Techniques , url =

  11. [11]

    2021 , eprint=

    Bad Characters: Imperceptible NLP Attacks , author=. 2021 , eprint=

    2021

  12. [12]

    2024 , eprint=

    Detecting Pretraining Data from Large Language Models , author=. 2024 , eprint=

    2024

  13. [13]

    32nd USENIX Security Symposium (USENIX Security 23) , pages=

    Extracting training data from diffusion models , author=. 32nd USENIX Security Symposium (USENIX Security 23) , pages=

  14. [14]

    Proceedings of the 41st International Conference on Machine Learning , pages =

    Position: Considerations for Differentially Private Learning with Large-Scale Public Pretraining , author =. Proceedings of the 41st International Conference on Machine Learning , pages =. 2024 , editor =

    2024

  15. [15]

    Gaussian Mixture Models

    Reynolds, Douglas. Gaussian Mixture Models. Encyclopedia of Biometrics. 2009. doi:10.1007/978-0-387-73003-5_196

    work page doi:10.1007/978-0-387-73003-5_196 2009

  16. [16]

    Algorithmic Learning Theory , publisher =

    Learning with Deep Cascades , isbn =. Algorithmic Learning Theory , publisher =. doi:10.1007/978-3-319-24486-0_17 , series =

    work page doi:10.1007/978-3-319-24486-0_17

  17. [17]

    Koltchinskii and D

    V. Koltchinskii and D. Panchenko , title =. The Annals of Statistics , number =. 2002 , doi =

    2002

  18. [18]

    Performance Measures for Neyman–Pearson Classification , volume =

    Scott, Clayton , date =. Performance Measures for Neyman–Pearson Classification , volume =. doi:10.1109/TIT.2007.901152 , abstract =

    work page doi:10.1109/tit.2007.901152 2007

  19. [19]

    arXiv preprint arXiv:1606.06565 , year=

    Concrete problems in AI safety , author=. arXiv preprint arXiv:1606.06565 , year=

    Pith/arXiv arXiv

  20. [20]

    arXiv preprint arXiv:1807.01697 , year=

    Benchmarking neural network robustness to common corruptions and surface variations , author=. arXiv preprint arXiv:1807.01697 , year=

    Pith/arXiv arXiv

  21. [21]

    arXiv preprint arXiv:1901.10513 , year=

    Adversarial examples are a natural consequence of test error in noise , author=. arXiv preprint arXiv:1901.10513 , year=

    Pith/arXiv arXiv 1901

  22. [22]

    Advances in Neural Information Processing Systems , volume=

    Failing loudly: An empirical study of methods for detecting dataset shift , author=. Advances in Neural Information Processing Systems , volume=

  23. [23]

    Learning with Rejection , volume =

    Cortes, Corinna and. Learning with Rejection , volume =. Algorithmic Learning Theory , publisher =. doi:10.1007/978-3-319-46379-7_5 , note =

    work page doi:10.1007/978-3-319-46379-7_5

  24. [24]

    2024 , note =

    GPT-Image-1 , author =. 2024 , note =

    2024

  25. [25]

    and Nowak, R

    Scott, C. and Nowak, R. , date =. A Neyman-Pearson approach to statistical learning , volume =. doi:10.1109/TIT.2005.856955 , abstract =

    work page doi:10.1109/tit.2005.856955 2005

  26. [26]

    Beyond Perturbations: Learning Guarantees with Arbitrary Adversarial Test Examples , url =

    Goldwasser, Shafi and Kalai, Adam Tauman and Kalai, Yael and Montasser, Omar , booktitle =. Beyond Perturbations: Learning Guarantees with Arbitrary Adversarial Test Examples , url =

  27. [27]

    2019 , eprint=

    Combining p-values via averaging , author=. 2019 , eprint=

    2019

  28. [28]

    International Conference on Learning Representations , year=

    Towards Deep Learning Models Resistant to Adversarial Attacks , author=. International Conference on Learning Representations , year=

  29. [29]

    Fleet , title =

    Sara Sabour and Yanshuai Cao and Fartash Faghri and David J. Fleet , title =. 4th International Conference on Learning Representations,. 2016 , url =

    2016

  30. [30]

    International Conference on Machine Learning , pages=

    On calibration of modern neural networks , author=. International Conference on Machine Learning , pages=. 2017 , organization=

    2017

  31. [31]

    international conference on machine learning , pages=

    Dropout as a bayesian approximation: Representing model uncertainty in deep learning , author=. international conference on machine learning , pages=. 2016 , organization=

    2016

  32. [32]

    International Conference on Machine Learning , pages=

    Weight uncertainty in neural network , author=. International Conference on Machine Learning , pages=. 2015 , organization=

    2015

  33. [33]

    International Conference on Learning Representations , year=

    DEBERTA: DECODING-ENHANCED BERT WITH DISENTANGLED ATTENTION , author=. International Conference on Learning Representations , year=

  34. [34]

    arXiv preprint arXiv:2402.12819 , year=

    Fine-Tuning, Prompting, In-Context Learning and Instruction-Tuning: How Many Labelled Samples Do We Need? , author=. arXiv preprint arXiv:2402.12819 , year=

    arXiv

  35. [35]

    arXiv preprint arXiv:2310.10508 , year=

    Prompt Engineering or Fine Tuning: An Empirical Assessment of Large Language Models in Automated Software Engineering Tasks , author=. arXiv preprint arXiv:2310.10508 , year=

    arXiv

  36. [36]

    Advances in neural information processing systems , volume=

    Language models are few-shot learners , author=. Advances in neural information processing systems , volume=

  37. [37]

    University of Cambridge , volume=

    Uncertainty in deep learning , author=. University of Cambridge , volume=

  38. [38]

    arXiv preprint arXiv:1612.01474 , year=

    Simple and scalable predictive uncertainty estimation using deep ensembles , author=. arXiv preprint arXiv:1612.01474 , year=

    Pith/arXiv arXiv

  39. [39]

    2019 IEEE Security and Privacy Workshops (SPW) , pages=

    On the robustness of deep k-nearest neighbors , author=. 2019 IEEE Security and Privacy Workshops (SPW) , pages=. 2019 , organization=

    2019

  40. [40]

    2020 IEEE Security and Privacy Workshops (SPW) , pages=

    Minimum-Norm Adversarial Examples on KNN and KNN based Models , author=. 2020 IEEE Security and Privacy Workshops (SPW) , pages=. 2020 , organization=

    2020

  41. [41]

    Summer school on machine learning , pages=

    Gaussian processes in machine learning , author=. Summer school on machine learning , pages=. 2003 , organization=

    2003

  42. [42]

    Evasion Attacks against Machine Learning at Test Time

    Biggio, Battista and Corona, Igino and Maiorca, Davide and Nelson, Blaine and S rndi \' c , Nedim and Laskov, Pavel and Giacinto, Giorgio and Roli, Fabio. Evasion Attacks against Machine Learning at Test Time. Machine Learning and Knowledge Discovery in Databases. 2013

    2013

  43. [43]

    arXiv preprint arXiv:1412.6572 , year=

    Explaining and harnessing adversarial examples , author=. arXiv preprint arXiv:1412.6572 , year=

    Pith/arXiv arXiv

  44. [44]

    Proceedings of the 36th International Conference on Machine Learning , pages =

    The Odds are Odd: A Statistical Test for Detecting Adversarial Examples , author =. Proceedings of the 36th International Conference on Machine Learning , pages =. 2019 , editor =

    2019

  45. [45]

    2014 , URL =

    Intriguing properties of neural networks , author =. 2014 , URL =

    2014

  46. [46]

    International Conference on Learning Representations , year=

    Understanding the failure modes of out-of-distribution generalization , author=. International Conference on Learning Representations , year=

  47. [47]

    McDaniel , title =

    Nicolas Papernot and Patrick D. McDaniel , title =. CoRR , volume =. 2018 , url =

    2018

  48. [48]

    2009 , isbn =

    Koller, Daphne and Friedman, Nir , title =. 2009 , isbn =

    2009

  49. [49]

    Proceedings of the 36th International Conference on Machine Learning , pages =

    Analyzing and Improving Representations with the Soft Nearest Neighbor Loss , author =. Proceedings of the 36th International Conference on Machine Learning , pages =. 2019 , editor =

    2019

  50. [50]

    arXiv preprint arXiv:1610.02136 , year=

    A baseline for detecting misclassified and out-of-distribution examples in neural networks , author=. arXiv preprint arXiv:1610.02136 , year=

    Pith/arXiv arXiv

  51. [51]

    arXiv preprint arXiv:2007.15147 , year=

    Detecting Anomalous Inputs to DNN Classifiers By Joint Statistical Testing at the Layers , author=. arXiv preprint arXiv:2007.15147 , year=

    arXiv 2007

  52. [52]

    , author=

    To Trust Or Not To Trust A Classifier. , author=. NeurIPS , pages=

  53. [53]

    arXiv preprint arXiv:1910.00727 , year=

    Analyzing and Improving Neural Networks by Generating Semantic Counterexamples through Differentiable Rendering , author=. arXiv preprint arXiv:1910.00727 , year=

    arXiv 1910

  54. [54]

    arXiv preprint arXiv:2101.06549 , year=

    AdvSim: Generating Safety-Critical Scenarios for Self-Driving Vehicles , author=. arXiv preprint arXiv:2101.06549 , year=

    arXiv

  55. [55]

    arXiv preprint arXiv:2103.07403 , year=

    Generating and Characterizing Scenarios for Safety Testing of Autonomous Vehicles , author=. arXiv preprint arXiv:2103.07403 , year=

    arXiv

  56. [56]

    International Conference on Machine Learning , pages=

    Delayed impact of fair machine learning , author=. International Conference on Machine Learning , pages=. 2018 , organization=

    2018

  57. [57]

    arXiv preprint arXiv:1809.04684 , year=

    Fair lending needs explainable models for responsible recommendation , author=. arXiv preprint arXiv:1809.04684 , year=

    Pith/arXiv arXiv

  58. [58]

    Black Hat , year=

    Evading machine learning malware detection , author=. Black Hat , year=

  59. [59]

    arXiv preprint arXiv:1402.1389 , year=

    Distributed variational inference in sparse Gaussian process regression and latent variable models , author=. arXiv preprint arXiv:1402.1389 , year=

    Pith/arXiv arXiv

  60. [60]

    Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition Workshops , pages=

    Evaluating scalable bayesian deep learning methods for robust computer vision , author=. Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition Workshops , pages=

  61. [61]

    arXiv preprint arXiv:2102.12967 , year=

    Statistical Testing for Efficient Out of Distribution Detection in Deep Neural Networks , author=. arXiv preprint arXiv:2102.12967 , year=

    arXiv

  62. [62]

    A Simple Unified Framework for Detecting Out-of-Distribution Samples and Adversarial Attacks , url =

    Lee, Kimin and Lee, Kibok and Lee, Honglak and Shin, Jinwoo , booktitle =. A Simple Unified Framework for Detecting Out-of-Distribution Samples and Adversarial Attacks , url =

  63. [63]

    Llama3, https://ai.meta.com/blog/meta-llama-3/

  64. [64]

    Claude3, https://www.anthropic.com/news/claude-3-family

    Anthropic , year=. Claude3, https://www.anthropic.com/news/claude-3-family

  65. [65]

    Cohere, https://cohere.ai

  66. [66]

    OpenAI, https://openai.com

  67. [67]

    2025 IEEE Security and Privacy Workshops (SPW) , pages=

    Membership Inference Attacks on Sequence Models , author=. 2025 IEEE Security and Privacy Workshops (SPW) , pages=. 2025 , organization=

    2025

  68. [68]

    ICLR 2025 Workshop on Navigating and Addressing Data Problems for Foundation Models , year=

    Privacy Auditing for Large Language Models with Natural Identifiers , author=. ICLR 2025 Workshop on Navigating and Addressing Data Problems for Foundation Models , year=

    2025

  69. [69]

    International Conference on Artificial Intelligence and Statistics , pages=

    On the privacy risks of algorithmic recourse , author=. International Conference on Artificial Intelligence and Statistics , pages=. 2023 , organization=

    2023

  70. [70]

    Auditing f -differential privacy in one run , author=

  71. [71]

    Sujet-finance-instruct-177k dataset

  72. [72]

    RunPod GPU Cloud pricing, https://www.runpod.io/gpu-instance/pricing

  73. [73]

    Zhang and A

    Florian Tramèr and F. Zhang and A. Juels and M. Reiter and T. Ristenpart. , title=. USENIX Security Symposium , year=

  74. [74]

    Courville and P

    Yoshua Bengio and A. Courville and P. Vincent. , title=. ArXiv , year=

  75. [75]

    Uchida and S

    Yuki Nagai and Y. Uchida and S. Sakazawa and Shin’ichi Satoh. , title=. International Journal of Multimedia Information Retrieval, 7:3–16 , year=

  76. [76]

    Hengrui Jia and C. A. Choquette-Choo and V. Chandrasekaran and N. Papernot. , title=. USENIX Security Symposium , year=

  77. [77]

    Kornblith and M

    Ting Chen and S. Kornblith and M. Norouzi and G. Hinton. , title=. International Conference on Machine Learning , year=

  78. [78]

    Fan and Y

    Kaiming He and H. Fan and Y. Wu and S. Xie and R. Girshick. , title=. Computer Vision and Pattern Recognition , year=

  79. [79]

    Strub and F

    Jean-Bastien Grill and F. Strub and F. Altché and C. Tallec and P. H. Richemond and E. Buchatskaya and C. Doersch and B. A. Pires and Z. D. Guo and M. G. Azar and B. Piot and K. Kavukcuoglu and R. Munos and M. Valko. , title=. Computer Vision and Pattern Recognition , year=

  80. [80]

    Jialong Zhang and Zhongshu Gu and Jiyong Jang and Hui Wu and M. P. Stoecklin and H. Huang and I. Molloy. , title=

Showing first 80 references.