pith. sign in

arxiv: 2203.03929 · v2 · pith:PWELKFEVnew · submitted 2022-03-08 · 💻 cs.LG · cs.AI· cs.CR

Quantifying Privacy Risks of Masked Language Models Using Membership Inference Attacks

classification 💻 cs.LG cs.AIcs.CR
keywords attacksinferencemembershipmlmsattackmodelspriorprivacy
0
0 comments X
read the original abstract

The wide adoption and application of Masked language models~(MLMs) on sensitive data (from legal to medical) necessitates a thorough quantitative investigation into their privacy vulnerabilities -- to what extent do MLMs leak information about their training data? Prior attempts at measuring leakage of MLMs via membership inference attacks have been inconclusive, implying the potential robustness of MLMs to privacy attacks. In this work, we posit that prior attempts were inconclusive because they based their attack solely on the MLM's model score. We devise a stronger membership inference attack based on likelihood ratio hypothesis testing that involves an additional reference MLM to more accurately quantify the privacy risks of memorization in MLMs. We show that masked language models are extremely susceptible to likelihood ratio membership inference attacks: Our empirical results, on models trained on medical notes, show that our attack improves the AUC of prior membership inference attacks from 0.66 to an alarmingly high 0.90 level, with a significant improvement in the low-error region: at 1% false positive rate, our attack is 51X more powerful than prior work.

This paper has not been read by Pith yet.

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Forward citations

Cited by 6 Pith papers

Reviewed papers in the Pith corpus that reference this work. Sorted by Pith novelty score.

  1. Detecting Pretraining Data from Large Language Models

    cs.CL 2023-10 conditional novelty 7.0

    Min-K% Prob detects pretraining data in LLMs by flagging outlier low-probability words in text, achieving 7.4% better performance than prior methods on the new WIKIMIA benchmark.

  2. Batch Normalization Amplifies Memorization and Privacy Risks

    cs.LG 2026-05 unverdicted novelty 6.0

    Batch normalization amplifies memorization of outlier samples in deep neural networks, directly increasing susceptibility to membership inference attacks.

  3. Pretraining Data Exposure in Large Language Models: A Survey of Membership Inference, Data Contamination, and Security Implications

    cs.CL 2026-05 unverdicted novelty 6.0

    First unified survey formalizing Pretraining Data Exposure across exposure levels and reviewing attack, defense, and contamination methods for LLMs.

  4. Auditing Training Data in Domain-adapted LLMs: LoRA-MINT

    cs.CL 2026-06 unverdicted novelty 5.0

    LoRA-MINT uses perplexity to perform membership inference on LoRA-fine-tuned LLMs, reporting 0.77-0.92 precision across four models and three datasets while outperforming baselines.

  5. Towards the Anonymization of the Language Modeling

    cs.CL 2025-01 unverdicted novelty 4.0

    Authors introduce MLM and CLM specialization methods that avoid memorizing identifiers in sensitive training data while aiming for a privacy-utility tradeoff on medical datasets.

  6. Large Language Model Agent: A Survey on Methodology, Applications and Challenges

    cs.CL 2025-03 accept novelty 3.0

    A survey that deconstructs LLM agent systems via a methodology-centered taxonomy linking design principles to emergent behaviors, applications, and challenges.