The most updated information is available on Google Scholar.
2024
-
SoK: Membership Inference Attacks on LLMs are Rushing Nowhere (and How to Fix It)
Matthieu Meeus, Shilov Igor, Shubham Jain, Manuel Faysse, Marek Rei, and Yves-Alexandre Montjoye
arXiv preprint arXiv:2406.17975, 2024
TLDR; We wrote an SoK on recent developments in MIAs against LLMs. We discuss how things have evolved recently, show popular evaluation setups to be flawed, and examine solutions going forward.
-
Mosaic Memory: Fuzzy Duplication in Copyright Traps for Large Language Models
Igor Shilov, Matthieu Meeus, and Yves-Alexandre Montjoye
arXiv preprint arXiv:2405.15523, 2024
-
Lost in the Averages: A New Specific Setup to Evaluate Membership Inference Attacks Against Machine Learning Models
Florent Guépin, Nataša Krčo, Matthieu Meeus, and Yves-Alexandre Montjoye
arXiv preprint arXiv:2405.15423, 2024
-
Did the Neurons Read your Book? Document-level Membership Inference for Large Language Models
Matthieu Meeus, Shubham Jain, Marek Rei, and Yves-Alexandre Montjoye
In 33rd USENIX Security Symposium (USENIX Security 24), 2024
TLDR; Given a pretrained LLM and a document, can I infer whether the document was used to train the LLM? First, we rely on the collection of documents which we know have been used to train the LLM (members) and documents made available after the model release data (non-members). We then query the LLM on both members and non-members for token-level probabilities and train a classifier to predict binary membership. Spoiler: It’s harder than you think!
-
Copyright Traps for Large Language Models
Matthieu Meeus, Igor Shilov, Manuel Faysse, and Yves-Alexandre Montjoye
In Forty-first International Conference on Machine Learning, 2024
TLDR; We add copyright traps to original content. These are highly unique sequences that, if an LLM were to be trained on it, we would be able to tell through how the LLM reacts to our injected trap. We inject a variety of traps into the pretraining dataset of the real-world 1.3B CroissantLLM trained from scratch, and find that copyright traps indeed enable content detectability.
2023
-
Achilles’ Heels: Vulnerable Record Identification in Synthetic Data Publishing
Matthieu Meeus, Florent Guepin, Ana-Maria Creţu, and Yves-Alexandre Montjoye
In European Symposium on Research in Computer Security, 2023
TLDR; We audit the privacy risk of synthetic tabular data through Membership Inference Attacks (MIAs). For this, we are most concerned about the worst-case risk - so we propose a method to identify the most at-risk data records in a dataset. We show that our vulnerable record identification method beats previously used, ad-hoc outlier detection mechanisms significantly.
-
Synthetic Is All You Need: Removing the Auxiliary Data Assumption for Membership Inference Attacks Against Synthetic Data
Florent Guépin, Matthieu Meeus, Ana-Maria Creţu, and Yves-Alexandre Montjoye
In European Symposium on Research in Computer Security, 2023
TLDR; In Membership Inference Attacks (MIAs) against synthetic data, we typically assume the attacker to have access to some auxiliary data (from the same distribution as the real training data). In practice, this is not that realistic, especially for use cases typically suggested for synthetic data. We here examine what happens to the MIA performance when we use the released synthetic itself as a replacement for the auxiliary dataset to build shadow-modeling based MIAs. Spoiler: MIAs still work, but with a substantial drop compared to real auxiliary data.
-
Concerns about using a digital mask to safeguard patient privacy
Matthieu Meeus, Shubham Jain, and Yves-Alexandre Montjoye
Nature Medicine, 2023
TLDR; A widely covered Nature paper introduces a Digital Mask (DM), an ’anonymization’ algorithm to be applied to facial images of patients. Reportedly, the mask would irreversibly erase all identifiable features while retaining the information necessary for medical diagnosis. We show their setup to evaluate the anonymization provided by the DM to be seriously flawed, and show that in a proper setup, the risk of identification increases by 100X.