The most up-to-date information is available on Google Scholar.
2024
-
ChocoLlama: Lessons Learned From Teaching Llamas Dutch
Matthieu Meeus, Anthony Rathé, François Remy, Pieter Delobelle, Jens-Joris Decorte, and Thomas Demeester
arXiv preprint arXiv:2412.07633, 2024
TLDR; We further pretrain Llama-2/3 on Dutch data, and release a family of 6 open-source LLMs. We elaborate on our learnings in the paper (modifying the tokenizer, using LoRA at scale for language adaptation, pretraining versus posttraining, benchmarking).
-
SoK: Membership Inference Attacks on LLMs are Rushing Nowhere (and How to Fix It)
Matthieu Meeus, Shilov Igor, Shubham Jain, Manuel Faysse, Marek Rei, and Yves-Alexandre Montjoye
arXiv preprint arXiv:2406.17975, 2024
TLDR; We wrote an SoK on recent developments in MIAs against LLMs. We discuss how things have evolved recently, show popular evaluation setups to be flawed, and examine solutions going forward.
-
Mosaic Memory: Fuzzy Duplication in Copyright Traps for Large Language Models
Igor Shilov, Matthieu Meeus, and Yves-Alexandre Montjoye
arXiv preprint arXiv:2405.15523, 2024
-
Lost in the Averages: A New Specific Setup to Evaluate Membership Inference Attacks Against Machine Learning Models
Florent Guépin, Nataša Krčo, Matthieu Meeus, and Yves-Alexandre Montjoye
arXiv preprint arXiv:2405.15423, 2024
-
Did the Neurons Read your Book? Document-level Membership Inference for Large Language Models
Matthieu Meeus, Shubham Jain, Marek Rei, and Yves-Alexandre Montjoye
In 33rd USENIX Security Symposium (USENIX Security 24), 2024
TLDR; Given a pretrained LLM and a document, can I infer whether the document was used to train the LLM? First, we rely on the collection of documents which we know have been used to train the LLM (members) and documents made available after the model release date (non-members). We then query the LLM on both members and non-members for token-level probabilities and train a classifier to predict binary membership. Spoiler: It’s harder than you think!
-
Copyright Traps for Large Language Models
Matthieu Meeus, Igor Shilov, Manuel Faysse, and Yves-Alexandre Montjoye
In Forty-first International Conference on Machine Learning, 2024
TLDR; We add copyright traps to original content. These are highly unique sequences that, if an LLM were to be trained on them, we would be able to tell through how the LLM reacts to our injected trap. We inject a variety of traps into the pretraining dataset of the real-world 1.3B CroissantLLM trained from scratch, and find that copyright traps indeed enable content detectability.
2023
-
Achilles’ Heels: Vulnerable Record Identification in Synthetic Data Publishing
Matthieu Meeus, Florent Guepin, Ana-Maria Creţu, and Yves-Alexandre Montjoye
In European Symposium on Research in Computer Security, 2023
TLDR; We audit the privacy risk of synthetic tabular data through Membership Inference Attacks (MIAs). For this, we are most concerned about the worst-case risk - so we propose a method to identify the most at-risk data records in a dataset. We show that our vulnerable record identification method beats previously used, ad-hoc outlier detection mechanisms significantly.
-
Synthetic Is All You Need: Removing the Auxiliary Data Assumption for Membership Inference Attacks Against Synthetic Data
Florent Guépin, Matthieu Meeus, Ana-Maria Creţu, and Yves-Alexandre Montjoye
In European Symposium on Research in Computer Security, 2023
TLDR; In Membership Inference Attacks (MIAs) against synthetic data, we typically assume the attacker to have access to some auxiliary data (from the same distribution as the real training data). In practice, this is not that realistic, especially for use cases typically suggested for synthetic data. We here examine what happens to the MIA performance when we use the released synthetic data itself as a replacement for the auxiliary dataset to build shadow-modeling-based MIAs. Spoiler: MIAs still work, but with a substantial drop compared to real auxiliary data.
-
Concerns about using a digital mask to safeguard patient privacy
Matthieu Meeus, Shubham Jain, and Yves-Alexandre Montjoye
Nature Medicine, 2023
TLDR; A widely covered Nature paper introduces a Digital Mask (DM), an ’anonymization’ algorithm to be applied to facial images of patients. Reportedly, the mask would irreversibly erase all identifiable features while retaining the information necessary for medical diagnosis. We show their setup to evaluate the anonymization provided by the DM to be seriously flawed, and show that in a proper setup, the risk of identification increases by 100X.