The Surprising Effectiveness of Membership Inference with Simple N-Gram Coverage

Large language models often generate verbatim text from their training data, including copyrighted material, medical records, or passwords. This poses significant legal and ethical challenges, as data owners lack transparency and accountability from model providers regarding data usage. Proving data inclusion is difficult due to the protected nature of training datasets.

The speaker cites examples of LLMs generating Harry Potter quotes or leaking sensitive information, leading to lawsuits and discussions on fair use. Model providers can simply ask data owners to 'prove it' due to data protection.

Previous MIAs, such as those relying on loss or normalized loss, typically require 'white-box' access to the model's internal states (e.g., loss metrics, log probabilities). This is a significant limitation for popular, proprietary LLMs that only offer 'black-box' API access, returning only text outputs.

Existing methods 'assume white-box access to the model' (05:19). 'A lot of these popular models provide limited access to what they return to user queries. So we don't have like these loss metrics or log probabilities' (07:43).

The proposed 'n-gram coverage attack' infers membership by empirically measuring how closely a model's sampled outputs align with a specific sequence. It splits a candidate text (X) into a prefix and suffix, feeds the prefix to the LLM, samples multiple suffixes, and then calculates the n-gram overlap (coverage) between the sampled suffixes and the original suffix. The maximum similarity score across multiple samples is used as the membership signal.

The method 'split[s] x into a prefix and a suffix... give the prefix as context into our model... sample many suffixes and then see how close the sampled outputs are to the ground truth' (09:12). 'Max works the best' for aggregation (15:07).

The n-gram coverage attack consistently outperforms the DECOP black-box baseline across various LLMs and datasets (WikiMIA, BookMIA, TuluMix). DECOP struggles because it relies on the target model acting as a faithful QA model, which is not always the case, especially for weaker or non-instruction-tuned models.

The method 'clearly outperform[s] this other blackbox baseline... across like these models in this wiki setting' (30:47). DECOP's assumption that 'the target model is like a faithful QA model' might not apply to all models (36:28).

Despite its black-box nature, the n-gram coverage attack achieves performance surprisingly competitive with white-box MIAs, reaching up to 95% of their average performance on WikiMIA. Crucially, it is significantly cheaper and more flexible than DECOP, requiring fewer tokens (d*N vs. 100*N) and no external paraphrasing model.

On WikiMIA, the average metric using coverage is '95% of the white box performance across models' (37:09). The attack is 'more manageable' with a total token budget of 'd * n rather than like this 100 n' (25:20).

The n-gram coverage attack is effective at detecting membership in fine-tuning datasets (SFT data), as demonstrated on the TuluMix dataset. This extends the utility of MIAs beyond pre-training to later stages of the LLM development cycle.

On TuluMix, 'our method is very effective... in disambiguating members and numbers as seen by the relatively high scores' (39:45). 'Fine-tuning membership inference is effective' (40:57).

The attack's performance (AROC) scales positively with the number of sequences generated per sample, allowing for a trade-off between budget and accuracy. Ablation studies also show that a 50% prefix/suffix split is optimal for balancing context and generation length, and a sampling temperature around 0.8-1.0 yields the best results for a fixed number of generations.

As we generate 'more sequences per sample, our AROC... is increasing' (42:21). '50% is working the best' for prefix length (16:18). 'The best is around like 0.8 or or one' for temperature (45:00).