
Information Leakage from Embedding in Large Language Models (2405.11916v3)

Published 20 May 2024 in cs.LG and cs.CR

Abstract: The widespread adoption of LLMs has raised concerns regarding data privacy. This study aims to investigate the potential for privacy invasion through input reconstruction attacks, in which a malicious model provider could potentially recover user inputs from embeddings. We first propose two base methods to reconstruct original texts from a model's hidden states. We find that these two methods are effective in attacking the embeddings from shallow layers, but their effectiveness decreases when attacking embeddings from deeper layers. To address this issue, we then present Embed Parrot, a Transformer-based method, to reconstruct input from embeddings in deep layers. Our analysis reveals that Embed Parrot effectively reconstructs original inputs from the hidden states of ChatGLM-6B and Llama2-7B, showcasing stable performance across various token lengths and data distributions. To mitigate the risk of privacy breaches, we introduce a defense mechanism to deter exploitation of the embedding reconstruction process. Our findings emphasize the importance of safeguarding user privacy in distributed learning systems and contribute valuable insights to enhance the security protocols within such environments.
