Papers
Topics
Authors
Recent
Search
2000 character limit reached

LLM-CEG: Extending the Classification Error Gauge Framework for Privacy Auditing of Large Language Models

Published 26 Apr 2026 in cs.CR | (2604.23795v1)

Abstract: This paper extends the Classification Error Gauge (x-CEG) framework, originally developed for measuring the privacy-utility trade-off in tabular datasets, to privacy auditing of LLMs. We propose LLM-CEG, a systematic framework that employs membership inference attack (MIA) success rates as an empirical privacy gauge and model perplexity as a utility gauge, iteratively adjusting differential privacy parameters until both thresholds are jointly satisfied. A proof-of-concept prototype fine-tunes DistilGPT-2 on a synthetic clinical PII dataset under four privacy regimes using DP-SGD. Results indicate that DP-SGD reduces MIA attacker advantage by 71.5% while simultaneously improving out-of-distribution utility by 47-50% relative to the overfitted baseline, suggesting that differential privacy may act as implicit regularization under narrow fine-tuning conditions. We further extend the SIED engineering framework to the LLM context as LLM-SIED, providing an auditable, regulator-aligned process for privacy-compliant LLM deployment.

Authors (1)

Summary

  • The paper introduces LLM-CEG, extending the classification error gauge framework by employing MIA accuracy as a privacy gauge and perplexity as a utility measure.
  • The paper demonstrates that DP-SGD reduces privacy leakage by approximately 9x while simultaneously improving out-of-distribution utility compared to non-private baselines.
  • The paper establishes a regulator-aligned auditing process with LLM-SIED, supporting empirical evaluation of privacy-utility trade-offs in sensitive applications.

Extending the Classification Error Gauge Framework for LLM Privacy Auditing

Introduction

The paper "LLM-CEG: Extending the Classification Error Gauge Framework for Privacy Auditing of LLMs" (2604.23795) introduces the LLM-CEG framework, establishing a systematic, empirical, and practitioner-oriented methodology for quantifying the privacy-utility landscape of LLMs, specifically under differential privacy (DP) constraints. The original x-CEG concept, developed for tabular data privacy auditing, is adapted to modern LLMs by leveraging membership inference attack (MIA) accuracy as a privacy gauge and perplexity as a utility gauge. This dual-metric approach enables iterative tuning of DP budgets to simultaneously satisfy empirical privacy and utility thresholds for high-stakes applications involving sensitive data such as clinical patient information.

Theoretical Foundation and Framework Adaptation

The foundational principle guiding LLM-CEG is the empirical measurement of the privacy-utility trade-off. In the LLM context, this translates to using MIA attacker advantage as a direct indicator of memorization risk and thus privacy leakage, while perplexity measures language generation performance. The iterative algorithm adjusts the DP privacy budget (ε\varepsilon) until the model meets both an attacker advantage threshold and a minimum acceptable utility criterion. This process, formalized in the LLM-CEG algorithm, produces both a privacy-audited model and a privacy audit report suitable for regulatory purposes. The mapping from the x-CEG framework is precise: classification error on privatized tabular data becomes MIA advantage on LLM weights, and data perturbation (e.g., DP via Laplace mechanism) is replaced by DP-SGD during fine-tuning of the LLM.

LLM-CEG is complemented by LLM-SIED, an engineering process adapted from the SIED framework for specification, implementation, evaluation, and dissemination of privacy-compliant AI. LLM-SIED provides end-to-end audibility, regulator alignment (including explicit support for EU AI Act and NIST AI RMF requirements), and procedural clarity for organizations seeking trustworthy LLM deployments.

Experimental Methodology

Experiments center on fine-tuning DistilGPT-2 on a synthetic PII clinical dataset, with explicit partitioning into member (training) and non-member (held-out) samples. Three DP-SGD configurations (ε∈{8,2,0.5}\varepsilon \in \{8, 2, 0.5\}, δ=10−5\delta=10^{-5}) are compared with a non-private baseline. The Opacus library implements per-sample gradient clipping and noise addition, with privacy accounting via Renyi DP. All experiments are reproducible on consumer hardware, supporting broad accessibility.

Key evaluation metrics:

  • MIA attacker advantage: The excess attack accuracy over random guessing, measuring empirical privacy leakage.
  • Perplexity: Average negative log-likelihood on out-of-distribution text, measuring generalization.

Results

LLM-CEG yields several strong empirical findings:

  • Severe privacy vulnerability in the non-private baseline, as a loss-based MIA achieves an 85.8% attack accuracy (advantage 0.358, AUROC 0.876). This is direct evidence of membership exposure and memorization in standard fine-tuning.
  • DP-SGD suppresses the member/non-member loss gap by approximately 9x. All DP configurations converge to near-chance attackability (attacker advantage 0.102–0.106, AUROC ≈ 0.514), indicating robust empirical privacy protection even as ε\varepsilon varies by an order of magnitude.
  • Out-of-distribution utility improves with DP-SGD: All DP models achieve substantially lower perplexity (119–122) vs. the baseline (179.91), corresponding to 47–50% improvement in normalized utility. This suggests that DP-SGD noise acts as implicit regularization, constraining overfitting and preserving pre-trained knowledge in fine-tuning regimes with narrow datasets. Figure 1

    Figure 2: LLM-CEG Privacy-Utility Pareto Curve; DP-SGD models achieve both strong privacy (low MIA advantage) and enhanced utility (normalized utility > 100%), with ε=8\varepsilon=8 yielding Pareto-optimal trade-off.

The Pareto curve above encapsulates the privacy-utility frontier, with all DP models landing squarely in the green "acceptable zone." The ε=8\varepsilon=8 configuration is Pareto-optimal: it provides equivalent privacy to stricter DP settings without incurring any additional utility loss.

Notably, the empirical results contradict the conventional axiom that privacy and utility are strictly zero-sum. Under narrow fine-tuning (e.g., small, repetitive clinical datasets), DP may simultaneously enhance privacy and generalization, a claim supported by consistent performance across MIA and perplexity metrics.

Implications and Broader Context

The practical and theoretical implications of LLM-CEG are significant:

  • For Practitioners: LLM-CEG enables quantifiable, visual, and actionable privacy-utility navigation, supporting deployment decisions with direct relevance for compliance, risk management, and human-centered disclosure. The Pareto analysis facilitates empirical model selection beyond purely formal DP budget reporting.
  • For Regulators: The LLM-SIED process operationalizes responsible AI practices by instantiating auditability, threshold-based privacy selection, and complete documentation for compliance with EU and US standards.
  • For Research: The observed regularization effect of DP-SGD in narrow-data settings advances theoretical understanding of DP's stabilization properties and bridges findings from both privacy and generalization literature (e.g., connections to uniform stability).
  • For Future Work: LLM-CEG opens pathways for scaling evaluation to larger models and real-world datasets, integrating parameter-efficient fine-tuning (e.g., LoRA+DP), loss-landscape analyses, and more comprehensive participatory governance models.

Limitations and Future Directions

LLM-CEG's empirical MIA-based privacy guarantees are not a formal proof and should be interpreted as practical upper bounds. Additionally, all experiments are conducted with synthetic data and on a relatively small scale. There is substantial scope for replication at scale, further algorithmic optimization, and richer evaluation—including adversarial extraction scenarios and advanced attack configurations.

Conclusion

LLM-CEG provides a validated, reproducible, and regulator-aligned framework for empirically auditing the privacy-utility trade-off in LLMs. The framework's numerical results reveal that DP-SGD not only reduces practical privacy risk but also enhances generalization under overfitting-prone fine-tuning regimes. The extension of CEG to LLMs, coupled with human-centered auditing and dissemination processes, provides a comprehensive toolkit for trustworthy, privacy-preserving deployment of LLMs in sensitive real-world domains.

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Collections

Sign up for free to add this paper to one or more collections.