Extracting Training Data from Large Language Models

Carlini, Nicholas; Tramer, Florian; Wallace, Eric; Jagielski, Matthew; Herbert-Voss, Ariel; Lee, Katherine; Roberts, Adam; Brown, Tom; Song, Dawn; Erlingsson, Ulfar; Oprea, Alina; Raffel, Colin

Computer Science > Cryptography and Security

arXiv:2012.07805 (cs)

[Submitted on 14 Dec 2020 (v1), last revised 15 Jun 2021 (this version, v2)]

Title:Extracting Training Data from Large Language Models

Authors:Nicholas Carlini, Florian Tramer, Eric Wallace, Matthew Jagielski, Ariel Herbert-Voss, Katherine Lee, Adam Roberts, Tom Brown, Dawn Song, Ulfar Erlingsson, Alina Oprea, Colin Raffel

Download PDF

Abstract: It has become common to publish large (billion parameter) language models that have been trained on private datasets. This paper demonstrates that in such settings, an adversary can perform a training data extraction attack to recover individual training examples by querying the language model.
We demonstrate our attack on GPT-2, a language model trained on scrapes of the public Internet, and are able to extract hundreds of verbatim text sequences from the model's training data. These extracted examples include (public) personally identifiable information (names, phone numbers, and email addresses), IRC conversations, code, and 128-bit UUIDs. Our attack is possible even though each of the above sequences are included in just one document in the training data.
We comprehensively evaluate our extraction attack to understand the factors that contribute to its success. Worryingly, we find that larger models are more vulnerable than smaller models. We conclude by drawing lessons and discussing possible safeguards for training large language models.

Subjects:	Cryptography and Security (cs.CR); Computation and Language (cs.CL); Machine Learning (cs.LG)
Cite as:	arXiv:2012.07805 [cs.CR]
	(or arXiv:2012.07805v2 [cs.CR] for this version)

Submission history

From: Nicholas Carlini [view email]
[v1] Mon, 14 Dec 2020 18:39:09 UTC (2,128 KB)
[v2] Tue, 15 Jun 2021 17:45:26 UTC (4,885 KB)

Full-text links:

Download:

(license)

Current browse context:

cs.CR

< prev | next >

new | recent | 2012

Change to browse by:

cs
cs.CL
cs.LG

References & Citations

3 blog links

(what is this?)

DBLP - CS Bibliography

listing | bibtex

Nicholas Carlini
Florian Tramèr
Eric Wallace
Matthew Jagielski
Ariel Herbert-Voss

…

export bibtex citation

Bookmark

Bibliographic Tools

Bibliographic and Citation Tools

Bibliographic Explorer (What is the Explorer?)

Litmaps (What is Litmaps?)

Code & Data

Code and Data Associated with this Article

arXiv Links to Code & Data (What is Links to Code & Data?)

Recommenders and Search Tools

Connected Papers (What is Connected Papers?)

CORE Recommender (What is CORE?)

About arXivLabs

arXivLabs: experimental projects with community collaborators

arXivLabs is a framework that allows collaborators to develop and share new arXiv features directly on our website.

Both individuals and organizations that work with arXivLabs have embraced and accepted our values of openness, community, excellence, and user data privacy. arXiv is committed to these values and only works with partners that adhere to them.

Have an idea for a project that will add value for arXiv's community? Learn more about arXivLabs and how to get involved.

Which authors of this paper are endorsers? | Disable MathJax (What is MathJax?)