Saved in:
Bibliographic Details
Main Authors: Dai, Chenxi, Lu, Lin, Zhou, Pan
Format: Preprint
Published: 2025
Subjects:
Online Access:https://arxiv.org/abs/2502.16086
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866916625894080512
author Dai, Chenxi
Lu, Lin
Zhou, Pan
author_facet Dai, Chenxi
Lu, Lin
Zhou, Pan
contents Decentralized training has become a resource-efficient framework to democratize the training of large language models (LLMs). However, the privacy risks associated with this framework, particularly due to the potential inclusion of sensitive data in training datasets, remain unexplored. This paper identifies a novel and realistic attack surface: the privacy leakage from training data in decentralized training, and proposes \textit{activation inversion attack} (AIA) for the first time. AIA first constructs a shadow dataset comprising text labels and corresponding activations using public datasets. Leveraging this dataset, an attack model can be trained to reconstruct the training data from activations in victim decentralized training. We conduct extensive experiments on various LLMs and publicly available datasets to demonstrate the susceptibility of decentralized training to AIA. These findings highlight the urgent need to enhance security measures in decentralized training to mitigate privacy risks in training LLMs.
format Preprint
id arxiv_https___arxiv_org_abs_2502_16086
institution arXiv
publishDate 2025
record_format arxiv
spellingShingle Stealing Training Data from Large Language Models in Decentralized Training through Activation Inversion Attack
Dai, Chenxi
Lu, Lin
Zhou, Pan
Cryptography and Security
Decentralized training has become a resource-efficient framework to democratize the training of large language models (LLMs). However, the privacy risks associated with this framework, particularly due to the potential inclusion of sensitive data in training datasets, remain unexplored. This paper identifies a novel and realistic attack surface: the privacy leakage from training data in decentralized training, and proposes \textit{activation inversion attack} (AIA) for the first time. AIA first constructs a shadow dataset comprising text labels and corresponding activations using public datasets. Leveraging this dataset, an attack model can be trained to reconstruct the training data from activations in victim decentralized training. We conduct extensive experiments on various LLMs and publicly available datasets to demonstrate the susceptibility of decentralized training to AIA. These findings highlight the urgent need to enhance security measures in decentralized training to mitigate privacy risks in training LLMs.
title Stealing Training Data from Large Language Models in Decentralized Training through Activation Inversion Attack
topic Cryptography and Security
url https://arxiv.org/abs/2502.16086