Saved in:
Bibliographic Details
Main Authors: Rosenblatt, Lucas, Han, Bin, Wolfe, Robert, Howe, Bill
Format: Preprint
Published: 2025
Subjects:
Online Access:https://arxiv.org/abs/2505.13819
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866910955493916672
author Rosenblatt, Lucas
Han, Bin
Wolfe, Robert
Howe, Bill
author_facet Rosenblatt, Lucas
Han, Bin
Wolfe, Robert
Howe, Bill
contents Large language models (LLMs) can leak sensitive training data through memorization and membership inference attacks. Prior work has primarily focused on strong adversarial assumptions, including attacker access to entire samples or long, ordered prefixes, leaving open the question of how vulnerable LLMs are when adversaries have only partial, unordered sample information. For example, if an attacker knows a patient has "hypertension," under what conditions can they query a model fine-tuned on patient data to learn the patient also has "osteoarthritis?" In this paper, we introduce a more general threat model under this weaker assumption and show that fine-tuned LLMs are susceptible to these fragment-specific extraction attacks. To systematically investigate these attacks, we propose two data-blind methods: (1) a likelihood ratio attack inspired by methods from membership inference, and (2) a novel approach, PRISM, which regularizes the ratio by leveraging an external prior. Using examples from both medical and legal settings, we show that both methods are competitive with a data-aware baseline classifier that assumes access to labeled in-distribution data, underscoring their robustness.
format Preprint
id arxiv_https___arxiv_org_abs_2505_13819
institution arXiv
publishDate 2025
record_format arxiv
spellingShingle Fragments to Facts: Partial-Information Fragment Inference from LLMs
Rosenblatt, Lucas
Han, Bin
Wolfe, Robert
Howe, Bill
Machine Learning
Cryptography and Security
Computers and Society
Large language models (LLMs) can leak sensitive training data through memorization and membership inference attacks. Prior work has primarily focused on strong adversarial assumptions, including attacker access to entire samples or long, ordered prefixes, leaving open the question of how vulnerable LLMs are when adversaries have only partial, unordered sample information. For example, if an attacker knows a patient has "hypertension," under what conditions can they query a model fine-tuned on patient data to learn the patient also has "osteoarthritis?" In this paper, we introduce a more general threat model under this weaker assumption and show that fine-tuned LLMs are susceptible to these fragment-specific extraction attacks. To systematically investigate these attacks, we propose two data-blind methods: (1) a likelihood ratio attack inspired by methods from membership inference, and (2) a novel approach, PRISM, which regularizes the ratio by leveraging an external prior. Using examples from both medical and legal settings, we show that both methods are competitive with a data-aware baseline classifier that assumes access to labeled in-distribution data, underscoring their robustness.
title Fragments to Facts: Partial-Information Fragment Inference from LLMs
topic Machine Learning
Cryptography and Security
Computers and Society
url https://arxiv.org/abs/2505.13819