Saved in:
Bibliographic Details
Main Authors: Hughes, Anthony, Goldberg, Alexander, Jha, Prince, Perer, Adam, Aletras, Nikolaos, Mireshghallah, Niloofar
Format: Preprint
Published: 2026
Subjects:
Online Access:https://arxiv.org/abs/2605.22373
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866913156385734656
author Hughes, Anthony
Goldberg, Alexander
Jha, Prince
Perer, Adam
Aletras, Nikolaos
Mireshghallah, Niloofar
author_facet Hughes, Anthony
Goldberg, Alexander
Jha, Prince
Perer, Adam
Aletras, Nikolaos
Mireshghallah, Niloofar
contents Safety classifiers are essential safeguards within generative AI systems, filtering harmful content or identifying at-risk users when interacting with large language models. Despite their necessity, these models are trained on sensitive datasets including discussions of self-harm and mental health, raising important, yet poorly understood, privacy concerns. Membership inference attacks (MIAs) allow adversaries to infer membership of examples used to train models. In this work, we hypothesize that identifying the examples on which the classifier is least confident are informative for an adversary to infer membership. This reflects a localized failure of generalization, where the model relies on memorization to resolve ambiguity in the training set. To investigate this, we introduce a new boundary-targeted selection strategy that identifies low confidence examples that amplify the signal of an examples membership within a training set. Our experimental results show that an adversary can recover 19% of the conversations a safety classifier flagged as indicating user distress, at a 5% false-positive rate, on a classifier fine-tuned for detecting a user who may require emotional support. This is $3.5$ times more than attacking using state-of-the-art MIA methods alone. Finally, we characterize the boundary laying examples and show that content-based filtering is ineffective for protection, and existing noise strategies can effectively mitigate susceptibility of these examples.
format Preprint
id arxiv_https___arxiv_org_abs_2605_22373
institution arXiv
publishDate 2026
record_format arxiv
spellingShingle Boundary-targeted Membership Inference Attacks on Safety Classifiers
Hughes, Anthony
Goldberg, Alexander
Jha, Prince
Perer, Adam
Aletras, Nikolaos
Mireshghallah, Niloofar
Machine Learning
Computation and Language
Safety classifiers are essential safeguards within generative AI systems, filtering harmful content or identifying at-risk users when interacting with large language models. Despite their necessity, these models are trained on sensitive datasets including discussions of self-harm and mental health, raising important, yet poorly understood, privacy concerns. Membership inference attacks (MIAs) allow adversaries to infer membership of examples used to train models. In this work, we hypothesize that identifying the examples on which the classifier is least confident are informative for an adversary to infer membership. This reflects a localized failure of generalization, where the model relies on memorization to resolve ambiguity in the training set. To investigate this, we introduce a new boundary-targeted selection strategy that identifies low confidence examples that amplify the signal of an examples membership within a training set. Our experimental results show that an adversary can recover 19% of the conversations a safety classifier flagged as indicating user distress, at a 5% false-positive rate, on a classifier fine-tuned for detecting a user who may require emotional support. This is $3.5$ times more than attacking using state-of-the-art MIA methods alone. Finally, we characterize the boundary laying examples and show that content-based filtering is ineffective for protection, and existing noise strategies can effectively mitigate susceptibility of these examples.
title Boundary-targeted Membership Inference Attacks on Safety Classifiers
topic Machine Learning
Computation and Language
url https://arxiv.org/abs/2605.22373