defense arXiv Jan 22, 2026 · 10w ago
Xinjie Zhou, Zhihui Yang, Lechao Cheng et al. · Zhejiang University · Hefei University of Technology
Defends against LLM PII memorization by inverting the model to synthesize pseudo-PII, then selectively unlearning it via LoRA
Model Inversion Attack Sensitive Information Disclosure nlp
Large language models (LLMs) exhibit powerful capabilities but risk memorizing sensitive personally identifiable information (PII) from their training data, posing significant privacy concerns. While machine unlearning techniques aim to remove such data, they predominantly depend on access to the training data. This requirement is often impractical, as training data in real-world deployments is commonly proprietary or inaccessible. To address this limitation, we propose Data-Free Selective Unlearning (DFSU), a novel privacy-preserving framework that removes sensitive PII from an LLM without requiring its training data. Our approach first synthesizes pseudo-PII through language model inversion, then constructs token-level privacy masks for these synthetic samples, and finally performs token-level selective unlearning via a contrastive mask loss within a low-rank adaptation (LoRA) subspace. Extensive experiments on the AI4Privacy PII-Masking dataset using Pythia models demonstrate that our method effectively removes target PII while maintaining model utility.
llm transformer Zhejiang University · Hefei University of Technology
ML Security Papers