benchmark 2025

Exploring Cross-Client Memorization of Training Data in Large Language Models for Federated Learning

Tinnakit Udsa 1, Can Udomcharoenchaikit 1, Patomporn Payoungkhamdee 1, Sarana Nutanong 1, Norrathep Rattanavipanon 2

1 VISTEC

2 Prince of Songkla University

0 citations · 22 references · arXiv
α

Published on arXiv

2510.08750

Model Inversion Attack

OWASP ML Top 10 — ML03

Sensitive Information Disclosure

OWASP LLM Top 10 — LLM06

Key Finding

FL-trained LLMs memorize client training data with intra-client memorization exceeding inter-client memorization, and memorization levels are significantly influenced by decoding strategies and prefix length

Federated learning (FL) enables collaborative training without raw data sharing, but still risks training data memorization. Existing FL memorization detection techniques focus on one sample at a time, underestimating more subtle risks of cross-sample memorization. In contrast, recent work on centralized learning (CL) has introduced fine-grained methods to assess memorization across all samples in training data, but these assume centralized access to data and cannot be applied directly to FL. We bridge this gap by proposing a framework that quantifies both intra- and inter-client memorization in FL using fine-grained cross-sample memorization measurement across all clients. Based on this framework, we conduct two studies: (1) measuring subtle memorization across clients and (2) examining key factors that influence memorization, including decoding strategies, prefix length, and FL algorithms. Our findings reveal that FL models do memorize client data, particularly intra-client data, more than inter-client data, with memorization influenced by training and inferencing factors.

Key Contributions

  • Framework to quantify both intra- and inter-client memorization in FL using fine-grained cross-sample memorization measurement across all clients
  • Empirical study showing FL-trained LLMs memorize intra-client data more than inter-client data
  • Analysis of key factors influencing FL memorization including decoding strategies, prefix length, and FL algorithm choice

🛡️ Threat Analysis

Model Inversion Attack

The framework quantifies how much FL-trained LLMs retain and can reproduce client training data by providing prefixes and measuring completion — directly measuring training data reconstruction risk (memorization) in a federated setting with distinct client data boundaries.

Details

Domains
nlpfederated-learning
Model Types
llmfederated
Threat Tags
training_time
Applications
federated learninglanguage modeling
Read PDF arXiv DOI

Similar Papers

attack

Reconstructing Training Data from Adapter-based Federated Large Language Models

2026 0 cit.
Model Inversion Attack
76%
attack

SOMP: Scalable Gradient Inversion for Large Language Models via Subspace-Guided Orthogonal Matching Pursuit

2026 0 cit.
Model Inversion Attack
76%
attack

Can Federated Learning Safeguard Private Data in LLM Training? Vulnerabilities, Attacks, and Defense Evaluation

2025 0 cit.
Model Inversion Attack
72%
defense

Mitigating Gradient Inversion Risks in Language Models via Token Obfuscation

2026 0 cit.
Model Inversion Attack
71%
defense

SecureGate: Learning When to Reveal PII Safely via Token-Gated Dual-Adapters for Federated LLMs

2026 0 cit.
Model Inversion Attack
68%
benchmark

Unintended Memorization of Sensitive Information in Fine-Tuned Language Models

2026 0 cit.
Model Inversion Attack
65%
benchmark

Personal Information Parroting in Language Models

2026 0 cit.
Model Inversion Attack
65%
benchmark

Understanding Privacy Risks in Code Models Through Training Dynamics: A Causal Approach

2025 1 cit.
Model Inversion Attack
65%