benchmark 2025

Comparing Reconstruction Attacks on Pretrained Versus Full Fine-tuned Large Language Model Embeddings on Homo Sapiens Splice Sites Genomic Data

Reem Al-Saidi 1, Erman Ayday 2, Ziad Kobti 1

0 citations · 36 references · TrustCom

Published on arXiv

2511.07481

Model Inversion Attack

OWASP ML Top 10 — ML03

Sensitive Information Disclosure

OWASP LLM Top 10 — LLM06

Key Finding

Fine-tuning LLMs on genomic tasks reduces embedding reconstruction attack success by up to 19.8% (XLNet), suggesting task-specific optimization as an unintended privacy-enhancing mechanism for sensitive genomic data.


This study investigates embedding reconstruction attacks in large language models (LLMs) applied to genomic sequences, with a specific focus on how fine-tuning affects vulnerability to these attacks. Building upon Pan et al.'s seminal work demonstrating that embeddings from pretrained language models can leak sensitive information, we conduct a comprehensive analysis using the HS3D genomic dataset to determine whether task-specific optimization strengthens or weakens privacy protections. Our research extends Pan et al.'s work in three significant dimensions. First, we apply their reconstruction attack pipeline to pretrained and fine-tuned model embeddings, addressing a critical gap in their methodology that did not specify embedding types. Second, we implement specialized tokenization mechanisms tailored specifically for DNA sequences, enhancing the model's ability to process genomic data, as these models are pretrained on natural language and not DNA. Third, we perform a detailed comparative analysis examining position-specific, nucleotide-type, and privacy changes between pretrained and fine-tuned embeddings. We assess embedding vulnerabilities across different types and dimensions, providing deeper insights into how task adaptation shifts privacy risks throughout genomic sequences. Our findings show a clear distinction in reconstruction vulnerability between pretrained and fine-tuned embeddings. Notably, fine-tuning strengthens resistance to reconstruction attacks in multiple architectures, namely XLNet (+19.8%), GPT-2 (+9.8%), and BERT (+7.8%), pointing to task-specific optimization as a potential privacy enhancement mechanism. These results highlight the need for advanced protective mechanisms for language models processing sensitive genomic data, while highlighting fine-tuning as a potential privacy-enhancing technique worth further exploration.


Key Contributions

  • First systematic empirical comparison of embedding reconstruction attack vulnerability between pretrained and fine-tuned LLMs on sensitive genomic (DNA splice site) data
  • DNA-specific tokenization mechanism for LLMs pretrained on natural language, enabling fair evaluation of genomic embedding privacy
  • Position-specific and nucleotide-type analysis demonstrating that fine-tuning consistently reduces reconstruction vulnerability: XLNet (+19.8%), GPT-2 (+9.8%), BERT (+7.8%)

🛡️ Threat Analysis

Model Inversion Attack

Paper's primary focus is embedding inversion/reconstruction attacks — an adversary recovers private genomic sequences from LLM embedding vectors; paper evaluates attack success across pretrained and fine-tuned models (BERT, GPT-2, XLNet, RoBERTa) using Pan et al.'s reconstruction pipeline.


Details

Domains
nlp
Model Types
llm, transformer
Threat Tags
black_box, inference_time
Datasets
HS3D (Homo Sapiens Splice Sites Dataset)
Applications
genomic sequence analysis, splice site prediction, genomic privacy protection