Window-based Membership Inference Attacks Against Fine-tuned Large Language Models

Most membership inference attacks (MIAs) against Large Language Models (LLMs) rely on global signals, like average loss, to identify training data. This approach, however, dilutes the subtle, localized signals of memorization, reducing attack effectiveness. We challenge this global-averaging paradigm, positing that membership signals are more pronounced within localized contexts. We introduce WBC (Window-Based Comparison), which exploits this insight through a sliding window approach with sign-based aggregation. Our method slides windows of varying sizes across text sequences, with each window casting a binary vote on membership based on loss comparisons between target and reference models. By ensembling votes across geometrically spaced window sizes, we capture memorization patterns from token-level artifacts to phrase-level structures. Extensive experiments across eleven datasets demonstrate that WBC substantially outperforms established baselines, achieving higher AUC scores and 2-3 times improvements in detection rates at low false positive thresholds. Our findings reveal that aggregating localized evidence is fundamentally more effective than global averaging, exposing critical privacy vulnerabilities in fine-tuned LLMs.

Key Contributions

• Challenges the global-averaging paradigm for MIA, demonstrating that localized memorization signals are fundamentally more discriminative than average loss
• Proposes WBC (Window-Based Comparison), a sliding-window attack that casts binary membership votes per window and ensembles across geometrically spaced window sizes
• Demonstrates 2-3x improvements in true positive rates at low false positive thresholds across 11 datasets against fine-tuned LLMs

🛡️ Threat Analysis

Details

Similar Papers