Detecting Data Contamination in Large Language Models

Large Language Models (LLMs) utilize large amounts of data for their training, some of which may come from copyrighted sources. Membership Inference Attacks (MIA) aim to detect those documents and whether they have been included in the training corpora of the LLMs. The black-box MIAs require a significant amount of data manipulation; therefore, their comparison is often challenging. We study state-of-the-art (SOTA) MIAs under the black-box assumptions and compare them to each other using a unified set of datasets to determine if any of them can reliably detect membership under SOTA LLMs. In addition, a new method, called the Familiarity Ranking, was developed to showcase a possible approach to black-box MIAs, thereby giving LLMs more freedom in their expression to understand their reasoning better. The results indicate that none of the methods are capable of reliably detecting membership in LLMs, as shown by an AUC-ROC of approximately 0.5 for all methods across several LLMs. The higher TPR and FPR for more advanced LLMs indicate higher reasoning and generalizing capabilities, showcasing the difficulty of detecting membership in LLMs using black-box MIAs.

Key Contributions

Proposes Familiarity Ranking, a novel black-box MIA method for LLMs
First evaluation of SOTA black-box MIAs on recent LLMs using unified datasets
Unified benchmark comparison of black-box MIA methods across multiple LLMs

🛡️ Threat Analysis

Membership Inference Attack

Paper specifically evaluates membership inference attacks (MIA) on LLMs — determining whether specific documents were in the training corpus. Proposes a new black-box MIA method (Familiarity Ranking) and benchmarks existing SOTA black-box MIA methods across multiple LLMs.