Towards Sentence Level Inference Attack Against Pre-trained Language Models
In recent years, pre-trained language models (e.g., BERT and GPT) have shown superior capability in textual representation learning, benefiting from their large architectures and massive training corpora. Industry has also quickly embraced language models to develop various downstream NLP applications. For example, Google has already used BERT to improve its search system. The utility of language embeddings also brings potential privacy risks. Prior works have revealed that an adversary can either identify whether a keyword exists or gather a set of possible candidates for each word in a sentence embedding. However, these attacks cannot recover coherent sentences, which leak high-level semantic information from the original text. To demonstrate that the adversary can go beyond word-level attacks, we present a novel decoder-based attack that can reconstruct meaningful text from private embeddings after being pre-trained on a public dataset of the same domain. This attack is more challenging than a word-level attack due to the complexity of sentence structures. We comprehensively evaluate our attack in two domains and under different settings to show its superiority over the baseline attacks. Quantitative experimental results show that our attack can identify up to 3.5× as many keywords as the baseline attacks. Although our method reconstructs high-quality sentences in many cases, it often produces lower-quality sentences as well. We discuss these cases and the limitations of our method in detail.
| Published in | Proceedings on Privacy Enhancing Technologies Vol. 2023; no. 3; pp. 62 - 78 |
|---|---|
| Main Authors | Gu, Kang; Kabir, Ehsanul; Ramsurrun, Neha; Vosoughi, Soroush; Mehnaz, Shagufta |
| Format | Journal Article |
| Language | English |
| Published | 01.07.2023 |
| Online Access | https://petsymposium.org/popets/2023/popets-2023-0070.pdf |
| ISSN | 2299-0984 |
| DOI | 10.56553/popets-2023-0070 |
| Abstract | In recent years, pre-trained language models (e.g., BERT and GPT) have shown superior capability in textual representation learning, benefiting from their large architectures and massive training corpora. Industry has also quickly embraced language models to develop various downstream NLP applications. For example, Google has already used BERT to improve its search system. The utility of language embeddings also brings potential privacy risks. Prior works have revealed that an adversary can either identify whether a keyword exists or gather a set of possible candidates for each word in a sentence embedding. However, these attacks cannot recover coherent sentences, which leak high-level semantic information from the original text. To demonstrate that the adversary can go beyond word-level attacks, we present a novel decoder-based attack that can reconstruct meaningful text from private embeddings after being pre-trained on a public dataset of the same domain. This attack is more challenging than a word-level attack due to the complexity of sentence structures. We comprehensively evaluate our attack in two domains and under different settings to show its superiority over the baseline attacks. Quantitative experimental results show that our attack can identify up to 3.5× as many keywords as the baseline attacks. Although our method reconstructs high-quality sentences in many cases, it often produces lower-quality sentences as well. We discuss these cases and the limitations of our method in detail. |
|---|---|
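The threat model in the abstract — an adversary who sees only a private sentence embedding, but has public text from the same domain — can be illustrated with a minimal toy sketch. This is not the paper's method (the paper trains a generative decoder); here a nearest-neighbour lookup over a hypothetical public corpus stands in for the decoder, and a bag-of-words vector stands in for a BERT embedding. All names and sentences below are illustrative assumptions.

```python
# Toy sketch of sentence-level embedding inversion (NOT the paper's decoder):
# the adversary scores public same-domain candidates against a leaked
# embedding and returns the best match.
from collections import Counter
import math

def embed(sentence):
    """Bag-of-words 'embedding' -- a crude stand-in for a BERT sentence vector."""
    return Counter(sentence.lower().split())

def cosine(a, b):
    # Cosine similarity between two sparse word-count vectors.
    dot = sum(a[w] * b[w] for w in a)
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0

# Hypothetical public corpus from the same domain as the private text.
public_corpus = [
    "the weather is nice today",
    "patient diagnosed with type two diabetes",
    "stock prices fell sharply this week",
]

def invert(private_embedding, corpus):
    # The same-domain assumption from the abstract: public text lets the
    # adversary reconstruct semantics from an otherwise opaque embedding.
    return max(corpus, key=lambda s: cosine(embed(s), private_embedding))

leaked = embed("the patient was diagnosed with diabetes")  # private sentence
print(invert(leaked, public_corpus))  # → "patient diagnosed with type two diabetes"
```

Even this crude lookup recovers the private sentence's topic; the paper's decoder goes further and generates coherent text rather than selecting from fixed candidates.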
| Author | Gu, Kang (Dartmouth College); Kabir, Ehsanul (Penn State University); Ramsurrun, Neha (Dartmouth College); Vosoughi, Soroush (Dartmouth College); Mehnaz, Shagufta (Penn State University) |
| BookMark | eNqFkMtOwzAQRS1UJErpB7DzDwTsOHaSZVXxqAgCibK2pvakCgQnsl2q_j1NywKxgNXcWZw7mnNORq5zSMglZ1dSSSmu-67HGJKUpSJhLGcnZJymZZmwsshGP_IZmYbwxhjjSnIuizF5WHZb8DbQF3QRnUFa4Se2dOFq9Id9FiOYdzpbQ-NCpM8ek-j3GS2twK03sEb62FlswwU5raENOP2eE_J6e7Oc3yfV091iPqsSw4VgiTAA3KyEyspCZBkoWFmGUK5yq4wRubWyrm0qClkomwmUqkArkMkayhwkExOSHns3rofdFtpW9775AL_TnOmDEX00ogcjejCyh_IjZHwXgsdamyZCbDo3fNP-SfJf5P_XvgBqSnry |
| CitedBy_id | 10.1007/s11191-024-00561-9 |
| ContentType | Journal Article |
| Discipline | Law |
| EISSN | 2299-0984 |
| EndPage | 78 |
| IsDoiOpenAccess | true |
| IsOpenAccess | true |
| IsPeerReviewed | true |
| IsScholarly | true |
| Issue | 3 |
| Language | English |
| License | CC BY 4.0 (https://creativecommons.org/licenses/by/4.0) |
| PageCount | 17 |
| PublicationDate | 2023-07-01 |
| PublicationTitle | Proceedings on Privacy Enhancing Technologies |
| PublicationYear | 2023 |
| URI | https://petsymposium.org/popets/2023/popets-2023-0070.pdf |