最近的工作证明了从生成语言模型中成功提取培训数据。但是，在文本分类模型中，这种提取是否可行，因为培训目标是预测类标签而不是下一字预测。这提出了一个有趣的挑战，并提出了关于文本分类设置中培训数据隐私的重要问题。因此，我们通过研究与学习任务无关的培训数据的意外记忆的问题来研究文本分类域中的潜在隐私泄漏。我们提出了一种算法，通过利用模型提供的类标签的可能性来提取部分文本的缺失令牌。我们通过将金丝雀插入训练集并试图在训练后提取令牌来测试算法的有效性。在我们的实验中，我们证明了在一定程度上可以成功提取。这也可以用作审计策略，以评估未经同意的任何未经授权使用个人数据的使用。

Privacy preserving deep learning is an emerging field in machine learning that aims to mitigate the privacy risks in the use of deep neural networks. One such risk is training data extraction from language models that have been trained on datasets , which contain personal and privacy sensitive information. In our study, we investigate the extent of named entity memorization in fine-tuned BERT models. We use single-label text classification as representative downstream task and employ three different fine-tuning setups in our experiments, including one with Differentially Privacy (DP). We create a large number of text samples from the fine-tuned BERT models utilizing a custom sequential sampling strategy with two prompting strategies. We search in these samples for named entities and check if they are also present in the fine-tuning datasets. We experiment with two benchmark datasets in the domains of emails and blogs. We show that the application of DP has a huge effect on the text generation capabilities of BERT. Furthermore, we show that a fine-tuned BERT does not generate more named entities entities specific to the fine-tuning dataset than a BERT model that is pre-trained only. This suggests that BERT is unlikely to emit personal or privacy sensitive named entities. Overall, our results are important to understand to what extent BERT-based services are prone to training data extraction attacks.

随着大型预训练的语言模型（例如GPT-2和BERT）的广泛可用性，最近的趋势是微调一个预训练的模型，以在下游任务上实现最新的性能。一个自然的示例是“智能回复”应用程序，其中调整了预训练的模型以为给定的查询消息提供建议的答复。由于这些模型通常是使用敏感数据（例如电子邮件或聊天成绩单）调整的，因此了解和减轻模型泄漏其调整数据的风险很重要。我们研究了典型的智能回复管道中的潜在信息泄漏漏洞，并引入了一种新型的主动提取攻击，该攻击利用包含敏感数据的文本中的规范模式。我们通过实验表明，对手可以提取培训数据中存在的敏感用户信息。我们探讨了潜在的缓解策略，并从经验上证明了差异隐私如何成为这种模式提取攻击的有效防御机制。

It has become common to publish large (billion parameter) language models that have been trained on private datasets. This paper demonstrates that in such settings, an adversary can perform a training data extraction attack to recover individual training examples by querying the language model. We demonstrate our attack on GPT-2, a language model trained on scrapes of the public Internet, and are able to extract hundreds of verbatim text sequences from the model's training data. These extracted examples include (public) personally identifiable information (names, phone numbers, and email addresses), IRC conversations, code, and 128-bit UUIDs. Our attack is possible even though each of the above sequences are included in just one document in the training data.We comprehensively evaluate our extraction attack to understand the factors that contribute to its success. Worryingly, we find that larger models are more vulnerable than smaller models. We conclude by drawing lessons and discussing possible safeguards for training large language models.

Language models are widely deployed to provide automatic text completion services in user products. However, recent research has revealed that language models (especially large ones) bear considerable risk of memorizing private training data, which is then vulnerable to leakage and extraction by adversaries. In this study, we test the efficacy of a range of privacy-preserving techniques to mitigate unintended memorization of sensitive user text, while varying other factors such as model size and adversarial conditions. We test both "heuristic" mitigations (those without formal privacy guarantees) and Differentially Private training, which provides provable levels of privacy at the cost of some model performance. Our experiments show that (with the exception of L2 regularization), heuristic mitigations are largely ineffective in preventing memorization in our test suite, possibly because they make too strong of assumptions about the characteristics that define "sensitive" or "private" text. In contrast, Differential Privacy reliably prevents memorization in our experiments, despite its computational and model-performance costs.

The wide adoption and application of Masked language models~(MLMs) on sensitive data (from legal to medical) necessitates a thorough quantitative investigation into their privacy vulnerabilities -- to what extent do MLMs leak information about their training data? Prior attempts at measuring leakage of MLMs via membership inference attacks have been inconclusive, implying the potential robustness of MLMs to privacy attacks. In this work, we posit that prior attempts were inconclusive because they based their attack solely on the MLM's model score. We devise a stronger membership inference attack based on likelihood ratio hypothesis testing that involves an additional reference MLM to more accurately quantify the privacy risks of memorization in MLMs. We show that masked language models are extremely susceptible to likelihood ratio membership inference attacks: Our empirical results, on models trained on medical notes, show that our attack improves the AUC of prior membership inference attacks from 0.66 to an alarmingly high 0.90 level, with a significant improvement in the low-error region: at 1% false positive rate, our attack is 51X more powerful than prior work.

大数据的收集和可用性，结合预先训练的模型（例如，BERT，XLNET等）的进步，彻底改变了现代自然语言处理任务的预测性能，从文本分类到文本生成。这允许公司通过封装作为API的微调BERT的模型来提供作为服务（MLAAS）的机器学习。但是，基于BERT的API展示了一系列安全性和隐私漏洞。例如，先前的工作通过提取的模型制作的对手示例利用了基于BERT的API的安全问题。然而，通过提取的模型的BERT基API的隐私泄漏问题尚未得到很好的研究。另一方面，由于基于BERT的API的高容量，微调模型易于覆盖，但是可以从提取的模型泄露哪种信息仍然未知。在这项工作中，我们首先介绍有效的模型提取攻击，我们通过仅通过查询有限数量的查询来实际窃取基于BERT的API（目标/受害者模型）。我们进一步开发了有效的属性推理攻击，可以推断基于BERT的API使用的训练数据的敏感属性。我们在各种逼真设置下对基准数据集进行了广泛的实验，验证了基于BERT的API的潜在漏洞。此外，我们展示了两个有希望的防御方法对我们的攻击无效，这需要更有效的防御方法。

Past work has shown that large language models are susceptible to privacy attacks, where adversaries generate sequences from a trained model and detect which sequences are memorized from the training set. In this work, we show that the success of these attacks is largely due to duplication in commonly used web-scraped training sets. We first show that the rate at which language models regenerate training sequences is superlinearly related to a sequence's count in the training set. For instance, a sequence that is present 10 times in the training data is on average generated ~1000 times more often than a sequence that is present only once. We next show that existing methods for detecting memorized sequences have near-chance accuracy on non-duplicated training sequences. Finally, we find that after applying methods to deduplicate training data, language models are considerably more secure against these types of privacy attacks. Taken together, our results motivate an increased focus on deduplication in privacy-sensitive applications and a reevaluation of the practicality of existing privacy attacks.

大型语言模型被显示为记住隐私信息，例如培训数据中的社会保险号。鉴于培训语料库的巨大规模，筛选和自动筛选和过滤这些隐私数据是一项挑战。在本文中，我们提出了秘密编辑的培训（CRT），这是一种培训语言生成模型的方法，同时保护机密细分市场。我们从差异隐私（解决一个相关但独特的问题）中借鉴了想法，并表明我们的方法能够通过随机将培训过程的部分随机化来防止意外的记忆。此外，我们证明了通过近似正确的筛选策略进行修复会放大机密性保证。我们实施LSTM和GPT语言模型的方法。我们的实验结果表明，通过CRT训练的模型获得了几乎相同的困惑，同时保持了强大的机密性。

We introduce a new language representation model called BERT, which stands for Bidirectional Encoder Representations from Transformers. Unlike recent language representation models (Peters et al., 2018a;Radford et al., 2018), BERT is designed to pretrain deep bidirectional representations from unlabeled text by jointly conditioning on both left and right context in all layers. As a result, the pre-trained BERT model can be finetuned with just one additional output layer to create state-of-the-art models for a wide range of tasks, such as question answering and language inference, without substantial taskspecific architecture modifications.BERT is conceptually simple and empirically powerful. It obtains new state-of-the-art results on eleven natural language processing tasks, including pushing the GLUE score to 80.5% (7.7% point absolute improvement), MultiNLI accuracy to 86.7% (4.6% absolute improvement), SQuAD v1.1 question answering Test F1 to 93.2 (1.5 point absolute improvement) and SQuAD v2.0 Test F1 to 83.1 (5.1 point absolute improvement).

This paper describes a testing methodology for quantitatively assessing the risk that rare or unique training-data sequences are unintentionally memorized by generative sequence models-a common type of machine-learning model. Because such models are sometimes trained on sensitive data (e.g., the text of users' private messages), this methodology can benefit privacy by allowing deep-learning practitioners to select means of training that minimize such memorization.In experiments, we show that unintended memorization is a persistent, hard-to-avoid issue that can have serious consequences. Specifically, for models trained without consideration of memorization, we describe new, efficient procedures that can extract unique, secret sequences, such as credit card numbers. We show that our testing strategy is a practical and easy-to-use first line of defense, e.g., by describing its application to quantitatively limit data exposure in Google's Smart Compose, a commercial text-completion neural network trained on millions of users' email messages.

NLP中的培训数据记忆可以是有益的（例如，封闭书QA）和不良（个人数据提取）。无论如何，成功的模型培训需要非琐碎的记忆量来存储单词拼写，各种语言特质和共同知识。然而，关于影响NLP模型的记忆行为的内容知之甚少，因为该字段倾向于专注于泛化的同样重要问题。在这项工作中，我们证明了由字节对编码（BPE）学习的子字词汇的大小极大地影响了标准变压器模型的能力和趋势，即使我们控制获取学习参数的数量，也是如此。我们发现，通过大小的子字词汇大小，变压器模型更容易适合随机映射，更容易受到成员推理攻击。同样，给定提示，具有大小字词汇的基于变换器的语言模型更频繁地再现培训数据。我们猜测这种效果是由于随着BPE词汇量而发生的序列的减少引起的。我们的研究结果可以允许更明智的超参数选择，这对于特定用例来说更好地定制。

我们提出了Pangu-Coder，这是一种仅预读的解码器语言模型，该模型采用pangu-alpha架构进行文本到代码生成，即给定自然语言问题描述的编程语言解决方案的合成。我们使用两阶段策略训练Pangu-Coder：第一阶段采用因果语言建模（CLM）来预先培训原始编程语言数据，而第二阶段则使用因果语言建模和掩盖语言建模（MLM）的组合培训目标，专注于文本到代码生成的下游任务，并培训松散的自然语言程序定义和代码功能。最后，我们讨论了pangu-coder-ft，该pander the是通过竞争性编程问题和代码与持续集成测试的结合进行了微调的。我们评估了pangu-coder，重点是它是否生成功能上正确的程序，并证明它在参加较小的上下文窗口和较少的数据培训的同时，它比诸如Codex之类的类似大小的模型（例如Codex）实现等效性或更好的性能。

Named entity recognition models (NER), are widely used for identifying named entities (e.g., individuals, locations, and other information) in text documents. Machine learning based NER models are increasingly being applied in privacy-sensitive applications that need automatic and scalable identification of sensitive information to redact text for data sharing. In this paper, we study the setting when NER models are available as a black-box service for identifying sensitive information in user documents and show that these models are vulnerable to membership inference on their training datasets. With updated pre-trained NER models from spaCy, we demonstrate two distinct membership attacks on these models. Our first attack capitalizes on unintended memorization in the NER's underlying neural network, a phenomenon NNs are known to be vulnerable to. Our second attack leverages a timing side-channel to target NER models that maintain vocabularies constructed from the training data. We show that different functional paths of words within the training dataset in contrast to words not previously seen have measurable differences in execution time. Revealing membership status of training samples has clear privacy implications, e.g., in text redaction, sensitive words or phrases to be found and removed, are at risk of being detected in the training dataset. Our experimental evaluation includes the redaction of both password and health data, presenting both security risks and privacy/regulatory issues. This is exacerbated by results that show memorization with only a single phrase. We achieved 70% AUC in our first attack on a text redaction use-case. We also show overwhelming success in the timing attack with 99.23% AUC. Finally we discuss potential mitigation approaches to realize the safe use of NER models in light of the privacy and security implications of membership inference attacks.

Transfer learning, where a model is first pre-trained on a data-rich task before being finetuned on a downstream task, has emerged as a powerful technique in natural language processing (NLP). The effectiveness of transfer learning has given rise to a diversity of approaches, methodology, and practice. In this paper, we explore the landscape of transfer learning techniques for NLP by introducing a unified framework that converts all text-based language problems into a text-to-text format. Our systematic study compares pre-training objectives, architectures, unlabeled data sets, transfer approaches, and other factors on dozens of language understanding tasks. By combining the insights from our exploration with scale and our new "Colossal Clean Crawled Corpus", we achieve state-of-the-art results on many benchmarks covering summarization, question answering, text classification, and more. To facilitate future work on transfer learning for NLP, we release our data set, pre-trained models, and code.

分层文本分类包括将文本文档分类为类和子类的层次结构。尽管人造神经网络已经证明有用的是执行这项任务，但遗憾的是，由于培训数据记忆，他们可以将培训数据信息泄漏到对手。在模型培训期间使用差异隐私可以减轻泄漏攻击训练型型号，使模型能够以降低的模型精度安全地共享。这项工作调查了具有差异隐私保证的分层文本分类中的隐私实用权折衷，并识别了提供优越权衡的神经网络架构。为此，我们使用白盒会员推理攻击来凭经验评估三种广泛使用的神经网络架构的信息泄漏。我们表明，大型差异隐私参数已经足以完全减轻隶属度推理攻击，因此仅导致模型实用程序的中等减少。更具体地说，对于具有长文本的大型数据集，我们观察了基于变压器的模型，实现了整体有利的隐私式实用工具权，而对于具有较短文本的较小的数据集是优选的。

Laws and their interpretations, legal arguments and agreements\ are typically expressed in writing, leading to the production of vast corpora of legal text. Their analysis, which is at the center of legal practice, becomes increasingly elaborate as these collections grow in size. Natural language understanding (NLU) technologies can be a valuable tool to support legal practitioners in these endeavors. Their usefulness, however, largely depends on whether current state-of-the-art models can generalize across various tasks in the legal domain. To answer this currently open question, we introduce the Legal General Language Understanding Evaluation (LexGLUE) benchmark, a collection of datasets for evaluating model performance across a diverse set of legal NLU tasks in a standardized way. We also provide an evaluation and analysis of several generic and legal-oriented models demonstrating that the latter consistently offer performance improvements across multiple tasks.

NLP是与计算机或机器理解和解释人类语言的能力有关的人工智能和机器学习的一种形式。语言模型在文本分析和NLP中至关重要，因为它们允许计算机解释定性输入并将其转换为可以在其他任务中使用的定量数据。从本质上讲，在转移学习的背景下，语言模型通常在大型通用语料库上进行培训，称为预训练阶段，然后对特定的基本任务进行微调。结果，预训练的语言模型主要用作基线模型，该模型包含了对上下文的广泛掌握，并且可以进一步定制以在新的NLP任务中使用。大多数预训练的模型都经过来自Twitter，Newswire，Wikipedia和Web等通用领域的Corpora培训。在一般文本中训练的现成的NLP模型可能在专业领域效率低下且不准确。在本文中，我们提出了一个名为Securebert的网络安全语言模型，该模型能够捕获网络安全域中的文本含义，因此可以进一步用于自动化，用于许多重要的网络安全任务，否则这些任务将依靠人类的专业知识和繁琐的手动努力。 Securebert受到了我们从网络安全和一般计算域的各种来源收集和预处理的大量网络安全文本培训。使用我们提出的令牌化和模型权重调整的方法，Securebert不仅能够保留对一般英语的理解，因为大多数预训练的语言模型都可以做到，而且在应用于具有网络安全含义的文本时也有效。

With the capability of modeling bidirectional contexts, denoising autoencoding based pretraining like BERT achieves better performance than pretraining approaches based on autoregressive language modeling. However, relying on corrupting the input with masks, BERT neglects dependency between the masked positions and suffers from a pretrain-finetune discrepancy. In light of these pros and cons, we propose XLNet, a generalized autoregressive pretraining method that (1) enables learning bidirectional contexts by maximizing the expected likelihood over all permutations of the factorization order and (2) overcomes the limitations of BERT thanks to its autoregressive formulation. Furthermore, XLNet integrates ideas from Transformer-XL, the state-of-the-art autoregressive model, into pretraining. Empirically, under comparable experiment settings, XLNet outperforms BERT on 20 tasks, often by a large margin, including question answering, natural language inference, sentiment analysis, and document ranking. 1 .

机器学习（ML）模型已广泛应用于各种应用，包括图像分类，文本生成，音频识别和图形数据分析。然而，最近的研究表明，ML模型容易受到隶属推导攻击（MIS），其目的是推断数据记录是否用于训练目标模型。 ML模型上的MIA可以直接导致隐私违规行为。例如，通过确定已经用于训练与某种疾病相关的模型的临床记录，攻击者可以推断临床记录的所有者具有很大的机会。近年来，MIS已被证明对各种ML模型有效，例如，分类模型和生成模型。同时，已经提出了许多防御方法来减轻米西亚。虽然ML模型上的MIAS形成了一个新的新兴和快速增长的研究区，但还没有对这一主题进行系统的调查。在本文中，我们对会员推论和防御进行了第一个全面调查。我们根据其特征提供攻击和防御的分类管理，并讨论其优点和缺点。根据本次调查中确定的限制和差距，我们指出了几个未来的未来研究方向，以激发希望遵循该地区的研究人员。这项调查不仅是研究社区的参考，而且还为该研究领域之外的研究人员带来了清晰的照片。为了进一步促进研究人员，我们创建了一个在线资源存储库，并与未来的相关作品继续更新。感兴趣的读者可以在https://github.com/hongshenghu/membership-inference-machine-learning-literature找到存储库。