We agree with your point that “white-box” can refer to different types of access – e.g., gradients vs. log-likelihoods – and thus exists on a spectrum. In our paper, we treat all methods requiring any internal scoring signals as white-box without further sub-classification for clarity. We will also clarify this explicitly in the next version of our paper in Section 2.

Regarding whether methods and models are tied, we clarify that methods are defined by what information they require, and models by what information they expose. A white-box method (e.g., one requiring token likelihoods) can only be applied to models that expose the necessary internal signals (ie, a white-box model with respect to token likelihoods). Therefore, such a method cannot be used on a model that only provides completions (aka, a black-box model). Conversely, black-box methods are broadly applicable across all models, as they require only surface-level access to generated outputs. We will clarify this distinction to avoid ambiguity between method and models access levels.

Finally, thank you for noting the phrasing regarding baselines. We will revise our phrasing throughout the text to avoid implying that our method outperforms all black-box methods, and instead explicitly name the baseline (e.g., “our method is more efficient than DE-COP”).

---

Concern 4: It may be worthwhile citing the following paper. They show that using a group of sentences (rather than a single sentence) with ngram features can lead to improvements in the membership inference attack. The method is different and their setting focuses on machine translation sequence-to-sequence models, but their result corroborates well with your idea of using multiple strings and ngram overlaps.

• Hisamoto (2020). Membership Inference Attacks on Sequence-to-Sequence Models: Is My Data In Your Machine Translation System? https://direct.mit.edu/tacl/article/doi/10.1162/tacl_a_00299/43536/Membership-Inference-Attacks-on-Sequence-to

Thank you for this excellent suggestion! We appreciate you pointing out this highly relevant work. While they focus on machine translation, their demonstration that n-gram features are effective for membership inference in sequence-to-sequence models provides useful corroboration for our approach.

We will add this to our related work section**, acknowledging their contribution to demonstrating that n-gram-based features can be effective signals for membership inference, which supports exploring such approaches in other settings like ours. Thank you for this helpful reference!

---

Concern 5: Membership inference is a problem that potentially has important ramifications: for example, a prosecutor may use this to decide whether to sue LLM providers for copyright infringement. Because of this, I think there needs to be more rigorous and nuanced discussion of results (beyond simply stating that the method is "effective.").

Thank you for highlighting this important point about the societal implications of membership inference attacks. We agree that given the potential legal and ethical ramifications, our discussion would benefit more nuance and rigor.

We will revise the paper to more clearly articulate what “effective” means in our context, grounding our claims in specific quantitative results (e.g., AUROC, TPR at low FPR) and discussing their real-world implications. We will also explicitly scenarios where high precision is required, such as legal decision-making, and explain the tradeoffs involved in applying our method under such constraints. We also commit to qualifying our claims more rigorously and will avoid any language that could be interpreted as overstating our findings.

Additionally, we will add a dedicated "Limitations and Societal Impact" section that discusses the evidentiary limitations of membership inference attacks. Specifically, we will address: (1) the probabilistic nature of our method and what confidence scores imply in practice, (2) the fact that membership inference is inherently circumstantial and may require corroborating evidence in legal or forensic settings, and (3) the potential for both beneficial applications (e.g., transparency, auditing) and harmful misuse.

We recognize that our work could impact important debates around AI training data and copyright. By providing more rigorous analysis and careful framing, we aim to contribute responsibly to this discussion. Thank you for pushing us to address these crucial considerations.

Below, we include updated versions of all main-text tables, now expanded to include both the new baselines and the additional metrics. For clarity, tables are split up by dataset and metric. The first four columns (under “Ours →”) show our N-Gram Coverage Attack variants; the remaining columns (under “Baselines →”) correspond to the baselines. For each row, the highest-performing black-box method is bolded.

Summary of Results

Our updated experiments on four datasets, WikiMIA, WikiMIA Hard, TULU, and BookMIA, demonstrate strong performance across both AUROC and TPR at low FPR, providing comprehensive evidence of our method's effectiveness compared to multiple black-box baselines.

First, across all datasets, our method still achieves the best or tied-best AUROC among all black-box methods. Specifically, we outperform all baselines in 24 out of 27 model-dataset combinations (ie, Tulu/Tulu-7B), and tie with exactly one other baseline in the remaining three (once with DE-COP on BookMIA, and twice with zlib-normalized SPL on WikiMIA). Again, in many cases our method approaches the performance even of white-box attacks, or sometimes even exceeds it (WikiMIA Hard, LLaMA 7B and 65B).

Second, the TPR at 1% FPR corroborates the strong AUROC results in nearly all cases, demonstrating the effectiveness of N-Gram Coverage attack. On BookMIA, our method excels, outperforming all baselines by a margin of at least 0.14 across all models. On TULU, where other black-box methods generally struggle, our method consistently achieves the highest TPR and often approaches white-box performance, similar to the AUROC trends. On WikiMIA Hard, we win convincingly on 8 out of 10 models, while still maintaining the second-highest score on the other two models (LLaMA-30B and LLaMA-65B). On WikiMIA, our method leads on 2 out of 3 OpenAI models and 1 out of 4 LLaMA models. In the remaining cases, we lose narrowly (by 0.01 in two cases, and by 0.03 and 0.04 in the other two). Notably, on this dataset, no single baseline dominates across models – many baselines perform well on one model but poorly on others, whereas our method exhibits consistent, competitive performance across all models. Additionally, absolute TPR values on WikiMIA remain low for all black-box attacks (typically near 0 and always ≤ 0.06), underscoring the difficulty of obtaining high TPR at low FPR on this benchmark. Overall, these TPR results reinforce our AUROC findings: our method delivers strong, consistent performance across all datasets and models, while other baselines show more erratic performance patterns.

Results at other FPR thresholds (0.1%, 0.5%, 5.0%) largely corroborate the strong findings at 1.0% FPR. It's worth noting that performance at any single threshold can be somewhat arbitrary – some methods achieve early gains at extremely low FPRs but show little improvement thereafter. In contrast, our method demonstrates steady performance gains across the full range of thresholds, indicating a more balanced ROC curve while maintaining high precision throughout. This suggests our method provides strong performance regardless of the specific operating point chosen for deployment.

Our results across AUROC and TPR at low FPR, evaluated against strong black-box baselines across four diverse datasets show that our method is consistently effective across model families, data domains, and evaluation metrics. Unlike the other black-box baselines (including the three newly evaluated methods: VMA, PIP, and SPL) which show inconsistent performance across these settings, our method maintains competitive results whether evaluated on books (BookMIA), recent events (WikiMIA variants), or instruction-tuning data (TULU). This robustness across diverse domains and evaluation metrics, combined with our method's simplicity and efficiency, validates our design choices and establishes N-Gram Coverage Attack as a practical and effective black-box membership inference attack.

(continued from Response to Reviewer avj5 (Part 2)

Overall, our additional results with TPR at low FPR across four diverse datasets confirm our strong AUROC results, showing that our method is consistently effective across model families, data domains, and evaluation metrics. This robustness combined with our method's simplicity and efficiency, validates our design choices and establishes N-Gram Coverage Attack as a practical and effective black-box membership inference attack.

---

Concern 4: (1) One major contribution of this paper is the collection of a new benchmark, WIKIMIA-2024, which, however, is almost identical to the benchmark WIKIMIA-24 released in [1]. Both benchmarks are based on WIKIMIA but adapted to up-to-date LLMs by setting a new cut-off date. The paper should discuss in detail the essential differences between these two benchmarks, if they exist. Additionally, evaluating the proposed method and baselines on WIKIMIA-24 is also necessary.

For clarity, we denote the benchmark we release as WikiMIA_2024 Hard, and the benchmark from [1] as WikiMIA-24.

Clarification of Contributions

We would like to gently clarify that while the WikiMIA_2024 Hard dataset is one of the contributions of our paper, our primary contributions center on: (1) the N-Gram Coverage Attack – a simple, scalable black-box method that often matches white-box performance, and (2) our systematic analysis, revealing how design choices (aggregation strategies, sampling methods, similarity metrics) substantially impact performance.

WikiMIA_2024 Hard supports these contributions by providing a cleaner evaluation setting with reduced distribution shift artifacts. We view it as an important but auxiliary contribution that enables more rigorous evaluation of our method and findings. That said, we recognize the importance of distinguishing WikiMIA_2024 Hard from WikiMIA-24, and provide detailed comparison below.

Differences between WikiMIA_2024 Hard and WikiMIA-24 datasets

Thank you for raising this important distinction between our WikiMIA_2024 Hard dataset and the existing WikiMIA-24 dataset [1]. While both benchmarks apply a similar strategy of updating the cutoff date to adapt to more recent LLMs, their construction methodology differs significantly.

The original WikiMIA dataset [10] is collected by using different Wikipedia articles for members (pre-2017 event pages) and non-members (post-2023 event pages). While useful for initial evaluation, [9] demonstrates that such temporal splits can introduce distribution shifts, where models might leverage spurious features rather than detecting actual memorization.

WikiMIA-24 follows the original WikiMIA [10] collection process nearly identically, only updating the cutoff dates. The authors state they "follow a similar pipeline of WIKIMIA to collect a more up-to-date benchmark by moving forward the cutoff date to March 1, 2024" and "follow the same setting of WIKIMIA" for member data (Section 5.1, Benchmark Datasets Construction). Because WikiMIA-24 only updates the cutoffs, making no other modifications to the data collection procedure of WikiMIA [10], it likely inherits the same distribution shift vulnerabilities identified in [9].

Our WikiMIA_2024 Hard, in contrast, employs a fundamentally different construction approach than in WikiMIA [10] and WikiMIA-24 [1] to specifically address this distribution shift. Unlike these benchmarks which use completely different articles for members vs non-members, WikiMIA_2024 Hard leverages different versions of the same Wikipedia article (pre-2017 and post-2024) to create member/non-member pairs. This ensures that members and non-members are topically aligned and differ only due to the natural evolution of the same entry, rather than being drawn from distinct temporal event sets. By construction, this approach creates a cleaner, lower-shift benchmark that reduces spurious temporal signals. We validate this empirically by showing consistently lower performance across all methods and attacks on WikiMIA_2024 Hard compared to WikiMIA and WikiMIA-24. See Section *Additional Experiments on WikiMIA-24 directly below for detailed analysis. These steps and justifications are described further in Section 4.2 (Lines 200–211) of our paper. We will also clarify these distinctions between WikiMIA-2024 and WikiMIA-24 explicitly in the next version of the paper.

References

[1] Fu, Wenjie, et al. MIA-Tuner: Adapting Large Language Models as Pre-training Text Detector. Proceedings of the AAAI Conference on Artificial Intelligence, vol. 39, 2025, pp. 1234–1242. AAAI Press.

[2] Garg, Isha, et al. “Memorization through the Lens of Curvature of Loss Function around Samples.” Proceedings of the 41st International Conference on Machine Learning, PMLR, 2024.

[3] Ravikumar, Deepak, et al. “Unveiling Privacy, Memorization, and Input Curvature Links.” Proceedings of the 41st International Conference on Machine Learning, PMLR, 2024.

[4] Zhang, Jingyang, et al. Min-K%++: Improved Baseline for Detecting Pre-Training Data from Large Language Models. arXiv:2404.02936, arXiv, 23 May 2024.

[5] Fu, Wenjie, et al. "Membership Inference Attacks against Fine-tuned Large Language Models via Self-prompt Calibration." The Thirty-eighth Annual Conference on Neural Information Processing Systems. 2024.

[6] Carlini, Nicholas, et al. "Membership inference attacks from first principles." 2022 IEEE Symposium on Security and Privacy (2022).

[7] Bertran, Martin, et al. "Scalable membership inference attacks via quantile regression." Advances in Neural Information Processing Systems (2023).

[8] Wen, Yuxin, et al. Canary in a Coalmine: Better Membership Inference with Ensembled Adversarial Queries. International Conference on Learning Representations (ICLR), 2024.

[9] Das, Dipanjan, et al. Blind Baselines Beat Membership Inference Attacks for Foundation Models. arXiv, 2024, arXiv:2406.16201.

[10] Shi, Weijia, et al. Detecting Pretraining Data from Large Language Models. arXiv, 2023, arXiv:2310.16789.

[11] Levenshtein, Vladimir I.. “Binary codes capable of correcting deletions, insertions, and reversals.” Soviet physics. Doklady 10 (1965): 707-710.

[12] Duan, Michael et al. “Do Membership Inference Attacks Work on Large Language Models?” ArXiv abs/2402.07841 (2024)

[13] Xie, Roy et al. “ReCaLL: Membership Inference via Relative Conditional Log-Likelihoods.” Conference on Empirical Methods in Natural Language Processing (2024).

[14] Tran, Toan et al. “Tokens for Learning, Tokens for Unlearning: Mitigating Membership Inference Attacks in Large Language Models via Dual-Purpose Training.” ArXiv abs/2502.19726 (2025)

[15] Liu, Mingrui et al. “Mask-based Membership Inference Attacks for Retrieval-Augmented Generation.” Proceedings of the ACM on Web Conference 2025 (2024)

[16] Kim, Gyuwan et al. “Detecting Training Data of Large Language Models via Expectation Maximization.” ArXiv abs/2410.07582 (2024)

[17] Chang, Hongyan et al. “Context-Aware Membership Inference Attacks against Pre-trained Large Language Models.” ArXiv abs/2409.13745 (2024)

[18] Huang, Zhiheng et al. “DF-MIA: A Distribution-Free Membership Inference Attack on Fine-Tuned Large Language Models.” AAAI Conference on Artificial Intelligence (2025).

[19] Naseh, Ali et al. “Riddle Me This! Stealthy Membership Inference for Retrieval-Augmented Generation.” ArXiv abs/2502.00306 (2025)

[20] Antebi, Sagiv et al. “Tag&Tab: Pretraining Data Detection in Large Language Models Using Keyword-Based Membership Inference Attack.” ArXiv abs/2501.08454 (2025)

[21] Mattern, Justus et al. “Membership Inference Attacks against Language Models via Neighbourhood Comparison.” ArXiv abs/2305.18462 (2023)

[22] Panda, Ashwinee et al. “Privacy Auditing of Large Language Models.” ArXiv abs/2503.06808 (2025)

[23] Zhang, Anqi and Chaofeng Wu. “Adaptive Pre-training Data Detection for Large Language Models via Surprising Tokens.” ArXiv abs/2407.21248 (2024): n. pag.

[24] Wang, Cheng et al. “Con-ReCall: Detecting Pre-training Data in LLMs via Contrastive Decoding.” ArXiv abs/2409.03363 (2024)

[25] Eichler, Cédric et al. “Nob-MIAs: Non-biased Membership Inference Attacks Assessment on Large Language Models with Ex-Post Dataset Construction.” WISE (2024).

(continued Tulu tables)

TPR @ 0.5% FPR

TPR @ 1.0% FPR

TPR @ 5.0% FPR

WikiMIA_2024 Hard

AUROC

TPR @ 0.1% FPR