Safeguard User Privacy in LLM Cloud Services

The paper does not provide essential background information on large language models (LLMs) and reconstruction attacks in LLMs, making it challenging for researchers outside this specific field to understand.

I also have some questions about the reconstruction attack in LLMs:

1. What information does the attacker use to reconstruct the user input? Is it based solely on the hidden states?
2. What approach did you take in the evaluation section? Are you using the same attack methodology as described in prior work?

Modern LLMs have hidden/embedding dimensions that are in the thousands. A known effect in high-dimensional vector spaces is that random vectors are expected to be nearly orthogonal. Since you are empirically computing angles between residual vectors ("cumulative sums J_1 + J_2") and random token embedding vectors, I am wondering if all you measured in Proposition 1 (and in A.2) was just an observation of this phenomenon of high-dimensional vectors spaces. In fact, I do not see why observed (but expected) orthogonality with random embedding vectors would support your claim that embeddings and the residuals from the LLM's layers are actually in orthogonal (proper) subspaces: Both may well take place in exactly the same, i.e., improper, (sub)space. I'd suggest considering a more suitable experiment to support (or refute) the claim of Prop. 1: One idea that comes to my mind is computing the PCA of embedding vectors and determining if there is a (proper!) subspace spanned by the most significant (say, up to some threshold) principal components. Then you could check if and to what extent the residual terms from the LLM's layers are orthogonal to this principal subspace. (Disclaimer: I make no claim that this is the best method :-).)

Moreover, as defense approach you propose to randomly contract the hidden states h^(i-1) as to make the proportion of the residual terms larger and thus increase the "nonlinearity". However, as you just claimed in Prop. 1, these residuals/nonlinearities are supposedly near-orthogonal to the embeddings, so they should only have a marginal effect on the angles to the token embeddings -- but these angles are exactly what the attacker computes to find the nearest candidate tokens! More mathematically, if we write u=h^(i-1) for the unmodified hidden state, v=J_1+j_2 for the residual/nonlinear term that supposedly is orthogonal to the token embeddings, w to be a candidate token embedding, and x=1/p a random scaling factor, we get the dot product <v,w> \approx 0 due to the (claimed) near-orthogonality, and hence <xu + v, w> = x<u,w> + <v,w> \approx x<u,w> . And as you stated: "cosine distance is insensitive to the magnitude", so shrinking u=h^(i-1) and hence the <u,w> by a factor x won't change these angles! So in fact, your Prop. 1 implies that the proposed defense should NOT be very effective -- or conversely, if the defense is effective, Prop. 1 may be wrong, i.e., the embeddings and residuals are in the same (sub)space.

While it's nice to know that your methods is compatible with quantization, I am not sure if/how relevant it is for the theme of the paper (mix of concepts: privacy vs. size/efficiency).

Lastly, while your experiments indicate that the method is effective against the described reconstruction attacks, I want to remark that empirical privacy evaluations without formal privacy guarantees should be taken with a grain of salt (cf. Aerni et al., "Evaluations of Machine Learning Privacy Defenses are Misleading", CCS 2024). Therefore, I remain skeptical about the long-term validity and significance of the method's privacy protection capability. If the LLM can still accurately answer queries based on modified hidden states, it seems unintuitive that the sequence of tokens in the query cannot be better recovered (provided that the response has non-trivial dependencies on the query, e.g., for text summarization tasks, or when the reply is more complex than a simple 'yes'/'no', a number, or similar). Think: What would an LLM with your defense respond to prompts like "<Some text here>. Please quote the preceding text in verbatim."? Therefore, I wonder if more sophisticated attacks that are adapted to the defense approach (e.g., train a model that learns from collected 'modified hidden state' -> 'actual token/embedding' pairs) could be more successful.

Some key design statements are unclear and require further explanation; additionally, the rationale behind certain proposals needs to be explained in more detail.

1. Previous works [1,2] have highlighted the sparse nature of large language models. The statement of first contribution appears overstated and needs more precise positioning of its novelty.
2. The methodology primarily relies on empirical reconstruction attacks against watermark defenses (line 207). While the subsequent statistical tests are rigorously designed, this approach may be limited compared to more sophisticated attack strategies proposed in [3,4] that leverage optimal strategies based on prior knowledge. The reliability of these empirically-based assumptions remains questionable against advanced adversarial approaches.
3. The experimental section lacks implementation of important baseline methods [5,6]. This omission makes it difficult to properly evaluate the effectiveness of the proposed approach in the context of existing solutions. Including these comparisons would provide a more comprehensive evaluation framework.

• [1] Zhang Z, Xiao C, Qin Q, et al. Exploring the Benefit of Activation Sparsity in Pre-training[J]. ICML, 2024.
• [2] Liu Z, Wang J, Dao T, et al. Deja vu: Contextual sparsity for efficient llms at inference time[C]//International Conference on Machine Learning. PMLR, 2023: 22137-22176.
• [3] Huang Y, Gupta S, Song Z, et al. Evaluating gradient inversion attacks and defenses in federated learning[J]. Advances in neural information processing systems, 2021, 34: 7232-7241.
• [4] Tong M, Chen K, Yuang X, et al. On the Vulnerability of Text Sanitization[J]. arXiv preprint arXiv:2410.17052, 2024.
• [5] Mai P, Yan R, Huang Z, et al. Split-and-Denoise: Protect large language model inference with local differential privacy[J]. arXiv preprint arXiv:2310.09130, 2023.
• [6] Pang Q, Zhu J, Möllering H, et al. Bolt: Privacy-preserving, accurate and efficient inference for transformers[C]//2024 IEEE Symposium on Security and Privacy (SP). IEEE, 2024: 4753-4771.

1. I am not sure with the novelty of the technical contribution in this paper, is it only adjusting the two functions so that the nonlinear modules are amplified ?
2. How to shrink the hidden state ? Can you elaborate it more clearly?
3. Did you consider other attacks beyond the reconstruction attack ?

Privacy concerns

The paper argues that DP could leak to privacy leakage and doesn't adopt the DP guarantee. However, there is no empirical comparison between the protection levels for DP-based method and their proposed method [1][2]. Furthermore, they only use the reconstruction attack to evaluate the protection level of their method. However, from the reconstruted results, we can see that certain attributes/key words in the context can still be inferred by the attacker. More attacks, such as attribute inference attack, are desired.

From Figure 1, only the context is protected in the framework, while the instruction could also leak user's private information. Another inherent limitation of this framework is that if the LLM could return highly accurate response, then it's inevitable that the response would reveal sensitive information of the user. It's suggested that the authors could apply certain post-processing operations on the response to address the dilemma [3].

Attack methods

The paper considers a optimization-based attack method. In reality, the attackers could use a variety of approaches to reconstruct the original token. For example, they can train a more transformer-based model to infer the input from the privatized hidden representation. The authors may conduct experiments on more advanced attacks.

[1] Feyisetan, O., Balle, B., Drake, T., & Diethe, T. (2020, January). Privacy-and utility-preserving textual analysis via calibrated multivariate perturbations. In Proceedings of the 13th international conference on web search and data mining (pp. 178-186).

[2] Mattern, J., Weggenmann, B., & Kerschbaum, F. (2022, July). The Limits of Word Level Differential Privacy. In Findings of the Association for Computational Linguistics: NAACL 2022 (pp. 867-881).

[3] Chen, Y., Li, T., Liu, H., & Yu, Y. (2023). Hide and seek (has): A lightweight framework for prompt privacy protection. arXiv preprint arXiv:2309.03057.