Privacy Backdoors: Enhancing Membership Inference through Poisoning Pre-trained Models

• My main concern is that the assumption that the attacker already has part of the training data (i.e., the target data points) is quite unrealistic. This setting assumes that the attacker has way more knowledge than in traditional membership inference attacks, where usually only similar but not the exact same data points are available. If the fine-tuning data is assumed to be the victim's private data, then it is not really private in the first place if the attacker can collect parts of this data set. As a result, it is not very surprising to me that after introducing the "backdoor", the model leaks more information about these data points the attacker had in the first place.
• I am skeptical that the proposed approach is a "backdoor". Usually, backdoors in machine learning have a trigger and produce a predefined output. However, with the proposed approach, we are basically just changing the loss of specific samples. The way it is done is "stealthy", but the methodology does not fully align with the definition of a backdoor as it is currently defined in the literature.
• I am not quite sure what the intention of section 2.2 is. At the beginning of the second paragraph, it is said that the presented method shares similarities with federated learning. But then only differences are brought up. So, for the reader, it is not clear what the similarities are to federated learning.
• It is a bit hard to judge the performance of the LLMs based only on the log perplexity loss. It would be nice to have some kind of benchmark similar to the accuracy in the vision model experiments.
• The authors state that maximizing the loss of target data points does not work for LLMs; however, no explanation or experimental results are given, which shows that it does not work.

The limitations are addressed. However, I would encourage the authors to discuss the potential impact of different data distributions on the proposed approach.

Major:

• Stealthiness of the attack: The paper does not look at how, e.g. the zero-shot performance on unrelated data sets (e.g., NOT the target data set) changes once the model is poisoned. The original CLIP paper (Radford et al., 2019) considers many different data sets. I understood that the authors argue that poisoning for better MIA on CIFAR-10 is stealthy because the performance on CIFAR-10 doesn't change much. But how well is the model still performing on other data sets such as CLEVER, FGVC Aircraft or others? Is there forgetting regarding that data? I see that the scenario breaks a bit down if that is the case because the adversary would need to poison specifically for one victim while hoping that nobody else uses the model and wonders why it performs poor in zero-shot. Eventually this would lead to the model being flagged and the model being taken down. I am willing to increase my score if this point has been addressed by the authors or if they clarify why this is not relevant.

Minor:

• Defense and Detection: The paper would be better if it could provide some ideas regarding potential defenses against this attack or methods to detect that the model includes a backdoor. I don't expect experiments but it would be great to elaborate a bit more than "In the future, it may be necessary for those who make use of pre-trained models to perform as much (or more) validation of the pre-trained models that are being used as any other aspect of the training pipeline."
• Table 3: It would be great to specify which model is being used in a separate column. It can be quite confusing as apparently the Linear Probing is only used with CLIP.
• Tables: It would be great if the caption could be elaborating a bit more than just a heading. E.g., by mentioning the model that is under attack.
• Pre-training data: It would be good to mention what pre-training data has been used for the pre-trained models. This can make quite a difference when replicating the results.

Yes

Novelty

The paper claims in several places to introduce a “new” threat model and privacy attack, however, closely related [1] and virtually identical [2] settings have been proposed by other works. While the paper already briefly discusses [1], classifying it as concurrent work (available for slightly less than 2 months at submission time), it omits [2] (available for slightly more than 2 months at submission time). I believe that due to the large similarities in settings between these works, they warrant a longer discussion in similarities, differences, and concurrence in the paper; and the claim to unveiling a “new vulnerability” reassessed and tamed down in light of this discussion.

Strong assumptions

The paper reads currently as if the presented attack would be just a nice addition on top of any black-box MIA setting, and the presented game in Threat Model 2 makes it seem like it seamlessly integrates with the traditional MIA framework. However, I believe that this is misleading as the benefit from the introduced privacy backdoor attack is tied to assumptions that are stronger than those usually found in MIA literature.

In MIA, online and offline attacks are usually distinguished [3]. In online MIA (weak setting), the attacker is assumed to be able to adjust the computationally heavy part of their attack (e.g., retrain their shadow models) when the challenger reveals a new target data point to them. In offline MIA (strong setting), the attacker prepares an attack once, before knowing specific target data points, and then this attack is employed (sometimes with minor adjustments without virtually any additional compute costs) once the challenger presents target data points. Also note that another standard assumption is that the challenger is allowed to continuously present new target data points to the attacker as long as they are samples from a distribution that is also available for the attacker for sampling. The paper currently does not introduce these standard elements and assumptions of MIA.

Instead, the implicitly induced setting is in fact weaker than that of online MIA; the entirety of $D_{\text{target}}$ has to be known to the attacker when preparing the privacy backdoor. As such, if at MIA time the challenger presents a new target data point (which is allowed under usual MIA assumptions) the privacy backdoor has no “support” for it and adjusting the backdoor is not possible anymore, as the model on which the MIA is done is already released from the hands of the attacker and the fine-tuning has already happened.

Further, the attack requires that the attacker possesses a dataset $D_{\text{aux}}$ that is disjoint from the target data points, which, while in many cases may be realistic, is a non-standard assumption in MIA once again. Standard MIA does not require that the dataset available to the attacker and the set of all potential target data points is disjoint.

In summary, the paper makes several non-standard restrictive assumptions to the MIA setting, without discussing or motivating them explicitly and clearly; the assumptions are only stated in scattered places and not positioned in the context of MIA.

Only partially follows best practices in MIA result reporting

TPR@1%FPR is reporting at an order(s) of magnitude(s) higher FPR than suggested best reporting practices [3].

ROC-AUC score is included, while logarithmic full ROC curves are omitted, in stark contrast to suggested best practices [3].

As such, it is currently unclear if the attack provides as large benefits as currently perceived also at more relevant FPR regimes.

Concerns over the employed MIA

In the evaluation, the authors use the LiRA [3] attack with 16 shadow models. However, as it has been already shown in [3] and especially reinforced in [4], the standard LiRA attack is particularly weak for a low number of shadow models. While the version using global variance estimators is better in this regime, it is unclear which one was used for evaluation in this paper. As such, for this potentially weak attack the privacy backdoor provides a large benefit. However, it remains to be seen if the benefit is equally as large for stronger attacks, specifically tailored to perform well with just a low number of shadow models, such as [4] (available since 6th Dec 2023).

Weak justification of the different attack strategy choices

The paper currently employs two contrasting attack strategies for vision models and large language models. For vision models the loss of the target data points is increased in the backdooring phase (“maximization”), while for LLMs the target data points are encouraged to be heavily memorized (“minimization”). While both of these strategies are clear how they would encourage contrast at fine-tuning time between member and non-member target data points, the use of different strategies is currently weakly motivated, impacting the convincingness of the paper’s technical contribution.

The differing choices could be better motivated by showing an experiment how the alternative strategies perform on the other domain, i.e., showing how minimization performs for vision, and how maximization performs for LLMs. In particular, the attacks on LLMs seem to be much stronger, which is currently unclear if this is due to the chosen attack strategy, the evaluation protocol and datasets, or due to some other factor.

Presentation, writing, and clarity

In several places there are certain inconsistencies, writing is not clear, or small errors in citation formatting or similar. This gives the overall impression that the paper was written hastily.

In Threat model 2, point 3; to match with the generic setup of MIA, I assume that the idea what this point should stand for is (correct me if I am wrong) that the challenger randomly selects if it present a target data point from the target set which was also included in the fine-tuning set or one that was not. However, I think that the used notation currently does not reflect this: 1. “[i]f $c=\text{head}$, they randomly select a target data point $(x,y)$ from $D_{\text{target}}$” — this $(x,y)$ could still be both in the training set or not in it, this does not tell us anything about that; 2. “if $c=$tail, a target data point $(x,y)$ is randomly sampled from $(D_{\text{target}} \setminus D_{\text{train}})$” — this is confusing, as this would imply that $D_{\text{target}}$ is a superset of $D_{\text{train}}$, which is not only not stated anywhere nor followed in the experimental section, but would also mean another highly unrealistic assumption. I believe, sampling from $D_{\text{target}} \cap D_{\text{train}}$ when the coin is head, and sampling from $D_{\text{target}} \setminus (D_{\text{target}} \cap D_{\text{train}})$ when the coin is tail would be a correct notation/presentation.

Section 3.2. is very confusing at the moment, as it gives a clear motivation for the maximization attack, but then presents the exact opposite of this idea for LLMs, solely because ‘maximization did not work’. In conjunction with the experiment justifying this choice and an adjustment in writing would make the presentation of the attack more compelling.

While, as I already elaborated above, the assumptions made by the attack are rather strong, they could be justified by presenting a clear real-world example for the attack (but still have to be explicitly compared to the standard assumptions of MIA). While there is an attempt on this in l159-l162, I suggest to elaborate on this and present it more convincingly, given that the assumptions made are non-standard for MIA.

I struggle to understand the paragraph from l267 to l271. I especially do not get the causal link between observed memorization and what is meant by similar format and similar types of personal information. What the supposed link between the results on Simple PII and MIMIC-IV is, is also unclear. I do not understand why these two results are compared, as to me, the outlier seems to be the result on Simple PII, with a base attack success of 0.242 TPR@1%FPR, compared to an order of magnitude lower TPRs on both ai4Privacy and MIMIC-IV. Further, if the statement is supposed to be that PII is memorized better by the LLMs than images by the vision models, then for this the experiment setup in my view is unfit, as the MIA scores on the unattacked models are comparable in each case (each time two datasets produce around 0.0X TPRs and once 0.1X-0.2X TPR), and in case of the attacked models, as the attacks are different, we cannot know if the difference stems from the data domain or the attack itself.

As already elaborated in its own point, the setting of MIA and how the presented attack relates to it have to be presented clearer, as currently in parts it seems like the attack enables a more powerful setting; being an additive improvement over any MIA scenario.

Citep and citet are mixed up in certain places, e.g., l68 or l115.

References

[1] S Feng and F Tramèr, Privacy Backdoors: Stealing Data with Corrupted Pretrained Models. http://www.arxiv.org/abs/2404.00473.

[2] R Liu et al., PreCurious: How Innocent Pre-Trained Language Models Turn into Privacy Traps. https://arxiv.org/abs/2403.09562.

[3] N Carlini et al., Membership Inference Attacks From First Principles. https://arxiv.org/abs/2112.03570.

[4] S Zarifzadeh et al., Low-Cost High-Power Membership Inference by Boosting Relativity. https://arxiv.org/abs/2312.03262v3.

Limitations are not prominently and explicitly discussed, only recognized in the checklist. In my view, the strong assumptions made in the threat model have to be discussed in the main paper. Note also other weaknesses pointed out in my review.

My main concerns are about the threat model and the evaluation of LLMs.

• Although the paper studies a new threat setting, existing model ecosystem may not work like the described manner. Specifically, the paper assumes the adversary can firstly finetune (i.e., poison) the publicly available pretrained model $F_{pre}$ to $F_{adv}$, and release the F_adv to the platform. Then the victim downloads and finetunes the $F_{adv}$ with D_train to $F_{adv, ft}$, and releases $F_{adv, ft}$ to the platform so the adversary can infer membership privacy from $F_{adv, ft}$. But why would the victim finetunes $F_{adv}$ instead of $F_{pre}$? Typically the victim would choose the $F_{pre}$ for finetuning, just like the authors choose the CLIP for evaluation instead of a random finetuned CLIP on the Hugging Face.

• Besides, the attack goal of maintaining a comparable level of performance on downstream tasks does not persuade the victim to use $F_{adv}$ instead of $F_{pre}$. Let's assume $F_{pre}$ and $F_{adv}$ have similar performance. As $F_{pre}$ is shared by organizations (e.g., Meta, OpenAI, etc.) that can pay the training cost, the downloads and likes of $F_{pre}$ is certainly high as what we have witnessed in the era of LLMs, and $F_{adv}$ can be just one of hundreds of finetuned $F_{pre}$, why would the victim prefer $F_{adv}$, with potentially not much downloads and likes?

• The impact of finetuning to the LLM performance is also questionable. The results reported in Table 2 is lower validation loss after finetuning, but the loss cannot tell the model performance (i.e., low loss is not necessarily better). I would suggest the authors to provide more concrete LLM evaluation.

• The evaluation on large language models is not thorough. The largest evaluated LLMs in this paper is GPT-Neo-2.7B while widely studied LLMs are above 7B such as LLaMA, Mistral, etc.

None