Detecting Training Data of Large Language Models via Expectation Maximization

We sincerely thank you for your thoughtful summary of our paper and for recognizing its strengths, particularly the novelty and key contributions in the context of recent research on MIAs for LLMs. We also greatly appreciate your constructive feedback and the opportunity to address your concerns. If our responses sufficiently clarify these points, we kindly hope you will consider raising your score.

---

[Weakness: Computational Costs]

Please see General Response (and Section 7.3 and Appendix C).

---

[Question: Initialization with Different Methods]

Please see General Response (and Appendix A).

Thank you for your detailed comments. Unfortunately, we believe some of your points stem from misunderstandings, which we address below. We also plan to clarify these aspects in the revised version of our paper.

---

Weaknesses

• W1. While “Blind Baselines” are supervised classifiers requiring labeled data (i.e., members and non-members), our EM-MIA is entirely unsupervised and does not rely on any labeled data.
• W2. We did not evaluate on benchmarks proposed by Miani et al. (2024) because their work focuses on dataset-level inference, whereas our paper addresses instance-level membership inference, which is a different problem.
• W3. Could you clarify your perspective? Do you believe our method qualifies as MIA or not? Furthermore, do you think it lacks practical utility?
• W4 & W5. As noted in Duan et al. (2024), none of the existing MIAs significantly outperform random guessing. Our method requires baseline methods that perform meaningfully better than random guessing, and we have explained this requirement in our work.
• W5. While the random setting of OLMoMIA is similar to MIMIR, OLMoMIA also includes additional settings that differ significantly from MIMIR.
• W6. We uploaded our code as supplementary material.
• W7. It seems there was a misunderstanding regarding Figure 1(b). This figure indicates 93.4% AUC-ROC in MIA when prefix scores are calculated using TPR@5%FPR with ground truth labels and negative prefix scores are used as membership scores. Comparison with 94.4% TPR@5%FPR of “Blind Baselines” does not make sense at all.

---

Questions

• Q1. We have removed the phrase “none are sufficiently effective to gain widespread adoption in the community.” We hope to see this line of work further.
• Q2. We do provide precise measures of ReCaLL’s performance without access to non-members (or data points with high prefix scores). Please refer to the results of ReCaLL-based baselines (Section 6.2.1), especially the “Rand” method in our main experiment tables.
• Q3. The robustness mainly means the method's ability to perform well across different data distributions. The minimal information includes no access to known members or non-members.
• Q4. This is related to Q3. The test data labels mean membership labels (i.e., whether a point is a member or non-member).
• Q5. Yes, as you understood, $D_{test}$ is the test dataset for which we aim to infer membership. The computation of the scoring function $S$ is explained in the "Update Rule for Prefix Scores" paragraph.
• Q6. We meant an indicator function. This has been fixed in the revised manuscript.
• Q7. We used the AUC-ROC-based scoring function $S$, as described in the formula you referred to in Q6. This is explicitly mentioned in the experimental section (Section 6.3).
• Q8. While we did not include experiments with external data, we believe our discussion can provide avenues for future exploration.

I really appreciate the effort. However, there is a clear misunderstanding of the previous work. For example:

W2. We did not evaluate on benchmarks proposed by Miani et al. (2024) because their work focuses on dataset-level inference, whereas our paper addresses instance-level membership inference, which is a different problem.

The work by Maini et al. [1] has two main contributions. First, they show that MIAs for LLMs do not work based on Maini et al. ICLR 2021 (SPOTLIGT) [2] (see Theorem 2). Second, as an alternative to membership inference, they advocated for a shift in focus toward dataset inference.

Nit: It is not Miani but Maini.

As explained in the initial review, this paper fails on the benchmarks proposed by Maini et al. 2024 based on the training and validation splits from the Pile dataset. Thus, I keep my score unchanged.

References:

1. LLM Dataset Inference: Did you train on my dataset? Pratyush Maini, Hengrui Jia, Nicolas Papernot, Adam Dziedzic. NeurIPS 2024.

2. Dataset Inference: Ownership Resolution in Machine Learning. Pratyush Maini, Mohammad Yaghini, Nicolas Papernot. ICLR 2021 (Spotlight).

We are thrilled that you appreciate the OLMoMIA dataset and recognize our improvements over ReCALL, particularly in overcoming its assumptions and limitations. We hope you will also acknowledge the significance of our main contributions, including the technical novelty of EM-MIA, in advancing research on MIAs for large language models (LLMs). If our responses address your concerns, we kindly ask you to consider raising your score. Below, we address your comments in detail.

---

[WikiMIA]

We did not explicitly mention in Section 2.3 that WikiMIA is not a reliable dataset for MIA experiments, though we noted that several papers are arguing that. Still, we believe that WikiMIA remains a valuable resource for MIA research. The prior SoTA MIAs, including Min-K%++ and ReCaLL, were developed using this dataset. Additionally, we assume that the likelihood of member data from WikiMIA belonging to the validation set is very low, as the validation set would be a tiny portion of the entire data.

---

[TPR @ low FPR]

Please see General Response (and Appendix B).

---

[Computational Cost]

Please see General Response (and Section 7.3 and Appendix C). After computing $ReCaLL_p(x)$ for all $p \in D_{test}$ and $x \in D_{test}$, these scores are reused at each iteration to refine $r(p)$ and $f(x)$. This reuse eliminates the need for additional LLM inferences, making the process computationally efficient.

---

[Robustness to the choice of the initialization method and the scoring function]

Please see General Response (and Appendix A).

---

[OLMo-MIA - number of clusters, Min-K%/Min-K%++, and n-gram overlap ratio]

We determined the number of clusters using the Silhouette score, a commonly used metric for K-means clustering. While Min-K% and Min-K%++ often outperform other methods, this is not guaranteed. These methods may be sensitive to the choice of $K$. In our experiments, we used a fixed value of $K=20$ without further tuning. We will release the OLMoMIA dataset so that researchers can use and analyze it with various metrics, including the n-gram overlap ratio. Additionally, our code will enable users to generate their own OLMoMIA datasets for further exploration.

---

[Prefix Sizes]

Could you clarify what you mean by "prefix size" and "concentration of non-members"? These terms are not used in our paper, and additional context would help us address your concern more effectively.

We appreciate you found our work novel, empirically strong, and valuable for future research. We have made every effort to address your concerns and incorporate your suggestions. In some cases, we provided clarifications or requested additional feedback to improve our paper further. We hope you might consider raising your score to an acceptance level if our responses adequately address the major considerations you identified as necessary for acceptance.

---

[Metric - TPR @ low FPR]

Please see General Response (and Appendix B).

---

[Computational Complexity]

Please see General Response (and Appendix C). We agree that considering a compute-constrained setting is a valuable suggestion. We view improving the efficiency of EM-MIA and other MIAs as an exciting direction for future work.

---

[Missing Experiments - Varying the number of shots $n$]

To clarify, while each component in EM-MIA is a design choice, we mainly used the update rule for prefix scores as Line 3 in Algorithm 1 (calculating pairwise ReCaLL scores on all data $x \in D_{test}$ using each example $p \in D_{test}$ as a standalone prefix once and comparing them with the estimate of membership scores at each iteration) and the update rule for membership scores as Line 4 in Algorithm 1 (directly using a negative prefix score as a membership score), as described in Section 6.4. In this case, we do not even need to tune or exhaustively search $n$. That is the reason why we do not include a plot for the effect of $n$.

On the other hand, $n$ is an important hyperparameter for ReCaLL. You can refer to the ReCaLL paper to see how its performance changes with respect to $n$. In our experience, ReCaLL was sensitive to $n$ and the selected data points to construct a prefix. Our Figure 1 illustrates how the effectiveness of each example as a prefix varies significantly.

If you mentioned the number of shots because you are thinking about choosing a prefix consisting of data points with top prefix scores that we suggested as an alternative way to update membership scores, we hope this explanation resolves your concern. We will further clarify this in the revision.

---

[Missing Experiments - Varying the number of iterations]

As explained above, each iteration updates scores without requiring additional LLM inferences, making the process fast. The number of iterations does not affect the overall computational complexity. We set the maximum number to 10, and the process usually converged after 4-5 iterations.

---

[Missing Experiments - Ablation on initialization]

Please see General Response (and Appendix A).

---

[Missing Experiments - Reusing test examples]

Could you please elaborate more on the ablation experiments you described? If you want a comparison after removing data points used from ReCaLL, this can be done easily by omitting the “keep_used” option in “eval.py.”

---

[Clarity - Pre-training data detection]

Our method can indeed be applied to different training stages, but we focused on pre-training data detection in this work. We will clarify this in the revision.

---

[Clarity - Intuition behind ReCaLL]

Thank you for this suggestion. We added a brief explanation to provide an intuition of why ReCaLL works in Section 2.4 for readers unfamiliar with ReCaLL.

---

[Clarity - Prefix score]

We agree that the definition of a prefix score in the abstract might feel abstract. Providing a formal definition would require a detailed explanation of ReCaLL, which could overwhelm readers. If you have suggestions for simplifying this explanation without losing clarity, we would greatly appreciate them.

---

[Clarity - Table]

We recognize the tables are dense with numbers. Following Min-K%++ and ReCaLL, we reported results for all combinations of methods, models, and lengths. Our tables include additional results due to the larger number of ReCaLL-based baselines we evaluated. We encourage readers to first focus on average scores and then dive into specific comparisons of interest.

---

[Clarity - OLMoMIA]

We added equations for our OLMoMIA settings in Appendix E. Members and non-members are clustered separately. We stated this in Line 326 of the original manuscript.

---

[Missing References]

Thank you for pointing out missing references. We have added them in the revised version.

---

[Why use the ratio of the log-likelihoods instead of the difference?]

We experimented with both the ratio and the difference of log-likelihoods. Empirically, the ratio performed slightly better overall. Additionally, we followed the ReCaLL approach for consistency in comparison.

---

[EM Interpretation]

We interpret prefix scores as latent variables that need to be predicted.

---

[Plans for releasing code]

We uploaded our code as supplementary material.