Membership Inference Attacks against Large Vision-Language Models

We thank the reviewer rMMx for the insightful feedback. We address the concerns below.

---

Q1: [The setting for detecting a description sentence is a little confusing for me. Why do you feed the model with a black image rather than others, like those generated by DALL-E? Also, why do you skip the instructions here? It is less possible to produce the target description for the target VLM just based on a black image and an empty instruction. Why don't skip the input image? Could you please explain the setting of MIA in the description sentence?]

A1: Note that our MIA framework is for detecting text or images solely instead of image-description pairs. This setting is more practical. For example, we want to know whether private photo or address is used for commercial training. Naturally, when detecting the text, we assume that the attacker does not have any information about image. Therefore, we can not use images generated from DALL-E.

In line 109, we assume a grey-box setting on the target model, where the attacker can query the model by a custom prompt (including an image and text) and have access to the tokenizer, the output logits, and the generated text. Therefore, we are not allowed to extract the underlying language model from a VLLM. Additionally, if we provide None or empty to VLLM such as llama_adapter v2 in image place, then an error will be raised. Also, we note that in the open source code of llama adapter, when using the text-only data for finetuning, the model is supplied with an all-zero image. For the consistence of our experimental setting that we provide image and text modals as inputs, we choose to provide an all-zero image (black) to all models.

The reason we adopt an empty instruction is that, provided an all-zero (black) image, common instructions, such as "Describe this image in detail", the VLLMs have the tendency to output response that "This image is black". This will introduce additional bias to our task: the description text MIAs. Therefore, we use the empty instruction.

---

Q2: [How to set the threshold value \lambda in the MIA process?]

A2: For the evaluation, we use the AUC score and TPR@low FPR score as the metric. The report of these scores as performance measures is standard in prior MIA works, such as [1]. Note that these two scores are threshold-independent. It's the area under ROC curve, which plots the true positive rate against the false positive rate for different threshold settings. So we don't need to select a specific $\lambda$ when we want to compare different MIA methods (classifiers). Note that if the task is to perform MIA via a specific method instead of evaluating different MIA methods, we can perform a hyperparameter search over a small validation set to select $\lambda$. We will add this explanation of the metric in the revised version.

---

If the reviewer rMMx has any remaining concerns, we are happy to clarify further.

---

Refs

[1] Shi, Weijia, et al. "Detecting Pretraining Data from Large Language Models." ICLR 2024.

We thank the reviewer e87W for the insightful feedback. We address the concerns below.

---

Q1: Is there any underlying bias caused by the nature of differences between natural and synthetic data (in VL-MIA/DALL-E)?

A1: This is an interesting question and thanks for pointing it out. It is hard to make the member data and non-member data be in the same distribution. We considered different possible bias when constructing our datasets.

• One bias is that the member data and non-member data might contain different identities so that the separation would be trivial. We call it the identity bias. To resolve the identity bias, we use DALL-E to generate non-member images based on the description of the member images to ensure the member image and non-member image in the same pair contain the same identity, such as a basketball.

• Admittedly, as you pointed out, there might be other unresolved bias, such that the fact that member data are real (not AI generated) images and non-member data are fake (AI generated) images. We call it the reality bias. To resolve the reality bias, we provide "VL-MIA: Flickr", which divide member and non-member images based on release time, following the prior work [1] which uses latest wiki text as non-members.

Despite our effort aforementioned to reduce the bias, we additionally produced two new datasets designed to eliminate bias using i.i.d samples from the same distribution. We synthesize two new MIA datasets: the Geometry dataset and the Password dataset. The image in the Geometry dataset consists of a random 4x4 arrangement of geometrical shapes, and the image in the Password dataset consists of a random 6x6 arrangement of characters and digits from (E)MINST. The associated text is its corresponding content (e.g., characters, colors, shapes). We select half of the datasets, that can be considered as the member set, to finetune VLLM while the remaining part is the non-member set. This approach ensures that members and non-members are i.i.d sampled thus eliminating potential bias, and can be used in any VLLM with diversity and generalization just by simple finetuning. We provide some examples of this dataset in Figure 2 of the PDF.

We conduct the image MIA by finetuning LLaMA Adapter v2.1 following the finetune instruction provided by the authors. The results are presented in Table 4 of the PDF. We observe that our Modfied Rényi and Max Rényi still outperform other previous baselines.

---

Q2: [why did we choose instruction text for members and generated text for non-members in VT-MIA/Text?]

A2: Sorry for the confusion, we'll clarify in the final release. Recall that in the instruction tuning stage of a vllm, every data entry contains an image, a question, and the corresponding answer to the image. We use the answer text as member data and GPT-4 generated answers under the same question and same image as non-member data. Specifically, for LLaVA v1.5 and LLaMA_adapter v2, we use the answers in LLaVA v1.5's instruction tuning as member data. (The word "instruction" in paper main body Table 1 is a typo and will be corrected as "instruction-tuning text".) For MiniGPT-4, we use answers in MiniGPT-4's instruction tuning as member data. We will revise the confusing content in Table 1 in the final release.

---

Q3: Insight on the parameters $\alpha$ and $K$. How to select these parameters?

A3: In short, $\alpha$ controls the aggregation from the next-token distribution at some token to a single entropy score, and $K$ controls the aggregation from a sequence of entropy scores to the final score for this sequence.

• The parameter $\alpha$ controls how the entropy will represent the next token probability distribution at the current token. For example, $\alpha=0$ treats all non-zero next-token probabilities equally and $\alpha=\infty$ only involves the largest next-token probability. In paper main body Table 2 we find that $\alpha = 0.5$ is the best choice in image MIA, while in paper main body Table 3, $\alpha = \infty$ is the best choice in text MIA.

• The parameter $K$ determines the percentage of tokens in a sequence with the highest entropy scores that are selected to compute the final score. In the experiment section of the paper, we find that different sequences have different representative parts, and therefore different $K$ may be applied.

In all, the optimal $K$ and $\alpha$ are largely determined by different data modalities and distributions. We propose this family of criteria to accommodate different possible data distributions. Therefore, similar to prior work [1], we suggest using a validation set and performing a small sweep over different $K$ and $\alpha$ to select the optimal parameters.

---

If the reviewer e87W has any remaining concerns, we are happy to clarify further.

---

Refs

[1] "Detecting Pretraining Data from Large Language Models." ICLR 2024.

We thank the reviewer FZ3m for the insightful feedback. We address the concerns below.

---

Q1: Clarification on image embeddings but not image tokens. Why do we not have access to the image tokens?

A1: As in the illustrative Figure 1 of the PDF, the VLLMs consist of a vision encoder, a text tokenizer, and a language model. The output of the vision encoder (image embedding) has the same embedding dimension $d$ as the text token embedding.

When feeding the VLLMs with an image and the instruction, a vision encoder transforms this image to $L_1$ hidden embeddings of dimension $d$, denoted by $E_{\rm image} \in \mathbb{R}^{d \times L_1}$. The text tokenizer first tokenizes the instruction into $L_2$ tokens and then looks up the embedding matrix to get its $d$-dimensional embedding $E_{\rm ins} \in \mathbb{R}^{d \times L_2}$. The image embedding and the instruction embedding are concatenated as $E_{\rm img-ins} = (E_{\rm image}, E_{\rm ins}) \in \mathbb{R}^{d \times (L_1+L_2)}$, which are then fed into a language model to perform next token prediction. The cross-entropy loss (CE loss) is calculated based on the predicted token id and the ground truth token id on the text tokens.

We can see that in this process, image embeddings are directly obtained from the vision encoder and there are no image tokens. There are no causal relations between consecutive image embeddings as well. Therefore, as we stated in Section 1, target-based MIA that requires token ids cannot be directly applied.

In the final version, we will add the detailed description as well as the illustrative figure in the appendix.

---

Q2: For detecting images, how do you determine which logits are for image, instructions, or description text, during the attack phase?

A2: Similarly to the figure in Q1, there is a one-to-one correspondence between the logit and input. For example, given image embedding with token length $L_1$, instructions with length $L_2$, and description text with length $L_3$, the language model will output logits of the shape $(L_1+L_2+L_3)\times |\mathcal{V}|$, where $\mathcal{V}$ is the vocabulary set, we can access the logits of the image by the slice $[0:L_1]$, the logits of instruction by the slice $[L_1:L_1+L_2]$, and the logits of description by the slice $[L_1+L_2: L_1+L_2+L_3]$.

---

Q3: How to choose $K$ and $\alpha$ for the MaxRényi-K% metric?

A3: In short, $\alpha$ controls the aggregation from the next-token distribution at some token to a single entropy score, and $K$ controls the aggregation from a sequence of entropy scores to the final score for this sequence.

• The parameter $\alpha$ controls how the entropy will represent the next token probability distribution at the current token. For example, $\alpha=0$ treats all non-zero next-token probabilities equally and $\alpha=\infty$ only involves the largest next-token probability. In paper main body Table 2 we find that $\alpha = 0.5$ is the best choice in image MIA, while in paper main body Table 3, $\alpha = \infty$ is the best choice in text MIA.

• The parameter $K$ determines the percentage of tokens in a sequence with the highest entropy scores that are selected to compute the final score. In the experiment section of the paper, we find that different sequences have different representative parts, and therefore different $K$ may be applied.

In all, the optimal $K$ and $\alpha$ are largely determined by different data modalities and distributions. We propose this family of criteria to accommodate different possible data distributions. Therefore, similar to prior work [1], we suggest using a validation set and performing a small sweep over different $K$ and $\alpha$ to select the optimal parameters.

---

If the reviewer FZ3m has any remaining concerns, we are happy to clarify further.

---

Refs

[1] "Detecting Pretraining Data from Large Language Models." ICLR 2024.

We thank the reviewer M6Nm for the insightful feedback. We address the concerns below.

---

Q1: Small Evaluation Dataset.

A1: We extend both VL-MIA/Flickr and VL-MIA/Text to 2000 samples. The results in the extended datasets can be found in Table 2 and Table 3 of the PDF, where we can observe the same trend as our original results. We also introduce two new datasets as shown in A3 below. We will release these complete datasets in the final version.

Q2: Does not consider the TPR at low FPR.

A2: Please see TPR at 5% FPR result in Table 1 of the PDF. We will add the results in our final version. These results are aligned with AUC results in Table 1 of the paper, and $\alpha=0.5$ is the optimal choice for image MIA.

Q3: Generalizability to other types of vision-language models and datasets.

A3: We thank the reviewer for pointing out this interesting question. To make our benchmark more comprehensive, we synthesize two new MIA datasets, see general response for details.

---

Q4: How to choose $K$ for the MaxRényi-K% metric?

A4: In short, $K$ controls the aggregation from a sequence of entropy scores to the final score for this sequence.

The parameter $K$ determines the percentage of tokens in a sequence with the highest entropy scores that are selected to compute the final score. In the experiment section of the paper, we find that different sequences have different representative parts, and therefore different $K$ may be applied.

In all, the optimal $K$ is largely determined by different data modalities and distributions. We propose this family of criteria to accommodate different possible data distributions. Therefore, similar to prior work [1], we suggest using a validation set and performing a small sweep over different $K$ and $\alpha$ to select the optimal parameters.

---

If the reviewer M6Nm has any remaining concerns, we are happy to clarify further.

---

Refs

[1] "Detecting Pretraining Data from Large Language Models." ICLR 2024.

We thank reviewer M6Nm for the meaningful feedback. Regarding the concern that our method assumes that the attacker has collected some member and non-member data in advance, we explain that this assumption is practical in real-world scenarios. For open-source models trained on open-source data, we can confidently obtain both member and non-member data, as demonstrated in this paper's Section 4. For closed-source models, such as GPT4, we speculate that commonly used datasets, such as MS COCO, and a wide collection of copyrighted materials [1], are used as training data by these closed-source models.

Note that all of the baseline methods (e.g., PPL, min-k) also require a validation set to estimate a threshold ($\lambda$ in Equation 1) to determine membership. The above choice of member and non-member dataset can be universally used for all MIA methods.

We would like to add these clarifications after line 305 with the revised version to enhance understanding on member and non-member data selection.

Refs:

[1] "Speak, memory: An archaeology of books known to chatgpt/gpt-4." arXiv 2023.

---

Remark: We have further extended our benchmark size to 10k and observed similar results, which will be released in the final version. In addition, our heuristic findings in the paper suggest that for text MIA, one can select a smaller k, e.g.,0 or 10; while for image MIA, one can select k=100.