Yu He, The State Key Laboratory of Blockchain and Data Security, Zhejiang University; Boheng Li, College of Computing and Data Science, Nanyang Technological University; Liu Liu and Zhongjie Ba, The State Key Laboratory of Blockchain and Data Security, Zhejiang University; Wei Dong, College of Computing and Data Science, Nanyang Technological University; Yiming Li, The State Key Laboratory of Blockchain and Data Security, Zhejiang University; and College of Computing and Data Science, Nanyang Technological University; Zhan Qin, Kui Ren, and Chun Chen, The State Key Laboratory of Blockchain and Data Security, Zhejiang University
Membership Inference Attacks (MIAs) aim to predict whether a data sample belongs to the model's training set or not. Although prior research has extensively explored MIAs in Large Language Models (LLMs), they typically require accessing to complete output logits (i.e., logits-based attacks), which are usually not available in practice. In this paper, we study the vulnerability of pre-trained LLMs to MIAs in the label-only setting, where the adversary can only access generated tokens (text). We first reveal that existing label-only MIAs have minor effects in attacking pre-trained LLMs, although they are highly effective in inferring fine-tuning datasets used for personalized LLMs. We find that their failure stems from two main reasons, including better generalization and overly coarse perturbation. Specifically, due to the extensive pre-training corpora and exposing each sample only a few times, LLMs exhibit minimal robustness differences between members and non-members. This makes token-level perturbations too coarse to capture such differences.
To alleviate these problems, we propose PETAL: a label-only membership inference attack based on PEr-Token semAntic simiLarity. Specifically, PETAL leverages token-level semantic similarity to approximate output probabilities and subsequently calculate the perplexity. It finally exposes membership based on the common assumption that members are 'better' memorized and have smaller perplexity. We conduct extensive experiments on the WikiMIA benchmark and the more challenging MIMIR benchmark. Empirically, our PETAL performs better than the extensions of existing label-only attacks against personalized LLMs and even on par with other advanced logit-based attacks across all metrics on five prevalent open-source LLMs. Our study highlights that pre-trained LLMs remain vulnerable to privacy risks posed by MIAs even in the most challenging and realistic setting, calling for attention to develop more effective defenses.
Open Access Media
USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.
author = {Yu He and Boheng Li and Liu Liu and Zhongjie Ba and Wei Dong and Yiming Li and Zhan Qin and Kui Ren and Chun Chen},
title = {Towards {Label-Only} Membership Inference Attack against Pre-trained Large Language Models},
booktitle = {34th USENIX Security Symposium (USENIX Security 25)},
year = {2025},
isbn = {978-1-939133-52-6},
address = {Seattle, WA},
pages = {1609--1628},
url = {https://www.usenix.org/conference/usenixsecurity25/presentation/he-yu},
publisher = {USENIX Association},
month = aug
}
