Notice: The reproducibility variables underlying each score are classified using an automated LLM-based pipeline, validated against a manually labeled dataset. LLM-based classification introduces uncertainty and potential bias; scores should be interpreted as estimates. Full accuracy metrics and methodology are described in [1].
Membership Inference Attacks and Privacy in Topic Modeling
Authors: Nico Manzonelli, Wanrong Zhang, Salil Vadhan
TMLR 2024
| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | To explore the privacy in topic modeling, we conduct membership inference attacks (MIAs) which infer whether or not a specific document was used to train LDA. We propose an attack based on an LDA-specific query statistic designed to exploit memorization. This query statistic is integrated into the Likelihood Ratio Attack (LiRA) framework introduced by Carlini et al. (2022). We show that our attack can confidently infer the membership of documents included in the training data of LDA which indicates that the privacy risks in generative modeling are not restricted to large neural models. |
| Researcher Affiliation | Academia | Nico Manzonelli, John A. Paulson School of Engineering and Applied Sciences, Harvard University; Wanrong Zhang, John A. Paulson School of Engineering and Applied Sciences, Harvard University; Salil Vadhan, John A. Paulson School of Engineering and Applied Sciences, Harvard University |
| Pseudocode | Yes | Algorithm 1: Fully Differentially Private Topic Modeling (FDPTM); Algorithm 2: Online LiRA on Topic Models; Algorithm 3: Offline LiRA on Topic Models |
| Open Source Code | Yes | The code for the attack simulations is available at https://github.com/nicomanzonelli/topic_model_attacks. |
| Open Datasets | Yes | The URLs for the datasets Tweet Rumors, 20Newsgroup and NIPS are https://www.zubiaga.org/datasets, http://qwone.com/~jason/20Newsgroups and https://archive.ics.uci.edu/ml/datasets/bag+of+words respectively. |
| Dataset Splits | Yes | To initiate the attack, we randomly sample half of the data to learn and release Φobs. Next, we train N shadow topic models by repeatedly sampling half of the data to simulate sampling from D. |
| Hardware Specification | No | The authors would like to acknowledge the MITLL Supercomputing Center for providing compute and consulting resources that contributed to our results. |
| Software Dependencies | No | Tokenization, stop words, and lemmatization implemented via python package nltk (https://www.nltk.org). In practice, we use SciPy's out-of-the-box optimization methods to estimate ζ(Φ, d) (Virtanen et al., 2020). For each experiment, we learn Φ using scikit-learn's implementation of LDA with default learning parameters. |
| Experiment Setup | Yes | For Tweet Set and 20Newsgroup we set the number of topics k to 5 and 20 respectively based on the data's known distribution across topics... We learn N = 128 shadow models, replicate each experiment 10 times and report our results across all iterations. For DPSU, we fix the privacy parameter δ = 10⁻⁵ and set the parameter α = 3 to control the cut-off value Γ like in Carvalho et al. (2022). We vary our privacy loss parameters in intervals across common ε choices for DP ML solutions. Specifically, we first fix ε2 = 3 for DP LDA and vary ε1 for DPSU. Then, we fix ε1 = 3 and vary ε2. |