Notice: The reproducibility variables underlying each score are classified using an automated LLM-based pipeline, validated against a manually labeled dataset. LLM-based classification introduces uncertainty and potential bias; scores should be interpreted as estimates. Full accuracy metrics and methodology are described in [1].
Recovering Private Text in Federated Learning of Language Models
Authors: Samyak Gupta, Yangsibo Huang, Zexuan Zhong, Tianyu Gao, Kai Li, Danqi Chen
NeurIPS 2022
| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | Model and datasets. We evaluate the proposed attack with the GPT-2 base (117M parameters) model (Radford et al., 2019) on two language modeling datasets, including WikiText-103 (Merity et al., 2017) and the Enron Email dataset (Klimt & Yang, 2004). Both datasets are publicly available for research uses. and Evaluation metrics. We use the following metrics to evaluate the attack performance: (a) ROUGE (Lin, 2004)... (b) We also propose to use named entity recovery ratio (NERR)... |
| Researcher Affiliation | Academia | Samyak Gupta Princeton University EMAIL Yangsibo Huang Princeton University EMAIL Zexuan Zhong Princeton University EMAIL Tianyu Gao Princeton University EMAIL Kai Li Princeton University EMAIL Danqi Chen Princeton University EMAIL |
| Pseudocode | Yes | We provide a detailed algorithm in Appendix A. |
| Open Source Code | Yes | Our code is publicly available at https://github.com/Princeton-SysML/FILM. |
| Open Datasets | Yes | We evaluate the proposed attack with the GPT-2 base (117M parameters) model (Radford et al., 2019) on two language modeling datasets, including WikiText-103 (Merity et al., 2017) and the Enron Email dataset (Klimt & Yang, 2004). Both datasets are publicly available for research uses. |
| Dataset Splits | No | The paper states "All models were trained using early stopping, i.e., models were trained until the loss of the model on the evaluation set increased." which implies an evaluation/validation set, but it does not specify any explicit train/validation/test dataset splits (e.g., percentages or sample counts). |
| Hardware Specification | Yes | We note that the running time of our algorithm is quite fast, and we can recover a single sentence in under a minute using an Nvidia 2080TI GPU. |
| Software Dependencies | No | The paper mentions using the "GPT-2 model" and implies programming for it but does not specify any software dependencies with version numbers (e.g., "PyTorch 1.9", "Python 3.8"). |
| Experiment Setup | Yes | Unless otherwise noted, we train the model on these sentences for 90,000 iterations using an initial learning rate of 1 × 10⁻⁵, with a linearly decayed learning rate scheduler. All models were trained using early stopping, i.e., models were trained until the loss of the model on the evaluation set increased. and Our experiments demonstrate that high-fidelity recovery of a single sentence is feasible, and recovery of significant portions of sentences for training batches of up to 128 sentences. and We analyze the attack performance with different batch sizes, the number of training data points, and the number of training epochs. |
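The fine-tuning recipe quoted in the Experiment Setup row (a linearly decayed learning rate and early stopping once the evaluation loss increases) can be sketched in isolation. This is a minimal illustration of those two rules only; the function names below are hypothetical and are not taken from the paper or the FILM codebase:

```python
def linear_decay_lr(step: int, total_steps: int, base_lr: float = 1e-5) -> float:
    """Linearly decay the learning rate from base_lr at step 0 to 0 at total_steps."""
    return base_lr * max(0.0, 1.0 - step / total_steps)


def should_stop(eval_losses: list) -> bool:
    """Early stopping as described in the paper: stop as soon as the
    evaluation-set loss increases relative to the previous evaluation."""
    return len(eval_losses) >= 2 and eval_losses[-1] > eval_losses[-2]


# Example: the schedule over the 90,000 iterations quoted above.
print(linear_decay_lr(0, 90_000))       # initial learning rate (1e-05)
print(linear_decay_lr(45_000, 90_000))  # halfway through decay (5e-06)
print(should_stop([2.0, 1.5, 1.6]))     # eval loss rose -> stop (True)
```

In a real training loop the scheduler value would be applied per optimizer step (e.g. via a framework's linear LR scheduler), and `should_stop` would be checked after each evaluation pass.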