When do membership inference attacks succeed? An empirical study of overfitting in fine-tuned Large Language Models (LLMs)
Large language models fine-tuned on domain-specific data are vulnerable to membership inference attacks, which can reveal whether particular examples were used in training. While prior work has established that fine-tuned models exhibit higher vulnerability than pre-trained models, this research has...
| Autor: | |
|---|---|
| Formato: | tesis de maestría |
| Fecha de publicación: | 2026 |
| País: | España |
| Recursos: | Universitat Politècnica de Catalunya (UPC) |
| Repositorio: | UPCommons. Portal del coneixement obert de la UPC |
| Idioma: | inglés |
| OAI Identifier: | oai:dnet:upcommonspor::40ca596fdcd89e1ce8778912bbd7987b |
| Acesso em linha: | https://hdl.handle.net/2117/460646 |
| Access Level: | acceso abierto |
| Palavra-chave: | Machine learning Computer security Atacs d'inferència de pertinença Models de llenguatge grans Ajust fi Privacitat Ajust fi eficient en paràmetres Sobreajust Membership inference attacks Large language models Fine-tuning Privacy Parameter-efficient fine-tuning Overfitting Aprenentatge automàtic Seguretat informàtica Àrees temàtiques de la UPC::Informàtica::Intel·ligència artificial::Aprenentatge automàtic Àrees temàtiques de la UPC::Informàtica::Seguretat informàtica |
| id |
ES_ca98dfdc371c7d93aa4624d4443faacb |
|---|---|
| oai_identifier_str |
oai:dnet:upcommonspor::40ca596fdcd89e1ce8778912bbd7987b |
| network_acronym_str |
ES |
| network_name_str |
España |
| repository_id_str |
|
| spelling |
When do membership inference attacks succeed? An empirical study of overfitting in fine-tuned Large Language Models (LLMs)Dié, Jean, Pierre, Dao-KoinMachine learningComputer securityAtacs d'inferència de pertinençaModels de llenguatge gransAjust fiPrivacitatAjust fi eficient en paràmetresSobreajustMembership inference attacksLarge language modelsFine-tuningPrivacyParameter-efficient fine-tuningOverfittingAprenentatge automàticSeguretat informàticaÀrees temàtiques de la UPC::Informàtica::Intel·ligència artificial::Aprenentatge automàticÀrees temàtiques de la UPC::Informàtica::Seguretat informàticaLarge language models fine-tuned on domain-specific data are vulnerable to membership inference attacks, which can reveal whether particular examples were used in training. While prior work has established that fine-tuned models exhibit higher vulnerability than pre-trained models, this research has focused almost exclusively on endpoint comparisons-evaluating vulnerability after fine-tuning is complete without examining how it develops during training. This thesis investigates the progressive emergence of membership inference vulnerability across training epochs and its relationship with overfitting. We evaluate five membership inference attacks across five fine-tuning methods (full fine-tuning, LoRA, BitFit, adapter tuning, and prefix tuning), three model scales (1B, 6.9B, and 12B parameters), and five training epochs, yielding 375 attack evaluations. To ensure methodological rigor, we employ bag-of-words validation to verify that evaluation datasets are free from distribution artifacts that have confounded prior benchmarks. The central finding is a strong correlation between the training-validation loss gap-a standard measure of overfitting-and attack effectiveness across all experimental conditions. Pearson correlations range from 0.838 to 0.996 across attack methods, with all correlations statistically significant (p < 0.001). This relationship holds consistently across fine-tuning methods and model scales, suggesting that membership inference attacks primarily succeed when models are overfitted rather than exploiting fundamental architectural vulnerabilities. Reference-based attacks, which compare the fine-tuned model's behavior against the original base model, show amplified sensitivity compared to attacks that examine only the fine-tuned model, achieving high effectiveness at lower overfitting levels. These findings suggest that standard generalization practices may reduce membership inference vulnerability alongside their benefits for model quality. The loss gap, already monitored by practitioners for model selection, could serve as a practical privacy risk indicator during fine-tuning without requiring attack implementation. The core contributions of this thesis have been accepted for publication at RECSI 2026 (XVIII Reunión Española sobre Criptología y Seguridad de la Información).Universitat Politècnica de CatalunyaMoreno Ribas, AntonioDavid Sánchez Ruenes, Josep Domingo I Ferrer20262026-01-2720262026-04-16master thesishttp://purl.org/coar/resource_type/c_bdccNAhttp://purl.org/coar/version/c_be7fb7dd8ff6fe43info:eu-repo/semantics/masterThesisapplication/pdfapplication/pdfhttps://hdl.handle.net/2117/460646reponame:UPCommons. Portal del coneixement obert de la UPCinstname:Universitat Politècnica de Catalunya (UPC)Inglésengopen accesshttp://purl.org/coar/access_right/c_abf2info:eu-repo/semantics/openAccessoai:dnet:upcommonspor::40ca596fdcd89e1ce8778912bbd7987b2026-05-27T15:37:01Z |
| dc.title.none.fl_str_mv |
When do membership inference attacks succeed? An empirical study of overfitting in fine-tuned Large Language Models (LLMs) |
| title |
When do membership inference attacks succeed? An empirical study of overfitting in fine-tuned Large Language Models (LLMs) |
| spellingShingle |
When do membership inference attacks succeed? An empirical study of overfitting in fine-tuned Large Language Models (LLMs) Dié, Jean, Pierre, Dao-Koin Machine learning Computer security Atacs d'inferència de pertinença Models de llenguatge grans Ajust fi Privacitat Ajust fi eficient en paràmetres Sobreajust Membership inference attacks Large language models Fine-tuning Privacy Parameter-efficient fine-tuning Overfitting Aprenentatge automàtic Seguretat informàtica Àrees temàtiques de la UPC::Informàtica::Intel·ligència artificial::Aprenentatge automàtic Àrees temàtiques de la UPC::Informàtica::Seguretat informàtica |
| title_short |
When do membership inference attacks succeed? An empirical study of overfitting in fine-tuned Large Language Models (LLMs) |
| title_full |
When do membership inference attacks succeed? An empirical study of overfitting in fine-tuned Large Language Models (LLMs) |
| title_fullStr |
When do membership inference attacks succeed? An empirical study of overfitting in fine-tuned Large Language Models (LLMs) |
| title_full_unstemmed |
When do membership inference attacks succeed? An empirical study of overfitting in fine-tuned Large Language Models (LLMs) |
| title_sort |
When do membership inference attacks succeed? An empirical study of overfitting in fine-tuned Large Language Models (LLMs) |
| dc.creator.none.fl_str_mv |
Dié, Jean, Pierre, Dao-Koin |
| author |
Dié, Jean, Pierre, Dao-Koin |
| author_facet |
Dié, Jean, Pierre, Dao-Koin |
| author_role |
author |
| dc.contributor.none.fl_str_mv |
Moreno Ribas, Antonio David Sánchez Ruenes, Josep Domingo I Ferrer |
| dc.subject.none.fl_str_mv |
Machine learning Computer security Atacs d'inferència de pertinença Models de llenguatge grans Ajust fi Privacitat Ajust fi eficient en paràmetres Sobreajust Membership inference attacks Large language models Fine-tuning Privacy Parameter-efficient fine-tuning Overfitting Aprenentatge automàtic Seguretat informàtica Àrees temàtiques de la UPC::Informàtica::Intel·ligència artificial::Aprenentatge automàtic Àrees temàtiques de la UPC::Informàtica::Seguretat informàtica |
| topic |
Machine learning Computer security Atacs d'inferència de pertinença Models de llenguatge grans Ajust fi Privacitat Ajust fi eficient en paràmetres Sobreajust Membership inference attacks Large language models Fine-tuning Privacy Parameter-efficient fine-tuning Overfitting Aprenentatge automàtic Seguretat informàtica Àrees temàtiques de la UPC::Informàtica::Intel·ligència artificial::Aprenentatge automàtic Àrees temàtiques de la UPC::Informàtica::Seguretat informàtica |
| description |
Large language models fine-tuned on domain-specific data are vulnerable to membership inference attacks, which can reveal whether particular examples were used in training. While prior work has established that fine-tuned models exhibit higher vulnerability than pre-trained models, this research has focused almost exclusively on endpoint comparisons-evaluating vulnerability after fine-tuning is complete without examining how it develops during training. This thesis investigates the progressive emergence of membership inference vulnerability across training epochs and its relationship with overfitting. We evaluate five membership inference attacks across five fine-tuning methods (full fine-tuning, LoRA, BitFit, adapter tuning, and prefix tuning), three model scales (1B, 6.9B, and 12B parameters), and five training epochs, yielding 375 attack evaluations. To ensure methodological rigor, we employ bag-of-words validation to verify that evaluation datasets are free from distribution artifacts that have confounded prior benchmarks. The central finding is a strong correlation between the training-validation loss gap-a standard measure of overfitting-and attack effectiveness across all experimental conditions. Pearson correlations range from 0.838 to 0.996 across attack methods, with all correlations statistically significant (p < 0.001). This relationship holds consistently across fine-tuning methods and model scales, suggesting that membership inference attacks primarily succeed when models are overfitted rather than exploiting fundamental architectural vulnerabilities. Reference-based attacks, which compare the fine-tuned model's behavior against the original base model, show amplified sensitivity compared to attacks that examine only the fine-tuned model, achieving high effectiveness at lower overfitting levels. These findings suggest that standard generalization practices may reduce membership inference vulnerability alongside their benefits for model quality. The loss gap, already monitored by practitioners for model selection, could serve as a practical privacy risk indicator during fine-tuning without requiring attack implementation. The core contributions of this thesis have been accepted for publication at RECSI 2026 (XVIII Reunión Española sobre Criptología y Seguridad de la Información). |
| publishDate |
2026 |
| dc.date.none.fl_str_mv |
2026 2026-01-27 2026 2026-04-16 |
| dc.type.none.fl_str_mv |
master thesis http://purl.org/coar/resource_type/c_bdcc NA http://purl.org/coar/version/c_be7fb7dd8ff6fe43 |
| dc.type.openaire.fl_str_mv |
info:eu-repo/semantics/masterThesis |
| format |
masterThesis |
| dc.identifier.none.fl_str_mv |
https://hdl.handle.net/2117/460646 |
| url |
https://hdl.handle.net/2117/460646 |
| dc.language.none.fl_str_mv |
Inglés eng |
| language_invalid_str_mv |
Inglés |
| language |
eng |
| dc.rights.none.fl_str_mv |
open access http://purl.org/coar/access_right/c_abf2 |
| dc.rights.openaire.fl_str_mv |
info:eu-repo/semantics/openAccess |
| rights_invalid_str_mv |
open access http://purl.org/coar/access_right/c_abf2 |
| eu_rights_str_mv |
openAccess |
| dc.format.none.fl_str_mv |
application/pdf application/pdf |
| dc.publisher.none.fl_str_mv |
Universitat Politècnica de Catalunya |
| publisher.none.fl_str_mv |
Universitat Politècnica de Catalunya |
| dc.source.none.fl_str_mv |
reponame:UPCommons. Portal del coneixement obert de la UPC instname:Universitat Politècnica de Catalunya (UPC) |
| instname_str |
Universitat Politècnica de Catalunya (UPC) |
| reponame_str |
UPCommons. Portal del coneixement obert de la UPC |
| collection |
UPCommons. Portal del coneixement obert de la UPC |
| repository.name.fl_str_mv |
|
| repository.mail.fl_str_mv |
|
| _version_ |
1869419493734744064 |
| score |
15.811543 |