When do membership inference attacks succeed? An empirical study of overfitting in fine-tuned Large Language Models (LLMs)

Large language models fine-tuned on domain-specific data are vulnerable to membership inference attacks, which can reveal whether particular examples were used in training. While prior work has established that fine-tuned models exhibit higher vulnerability than pre-trained models, this research has...

ver descrição completa

Detalhes bibliográficos
Autor: Dié, Jean, Pierre, Dao-Koin
Formato: tesis de maestría
Fecha de publicación:2026
País:España
Recursos:Universitat Politècnica de Catalunya (UPC)
Repositorio:UPCommons. Portal del coneixement obert de la UPC
Idioma:inglés
OAI Identifier:oai:dnet:upcommonspor::40ca596fdcd89e1ce8778912bbd7987b
Acesso em linha:https://hdl.handle.net/2117/460646
Access Level:acceso abierto
Palavra-chave:Machine learning
Computer security
Atacs d'inferència de pertinença
Models de llenguatge grans
Ajust fi
Privacitat
Ajust fi eficient en paràmetres
Sobreajust
Membership inference attacks
Large language models
Fine-tuning
Privacy
Parameter-efficient fine-tuning
Overfitting
Aprenentatge automàtic
Seguretat informàtica
Àrees temàtiques de la UPC::Informàtica::Intel·ligència artificial::Aprenentatge automàtic
Àrees temàtiques de la UPC::Informàtica::Seguretat informàtica
id ES_ca98dfdc371c7d93aa4624d4443faacb
oai_identifier_str oai:dnet:upcommonspor::40ca596fdcd89e1ce8778912bbd7987b
network_acronym_str ES
network_name_str España
repository_id_str
spelling When do membership inference attacks succeed? An empirical study of overfitting in fine-tuned Large Language Models (LLMs)Dié, Jean, Pierre, Dao-KoinMachine learningComputer securityAtacs d'inferència de pertinençaModels de llenguatge gransAjust fiPrivacitatAjust fi eficient en paràmetresSobreajustMembership inference attacksLarge language modelsFine-tuningPrivacyParameter-efficient fine-tuningOverfittingAprenentatge automàticSeguretat informàticaÀrees temàtiques de la UPC::Informàtica::Intel·ligència artificial::Aprenentatge automàticÀrees temàtiques de la UPC::Informàtica::Seguretat informàticaLarge language models fine-tuned on domain-specific data are vulnerable to membership inference attacks, which can reveal whether particular examples were used in training. While prior work has established that fine-tuned models exhibit higher vulnerability than pre-trained models, this research has focused almost exclusively on endpoint comparisons-evaluating vulnerability after fine-tuning is complete without examining how it develops during training. This thesis investigates the progressive emergence of membership inference vulnerability across training epochs and its relationship with overfitting. We evaluate five membership inference attacks across five fine-tuning methods (full fine-tuning, LoRA, BitFit, adapter tuning, and prefix tuning), three model scales (1B, 6.9B, and 12B parameters), and five training epochs, yielding 375 attack evaluations. To ensure methodological rigor, we employ bag-of-words validation to verify that evaluation datasets are free from distribution artifacts that have confounded prior benchmarks. The central finding is a strong correlation between the training-validation loss gap-a standard measure of overfitting-and attack effectiveness across all experimental conditions. Pearson correlations range from 0.838 to 0.996 across attack methods, with all correlations statistically significant (p < 0.001). This relationship holds consistently across fine-tuning methods and model scales, suggesting that membership inference attacks primarily succeed when models are overfitted rather than exploiting fundamental architectural vulnerabilities. Reference-based attacks, which compare the fine-tuned model's behavior against the original base model, show amplified sensitivity compared to attacks that examine only the fine-tuned model, achieving high effectiveness at lower overfitting levels. These findings suggest that standard generalization practices may reduce membership inference vulnerability alongside their benefits for model quality. The loss gap, already monitored by practitioners for model selection, could serve as a practical privacy risk indicator during fine-tuning without requiring attack implementation. The core contributions of this thesis have been accepted for publication at RECSI 2026 (XVIII Reunión Española sobre Criptología y Seguridad de la Información).Universitat Politècnica de CatalunyaMoreno Ribas, AntonioDavid Sánchez Ruenes, Josep Domingo I Ferrer20262026-01-2720262026-04-16master thesishttp://purl.org/coar/resource_type/c_bdccNAhttp://purl.org/coar/version/c_be7fb7dd8ff6fe43info:eu-repo/semantics/masterThesisapplication/pdfapplication/pdfhttps://hdl.handle.net/2117/460646reponame:UPCommons. Portal del coneixement obert de la UPCinstname:Universitat Politècnica de Catalunya (UPC)Inglésengopen accesshttp://purl.org/coar/access_right/c_abf2info:eu-repo/semantics/openAccessoai:dnet:upcommonspor::40ca596fdcd89e1ce8778912bbd7987b2026-05-27T15:37:01Z
dc.title.none.fl_str_mv When do membership inference attacks succeed? An empirical study of overfitting in fine-tuned Large Language Models (LLMs)
title When do membership inference attacks succeed? An empirical study of overfitting in fine-tuned Large Language Models (LLMs)
spellingShingle When do membership inference attacks succeed? An empirical study of overfitting in fine-tuned Large Language Models (LLMs)
Dié, Jean, Pierre, Dao-Koin
Machine learning
Computer security
Atacs d'inferència de pertinença
Models de llenguatge grans
Ajust fi
Privacitat
Ajust fi eficient en paràmetres
Sobreajust
Membership inference attacks
Large language models
Fine-tuning
Privacy
Parameter-efficient fine-tuning
Overfitting
Aprenentatge automàtic
Seguretat informàtica
Àrees temàtiques de la UPC::Informàtica::Intel·ligència artificial::Aprenentatge automàtic
Àrees temàtiques de la UPC::Informàtica::Seguretat informàtica
title_short When do membership inference attacks succeed? An empirical study of overfitting in fine-tuned Large Language Models (LLMs)
title_full When do membership inference attacks succeed? An empirical study of overfitting in fine-tuned Large Language Models (LLMs)
title_fullStr When do membership inference attacks succeed? An empirical study of overfitting in fine-tuned Large Language Models (LLMs)
title_full_unstemmed When do membership inference attacks succeed? An empirical study of overfitting in fine-tuned Large Language Models (LLMs)
title_sort When do membership inference attacks succeed? An empirical study of overfitting in fine-tuned Large Language Models (LLMs)
dc.creator.none.fl_str_mv Dié, Jean, Pierre, Dao-Koin
author Dié, Jean, Pierre, Dao-Koin
author_facet Dié, Jean, Pierre, Dao-Koin
author_role author
dc.contributor.none.fl_str_mv Moreno Ribas, Antonio
David Sánchez Ruenes, Josep Domingo I Ferrer
dc.subject.none.fl_str_mv Machine learning
Computer security
Atacs d'inferència de pertinença
Models de llenguatge grans
Ajust fi
Privacitat
Ajust fi eficient en paràmetres
Sobreajust
Membership inference attacks
Large language models
Fine-tuning
Privacy
Parameter-efficient fine-tuning
Overfitting
Aprenentatge automàtic
Seguretat informàtica
Àrees temàtiques de la UPC::Informàtica::Intel·ligència artificial::Aprenentatge automàtic
Àrees temàtiques de la UPC::Informàtica::Seguretat informàtica
topic Machine learning
Computer security
Atacs d'inferència de pertinença
Models de llenguatge grans
Ajust fi
Privacitat
Ajust fi eficient en paràmetres
Sobreajust
Membership inference attacks
Large language models
Fine-tuning
Privacy
Parameter-efficient fine-tuning
Overfitting
Aprenentatge automàtic
Seguretat informàtica
Àrees temàtiques de la UPC::Informàtica::Intel·ligència artificial::Aprenentatge automàtic
Àrees temàtiques de la UPC::Informàtica::Seguretat informàtica
description Large language models fine-tuned on domain-specific data are vulnerable to membership inference attacks, which can reveal whether particular examples were used in training. While prior work has established that fine-tuned models exhibit higher vulnerability than pre-trained models, this research has focused almost exclusively on endpoint comparisons-evaluating vulnerability after fine-tuning is complete without examining how it develops during training. This thesis investigates the progressive emergence of membership inference vulnerability across training epochs and its relationship with overfitting. We evaluate five membership inference attacks across five fine-tuning methods (full fine-tuning, LoRA, BitFit, adapter tuning, and prefix tuning), three model scales (1B, 6.9B, and 12B parameters), and five training epochs, yielding 375 attack evaluations. To ensure methodological rigor, we employ bag-of-words validation to verify that evaluation datasets are free from distribution artifacts that have confounded prior benchmarks. The central finding is a strong correlation between the training-validation loss gap-a standard measure of overfitting-and attack effectiveness across all experimental conditions. Pearson correlations range from 0.838 to 0.996 across attack methods, with all correlations statistically significant (p < 0.001). This relationship holds consistently across fine-tuning methods and model scales, suggesting that membership inference attacks primarily succeed when models are overfitted rather than exploiting fundamental architectural vulnerabilities. Reference-based attacks, which compare the fine-tuned model's behavior against the original base model, show amplified sensitivity compared to attacks that examine only the fine-tuned model, achieving high effectiveness at lower overfitting levels. These findings suggest that standard generalization practices may reduce membership inference vulnerability alongside their benefits for model quality. The loss gap, already monitored by practitioners for model selection, could serve as a practical privacy risk indicator during fine-tuning without requiring attack implementation. The core contributions of this thesis have been accepted for publication at RECSI 2026 (XVIII Reunión Española sobre Criptología y Seguridad de la Información).
publishDate 2026
dc.date.none.fl_str_mv 2026
2026-01-27
2026
2026-04-16
dc.type.none.fl_str_mv master thesis
http://purl.org/coar/resource_type/c_bdcc
NA
http://purl.org/coar/version/c_be7fb7dd8ff6fe43
dc.type.openaire.fl_str_mv info:eu-repo/semantics/masterThesis
format masterThesis
dc.identifier.none.fl_str_mv https://hdl.handle.net/2117/460646
url https://hdl.handle.net/2117/460646
dc.language.none.fl_str_mv Inglés
eng
language_invalid_str_mv Inglés
language eng
dc.rights.none.fl_str_mv open access
http://purl.org/coar/access_right/c_abf2
dc.rights.openaire.fl_str_mv info:eu-repo/semantics/openAccess
rights_invalid_str_mv open access
http://purl.org/coar/access_right/c_abf2
eu_rights_str_mv openAccess
dc.format.none.fl_str_mv application/pdf
application/pdf
dc.publisher.none.fl_str_mv Universitat Politècnica de Catalunya
publisher.none.fl_str_mv Universitat Politècnica de Catalunya
dc.source.none.fl_str_mv reponame:UPCommons. Portal del coneixement obert de la UPC
instname:Universitat Politècnica de Catalunya (UPC)
instname_str Universitat Politècnica de Catalunya (UPC)
reponame_str UPCommons. Portal del coneixement obert de la UPC
collection UPCommons. Portal del coneixement obert de la UPC
repository.name.fl_str_mv
repository.mail.fl_str_mv
_version_ 1869419493734744064
score 15.811543