Skip to main content

Volume 2 · Memorization and extraction

The flagship volume: why generative pretrained models memorize training data verbatim, how an outside attacker extracts it, what factors (repetition, scale, context) amplify memorization, and defenses like deduplication / DP pretraining / memorization auditing.

Quantifying memorization & auditing

In one sentence insert random canaries into the training set, then use exposure to measure how strongly I prefer each one over random strings — higher exposure means it's memorized harder. Quantifying Memorization (ICLR 2023) goes further and measures audit memorization with canaries + exposure before release, turning "how much got memorized" into a regression-able number — don't say "it probably didn't memorize anything" on a hunch, which is the false security of a missing audit.

MediumResearch

DP privacy auditing

In one sentence insert many independent probes into training, then use how well you can guess "which probes were trained on" to derive an empirical ε lower bound — the privacy you actually deliver is no stronger than that bound. Steinke et al. (NeurIPS 2023 Outstanding Paper) made it runnable in one training run, cheap enough to keep as a regression check. Conclusion first: "we used a DP library" does not mean "the ε holds", and auditing is the only empirical way to turn a claimed ε into an audited ε.

MediumResearch