Skip to main content

34 docs tagged with "ML Engineer"

View all tags

Confidential inference: hand your prompt to the cloud without letting the cloud see it — the routes that ship, and what they don't solve

In one sentence what actually ships today is mainly the hardware isolation + remote attestation route — e.g. GPU confidential computing on NVIDIA H100/H200, and Apple Private Cloud Compute as a private cloud architecture with a verifiable transparency log (same mechanism family, different shapes — don't conflate them); the cryptographic route (HE / MPC) is still too expensive at LLM scale. But "confidential" is a marketing word — the real boundary isn't "the vendor says confidential," it's whether you (or your device) verified the attestation, who the threat model covers, and what it still doesn't solve (side channels, trusting the chip vendor, legal orders). This entry takes Volume 1's TEE and HE·MPC foundations down to "can you actually run private inference."

Cross-session / cross-tenant memory bleed: shared memory / cache without per-user isolation, and I hand one person's data to another

In one sentence in March 2023 a redis-py concurrency race in ChatGPT let some users see others' chat titles and the first message of a new conversation, and about 1.2% of active Plus users had their name / email / billing address / last-four card digits exposed in a roughly 9-hour window (OpenAI's official postmortem). Conclusion first: cross-session isolation is the system's responsibility, not "I'll be careful not to mix things up" — scope every cache / memory / session by user, with concurrency safety + ownership checks + auditing.

DP in-context learning: put differential privacy on the private examples in your prompt, not on training

In one sentence either it splits the private examples into disjoint subsets and does a noisy aggregation over my outputs across those subsets before answering, or it uses the private data to generate a batch of synthetic examples with an (ε, δ) guarantee that replace the real ones. What it can bound is any single private example's influence on the answer — not me introspecting the prompt. Two boundaries up front: it protects the examples, not the query itself; and ε isn't zero, so out-of-aggregation side channels still leak.

DP privacy auditing: is the ε you claim real? Empirically lower-bound your DP guarantee in one training run

In one sentence insert many independent probes into training, then use how well you can guess "which probes were trained on" to derive an empirical ε lower bound — the privacy you actually deliver is no stronger than that bound. Steinke et al. (NeurIPS 2023 Outstanding Paper) made it runnable in one training run, cheap enough to keep as a regression check. Conclusion first: "we used a DP library" does not mean "the ε holds", and auditing is the only empirical way to turn a claimed ε into an audited ε.

Federated analytics: compute only the "statistics," never centralize the raw data — but the guarantee still hinges on DP + secure aggregation

In one sentence that trains a model, this computes statistics. Already deployed the word "federated" does not automatically mean private — keeping data local is only the start; the real privacy guarantee hinges on whether DP and secure aggregation are actually done right; miss either layer and the aggregate result plus multi-round queries can still shake individuals loose.

Fine-tuning-as-a-service privacy: where your fine-tuning data goes, and how fine-tuning erodes alignment (privacy refusals included)

In one sentence how long it's retained, whether it's used for training or human review, whether the resulting fine-tuned model is yours alone — none of this is a single number; verify each vendor's current terms item by item (most vendor docs say fine-tuning inputs/outputs aren't used for training by default and the fine-tuned model is for your use alone — but still check the terms for your tier, your endpoint, your region, and remember they change). Face 2 — fine-tuning itself erodes alignment handing data to a vendor fine-tuning API means you must both verify the data boundary and assume fine-tuning will weaken alignment — including the privacy refusals the model would otherwise make. (Note: Qi et al. is primarily a result about safety-alignment erosion, not a direct data-leak / PII-extraction result — this entry uses it to say "fine-tuning weakens privacy refusals along with the rest," and does not overstate it as "fine-tuning can extract the training data.")

Homomorphic encryption and secure multi-party computation (HE·MPC): compute on ciphertext without trusting the remote hardware — at a steep speed cost

In one sentence the remote execution environment is not a trust root — security comes from cryptographic assumptions. The cost is being much slower (HE especially), so today they're used in narrow scenarios, and full private LLM inference is still expensive. Volume 1 covers what they guarantee, where the cost is, and how to choose between them and a TEE.

LoRA / Adapter Leaking Fine-tune Data: Published Delta + Public Base = Membership Inference Amplifier

In one sentence the difference between the base and the fine-tuned model is itself the fingerprint of the fine-tune data. An attacker who holds your adapter and that public base can use the public base as a reference frame and run membership inference / extraction amplified by the delta. LoRA-Leak (arXiv 2507.18302, ⚠️preprint) measures it "the delta is small / the base is public" is not privacy — the public base is a free reference in the attacker's hands that raises your members' distinguishability.

Membership inference: deciding whether a record was in my training set — the root of most privacy attacks

In one sentence: membership inference (MIA) asks a question that looks harmless but isn't — "was this record in my training set or not." It needs no original text (that's the fundamental difference from training-data extraction), only a yes/no; yet when the "yes" is itself sensitive (e.g. "this person is in a particular disease dataset"), that single bit is the leak. It is the core target differential privacy defends against, and the foundation of a whole chain of privacy attacks — extraction, attribute inference, and more — which is why it leads Volume 1.

Model inversion & attribute inference: with queries and confidence, an attacker can rebuild what a training sample 'looks like' — or infer your sensitive attributes

In one sentence model inversion — using repeated queries + the confidence I emit to rebuild what a class's training sample "looks like" (Fredrikson et al. at CCS 2015 reconstructed recognizable faces from a face-recognition model); and attribute inference — given a person's partial known info + me, inferring their undisclosed sensitive attribute (Fredrikson et al.'s 2014 warfarin-dosing case). Conclusion first: confidence / probability outputs are the fuel, and attribute inference also borrows population-statistics correlations — don't assume "didn't send raw data out" is safe; look at output granularity, whether DP is stacked, and whether a class maps to a single individual.

Multi-agent internal-channel leakage: when agents pass private data to each other, more leaks internally than in the external output

In one sentence internal channels leak substantially more sensitive data than the external output, and an audit that only looks at the final output misses a large fraction of it. Conclusion first: if your audit boundary stops at "what the model said to the user," it can't see the dominant leakage surface in a multi-agent system — internal channels must also be audited, redacted, and shared on a need-to-know minimum.

Multi-tenant RAG retrieval leakage: vectors aren't anonymous, and filtering by user isn't always isolation

In one sentence: in multi-tenant RAG, two intuitions both fail — "vectorized means anonymized" and "filtered by user means isolated." In some studied embedding settings a vector can be inverted back to approximate original text (including PII), so don't treat it as anonymization; retrieval ranks by similarity, not permission, so if the ACL runs after retrieval instead of before it, the most relevant private chunk may come from another tenant; and a single boundary bug in a shared cache / long-term memory can carry one user's private context into another's session.

On-device inference as a privacy posture: the prompt really doesn't leave the device — but here's what "on-device" doesn't cover

In one sentence on-device means "the device doesn't send it out." But "on-device" is a word that's easy to over-read — the real boundary isn't "the vendor says on-device," it's which requests still fall back to the cloud, how much capability you trade away because the on-device model is smaller, and the telemetry / diagnostics / model-download channels. Bottom line first: "on-device" ≠ "nothing leaves the device." What's verifiable is that a given request completes on the local device and its prompt didn't leave the device for that path; but which requests run on-device versus fall back to the cloud is a deployment fact to check, not a model promise. For the fall-back-to-cloud portion, you go back to confidential inference to verify it.

Quantifying memorization and memorization auditing: use canaries and exposure to measure how much I 'memorized' before release

In one sentence insert random canaries into the training set, then use exposure to measure how strongly I prefer each one over random strings — higher exposure means it's memorized harder. Quantifying Memorization (ICLR 2023) goes further and measures audit memorization with canaries + exposure before release, turning "how much got memorized" into a regression-able number — don't say "it probably didn't memorize anything" on a hunch, which is the false security of a missing audit.

Secure aggregation: let the server see only "the sum of everyone's updates," never any single update

In one sentence use secure multiparty computation so the server can compute only "the sum of all clients' updates," never any single update — the single point is hidden, and inversion loses what it stands on. It's communication-efficient and robust to client dropout, and is already used in Google's production FL (Bonawitz et al., MLSys 2019 secure aggregation downgrades "the server is trusted" to "the server only sees the aggregate sum"; but it's not a cure-all — it defends against "seeing a single update," not "the aggregate sum itself leaking" or "parties colluding," so still pair it with DP.

Split learning leakage: splitting the model in two so "raw data stays local" doesn't stop the server reconstructing your inputs from intermediate activations

In one sentence this is not private. The Feature-Space Hijacking Attack (Pasquini et al., CCS 2021) shows a malicious server can actively steer the split model into an insecure state and reconstruct the client's private training inputs from the intermediate activations (reconstructing images on MNIST / Omniglot / CelebA); UnSplit (Erdoğan et al., WPES @ CCS 2022) shows that even an honest-but-curious server — knowing only the client architecture, with no active interference — can invert (reconstruction MSE ≈ 0.08–0.15 on MNIST / Fashion-MNIST / CIFAR-10). Don't read "didn't send raw pixels" as privacy.

Synthetic-data privacy: replacing real data with synthetic data ≠ anonymous — unless generated under formal DP, and even then a utility trade-off remains

In one sentence synthetic data provides no anonymity by default. Stadler et al. (USENIX Security 2022) showed that any privacy evaluation based on "how similar real and synthetic records look" severely underestimates risk, and that synthetic data is no safer than traditional anonymisation — unless generated under a formal differential-privacy (DP) guarantee; and even with DP, you can't escape a hard privacy↔utility trade-off. Chen et al. (GAN-Leaks, CCS 2020) go further: even when the attacker can only sample from the generator (full black-box — exactly the "publish a synthetic dataset" case), membership inference (MIA) still distinguishes whether a given real record was in the training set above chance, and gets more accurate as overfitting rises. The only thing that gives a bound is formal DP, and ε is not zero.

Unlearning benchmarks and standardized evaluation: turning "did it forget cleanly?" into a regression-able score — and the benchmarks' own blind spots

In one sentence not just "can it still recite it?" but forget quality × retained utility × privacy leakage under attack, three axes at once. And these benchmarks converge on an uncomfortable finding — few methods survive both the utility test and the leakage test (MUSE reports that of eight algorithms, only one avoids severe privacy leakage ⚠️ preprint). But the benchmarks have blind spots of their own: a benchmark is a proxy, and passing it ≠ truly forgotten (this picks up this volume's Unlearning verifiability); whatever it doesn't cover is a corner it can't see.

Verifiability of machine unlearning: you deleted it but can't prove it — model-level unlearning is unverifiable, and "proofs" can be forged

In one sentence the same model parameters can be produced from a different dataset / a different gradient sequence, so a model owner can pass off a fabricated "I unlearned it" proof while actually keeping the record. Alongside it, TOFU (Maini et al., COLM 2024) turns "forget quality" into a measurable benchmark and finds no off-the-shelf method convincingly passes the "forget quality vs. utility" tradeoff. Conclusion first: audit the algorithm / process, not the final weights; "deleted" must be provable, or it's compliance theater.

Verifiable deletion and machine unlearning: "deleted the source record" ≠ "the model forgot" — and proving it forgot is harder still

In one sentence once memorization is in the weights, deleting the source doesn't make it vanish). Machine unlearning aims to make the model "behave as if it never saw that record." Two hard parts: ① how to actually forget (exact unlearning ≈ equivalent retraining, expensive; approximate unlearning is fast but unguaranteed); ② how to prove it forgot (verifiable deletion) — the piece engineering most lacks.