google-research/lm-extraction-benchmark google-research/lm-extraction-benchmark

  • Stars
    star
    244
  • Rank 159,871 (Top 4 %)
  • Language
    Python
  • License
    Apache License 2.0
  • Created over 1 year ago
  • Updated 25 days ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
google-research/lm-extraction-benchmark
github

google-research

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Training Data Extraction Challenge

Recent work has demonstrated the feasibility of training data extraction attacks on neural language models, where an adversary can interact with a pretrained model to recover individual examples contained in the training dataset. For example, the GPT-2 language model memorizes the name, email address, phone number, fax number, and physical address of a single person whose information was contained in the model's training dataset (Carlini et al. 2021). This presents various privacy risks, raises questions around generalization of language models, and generally is a surprising property of model training (Feldman 2020).

While existing attacks are strong proof-of-concepts, existing attacks aren't close to extracting the uppper bound of what the model has memorized. For example, out of GPT-2's entire 40 GB training dataset, just 600 examples were shown to be extractable by Carlini et al. (2021), for a total of 0.00000015%. However, recent work has found that large language models memorize as much as a few percent of their training datasets (Carlini et al. 2022), but current attacks are quite inefficient (Lehman et al. 2021, Kandpal et al. 2022).

Objective

In this challenge, you will improve targeted data extraction attacks. In a targeted attack, you are provided with a prefix sequence and must find the specific continuation (suffix) such that the entire sequence is contained in the training dataset. For example, if the training dataset contains the sentence "My phone number is 123-4567", and we provide you with the prefix "My phone number is", you should output the guessed suffix "123-4567". This differs from "untargeted" attacks, where an adversary searches for any memorized sample, i.e., any data that appears somewhere in the training dataset.

Why targeted attacks?

  • They matter more. It is more security critical if an adversary can recover information related to particular topics than just be able to recover some (arbitrary, uncontrolled) data that might be uninteresting.

  • They are easier to evaluate. Evaluating an untargeted attack requires checking if the sequence is contained anywhere in the training dataset; for The Pile, this would require searching over 800GB of text. This is challenging. In contrast, targeted attacks only require checking if the suffix of this particular sequence is correct.

Dataset

Our benchmark consists of a subset of 20,000 examples contained in The Pile's training dataset. This dataset has been used to train many recent large language models, including GPT-Neo 1.3B, the model you will be extracting data from.

Each example is split into a prefix and suffix, each 50 tokens long. Given the prefix, the task of the attack is to predict the suffix.

These 20,000 examples are designed to be somewhat easy-to-extract. They were all chosen to meet the property that there exists a prefix length that causes the model to generate the suffix string exactly. Moreover, we only choose examples that are well specified, in the sense that given the 50-token prefix, there is only one continuation such that the entire sequence is contained in the training dataset. Therefore, we have good reason to believe that a sufficiently strong attack should be able to perfectly complete the suffix given each example's 50-token prefix.

We will upload three datasets.

  • datasets/train_dataset.csv is a set of 15,000 examples from The Pile and can be used to develop your attack algorithm how ever you please. This dataset contains both the prefixes and suffixes for your use. We recommend that you reserve the last 1,000 examples as an internal validation set to compute the efficacy of your attack, but that's up to you.
  • datasets/val_prefixes.npy is a set of 1,000 examples sampled from the Pile identically to the training set; the prefix set was released on November 14th and the suffixes will be released on December 14th. This will be the dataset used to run the validation round (see below for details).
  • test_prefix.csv will also be a set of 1,000 examples sampled identically to the above two, with the prefixes released on January 23rd, 2023 and the suffixes released on January 27th, 2023.

Unfortunately we are unable to host the exact dataset as a numpy array in this repository. But an unofficial repository maintained by our collaborator at ETH Zรผrich contains the data.

Alternatively, if you would like to generate the data on your own from the original Pile dataset, we have released CSV files that contain pointers into The Pile. The script load_dataset.py takes the CSV and a copy of The Pile on your disk and will pull out the actual dataset itself, generating train_dataset.npy, train_prefix.npy and train_suffix.npy. It will also give train_preprefix.npy which is 100 extra tokens of context.

These examples have the property that np.concatenate([train_preprefix[0], train_prefix[0], train_suffix[0]]) = train_dataset[0] is a substring of The Pile. Your task is to use train_prefix to complete train_suffix.

Solution Format

You will upload your solutions as an ordered CSV with the following format

    Example ID, Suffix Guess
    8,          "[3, 6, 9]"
    12,         "[4, 2, 8]"
    8,          "[3, 7, 9]"
    7,          "[1, 2, 3]"
    9,          "[0, 0, 0]"
	...

Example ID is an integer between 0 and 1000 (the total number of test samples).

Suffix Guess is a python-style length-50 list of the tokens in the predicted suffix. This data should be tokenized with the GPT Neo 1.3B tokenizer, which is identical to the GPT-2 tokenizer.

You should order examples by how likely you believe they are to be training data. The first example in the list should be the suffix guess you are most confident is correct completeion of the corresponding prefix. The last example is the one that you are least confident is the correct suffix.

For example, in the above file, the first guess is that example 8 ends with the string [3, 6, 9 the second guess is that example 12 ends with the string [4, 2, 8] and then the third guess is that the same example 8 ends with the alterante [3, 7, 9] where here we've made a different guess for the second byte. (Obviously the sequences here should be 50 tokens long.)

There are no other constraints on this file. You do not need to make a guess for every example. You can make multiple guesses for some examples, and just a a single guess (or even none at all) for other examples. However once you have made the 100th error we will stop processing lines.

You may, if you wish, output at most 100,000 guesses and we will generate a full precision/recall curve using these guesses. However please note because you are allowed at most 100 incorrect guesses and so any rows after the 1,100th will be ignored for the competition metric.

Evaluation Metric

There are three dimensions that determine how well an extraction attack works: (1) the recall (the number of examples where you guess suffix correctly), (2) the precision (how often your guesses are correct), and (3) the speed (how long it takes your attack to run). In an ideal world an attack would be evaluated across all three dimensions at the same time. For example, the baseline attack (discussed below) shows the following curves when we run it for varying amounts of time.

But contests need to be evaluated on a single metric, and so we had to decide on some way to reduce an entire 3 dimensional curve to just a single point. Ultimately we decided on measuring recall, at 100 incorrect guesses, when constrained to 24 hours of runtime on a fixed platform. This rewards adversaries who can perform extraction quickly and with few mistakes.

We will release exact specifications of the hardware upon the release of the validation set, and will update this section when that happens. For the time being you can safely assume it will be (something like) a P100 GPU with a single-digit-of-cores CPU.

We selected these thresholds after an initial evaluation of existing baseline attacks. We found that most existing attacks saturate after >10 hours of compute, and so by allowing 24 hours of compute we hope to limit the effect of code-level optimization on the attack success rate. We selected 100 total errors because this corresponds to a ~35% recall for existing attacks, leaving significant room for improvement.

How To Submit

You will submit to us three artifacts by emailing [email protected]:

  • A solution CSV file as described above.

  • Code that will reproduce your results when supplied with a single argument containing the prefixes to attack.

  • A short (2-5 page) description of your attack.

  • A list of team members, your institution/affiliation if you have one, and an optional team name.

We will re-run your code to verify that it meets the 24 hour runtime requirement. Please document the steps necessary to run your code. While we make no hard constraints on how to do this, either a conda environment, a pip requirements.txt, or a docker setup would be appreciated. We will try to fix minimal bugs we encounter, and may even email teams if we have small challenges in reproducing results, but please test your code on a clean machine. (You can assume CUDA drivers, whichever version you depend on, have been installed.)

Example Submission

We have uploaded an example submission at example_submission/example_solution.csv and the code we will use to score submission at example_submission/score_submission.py. Internally the scoring file expects a numpy file of the suffixes example_submission/fake_test_suffixes.npy.

All of these data are completely random and synthetically generated to show the format of an upload.

Baseline Code

We have published sample baseline code to run a simple attack at baseline/simple_baseline.py. This code will run for a few hours on a P100 GPU to produce a set of guessed solution file.

cd baseline
python3 simple_baseline.py --root-dir tmp/ --experiment-name test/

If you would like to see simple results in just a few minutes you can reduce the number of guesses per example by running

cd baseline
python3 simple_baseline.py --root-dir tmp/ --experiment-name test/ --num-trials 1

By default this code runs on the last 1000 examples of the training set, and when it finishes will give you a few files called guess1.csv to guess100.csv with the guesses that are being made.

From here you can then run example_submission/score_submission.py as follows

python3 ../example_submission/score_submission.py --submission guess1.csv --answer ../datasets/train_suffix.npy

Cheating

Please don't! There is no prize for winning this contest. You don't get anything out of cheating. You will most likely be able to cheat without us noticing.

It's not very hard: our test set consists of sequences contained in The Pile---a dataset you already need to download to extract the training sequences and test prefixes. And so you can literally grep for the prefixes from The Pile, read off the suffixes, and submit those as the answer. You can also search for the prefixes on the internet and find many of them online. Please also don't do this for the test examples.

In order to mitigate the effects of cheating, we will require any participants who wish to be ranked on the official leaderboard to send us their code before the specific test set is released (see the timeline below). We will not release your code publicly (but we encourage you to do so), and will only use it to verify that running your code produces the claimed answers in the allocated runtime. In extremely exceptional situation where your code needs to be changed minimally to run on the provided test set, you may send us an update to your code if necessary.

Querying other models trained on The Pile (other than the provided 1.3B GPT-Neo model) is not allowed. The reasoning for this is that larger models exhibit more memorization. Querying models trained on other datasets that do not significantly overlap with The Pile is allowed.

If you're not sure if something is against the rules, please raise an issue to ask.

Timeline

  • August 22nd: Contest announced. We release in this repository the rules, submission criteria, and training dataset.

  • November 14th: Validation prefixes released. This validation round will allow participants to check how well they are doing compared to others, and also allow everyone to verify they are able to follow the submission criteria correctly.

  • December 9th AOE: Validation round closes. Teams submit validation set solutions by emailing CSV file to [email protected].

  • December 14th: Validation scores announced. We will run each team's validation submission and release publicly how well everyone does. At this time we will also release the validation suffixes for teams to be able and reproduce our ranking them self.

  • January 20th AOE: Final Code submission deadline. As discussed above, to mitigate cheating we will require teams submit code ahead of the test set release. This is that deadline.

  • January 23th: Test prefixes released at datasets/test_prefix.npy. Teams will then have five days to run their code on the test prefixes---because at most 24 hours of compute are allowed for the final submission, this should be more than enough.

  • January 27th AOE: Test round closes. Teams submit test set suffixes, a short 2-5 page paper describing the techniques being used, and (in exceptional circumstances) a .patch file modifying the code to run on the test set.

Additional Details

A detailed description of the dataset construction process is available at detailed_description.pdf.

Questions

If you have any questions raise an issue on this repositories issue tracker.

Organiziation

This contest is being run by (in alphabetical order) Nicholas Carlini, Christopher A. Choquette-Choo, Daphne Ippolito, Matthew Jagielski, Katherine Lee, Milad Nasr, Florian Tramer and Chiyuan Zhang.

Legal Stuff

This is not an officially supported Google project.

References

More Repositories

1

bert

TensorFlow code and pre-trained models for BERT
Python
36,701
star
2

google-research

Google Research
Jupyter Notebook
32,494
star
3

tuning_playbook

A playbook for systematically maximizing the performance of deep learning models.
24,615
star
4

vision_transformer

Jupyter Notebook
9,288
star
5

text-to-text-transfer-transformer

Code for the paper "Exploring the Limits of Transfer Learning with a Unified Text-to-Text Transformer"
Python
5,820
star
6

arxiv-latex-cleaner

arXiv LaTeX Cleaner: Easily clean the LaTeX code of your paper to submit to arXiv
Python
4,736
star
7

simclr

SimCLRv2 - Big Self-Supervised Models are Strong Semi-Supervised Learners
Jupyter Notebook
3,841
star
8

multinerf

A Code Release for Mip-NeRF 360, Ref-NeRF, and RawNeRF
Python
3,484
star
9

football

Check out the new game server:
Python
3,230
star
10

albert

ALBERT: A Lite BERT for Self-supervised Learning of Language Representations
Python
3,209
star
11

scenic

Scenic: A Jax Library for Computer Vision Research and Beyond
Python
2,999
star
12

frame-interpolation

FILM: Frame Interpolation for Large Motion, In ECCV 2022.
Python
2,643
star
13

t5x

Python
2,494
star
14

electra

ELECTRA: Pre-training Text Encoders as Discriminators Rather Than Generators
Python
2,284
star
15

kubric

A data generation pipeline for creating semi-realistic synthetic multi-object videos with rich annotations such as instance segmentation masks, depth maps, and optical flow.
Jupyter Notebook
2,180
star
16

uda

Unsupervised Data Augmentation (UDA)
Python
2,131
star
17

pegasus

Python
1,578
star
18

big_vision

Official codebase used to develop Vision Transformer, SigLIP, MLP-Mixer, LiT and more.
Jupyter Notebook
1,555
star
19

language

Shared repository for open-sourced projects from the Google AI Language team.
Python
1,553
star
20

dex-lang

Research language for array processing in the Haskell/ML family
Haskell
1,539
star
21

parti

1,513
star
22

big_transfer

Official repository for the "Big Transfer (BiT): General Visual Representation Learning" paper.
Python
1,491
star
23

torchsde

Differentiable SDE solvers with GPU support and efficient sensitivity analysis.
Python
1,444
star
24

FLAN

Python
1,373
star
25

disentanglement_lib

disentanglement_lib is an open-source library for research on learning disentangled representations.
Python
1,311
star
26

multilingual-t5

Python
1,197
star
27

robotics_transformer

Python
1,192
star
28

planet

Learning Latent Dynamics for Planning from Pixels
Python
1,134
star
29

mixmatch

Python
1,126
star
30

tapas

End-to-end neural table-text understanding models.
Python
1,080
star
31

fixmatch

A simple method to perform semi-supervised learning with limited data.
Python
1,053
star
32

morph-net

Fast & Simple Resource-Constrained Learning of Deep Network Structure
Python
1,011
star
33

deduplicate-text-datasets

Rust
982
star
34

deeplab2

DeepLab2 is a TensorFlow library for deep labeling, aiming to provide a unified and state-of-the-art TensorFlow codebase for dense pixel labeling tasks.
Python
976
star
35

batch-ppo

Efficient Batched Reinforcement Learning in TensorFlow
Python
963
star
36

augmix

AugMix: A Simple Data Processing Method to Improve Robustness and Uncertainty
Python
951
star
37

maxim

[CVPR 2022 Oral] Official repository for "MAXIM: Multi-Axis MLP for Image Processing". SOTA for denoising, deblurring, deraining, dehazing, and enhancement.
Python
937
star
38

magvit

Official JAX implementation of MAGVIT: Masked Generative Video Transformer
Python
847
star
39

pix2seq

Pix2Seq codebase: multi-tasks with generative modeling (autoregressive and diffusion)
Jupyter Notebook
801
star
40

seed_rl

SEED RL: Scalable and Efficient Deep-RL with Accelerated Central Inference. Implements IMPALA and R2D2 algorithms in TF2 with SEED's architecture.
Python
790
star
41

meta-dataset

A dataset of datasets for learning to learn from few examples
Python
740
star
42

noisystudent

Code for Noisy Student Training. https://arxiv.org/abs/1911.04252
Python
736
star
43

jax3d

Python
718
star
44

recsim

A Configurable Recommender Systems Simulation Platform
Python
717
star
45

lottery-ticket-hypothesis

A reimplementation of "The Lottery Ticket Hypothesis" (Frankle and Carbin) on MNIST.
Python
704
star
46

rliable

[NeurIPS'21 Outstanding Paper] Library for reliable evaluation on RL and ML benchmarks, even with only a handful of seeds.
Jupyter Notebook
689
star
47

circuit_training

Python
685
star
48

long-range-arena

Long Range Arena for Benchmarking Efficient Transformers
Python
681
star
49

federated

A collection of Google research projects related to Federated Learning and Federated Analytics.
Python
646
star
50

nasbench

NASBench: A Neural Architecture Search Dataset and Benchmark
Python
641
star
51

xtreme

XTREME is a benchmark for the evaluation of the cross-lingual generalization ability of pre-trained multilingual models that covers 40 typologically diverse languages and includes nine tasks.
Python
620
star
52

prompt-tuning

Original Implementation of Prompt Tuning from Lester, et al, 2021
Python
617
star
53

bleurt

BLEURT is a metric for Natural Language Generation based on transfer learning.
Python
611
star
54

lasertagger

Python
603
star
55

sound-separation

Python
578
star
56

dreamer

Dream to Control: Learning Behaviors by Latent Imagination
Python
568
star
57

robopianist

[CoRL '23] Dexterous piano playing with deep reinforcement learning.
Python
531
star
58

pix2struct

Python
530
star
59

fast-soft-sort

Fast Differentiable Sorting and Ranking
Python
527
star
60

bigbird

Transformers for Longer Sequences
Python
518
star
61

ravens

Train robotic agents to learn pick and place with deep learning for vision-based manipulation in PyBullet. Transporter Nets, CoRL 2020.
Python
517
star
62

sam

Python
512
star
63

vmoe

Jupyter Notebook
507
star
64

batch_rl

Offline Reinforcement Learning (aka Batch Reinforcement Learning) on Atari 2600 games
Python
489
star
65

tensor2robot

Distributed machine learning infrastructure for large-scale robotics research
Python
483
star
66

mint

Multi-modal Content Creation Model Training Infrastructure including the FACT model (AI Choreographer) implementation.
Python
465
star
67

byt5

Python
464
star
68

adapter-bert

Python
459
star
69

leaf-audio

LEAF is a learnable alternative to audio features such as mel-filterbanks, that can be initialized as an approximation of mel-filterbanks, and then be trained for the task at hand, while using a very small number of parameters.
Python
446
star
70

robustness_metrics

Jupyter Notebook
442
star
71

receptive_field

Compute receptive fields of your favorite convnets
Python
420
star
72

maxvit

[ECCV 2022] Official repository for "MaxViT: Multi-Axis Vision Transformer". SOTA foundation models for classification, detection, segmentation, image quality, and generative modeling...
Jupyter Notebook
417
star
73

ssl_detection

Semi-supervised learning for object detection
Python
394
star
74

maskgit

Official Jax Implementation of MaskGIT
Jupyter Notebook
376
star
75

l2p

Learning to Prompt (L2P) for Continual Learning @ CVPR22 and DualPrompt: Complementary Prompting for Rehearsal-free Continual Learning @ ECCV22
Python
369
star
76

nerf-from-image

Shape, Pose, and Appearance from a Single Image via Bootstrapped Radiance Field Inversion
Python
366
star
77

computation-thru-dynamics

Understanding computation in artificial and biological recurrent networks through the lens of dynamical systems.
Jupyter Notebook
362
star
78

tf-slim

Python
360
star
79

realworldrl_suite

Real-World RL Benchmark Suite
Python
332
star
80

distilling-step-by-step

Python
325
star
81

rigl

End-to-end training of sparse deep neural networks with little-to-no performance loss.
Python
314
star
82

python-graphs

A static analysis library for computing graph representations of Python programs suitable for use with graph neural networks.
Python
312
star
83

weatherbench2

A benchmark for the next generation of data-driven global weather models.
Python
306
star
84

tensorflow_constrained_optimization

Python
301
star
85

task_adaptation

Python
295
star
86

exoplanet-ml

Machine learning models and utilities for exoplanet science.
Python
283
star
87

ibc

Official implementation of Implicit Behavioral Cloning, as described in our CoRL 2021 paper, see more at https://implicitbc.github.io/
Python
282
star
88

self-organising-systems

Jupyter Notebook
279
star
89

tensorflow-coder

Python
275
star
90

retvec

RETVec is an efficient, multilingual, and adversarially-robust text vectorizer.
Jupyter Notebook
269
star
91

vdm

Jupyter Notebook
267
star
92

sparf

This is the official code release for SPARF: Neural Radiance Fields from Sparse and Noisy Poses [CVPR 2023-Highlight]
Python
263
star
93

falken

Falken provides developers with a service that allows them to train AI that can play their games
Python
253
star
94

syn-rep-learn

Learning from synthetic data - code and models
Python
246
star
95

meliad

Python
231
star
96

3d-moments

Code for CVPR 2022 paper '3D Moments from Near-Duplicate Photos'
Python
229
star
97

perceiver-ar

Python
224
star
98

rlds

Jupyter Notebook
216
star
99

ott

Python
215
star
100

language-table

Suite of human-collected datasets and a multi-task continuous control benchmark for open vocabulary visuolinguomotor learning.
Jupyter Notebook
213
star