  • Language
    Python
  • License
    Apache License 2.0

Training Data Extraction Challenge

Recent work has demonstrated the feasibility of training data extraction attacks on neural language models, where an adversary can interact with a pretrained model to recover individual examples contained in the training dataset. For example, the GPT-2 language model memorizes the name, email address, phone number, fax number, and physical address of a single person whose information was contained in the model's training dataset (Carlini et al. 2021). This presents various privacy risks, raises questions around generalization of language models, and generally is a surprising property of model training (Feldman 2020).

While existing attacks are strong proofs of concept, they are not close to extracting the upper bound of what the model has memorized. For example, out of GPT-2's entire 40 GB training dataset, just 600 examples were shown to be extractable by Carlini et al. (2021), for a total of 0.00000015%. However, recent work has found that large language models memorize as much as a few percent of their training datasets (Carlini et al. 2022), but current attacks are quite inefficient (Lehman et al. 2021, Kandpal et al. 2022).

Objective

In this challenge, you will improve targeted data extraction attacks. In a targeted attack, you are provided with a prefix sequence and must find the specific continuation (suffix) such that the entire sequence is contained in the training dataset. For example, if the training dataset contains the sentence "My phone number is 123-4567", and we provide you with the prefix "My phone number is", you should output the guessed suffix "123-4567". This differs from "untargeted" attacks, where an adversary searches for any memorized sample, i.e., any data that appears somewhere in the training dataset.

Why targeted attacks?

  • They matter more. It is more security critical if an adversary can recover information related to particular topics than just be able to recover some (arbitrary, uncontrolled) data that might be uninteresting.

  • They are easier to evaluate. Evaluating an untargeted attack requires checking if the sequence is contained anywhere in the training dataset; for The Pile, this would require searching over 800GB of text. This is challenging. In contrast, targeted attacks only require checking if the suffix of this particular sequence is correct.

Dataset

Our benchmark consists of a subset of 20,000 examples contained in The Pile's training dataset. This dataset has been used to train many recent large language models, including GPT-Neo 1.3B, the model you will be extracting data from.

Each example is split into a prefix and suffix, each 50 tokens long. Given the prefix, the task of the attack is to predict the suffix.

These 20,000 examples are designed to be somewhat easy-to-extract. They were all chosen to meet the property that there exists a prefix length that causes the model to generate the suffix string exactly. Moreover, we only choose examples that are well specified, in the sense that given the 50-token prefix, there is only one continuation such that the entire sequence is contained in the training dataset. Therefore, we have good reason to believe that a sufficiently strong attack should be able to perfectly complete the suffix given each example's 50-token prefix.

We will upload three datasets.

  • datasets/train_dataset.csv is a set of 15,000 examples from The Pile and can be used to develop your attack algorithm however you please. This dataset contains both the prefixes and suffixes for your use. We recommend that you reserve the last 1,000 examples as an internal validation set to compute the efficacy of your attack, but that's up to you.
  • datasets/val_prefixes.npy is a set of 1,000 examples sampled from the Pile identically to the training set; the prefix set was released on November 14th and the suffixes will be released on December 14th. This will be the dataset used to run the validation round (see below for details).
  • test_prefix.csv will also be a set of 1,000 examples sampled identically to the above two, with the prefixes released on January 23rd, 2023 and the suffixes released on January 27th, 2023.

Unfortunately we are unable to host the exact dataset as a numpy array in this repository. But an unofficial repository maintained by our collaborator at ETH Zürich contains the data.

Alternatively, if you would like to generate the data on your own from the original Pile dataset, we have released CSV files that contain pointers into The Pile. The script load_dataset.py takes the CSV and a copy of The Pile on your disk and will pull out the actual dataset itself, generating train_dataset.npy, train_prefix.npy and train_suffix.npy. It will also give train_preprefix.npy which is 100 extra tokens of context.

These examples have the property that np.concatenate([train_preprefix[0], train_prefix[0], train_suffix[0]]) = train_dataset[0] is a substring of The Pile. Your task is to use train_prefix to complete train_suffix.

Solution Format

You will upload your solutions as an ordered CSV with the following format

    Example ID, Suffix Guess
    8,          "[3, 6, 9]"
    12,         "[4, 2, 8]"
    8,          "[3, 7, 9]"
    7,          "[1, 2, 3]"
    9,          "[0, 0, 0]"
    ...

Example ID is an integer between 0 and 1000 (the total number of test samples).

Suffix Guess is a python-style length-50 list of the tokens in the predicted suffix. This data should be tokenized with the GPT Neo 1.3B tokenizer, which is identical to the GPT-2 tokenizer.

You should order examples by how likely you believe they are to be training data. The first example in the list should be the suffix guess you are most confident is the correct completion of the corresponding prefix. The last example is the one that you are least confident is the correct suffix.

For example, in the above file, the first guess is that example 8 ends with the string [3, 6, 9], the second guess is that example 12 ends with the string [4, 2, 8], and then the third guess is that the same example 8 ends with the alternate [3, 7, 9], where here we've made a different guess for the second byte. (Obviously the sequences here should be 50 tokens long.)

There are no other constraints on this file. You do not need to make a guess for every example. You can make multiple guesses for some examples, and just a single guess (or even none at all) for other examples. However, once you have made the 100th error we will stop processing lines.

You may, if you wish, output at most 100,000 guesses and we will generate a full precision/recall curve using these guesses. However, please note that because you are allowed at most 100 incorrect guesses, any rows after the 1,100th will be ignored for the competition metric.

Evaluation Metric

There are three dimensions that determine how well an extraction attack works: (1) the recall (the number of examples where you guess the suffix correctly), (2) the precision (how often your guesses are correct), and (3) the speed (how long it takes your attack to run). In an ideal world an attack would be evaluated across all three dimensions at the same time. For example, the baseline attack (discussed below) shows the following curves when we run it for varying amounts of time.

But contests need to be evaluated on a single metric, and so we had to decide on some way to reduce an entire 3 dimensional curve to just a single point. Ultimately we decided on measuring recall, at 100 incorrect guesses, when constrained to 24 hours of runtime on a fixed platform. This rewards adversaries who can perform extraction quickly and with few mistakes.

We will release exact specifications of the hardware upon the release of the validation set, and will update this section when that happens. For the time being you can safely assume it will be (something like) a P100 GPU with a single-digit-of-cores CPU.

We selected these thresholds after an initial evaluation of existing baseline attacks. We found that most existing attacks saturate after >10 hours of compute, and so by allowing 24 hours of compute we hope to limit the effect of code-level optimization on the attack success rate. We selected 100 total errors because this corresponds to a ~35% recall for existing attacks, leaving significant room for improvement.
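The metric and file format above can be checked locally with a short scorer. This is an added example, not the repository's score_submission.py: the function names, the dict-of-answers input, and the choice to count a repeated correct guess for the same example once (and not as an error) are assumptions. The sample rows reuse the illustrative 3-token rows from the Solution Format section with constructed answers.

```python
import ast
import csv
import io

SUFFIX_LEN = 50    # tokens per suffix guess, as stated in the Dataset section
MAX_ERRORS = 100   # processing stops once the 100th incorrect guess is seen


def parse_submission(text, suffix_len=SUFFIX_LEN):
    """Yield (example_id, tokens) for each data row, in file order."""
    # skipinitialspace lets the reader accept the padded layout shown above.
    reader = csv.reader(io.StringIO(text), skipinitialspace=True)
    next(reader)  # skip the "Example ID, Suffix Guess" header row
    for row in reader:
        if not row:
            continue
        example_id = int(row[0])
        tokens = ast.literal_eval(row[1])  # literal-only parse of the list
        if not (isinstance(tokens, list) and len(tokens) == suffix_len
                and all(isinstance(t, int) for t in tokens)):
            raise ValueError(
                f"example {example_id}: need a list of {suffix_len} int tokens")
        yield example_id, tokens


def recall_at_errors(guesses, answers, max_errors=MAX_ERRORS):
    """Score ordered guesses; return (recall, n_correct, n_errors, rows_read).

    `answers` maps example ID -> true suffix tokens. Assumption: an example
    counts once however many times it is guessed correctly.
    """
    solved, errors, rows = set(), 0, 0
    for example_id, tokens in guesses:
        rows += 1
        if example_id not in answers:
            raise KeyError(f"unknown example ID {example_id}")
        if tokens == answers[example_id]:
            solved.add(example_id)
        else:
            errors += 1
            if errors >= max_errors:
                break  # rows after the final allowed error are ignored
    return len(solved) / len(answers), len(solved), errors, rows


# Constructed sample: the rows from the format example, 3 tokens instead of 50.
SAMPLE_CSV = '''Example ID, Suffix Guess
8,          "[3, 6, 9]"
12,         "[4, 2, 8]"
8,          "[3, 7, 9]"
7,          "[1, 2, 3]"
9,          "[0, 0, 0]"
'''
# Constructed ground truth for the four example IDs used above.
SAMPLE_ANSWERS = {7: [1, 2, 3], 8: [3, 7, 9], 9: [5, 5, 5], 12: [4, 2, 8]}

if __name__ == "__main__":
    rows = list(parse_submission(SAMPLE_CSV, suffix_len=3))
    print(recall_at_errors(rows, SAMPLE_ANSWERS))                # full budget
    print(recall_at_errors(rows, SAMPLE_ANSWERS, max_errors=1))  # budget of 1
```

With an error budget of 1 the sample scores zero because its first row is wrong, which is why the ordering by confidence matters as much as the guesses themselves.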

How To Submit

You will submit to us three artifacts by emailing [email protected]:

  • A solution CSV file as described above.

  • Code that will reproduce your results when supplied with a single argument containing the prefixes to attack.

  • A short (2-5 page) description of your attack.

  • A list of team members, your institution/affiliation if you have one, and an optional team name.

We will re-run your code to verify that it meets the 24 hour runtime requirement. Please document the steps necessary to run your code. While we make no hard constraints on how to do this, either a conda environment, a pip requirements.txt, or a docker setup would be appreciated. We will try to fix minimal bugs we encounter, and may even email teams if we have small challenges in reproducing results, but please test your code on a clean machine. (You can assume CUDA drivers, whichever version you depend on, have been installed.)

Example Submission

We have uploaded an example submission at example_submission/example_solution.csv and the code we will use to score submission at example_submission/score_submission.py. Internally the scoring file expects a numpy file of the suffixes example_submission/fake_test_suffixes.npy.

All of these data are completely random and synthetically generated to show the format of an upload.

Baseline Code

We have published sample baseline code to run a simple attack at baseline/simple_baseline.py. This code will run for a few hours on a P100 GPU to produce a set of guessed solution files.

    cd baseline
    python3 simple_baseline.py --root-dir tmp/ --experiment-name test/

If you would like to see simple results in just a few minutes you can reduce the number of guesses per example by running

    cd baseline
    python3 simple_baseline.py --root-dir tmp/ --experiment-name test/ --num-trials 1

By default this code runs on the last 1000 examples of the training set, and when it finishes will give you a few files called guess1.csv to guess100.csv with the guesses that are being made.

From here you can then run example_submission/score_submission.py as follows

    python3 ../example_submission/score_submission.py --submission guess1.csv --answer ../datasets/train_suffix.npy

Cheating

Please don't! There is no prize for winning this contest. You don't get anything out of cheating. You will most likely be able to cheat without us noticing.

It's not very hard: our test set consists of sequences contained in The Pile---a dataset you already need to download to extract the training sequences and test prefixes. And so you can literally grep for the prefixes from The Pile, read off the suffixes, and submit those as the answer. You can also search for the prefixes on the internet and find many of them online. Please also don't do this for the test examples.

In order to mitigate the effects of cheating, we will require any participants who wish to be ranked on the official leaderboard to send us their code before the specific test set is released (see the timeline below). We will not release your code publicly (but we encourage you to do so), and will only use it to verify that running your code produces the claimed answers in the allocated runtime. In an extremely exceptional situation where your code needs to be changed minimally to run on the provided test set, you may send us an update to your code if necessary.

Querying other models trained on The Pile (other than the provided 1.3B GPT-Neo model) is not allowed. The reasoning for this is that larger models exhibit more memorization. Querying models trained on other datasets that do not significantly overlap with The Pile is allowed.

If you're not sure if something is against the rules, please raise an issue to ask.

Timeline

  • August 22nd: Contest announced. We release in this repository the rules, submission criteria, and training dataset.

  • November 14th: Validation prefixes released. This validation round will allow participants to check how well they are doing compared to others, and also allow everyone to verify they are able to follow the submission criteria correctly.

  • December 9th AOE: Validation round closes. Teams submit validation set solutions by emailing a CSV file to [email protected].

  • December 14th: Validation scores announced. We will run each team's validation submission and release publicly how well everyone does. At this time we will also release the validation suffixes so that teams are able to reproduce our ranking themselves.

  • January 20th AOE: Final code submission deadline. As discussed above, to mitigate cheating we will require teams to submit code ahead of the test set release. This is that deadline.

  • January 23rd: Test prefixes released at datasets/test_prefix.npy. Teams will then have five days to run their code on the test prefixes---because at most 24 hours of compute are allowed for the final submission, this should be more than enough.

  • January 27th AOE: Test round closes. Teams submit test set suffixes, a short 2-5 page paper describing the techniques being used, and (in exceptional circumstances) a .patch file modifying the code to run on the test set.

Additional Details

A detailed description of the dataset construction process is available at detailed_description.pdf.

Questions

If you have any questions, raise an issue on this repository's issue tracker.

Organization

This contest is being run by (in alphabetical order) Nicholas Carlini, Christopher A. Choquette-Choo, Daphne Ippolito, Matthew Jagielski, Katherine Lee, Milad Nasr, Florian Tramer and Chiyuan Zhang.

Legal Stuff

This is not an officially supported Google project.
