ISSN 1000-1239 CN 11-1777/TP

计算机研究与发展 ›› 2021, Vol. 58 ›› Issue (5): 1092-1105.doi: 10.7544/issn1000-1239.2021.20200908

所属专题: 2021人工智能安全与隐私保护技术专题

• 信息安全 • 上一篇    下一篇

通用深度学习语言模型的隐私风险评估

潘旭东,张谧,颜一帆,陆逸凡,杨珉   

  1. (复旦大学计算机科学技术学院 上海 200438) (xdpan18@fudan.edu.cn)
  • 出版日期: 2021-05-01
  • 基金资助: 
    国家自然科学基金项目(61972099,U1636204,U1836213,U1836210,U1736208);上海市自然科学基金项目(19ZR1404800)

Evaluating Privacy Risks of Deep Learning Based General-Purpose Language Models

Pan Xudong, Zhang Mi, Yan Yifan, Lu Yifan, Yang Min   

  1. (School of Computer Science, Fudan University, Shanghai 200438)
  • Online: 2021-05-01
  • Supported by: 
    This work was supported by the National Natural Science Foundation of China (61972099, U1636204, U1836213, U1836210, U1736208) and the Natural Science Foundation of Shanghai (19ZR1404800).

摘要: 近年来,自然语言处理领域涌现出多种基于Transformer网络结构的通用深度学习语言模型,简称“通用语言模型(general-purpose language models, GPLMs)”,包括Google提出的BERT(bidirectional encoder representation from transformers)模型等,已在多个标准数据集和多项重要自然语言处理任务上刷新了最优基线指标,并已逐渐在商业场景中得到应用.尽管其具有很好的泛用性和性能表现,在实际部署场景中,通用语言模型的安全性却鲜为研究者所重视.近年有研究工作指出,如果攻击者利用中间人攻击或作为半诚实(honest-but-curious)服务提供方截获用户输入文本经由通用语言模型计算产生的文本特征,它将以较高的准确度推测原始文本中是否包含特定敏感词.然而,该工作仅采用了特定敏感词存在与否这一单一敏感信息窃取任务,依赖一些较为严格的攻击假设,且未涉及除英语外其他语种的使用场景.为解决上述问题,提出1条针对通用文本特征的隐私窃取链,从更多维度评估通用语言模型使用中潜在的隐私风险.实验结果表明:仅根据通用语言模型提取出的文本表征,攻击者能以近100%的准确度推断其模型来源,以超70%的准确度推断其原始文本长度,最终推断出最有可能出现的敏感词列表,以重建原始文本的敏感语义.此外,额外针对3种典型的中文预训练通用语言模型开展了相应的隐私窃取风险评估,评估结果表明中文通用语言模型同样存在着不可忽视的隐私风险.

关键词: 深度学习隐私, 通用语言模型, 自然语言处理, 深度学习, 人工智能, 信息安全

Abstract: Recently, a variety of Transformer-based GPLMs (general-purpose language models), including Google’s BERT (bidirectional encoder representation from transformers), are proposed in NLP (natural language processing). GPLMs help achieve state-of-the-art performance on a wide range of NLP tasks, and are applied in industrial applications. Despite their generality and promising performance, a recent research work first shows that an attacker, who has access to the textual embeddings produced by GPLMs, can infer whether the original text contains a specific keyword with high accuracy. However, the previous work has the following limitations. First, they only consider the occurrence of one sensitive word as the sensitive information to steal, which is still far from a threatening privacy violation. Besides, their attack requires several rather strict security assumptions on the attacker’s capability, e.g., the attacker knows which GPLM produces the victim’s textual embeddings. Moreover, they only consider the GPLMs designed for English texts. To address the aforementioned limitations and serve as a complement to their work, this paper proposes a more comprehensive privacy theft chain which is designed to explore whether there are even more privacy risks in general-purpose language models. Via experiments on 13 commercial GPLMs, we empirically show that an attacker can step by step infer the GPLM type behind the textual embedding with near 100% accuracy, then infer the textual length with over 70% on average and finally probe sensitive words that possibly occur in the original text, which brings useful information for the attacker to finally reconstruct the sensitive semantics. Besides, this paper also evaluates the privacy risks of three typical general-purpose language models in Chinese. The results confirm that privacy risks also exist in Chinese general-purpose language models, which calls for mitigation studies in the future.

Key words: deep learning privacy, general-purpose language model (GPLMs), natural language processing, deep learning, artificial intelligence, information security

中图分类号: