• 中国精品科技期刊
  • CCF推荐A类中文期刊
  • 计算领域高质量科技期刊T1类
高级检索

通用深度学习语言模型的隐私风险评估

潘旭东, 张谧, 颜一帆, 陆逸凡, 杨珉

潘旭东, 张谧, 颜一帆, 陆逸凡, 杨珉. 通用深度学习语言模型的隐私风险评估[J]. 计算机研究与发展, 2021, 58(5): 1092-1105. DOI: 10.7544/issn1000-1239.2021.20200908
引用本文: 潘旭东, 张谧, 颜一帆, 陆逸凡, 杨珉. 通用深度学习语言模型的隐私风险评估[J]. 计算机研究与发展, 2021, 58(5): 1092-1105. DOI: 10.7544/issn1000-1239.2021.20200908
Pan Xudong, Zhang Mi, Yan Yifan, Lu Yifan, Yang Min. Evaluating Privacy Risks of Deep Learning Based General-Purpose Language Models[J]. Journal of Computer Research and Development, 2021, 58(5): 1092-1105. DOI: 10.7544/issn1000-1239.2021.20200908
Citation: Pan Xudong, Zhang Mi, Yan Yifan, Lu Yifan, Yang Min. Evaluating Privacy Risks of Deep Learning Based General-Purpose Language Models[J]. Journal of Computer Research and Development, 2021, 58(5): 1092-1105. DOI: 10.7544/issn1000-1239.2021.20200908

通用深度学习语言模型的隐私风险评估

基金项目: 国家自然科学基金项目(61972099,U1636204,U1836213,U1836210,U1736208);上海市自然科学基金项目(19ZR1404800)
详细信息
  • 中图分类号: TP309

Evaluating Privacy Risks of Deep Learning Based General-Purpose Language Models

Funds: This work was supported by the National Natural Science Foundation of China (61972099, U1636204, U1836213, U1836210, U1736208) and the Natural Science Foundation of Shanghai (19ZR1404800).
  • 摘要: 近年来,自然语言处理领域涌现出多种基于Transformer网络结构的通用深度学习语言模型,简称“通用语言模型(general-purpose language models, GPLMs)”,包括Google提出的BERT(bidirectional encoder representation from transformers)模型等,已在多个标准数据集和多项重要自然语言处理任务上刷新了最优基线指标,并已逐渐在商业场景中得到应用.尽管其具有很好的泛用性和性能表现,在实际部署场景中,通用语言模型的安全性却鲜为研究者所重视.近年有研究工作指出,如果攻击者利用中间人攻击或作为半诚实(honest-but-curious)服务提供方截获用户输入文本经由通用语言模型计算产生的文本特征,它将以较高的准确度推测原始文本中是否包含特定敏感词.然而,该工作仅采用了特定敏感词存在与否这一单一敏感信息窃取任务,依赖一些较为严格的攻击假设,且未涉及除英语外其他语种的使用场景.为解决上述问题,提出1条针对通用文本特征的隐私窃取链,从更多维度评估通用语言模型使用中潜在的隐私风险.实验结果表明:仅根据通用语言模型提取出的文本表征,攻击者能以近100%的准确度推断其模型来源,以超70%的准确度推断其原始文本长度,最终推断出最有可能出现的敏感词列表,以重建原始文本的敏感语义.此外,额外针对3种典型的中文预训练通用语言模型开展了相应的隐私窃取风险评估,评估结果表明中文通用语言模型同样存在着不可忽视的隐私风险.
    Abstract: Recently, a variety of Transformer-based GPLMs (general-purpose language models), including Google’s BERT (bidirectional encoder representation from transformers), are proposed in NLP (natural language processing). GPLMs help achieve state-of-the-art performance on a wide range of NLP tasks, and are applied in industrial applications. Despite their generality and promising performance, a recent research work first shows that an attacker, who has access to the textual embeddings produced by GPLMs, can infer whether the original text contains a specific keyword with high accuracy. However, the previous work has the following limitations. First, they only consider the occurrence of one sensitive word as the sensitive information to steal, which is still far from a threatening privacy violation. Besides, their attack requires several rather strict security assumptions on the attacker’s capability, e.g., the attacker knows which GPLM produces the victim’s textual embeddings. Moreover, they only consider the GPLMs designed for English texts. To address the aforementioned limitations and serve as a complement to their work, this paper proposes a more comprehensive privacy theft chain which is designed to explore whether there are even more privacy risks in general-purpose language models. Via experiments on 13 commercial GPLMs, we empirically show that an attacker can step by step infer the GPLM type behind the textual embedding with near 100% accuracy, then infer the textual length with over 70% on average and finally probe sensitive words that possibly occur in the original text, which brings useful information for the attacker to finally reconstruct the sensitive semantics. Besides, this paper also evaluates the privacy risks of three typical general-purpose language models in Chinese. The results confirm that privacy risks also exist in Chinese general-purpose language models, which calls for mitigation studies in the future.
  • 期刊类型引用(5)

    1. 周军芽,吴进伟,吴广飞,张何为. 基于Bi-LSTM神经网络的短文本敏感词识别方法. 武汉理工大学学报(信息与管理工程版). 2024(02): 312-316 . 百度学术
    2. 石新满,胡广林,邵鑫,赵新爽,张思慧,乔晓. 基于人工智能大语言模型技术的电网优化运行应用分析. 自动化与仪器仪表. 2024(08): 180-184 . 百度学术
    3. 李卓卓,蒋雨萌. 信息隐私量表对象、指标和应用的研究与展望. 情报理论与实践. 2024(10): 41-52 . 百度学术
    4. 谭九生,李猛. 人机融合智能的伦理风险及其适应性治理. 昆明理工大学学报(社会科学版). 2022(03): 37-45 . 百度学术
    5. 潘旭东,张谧,杨珉. 基于神经元激活模式控制的深度学习训练数据泄露诱导. 计算机研究与发展. 2022(10): 2323-2337 . 本站查看

    其他类型引用(7)

计量
  • 文章访问数:  1059
  • HTML全文浏览量:  5
  • PDF下载量:  609
  • 被引次数: 12
出版历程
  • 发布日期:  2021-04-30

目录

    /

    返回文章
    返回