Large language models are shown to present privacy risks through memorization of training data, and several recent works have studied such risks for the pre-training phase. Little attention, however, has been given to the fine-tuning phase and it is not well understood how different fine-tuning methods (such as fine-tuning the full model, the model head, and adapter) compare in terms of memorization risk. This presents increasing concern as the "pre-train and fine-tune" paradigm proliferates. In this paper, we empirically study memorization of fine-tuning methods using membership inference and extraction attacks, and show that their susceptibility to attacks is very different. We observe that fine-tuning the head of the model has the highest susceptibility to attacks, whereas fine-tuning smaller adapters appears to be less vulnerable to known extraction attacks.
@article{arxiv.2205.12506,
title = {Memorization in NLP Fine-tuning Methods},
author = {Fatemehsadat Mireshghallah and Archit Uniyal and Tianhao Wang and David Evans and Taylor Berg-Kirkpatrick},
journal= {arXiv preprint arXiv:2205.12506},
year = {2022}
}