Have You Ever Seen Them? Entity-level Membership Inference through Interrogating Large Language Models

2026-06-22 · Source: Takara TLDR - Daily AI Papers · Field: Technology & Digital — Artificial Intelligence & Machine Learning, Cybersecurity & Data Privacy · Depth: Expert, medium

Summary

A new study by Yiran Zhu and Ziqi Yang introduces entity-level membership inference (ELMI), a novel approach to assess privacy leakage and copyright compliance risks in Large Language Models (LLMs). Unlike existing methods that focus on specific training samples, ELMI determines if information related to a real-world entity was used in an LLM's training data, drawing an analogy to human memory's ability to accumulate knowledge from scattered mentions. The researchers formalize this task for a practical label-only black-box setting, where only generated texts are observable. They instantiate five interrogation strategies that use limited entity clues to construct prompts, elicit entity-related responses, and infer membership from semantic features. Experiments on person entities demonstrate ELMI's effectiveness, achieving an AUC up to 0.97 and providing gains of 6.0% to 17.5% in Balanced Accuracy over adapted sample-level baselines.

Key takeaway

For AI Security Engineers evaluating LLM privacy, this research indicates that entity-level membership inference is a significant, practical threat. You should prioritize developing robust defenses against black-box interrogation methods that can reveal whether specific entity information was used in training, even without direct sample memorization. Implement proactive measures to mitigate risks associated with sensitive entity data exposure, as current sample-level defenses may be insufficient.

Key insights

LLMs can be interrogated to infer if entity-related information was in their training data, akin to human memory.

Principles

• LLMs accumulate entity knowledge.
• Entity-level MI is feasible.
• Black-box interrogation works.

Method

Five interrogation strategies construct prompts from limited entity clues, elicit entity-related responses, and infer membership from semantic features in generated texts in a label-only black-box setting.

In practice

• Assess LLM privacy risks.
• Evaluate copyright compliance.
• Identify specific entity data.

Topics

• Large Language Models
• Membership Inference
• Entity-level Privacy
• Black-box Attacks
• Data Leakage
• AI Security

Code references

• studio-ousia/luke

Best for: Research Scientist, CTO, VP of Engineering/Data, AI Scientist, AI Security Engineer, Machine Learning Engineer

Related on AIssential

• Detecting Data Contamination in Large Language Models — Black-box MIAs are currently ineffective at reliably detecting data contamination in LLM training corpora.
• Spoon-feeding a Monster — Autonomous security testing requires separating LLM reasoning from deterministic execution to ensure ground truth and prevent hallucinations.
• DPrivBench: Benchmarking LLMs' Reasoning for Differential Privacy — LLMs struggle with advanced differential privacy reasoning, despite handling textbook mechanisms well.
• MRMMIA: Membership Inference Attacks on Memory in Chat Agents — Chat agent memory is vulnerable to membership inference attacks, which MRMMIA effectively demonstrates across various access levels.
• NAMESAKES: Probing Identity Memorization in Text-to-Image Models — A black-box probe can reliably detect identity memorization in text-to-image models without needing ground truth or training data access.
• What the Eyes See, the LLMs Miss: Exploiting Human Perception for Adversarial Text Attacks — LLM content moderation systems are vulnerable to visually-based adversarial attacks that exploit human perception.

Open in AIssential →

Editorial summary, takeaway, and curation by AIssential. Original article published by Takara TLDR - Daily AI Papers.