Thanks to visit codestin.com
Credit goes to github.com

Skip to content
/ SimMIA Public

The code for paper 'Membership Inference on LLMs in the Wild'

simmia2026.github.io

License

MIT license
6 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

simmia2026/SimMIA

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Β 

History

1 Commit
assets
assets
Β 
Β 
scripts
scripts
Β 
Β 
src/simmia
src/simmia
Β 
Β 
.gitignore
.gitignore
Β 
Β 
LICENSE
LICENSE
Β 
Β 
README.md
README.md
Β 
Β 
setup.py
setup.py
Β 
Β 

Repository files navigation

Membership Inference on LLMs in the Wild

arXiv Dataset on HF Website License: MIT

This is the official repository of the paper "Membership Inference on LLMs in the Wild".

Membership Inference Attacks (MIAs) act as a crucial auditing tool for the opaque training data of Large Language Models (LLMs). However, existing techniques predominantly rely on inaccessible model internals (e.g., logits) or suffer from poor generalization across domains in strict black-box settings where only generated text is available. In this work, we propose SimMIA, a robust MIA framework tailored for this text-only regime by leveraging an advanced sampling strategy and scoring mechanism. Furthermore, we present WikiMIA-25, a new benchmark curated to evaluate MIA performance on modern proprietary LLMs. Experiments demonstrate that SimMIA achieves state-of-the-art results in the black-box setting, rivaling baselines that exploit internal model information.

πŸ”” Updates

  • [2026-01-19] πŸ”₯ We release the code of our paper. The detailed instructions can be found below.

✨ Overview

SaMIA SimMIA

Compared to SaMIA, a representative black-box MIA baseline, SimMIA advances it by:

  1. Word-by-Word Sampling: SimMIA samples the immediate next word for every possible prefix rather than a complete continuation for a fixed-length prefix.
  2. Semantic Scoring: SimMIA relies on soft embedding-based similarity to score each word rather than surface-form exact matching.
  3. Relative Aggregation: SimMIA computes the relative ratio between scores perturbed by non-members and unperturbed scores.

πŸš€ Main Results Highlights

  • WikiMIA: SOTA black-box MIA, improving AUC by +16.6 over prior black-box baselines and even surpassing the best gray-box method on some models (e.g., OPT-6.7B).

    Detailed WikiMIA results.

    WikiMIA Results (click to enlarge)

  • MIMIR: +14.9 AUC over previous SOTA black-box performance, trailing the best gray-box methods by only 3.4 AUC points on average.

    Detailed MIMIR results.

    MIMIR Results (click to enlarge)

  • WikiMIA-25: generalizes to both legacy and latest (including proprietary) LLMs, outperforming the best black-box baseline by +21.7 AUC and +25.8 TPR@5%FPR.

    Detailed WikiMIA-25 results.

    WikiMIA-25 Results (click to enlarge)

πŸ› οΈ Installation

Our implementation is based on python=3.12. Follow the commands below to prepare the Python environment (we recommend using Miniconda to setup the environment):

# git clone this repository
git clone https://github.com/simmia2026/SimMIA.git
cd simmia

# install dependencies
conda create -n simmia python=3.12
conda activate simmia
pip install -e .

If you want to experiment with closed-source LLM APIs, please run pip install -e .[api].

πŸ’‘ Preparation

Before testing closed-source LLMs, export your API keys into the environment first:

export OPENAI_API_KEY="your-actual-api-key-here"
export GOOGLE_API_KEY="your-actual-api-key-here"
export ANTHROPIC_API_KEY="your-actual-api-key-here"

🎯 Usage

⏬ Open-Source Models

Here is an example of testing SimMIA in Pythia-6.9B with WikiMIA-25 (8 GPUs):

simmia.benchmark
  --gpu_ids 0 1 2 3 4 5 6 7
  --model_name_or_path EleutherAI/pythia-6.9b
  --sampling relative_word_by_word
  --postprocess process_relative_word_data
  --inference relative_semantic_ratio
  --output_dir simmia_out
  --num_samples 100
  --data SimMIA/WikiMIA-25
  --sub_dataset paper_subset
  --num_shots 7
  --prefix_ratio 0.0
  --top_k 20

Key Argument Explanations:

  • --sampling: the way to sample continuations from LLMs. You can perform either word-by-word sampling like SimMIA or complete continuation from a fixed-length prefix like SaMIA.
  • --postprocess: some necessary data preparation, especially for SimMIA.
  • --inference: which method is used to compute the membership score.

Note

If you want to switch to SaMIA:

  • Use --sampling generate_all_remaining
  • Set --inference rouge_n
  • Set --prefix_ratio to a value strictly between 0 and 1 (e.g., --prefix_ratio 0.5)

🌐 Closed-Source Models

To experiment with closed-source model APIs, simply add --concurrency to control the maximum number of parallel API requests, and prefix the API-based model name with api:. Here is an example that modifies the previous example to test Gemini 2.5 Flash:

simmia.benchmark
  --concurrency 5
  --gpu_ids 0 1 2 3 4 5 6 7
  --model_name_or_path api:google/gemini-2.5-flash
  ...  # others remain the same as the above

Note

Although calling closed-source LLM APIs does not require any GPU resources, our implementation relies on --gpu_ids to decide the number of parallel computation-intensive works. In this case, --gpu_ids must be set as SimMIA needs to run dense retrievers to calculate word similarity. If you really do not have any GPUs, please set export CUDA_VISIBLE_DEVICES="" and --gpu_ids 0 to run dense retrievers on CPU.

Warning

Currently, we only support models from OpenAI (api:openai/*), Anthropic (api:anthropic/*), and Google (api:google/*).

πŸ“Š Reproducing Paper Results

We provide scripts to reproduce the results of SaMIA, SimMIA*, and SimMIA reported in the paper.

cd simmia

# SaMIA
bash scripts/run_samia.sh <MODEL NAME OR PATH> <DATA> <SUB_DATASET> [GPU_IDS] [CONCURRENCY]

# SimMIA*
bash scripts/run_simmia_hard.sh <MODEL NAME OR PATH> <DATA> <SUB_DATASET> [GPU_IDS] [CONCURRENCY]

# SimMIA
bash scripts/run_simmia_soft.sh <MODEL NAME OR PATH> <DATA> <SUB_DATASET> [GPU_IDS] [CONCURRENCY]

Valid SUB_DATASET values for different DATA:

  • For swj0419/WikiMIA: WikiMIA_length32, WikiMIA_length64, WikiMIA_length128, WikiMIA_length256 (or just 32, 64, 128, 256)
  • For SimMIA/WikiMIA-25: WikiMIA_length32, WikiMIA_length64, WikiMIA_length128, paper_subset (or just 32, 64, 128 for length values)
  • For iamgroot42/mimir: wikipedia_(en), github, pile_cc, pubmed_central, arxiv, dm_mathematics, hackernews

Note

For SimMIA with dm_mathematics in MIMIR, the --exact_match_number flag is automatically enabled to use exact numeric matching instead of word similarity for numerical values.

To reproduce the results of most gray-box MIAs (e.g., Loss/Reference/Zlib/Neighborhood/Min-K%/Min-K%++/ReCaLL) reported in the paper, please refer to the official MIMIR repo.

Note

MIMIR has its own data format. To run gray-box baselines on WikiMIA / WikiMIA-25, you need to convert datasets into MIMIR's expected format.

To reproduce the result of PETAL, please refer to the official artifacts.

Note

The official PETAL implementation evaluates the result on the MIMIR subset by default. If you want to reproduce our full MIMIR result, you need to load the complete dataset.

βœ’οΈ Citation

Please cite our paper if you find our work useful:

@misc{yi2026membership,
      title={Membership Inference on LLMs in the Wild}, 
      author={Jiatong Yi and Yanyang Li},
      year={2026},
      eprint={2601.11314},
      archivePrefix={arXiv},
      primaryClass={cs.CL},
      url={https://arxiv.org/abs/2601.11314}, 
}

About

The code for paper 'Membership Inference on LLMs in the Wild'

simmia2026.github.io

Topics

black-box evaluation llm-inference inference-attack

Resources

Readme

License

MIT license
Activity

Stars

6 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages