Training Data Extraction From Pre-trained Language Models: A Survey

As the deployment of pre-trained language models (PLMs) expands, pressing security concerns have arisen regarding the potential for malicious extraction of training data, posing a threat to data privacy.This study is the first to provide a comprehensive survey of training data extraction from PLMs.Our review covers more than 100 key papers in fields such as natural language processing and security.First, preliminary knowledge is recapped and a taxonomy of various definitions of memorization is presented.The approaches for attack and defense are then systemized.Furthermore, the empirical findings of several quantitative studies are highlighted.Finally, future research directions based on this review are suggested.


Introduction
Pre-trained language models (PLMs) are widely used in natural language processing.Statistical models that assign probabilities to token sequences have been studied, and large neural networks are increasingly being used for pre-training with large datasets.This scaling has led to fluent natural language generation and success in many other downstream tasks (Devlin et al., 2019).In some cases, parameter updates are not required for downstream tasks (Radford et al., 2019;Brown et al., 2020).
With increasing applications of PLMs, security concerns have increased considerably (Bender et al., 2021;Bommasani et al., 2021;Weidinger et al., 2022).Studies have revealed the risk of language models exhibiting unintentional memorization of training data, and occasionally outputting memorized information (Carlini et al., 2019(Carlini et al., , 2021(Carlini et al., , 2023b;;Lee et al., 2023).In particular, Carlini et al. (2021) identified that personal information can be extracted by generating numerous sentences from PLMs and performing membership inference (Shokri et al., 2017).These attacks on PLMs are referred to as training data extraction and are undesirable because of privacy, decreased utility, and reduced fairness concerns (Carlini et al., 2023b).However, with the evolution of PLMs, limited progress has been achieved in addressing these concerns, and security technology is yet to mature.
This study is the first to provide a comprehensive survey of training data extraction from PLMs.Starting with the pioneering work, we reviewed more than 100 previous and subsequent studies.Specifically, we screened papers citing Carlini et al. (2021) 1 based on the relationships, the number of citations, and their acceptance.First, Section 2 presents preliminary knowledge.We then discuss several topics with the following contributions: • A taxonomy of various definitions of memorization (Section 3) was presented.Training data extraction has become close to the famous security attack known as model inversion (Fredrikson et al., 2015).
• We systematize the approaches to attack (Section 4) and defense (Section 5).Furthermore, we highlight empirical findings (Section 6) from several quantitative evaluation studies.
• Based on the review, we suggest future research directions (Section 7).

Preliminaries about PLMs
This section describes the basics of modern PLMs.First, we explain the methodology used for training language models and generating texts.Next, the standard practical schema is introduced.

Language Models
Language models represent a probability distribution over the sequences of tokens.Based on the pre-training method, language modeling can be categorized into two types (Yang et al., 2023): autoregressive language modeling, which predicts words sequentially from left to right (Bengio et al., 2000;Mikolov et al., 2010), and masked language modeling, which hides some parts of a sentence and fills in the gaps (Devlin et al., 2019).The former is sometimes called causal language modeling (Tirumala et al., 2022).This study is focused on autoregressive language models with transformer (Vaswani et al., 2017), following many recent studies on training data extraction.Note that some studies have focused on masked language models such as BERT (Lehman et al., 2021;Mireshghallah et al., 2022a;He et al., 2022) and T5 (Carlini et al., 2023b).Most studies address pre-training rather than fine-tuning (Mireshghallah et al., 2022b).
Autoregressive language models take a series of tokens as input and output a probability distribution for the next token.We show a schema of training and generation by following Carlini et al. (2021).
Training.The following statistical model was assumed for distribution: where x 1 , x 2 , . . ., x n is a sequence of tokens from a vocabulary using the chain rule of probability: ) denote the likelihood of token x i when evaluating neural network f with parameters θ.Language models are trained to optimize the probability of the data in a training set.Formally, training involves minimizing the loss function as follows: for each data in the training set.This setting can be qualitatively regarded as memorizing the flow of sentences in each training data.
Generating.New tokens can be generated by iterating the following process: This decoding process continues until conditions are satisfied.The simplest is greedy decoding, selecting the most probable tokens one by one.However, studies have revealed that simply maximizing the output probability generates text that is not natural to humans (Li et al., 2016;Holtzman et al., 2020).Therefore, several approaches have been proposed for sampling from a probability distribution such as top-k sampling (Fan et al., 2018) and top-p sampling (Appendix A).

Pre-training and Fine-tuning
Prior to BERT (Devlin et al., 2019), specific models were trained for individual tasks.By contrast, in the PLMs approach, large neural networks with large datasets are pre-trained and fine-tuned for several downstream tasks.Radford et al. (2018) revealed that autoregressive language modeling is effective for PLMs with transformers.This extension, GPT-2 (Radford et al., 2019) and GPT-3 (Brown et al., 2020), can be applied to various tasks without fine-tuning by providing a few examples (in-context learning).The scaling of large models with large datasets has attracted considerable research attention (Appendix B).PLMs exhibit a significant advantage in using datasets that match a specific domain.These models can exhibit superior performance in domainspecific tasks than larger models pre-trained on general datasets.Studies, such as BioMegatron (Shin et al., 2020), BioGPT (Luo et al., 2022), Galactica (Taylor et al., 2022), and BloombergGPT (Wu et al., 2023), have been conducted.However, the potential risk of training data extraction, especially when using sensitive datasets in pre-training, should be considered (Nakamura et al., 2020;Lehman et al., 2021;Jagannatha et al., 2021;Singhal et al., 2022;Yang et al., 2022).There are also ethical topics such as the human rights in the texts (Li et al., 2018;Ginart et al., 2019;Garg et al., 2020;Henderson et al., 2022) and plagiarism regarding copyright (Lee et al., 2023).Examples include PLMs created from contracts (Chalkidis et al., 2020;Zheng et al., 2021), clinical information (Kawazoe et al., 2021), music (Agostinelli et al., 2023), and source code (Chen et al., 2021).

Definitions of Memorization
Memorization is the concept that PLMs store and output information about the training data.There is a wide variety of research on memorization, with diverse definitions and assumptions.We illustrate a taxonomy of definitions in Figure 1.

Eidetic memorization
A mainstream method is eidetic memorization (Carlini et al., 2021) and its variations (Thomas Mc-Coy et al., 2021;Carlini et al., 2023b; Kandpal   et al., 2022;Tirumala et al., 2022).These definitions assume that PLMs output memorized data when appropriate prompts are provided.Carlini et al. (2021) defined eidetic memorization as Definition 3.1, and in a subsequent study (Carlini et al., 2023b), they adopted the definition in Definition 3.2.They stated that eidetic memorization can be used in cases in which no prompt, whereas the subsequent definition is suitable for conditions with prompts.Some studies have adopted definitions similar to those in Definition 3.2.Examples include Tirumala et al. (2022) with a per-token definition of exact memorization, and Kandpal et al. (2022) with a document-level definition of perfect memorization.
Definition 3.1 (eidetic memorization).A string s is k-eidetic memorized by PLM f θ if a prompt p exists such that f (p) = s and s appears at most k times in the training set.

Definition 3.2 (a variation of eidetic memorization).
A string s is k-memorized with k tokens of context from a PLM f θ if a (length-k) string p exists such that the concatenation [p||s] is contained in the training set, and f θ produces s when prompted with p by using greedy decoding.

Differential privacy
Differential privacy (Dwork et al., 2006) is widely used in memorization, and definitions based on differential privacy have been devised (Jagielski et al., 2020;Nasr et al., 2021).Differential privacy was formulated based on the premise that removing any data from the training set should not considerably change trained models.Although this method protects the personal information of a single user, Brown et al. (2022) reported that the method can-not capture the complexity of social and linguistic data.Differential privacy is introduced as a defense approach in Section 5.2.

Counterfactual memorization
Studies have defined counterfactual memorization as the difference between a training data's expected loss under a model that has and has not been trained on that data (Feldman and Zhang, 2020;van den Burg and Williams, 2021).Zhang et al. (2021c) investigated this form of memorization in PLMs based on the taxonomy of human memorization in psychology.
The definition of counterfactual memorization has received limited attention in training data extraction.Carlini et al. (2023b) noted that this definition requires training thousands of models to measure privacy.Thus, evaluating PLMs becomes difficult because of their inference costs.Furthermore, Kandpal et al. (2022) remarked that this definition is not considered a privacy attack scenario because access to the training corpus is assumed.This phenomenon is related to the adversarial knowledge presented in Section 4.2.

Approximate memorization
Although the definitions of memorization thus far assume exact string matches, definitions have been proposed to relax this condition.Here, Ippolito et al. (2022) refer to definitions based on exact string matches as verbatim memorization.They revealed that verbatim memorization can be handled by simply adjusting the decoding method and proposed alternative definitions called approximate memorization that consider string fuzziness, as presented in Definition 3.3.Some methods have been proposed to calculate similarity.Ippolito et al. (2022) set the condition that BLEU(s, g) (Papineni et al., 2002) is greater than 0.75.The threshold value of 0.75 was selected by qualitatively inspecting examples.Lee et al. (2022) defined that the token is memorized if it is part of a substring of 50 tokens of a string in the training data.Definition 3.3 (approximate memorization).A string s is k-approximately memorized by PLM f θ if a (length-k) string p exists such that (s, g) satisfies certain conditions of similarity, and f θ produces g when prompted with p.

Revisiting model inversion
Reconstructing training data from a model presents a well-known security concern called model inver- sion attacks (Fredrikson et al., 2015).Carlini et al. (2021) explained that the main difference is that training data extraction does not allow fuzziness.However, this difference has decreased since the introduction of relaxed definitions of memorization.Kandpal et al. (2022) mentioned several previous studies (Carlini et al., 2019(Carlini et al., , 2021;;Inan et al., 2021) as model inversion.

Training Data Extraction Attacks
This section systematizes the attack procedure.Most studies follow Carlini et al. (2021).They revealed that hundreds of verbatim text sequences can be extracted from the training data.Given a PLM, the procedure consists of two steps, candidate generation, and membership inference, as displayed in Figure 2.

Candidate generation
The first step is to generate numerous texts from a given PLM.Texts can be generated from PLMs using several decoding methods, as discussed in Appendix A. Here, Carlini et al. (2023b) reported that the choice of the decoding strategy does not considerably affect their experimental results.In contrast, Lee et al. (2023) observed that top-k and top-p sampling tended to extract more training data.
Another perspective is the procedure for providing prompts.Prompts are provided according to two options, giving only a special token2 (sometimes called no prompt) or specific strings as prompts.Studies have constructed prompts by extracting data from the dataset considered to be used in creating PLMs.Carlini et al. (2021) randomly sampled between 5 and 10 tokens from scraped data.Carlini et al. (2023b) extracted a subset of the Pile dataset (Gao et al., 2020) in prompting GPT-Neo model family (Black et al., 2022).

Membership inference
Membership inference aims to predict whether any particular example is used to train a machine learning model (Shokri et al., 2017;Song and Shmatikov, 2019;Hisamoto et al., 2020).This result can lead directly to privacy violations.We describe membership inference on PLMs from the following five perspectives in a survey paper (Hu et al., 2022): target model, adversarial knowledge, approach, algorithm, and domain.
Adversarial knowledge.The second perspective is the knowledge that can be handled explicitly by attackers.We describe two aspects of adversarial knowledge, namely models and training sets.The patterns of adversarial knowledge in this study are summarized in Appendix C. Hu et al. (2022) presented the adversarial knowledge of models.The models are classified into two categories, namely white-box and black-box, according to accessibility (Nasr et al., 2019).Under the white-box setting, an attacker can obtain all information and use it for the attack.This includes the training procedure and the architecture and trained parameters of the target model.However, in the black-box setting, an attacker can only have limited access to the target model.Hu et al. (2022) classified the black-box setting into three parts, namely full confidence scores, top-k confidence scores, and prediction labels only.They differ in the extent of access an attacker has to the PLMs output.The setting of full confidence scores assumes a situation in which the training process of the model is unknown, but all outputs for any given input are available.Therefore, an attacker can obtain prediction labels with probabilities and calculate the loss.The setting of top-k confidence scores indicates that an attacker can obtain several candidates of the output.The scope of the attack is restricted because losses cannot be calculated.Another setting provides only labels without prediction values (Choquette-Choo et al., 2021;Zhu et al., 2023).Many web services with PLMs, such as DeepL3 and ChatGPT4 , only allow users to view labels for the model output.
Furthermore, we describe the adversarial knowledge of the training sets.In the white-box setting, the training set is stated and publicly available.The most harmful attacks are black box setups that do not assume access to the training set.Such attacks include PLMs created by private datasets.In some cases, the data are partially publicly available.Such cases include the ones wherein only the beginning of the news article is available for free, certain editions are accessible, and some articles have been made private over time.Although the data itself are not partially published, substrings can be inferred in the hidden private data using a priori knowledge (Henderson et al., 2018;Carlini et al., 2019).Examples are prompts like "Bob's phone number is" and "Alice's password is".
We must be aware of scenarios in which the dataset and PLMs are unwillingly leaked and become public.Adversarial knowledge is immediately converted to the white-box level.For example, even if a web service with PLMs trained on a private dataset provides users with only a string, it is crucial to discuss risks when both the dataset and the PLMs are unintentionally made public.
In studies of training data extraction from PLMs, perplexity is often used for metrics of membership inference (Carlini et al., 2019(Carlini et al., , 2021)).Given a sequence of tokens x 1 , . . ., x n , the perplexity is defined as: Algorithm.The fourth perspective is whether the algorithm is centralized or federated.Federated learning approaches have received considerable attention in privacy protection research (Melis et al., 2019;Nasr et al., 2019;Lee et al., 2021;Kairouz et al., 2021).However, focusing on training data extraction, the mainstream approach is based on centralized methods as of April 2023.

Domain.
Text datasets are rooted in various domains, as described in Section 2.2.Clinics are a crucial research field that involves handling of highly confidential information.Lehman et al. (2021) recovered patient names and their associated conditions from PLMs using electronic clinical records.Jagannatha et al. (2021) demonstrated that patients with rare disease profiles may be highly vulnerable to higher privacy leakages through experiments using PLMs of clinical data.Many other domains require careful processing, such as contracts (Yin and Habernal, 2022) and source code5 .A discussion of the right to be forgotten in the legal and news industries has emerged (Li et al., 2018;Ginart et al., 2019;Garg et al., 2020;Henderson et al., 2022).Therefore, it should be ensured that PLMs do not unintentionally become digital archives.Publicly available datasets do not necessarily indicate that they are completely independent of the risk of training data extraction from PLMs.The context in which the information is shared should be known to respect privacy (Dourish, 2004;Nissenbaum, 2009).Nissenbaum's contextual integrity (Nissenbaum, 2009) states that a change in any one of five characteristics (data subject, sender, recipient, information type, and transmission principle) may alter privacy expectations.Brown et al. (2022) emphasized the importance of PLMs only with data explicitly intended for public use.The Italian Data Protection Authority issued a statement 6 on March 2023 in accordance with the European General Data Protection Regulation (GDPR) against OpenAI, the provider of ChatGPT, for their data processing.

Training Data Extraction Defenses
This section systematizes approaches to defense.We can mitigate privacy risks before, during, and after creating PLMs as displayed in Figure 2. The classification was reconstructed using references (Hu et al., 2022;Huang et al., 2022;Jagielski et al., 2023).Extensive studies have been conducted on the hazardous generation of PLMs (Kurita et al., 2020;Mei et al., 2022;Levy et al., 2022;Ouyang et al., 2022;Carlini et al., 2023c).However, this study focused on training data extraction.

Pre-processing
First, pre-processing the training set is considered.
Data sanitization.The simplest solution is to identify and remove any text that conveys personal information (Ren et al., 2016;Continella et al., 2017;Vakili et al., 2022).However, as noted in Section 4.2, privacy depends on the context, and determining privacy from the string alone is difficult.Brown et al. (2022) proposed that data sanitization is only useful for removing context-independent, well-defined, static pieces of personal information from the training set.
Data deduplication.Studies have indicated that data deduplication mitigates the memorization of PLMs (Allamanis, 2019;Kandpal et al., 2022;Lee et al., 2022).This method is more efficient than methods that train models and is expected to be a practical solution.Empirical findings on data deduplication are presented in Section 6.2.

Training
The second method is a pre-training strategy.
6 https://www.garanteprivacy.it/home/docweb/-/docweb-display/docweb/9870847 Differential privacy.Applying differential privacy (Dwork et al., 2006) methods for providing data privacy guarantees in machine learning models has attracted considerable research attention.Differential privacy is a data protection measure that is designed to ensure that providing data does not reveal much information about the user.However, applying these algorithms (e.g., DP-SGD (Abadi et al., 2016) and DP-FedAvg (Ramaswamy et al., 2020)) to PLMs is challenging.Performance degradation and increased computation and memory usage are the primary concerns.
To address this problem, a framework has been proposed for training models in two steps (Yu et al., 2021(Yu et al., , 2022;;Li et al., 2022;He et al., 2023) 7 .In the framework, large amounts of non-private datasets are used for pre-training to obtain general features; next, additional training is applied with a sensitive dataset using a differential privacy algorithm.Downey et al. (2022) reported that the differential privacy approach is effective in preventing memorization, despite its computational and model performance costs.Note that Tramèr et al. (2022) summarized a critical view.They argued that publicly accessible datasets are not free from privacy risks because they contain information that is unintentionally released to the public.Therefore, discussing whether private information that we want to hide is contained in the public dataset is essential.It is known that understanding the semantic guarantee of differential privacy is difficult when private data is involved (Cummings et al., 2021).
Another barrier to applying differential privacy to PLMs is the requirement of defining secret boundaries even though text data are not binary.Studies have considered various levels of granularity, from individual tokens or words to sentences, documents, or even the entire user dataset (McMahan et al., 2018;Levy et al., 2021;Lukas et al., 2023).
Regularization.Regularization is a well-known approach for suppressing overfitting in machine learning models.The memorization of models is typically associated with overfitting (Yeom et al., 2018;Zhang et al., 2021b).Therefore, regularization during training that reduces overfitting can be used as a measure of membership inference (Hu et al., 2022).Mireshghallah et al. (2021) proposed a regularization method regarding the memoriza-tion of PLMs and claimed usefulness compared with differential privacy methods.Some studies have constrained the representation of neural networks by the information bottleneck layer (Alemi et al., 2017;Henderson and Fehr, 2023).
Pre-training large neural networks has distinctive tendencies compared with common machine learning.A single data in the training set is not used for too many epochs in pre-training and is sometimes used for less than one epoch.Furthermore, Carlini et al. (2021) reported that a characteristic of PLM memorization is the emergence of training data with an abnormally lower loss than the average.Tirumala et al. (2022) revealed that large language models can memorize most of their data before overfitting and tend not to forget much information through the training process.Biderman et al. (2023) have focused on the training process and attempted to predict the memorization of PLMs.
Knowledge distillation.Another approach is knowledge distillation (Hinton et al., 2015), in which the output of a large teacher model is used to train a small student model.Shejwalkar and Houmansadr (2021) revealed that knowledge distillation can be used to restrict an attacker's direct access to a private training set, which considerably reduces membership information leakage.

Post-processing
The third step is to post-process the PLMs output.
Confidence masking.Limiting the output of PLMs is a simple but effective defense mechanism.For example, confidence masking can be used for adjusting adversarial knowledge, as presented in Section 4.2 and Appendix C.
Filtering.Filtering the output of PLMs before providing them to users is crucial.Identifying items to be filtered incurs a cost, and ensuring diversity remains challenging.Perez et al. (2022) proposed a method to automatically identify test cases by extracting potentially dangerous outputs by detailing prompts using various PLMs.
In particular, based on one of the first comprehensive quantitative studies (Carlini et al., 2023b), we report on the impact of the model size, the string duplication in the training set, and the length of prompts.They used various sizes of GPT-Neo model family (Black et al., 2022), which are the autoregressive language models pre-trained by the Pile dataset (Gao et al., 2020).Four model sizes, namely 125 million, 1.3 billion (B), 2.7 B, and 6 B parameters, were considered.The number of duplicate strings was determined by analyzing the Pile dataset.A subset of 50,000 sentences from the Pile dataset was used for evaluation, and the distribution of duplicates was considered.The beginning of each sentence was cut out at a certain number of tokens and considered as a prompt.The amount of memorization was calculated as the fraction of generations that exactly reproduce the true string for their prompt averaged over all prompts and sequence lengths.
6.1 Larger models memorize more Carlini et al. (2023b) revealed that a near-perfect log-linear relationship exists such that the larger the model size is, the more strings are memorized.Numerically, a ten-fold increase in the model size increased the amount of memorization by 19 ppt.For comparison, they performed the same analysis with the GPT-2 model family.The amount of memorization was 40 % for 1.3 B GPT-neo compared with 6 % for the GPT-2 of the same size.This phenomenon implied the effect of memorization of the training data, not just the model size.Carlini et al. (2023b) used the definition of verbatim memorization, and Ippolito et al. (2022) confirmed similar results with the definition of approximate memorization.Although not sufficiently quantitative, initial studies (Carlini et al., 2019;Zhang et al., 2021b) have provided preliminary evidence.Tirumala et al. (2022) and Lee et al. (2023) also revealed that larger models memorize more.et al. (2023b) reported that a clear log-linear trend exists between the number of duplicates and the amount of memorization.They measured the amount of memorization for each bucket with duplicate counts ranging from 2 to 900.Kandpal et al. (2022) and Lee et al. (2022) also revealed that duplication in the training set of PLMs relates to the likelihood of memorizing strings and proposed that deduplication mitigates training data extraction.However, memorization can occur even with only a few duplicates, and deduplication cannot prevent it completely.Chang et al. (2023) reported that the degree of memorization of ChatGPT and GPT-4 (OpenAI, 2023) was related to the frequency of the passages that appeared on the web.

Carlini
6.3 Longer prompts extract more Carlini et al. (2023b) revealed that the amount of memorization increases with the length of the prompt.For example, the amount of memorization by the 6 B model was 33 % for 50 tokens, compared with 65 % for 450 tokens.This experiment was inspired by the findings of Carlini et al. (2019).They suggested that setting the maximum prompt length available to users considerably reduces the risk of training data extraction.

Conclusion & Future Directions
We have reviewed over 100 papers for the first comprehensive survey on training data extraction from PLMs.The final section provides suggestions for future research directions.We hope that this study highlights the importance of training data extraction from PLMs and accelerates the discussion.

Is memorization always evil?
Most studies did not distinguish the degree of danger of memorized strings (Lee et al., 2020).Ideally, the undesirable memorization of telephone numbers and email addresses must be separated from the acceptable memorization.Huang et al. (2022) was among the first to differentiate between memorization and association in PLMs.They concluded that the risk of specific personal information being leaked is low because PLMs cannot semantically associate personal information with their owners.
The boundary between memorization and knowledge of PLMs remains ambiguous with the definition of approximate memorization (Ippolito et al., 2022;Lee et al., 2022).Deduplication of training sets, which is considered useful in Sections 5 and 6, leads to the elimination of helpful knowledge.Therefore, we must consider what memorization is (Haviv et al., 2022) and balance the security concerns with the model performance, depending on the final application.The definition of counterfactual memorization introduced in Section 3.3 incorporated psychological findings that could be useful despite its challenges.

Toward broader research fields
Discussing the handling of the fuzziness of a string is important.Ippolito et al. (2022) stated that the current definition of approximate memorization focuses on English, and different considerations are required for other conditions such as non-English languages.In addition, they suggested two research areas that could help improve the definition: image generation memorization and plagiarism detection.Images are more difficult to generate than text for matching exactly with the original.Therefore, fuzzy memorization has been investigated and measured.Fredrikson et al. (2015), which proposed the model inversion attack, used face recognition in images as the subject of their experiments.Studies have used metrics that consider image similarity (Zhang et al., 2020;Haim et al., 2022;Balle et al., 2022).Furthermore, the trend toward pre-training in both images and language (Lu et al., 2019;Li et al., 2020) should be considered.The limitations of the definition of verbatim textual matching have been discussed in plagiarism detection research (Roy et al., 2009;Potthast et al., 2010).Similarities are explored from multiple perspectives, including word changes, shuffling, and paraphrasing.

Evaluation schema
Room for ingenuity exists in the construction of evaluation sets.Establishing a schema for quantitative evaluation, which has received considerable attention, is critical.Studies mentioned in Sections 4 and 6 have created evaluation sets by extracting a subset of the training set.Sampling is essential because of inference time limitations.However, we must be careful to see if there are other factors to consider besides the distribution of the number of duplicates to avoid bias due to sampling.
Evaluation metrics for the training data extraction are open for discussion.Carlini et al. (2022) postulated that the ideal evaluation metric must be based on realistic attack scenarios, whereas most studies on membership inference measure the average accuracy rate.They proposed that membership inference should be evaluated by the true positive rate with a low false positive rate.The Training Data Extraction Challenge8 measures attack speed as well as recall and precision.

Limitations
First, this study focused on PLMs in training data extraction, particularly autoregressive language models.Other target models, such as masked language models (described in Section 2.1) and word embeddings (noted in Section 4.2), require another discussion.Additionally, due to prioritization constraints, the discussion on other topics, including model inversion attacks and the federated learning approach, was limited.However, these areas are established and can be supplemented by other studies (Fredrikson et al., 2015;Zhang et al., 2021a).
Second, in practical applications of PLM, it is necessary to audit not only security but also various other aspects such as performance degradation (Mökander et al., 2023).There are a number of security concerns beyond training data extraction (noted in Section 5).There are also papers discussing performance degradation of PLMs over time (Ishihara et al., 2022).
Finally, this comprehensive survey is based on information as of April 2023.Studies on training data extraction from PLMs have primarily focused on natural language processing and security.These domains are undergoing rapid changes.Therefore, some of the content may become obsolete in the near future.

A Type of Decoding
Two classes of methods, namely deterministic and stochastic, are used for decoding (Su et al., 2022).In the deterministic method, the most probable tokens based on the probability distribution of the model are used.Greedy methods and beam searches are widely used.However, studies have revealed that simply maximizing the output probability generates text that is not natural to humans (Li et al., 2016;Holtzman et al., 2020).Therefore, several approaches have been proposed for sampling from a probability distribution.Stochastic methods include top-k sampling (Fan et al., 2018), top-p sampling, and nucleus sampling (Holtzman et al., 2020), in which samples are extracted from the lexical subset.A method to adjust the probability distribution using the temperature parameter was used to increase the diversity of the generated texts (Ackley et al., 1985).
In the candidate generation step in Section 4.1, texts can be generated from PLMs using several decoding methods.Some studies adopted a greedy method (Carlini et al., 2023b).Others used topk sampling (Carlini et al., 2021;Lee et al., 2022) and tuned the temperature (Carlini et al., 2021) to increase the diversity of the generated texts.

B Scaling Law for Language Models
Building PLMs requires large datasets.Studies have proposed models with larger parameters pretrained with large datasets (Smith et al., 2022;Chowdhery et al., 2022).Experimental results revealed the existence of a scaling law (Kaplan et al., 2020;Henighan et al., 2020).This study suggested that the performance of language models using the transformer improves as the model size, dataset size, and amount of computation increase.Villalobos et al. (2022) cautioned that the data available for pre-training language models may be exhausted in the near future.

C Patterns of Adversarial Knowledge
Table 1 presents the patterns of adversarial knowledge of the models and Table 2 details the patterns of adversarial knowledge of the training set.These tables provide specific patterns.For example, white-box for models indicates PLMs published on platforms such as Hugging Face 9 with training explanations, which can be downloaded.As discussed in Section 4.2, two main types, namely white and black boxes, exist.In black-box settings, several patterns depend on the situation.Table 1 reveals the classification of the black-box proposed by Hu et al. (2022): full confidence scores, top-k confidence scores, and prediction labels.In

Figure 1 :
Figure 1: Taxonomy of definitions of memorization.

Figure 2 :
Figure 2: The procedure of training data extraction attacks and possible defenses.

Table 2 ,
9 https://huggingface.co/models Adversarial knowledge Model or the output Pattern white-box all Models are available with proper explanations.black-box full confidence scores All outputs of models are available.top-k confidence scores Top-k outputs of models are available.prediction label only Only prediction labels are available.

Table 1 :
Adversarial knowledge of models and patterns.

Table 2 :
Adversarial knowledge of training sets and patterns.several possible patterns of adversarial knowledge are presented on training sets.