Towards More Realistic Extraction Attacks: An Adversarial Perspective

Yash More, Prakhar Ganesh, Golnoosh Farnadi


Abstract
Language models are prone to memorizing their training data, making them vulnerable to extraction attacks. While existing research often examines isolated setups, such as a single model or a fixed prompt, real-world adversaries have a considerably larger attack surface due to access to models across various sizes and checkpoints, and repeated prompting. In this paper, we revisit extraction attacks from an adversarial perspective—with multi-faceted access to the underlying data. We find significant churn in extraction trends, i.e., even unintuitive changes to the prompt, or targeting smaller models and earlier checkpoints, can extract distinct information. By combining multiple attacks, our adversary doubles (2×) the extraction risks, persisting even under mitigation strategies like data deduplication. We conclude with four case studies, including detecting pre-training data, copyright violations, extracting personally identifiable information, and attacking closed-source models, showing how our more realistic adversary can outperform existing adversaries in the literature.
Anthology ID: 2025.tacl-1.82
Volume: Transactions of the Association for Computational Linguistics, Volume 13
Year: 2025
Address: Cambridge, MA
Venue: TACL
Publisher: MIT Press
Pages: 1832–1849
URL: https://preview.aclanthology.org/ingest-eacl/2025.tacl-1.82/
DOI: 10.1162/tacl.a.62
Cite (ACL): Yash More, Prakhar Ganesh, and Golnoosh Farnadi. 2025. Towards More Realistic Extraction Attacks: An Adversarial Perspective. Transactions of the Association for Computational Linguistics, 13:1832–1849.
Cite (Informal): Towards More Realistic Extraction Attacks: An Adversarial Perspective (More et al., TACL 2025)
PDF: https://preview.aclanthology.org/ingest-eacl/2025.tacl-1.82.pdf