
Computer Engineering

Differential Low-Rank Adaptation-based Sensitive Information Protection for Large Language Model Training

  • Published: 2025-10-28


Abstract: As generative AI technologies are increasingly deployed in sensitive industries, large generative models' tendency to memorize training data during fine-tuning poses a growing privacy risk: user identities, behavioral traces, and other sensitive information may be reconstructed at inference time. To address this issue, a fine-tuning approach combining Differential Privacy (DP) with Low-Rank Adaptation (LoRA) is proposed. The method freezes the parameters of the pre-trained model and updates only the inserted LoRA modules. In addition, Differentially Private Stochastic Gradient Descent (DP-SGD) is applied during training, performing gradient norm clipping and Gaussian noise injection on a per-sample basis to limit the model's dependence on individual training samples. Based on the Qwen2-1.5B language model, an instruction-style fine-tuning dataset incorporating user profiles is constructed, and adversarial samples targeting typical sensitive fields, such as identity markers, behavioral characteristics, and location data, are designed to compare the anti-leakage capability of traditional full-parameter fine-tuning with that of the DP-LoRA approach. Experimental results show that the fully fine-tuned model reaches a sensitive-information match rate of 73.07% on 130 adversarial samples, indicating severe privacy vulnerability, whereas the DP-LoRA fine-tuned model reduces the match rate to 1.5%, with generated content showing minimal correlation to the original training data. The proposed method effectively lowers the probability of sensitive-information reproduction, offering a low-cost, highly adaptable training strategy for deploying generative models in real-world scenarios with stringent data security requirements.
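To make the parameter-efficient side of the approach concrete, below is a minimal PyTorch sketch of the LoRA mechanism the abstract describes: the pre-trained weight matrix is frozen and only the inserted low-rank factors receive gradient updates. The class and argument names (LoRALinear, r, alpha) are illustrative assumptions, not the authors' implementation.

```python
import torch
import torch.nn as nn

class LoRALinear(nn.Module):
    """A frozen pre-trained linear layer plus a trainable low-rank update.

    forward(x) = W x + (alpha / r) * B A x, where W stays frozen and only
    A (r x in_features) and B (out_features x r) are trained.
    """
    def __init__(self, base: nn.Linear, r: int = 8, alpha: int = 16):
        super().__init__()
        self.base = base
        for p in self.base.parameters():
            p.requires_grad = False                 # freeze the pre-trained weights
        self.lora_A = nn.Parameter(torch.randn(r, base.in_features) * 0.01)
        self.lora_B = nn.Parameter(torch.zeros(base.out_features, r))
        # B is zero-initialized, so the wrapped layer starts identical to the base layer
        self.scaling = alpha / r

    def forward(self, x: torch.Tensor) -> torch.Tensor:
        return self.base(x) + (x @ self.lora_A.T @ self.lora_B.T) * self.scaling
```

In practice one would wrap, for example, the attention projection layers of Qwen2-1.5B this way and pass only the lora_A and lora_B factors to the optimizer, leaving the base model untouched.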

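The privacy mechanism, per-sample gradient norm clipping followed by Gaussian noise injection, can be sketched as a microbatch-of-one training step, assuming every trainable parameter participates in the forward pass. Production implementations (e.g., the Opacus library) vectorize the per-sample gradients for speed; the function and parameter names below (dp_sgd_step, max_grad_norm, noise_multiplier) are hypothetical.

```python
import torch

def dp_sgd_step(model, loss_fn, inputs, targets, optimizer,
                max_grad_norm: float = 1.0, noise_multiplier: float = 1.0):
    """One DP-SGD update, processing the batch one sample at a time.

    Each per-sample gradient is clipped to L2 norm max_grad_norm, the clipped
    gradients are summed, Gaussian noise with standard deviation
    noise_multiplier * max_grad_norm is added, and the result is averaged.
    """
    # Only parameters that still require gradients, i.e. the LoRA factors
    params = [p for p in model.parameters() if p.requires_grad]
    batch_size = inputs.shape[0]
    summed = [torch.zeros_like(p) for p in params]

    for i in range(batch_size):                        # microbatch of size 1
        model.zero_grad()
        loss = loss_fn(model(inputs[i:i + 1]), targets[i:i + 1])
        loss.backward()
        # Global L2 norm of this sample's gradient across all trainable params
        total_norm = torch.sqrt(sum(p.grad.norm() ** 2 for p in params))
        clip_coef = (max_grad_norm / (total_norm + 1e-6)).clamp(max=1.0)
        for acc, p in zip(summed, params):
            acc += p.grad * clip_coef                  # accumulate the clipped gradient

    for acc, p in zip(summed, params):
        noise = torch.randn_like(acc) * (noise_multiplier * max_grad_norm)
        p.grad = (acc + noise) / batch_size            # noised average replaces the raw gradient
    optimizer.step()
    model.zero_grad()
```

The (ε, δ) privacy guarantee of the full training run then follows from standard accounting over the number of steps and the sampling rate, which this sketch omits.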