Differentiation-Based Extraction of Proprietary Data from Fine-Tuned LLMs

Zongjie LI; Daoyuan WU; Shuai WANG; Zhendong SU

doi:10.1145/3719027.3744856

Differentiation-Based Extraction of Proprietary Data from Fine-Tuned LLMs

Zongjie LI
, Daoyuan WU^*
, Shuai WANG^*
, Zhendong SU

^*Corresponding author for this work

Lingnan University

Research output: Book Chapters | Papers in Conference Proceedings › Conference paper (refereed) › Research › peer-review

2 Citations (Scopus)

Abstract

The increasing demand for domain-specific and human-aligned Large Language Models (LLMs) has led to the widespread adoption of Supervised Fine-Tuning (SFT) techniques. SFT datasets often comprise valuable instruction-response pairs, making them highly valuable targets for potential extraction. This paper studies this critical research problem for the first time. We start by formally defining and formulating the problem, then explore various attack goals, types, and variants based on the unique properties of SFT data in real-world scenarios. Based on our analysis of extraction behaviors of direct extraction, we develop a novel extraction method specifically designed for SFT models, called Differentiated Data Extraction (DDE), which exploits the confidence levels of fine-tuned models and their behavioral differences from pre-trained base models. Through extensive experiments across multiple domains and scenarios, we demonstrate the feasibility of SFT data extraction using DDE. Our results show that DDE consistently outperforms existing extraction baselines in all attack settings. To counter this new attack, we propose a defense mechanism that mitigates DDE attacks with minimal impact on model performance. Overall, our research reveals hidden data leak risks in fine-tuned LLMs and provides insights for developing more secure models.

Original language	English
Title of host publication	CCS '25: Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security
Editors	Chun-Ying HUANG, Jyh-Cheng CHEN, Shiuhpyng SHIEH
Publisher	Association for Computing Machinery, Inc
Pages	3071-3085
Number of pages	15
ISBN (Electronic)	9798400715259
DOIs	https://doi.org/10.1145/3719027.3744856
Publication status	Published - 22 Nov 2025
Event	32nd ACM SIGSAC Conference on Computer and Communications Security - Taipei, Taiwan, China Duration: 13 Oct 2025 → 17 Oct 2025

Conference

Conference	32nd ACM SIGSAC Conference on Computer and Communications Security
Abbreviated title	CCS 2025
Country/Territory	Taiwan, China
City	Taipei
Period	13/10/25 → 17/10/25

Bibliographical note

Publisher Copyright:
© 2025 Copyright held by the owner/author(s).

Funding

The HKUST authors are supported in part by a RGC CRF grant under the contract C6015-23G and research fund provided by HSBC.

Keywords

Data Extraction
Large Language Model

Access to Document

10.1145/3719027.3744856

Cite this

@inproceedings{56313ec3b7374f759c1bc1aee6b29917,

title = "Differentiation-Based Extraction of Proprietary Data from Fine-Tuned LLMs",

abstract = "The increasing demand for domain-specific and human-aligned Large Language Models (LLMs) has led to the widespread adoption of Supervised Fine-Tuning (SFT) techniques. SFT datasets often comprise valuable instruction-response pairs, making them highly valuable targets for potential extraction. This paper studies this critical research problem for the first time. We start by formally defining and formulating the problem, then explore various attack goals, types, and variants based on the unique properties of SFT data in real-world scenarios. Based on our analysis of extraction behaviors of direct extraction, we develop a novel extraction method specifically designed for SFT models, called Differentiated Data Extraction (DDE), which exploits the confidence levels of fine-tuned models and their behavioral differences from pre-trained base models. Through extensive experiments across multiple domains and scenarios, we demonstrate the feasibility of SFT data extraction using DDE. Our results show that DDE consistently outperforms existing extraction baselines in all attack settings. To counter this new attack, we propose a defense mechanism that mitigates DDE attacks with minimal impact on model performance. Overall, our research reveals hidden data leak risks in fine-tuned LLMs and provides insights for developing more secure models.",

keywords = "Data Extraction, Large Language Model",

author = "Zongjie LI and Daoyuan WU and Shuai WANG and Zhendong SU",

note = "Publisher Copyright: {\textcopyright} 2025 Copyright held by the owner/author(s).; 32nd ACM SIGSAC Conference on Computer and Communications Security, CCS 2025 ; Conference date: 13-10-2025 Through 17-10-2025",

year = "2025",

month = nov,

day = "22",

doi = "10.1145/3719027.3744856",

language = "English",

pages = "3071--3085",

editor = "Chun-Ying HUANG and Jyh-Cheng CHEN and Shiuhpyng SHIEH",

booktitle = "CCS '25: Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security",

publisher = "Association for Computing Machinery, Inc",

address = "United States",

}

LI, Z, WU, D, WANG, S & SU, Z 2025, Differentiation-Based Extraction of Proprietary Data from Fine-Tuned LLMs. in C-Y HUANG, J-C CHEN & S SHIEH (eds), CCS '25: Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security. Association for Computing Machinery, Inc, pp. 3071-3085, 32nd ACM SIGSAC Conference on Computer and Communications Security, Taipei, Taiwan, China, 13/10/25. https://doi.org/10.1145/3719027.3744856

Differentiation-Based Extraction of Proprietary Data from Fine-Tuned LLMs. / LI, Zongjie; WU, Daoyuan; WANG, Shuai et al.
CCS '25: Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security. ed. / Chun-Ying HUANG; Jyh-Cheng CHEN; Shiuhpyng SHIEH. Association for Computing Machinery, Inc, 2025. p. 3071-3085.

Research output: Book Chapters | Papers in Conference Proceedings › Conference paper (refereed) › Research › peer-review

TY - GEN

T1 - Differentiation-Based Extraction of Proprietary Data from Fine-Tuned LLMs

AU - LI, Zongjie

AU - WU, Daoyuan

AU - WANG, Shuai

AU - SU, Zhendong

PY - 2025/11/22

Y1 - 2025/11/22

N2 - The increasing demand for domain-specific and human-aligned Large Language Models (LLMs) has led to the widespread adoption of Supervised Fine-Tuning (SFT) techniques. SFT datasets often comprise valuable instruction-response pairs, making them highly valuable targets for potential extraction. This paper studies this critical research problem for the first time. We start by formally defining and formulating the problem, then explore various attack goals, types, and variants based on the unique properties of SFT data in real-world scenarios. Based on our analysis of extraction behaviors of direct extraction, we develop a novel extraction method specifically designed for SFT models, called Differentiated Data Extraction (DDE), which exploits the confidence levels of fine-tuned models and their behavioral differences from pre-trained base models. Through extensive experiments across multiple domains and scenarios, we demonstrate the feasibility of SFT data extraction using DDE. Our results show that DDE consistently outperforms existing extraction baselines in all attack settings. To counter this new attack, we propose a defense mechanism that mitigates DDE attacks with minimal impact on model performance. Overall, our research reveals hidden data leak risks in fine-tuned LLMs and provides insights for developing more secure models.

AB - The increasing demand for domain-specific and human-aligned Large Language Models (LLMs) has led to the widespread adoption of Supervised Fine-Tuning (SFT) techniques. SFT datasets often comprise valuable instruction-response pairs, making them highly valuable targets for potential extraction. This paper studies this critical research problem for the first time. We start by formally defining and formulating the problem, then explore various attack goals, types, and variants based on the unique properties of SFT data in real-world scenarios. Based on our analysis of extraction behaviors of direct extraction, we develop a novel extraction method specifically designed for SFT models, called Differentiated Data Extraction (DDE), which exploits the confidence levels of fine-tuned models and their behavioral differences from pre-trained base models. Through extensive experiments across multiple domains and scenarios, we demonstrate the feasibility of SFT data extraction using DDE. Our results show that DDE consistently outperforms existing extraction baselines in all attack settings. To counter this new attack, we propose a defense mechanism that mitigates DDE attacks with minimal impact on model performance. Overall, our research reveals hidden data leak risks in fine-tuned LLMs and provides insights for developing more secure models.

KW - Data Extraction

KW - Large Language Model

UR - https://www.scopus.com/pages/publications/105023897620

U2 - 10.1145/3719027.3744856

DO - 10.1145/3719027.3744856

M3 - Conference paper (refereed)

AN - SCOPUS:105023897620

SP - 3071

EP - 3085

BT - CCS '25: Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security

A2 - HUANG, Chun-Ying

A2 - CHEN, Jyh-Cheng

A2 - SHIEH, Shiuhpyng

PB - Association for Computing Machinery, Inc

T2 - 32nd ACM SIGSAC Conference on Computer and Communications Security

Y2 - 13 October 2025 through 17 October 2025

ER -

Differentiation-Based Extraction of Proprietary Data from Fine-Tuned LLMs

Abstract

Conference

Bibliographical note

Funding

Keywords

Access to Document

Other files and links

Fingerprint

Cite this