Although large language models (LLMs) are widely deployed, the data used to train them is rarely disclosed. Given the incredible scale of this data, up to trillions of tokens, it is all but certain that it includes potentially problematic text such as copyrighted materials, personally identifiable information, and test data for widely reported reference benchmarks. However, we currently have no way to know which data of these types is included or in what proportions. In this paper, we study the pretraining data detection problem: given a piece of text and black-box access to an LLM without knowing the pretraining data, can we determine if the model was trained on the provided text? To facilitate this study, we introduce a dynamic benchmark WIKIMIA that uses data created before and after model training to support gold truth detection. We also introduce a new detection method Min-K% Prob based on a simple hypothesis: an unseen example is likely to contain a few outlier words with low probabilities under the LLM, while a seen example is less likely to have words with such low probabilities. Min-K% Prob can be applied without any knowledge about the pretraining corpus or any additional training, departing from previous detection methods that require training a reference model on data that is similar to the pretraining data. Moreover, our experiments demonstrate that Min-K% Prob achieves a 7.4% improvement on WIKIMIA over these previous methods. We apply Min-K% Prob to three real-world scenarios, copyrighted book detection, contaminated downstream example detection and privacy auditing of machine unlearning, and find it a consistently effective solution.

翻译：尽管大型语言模型（LLMs）已被广泛部署，但其训练所使用的数据却鲜有披露。鉴于这些数据规模之庞大——可达数万亿个词元——几乎可以肯定其中包含潜在问题文本，例如受版权保护的材料、个人身份信息以及广泛报道的参考基准测试数据。然而，我们目前无法得知这些数据类型是否被包含以及各占多大比例。本文研究预训练数据检测问题：给定一段文本，在不了解预训练数据的情况下仅通过黑盒访问LLM，能否判断该模型是否在所提供的文本上训练过？为促进此项研究，我们引入动态基准WIKIMIA，利用模型训练前后创建的数据支持真实标注检测。我们还提出一种新的检测方法Min-K% Prob，其基于简单假设：未见过示例很可能包含少数概率极低的异常词，而见过示例则不太可能出现此类低概率词。Min-K% Prob无需任何关于预训练语料库的知识或额外训练即可应用，这不同于以往需要在与预训练数据相似的数据上训练参考模型的检测方法。此外，实验表明，Min-K% Prob在WIKIMIA上相比先前方法取得7.4%的性能提升。我们将Min-K% Prob应用于三种真实场景：受版权保护书籍检测、受污染下游样本检测以及机器遗忘的隐私审计，发现它始终是一种有效的解决方案。