Although large language models (LLMs) are widely deployed, the data used to train them is rarely disclosed. Given the incredible scale of this data, up to trillions of tokens, it is all but certain that it includes potentially problematic text such as copyrighted materials, personally identifiable information, and test data for widely reported reference benchmarks. However, we currently have no way to know which data of these types is included or in what proportions. In this paper, we study the pretraining data detection problem: given a piece of text and black-box access to an LLM without knowing the pretraining data, can we determine if the model was trained on the provided text? To facilitate this study, we introduce a dynamic benchmark WIKIMIA that uses data created before and after model training to support gold truth detection. We also introduce a new detection method Min-K% Prob based on a simple hypothesis: an unseen example is likely to contain a few outlier words with low probabilities under the LLM, while a seen example is less likely to have words with such low probabilities. Min-K% Prob can be applied without any knowledge about the pretraining corpus or any additional training, departing from previous detection methods that require training a reference model on data that is similar to the pretraining data. Moreover, our experiments demonstrate that Min-K% Prob achieves a 7.4% improvement on WIKIMIA over these previous methods. We apply Min-K% Prob to three real-world scenarios, copyrighted book detection, contaminated downstream example detection and privacy auditing of machine unlearning, and find it a consistently effective solution.

翻译：尽管大型语言模型（LLMs）已被广泛部署，但其训练所使用的数据却鲜有公开。鉴于这些数据的规模之巨——可达数万亿词元——几乎可以肯定其中包含潜在问题文本，例如受版权保护的材料、个人身份信息以及广泛报道的参考基准测试数据。然而，我们目前无法知晓这些数据类型中哪些被包含，以及各自占比如何。本文研究预训练数据检测问题：在给定一段文本且仅能黑盒访问LLM（且不知其预训练数据）的情况下，我们能否判断该模型是否在所提供的文本上接受过训练？为推进此项研究，我们引入一个动态基准WIKIMIA，该基准利用模型训练前后创建的数据来支持真实标签检测。我们还提出一种新的检测方法Min-K% Prob，其基于一个简单假设：未见过样本可能包含少数概率极低的离群词，而已见过样本则不太可能出现此类低概率词。Min-K% Prob无需任何关于预训练语料的知识或额外训练即可应用，这与先前需要在与预训练数据相似的数据上训练参考模型的检测方法截然不同。此外，实验表明，Min-K% Prob在WIKIMIA上相比先前方法提升了7.4%的性能。我们将Min-K% Prob应用于三个真实场景——受版权保护的书籍检测、受污染的下游示例检测以及机器遗忘的隐私审计——并发现其始终是一种有效的解决方案。