Gibberish is All You Need for Membership Inference Detection in Contrastive Language-Audio Pretraining

Contrastive language-audio pretraining has significantly improved multimodal representation learning [22]. Techniques like DSCLAP and T-CLAP enhance domain-specific applications and temporal alignment, showcasing the effectiveness of integrating language and audio [23].

Recent studies show that automatic speech recognition (ASR) systems are vulnerable to MIAs[5, 2].These MIAs typically rely on costly shadow models[17, 21] and require real audio as input to target model[16], which may lead to new leakage.

CLAP is trained to maximize cosine similarity between audio and text features of members. Thus, if one modality of a member is provided to target model, the corresponding other modality data typically yields a higher probability score in the calculated distribution when input alongside other samples.

Based on this, we propose PRMID (Probability Ranking Membership Inference Detector) as shown in Figure 3.

Probability Distribution Evaluated by CLAP. We first match the tested audio $x$ with tested text $t$ and a set of textual gibberish $\mathcal{G}=\{g_{1},g_{2},\ldots,g_{\ell}\}$. We use CLAP to obtain the probability distribution $\mathcal{P}=\{P(t),P(g_{1}),P(g_{2}),\ldots,P(g_{\ell})\}$, where $P(t)+P(g_{1})+P(g_{2})+\ldots+P(g_{\ell})=1$.

Membership Inference through Ranking. We define the rank of the tested text $t$ within the probability distribution $\mathcal{P}$ as $r_{t}=P(t)$. We conduct $N$ repeated experiments, generating $\ell$ gibberish samples in each trial. Each experiment yields a probability distribution $\mathcal{P}$, which enables us to analyze $r_{t}$.

We set thresholds $T_{1}$ and $T_{2}$ for top $k\%$ and bottom $k\%$, where $k\%$ is a specified percentage (for example, 1%).

We consider three scenarios below:

• •

  If count of $r_{t}$ in top $k\%$ exceeds $T_{1}$ across $N$ experiments, we infer that both $t$ and $x$ are present in $D_{\text{train}}$.

• •

  If count of $r_{t}$ in bottom $k\%$ exceeds $T_{2}$ across $N$ experiments, $t$ is outside of $D_{\text{train}}$, while $x$ remains within.

• •

  A sample is classified as random if $r_{t}$ exhibits a uniform distribution across all $\ell+1$ options. Specifically, the expected probability for any rank is $\frac{1}{\ell+1}$. If the observed frequencies for each rank fall within the expected range of $\frac{N}{\ell+1}$, we conclude that $t$ is outside of $D_{\text{train}}$, with the status of $x$ remaining undetermined.

Membership inference for Audio. In reverse inference, we can swap the roles of audio and text and repeat the inference process above as illustrated in Figure 4, allowing membership inference for both modalities.

While PRMID requires both audio and text inputs from the individual as input for the target model, this can introduce new privacy risks, as the target model may not have previously encountered dual-modal PII of that individual.

To address this limitation, we propose USMID (unimodal detector for membership inference detection). This detector is designed to ascertain whether the PII of a speaker is included in the training set of target CLAP model $M$, under the condition that only the speaker’s textual description is provided to $M$.

An overview of USMID is illustrated in Figure 5. Firstly, for a textual description $t$, we develop a feature extractor to map $t$ to a feature vector, through audio optimization guided by CLAP. Then, we make the key observation that textual gibberish like “dv3*4l-XT0”—random combinations of numbers and symbols clearly do not match any textual descriptions in training set, and hence the detector can generate large amount of textual gibberish that are known out of $D_{\text{train}}$. Using feature vectors extracted from these gibberish, detector can train multiple anomaly detectors to form an anomaly detection voting system. Finally, during inference phase, the features of the target textual description are fed into the system, and the inference result is determined through voting. Furthermore, when actual audio samples corresponding to the textual description are available, the detector can leverage them to perform clustering on feature vectors of the test samples to enhance detection performance.

Feature Extraction through CLAP-guided Audio Optimization. The feature extraction for a textual description $t$ involves iterative optimization of an audio $x$, to maximize the correlation between the embeddings of $t$ and $x$ produced by the target CLAP model. The extraction process, described in Algorithm 1, iterates for $n$ epochs; and within each epoch, an audio is optimized for $m$ iterations, to maximize the cosine similarity between its embedding of CLAP and that of target textual description. The average optimized cosine similarity $S$ and standard deviation of optimized audio embeddings $D$ are extracted as the features of $t$ from model $M$.

Generation of Textual Gibberish. USMID starts the detection process with generating a set of $\ell$ gibberish strings $\mathcal{G}=\{g_{1},g_{2},\ldots,g_{\ell}\}$, which are random combinations of digits and symbols with certain length. As these gibberish texts are randomly generated at the inference time, with overwhelming probability that they did not appear in the training set. Applying the proposed feature extraction algorithm on ${\cal G}$, we obtain $\ell$ feature vectors ${\cal F}=\{f_{1},f_{2},\ldots,f_{\ell}\}$ of the gibberish texts.

Training Anomaly Detectors. Motivated by the observations in Figure3 that feature vectors of the texts in and out of the training set of $M$ are well separated, we propose to train an anomaly detector using ${\cal F}$, such that texts out of $D_{\text{train}}$ are considered “normal”, and the problem of membership inference on $t$ is converted to anomaly detection on its feature vector. More specifically, $t$ is classified as part of $D_{\text{train}}$, if its feature vector is detected “abnormal” by the trained anomaly detector. Specifically in USMID, we train several anomaly detection models on ${\cal F}$, such as Isolation Forest [24], LocalOutlierFactor [25] and AutoEncoder [26]. These models constitute an anomaly detection voting system that will be used for membership inference on the test textual descriptions.

Textual Membership Inference through Voting. For each textual description $t$ in the test set, USMID first extracts its feature vector $f$ using Algorithm 1, and then feeds $f$ to each of the obtained anomaly detectors to cast a vote on whether $t$ is an anomaly. When the total number of votes exceeds a predefined detetion threshold $N$, $t$ is determined as an anomaly, i.e., PII with textual description $t$ is used to train the CLAP model $M$; otherwise, $t$ is considered normal and no PII with $t$ is leaked through training of $M$.

Enhancement with Real audios. At inference time, if real audios of the test texts are available at the detector (e.g., audios of a person), they can be used to extract an additional feature measuring the average distance between the embeddings of real audios and those of optimized audios using the CLAP model, using which the feature vectors of the test texts can be clustered into two partitions with one in $D_{\text{train}}$ and another one out of $D_{\text{train}}$. This adds an additional vote for each test text to the above described anomaly detection voting system, potentially facilitating the detection accuracy.

Specifically, for each test text $t$, the detector is equipped with a set of $c$ real audios $\{x_{\mathrm{real}}^{1},x_{\mathrm{real}}^{2},\ldots,x_{\mathrm{real}}^{c}\}$. Similar to the feature extraction process in Algorithm 1, over $k$ epochs with independent initializations, $k$ optimized audios $\{x_{\mathrm{opt}}^{1},x_{\mathrm{opt}}^{2},\ldots,x_{\mathrm{opt}}^{k}\}$ for $t$ are obtained under the guidance of the CLAP model. Then, we apply a pretrained feature extraction model $F$ (e.g.,DeepFace for face audios) to the real and optimized audios to obtain real embeddings $\{v_{\mathrm{real}}^{1},v_{\mathrm{real}}^{2},\ldots,v_{\mathrm{real}}^{c}\}$ and optimized embeddings $\{v_{\mathrm{opt}}^{1},v_{\mathrm{opt}}^{2},\ldots,v_{\mathrm{opt}}^{k}\}$. Finally, we compute the average pair-wise $\ell_{2}$ distance between the real and optimized embeddings, denoted by $R$, over $c\cdot k$ pairs, and use $R$ as an additional feature of the text $t$.

For a batch of $B$ test texts $(t_{1},t_{2},\ldots,t_{B})$, we extract their features $((S_{1},D_{1},R_{1}),(S_{2},D_{2},R_{2}),\ldots,(S_{B},D_{B},R_{B}))$ first. Feeding the first two features $S_{i}$ and $D_{i}$ into a trained anomaly detection system, each text $t_{i}$ obtains an anomaly score based on the number of detectors that classify it as abnormal. Additionally, the $K$-means algorithm with $K=2$ partitions the feature vectors $\{(S_{i},D_{i},R_{i})\}_{i=1}^{B}$ into “normal” cluster and an “abnormal” clusters, contributing another vote to the anomaly score of each instance. Finally, membership inference is performed by comparing the total votes received to a detection threshold $N^{\prime}$.

On training anomaly detectors, we randomly generated $\ell=100$ textual gibberish (some of them are shown in Table I).

The audio optimization was performed for $n=100$ epochs; and in each epoch, $m=100$ Gradient Descent (GD) iterations with a learning rate of $3\times 10^{-2}$. Four anomaly detection models, i.e., LocalOutlierFactor [25], IsolationForest [24], OneClassSVM [32, 33], and AutoEncoder [34] were trained, and $N=3$ was chosen as the detection threshold.

As shown in Table II, USMID consistently outperforms all baselines even with only text PII, achieving a precision of 88.12% on LibriSpeech with 50 audio clips per person.

Additionally, USMID demonstrates notable advantages in training time and resource efficiency compared to baseline methods as shown in Table III. It requires only 3.7 hours of training, much less than AuditMI’s 80 hours, while maintaining competitive inference times.

We also evaluate the effect of providing USMID with a real audio of the tested person. In this case, the embedding distances between the real and optimized audios of the test samples are used to perform a $2$-means clustering, adding another vote to the inference. We accordingly raise the detection threshold $N^{\prime}$ to $4$. As illustrated in Table IV, the given audio helps to improve the performance of USMID across all tested CLAP models, showing an increase of 3.36% on CommonVoice with 1 audio clip per person.

We further explore the impacts of different system parameters on the detection accuracy.

Optimization parameters. Figure 7 and 7 show that during feature extraction, optimizing for $n=100$ epochs, each with $m=1,000$ iterations, offers the optimal performance. Additional epochs and optimization iterations yield minimal improvements despite increased computational costs.

Detection threshold. Figure 9 and 9 show that the system achieves higher accuracy with a threshold of three votes for text-only inputs and four votes when real audio is included. A high threshold may miss anomalies, while a low threshold may incorrectly classify normal inputs as anomalies.

Number of textual gibberish. As shown in Figure 11, for different target models, the detection accuracies initially improve as the number of gibberish texts increases, and converge after using more than $50$ gibberish strings.

Number of real audios. As shown in Figure 11, integrating real audios can enhance the detection accuracy; however, the improvements of using more than 1 audio are rather marginal.