Text Embedding Inversion Security for Multilingual Language Models

Yiyi Chen, Heather Lent, Johannes Bjerva
2024-06-05
Abstract: Textual data is often represented as real-numbered embeddings in NLP, particularly with the popularity of large language models (LLMs) and Embeddings as a Service (EaaS). However, storing sensitive information as embeddings can be susceptible to security breaches, as research shows that text can be reconstructed from embeddings, even without knowledge of the underlying model. While defence mechanisms have been explored, these are exclusively focused on English, leaving other languages potentially exposed to attacks. This work explores LLM security through multilingual embedding inversion. We define the problem of black-box multilingual and cross-lingual inversion attacks, and explore their potential implications. Our findings suggest that multilingual LLMs may be more vulnerable to inversion attacks, in part because English-based defences may be ineffective. To alleviate this, we propose a simple masking defense effective for both monolingual and multilingual models. This study is the first to investigate multilingual inversion attacks, shedding light on the differences in attacks and defenses across monolingual and multilingual settings.
Computation and Language, Artificial Intelligence, Cryptography and Security
What problem does this paper attempt to address?
### Problems Addressed by the Paper

This paper explores the security issues of multilingual large language models (LLMs) in embedding vector inversion attacks. Specifically, the researchers focus on the following points:

1. **Multilingual Embedding Vector Inversion Attacks**:
   - The researchers define the black-box multilingual and cross-lingual inversion attack problems and explore the potential impacts of these attacks.
   - They find that multilingual LLMs may be more susceptible to inversion attacks compared to monolingual models, partly because existing English defense mechanisms may not be effective for other languages.
2. **Cross-lingual Inversion Attacks**:
   - The researchers also introduce cross-lingual inversion attacks to assess whether an attacker can still successfully perform an inversion attack when they do not know the language of the target text.
   - To this end, they propose an Ad hoc Translation method to overcome the limitations of current string matching metrics in cross-lingual scenarios.
3. **Defense Mechanisms**:
   - The researchers evaluate the effectiveness of existing defense methods, particularly the method proposed by Morris et al. (2023).
   - They find that defense mechanisms designed to protect monolingual models are less effective in protecting multilingual models.
   - To mitigate this issue, they propose a simple masking defense mechanism that is effective for both monolingual and multilingual models and does not require additional model training.

### Background and Motivation

With the development of natural language processing (NLP) technology, especially the proliferation of large language models (LLMs) and Embeddings as a Service (EaaS), text data is often represented as real-valued embedding vectors. However, this representation poses security risks, as research has shown that text can be reconstructed from embedding vectors even without knowledge of the underlying model. Although some defense mechanisms have been proposed, these mechanisms mainly focus on English, leaving the security of other languages at risk.

### Main Contributions

1. **First Study on Multilingual Inversion Attacks**:
   - This research is the first systematic exploration of multilingual inversion attacks, revealing differences in attacks and defenses across different languages.
2. **Proposed Effective Defense Mechanism**:
   - A simple masking defense mechanism is proposed, which is applicable to both monolingual and multilingual models and does not require additional model training.
3. **Evaluation Method for Cross-lingual Inversion Attacks**:
   - The Ad hoc Translation method is introduced to evaluate the effectiveness of cross-lingual inversion attacks, overcoming the limitations of existing evaluation metrics in cross-lingual scenarios.

Through these studies, the authors aim to improve the security of multilingual models and reduce the risk of privacy leakage.