As large language models (LLMs) evolve into memory-augmented agents for multi-tenant collaborative environments, they introduce novel user-level privacy risks, as leakage extends beyond direct disclosure to statistical inference based on subtle shifts in aggregate responses or reasoning paths. To measure this threat, we introduce ShadowMem, a benchmark built on formal user-level adjacency (paired \(D, D'\) datasets) with programmatic attack probes to detect these statistical signals. Using this benchmark, we develop two differentially private defenses: E2P, an end-to-end retrieval pipeline providing formal guarantees, and our primary contribution, SCOPE, an optimized, adaptive mechanism. SCOPE utilizes a stability-conditioned gate to invoke privatization only when a system’s decision is near a boundary (statistical risk) is detected. Experiments confirm that while both methods provide robust protection, SCOPE achieves this with substantially better accuracy, demonstrating that stability-aware safeguards can make differential privacy a practical tool for confidential LLM agents.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Private Memory Under the Spotlight: Diagnosing and Defending User-Level Leakage in LLM-Augmented Systems

  • Yinchi Ge,
  • Hui Zhang,
  • Zhenyuan Huang,
  • Haohang Sun,
  • Shenghao Jin,
  • Haijun Yang

摘要

As large language models (LLMs) evolve into memory-augmented agents for multi-tenant collaborative environments, they introduce novel user-level privacy risks, as leakage extends beyond direct disclosure to statistical inference based on subtle shifts in aggregate responses or reasoning paths. To measure this threat, we introduce ShadowMem, a benchmark built on formal user-level adjacency (paired \(D, D'\) datasets) with programmatic attack probes to detect these statistical signals. Using this benchmark, we develop two differentially private defenses: E2P, an end-to-end retrieval pipeline providing formal guarantees, and our primary contribution, SCOPE, an optimized, adaptive mechanism. SCOPE utilizes a stability-conditioned gate to invoke privatization only when a system’s decision is near a boundary (statistical risk) is detected. Experiments confirm that while both methods provide robust protection, SCOPE achieves this with substantially better accuracy, demonstrating that stability-aware safeguards can make differential privacy a practical tool for confidential LLM agents.