Search papers, labs, and topics across Lattice.
This paper introduces GradAudit, a gradient-based framework designed to audit Vision-Language Large Models (VLLMs) for training data exposure, particularly focusing on the critical area of healthcare. By leveraging the stability of gradients on training samples compared to the noise of non-training samples, GradAudit effectively identifies genuine image-text associations learned during training. The empirical results demonstrate that GradAudit significantly outperforms existing methods, revealing a concerning underestimation of unauthorized data usage as models advance.
GradAudit uncovers that advanced VLLMs can inadvertently expose up to 40% more unauthorized training data than previously detected by existing methods.
Vision-Language Large Models (VLLMs) trained on massive crawled corpora raise pressing copyright and data-provenance concerns. These concerns are particularly acute in healthcare, where patient medical images paired with clinical reports demand rigorous privacy safeguards. However, existing training data detection methods either fail in cross-modal scenarios or rely on superficial output signals with insufficient discriminative power. We introduce GradAudit, a gradient-based auditing framework that examines internal optimization dynamics rather than treating VLLMs as black boxes. Our approach builds on a key observation: model parameters converge to regions where gradients on training samples become stable and well-aligned, whereas gradients on non-training samples remain noisy and inconsistent. By analyzing these gradient signatures, GradAudit achieves strong separability and detects genuine image-text associations learned during training, not merely individual modality membership. Empirically, across both medical and general-domain datasets, GradAudit substantially outperforms state-of-the-art baselines in both pretraining and fine-tuning VLLMs. In a case study employing copyrighted content, we show that existing training data detection methods not only underestimate the extent of unauthorized data usage, but that this underestimation becomes more pronounced as models become more recent and more advanced.