Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Corrective Machine Unlearning

Shashwat Goel, Ameya Prabhu, Philip Torr, Ponnurangam Kumaraguru, Amartya Sanyal

TL;DR

This work defines Corrective Machine Unlearning as post-training mitigation of manipulated data when only a small representative subset is identifiable, highlighting that traditional retraining or privacy-focused unlearning is often insufficient. It formalizes the problem, introduces objective metrics Acc_corr and Acc_retain, and contrasts corrective unlearning with privacy-oriented aims across three dimensions: goals, gold standards, and constraints. Through experiments on poisoning and Interclass Confusion using CIFAR-10/100 and PCam, it shows that retraining-from-scratch with incomplete deletion is ineffective unless nearly all manipulated data is identified, while Selective Synaptic Dampening (SSD) can successfully remove poisoning effects with as little as 10% of manipulated samples identified, though it fails for IC and can degrade overall utility. The results underscore the need for developing robust, manipulation-agnostic corrective unlearning methods and shed light on the practical boundaries of current approaches for web-scale data integrity challenges.

Abstract

Machine Learning models increasingly face data integrity challenges due to the use of large-scale training datasets drawn from the Internet. We study what model developers can do if they detect that some data was manipulated or incorrect. Such manipulated data can cause adverse effects including vulnerability to backdoored samples, systemic biases, and reduced accuracy on certain input domains. Realistically, all manipulated training samples cannot be identified, and only a small, representative subset of the affected data can be flagged. We formalize Corrective Machine Unlearning as the problem of mitigating the impact of data affected by unknown manipulations on a trained model, only having identified a subset of the corrupted data. We demonstrate that the problem of corrective unlearning has significantly different requirements from traditional privacy-oriented unlearning. We find most existing unlearning methods, including retraining-from-scratch without the deletion set, require most of the manipulated data to be identified for effective corrective unlearning. However, one approach, Selective Synaptic Dampening, achieves limited success, unlearning adverse effects with just a small portion of the manipulated samples in our setting, which shows encouraging signs for future progress. We hope our work spurs research towards developing better methods for corrective unlearning and offers practitioners a new strategy to handle data integrity challenges arising from web-scale training. Code is available at https://github.com/drimpossible/corrective-unlearning-bench.

Corrective Machine Unlearning

TL;DR

This work defines Corrective Machine Unlearning as post-training mitigation of manipulated data when only a small representative subset is identifiable, highlighting that traditional retraining or privacy-focused unlearning is often insufficient. It formalizes the problem, introduces objective metrics Acc_corr and Acc_retain, and contrasts corrective unlearning with privacy-oriented aims across three dimensions: goals, gold standards, and constraints. Through experiments on poisoning and Interclass Confusion using CIFAR-10/100 and PCam, it shows that retraining-from-scratch with incomplete deletion is ineffective unless nearly all manipulated data is identified, while Selective Synaptic Dampening (SSD) can successfully remove poisoning effects with as little as 10% of manipulated samples identified, though it fails for IC and can degrade overall utility. The results underscore the need for developing robust, manipulation-agnostic corrective unlearning methods and shed light on the practical boundaries of current approaches for web-scale data integrity challenges.

Abstract

Machine Learning models increasingly face data integrity challenges due to the use of large-scale training datasets drawn from the Internet. We study what model developers can do if they detect that some data was manipulated or incorrect. Such manipulated data can cause adverse effects including vulnerability to backdoored samples, systemic biases, and reduced accuracy on certain input domains. Realistically, all manipulated training samples cannot be identified, and only a small, representative subset of the affected data can be flagged. We formalize Corrective Machine Unlearning as the problem of mitigating the impact of data affected by unknown manipulations on a trained model, only having identified a subset of the corrupted data. We demonstrate that the problem of corrective unlearning has significantly different requirements from traditional privacy-oriented unlearning. We find most existing unlearning methods, including retraining-from-scratch without the deletion set, require most of the manipulated data to be identified for effective corrective unlearning. However, one approach, Selective Synaptic Dampening, achieves limited success, unlearning adverse effects with just a small portion of the manipulated samples in our setting, which shows encouraging signs for future progress. We hope our work spurs research towards developing better methods for corrective unlearning and offers practitioners a new strategy to handle data integrity challenges arising from web-scale training. Code is available at https://github.com/drimpossible/corrective-unlearning-bench.
Paper Structure (31 sections, 13 figures, 3 tables)

This paper contains 31 sections, 13 figures, 3 tables.

Table of Contents

  1. Introduction
  2. Problem Formulation
  3. Motivation
  4. Objective of Corrective Unlearning
  5. Differences from Privacy-Oriented Unlearning
  6. Different Goals (Removal of Incorrect Training Data):
  7. Different Gold-Standards (Retraining without deletion set is not enough):
  8. Different Constraints (No Privacy Requirements):
  9. Experiments
  10. Manipulation Types and Evaluation Benchmarks
  11. Experimental details
  12. Experimental Results
  13. Why does $\textrm{SSD}$ fail for IC test but work for poisoning?
  14. Application on a Medical Dataset: PCam - Binary Classification
  15. Related Work
  16. ...and 16 more sections

Figures (13)

  • Figure 1: Traditionally, retraining after removing deletion data is considered a gold standard in unlearning, as all samples whose influence is to be removed are assumed to be known. This relies on the retained data not reinforcing the effect to be unlearnt. When developers cannot identify all the manipulated data for corrective unlearning, the retained data can continue to perpetuate the adverse effects of the manipulation. Ideally, corrective unlearning procedures should correct model outputs on the affected domain with access to only a small but representative subset of the manipulated data.
  • Figure 2: Corrective Accuracy ($Acc_{corr}$) after applying different unlearning procedures. Each method ("None" represents the original model) is shown across different identified fractions ($\alpha$) of manipulated samples. No method unlearns both the manipulations well when $\leq 80\%$ of the manipulated data is identified, including $\textrm{RewoD}$ which is considered a gold standard at $\alpha=1$.
  • Figure 3: Histogram of importance ratio values computed for each parameter by $\textrm{SSD}$. We find poisoning leads to more outlier values, which supports the hypothesis that poisoning can be removed by dampening outlier parameters unlike Interclass Confusion.
  • Figure 5: Unlearning performance of Scrub across hyperparameters on the IC evaluation at different $\alpha$.
  • Figure 6: Unlearning performance of Scrub across hyperparameters on the poisoning evaluation at different $\alpha$.
  • ...and 8 more figures