Adversarial Machine Unlearning

TL;DR

This work targets the challenge of removing training data influence from models by embedding unlearning into a Stackelberg game with a Membership Inference Attack auditor. It leverages implicit differentiation to differentiate through the auditor’s optimization, producing a gradient-based SG-Unlearn method that integrates with end-to-end pipelines. Empirical results on CIFAR-10/100 and SVHN show SG often outperforms baselines in reducing MIA success while maintaining reasonable utility, though class-wise forgetting remains hard to neutralize. The framework advances trustworthy ML by coupling unlearning with adversarial testing, offering a principled way to quantify and reduce residual data traces.

Abstract

This paper focuses on the challenge of machine unlearning, aiming to remove the influence of specific training data on machine learning models. Traditionally, the development of unlearning algorithms runs parallel with that of membership inference attacks (MIA), a type of privacy threat to determine whether a data instance was used for training. However, the two strands are intimately connected: one can view machine unlearning through the lens of MIA success with respect to removed data. Recognizing this connection, we propose a game-theoretic framework that integrates MIAs into the design of unlearning algorithms. Specifically, we model the unlearning problem as a Stackelberg game in which an unlearner strives to unlearn specific training data from a model, while an auditor employs MIAs to detect the traces of the ostensibly removed data. Adopting this adversarial perspective allows the utilization of new attack advancements, facilitating the design of unlearning algorithms. Our framework stands out in two ways. First, it takes an adversarial approach and proactively incorporates the attacks into the design of unlearning algorithms. Secondly, it uses implicit differentiation to obtain the gradients that limit the attacker's success, thus benefiting the process of unlearning. We present empirical results to demonstrate the effectiveness of the proposed approach for machine unlearning.

Figures (4)

• Figure 1: An ablation study to understand the impact of adversarial modeling on the process of unlearning; $\alpha \xspace=1$ and $\alpha \xspace=0$ corresponds to the cases with and without adversarial modeling, respectively. The results are the averages over 10 experiments with different seeds, and 95% confidence intervals are displayed. From the left to the right: 1) the defender's utility, evaluated as the test accuracy ${Acc\xspace}_{te}$ minus the MIA accuracy; 2) test accuracy; 3) MIA accuracy; 4) Wasserstein distance between the cross-entropy losses of the forget and test instances. Top row: CIFAR-10; Bottom row: CIFAR-100. Epoch 0: Original model.
• Figure 2: Experiments with different values of the trade-off parameter $\alpha$. We consider 7 values $\{ 0.05, 0.1, 0.25, 0.5, 1, 2, 5 \}$. Each dot represents a batch of 5 random experiments with the same $\alpha$. The coordinates of a dot are the corresponding metrics averaged over the 5 runs. Top row: CIFAR-10; Bottom row: CIFAR-100.
• Figure 3: An ablation study to understand the impact of adversarial modeling on the process of unlearning; $\alpha \xspace=1$ and $\alpha \xspace=0$ corresponds to the cases with and without adversarial modeling, respectively. The results are the averages over 10 experiments with different seeds, and 95% confidence intervals are displayed. From the left to the right: 1) the defender's utility, evaluated as the test accuracy ${Acc\xspace}_{te}$ minus the MIA accuracy; 2) test accuracy; 3) MIA accuracy; 4) Wasserstein distance between the cross-entropy losses of the forget and test instances.
• Figure 4: The training loss for the retrain baseline. For CIFAR10 and CIFAR100, the learning rate is multiplied by 0.1 when epoch is at 60, 120, 160; for SVHN, the same multiplication is done at epoch 60, 120. Top to bottom: CIFAR10, CIFAR100, SVHN.