Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Really Unlearned? Verifying Machine Unlearning via Influential Sample Pairs

Heng Xu, Tianqing Zhu, Lefeng Zhang, Wanlei Zhou

TL;DR

This paper addresses the problem of verifying machine unlearning in MLaaS, where unlearning requests may be bypassed by adversarial providers. It introduces IndirectVerify, a formal verification scheme that uses influential sample pairs consisting of trigger samples and a reaction sample, leveraging a gradient-matching objective to create perturbations that indirectly affect the reaction sample's loss. The authors provide theoretical analyses based on influence functions and demonstrate robustness against known bypass strategies, along with comprehensive experiments across multiple models and datasets showing effective verification with minimal impact on model utility. The approach offers a practical, attack-resilient mechanism for accountable unlearning in outsourced ML settings, with implications for privacy compliance and consumer trust.

Abstract

Machine unlearning enables pre-trained models to eliminate the effects of partial training samples. Previous research has mainly focused on proposing efficient unlearning strategies. However, the verification of machine unlearning, or in other words, how to guarantee that a sample has been successfully unlearned, has been overlooked for a long time. Existing verification schemes typically rely on machine learning attack techniques, such as backdoor or membership inference attacks. As these techniques are not formally designed for verification, they are easily bypassed when an untrustworthy MLaaS undergoes rapid fine-tuning to merely meet the verification conditions, rather than executing real unlearning. In this paper, we propose a formal verification scheme, IndirectVerify, to determine whether unlearning requests have been successfully executed. We design influential sample pairs: one referred to as trigger samples and the other as reaction samples. Users send unlearning requests regarding trigger samples and use reaction samples to verify if the unlearning operation has been successfully carried out. We propose a perturbation-based scheme to generate those influential sample pairs. The objective is to perturb only a small fraction of trigger samples, leading to the reclassification of reaction samples. This indirect influence will be used for our verification purposes. In contrast to existing schemes that employ the same samples for all processes, our scheme, IndirectVerify, provides enhanced robustness, making it less susceptible to bypassing processes.

Really Unlearned? Verifying Machine Unlearning via Influential Sample Pairs

TL;DR

This paper addresses the problem of verifying machine unlearning in MLaaS, where unlearning requests may be bypassed by adversarial providers. It introduces IndirectVerify, a formal verification scheme that uses influential sample pairs consisting of trigger samples and a reaction sample, leveraging a gradient-matching objective to create perturbations that indirectly affect the reaction sample's loss. The authors provide theoretical analyses based on influence functions and demonstrate robustness against known bypass strategies, along with comprehensive experiments across multiple models and datasets showing effective verification with minimal impact on model utility. The approach offers a practical, attack-resilient mechanism for accountable unlearning in outsourced ML settings, with implications for privacy compliance and consumer trust.

Abstract

Machine unlearning enables pre-trained models to eliminate the effects of partial training samples. Previous research has mainly focused on proposing efficient unlearning strategies. However, the verification of machine unlearning, or in other words, how to guarantee that a sample has been successfully unlearned, has been overlooked for a long time. Existing verification schemes typically rely on machine learning attack techniques, such as backdoor or membership inference attacks. As these techniques are not formally designed for verification, they are easily bypassed when an untrustworthy MLaaS undergoes rapid fine-tuning to merely meet the verification conditions, rather than executing real unlearning. In this paper, we propose a formal verification scheme, IndirectVerify, to determine whether unlearning requests have been successfully executed. We design influential sample pairs: one referred to as trigger samples and the other as reaction samples. Users send unlearning requests regarding trigger samples and use reaction samples to verify if the unlearning operation has been successfully carried out. We propose a perturbation-based scheme to generate those influential sample pairs. The objective is to perturb only a small fraction of trigger samples, leading to the reclassification of reaction samples. This indirect influence will be used for our verification purposes. In contrast to existing schemes that employ the same samples for all processes, our scheme, IndirectVerify, provides enhanced robustness, making it less susceptible to bypassing processes.
Paper Structure (33 sections, 21 equations, 11 figures, 1 table, 2 algorithms)

This paper contains 33 sections, 21 equations, 11 figures, 1 table, 2 algorithms.

Table of Contents

  1. Introduction
  2. Preliminary
  3. Related Works
  4. Machine Unlearning
  5. Unlearning Verification
  6. Discussion of Related Works
  7. Machine Unlearning and MLaaS
  8. Problem Defination
  9. Existence Verification Scheme Process
  10. Case Studies: the bypass of current verification schemes
  11. Bypassing MIAs-based Schemes
  12. Bypassing Backdoor-based Schemes
  13. Objectives
  14. Methodology
  15. Overview
  16. ...and 18 more sections

Figures (11)

  • Figure 1: Existing Verification Scheme Process.
  • Figure 2: Our Verification Scheme
  • Figure 3: The Illustration of Determinism for Existing Verification Schemes.
  • Figure 4: The Illustration of Determinism for Our Verification Schemes.
  • Figure 5: Verification results of different schemes. The Y-axis represents ACC, INA and accuracy on the selected test sample, respectively. In the backdoor scheme, embedding initially yields high accuracy, reduced to near 0% after unlearning, confirming successful removal. MIAs-based verification effectively identifies training samples but fails post-unlearning. IndirectVerify, using influential sample pairs, can verify the unlearning process effectively.
  • ...and 6 more figures

Theorems & Definitions (1)

  • Definition 1: Machine Unlearning DBLP:conf/sp/CaoY15