Towards LLM Unlearning Resilient to Relearning Attacks: A Sharpness-Aware Minimization Perspective and Beyond

Chongyu Fan, Jinghan Jia, Yihua Zhang, Anil Ramakrishna, Mingyi Hong, Sijia Liu

TL;DR

This work tackles the fragility of LLM unlearning against relearning attacks by framing unlearning as a robust, min–max optimization and revealing a natural link to sharpness-aware minimization (SAM). By integrating SAM and broader smoothing strategies (RS, GP, CR, WA) with unlearning objectives, the authors show that a flatter loss landscape in the forget region improves resistance to relearning while preserving overall utility. Extensive experiments on WMDP and MUSE demonstrate consistent gains in unlearning robustness, including defenses against jailbreaking prompts. The findings highlight the practical value of smoothness optimization for private and safe LLM deployment and establish a foundation for further robust unlearning research.

Abstract

The LLM unlearning technique has recently been introduced to comply with data regulations and address the safety and ethical concerns of LLMs by removing the undesired data-model influence. However, state-of-the-art unlearning methods face a critical vulnerability: they are susceptible to "relearning" the removed information from a small number of forget data points, known as relearning attacks. In this paper, we systematically investigate how to make unlearned models robust against such attacks. For the first time, we establish a connection between robust unlearning and sharpness-aware minimization (SAM) through a unified robust optimization framework, in an analogy to adversarial training designed to defend against adversarial attacks. Our analysis for SAM reveals that smoothness optimization plays a pivotal role in mitigating relearning attacks. Thus, we further explore diverse smoothing strategies to enhance unlearning robustness. Extensive experiments on benchmark datasets, including WMDP and MUSE, demonstrate that SAM and other smoothness optimization approaches consistently improve the resistance of LLM unlearning to relearning attacks. Notably, smoothness-enhanced unlearning also helps defend against (input-level) jailbreaking attacks, broadening our proposal's impact in robustifying LLM unlearning. Code is available at https://github.com/OPTML-Group/Unlearn-Smooth.

Paper Structure

This paper contains 14 sections, 12 equations, 8 figures, 6 tables, 1 algorithm.

Figures (8)

  • Figure 1: Unlearning example on the WMDP Bio dataset before and after relearning attacks: (a) UE (unlearning effectiveness) of Zephyr-7B-beta ('Origin'), the NPO-unlearned model w/o relearning ('Unlearn'), and the relearned model from the unlearned one ('Relearn$\mathrm{N}$'), where $\mathrm{N}$ represents the number of forget data samples used for relearning. (b) Response example of different models in (a) evaluated on WMDP.
  • Figure 2: Improved unlearning robustness by smoothness optimization-integrated NPO (including NPO+SAM, RS, GP, CR, or WA) compared to vanilla NPO on WMDP following the setup in Fig. 1. (a) Unlearning effectiveness of different models ('Unlearn' and 'Relearn$\mathrm{N}$' that undergoes relearning with $\mathrm{N}$ examples) obtained from various NPO variants. (b)$\sim$(c) The prediction loss landscape of the original model and NPO-unlearned model on the forget set, where higher values around $x = y = 0$ indicate more effective unlearning. The 3D loss landscape is defined as $z = \ell({\boldsymbol{\theta}} + x \cdot \mathbf{r}_1 + y \cdot \mathbf{r}_2)$, with ${\boldsymbol{\theta}}$ representing the unlearned model. (d)$\sim$(h) Similar loss landscape visualizations to (b), but with the unlearned model obtained using smooth variants of NPO.
  • Figure 3: Unlearning robustness comparison for different methods (NPO, GradDiff, and RMU) with and without SAM on WMDP under various relearning attacks settings. The UE of the original model ('Origin') is also included for comparison. (a) UE vs. the number of relearning epochs using 20 forget samples. (b) UE vs. the number of forget data points with 1 relearning epoch.
  • Figure 4: Unlearning robustness of NPO and NPO+SAM on WMDP under relearning attacks with different sets (AGNews, GSM8K, SST2), using 60 samples for 1 epoch.
  • Figure 5: Unlearning robustness of NPO and NPO+SAM on MUSE Books and News under relearning attacks with varying data amounts ($\bullet$, $\blacksquare$, and $\blacktriangle$ denote 200, 300, and 400 samples for Books, and 400, 500, and 600 samples for News). UE is measured via KnowMem and VerbMem on $\mathcal{D}_\mathrm{f}$ (lower is better). The original model's performance is included for reference; results closer to 'origin' indicate weaker unlearning robustness.
  • ...and 3 more figures
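
The loss-landscape probe defined in the Figure 2 caption, $z = \ell(\boldsymbol{\theta} + x \cdot \mathbf{r}_1 + y \cdot \mathbf{r}_2)$, can be used as a robustness check on an unlearned model. The sketch below is an added example, not code from the paper or its repository. The toy forget loss, the `worst_case_drop` metric, and all function names are assumptions made for illustration.

```python
import math
import random

def random_plane(dim, rng):
    """Two orthonormal random directions r1, r2 (Gram-Schmidt)."""
    def unit(v):
        n = math.sqrt(sum(a * a for a in v))
        return [a / n for a in v]
    r1 = unit([rng.gauss(0, 1) for _ in range(dim)])
    r2 = [rng.gauss(0, 1) for _ in range(dim)]
    dot = sum(a * b for a, b in zip(r1, r2))
    r2 = unit([b - dot * a for a, b in zip(r1, r2)])
    return r1, r2

def landscape(loss, theta, r1, r2, radius=1.0, steps=21):
    """z[i][j] = loss(theta + x_j*r1 + y_i*r2) on a square grid centred on theta."""
    axis = [-radius + 2 * radius * k / (steps - 1) for k in range(steps)]
    return [[loss([t + x * a + y * b for t, a, b in zip(theta, r1, r2)])
             for x in axis] for y in axis]

def worst_case_drop(z):
    """Centre value minus the grid minimum: how far the forget loss can fall
    under a bounded weight perturbation inside the probed plane (assumed metric)."""
    c = len(z) // 2
    return z[c][c] - min(min(row) for row in z)

def make_forget_loss(theta_u, width, peak=5.0):
    """Constructed toy forget loss: equals `peak` at theta_u and decays with
    distance; a small `width` gives a sharp landscape, a large one a flat one."""
    def loss(w):
        d2 = sum((a - b) ** 2 for a, b in zip(w, theta_u))
        return peak * math.exp(-d2 / (2 * width ** 2))
    return loss

def compare(dim=16, seed=0):
    """Probe a sharp and a flat toy model in the same random plane."""
    rng = random.Random(seed)
    theta_u = [rng.gauss(0, 1) for _ in range(dim)]  # stand-in for unlearned weights
    r1, r2 = random_plane(dim, rng)
    return {name: worst_case_drop(landscape(make_forget_loss(theta_u, w), theta_u, r1, r2))
            for name, w in (("sharp", 0.1), ("flat", 1.0))}

if __name__ == "__main__":
    for name, drop in compare().items():
        print(f"{name}: forget loss can drop by {drop:.3f} within the probed plane")
```

For a real model, `loss` would evaluate the forget-set prediction loss at the perturbed weights. A smaller drop means the forget loss stays high around the unlearned weights, which is the flatness the page associates with resistance to relearning.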

Theorems & Definitions (1)

  • Remark 1