Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

CRFU: Compressive Representation Forgetting Against Privacy Leakage on Machine Unlearning

Weiqi Wang, Chenhan Zhang, Zhiyi Tian, Shushu Liu, Shui Yu

TL;DR

This work tackles privacy leakage risks that arise during machine unlearning by introducing CRFU, a compressive representation forgetting unlearning scheme designed for IB-trained models. By simultaneously minimizing $I(X_e;Z)$ and $I(Y_e;Z)$ and enforcing remembering constraints via KL divergences, CRFU erases erased data from the learned representations while preserving previously learned utility. The authors provide theoretical justification that CRFU’s unlearning is equivalent to retraining on the remaining data and substantiate it with extensive experiments across MNIST, Fashion-MNIST, CIFAR-10, and STL-10, showing substantial defense improvements against reconstruction and membership inference attacks with modest accuracy degradation. The work offers a practical, tunable approach to privacy-preserving unlearning in black-box IB models and outlines future directions including adaptive attacks and differential privacy integrations to further strengthen defenses.

Abstract

Machine unlearning allows data owners to erase the impact of their specified data from trained models. Unfortunately, recent studies have shown that adversaries can recover the erased data, posing serious threats to user privacy. An effective unlearning method removes the information of the specified data from the trained model, resulting in different outputs for the same input before and after unlearning. Adversaries can exploit these output differences to conduct privacy leakage attacks, such as reconstruction and membership inference attacks. However, directly applying traditional defenses to unlearning leads to significant model utility degradation. In this paper, we introduce a Compressive Representation Forgetting Unlearning scheme (CRFU), designed to safeguard against privacy leakage on unlearning. CRFU achieves data erasure by minimizing the mutual information between the trained compressive representation (learned through information bottleneck theory) and the erased data, thereby maximizing the distortion of data. This ensures that the model's output contains less information that adversaries can exploit. Furthermore, we introduce a remembering constraint and an unlearning rate to balance the forgetting of erased data with the preservation of previously learned knowledge, thereby reducing accuracy degradation. Theoretical analysis demonstrates that CRFU can effectively defend against privacy leakage attacks. Our experimental results show that CRFU significantly increases the reconstruction mean square error (MSE), achieving a defense effect improvement of approximately $200\%$ against privacy reconstruction attacks with only $1.5\%$ accuracy degradation on MNIST.

CRFU: Compressive Representation Forgetting Against Privacy Leakage on Machine Unlearning

TL;DR

This work tackles privacy leakage risks that arise during machine unlearning by introducing CRFU, a compressive representation forgetting unlearning scheme designed for IB-trained models. By simultaneously minimizing and and enforcing remembering constraints via KL divergences, CRFU erases erased data from the learned representations while preserving previously learned utility. The authors provide theoretical justification that CRFU’s unlearning is equivalent to retraining on the remaining data and substantiate it with extensive experiments across MNIST, Fashion-MNIST, CIFAR-10, and STL-10, showing substantial defense improvements against reconstruction and membership inference attacks with modest accuracy degradation. The work offers a practical, tunable approach to privacy-preserving unlearning in black-box IB models and outlines future directions including adaptive attacks and differential privacy integrations to further strengthen defenses.

Abstract

Machine unlearning allows data owners to erase the impact of their specified data from trained models. Unfortunately, recent studies have shown that adversaries can recover the erased data, posing serious threats to user privacy. An effective unlearning method removes the information of the specified data from the trained model, resulting in different outputs for the same input before and after unlearning. Adversaries can exploit these output differences to conduct privacy leakage attacks, such as reconstruction and membership inference attacks. However, directly applying traditional defenses to unlearning leads to significant model utility degradation. In this paper, we introduce a Compressive Representation Forgetting Unlearning scheme (CRFU), designed to safeguard against privacy leakage on unlearning. CRFU achieves data erasure by minimizing the mutual information between the trained compressive representation (learned through information bottleneck theory) and the erased data, thereby maximizing the distortion of data. This ensures that the model's output contains less information that adversaries can exploit. Furthermore, we introduce a remembering constraint and an unlearning rate to balance the forgetting of erased data with the preservation of previously learned knowledge, thereby reducing accuracy degradation. Theoretical analysis demonstrates that CRFU can effectively defend against privacy leakage attacks. Our experimental results show that CRFU significantly increases the reconstruction mean square error (MSE), achieving a defense effect improvement of approximately against privacy reconstruction attacks with only accuracy degradation on MNIST.

Paper Structure

This paper contains 30 sections, 1 theorem, 17 equations, 7 figures, 3 tables, 1 algorithm.

Table of Contents

  1. Introduction
  2. Introduction
  3. Related Work
  4. Machine Unlearning
  5. Privacy Attacks on Unlearning
  6. Preliminary
  7. Threat Model of Privacy Leakage Attacks on Unlearning
  8. Attacking Data Preparation
  9. Adversary Goal and Capabilities
  10. Privacy Inference Attack Process on Unlearning
  11. Implementation of Information Bottleneck
  12. Compressive Representation Forgetting Unlearning
  13. Problem Definition
  14. CRFU Method
  15. Overview of CRFU
  16. ...and 15 more sections

Key Result

Proposition 1

Define the CRFU loss function as Then, minimizing the loss in rfu_loss to unlearn the erased dataset $D_e$ from an IB model trained based on $D$ is equivalent to retraining an IB model by minimizing $\mathcal{L}_r = \beta I(X_r;Z) - I(Y_r;Z)$ based on $D_r$.

Figures (7)

  • Figure 1: Compressive representation forgetting unlearning (CRFU) to defend against privacy leakage on unlearning. When a user (Alice) requests to unlearn her sensitive dataset $D_e$ from a trained IB model, CRFU minimizes the mutual information between the erased dataset and the learned representation to unlearn both the representer and approximator of this model. Since both our unlearning and original learning distorts as much information of inputs $X$ in representation $Z$ as possible, the outputs of the model contain less information about the inputs that could be used for privacy inference by Bob. It can also be explained from the training Markov chain, $X \to Z \to \hat{Y}$; and the representer is trained to minimize the mutual information between X and Z; therefore, $I(X;X) \gg I(X;Z) \ge I(X;\hat{Y})$.
  • Figure 2: Privacy leakage attack based on the black-box model's outputs before and after unlearning.
  • Figure 3: IB learning process (upper half) and CRFU unlearning process (lower half) with a fixed learned IB model (a trained and fixed upper half).
  • Figure 4: Performance of different unlearning methods of various ${\it EDR}$
  • Figure 5: The variations in accuracy on the remaining (abbreviated as Re.) dataset and backdoor accuracy on the erased (abbreviated as Er.) dataset during unlearning of various unlearning rate $\beta_u$ on MNIST
  • ...and 2 more figures

Theorems & Definitions (2)

  • Proposition 1
  • Definition 1