Does Machine Unlearning Truly Remove Knowledge?
Haokun Chen, Yueqi Zhang, Yuan Bi, Yao Zhang, Tong Liu, Jinhe Bi, Jian Lan, Jindong Gu, Claudia Grosser, Denis Krompass, Nassir Navab, Volker Tresp
TL;DR
This paper tackles the problem of validating machine unlearning in large language models under data privacy regulations by introducing a comprehensive auditing framework with 3 benchmarks, 6 unlearning algorithms, and 5 prompt-based auditing methods. It augments prompt-based evaluation with a novel Activation Perturbation-based Auditing (ActPert) that perturbs intermediate activations to reveal residual knowledge, addressing limitations of input-output audits. Across benchmarks (WHP, TOFU, RWKU) and architectures (e.g., Llama-2-Chat, Llama-3-Instruct, Phi-3-mini-Instruct), results show persistent memorized content despite unlearning, with prefix-based auditing and ActPert often outperforming optimization-based methods. The findings highlight the need for robust evaluation of unlearning, especially regarding knowledge acquired during pretraining, and suggest that preference-based unlearning strategies are more resilient to auditing than refusal-based ones, informing future directions for GDPR-compliant, safer LLM deployment.
Abstract
In recent years, Large Language Models (LLMs) have achieved remarkable advancements, drawing significant attention from the research community. Their capabilities are largely attributed to large-scale architectures, which require extensive training on massive datasets. However, such datasets often contain sensitive or copyrighted content sourced from the public internet, raising concerns about data privacy and ownership. Regulatory frameworks, such as the General Data Protection Regulation (GDPR), grant individuals the right to request the removal of such sensitive information. This has motivated the development of machine unlearning algorithms that aim to remove specific knowledge from models without the need for costly retraining. Despite these advancements, evaluating the efficacy of unlearning algorithms remains a challenge due to the inherent complexity and generative nature of LLMs. In this work, we introduce a comprehensive auditing framework for unlearning evaluation, comprising three benchmark datasets, six unlearning algorithms, and five prompt-based auditing methods. By using various auditing algorithms, we evaluate the effectiveness and robustness of different unlearning strategies. To explore alternatives beyond prompt-based auditing, we propose a novel technique that leverages intermediate activation perturbations, addressing the limitations of auditing methods that rely solely on model inputs and outputs.