Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Dual-View Inference Attack: Machine Unlearning Amplifies Privacy Exposure

Lulu Xue, Shengshan Hu, Linqiang Qian, Peijin Guo, Yechao Zhang, Minghui Li, Yanjun Zhang, Dayong Ye, Leo Yu Zhang

TL;DR

This work reveals a previously overlooked privacy risk of machine unlearning: allowing an attacker to query both the original and unlearned models (dual-view) amplifies privacy leakage for retained data. It introduces Privacy Knowledge Gain to formalize this risk and DVIA, a black-box membership inference attack that uses Unlearning Confidence Difference and a simple likelihood-ratio inference without attack-model training. Through experiments on CIFAR/SVHN/CIFAR-100 with varying unlearning methods, DVIA consistently outperforms prior MIAs, including when unlearning is approximate, and demonstrates strong leakage even for non-forgotten data. The study highlights practical privacy implications for unlearning APIs and proposes avenues for defense and future research in broader domains.

Abstract

Machine unlearning is a newly popularized technique for removing specific training data from a trained model, enabling it to comply with data deletion requests. While it protects the rights of users requesting unlearning, it also introduces new privacy risks. Prior works have primarily focused on the privacy of data that has been unlearned, while the risks to retained data remain largely unexplored. To address this gap, we focus on the privacy risks of retained data and, for the first time, reveal the vulnerabilities introduced by machine unlearning under the dual-view setting, where an adversary can query both the original and the unlearned models. From an information-theoretic perspective, we introduce the concept of {privacy knowledge gain} and demonstrate that the dual-view setting allows adversaries to obtain more information than querying either model alone, thereby amplifying privacy leakage. To effectively demonstrate this threat, we propose DVIA, a Dual-View Inference Attack, which extracts membership information on retained data using black-box queries to both models. DVIA eliminates the need to train an attack model and employs a lightweight likelihood ratio inference module for efficient inference. Experiments across different datasets and model architectures validate the effectiveness of DVIA and highlight the privacy risks inherent in the dual-view setting.

Dual-View Inference Attack: Machine Unlearning Amplifies Privacy Exposure

TL;DR

This work reveals a previously overlooked privacy risk of machine unlearning: allowing an attacker to query both the original and unlearned models (dual-view) amplifies privacy leakage for retained data. It introduces Privacy Knowledge Gain to formalize this risk and DVIA, a black-box membership inference attack that uses Unlearning Confidence Difference and a simple likelihood-ratio inference without attack-model training. Through experiments on CIFAR/SVHN/CIFAR-100 with varying unlearning methods, DVIA consistently outperforms prior MIAs, including when unlearning is approximate, and demonstrates strong leakage even for non-forgotten data. The study highlights practical privacy implications for unlearning APIs and proposes avenues for defense and future research in broader domains.

Abstract

Machine unlearning is a newly popularized technique for removing specific training data from a trained model, enabling it to comply with data deletion requests. While it protects the rights of users requesting unlearning, it also introduces new privacy risks. Prior works have primarily focused on the privacy of data that has been unlearned, while the risks to retained data remain largely unexplored. To address this gap, we focus on the privacy risks of retained data and, for the first time, reveal the vulnerabilities introduced by machine unlearning under the dual-view setting, where an adversary can query both the original and the unlearned models. From an information-theoretic perspective, we introduce the concept of {privacy knowledge gain} and demonstrate that the dual-view setting allows adversaries to obtain more information than querying either model alone, thereby amplifying privacy leakage. To effectively demonstrate this threat, we propose DVIA, a Dual-View Inference Attack, which extracts membership information on retained data using black-box queries to both models. DVIA eliminates the need to train an attack model and employs a lightweight likelihood ratio inference module for efficient inference. Experiments across different datasets and model architectures validate the effectiveness of DVIA and highlight the privacy risks inherent in the dual-view setting.

Paper Structure

This paper contains 22 sections, 2 theorems, 12 equations, 10 figures, 6 tables, 1 algorithm.

Table of Contents

  1. Introduction
  2. Related Works
  3. Machine Unlearning
  4. Membership Inference Attacks
  5. Privacy Analysis
  6. Threat Model
  7. Privacy Knowledge Gain
  8. Dual-View Inference Attack
  9. Unlearning Confidence Difference
  10. Likelihood Ratio Inference
  11. Experiment
  12. Experimental Setup
  13. Comparative Experiment
  14. Ablation Experiments
  15. Approximate Unlearning
  16. ...and 7 more sections

Key Result

Theorem 1

For the target dataset $D_t$, The privacy knowledge gain satisfies: where $\delta(D_t)$ is the behavioral impact for $D_t$, $M_{D_t}$ is the membership status of $D_t$, and $\mathbb{P}(\cdot \mid \cdot)$ denotes conditional probability.

Figures (10)

  • Figure 1: An illustration of the dual-view setting, showing that accessing two models can result in greater privacy leakage than accessing a single model alone.
  • Figure 2: A depiction of the unlearning influence on the target model’s non-forgotten and unseen data. "Inf." refers to the influence score, and UCD is the metric we propose to measure the behavioral impact in black-box settings.
  • Figure 3: Density plots of influence score and UCD. It can be observed that the distributions of both show similarity.
  • Figure 4: Evaluation across different datasets and models, where the blue bars represent the comparative methods and the red bars represent our approach.
  • Figure 5: The evaluation of attack performance under different unlearning methods.
  • ...and 5 more figures

Theorems & Definitions (6)

  • Definition 1: Privacy Knowledge Gain
  • Definition 2
  • Theorem 1
  • Definition 3
  • Theorem 2
  • proof