Hard to Forget: Poisoning Attacks on Certified Machine Unlearning

Marchant, Neil G.; Rubinstein, Benjamin I. P.; Alfeld, Scott

doi:10.1609/aaai.v36i7.20736

Cited by 17 publications

(7 citation statements)

References 36 publications

(32 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…They neglect the security challenges introduced by this technique. Although there are a few recent works exploring the possibility of conducting malicious attacks leveraging machine unlearning (Qian et al 2023;Di et al 2022;Marchant, Rubinstein, and Alfeld 2022), those attacks are quite different from the attack discussed in this paper. Backdoor Attacks.…”

Section: Background and Related Workmentioning

confidence: 95%

Backdoor Attacks via Machine Unlearning

Liu,

Wang,

Huai

et al. 2024

AAAI

View full text Add to dashboard Cite

As a new paradigm to erase data from a model and protect user privacy, machine unlearning has drawn significant attention. However, existing studies on machine unlearning mainly focus on its effectiveness and efficiency, neglecting the security challenges introduced by this technique. In this paper, we aim to bridge this gap and study the possibility of conducting malicious attacks leveraging machine unlearning. Specifically, we consider the backdoor attack via machine unlearning, where an attacker seeks to inject a backdoor in the unlearned model by submitting malicious unlearning requests, so that the prediction made by the unlearned model can be changed when a particular trigger presents. In our study, we propose two attack approaches. The first attack approach does not require the attacker to poison any training data of the model. The attacker can achieve the attack goal only by requesting to unlearn a small subset of his contributed training data. The second approach allows the attacker to poison a few training instances with a pre-defined trigger upfront, and then activate the attack via submitting a malicious unlearning request. Both attack approaches are proposed with the goal of maximizing the attack utility while ensuring attack stealthiness. The effectiveness of the proposed attacks is demonstrated with different machine unlearning algorithms as well as different models on different datasets.

show abstract

Section: Background and Related Workmentioning

confidence: 95%

Backdoor Attacks via Machine Unlearning

Liu,

Wang,

Huai

et al. 2024

AAAI

View full text Add to dashboard Cite

show abstract

“…Currently, there are two works [36], [18] that investigate the potential threats to machine unlearning. The first work [36] proposes slow-down attacks that aim to increase the computational cost of the unlearning process by adding perturbations to the original unlearned samples. The second work [18] proposes targeted attacks that aim to cause the model to misclassify particular target test samples.…”

Section: Difference From Existing Threats To Machine Unlearningmentioning

confidence: 99%

A Duty to Forget, a Right to be Assured? Exposing Vulnerabilities in Machine Unlearning Services

Hu,

Wang,

Chang

et al. 2024

Proceedings 2024 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

The right to be forgotten requires the removal or "unlearning" of a user's data from machine learning models. However, in the context of Machine Learning as a Service (MLaaS), retraining a model from scratch to fulfill the unlearning request is impractical due to the lack of training data on the service provider's side (the server). Furthermore, approximate unlearning further embraces a complex trade-off between utility (model performance) and privacy (unlearning performance). In this paper, we try to explore the potential threats posed by unlearning services in MLaaS, specifically over-unlearning, where more information is unlearned than expected. We propose two strategies that leverage over-unlearning to measure the impact on the trade-off balancing, under black-box access settings, in which the existing machine unlearning attacks are not applicable. The effectiveness of these strategies is evaluated through extensive experiments on benchmark datasets, across various model architectures and representative unlearning approaches. Results indicate significant potential for both strategies to undermine model efficacy in unlearning scenarios. This study uncovers an underexplored gap between unlearning and contemporary MLaaS, highlighting the need for careful considerations in balancing data unlearning, model utility, and security.

show abstract

“…According to Theorem 5, Equation (23) will naturally iterate to converge when the spectral radius of (𝐼 − 𝐻 ) is less than one. We take 𝐻 −1 𝑡 ∇ 𝜃 0 ΔL ( G\ΔG) as the estimation of 𝐻 −1…”

Section: Efficient Estimationmentioning

confidence: 99%

“…GraphEditor [9] is a very recent work that supports exact graph unlearning free from shard model retraining, but is restricted to linear GNN structure under Ridge regression formulation. • Another line [8,13,14,23,24,30] resorts to gradient analysis techniques instead to approximate the unlearning process, so as to avoid retraining sub-models from scratch. Among them, influence function [20] is a promising proxy to estimate the parameter changes caused by a sample removal, which is on up-weighting the individual loss w.r.t.…”

Section: Introductionmentioning

confidence: 99%

GIF: A General Graph Unlearning Strategy via Influence Function

Yang

Qian

et al. 2023

Proceedings of the ACM Web Conference 2023

View full text Add to dashboard Cite

With the greater emphasis on privacy and security in our society, the problem of graph unlearning -revoking the influence of specific data on the trained GNN model, is drawing increasing attention. However, ranging from machine unlearning to recently emerged graph unlearning methods, existing efforts either resort to retraining paradigm, or perform approximate erasure that fails to consider the inter-dependency between connected neighbors or imposes constraints on GNN structure, therefore hard to achieve satisfying performance-complexity trade-offs.In this work, we explore the influence function tailored for graph unlearning, so as to improve the unlearning efficacy and efficiency for graph unlearning. We first present a unified problem formulation of diverse graph unlearning tasks w.r.t. node, edge, and feature. Then, we recognize the crux to the inability of traditional influence function for graph unlearning, and devise Graph Influence Function (GIF), a model-agnostic unlearning method that can efficiently and accurately estimate parameter changes in response to a 𝜖-mass perturbation in deleted data. The idea is to supplement the objective of the traditional influence function with an additional loss term of the influenced neighbors due to the structural dependency. Further deductions on the closed-form solution of parameter changes provide a better understanding of the unlearning mechanism. We conduct extensive experiments on four representative GNN models and three benchmark datasets to justify the superiority of GIF for diverse graph unlearning tasks in terms of unlearning efficacy, model utility, and unlearning efficiency. Our implementations are available at https://github.com/wujcan/GIF-torch/.

show abstract

Hard to Forget: Poisoning Attacks on Certified Machine Unlearning

Cited by 17 publications

References 36 publications

Backdoor Attacks via Machine Unlearning

Backdoor Attacks via Machine Unlearning

A Duty to Forget, a Right to be Assured? Exposing Vulnerabilities in Machine Unlearning Services

GIF: A General Graph Unlearning Strategy via Influence Function

Contact Info

Product

Resources

About