Apollo: A Posteriori Label-Only Membership Inference Attack Towards Machine Unlearning

TL;DR

Apollo introduces a novel label-only membership inference attack that effectively determines if data samples have been unlearned from a machine learning model, enhancing privacy attack capabilities with minimal model access.

Contribution

The paper presents Apollo, a new attack method that infers unlearned data membership using only label outputs, under a strict threat model, improving attack feasibility.

Findings

Achieves high precision in membership inference with limited model access.

Outperforms existing attacks in scenarios with restricted access.

Demonstrates the vulnerability of machine unlearning to label-only inference.

Abstract

Machine Unlearning (MU) aims to update Machine Learning (ML) models following requests to remove training samples and their influences on a trained model efficiently without retraining the original ML model from scratch. While MU itself has been employed to provide privacy protection and regulatory compliance, it can also increase the attack surface of the model. Existing privacy inference attacks towards MU that aim to infer properties of the unlearned set rely on the weaker threat model that assumes the attacker has access to both the unlearned model and the original model, limiting their feasibility toward real-life scenarios. We propose a novel privacy attack, A Posteriori Label-Only Membership Inference Attack towards MU, Apollo, that infers whether a data sample has been unlearned, following a strict threat model where an adversary has access to the label-output of the unlearned model only. We demonstrate that our proposed attack, while requiring less access to the target model compared to previous attacks, can achieve relatively high precision on the membership status of the unlearned samples.