When Forgetting Triggers Backdoors: A Clean Unlearning Attack

TL;DR

This paper introduces a novel clean backdoor attack that exploits the unlearning process to activate malicious signals, revealing vulnerabilities in current machine unlearning defenses.

Contribution

It presents a new attack method that leverages clean unlearning to trigger backdoors, exposing weaknesses in existing defenses and emphasizing the need for more robust solutions.

Findings

The attack can be activated by unlearning non-poisoned samples.

It creates a stealthy and powerful backdoor that is hard to detect.

Current unlearning defenses are vulnerable to this approach.

Abstract

Machine unlearning has emerged as a key component in ensuring ``Right to be Forgotten'', enabling the removal of specific data points from trained models. However, even when the unlearning is performed without poisoning the forget-set (clean unlearning), it can be exploited for stealthy attacks that existing defenses struggle to detect. In this paper, we propose a novel {\em clean} backdoor attack that exploits both the model learning phase and the subsequent unlearning requests. Unlike traditional backdoor methods, during the first phase, our approach injects a weak, distributed malicious signal across multiple classes. The real attack is then activated and amplified by selectively unlearning {\em non-poisoned} samples. This strategy results in a powerful and stealthy novel attack that is hard to detect or mitigate, highlighting critical vulnerabilities in current unlearning mechanisms and highlighting the need for more robust defenses.