Reminiscence Attack on Residuals: Exploiting Approximate Machine Unlearning for Privacy
Yaxin Xiao, Qingqing Ye, Li Hu, Huadi Zheng, Haibo Hu, Zi Liang, Haoyang Li, Yijie Jiao

TL;DR
This paper exposes privacy vulnerabilities in approximate machine unlearning due to residuals, introduces a new attack method called ReA, and proposes a dual-phase unlearning framework to mitigate privacy risks while maintaining efficiency.
Contribution
It reveals residual-based privacy attacks in approximate unlearning, develops ReA for enhanced membership inference, and proposes a mitigation framework effective across tasks.
Findings
ReA outperforms prior attacks by up to 1.90x in accuracy.
Residuals persist across architectures and algorithms, exposing privacy risks.
The proposed framework reduces attack accuracy to near random, with minimal retraining cost.
Abstract
Machine unlearning enables the removal of specific data from ML models to uphold the right to be forgotten. While approximate unlearning algorithms offer efficient alternatives to full retraining, this work reveals that they fail to adequately protect the privacy of unlearned data. In particular, these algorithms introduce implicit residuals which facilitate privacy attacks targeting unlearned data. We observe that these residuals persist regardless of model architectures, parameters, and unlearning algorithms, exposing a new attack surface beyond conventional output-based leakage. Based on this insight, we propose the Reminiscence Attack (ReA), which amplifies the correlation between residuals and membership privacy through targeted fine-tuning processes. ReA achieves up to 1.90x and 1.12x higher accuracy than prior attacks when inferring class-wise and sample-wise membership,…
