The Unseen Threat: Residual Knowledge in Machine Unlearning under Perturbed Samples
Hsiang Hsu, Pradeep Niroula, Zichang He, Ivan Brugere, Freddy Lecue, Chun-Fu Chen

TL;DR
This paper identifies a privacy risk in machine unlearning where residual knowledge persists around forgotten samples, especially under adversarial perturbations, and proposes a fine-tuning method to mitigate this issue.
Contribution
The paper formalizes the residual knowledge vulnerability in machine unlearning and introduces RURK, a fine-tuning strategy to reduce residual knowledge in high-dimensional models.
Findings
Residual knowledge is prevalent across existing unlearning methods.
The proposed RURK method effectively reduces residual knowledge.
Residual knowledge persists even when models are unlearned, especially under adversarial perturbations.
Abstract
Machine unlearning offers a practical alternative to avoid full model re-training by approximately removing the influence of specific user data. While existing methods certify unlearning via statistical indistinguishability from re-trained models, these guarantees do not naturally extend to model outputs when inputs are adversarially perturbed. In particular, slight perturbations of forget samples may still be correctly recognized by the unlearned model - even when a re-trained model fails to do so - revealing a novel privacy risk: information about the forget samples may persist in their local neighborhood. In this work, we formalize this vulnerability as residual knowledge and show that it is inevitable in high-dimensional settings. To mitigate this risk, we propose a fine-tuning strategy, named RURK, that penalizes the model's ability to re-recognize perturbed forget samples.…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Domain Adaptation and Few-Shot Learning · Privacy-Preserving Technologies in Data
