Revisiting Privacy Leakage in Machine Unlearning: Membership Inference Beyond the Forgotten Set
Jie Fu, Nima Naderloui, Da Zhong, Yuan Hong, Wendy Hui Wang
TL;DR
This paper investigates privacy risks in machine unlearning, introducing a novel attack that exploits model predictions to infer membership, and evaluates defenses revealing a privacy-accuracy trade-off.
Contribution
It presents TC-UMIA, the first tri-class membership inference attack for unlearning, and assesses defense mechanisms across multiple datasets and models.
Findings
Unlearning can increase privacy risks to retained data.
TC-UMIA effectively distinguishes among forget, retain, and unseen data.
Dropout offers a better privacy-accuracy balance among defenses.
Abstract
Machine unlearning (MU) has emerged as a key mechanism for ensuring data privacy and regulatory compliance by enabling models to forget specific training samples. However, recent studies have shown that the removal of data can inadvertently introduce privacy leakages to the retain set,i.e., data that remain in the model after unlearning. In this paper, we extend the scope of privacy analysis in unlearning to the often-overlooked retained data. We introduce TC-UMIA, the first tri-class unlearning membership inference attack. TC-UMIA is a population-level inference framework that leverages model predictions before and after unlearning to distinguish among the forget, retain, and unseen set. Extensive experiments on five state-of-the-art unlearning algorithms and six real-world datasets demonstrate that: (i) unlearning can introduce additional privacy risks to the retain set, making it…
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.