Hard to Forget: Poisoning Attacks on Certified Machine Unlearning
Abstract
The right to erasure requires removal of a user's information from data held by organizations, with rigorous interpretations extending to downstream products such as learned models. Retraining from scratch with the particular user's data omitted fully removes its influence on the resulting model, but comes with a high computational cost. Machine "unlearning" mitigates the cost incurred by full retraining: instead, models are updated incrementally, possibly only requiring retraining when approximation errors accumulate. Rapid progress has been made towards privacy guarantees on the indistinguishability of unlearned and retrained models, but current formalisms do not place practical bounds on computation. In this paper we demonstrate how an attacker can exploit this oversight, highlighting a novel attack surface introduced by machine unlearning. We consider an attacker aiming to increase the computational cost of data removal. We derive and empirically investigate a poisoning attack on certified machine unlearning where strategically designed training data triggers complete retraining when removed.
- Publication:
-
arXiv e-prints
- Pub Date:
- September 2021
- DOI:
- 10.48550/arXiv.2109.08266
- arXiv:
- arXiv:2109.08266
- Bibcode:
- 2021arXiv210908266M
- Keywords:
-
- Computer Science - Machine Learning;
- Computer Science - Cryptography and Security
- E-Print:
- Align with camera-ready submission to AAAI-22. Changes include: switched to row-wise normalization in Algorithm 3, added link to GitHub repository, added Appendix C with additional results on long-term effectiveness