Gone but Not Forgotten: Improved Benchmarks for Machine Unlearning

We are primarily interested in approximate unlearning where the influence of the forget set is practically removed, as opposed to exact unlearning where the influence must completely and provably removed. We define unlearning as follows. We have a dataset $\mathcal{D}$ partitioned into forget, retain, validation, and test sets $\mathcal{D}_{f}$, $\mathcal{D}_{r}$, $\mathcal{D}_{val}$, and $\mathcal{D}_{test}$, respectively. A model $M$ is trained on the training subset $\mathcal{D}_{train}=\mathcal{D}_{f}\cup\mathcal{D}_{r}$, where $\mathcal{D}_{f}\cap\mathcal{D}_{r}=\emptyset$. An unlearning algorithm $\mathcal{U}:M\times(\mathcal{D}_{r},\mathcal{D}_{f})\rightarrow M^{\prime}$ produces a new model $M^{\prime}$ which ideally has minimized the possibility of information leakage from $\mathcal{D}_{f}$, maintained model performance, and done so with minimal compute. Iterative unlearning requires an extended definition (omitted here for brevity), but intuitively, it is the repeated act of unlearning over time.

We argue that worst-case measures of privacy are crucial for effective evaluations of unlearning algorithms. Users, in the absence of a strict guarantee of their own privacy, will care primarily about worst-case outcomes for themselves, rather than average- or even best-case metrics. When examining privacy through the lens of DP, as many in the unlearning field do, this becomes even more clear. Satisfying $(\epsilon,\delta)$-Differential Privacy requires a mathematical proof showing an algorithm satisfies a strict worst-case upper-bound on potential information leakage from $\mathcal{D}_{train}$ across all possible training examples. Therefore, strong unlearning evaluations will both use as effective MIAs as possible, and present the results of the attacks with worst-case metrics.

Through our literature review we have found that the most common MIA used to evaluate algorithms is a simple Logistic Regression classifier trained to predict whether or not a loss value comes from an example in $\mathcal{D}_{f}$ [6, 14, 15, 16, 17]. Furthermore, results are reported almost exclusively through either accuracy or recall - both of which are average case metrics. The study in [16] takes an important step forward in using stronger MIAs, adapting the online version of the SoTA Likelihood Ratio Attack (LiRA) from [18] to the unlearning setting. The ‘online’ version refers to the need to train new models for every membership query. Notably, they continue the precedent set in [18] by showing Receiver Operating Characteristic (ROC) curves with log-scales to show performance at very low false-positive rates - better demonstrating worst-case outcomes. The effectiveness of LiRA as an MIA makes it a much more realistic estimate of privacy.

One downside of [16]’s online-LiRA implementation is its computational complexity. The attack entails training 256 ‘shadow’ models (each on a random half of the training set) and then running an unlearning algorithm 10,000 times on random forget sets for each of the 256 shadow models. This amounts to over 2.5 million unlearning runs per algorithm. For any fine-tuning based algorithm, or any algorithm dealing with even moderately large models or data sets, this sort of evaluation is impractical.

To remedy this gap, we adapt the offline version of LiRA for unlearning in our benchmarking framework. ‘Offline’ means that no new shadow models need to be trained for new membership queries. This setup only requires a single unlearning run, making this attack much more feasible - especially in the iterative unlearning setting (Section 2.3). While it is not as strong an attack as online-LiRA, and therefore worse for privacy estimation, it is much stronger than the basic Logistic Regression MIA, so we recommend its use in cases where the online-LiRA attack is computationally infeasible.

While MIAs are often just used to rank unlearning algorithms, some approaches have been made to more directly estimate DP privacy parameters ($\epsilon$, $\delta$). The 2023 NeurIPS Machine Unlearning Competition [19] based their metric on group-level DP, a stricter formulation of DP which considers datasets differing by up to $k$ examples, which makes sense for unlearning as requests are likely to be batched. In fact, the competition metric used estimates of worst-case MIA performance to estimate $\epsilon$ for each example in $\mathcal{D}_{f}$, producing an entire distribution of privacy levels. While [19] averaged the per-example estimates of $\epsilon$ into a single score, we re-implement the per-example $\epsilon$ estimation to preserve the full distribution of privacy levels, which we find to be a valuable point of comparison.

While intuitively one may think that unlearning can only result in positive outcomes with respect to the privacy of forgotten data, [5] demonstrate that, in regards to an attacker who already has the outputs of the base model, the act of unlearning may result in worse privacy than not unlearning at all. The idea of model update-leakage - where an adversary uses the difference in behaviors of two models as an attack vector - has been previously studied in iterative learning scenarios [20, 12], and [5] demonstrate that the issue is still relevant in the unlearning setting. [5] find that update-leakages are often stronger than standard attacks for both fully retrained and unlearned models, although the effect is weaker for the latter. In this regard unlearning may actually be preferential to retraining in terms of privacy, as it could find an optimal middle ground between the two types of attacks. We therefore evaluate unlearning algorithms on update-leakage attacks to:

1. 1.

   Demonstrate an additional benefit of unlearning over retraining from scratch by showing less susceptibility to update-leakage attacks.

2. 2.

   Ensure a ‘do no harm’ criteria is satisfied by showing an update-leakage attack does no worse than an attack on the base model.

To the best of our knowledge (through review of citations of [5]), the only unlearning algorithm benchmarked on an update-leakage attack, besides SISA in [5], is GraphEraser [21], an unlearning algorithm for graph data. We implement and run evaluations on the update-leak attack from [5], which works very similarly to online-LiRA, except uses outputs from both the base and the unlearned models.

The final piece of a comprehensive unlearning evaluation is studying how unlearning affects a model after repeated applications of an algorithm. If unlearning can truly be a replacement for full retraining, and deployers of ML models fully comply with data removal requests and destroy the base model trained on $\mathcal{D}_{f}$, then unlearning must be iteratively applied to unlearned models. Few papers consider this set-up, and those that do are usually special cases where unlearning can be performed in closed form or with convex optimization [10] [11] [3]. Surprisingly, we were able to locate only one unlearning paper that evaluates iterative test accuracy [22]. We have not encountered an iterative test accuracy evaluation in the vision domain.

In the iterative setting, it is required at each iteration to both ensure effective forgetting and, crucially, maintain model performance, as performance degradation tends to accumulate over time. Single forget set evaluations simply do not capture this important dimension of real-world performance. It should be noted that auditing privacy over many iterations may be prohibitively expensive, especially for attacks like online-LiRA that require hundreds of unlearning runs per iteration - so in this setting, our offline-LiRA implementation might be preferred. In either case, test-set performance can be computed directly after each unlearning iteration, so we advocate for its inclusion in any unlearning evaluation. We implement an iterative unlearning pipeline that handles the required dataset splitting and model management to allow for extending existing unlearning evaluations to the iterative setting – we focus primarily on test-set accuracy.