Enhancing AI safety of machine unlearning for ensembled models

IF 7.2 1区计算机科学 Q1 COMPUTER SCIENCE, ARTIFICIAL INTELLIGENCE

Applied Soft Computing Pub Date : 2025-03-14 DOI:10.1016/j.asoc.2025.113011

Huanyi Ye , Jiale Guo , Ziyao Liu , Yu Jiang , Kwok-Yan Lam

{"title":"Enhancing AI safety of machine unlearning for ensembled models","authors":"Huanyi Ye , Jiale Guo , Ziyao Liu , Yu Jiang , Kwok-Yan Lam","doi":"10.1016/j.asoc.2025.113011","DOIUrl":null,"url":null,"abstract":"<div><div>Recently, machine unlearning (MU) has received significant attention for its ability to remove specific undesired knowledge from a trained model, thereby ensuring AI safety. Furthermore, efforts have been made to integrate MU into existing Machine Learning as a Service (MLaaS), allowing users to raise requests to remove the influence of their data used in the training phase, after which the server conducts MU to remove its influence based on the unlearning requests. However, previous research reveals that malicious users may manipulate the requests so that the model utility may be significantly compromised after unlearning, which is known as malicious unlearning. In addition, privacy leakage may be exploited by malicious users by analyzing inference results obtained from the original model and the unlearned model. In this connection, we investigate these potential risks, specifically in ensemble models, which are widely adopted in MU because of their efficiency in unlearning and robustness in learning. However, despite these advantages, their vulnerabilities to malicious unlearning and privacy leakage remain largely unexplored. Our work explores malicious unlearning and malicious inference in ensemble settings. We propose a method in which malicious unlearning requests can trigger hidden poisons in ensembles, causing target images to be misclassified as intended by adversaries. Additionally, we introduce a privacy leakage attack where adversaries with black-box access to voting outputs can infer the unlearned label by analyzing the differences between the original and unlearned ensemble outputs. Experimental results demonstrate that these attacks can be highly stealthy and achieve a high success rate. Furthermore, comparative experiments reveal that these attacks present slightly lower stealthiness in ensemble settings compared to single-model scenarios, suggesting that ensemble models have advantages in detecting such malicious activities. These findings reveal that ensemble models are vulnerable to malicious unlearning and privacy leakage and highlight the urgent need for more robust MU designs to ensure AI safety.</div></div>","PeriodicalId":50737,"journal":{"name":"Applied Soft Computing","volume":"174 ","pages":"Article 113011"},"PeriodicalIF":7.2000,"publicationDate":"2025-03-14","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Applied Soft Computing","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S1568494625003229","RegionNum":1,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, ARTIFICIAL INTELLIGENCE","Score":null,"Total":0}

引用次数: 0

Abstract

Recently, machine unlearning (MU) has received significant attention for its ability to remove specific undesired knowledge from a trained model, thereby ensuring AI safety. Furthermore, efforts have been made to integrate MU into existing Machine Learning as a Service (MLaaS), allowing users to raise requests to remove the influence of their data used in the training phase, after which the server conducts MU to remove its influence based on the unlearning requests. However, previous research reveals that malicious users may manipulate the requests so that the model utility may be significantly compromised after unlearning, which is known as malicious unlearning. In addition, privacy leakage may be exploited by malicious users by analyzing inference results obtained from the original model and the unlearned model. In this connection, we investigate these potential risks, specifically in ensemble models, which are widely adopted in MU because of their efficiency in unlearning and robustness in learning. However, despite these advantages, their vulnerabilities to malicious unlearning and privacy leakage remain largely unexplored. Our work explores malicious unlearning and malicious inference in ensemble settings. We propose a method in which malicious unlearning requests can trigger hidden poisons in ensembles, causing target images to be misclassified as intended by adversaries. Additionally, we introduce a privacy leakage attack where adversaries with black-box access to voting outputs can infer the unlearned label by analyzing the differences between the original and unlearned ensemble outputs. Experimental results demonstrate that these attacks can be highly stealthy and achieve a high success rate. Furthermore, comparative experiments reveal that these attacks present slightly lower stealthiness in ensemble settings compared to single-model scenarios, suggesting that ensemble models have advantages in detecting such malicious activities. These findings reveal that ensemble models are vulnerable to malicious unlearning and privacy leakage and highlight the urgent need for more robust MU designs to ensure AI safety.

Abstract Image

查看原文本刊更多论文

求助全文

约1分钟内获得全文求助全文

来源期刊

Applied Soft Computing 工程技术-计算机：跨学科应用

CiteScore

15.80

自引率

6.90%

发文量

874

审稿时长

10.9 months

期刊介绍： Applied Soft Computing is an international journal promoting an integrated view of soft computing to solve real life problems.The focus is to publish the highest quality research in application and convergence of the areas of Fuzzy Logic, Neural Networks, Evolutionary Computing, Rough Sets and other similar techniques to address real world complexities. Applied Soft Computing is a rolling publication: articles are published as soon as the editor-in-chief has accepted them. Therefore, the web site will continuously be updated with new articles and the publication time will be short.